During penetration testing, if you’re lucky enough to find a remote command execution vulnerability, you’ll more often than not want to connect back to your attacking machine to leverage an interactive shell.

Below is a collection of reverse shells that use commonly installed programming languages or commonly installed binaries (nc, telnet, bash, etc.). At the bottom of the post is a collection of uploadable reverse shells that ship with Kali Linux.

Setup Listening Netcat

Your remote shell will need a listening netcat instance in order to connect back.

Set your Netcat listening shell on an allowed port

Use a port that is likely allowed via outbound firewall rules on the target network, e.g. 80 / 443

To set up a listening netcat instance, enter the following:

NAT requires a port forward

If your attacking machine is behind a NAT router, you’ll need to set up a port forward to the attacking machine’s IP / port.

ATTACKING-IP is the machine running your listening netcat session; port 80 is used in all examples below (for the reasons mentioned above).

Bash Reverse Shells

PHP Reverse Shell

Netcat Reverse Shell

Telnet Reverse Shell

Remember to listen on 443 on the attacking machine also.

Perl Reverse Shell

Perl Windows Reverse Shell

Ruby Reverse Shell

Java Reverse Shell

Python Reverse Shell

Gawk Reverse Shell

Kali Web Shells

The following shells exist within Kali Linux under /usr/share/webshells/. They are only useful if you are able to upload, inject or transfer the shell to the machine.

Kali PHP Web Shells

| COMMAND | DESCRIPTION |
|---|---|
| /usr/share/webshells/php/php-reverse-shell.php | Pen Test Monkey – PHP Reverse Shell |
| /usr/share/webshells/php/php-findsock-shell.php, /usr/share/webshells/php/findsock.c | Pen Test Monkey, Findsock Shell. Build with gcc -o findsock findsock.c (be mindful of the target server's architecture); execute with netcat, not a browser: nc -v target 80 |
| /usr/share/webshells/php/simple-backdoor.php | PHP backdoor, useful for CMD execution if upload / code injection is possible. Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd |
| /usr/share/webshells/php/php-backdoor.php | Larger PHP shell, with a text input box for command execution. |

Tip: Executing Reverse Shells

The last two shells above are not reverse shells, however they can be useful for executing a reverse shell.

Kali Perl Reverse Shell

| COMMAND | DESCRIPTION |
|---|---|
| /usr/share/webshells/perl/perl-reverse-shell.pl | Pen Test Monkey – Perl Reverse Shell |
| /usr/share/webshells/perl/perlcmd.cgi | Pen Test Monkey, Perl Shell. Usage: http://target.com/perlcmd.cgi?cat /etc/passwd |

Kali Cold Fusion Shell

| COMMAND | DESCRIPTION |
|---|---|
| /usr/share/webshells/cfm/cfexec.cfm | Cold Fusion Shell – aka CFM Shell |

Kali ASP Shell

| COMMAND | DESCRIPTION |
|---|---|
| /usr/share/webshells/asp/ | Kali ASP Shells |

Kali ASPX Shells

| COMMAND | DESCRIPTION |
|---|---|
| /usr/share/webshells/aspx/ | Kali ASPX Shells |

Kali JSP Reverse Shell

| COMMAND | DESCRIPTION |
|---|---|
| /usr/share/webshells/jsp/jsp-reverse.jsp | Kali JSP Reverse Shell |
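
For defenders, the file names and usage URLs in the tables above double as detection signatures. The following is an added example, not part of the original post: it scans Common Log Format access-log lines for requests to those file names or carrying a `cmd` parameter. The log lines, the `CMD_PARAMS` set and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# File names taken from the Kali web shell tables on this page.
KALI_SHELL_NAMES = {
    "php-reverse-shell.php", "php-findsock-shell.php", "simple-backdoor.php",
    "php-backdoor.php", "perl-reverse-shell.pl", "perlcmd.cgi",
    "cfexec.cfm", "jsp-reverse.jsp",
}
# Assumption: "cmd" (the parameter shown on this page) marks command execution.
CMD_PARAMS = {"cmd"}
# Common Log Format: client ident user [time] "METHOD target PROTO" status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (.*) HTTP/[\d.]+" (\d{3})')

# Constructed sample input (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /uploads/simple-backdoor.php?cmd=cat+/etc/passwd HTTP/1.1" 200 1843
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /cgi-bin/perlcmd.cgi?cat%20/etc/passwd HTTP/1.1" 404 196
203.0.113.9 - - [10/Oct/2023:13:56:30 +0000] "GET /data/ourcode.php?cmd=which%20perl HTTP/1.1" 200 24
"""

def classify(line):
    """Return a finding dict for a suspicious log line, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target, status = m.group(1), m.group(2), int(m.group(3))
    parts = urlsplit(target)
    name = unquote_plus(parts.path).rsplit("/", 1)[-1].lower()
    reasons = []
    if name in KALI_SHELL_NAMES:
        reasons.append("known-webshell-name")
    params = parse_qsl(parts.query, keep_blank_values=True)
    if any(k.lower() in CMD_PARAMS and v for k, v in params):
        reasons.append("command-parameter")
    if not reasons:
        return None
    # A 2xx status means the file exists and answered; anything else is a probe.
    severity = "served" if 200 <= status < 300 else "probe"
    return {"client": client, "path": parts.path,
            "severity": severity, "reasons": reasons}

def scan(log_text):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A renamed shell evades the file-name check, so treat a hit as a lead and a clean result as inconclusive.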


1 COMMENT

  1. At this point, I thought about trying to use some programming languages to do the shell connection. Python was unfortunately not installed in the machine (192.168.209.144:8080/phptax/data/ourcode.php?cmd=which python) but Perl actually existed (192.168.209.144:8080/phptax/data/ourcode.php?cmd=which perl) so by having this Perl reverse shell snippet from ethicalhackx:
