超强2000平台下Shell程序ACKcmd后门分析-骇客基地-黑客入门

简介
-=-=-=-=--=
ACKcmd是提供Win2000下远程命令Shell的一种后门，它使用TCP来传输，但是不同于一般正常的TCP连接有三次握手，ACKcmd仅使用了TCP ACK数据包，所以一般情况下可以穿越防火墙及躲避IDS的检测。

ACKcmd采用client/server结构，在目标机器上运行AckCmdS.exe植入后门，入侵者在客户端运行命令AckCmdC <target ip>即可获得一个远程的Shell。

分析
-=-=-=-=--=
我们现在用sniffit来观察ACKcmd的数据是怎样传输的。入侵者在192.168.0.29，连入目标机器192.168.0.2：

E:\Tools>ackcmdc 192.168.0.2

AckCmd 1.1 - The Ack Command Prompt for Windows 2000
           - (c) 2000, Arne Vidstrom, arne.vidstrom@ntsecurity.nu
           - For instructions see http://ntsecurity.nu/toolbox/ackcmd/

Type "quit" and press Enter to quit

AckCmd> net name    <------ 输入命令

名称
-------------
SERVER2000
ADMINISTRATOR
命令成功完成。

AckCmd> quit        <------ 退出

sniffit抓到的包如下：

TCP Packet ID (from_IP.port-to_IP.port): 192.168.0.29.80-192.168.0.2.1054
   SEQ (hex): 6060606   ACK (hex): 6060606
   FLAGS: -A----   Window: 4000
Packet ID (from_IP.port-to_IP.port): 192.168.0.29.80-192.168.0.2.1054
45 E 00 . 00 . 38 8 00 . 00 . 00 . 00 . 80 . 06 . B9 . 50 P C0 . A8 . 00 . 1D .
C0 . A8 . 00 . 02 . 00 . 50 P 04 . 1E . 06 . 06 . 06 . 06 . 06 . 06 . 06 . 06 .
70 p 10 . 40 @ 00 . E6 . C6 . 00 . 00 . 02 . 04 . 05 . B4 . 01 . 01 . 04 . 02 .
6E n 65 e 74 t 20   6E n 61 a 6D m 65 e

TCP Packet ID (from_IP.port-to_IP.port): 192.168.0.2.1054-192.168.0.29.80
   SEQ (hex): 6060606      FLAGS: ---R--
Packet ID (from_IP.port-to_IP.port): 192.168.0.2.1054-192.168.0.29.80
45 E 00 . 00 . 28 ( 04 . A8 . 00 . 00 . 80 . 06 . B4 . B8 . C0 . A8 . 00 . 02 .
C0 . A8 . 00 . 1D . 04 . 1E . 00 . 50 P 06 . 06 . 06 . 06 . 06 . 06 . 06 . 06 .
50 P 04 . 00 . 00 . 11 . EB . 00 . 00 .

TCP Packet ID (from_IP.port-to_IP.port): 192.168.0.2.1054-192.168.0.29.80
   SEQ (hex): 6060606   ACK (hex): 6060606
   FLAGS: -A----   Window: 4000
Packet ID (from_IP.port-to_IP.port): 192.168.0.2.1054-192.168.0.29.80
45 E 00 . 00 . CD . 04 . A9 . 00 . 00 . 80 . 06 . B4 . 12 . C0 . A8 . 00 . 02 .
C0 . A8 . 00 . 1D . 04 . 1E . 00 . 50 P 06 . 06 . 06 . 06 . 06 . 06 . 06 . 06 .
70 p 10 . 40 @ 00 . 1C . C1 . 00 . 00 . 02 . 04 . 05 . B4 . 01 . 01 . 04 . 02 .
0D . 0A . C3 . FB . B3 . C6 . 20   20   20   20   20   20   20   20   20   20
20   20   20   20   0D . 0A . 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D -
2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D -
2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D -
2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D -
2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D - 2D -
2D - 2D - 2D - 2D - 2D - 0D . 0A . 53 S 45 E 52 R 56 V 45 E 52 R 32 2 30 0 30 0
30 0 20   20   20   20   20   20   0D . 0A . 41 A 44 D 4D M 49 I 4E N 49 I 53 S
54 T 52 R 41 A 54 T 4F O 52 R 20   20   20   0D . 0A . C3 . FC . C1 . EE . B3 .
C9 . B9 . A6 . CD . EA . B3 . C9 . A1 . A3 . 0D . 0A . 0D . 0A .         &nb

[1] [2] 下一页


	黑客首页　\|　服务指南　\|　软件发布　\|　关于我们　\|　本站声明　\|　隐私声明　\|　诚征英才　\|　网站地图　\|　友情链接　\|
	中国·黑客·骇客·基地　请使用IE6.0版本, 分辩率1024×768进行浏览 www.hookbase.com 站长：利客　Email:hookbase@163.com Copyright © 2004-2009 All Rights Reserved. 粤ICP备05000985号