

There are many distributions of linux, and they all do things a little differently regarding default security and built-in tool sets. Which means when engaging these different flavors during a pentest, what works against one linux target to get an interactive shell may not work against another.

Well, not to worry my friends, there are many techniques for spawning shells, specifically reverse shells, from linux, and one or more of these techniques is bound to be available no matter which distro you're looking at.

The scenario is this: you have the ability to run a simple command, or cause a user to run a simple command, on the target system. There are many instances of this scenario, whether it be via a Remote Command Execution vulnerability in a website, or some sort of php injected XSS which causes a privileged user to run commands on the target system.

Starting from the easiest and most common, here are some of the techniques which can be used to gain a reverse shell on the target system.

#1 netcat:
Fire up a listener on the attacker machine on a port which is reachable from the target and connect back to the listener with netcat.

#2 netcat with GAPING_SECURITY_HOLE disabled:
When GAPING_SECURITY_HOLE is disabled, which means you don't have access to the '-e' option of netcat, most people pass on using netcat and move to something else. This is a little trick that Ed Skoudis tweeted about in November of last year, but I haven't seen it widely publicized. It is based on the common technique used to build netcat relays. Create a FIFO file system object and use it as a backpipe to relay standard output from commands piped from netcat to /bin/bash back into netcat. Sounds confusing, right? The following image should clear things up.

#3 /dev/tcp:
I love "hacks" that use features of the operating system against itself. This one takes the /dev/tcp socket programming feature and uses it to redirect /bin/bash to a remote system. It's not always available, but can be quite handy when it is.

#4 telnet:
/dev/tcp not available either? Just use telnet with technique #2.

#5 two telnet sessions:
This is clearly the ugliest of the techniques. I'm not sure why you'd use this technique, but it's an option, so here it is nonetheless. This technique uses two telnet sessions connected to remote listeners to pipe input from one telnet session to /bin/bash, and pipe the output to the second telnet session. Commands are entered into one of the attacker's listeners and feedback is received on the other.

#6 python script for Remote Command Execution:
This applies to Remote Command Execution vulnerabilities only. Rather than manually enter commands into a proxy or browser url, I wrote a small python script which gives you the feel of a shell, without spawning anything in reverse from the target. You merely pass the script the vulnerable url with the injectable field replaced with the '' tag and it presents you with a clean interface for entering commands. In the background, the script is making the request to the web server, parsing the response, and presenting it to you.

#7 PHP reverse shell via interactive console:
The last technique makes use of the php interactive console. The attacker issues one command which moves to the /tmp directory (because it is typically world writable), uses wget to download a malicious php reverse_tcp backdoor (which the attacker hosts on a web server that he controls), and executes the backdoor via the interactive console.

The majority of these techniques were learned in Ed Skoudis' amazing Security 504 and 560 classes available through SANS. I want to end this post by stating that I am not the originator of techniques #1, 2, 3, 5, or 7.
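As an added defender-side example (not from the original post): each of the netcat, FIFO backpipe, /dev/tcp and telnet techniques leaves a shell process whose standard descriptors point at a socket, at a named FIFO, or at a pipe shared with nc or telnet, and that wiring is visible under /proc. The script below applies those checks to a constructed process snapshot; the Proc records, pids and paths are made up for the example, and a real collector would fill them from /proc/<pid>/comm, /proc/<pid>/stat and readlink on /proc/<pid>/fd/N.

```python
from collections import namedtuple

# Constructed snapshot of /proc: comm, parent pid and the (kind, target) of
# fds 0-2, as readlink + stat on /proc/<pid>/fd/N would report. Sample data only.
Proc = namedtuple("Proc", "pid ppid comm std")
SHELLS = {"bash", "sh", "dash", "zsh", "php", "python", "perl"}
NET_CLIENTS = {"nc", "ncat", "netcat", "telnet"}

def _net_peers(procs):
    """Pipe and FIFO targets held on a std fd by any nc/telnet process."""
    peers = set()
    for p in procs:
        if p.comm in NET_CLIENTS:
            peers.update(t for k, t in p.std if k in ("pipe", "fifo"))
    return peers

def find_relayed_shells(procs):
    """Map pid -> reasons for shells wired up by nc -e, FIFO backpipe, /dev/tcp or telnet relays."""
    by_pid = {p.pid: p for p in procs}
    peers = _net_peers(procs)
    hits = {}
    for p in procs:
        if p.comm not in SHELLS:
            continue
        reasons = set()
        for kind, target in p.std:
            if kind == "socket":
                reasons.add("std fd is a socket (nc -e or /dev/tcp redirection)")
            elif kind == "fifo" and target in peers:
                reasons.add("FIFO %s is also open in nc/telnet (backpipe relay)" % target)
            elif kind == "pipe" and target in peers:
                reasons.add("std fd is a pipe shared with nc/telnet (piped relay)")
        parent = by_pid.get(p.ppid)
        if parent and parent.comm in NET_CLIENTS:
            reasons.add("parent process is %s" % parent.comm)
        if reasons:
            hits[p.pid] = sorted(reasons)
    return hits

# Constructed sample: a benign interactive login shell, a shell spawned by nc -e
# with the socket on its std fds, and a FIFO backpipe relay through nc.
TTY = ("tty", "/dev/pts/0")
SOCK = ("socket", "socket:[4711]")
SAMPLE = [
    Proc(100, 1, "bash", [TTY, TTY, TTY]),
    Proc(200, 199, "nc", [TTY, TTY, TTY]),
    Proc(201, 200, "bash", [SOCK, SOCK, SOCK]),
    Proc(300, 1, "nc", [("fifo", "/tmp/backpipe"), ("pipe", "pipe:[900]"), TTY]),
    Proc(301, 1, "bash", [("pipe", "pipe:[900]"), ("fifo", "/tmp/backpipe"), TTY]),
]
```

Running `find_relayed_shells(SAMPLE)` flags pids 201 and 301 and leaves the login shell alone; the two-telnet-session variant is caught by the shared-pipe rule in the same way.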
