Introduction to Basic Ideas for Maintaining Access
1. Course Description
1.1 Course Overview
This course is a hands-on experimental class. To clearly explain certain operations during the experiments, theoretical content will also be included. For the theoretical sections, most topics, such as backdoor Trojans, are already well-documented by experts in existing articles. The experiments will select and recommend the most essential articles for you to read, helping you build a strong theoretical foundation while engaging in practical exercises.
This course primarily introduces maintaining access to target hosts through backdoors on Kali Linux.
The camp mainly focuses on the practical aspects of backdoor techniques, emphasizing post-exploitation access persistence. The course consists of 10 experiments, each providing detailed steps and screenshots. Three of these experiments focus exclusively on creating Trojans and analyzing the source code of the generated backdoor Trojans. The course is suitable for individuals with a basic understanding of Linux systems who want to quickly get started with Kali penetration testing, are interested in Trojan creation, or wish to establish backdoors for persistent access after a successful penetration test.
Note: Due to the high cost of configuring the cloud machines used in the experiments, the number of attempts is limited to no more than six per experiment.
2. Introduction to Kali Linux
2.1 What is Kali Linux?
Kali Linux is a Debian-based Linux operating system designed for penetration testing and security auditing. It originated from the BackTrack system, which had similar functionality, and was first released in March 2013 with support from the Offensive Security team. To support the many functions needed for security auditing and penetration testing, Kali Linux has been customized, including specific adjustments to the kernel, network services, and user settings.
Compared to Debian, Kali Linux is tailored toward professional penetration testing and security auditing. It has been modified in several critical areas, such as being designed for root login. Due to the nature of security auditing, Kali Linux is built as a “single user, root access” environment.
Kali Linux comes pre-installed with many security-related tools, such as the well-known Nmap (port scanner), John the Ripper (password cracker), and Metasploit Framework (remote attack framework). In this camp, we primarily use some of the pre-installed tools within the Kali Linux system to conduct penetration attacks on target hosts, infect the target hosts with backdoor Trojans, and achieve persistent access.
3. Recommended Readings for This Section
3.1 Recommended Readings for This Section
For this experiment, it is recommended to first read the following materials:
Getting Started with Kali: http://docs.kali.org/category/introduction
The above article, “Getting Started with Kali,” is suitable for those unfamiliar with Kali’s basic operations.
Metasploitable2 User Guide: https://community.rapid7.com/docs/DOC-1875
This article introduces the tutorial for using Metasploitable2 and serves as an excellent introductory resource.
4. Introduction to Metasploit
4.1 Introduction to Metasploit
Metasploit is a free, downloadable framework that makes it easy to acquire, develop, and use exploits for software vulnerabilities. It ships with hundreds of professional-grade modules for known software vulnerabilities. The main advantage of Metasploit is its modular architecture, which allows exploit code and payloads to be combined freely.
Users can pair a given exploit with different payloads, so one vulnerability can deliver a variety of payloads. The Metasploit Framework can also be extended by adding modules, which lets users, exploit developers, and payload developers focus on their own part of the work without dealing with the rest.
To select an exploit code and payload, information about the target system (e.g., OS version and installed network services) is needed. This information can be collected using tools like Nmap for port scanning and system fingerprinting or vulnerability scanners like Nexpose or Nessus to detect weaknesses in the target system.
Metasploit can import vulnerability scan data and conduct precise attacks by comparing identified weaknesses with available exploit modules. The basic steps for attacking a target host using the Metasploit Framework include:
- Selecting and configuring an exploit code (an exploit that takes advantage of a target system’s vulnerability).
- Verifying whether the target system is susceptible to the exploit.
- Selecting and configuring a payload, which is code executed on the target system post-exploitation.
- Choosing an encoding option so that the payload is less likely to be blocked by an intrusion prevention system (IPS).
- Running the exploit command to launch the attack on the target host.
4.2 Using Metasploit to Attack the Target Host
The training camp’s Kali backdoor practical environment is provided by Labs. The host system’s OS is Ubuntu 14.04, with Kali Linux attacker machines installed via Docker containers on the host. Virtual target machines for testing, running Metasploitable2, are also part of the experimental setup. Metasploitable2 is an Ubuntu-based OS specifically crafted for security testing and demonstrating common vulnerabilities.
First, issue the command sudo virsh list --all in the host terminal to see a virtual machine named Metasploitable2.
In the host terminal of the lab building, enter the command sudo virsh start Metasploitable2 to start the target machine. It may take about four minutes to start. If you can ping the target machine, it has fully started, as shown in the following figure:
In the host machine, Kali uses a Docker container. You can see the Docker image of Kali by executing the following command:
Use the following command to enter the kali virtual host:
$ docker run -ti --network host 6f113 bash
To facilitate the attack, we add the target machine address to the /etc/hosts of the kali virtual host:
192.168.122.102 target
Use the command vi /etc/hosts to open the hosts file, then press the i key to enter insert mode. After adding the line, press Esc, type :wq, and press Enter to save and exit.
After entering the Kali virtual host, we can use the scanning tool Nmap to scan the target host. Nmap, short for Network Mapper, is a free network security tool used for network discovery and security auditing.
Nmap can detect whether the target host is online, which ports are open, the type and version of the services running on them, the operating system, the device type, and so on. It is one of the must-have tools for network administrators evaluating the security of their systems. Enter the command nmap -sV -T4 192.168.122.102 in the Kali Linux terminal to scan the target machine, whose IP address is 192.168.122.102:
If we have configured the /etc/hosts file, we can also scan it with the command nmap -sV -T4 target.
In the Nmap command line, the -sV option probes the open ports to determine the name and version of the service running on each, while -T sets the scan speed (timing template). The -T values are listed below:
Parameter | Meaning |
---|---|
-T0 | Very slow scan, used for IDS (Intrusion Detection System) evasion |
-T1 | Slow scan, between T0 and T2 in speed; can also evade some IDS |
-T2 | Reduced scanning speed; usually not needed |
-T3 | Default scanning speed |
-T4 | Fast scan; may flood the target and trigger a firewall if one is present |
-T5 | Extremely fast scan, sacrificing accuracy for speed |
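The timing table above states the defender's side of the trade-off: a fast scan such as -T4 touches many ports in seconds and is easy to notice, while -T0 spreads the same probes over a long time so that a detector with a short window never sees them together. The following is an added example, not code from the lesson or the lab platform: a minimal port-scan detector that groups connection attempts per source IP inside a sliding time window and alerts when one source reaches several distinct ports. The log format and the two log samples (a fast sweep and a slow, -T0-style sweep of the same ports) are constructed for this example.

```python
"""Added example: sliding-window port-scan detection over constructed
connection-log lines. Not part of the original lesson."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>"
# A fast (-T4 style) sweep: six ports within two seconds, plus one unrelated client.
FAST_SCAN_LOG = """\
2024-01-01T10:00:00 192.168.122.1 -> 192.168.122.102:21
2024-01-01T10:00:00 192.168.122.1 -> 192.168.122.102:22
2024-01-01T10:00:01 192.168.122.1 -> 192.168.122.102:23
2024-01-01T10:00:01 192.168.122.1 -> 192.168.122.102:25
2024-01-01T10:00:01 192.168.122.1 -> 192.168.122.102:80
2024-01-01T10:00:02 192.168.122.1 -> 192.168.122.102:3632
2024-01-01T10:00:30 192.168.122.50 -> 192.168.122.102:80
"""

# The same ports probed with five minutes between them (a -T0 style sweep).
SLOW_SCAN_LOG = """\
2024-01-01T10:00:00 192.168.122.1 -> 192.168.122.102:21
2024-01-01T10:05:00 192.168.122.1 -> 192.168.122.102:22
2024-01-01T10:10:00 192.168.122.1 -> 192.168.122.102:23
2024-01-01T10:15:00 192.168.122.1 -> 192.168.122.102:25
2024-01-01T10:20:00 192.168.122.1 -> 192.168.122.102:80
2024-01-01T10:25:00 192.168.122.1 -> 192.168.122.102:3632
"""


def parse_line(line):
    """Split one log line into (timestamp, source IP, destination port)."""
    ts_text, src, _arrow, dst = line.split()
    port = int(dst.rsplit(":", 1)[1])
    return datetime.fromisoformat(ts_text), src, port


def detect_scans(log_text, window_seconds=60, port_threshold=5):
    """Return {source_ip: sorted_ports} for every source that touched at least
    `port_threshold` distinct ports within any `window_seconds` interval.
    The ports recorded are those seen at the moment the alert first fired."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> deque of (timestamp, port) inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, port = parse_line(line)
        events = recent[src]
        events.append((ts, port))
        # Drop events that fell out of the window relative to the newest one.
        while events and ts - events[0][0] > window:
            events.popleft()
        ports = {p for _, p in events}
        if len(ports) >= port_threshold and src not in alerts:
            alerts[src] = sorted(ports)
    return alerts


if __name__ == "__main__":
    print("fast sweep, 60 s window:", detect_scans(FAST_SCAN_LOG))
    print("slow sweep, 60 s window:", detect_scans(SLOW_SCAN_LOG))
    print("slow sweep, 1 h window: ", detect_scans(SLOW_SCAN_LOG, window_seconds=3600))
```

With the default 60-second window the fast sweep is flagged after its fifth port, while the slow sweep produces no alert at all; widening the window to an hour catches the slow sweep too, at the cost of more state per source. That is exactly the evasion the table attributes to -T0 and -T1, and the reason real IDS rules combine short windows with longer-term per-source counters.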
After using Nmap to scan the target machine, we know the open ports. Next, we use Metasploit to perform a penetration test on the target machine. In the following example, we use the Distcc vulnerability to attack the target host. In the command line terminal, enter the command msfconsole to open the Metasploit terminal, and then enter the following commands in the Metasploit terminal. (Note: msfconsole takes about a minute to open because it loads its many attack modules at startup, so it is relatively slow to start.)
# Use the corresponding attack module
msf > use exploit/unix/misc/distcc_exec
# Set the IP address of the target host
msf > set RHOST 192.168.122.102
# Enter the attack command
msf > exploit
At this point, the attack has been completed, and a session channel has been established between the attacking machine and the target machine. Enter the whoami command in the command line terminal, and the response shows the user name daemon. This user does not have root privileges. In the general process of maintaining access, we need to obtain root privileges on the computer and then upload the attacker's Trojan program during the subsequent backdoor creation process. How to exploit vulnerabilities to attack the server will not be introduced here. For more practical attacks using vulnerabilities of target machines, students can take another training camp in the laboratory building:
Kali server attack practice: https://www.shiyanlou.com/courses/698
5. Escalate privileges on the target Linux system
5.1 Exploiting vulnerabilities to elevate privileges and prepare for subsequent Trojan uploads
When you infiltrate the target machine and obtain permissions, they may not be root permissions. At this point we need to escalate privileges. In the command line terminal, enter /usr/bin/nmap --version to view the version information of Nmap. Old versions of Nmap have a vulnerability that can be used to escalate the privileges of the current user. Enter the following commands in the command line terminal:
# The first line starts Nmap in interactive mode
/usr/bin/nmap --interactive
nmap > !sh
The command /usr/bin/nmap --interactive starts Nmap in interactive mode. Old versions of Nmap have a vulnerability here: as long as you enter !sh, you obtain an elevated shell. This escalation only exists in old versions of Nmap; the root cause is a flaw in how Nmap was designed.
After obtaining root privileges, enter the id command in the command line, and you can see one more ID than before the privilege escalation: euid=0(root). In the Linux system, each process has two user IDs, the real user ID (UID) and the effective user ID (EUID). The UID generally identifies who created the process, while the EUID determines the process's access rights to files and resources (the process has the same permissions as that user).
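The id output above shows why the escalation works: the real UID is still daemon, but the effective UID is root, which is what a shell inherits when it is spawned from a setuid-root binary such as the old /usr/bin/nmap on the target. The following is an added example, not the lesson's own code, written from the administrator's side: it walks directories for setuid-root files (the condition that makes an interactive mode like Nmap's dangerous) and parses id output to flag a process whose effective UID no longer matches its real UID. The two id lines are constructed to match the shape of the session described in this section; the directories to audit are assumptions for the demonstration.

```python
"""Added example: audit for setuid-root binaries and detect a mismatched
real/effective UID from `id` output. Not part of the original lesson."""
import os
import re
import stat


def is_setuid_root(st_mode, st_uid):
    """True when the mode carries the setuid bit and the owner is root (uid 0)."""
    return bool(st_mode & stat.S_ISUID) and st_uid == 0


def find_setuid_root(directories):
    """Walk the given directories and return sorted paths of setuid-root regular files.
    Symlinks are inspected with lstat so a link is never reported in place of its target."""
    found = []
    for top in directories:
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and is_setuid_root(st.st_mode, st.st_uid):
                    found.append(path)
    return sorted(found)


# Matches "uid=1(daemon)" and "euid=0(root)" fields; gid/groups fields are ignored.
_ID_FIELD = re.compile(r"\b(euid|uid)=(\d+)\(([^)]*)\)")


def parse_id_output(text):
    """Parse `id` output into {'uid': (number, name), 'euid': (number, name)}.
    `id` prints euid only when it differs from uid, so a missing euid means they match."""
    fields = {key: (int(num), name) for key, num, name in _ID_FIELD.findall(text)}
    if "euid" not in fields:
        fields["euid"] = fields["uid"]
    return fields


def is_elevated(text):
    """True when the effective UID differs from the real UID, which is the
    signature of a shell spawned through a setuid binary."""
    fields = parse_id_output(text)
    return fields["euid"][0] != fields["uid"][0]


# Constructed sample `id` output, before and after the escalation in this section.
ID_BEFORE = "uid=1(daemon) gid=1(daemon) groups=1(daemon)"
ID_AFTER = "uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)"

if __name__ == "__main__":
    print("before escalation, elevated:", is_elevated(ID_BEFORE))
    print("after escalation, elevated: ", is_elevated(ID_AFTER))
    # Assumed audit scope; adjust to the directories on the host being checked.
    for path in find_setuid_root(["/usr/bin", "/bin"]):
        print("setuid-root binary:", path)
```

On a host that has been patched, the list returned by find_setuid_root should contain only the expected system binaries; any unexpected entry, or an id line where is_elevated returns True for an interactive session, is worth investigating. Removing the setuid bit from a binary that does not need it closes this class of escalation even before the software itself is upgraded.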
6. Introduction to tools for maintaining connections
6.1 Introduction to tools for maintaining connections
The above describes how to use the pre-installed tool Metasploit in Kali Linux to attack the target machine, obtain the target machine's permissions, establish a command channel, and then use the vulnerability in the target machine's old version of Nmap to escalate privileges and obtain root. Generally speaking, the first step of a penetration attack is to collect information: the target machine's operating system version, open network service ports, and the software behind each service.
Then the collected information is analyzed to see whether any of these versions have known vulnerabilities, and those vulnerabilities are used to conduct the penetration attack, obtain the target machine's permissions, and gain control of it. This training camp is about practical backdoor technology and focuses on maintaining access after a successful penetration, for example using PWNAT to create a NAT-to-NAT communication tunnel, and explaining the principle by which DNS2TCP maintains TCP connections inside DNS traffic.
For those who want to learn more about how to use Kali to conduct penetration attacks on target machines, you can take another training camp in the laboratory building, “Practical Kali Server Attack”, which specifically introduces how to use various modules in Kali to attack software vulnerabilities.
7. Backdoor Trojan Introduction
7.1 Introduction to Backdoor Trojans
Backdoor Trojans are also called Trojan horses. They are a type of hacker tool based on remote control. In the computer field, a backdoor Trojan is a backdoor program that hackers use to steal other users' personal information or even remotely control the other party's computer. It is spread through various means, or the victim is tricked into executing the program, in order to steal passwords and other data.
Similar to viruses, Trojan programs are highly covert and start when the operating system starts. A complete Trojan horse program consists of two parts: the server (the implanted part) and the client (the controller part). The server is implanted on the victim's computer, and the hacker uses the client to enter the computer running the server.
After the server part of the Trojan is running, it creates a process with a name chosen to look innocuous to the user. It secretly opens ports and sends data (such as online game passwords, instant messaging passwords, and user Internet account passwords) to a designated location. Hackers can even use these open ports to enter the computer system.
In this training camp, there will be three experiments that specifically introduce how to create a Trojan horse and upload the generated Trojan horse to the target machine to infect the target machine. In this experiment, the key parts of the Trojan horse source code will be explained, and the operation process of the Trojan horse and how to maintain the connection with the attacker will be understood.
8. Conclusion
8.1 Summary of this Lesson
This experiment mainly explains how to use Kali Linux to attack the target machine Metasploitable2 in the laboratory building environment, and mainly introduces the use of MSF terminal. First, use Nmap to scan the target machine to collect information, judge the open ports, and analyze whether there may be vulnerabilities.
After synthesizing the information, determine the likely vulnerabilities of the target machine and try to conduct penetration attacks. If the target host can be compromised, the target machine's permissions can be obtained. In many cases, the permissions obtained are not the highest ones, so privilege escalation is needed at that point.
To escalate privileges, we need to analyze the exploitable vulnerabilities in the target machine again. In this experiment, we use the low version of the target machine’s nmap vulnerability to escalate privileges on the Linux target. If the target machine’s Nmap has been upgraded to the latest version, this vulnerability does not exist, and we need to find other vulnerabilities to escalate privileges.
After demonstrating the target machine’s privilege escalation, we then introduced the tools for maintaining the connection and what the backdoor Trojan is. The following experiments mainly focus on the introduction of the tools for maintaining the connection after the penetration is successful, and the next experiment of this training camp, how to make your own Trojan program.
9. Homework
9.1 Homework
After completing this experimental course, please complete the following homework. If you have any questions, you can ask them at any time in the Q&A section of the laboratory building and communicate with teachers and classmates.
- Start the Kali virtual machine in the laboratory building and use the scanning tool Nmap to scan the target machine.
- According to the content in Section 4.2, use the Kali virtual machine to perform a penetration attack on the target machine.
- According to Section 5.1, after the penetration attack succeeds, escalate privileges on the target machine and obtain root user privileges.