Reverse Shells + Bind + Web
Listen
Typical
netcat
-l
listen-v
verbose-n
No DNs resolution-p <port>
port
Payloads
More at PayloadAllTheThings
Also at HighOn.Coffee
great one: https://www.revshells.com/
Bash
Powershell
Sanitization/Stabilization/Upgrading TTY
After connecting, often the shell is unstable and can be weird to use.
Then CTRL + Z
to go back to local shell
Then we should have a stable shell but not using all screen.
On a local shell:
On remote shell:
Bind Shell
Bash
Python
Powershell
Web shell
This is also covered in File Inclusion
PHP
JSP
ASP
Default webroots:
ASP shells
Laudanum, One Webshell to Rule Them All
You can get it here. Laudanum is built into Parrot OS and Kali by default.
The Laudanum files can be found in the /usr/share/laudanum
directory. For most of the files within Laudanum, you can copy them as-is and place them where you need them on the victim to run. For specific files such as the shells, you must edit the file first to insert your attacking
host IP address
Add your IP address to the allowedIps
variable on line 59
.
Antak Webshell
Antak is a web shell built-in ASP.Net included within the Nishang project. Nishang is an Offensive PowerShell toolset that can provide options for any portion of your pentest.
Modify the file
PHP Shells
Considerations when Dealing with Web Shells
When utilizing web shells, consider the below potential issues that may arise during your penetration testing process:
Web applications sometimes automatically delete files after a pre-defined period
Limited interactivity with the operating system in terms of navigating the file system, downloading and uploading files, chaining commands together may not work (ex.
whoami && hostname
), slowing progress, especially when performing enumeration -Potential instability through a non-interactive web shellGreater chance of leaving behind proof that we were successful in our attack
Also, we must document every method we attempt, what worked & what did not work, and even the names of the payloads & files we tried to use. We could include a sha1sum or MD5 hash of the file name, upload locations in our reports as proof, and provide attribution.
Last updated