Shells

Reverse Shell

We are starting a listener on our machine and we are triggering a connection from the target machine to ourselves.

Useful for internal engagements or when we have access to the firewall we are behind
Sometimes they don't work for various reasons
https://www.revshells.com/

Bind Shell

Opposite of a reverse shell, we connect to the target machine

Useful if we are able to open a port on the target firewall

Making our shell more friendly

Usually a reverse shell will not be very friendly, no prompt, no autocomplete or clear, sometimes the echo is weird etc. There are a few days to fix this:

If Python is available on the machine, we can spawn a pty shell:

python -c 'import pty; pty.spawn("/bin/bash")'

After doing this, there are a few quality of life changes you can make

background the shell ctrl+z
stty raw -echo
fg [enter] [enter]
- this will bring you back into the shell
export TERM=xterm

If you find that python is not on the machine, you can still get a shell that's a little better:

script /dev/null -c bash

Windows

Many times on Windows, the AV will block these attemps - we can try to disable it with the following in Powershell:

Set-MpPreference -DisableRealtimeMonitoring $true

Metasploit

We can use the psexec module in metasploit and then provide username and password or username and hash
When using this module, set your payload appropriately
- for this instance we used windows/x64/meterpreter/reverse_tcp

psexec.py

this tool is a bit quieter and harder to detect:

$ psexec.py [domain]/[user]:'[password]'@[target]

Can use hashes as well with the -hashes [hash] flag

wmiexec.py

Uses the same syntax as psexec

smbexec.py

Uses the same syntax as psexec

IN ALL OF MY ATTEMPTS WITH WINDOWS 11 ALL OF THESE ATTEMPTS WERE CAUGHT.

Even using a Group Policy to turn off Windows Defender Antivirus, disabling Tamper mode, restarting the machines, Windows Defender came back on after some time and caught the attempts.

Payloads

msfvenom is a great tool for building payloads
darkarmour is also great for building payloads and obfuscating them: https://github.com/bats3c/darkarmour

Many prebuild payloads can be found at the following repositories:

GitHub - swisskyrepo/PayloadsAllTheThings: A list of useful payloads and bypass for Web Application Security and Pentest/CTFGitHub

GitHub - samratashok/nishang: Nishang - Offensive PowerShell for red team, penetration testing and offensive security.GitHub

PreviousDNS Enumeration NextPayloads

Last updated 1 month ago

hashtagReverse Shell

hashtagBind Shell

hashtagMaking our shell more friendly

hashtagWindows

hashtagMetasploit

hashtagpsexec.py

hashtagwmiexec.py

hashtagsmbexec.py

hashtagIN ALL OF MY ATTEMPTS WITH WINDOWS 11 ALL OF THESE ATTEMPTS WERE CAUGHT.

hashtagPayloads