How to use Linux bots to penetrate a small Intranet
The shell method in the case is relatively simple. We only focus on the limited space, starting from obtaining permissions.
Install Backdoor
After entering the system, my RP was so lucky that it turned out to be the root permission...
View passwd account information
Directory tree structure:
Because Intranet penetration is required and permissions may be lost at any time, we will first install an ssh backdoor. We originally wanted to install the pam backdoor because all accounts must verify the pam module when logging on to the server, the pam webshell can intercept the user password, but the kernel is
Default
(Linux jcms 2.6.32-71. el6.i686 #1 SMP Wed Sep 1 01:26:34 EDT 2010i686 i686 i386 GNU/Linux)
It must be a redhat/centos6 system.
It is indeed 6.0, and it is still the redhat Enterprise Edition operating system, a little headache, as to why? You will know later
Install openssh Backdoor
Download and unzip the backdoor:
The compilation is successful. Now it is an Intranet environment. I have to map out port 22 of ssh and add it as root, which makes the operation easier.
Port forwarding
If you have a server with a public IP address, first upload lcx to the server.
Local listening port
An error occurred while matching for the first time.
Modify log records:
Because all operations may be recorded in the log, I commented out the log first.
Information Collection
First, check the number of active hosts in the network:
Then, check whether ssh has a trust relationship:
Unfortunately, none of them can log on
Check that kerberos has no information, and rsync has not been installed.
Mount is not remotely mounted to any command.
Check frequently logged on IP addresses in history, but there seems to be nothing.
Keyboard record
I prefer LD_keylog non-local records, which can be used to record all operations on local ssh, rsync, and su ..
Configure the location to store and command sniffing
Tests show that the keyboard record is easy to use. It's not that accurate, but it's okay to work with history.
Configure the yum source to install ettercap
Install ettercap below. I will install ettercap directly with yum, but what?
I found a problem: this system is a redhat Enterprise 6.0 operating system. This yum source is hard to find on the Internet and I do not want to download a redhat iso image from the server, build a yum source to provide download, which is not very secure. So?
Try to make the redhat yum source use the centos yum source for installation. It is not possible by default. Do not try it. Be careful when your system installation package is incompatible
1. Delete the original yum source of redhat.
Default
# Rpm-aq | grep yum | xargs rpm-e -- nodeps
2. download the new yum installation package
We have packed all the packages in advance.
After the installation is successful, configure the yum Source:
Yum source test:
Check the ettercap installation path after installation.
View the port used for ettercap sniffing (do not modify it. The ports 80,636, 25,110, and 23 are all in common use. The default port is enough)
Next, let's use ettercap for sniffing.
Use ettercap for Intranet sniffing:
The problem encountered during sniffing is due to the ettercap installed using yum. Therefore, it is relatively new, which is 0.7.5. After ettercap0.7.5, an ipv6 sniffing method is introduced, so some parameters are different from those of 0.7.3.
After the problem is solved, you can sniff. However, sniffing is not a short time, and you cannot stare at the computer, or what if you set the terminal to time out? Once the terminal is disconnected, your process will also be disconnected. Now we can use Nobup
Nohup: run the command without hanging up.
OK. It has been successfully run in the background. Next, let's test whether the sniffing is powerful.
You can sniff something.
Delete aide File Audit:
When I cleared my tail, I saw a directory, aide. I suddenly thought that all the files I changed were recorded.
Delete it directly. I want you to check it.
Sed command to view sniffing content
Check the sniffing result. The data is sniffed out, but there is a lot of unnecessary information in the middle. I need to delete it.
Use the sed command.
We can see that unnecessary information has been completely deleted.
Install the desktop environment
Since there are accounts, passwords, and URLs for Intranet addresses, they need to penetrate the website over the Intranet again. An SSH Socks proxy and a vnc will definitely select the latter for easy operation. However, the Intranet ip address cannot be accessed from the Internet, so I will install vnc and then forward port 5900 of vnc to the Internet.
Again, the general server will certainly not install the desktop environment, so that even if you have successfully installed the vnc, the port will be forwarded, and there is no graphical interface to connect, in this way, you still cannot run a browser to perform Intranet penetration.
Install necessary firefox and desktop environments
Install firefox first
2 groups are required to install the desktop environment
Install vnc
Configure vnc
Use port forwarding to forward port 5902 to connect and continue Intranet penetration.
Red/Black Alliance comments: This article is a more detailed article from obtaining permissions, then planting backdoors, sniffing, and finally installing the graphic interface, step by step. However, this can only be suitable for the penetration of small-sized intranets. In a slightly better Intranet environment, you may just find someone else and immediately throw you out. Not to mention installing a desktop environment after sniffing. Penetration should be fast, accurate, and static, so it can only be in a small intranet.
However, there are still many merits in the article, which is suitable for new friends to learn. You can try to reproduce some of the content and skills described in this article to expand your actual technology. Wish you all the learning progress!