PowerSSH

Spawns a SSH server on windows.

PowerSSH.ps1 is a PowerShell tool that provides an SSH shell (no installation required) from Windows to an attacker machine.

It can bypass the Windows Defender on the recent version of Windows 11, allowing remote access to a machine in under 10 seconds.

First, it downloads all the necessary files for establishing an SSH connection to an attacker's machine. By using these file we will forwards the SSH listener port to one of our local ports (On attacker machine).
The script then downloads the official binary of SSH from https://github.com/PowerShell/Win32-OpenSSH/, which is 1.5 MB in size.
Finally, it spawns an SSH server on localhost. Since we have already forwarded the SSH server port to our attacker machine, we can connect to it using SSH localhost with a private key.

The technique was originally discovered by XCT, who uploaded a script in Rust. I have made several modifications to the script.

I've converted the script to PowerShell, making it easier to execute during a pentest. For example, you can program it on a Rubber Ducky USB and execute it in under 10 seconds on a victim host.
I've added an AMSI bypass technique to the script.
I've included anti-sandbox detection to identify whether the script is running in a sandbox environment or not.
I've added functionality for connecting multiple victim hosts to our computer using a random port each time the script runs.
The script will send the (Username, Current Time, Port Number) to our server, which we will store for logging purposes.

Last updated 1 year ago

Spawns a SSH server on windows.

PowerSSH.ps1 is a PowerShell tool that provides an SSH shell (no installation required) from Windows to an attacker machine.

It can bypass the Windows Defender on the recent version of Windows 11, allowing remote access to a machine in under 10 seconds.

First, it downloads all the necessary files for establishing an SSH connection to an attacker's machine. By using these file we will forwards the SSH listener port to one of our local ports (On attacker machine).
The script then downloads the official binary of SSH from https://github.com/PowerShell/Win32-OpenSSH/, which is 1.5 MB in size.
Finally, it spawns an SSH server on localhost. Since we have already forwarded the SSH server port to our attacker machine, we can connect to it using SSH localhost with a private key.

The technique was originally discovered by XCT, who uploaded a script in Rust. I have made several modifications to the script.

I've converted the script to PowerShell, making it easier to execute during a pentest. For example, you can program it on a Rubber Ducky USB and execute it in under 10 seconds on a victim host.
I've added an AMSI bypass technique to the script.
I've included anti-sandbox detection to identify whether the script is running in a sandbox environment or not.
I've added functionality for connecting multiple victim hosts to our computer using a random port each time the script runs.
The script will send the (Username, Current Time, Port Number) to our server, which we will store for logging purposes.

Last updated 1 year ago