Powercat for Pentester
Powercat is a simple network utility designed to perform low-level network communication operations. It implements the well-known Netcat functionality in Powershell. Interestingly, traditional anti-virus solutions usually allow Powercat to execute without flagging it. Moreover, the utility’s installed size is just 68 KB. Its portability and platform independence make it an essential arrow in every red teamer’s quiver. In this article, we’ll demonstrate and learn the functionality of this tool.
Basic Options in Powercat
Powercat supports various options to play around with. We’ll cover the following in this article.
| -l | Listen for a connection |
| -c | Connect to a listener |
| -p | The port to connect to, or listen on |
| -e | Execute |
| -ep | Execute Powershell |
| -g | Generate Payload |
| -ge | Generate Encoded Payload |
| -d | Disconnect stream |
| -i | Input data |
Setting up Powercat
Powershell execution policy is a safety feature in Windows which determines which scripts can or cannot run on the system, therefore, we need to set the Powershell execution policy to “bypass.” This would allow all scripts to run without restriction. Thereafter, we need to download Powercat using wget.
Now that we have downloaded the Powercat script, we can import it directly into the current Powershell terminal. After importing, we are ready to use Powercat for various red teaming operations.
Port Scanning
Powercat includes the functionality to scan open ports efficiently. It does this by attempting a TCP connection to the defined ports. For example, if we want to check for running services on ports 21, 22, 80, or 443, we can use the following method:
Notably, we append the port numbers as a list variable. The client mode (-c flag) specifies the target for scanning. As shown in the screenshot below, if a port is open, Powercat successfully establishes a stream with the service. Additionally, the disconnect option (-d) tells Powercat to immediately close the stream after confirming it’s open. Therefore, this technique allows us to discover open ports effectively using Powercat.
File Transfer
File transfer is possible in Powercat by data input in the data stream and fetching it at the client end.
Let’s create a text file called “notes.txt” in the current folder. Here, input flag (-i) is used to input data in the stream. This can be used to move files, byte array object or strings too.
Now, we’ll first set up the listener at the client end. Let us use netcat in Linux for ease here. After setting it up, we’ll then use Powercat to transfer this text file.
Now, whatever was in notes.txt has been transferred to our destination. As you can see, the file is successfully created after a successful connection was terminated.
Bind Shell
Bind shell refers to the process where the attacker is able to connect to an open listener at the target machine and interact. To demonstrate this, we’ll set up a listener at the target using Powercat and then connect to it. There are two scenarios here:
- Netcat to Powercat: Here, the attacker is Kali and Windows has a listener running on it.
Attacker -> Kali
Victim -> Windows
In an ideal scenario, the attacker would deliver a code that gets executed to open a listener and then allow the attacker to further communicate with the victim by connecting to it.
And thus, we observe that the interactive session is now active on the attacker machine.
- Powercat to Powercat: The same could be achieved between two Powercat scripts too. On the listener, we set up port 9000 and the attacker to connect and deliver the cmd executable.
Listener: Ignite (Windows username)
Attacker: raj (Windows username)
As you can see that the attacker is successfully being able to connect to the listener and spawns an interactive session. We checked the identity using whoami.
Reverse Shell
Reverse shell refers to the process in which the attacker machine has a listener running to which the victim connects and then the attacker executes code.
- Netcat to Powercat: Here, Kali (netcat) is the attacker machine with the listener running on port 443 and Windows running Powercat (victim) shall connect to it.
Attacker: Netcat (Kali)
Victim: Ignite (Windows username)
This is achieved by first running netcat in listener mode on the attacker machine and then running powercat in client mode to connect.
As you can see, as soon as the victim enters the Powershell command, we get an interactive shell
- Powercat to Powercat: The same can be done with two Windows devices too.
Attacker: Ignite (Windows Username)
Victim: raj (Windows Username)
Let’s set up a listener on port 9000 first and then run powercat in client mode to connect to it.
As you can see, an interactive shell has been spawned by connecting to this listener.
But of course, the above Powercat command at the victim’s end is just a simulation of how gaining an interactive shell through remote code execution in real life would work.
Standalone shell
This option proves useful when we can execute a script on the target system. It allows an attacker to embed a reverse shell in a “.ps1” file and simply wait for its execution. For example, imagine a cron job is running that executes a writable script. In that case, an attacker could copy-paste a Powercat command to obtain a reverse shell—even if direct PowerShell execution is restricted.
Make sure the listener is running. We are using Kali as an attacker machine using netcat.
As you can see, there are multiple ways to get an interactive shell on the target machine using netcat.
Encoded Shell
To evade traditional security devices like Anti-Virus solutions, we can encode the shell that we used above. Powercat has a good feature to encode a command to Hexadecimal Array. This way, some of the basic security features can be bypassed. This is done by:
And then the shell can be run by using the powershell -E option which can execute an encoded string.
The string is then encoded value from above.
We had set up a listener in our attacker machine (kali) beforehand and were waiting for the connection. As you can see the shell is getting executed successfully.
Tunnelling
Tunnelling is the most efficient mechanism of maintaining stealth while doing red team operations or even in real-life scenarios. Powershell and Powercat can help us with tunnelling and hiding our identity next time we conduct a red team assessment.
Here, there are three machines. Here, the Attacker communicates with a machine with two LAN cards and attacks a machine running on an alternate subnet (192.168.146.0/24)
Now, let’s assume the attacker already has access to the tunnel machine. We’ll replicate the scenario using the Enter-PSSession command. This utility allows us to get an interactive Powershell terminal of the tunnel with the help of credentials.
After we input the credentials, we can see that an interactive PowerShell session has been spawned.
We run ipconfig as a validator command however, we made an interesting observation. This machine had two LAN cards configured and there was another adapter attached. It is possible that other machines are running on this subnet.
Scanning and Relaying with Powercat
To work on our observation, we’d need Powercat in this system. We download it using wget.
But before we can run this script, we need to change the execution policy again. Also, upon little searching, we found that 192.168.146.129 was alive and responding. Let’s scan this system using Powercat
As you can see, there were three ports open: 21,22,80
Now, if we set up a traffic relay here, our attacker system might be able to communicate and connect with SSH on the victim machine (192.168.146.129)
We’ll use Powercat to set up a traffic relay:
As you can see above, TCP traffic from port 22 on 192.168.146.129 is now being relayed by 192.168.146.128 (tunnel) on port 9090. Thus, from an external system, we use PuTTY to connect to the tunnel machine’s 9090 port which will connect us to the victim machine.
And just like that, we now have completed our tunnel and accessed our victim machine.
We can use Powercat to setup relay on port 80 too through which we’ll be able to access the website running on victim.
As evident, the victim is now accessible through this tunnel.
Powercat One Liner
Powercat’s reverse shell exists as a one-liner command too. Assume that we have code execution on the victim, we can use Powercat’s one-liner to get a reverse shell back on the listener running on the attacker’s machine. For this process, we need to download Powercat in a separate folder and run a web server.
Now, we’ll set up a listener on port 4444 in the attacker (kali) machine immediately. Meanwhile, we have code execution on the target and thus, we’ll use the following Powershell/Powercat one liner:
Soon as we hit enter, we’ll receive a reverse shell on the listener running in Kali.
Conclusion
In conclusion, we have demonstrated multiple Powercat functionalities in this article. Today, red teamers frequently use this tool in real-world red team assessments, and it’s becoming a staple in several cybersecurity certification programs. Hopefully, this article helps aspiring analysts, students, or professionals understand Powercat in a simple yet practical way.
HACK RF + NETHUNTER PHONE
SHOOTING AND PRACTICING ACCURACY WITH GUNS WITH HIGH RECOIL
USING WIGLE + WIFITE + ALFA ADAPTER IN ORDER TO TEST WIFI NETWORKS AND INTERCEPT HTTPS TRAFFIC
Daily practice and real-time application is key to perfection