Vanilla PowerShell Reverse Shell Using SMTP
Lately, as you may have noticed, I’ve been delving into the world of custom PowerShell reverse shells. I’ve been challenging myself to create tools that don’t rely on external dependencies, especially on the client side. Instead, my focus has been on using unconventional protocols and methods to establish remote connections.
My most recent experiment led to the creation of a reverse shell that communicates through custom headers and response messages in SMTP (Simple Mail Transfer Protocol). By embedding data in those two fields, one for each direction, I was able to craft a working reverse shell. It’s a method that aims to fly under the radar a bit, and I’m excited to test how security measures will handle this.
In this article, I’ll walk you through the theory and share the proof of concept code that achieves a ping-pong exchange between the client and the server.

Note that this article is written for educational purposes and is intended only for legal penetration testing and red teaming activities, where explicit permission has been granted. If you wish to test any of the scripts provided, please refer to the disclaimer at the end of this article.
But before we dive into the proof of concept code, let’s take a quick look at the final result: a functional reverse shell that moves data in both directions by embedding it in SMTP headers (client to server) and in the text of the server’s reply lines (server to client).

The Theory
Before I could start writing code I had to figure out where to embed my data, as I didn’t want to use the e-mail subject or body. After all, the client is the one initiating the connection and also needs to be able to receive data. In SMTP the client is the only side that ever sends message content; the only thing flowing back to it is the server’s reply lines (a three-digit code followed by free text), so the return channel has to live in that reply text.
As stated in the SMTP RFC (RFC 5321, section 4.5.3.1.6), each text line of the message, header lines included, can carry a good deal of data:
The maximum total length of a text line including the <CRLF> is 1000 octets (not counting the leading dot duplicated for transparency). This number may be increased by the use of SMTP Service Extensions.
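As an added example (not the article’s own tool, and not its wire format), the PowerShell below shows one way to split an arbitrary payload across header lines so that every line stays inside the 1000-octet limit quoted above, and to reassemble it on the other side. It does the same for the return direction using a multi-line reply, which RFC 5321 (section 4.5.3.1.5) caps at 512 octets per reply line. The header name X-Chunk, the example addresses and the sample command output are assumptions made for the demonstration.

```powershell
# Added example, not the article's own tool: chunk a payload across SMTP header
# lines (client -> server) and across multi-line reply text (server -> client),
# keeping every line inside the limits RFC 5321 sets, then reassemble it.
# Header name, addresses and sample command output below are assumptions.

$TextLineLimit  = 1000   # RFC 5321 4.5.3.1.6: text line incl. CRLF
$ReplyLineLimit = 512    # RFC 5321 4.5.3.1.5: reply line incl. code and CRLF

function ConvertTo-HeaderChunks {
    param(
        [Parameter(Mandatory)][string]$Payload,
        [string]$HeaderName = 'X-Chunk',      # assumed header name
        [int]$LineLimit = $TextLineLimit
    )
    # Base64 keeps the value in printable ASCII, so one char is one octet and
    # no line can start with '.', which would otherwise need dot-stuffing
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Payload))
    # Reserve "<name>-<idx>: " (index assumed <= 4 digits) plus the CRLF
    $chunkSize = $LineLimit - ($HeaderName.Length + 1 + 4 + 2 + 2)
    $lines = @()
    $idx = 0
    for ($pos = 0; $pos -lt $b64.Length; $pos += $chunkSize) {
        $len = [Math]::Min($chunkSize, $b64.Length - $pos)
        $lines += '{0}-{1}: {2}' -f $HeaderName, $idx, $b64.Substring($pos, $len)
        $idx++
    }
    return $lines
}

function ConvertFrom-HeaderChunks {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string]$HeaderName = 'X-Chunk'
    )
    # Pick our chunk headers out of the full header block by name and index,
    # ignoring From/To/Subject and anything a relay may have added or reordered
    $pattern = '^{0}-(\d+):\s*(\S*)$' -f [regex]::Escape($HeaderName)
    $parts = @{}
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if ($m.Success) { $parts[[int]$m.Groups[1].Value] = $m.Groups[2].Value }
    }
    $b64 = ($parts.Keys | Sort-Object | ForEach-Object { $parts[$_] }) -join ''
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Test-SmtpLineLengths {
    param([Parameter(Mandatory)][string[]]$Lines, [int]$Limit = $TextLineLimit)
    # +2 for the CRLF that terminates each line on the wire; headers are ASCII
    foreach ($line in $Lines) {
        if ([Text.Encoding]::ASCII.GetByteCount($line) + 2 -gt $Limit) { return $false }
    }
    return $true
}

function ConvertTo-ReplyLines {
    param(
        [Parameter(Mandatory)][string]$Payload,
        [int]$Code = 250,
        [int]$LineLimit = $ReplyLineLimit
    )
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Payload))
    $chunkSize = $LineLimit - 6      # "250-" or "250 " plus CRLF
    $chunks = @()
    for ($pos = 0; $pos -lt $b64.Length; $pos += $chunkSize) {
        $chunks += $b64.Substring($pos, [Math]::Min($chunkSize, $b64.Length - $pos))
    }
    if ($chunks.Count -eq 0) { return @("$Code ") }
    # RFC 5321 4.2.1: continuation lines use "<code>-", the final line "<code> "
    $lines = @()
    for ($i = 0; $i -lt $chunks.Count; $i++) {
        $sep = if ($i -eq $chunks.Count - 1) { ' ' } else { '-' }
        $lines += '{0}{1}{2}' -f $Code, $sep, $chunks[$i]
    }
    return $lines
}

function ConvertFrom-ReplyLines {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Strip the 3-digit code and its separator from every line, then decode
    $b64 = ($Lines | ForEach-Object { $_.Substring(4) }) -join ''
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

# Constructed demo (not captured traffic): ~3.4 KB of text that cannot fit in one line
$payload = 'Get-ChildItem -Recurse C:\Users | Select-Object FullName;' * 60
$headerLines = ConvertTo-HeaderChunks -Payload $payload
$message = @('From: client@example.test', 'To: listener@example.test', 'Subject: sync') +
           $headerLines + @('', 'Hello')      # empty line ends the headers
'{0} chunk lines, all within limit: {1}' -f @($headerLines).Count, (Test-SmtpLineLengths $message)
'Header round trip intact: {0}' -f ((ConvertFrom-HeaderChunks -Lines $message) -eq $payload)

$output = 'DESKTOP-01\user'                  # assumed command output from the client
$replyLines = ConvertTo-ReplyLines -Payload $output
$replyLines
'Reply round trip intact: {0}' -f ((ConvertFrom-ReplyLines -Lines $replyLines) -eq $output)
```

The 1000-octet figure is the protocol ceiling, not a guarantee from any relay in the path: an intermediate MTA is free to fold, reorder or drop headers it does not recognise, which is why the reassembly step matches chunks by name and index rather than by position. Test-SmtpLineLengths is the check to run against the finished DATA section before sending it, so an oversized line fails locally instead of being rejected or mangled by the server.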