Original: Coding diary (wechat official ID: Codelogs), welcome to share, reprint please reserve the source.

scenario

Most of the time, we need to operate multiple machines in batches. The industry uses Ansible to do this, but using Ansible to operate multiple machines requires that you have SSH permission. Unfortunately, for developers, you do not have SSH permission for formal environment machines, so you can only log in to the machine through a specified entry. Understandable, after all, the formal environment is so important.

However, if your production environment has access to your development machine, you can access the machine through the reverse Shell, and then combine the reverse Shell with TMUX to operate multiple machines at the same time, which is what this article covers.

Positive and negative to the Shell

If you are familiar with the NC command, you must have heard that NC can build forward or reverse Shell, here will not explain the concept of forward or reverse Shell, explain not clear, directly on the NC forward Shell and reverse Shell examples.

Due to the ambiguity of the NC command itself, the NC command introduced in some articles is Ncat, and the NC command introduced in some articles is netcat. There are some differences between these two commands. Therefore, in this example, nCAT is directly used to avoid confusion.

The IP address of the developer is 192.168.0.10. The IP address of the server is 192.168.0.1

1. Use NCAT listening on the server
ncat -l 9999 -e /bin/bash
# Forward Shell, 2. Development machine connectionNcat 192.168.0.1 9999# reverse Shell, 1. Development machine using NCAT listening
ncat -l 9999
# reverse Shell, 2. Connect to serverNcat 192.168.0.10 9999 -e /bin/bashCopy the code

The effect is as follows:

  • Forward Shell: NCAT listens on port 9999 on the server. When the development machine uses NCAT to connect, the nCAT on the server will open a bash process to service the connection.
  • Reverse Shell: NCAT listens on port 9999 on the development machine. When the server connects with NCAT, nCAT on the server opens a bash process to service the connection.

In fact, the difference between forward and reverse shells is only the direction of establishing TCP connections. The Shell interaction process provided for NCAT is as follows: Ncat (client) <-> ncat(server) <-> bash After a command is entered and entered in the ncat(client) of the development machine, the command is sent to the Ncat (server) over the network. After the NCAT (server) receives the command, After the bash process executes the command, the command execution result is returned to nCAT (Server), and nCAT (server) is returned to nCAT (client) on the development machine through the network connection.

When using the reverse Shell, however, there are a number of inconvenients, such as using tail -f to view the log file. When you want to exit tail, Ctrl + C also exits the ncat process. This is the worst part. For example, Tab completion /Up Arrow history/vim/Ctrl + D /Ctrl + Z cannot be used, which is very uncomfortable. This type of Shell is usually called Weak Shell, but to get Strong Shell, socat is needed.

Obtain the Strong Shell from socat

Socat is similar to the nc command, but much more powerful. For example, socat can be used to obtain a complete Shell, as follows:

1. Use SOCAT listening on the server
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp-listen:9999,bind= 0.0.0.0 reuseaddr, fork# Forward Shell, 2. Development machine connection
socat file:`tty`,raw,echo= 0 TCP: 192.168.0.1:9999# reverse Shell, 1. Development machine using SOCAT listening
socat file:`tty`,raw,echo=0 tcp-listen:9999,bind= 0.0.0.0 reuseaddr, fork# reverse Shell, 2. Connect to server
socat exec:'bash -li'Pty, stderr setsid, sigint, sane TCP: 192.168.0.10:9999Copy the code

The effect is as follows:

The principle is similar to that of NCAT, except that SOCAT can provide tty and PTY, because things like Ctrl + C are themselves signals provided to Bash by a terminal tty, not characters, so in NCAT, without a TTY, Ctrl + C signals cannot be passed to bash programs on the server.

The Shell interaction provided by SOcat looks like this: tty <-> socat(client) <-> SOcat (server) <-> pty <-> bash

What is tty? I don’t understand this very well. I can simply think of the keyboard and the screen as TTY, and what is typed on the keyboard is input to TTY, and what is output from TTY is displayed on the screen.

Tmux enables simultaneous operation of multiple machines

Tmux is a terminal multiplexer, which is most commonly used to achieve split-screen. Since the reverse Shell can be obtained through SOCAT, the reverse Shell of each machine can be displayed on each split-screen of TMUX, and the command execution results of multiple reverse shells can be seen. At the same time, the tty operation of a special split-screen, Forwarding to multiple reverse shells at the same time, realizing the simultaneous operation of multiple machines, the effect is as follows:

The following is the command to implement the multi-machine operation:

# 1. Development machine listening
nohup socat tcp-listen:9999,bind= 0.0.0.0 reuseaddr, forkexec:'bash socatscript.sh' &
# 2. Connect on multiple servers
nohup socat exec:'bash -li'Pty, stderr setsid, sigint, sane TCP: 192.168.0.10:9999 &# 3. Enter the TMUX split screen
tmux a -t socatSession
Copy the code

This is the implementation of the script socatscript.sh

#! /bin/bash

SOCKDIR=$(mktemp -d)
SOCKF=${SOCKDIR}/usock
SESSION_NAME=${1:-socatSession}
WINDOW_NAME=${2:-socatWindown}

# create session and window
tmux has-session -t $SESSION_NAME
if [[ $? -eq 1 ]];then
    tmux new -s $SESSION_NAME -n $WINDOW_NAME -d "socat file:\`tty\`,raw,echo=0 exec:'ncat -lk 9998'"
fi
# split windown 0
tmux split-window -h -t 0 "socat file:\`tty\`,raw,echo=0 UNIX-LISTEN:${SOCKF},umask=0077"
tmux select-pane -t 0
tmux select-layout -t $WINDOW_NAME main-horizontal
tmux resize-pane -t 0 -y 2
# Wait for socket
while test ! -e ${SOCKF} ; do sleep 1 ; done
while ! $(ncat -z localhost 9998) ;do sleep 1; done;
# Use socat to ship data between the unix socket and STDIO.
socat -U STDOUT TCP:localhost:9998 &
exec socat STDIO UNIX-CONNECT:${SOCKF}
Copy the code

The main function is to create a new split screen on TMUX every time there is a reverse Shell connection, and display the reverse Shell on this new split screen. At the same time, provide a special split screen (the top one), the commands entered on this split screen, will be forwarded to the reverse Shell. If you find that the text in the reverse Shell cannot be displayed in full screen, you need to reset the current tty display width and height by using stty Rows 63 Columns 204.

Also, if you have access to an SSH machine and want to execute commands using tMUx split-screen mode, simply replace bash with SSH, as follows:

# 1. Development machine listening
nohup socat tcp-listen:9999,bind= 0.0.0.0 reuseaddr, forkexec:'bash socatscript.sh' &
# 2. Development machine, using SSH to connect to multiple machines
nohup socat exec:'sshpass -p "xxx" ssh [email protected]',pty,stderr,setsid,sigint,sane tcp:localhost:9999 &
# 3. Enter the TMUX split screen
tmux a -t socatSession
Copy the code

Don’t you have to install ansible?

conclusion

The socat command is so powerful that it’s worth a good look, and once you’ve done it, you’ll find that your understanding of various concepts has improved.

Content of the past

Curl curl curl curl curl curl curl curl curl curl