Monday, September 1, 2014

Analysing a Netcat reverse shell using tshark

In the previous post we captured the traffic from our Netcat reverse shell.
root@securitynik:~# tcpdump -nnvvi eth0 port 80 -w netcat.pcap

If we look at the capture with tshark, the packet list looks like regular web traffic on port 80:
root@securitynik:~/security-nik# tshark -n -r netcat.pcap | more
  1   0.000000   10.0.0.100 -> 10.0.0.101   TCP 62 1054 > 80 [SYN] Seq=1798455989 Win=64240 Len=0 MSS=1460 SACK_PERM=1
  2   0.000046   10.0.0.101 -> 10.0.0.100   TCP 62 80 > 1054 [SYN, ACK] Seq=2472702830 Ack=1798455990 Win=29200 Len=0 MSS=1460 SACK_PERM=1
  3   0.000353   10.0.0.100 -> 10.0.0.101   TCP 60 1054 > 80 [ACK] Seq=1798455990 Ack=2472702831 Win=64240 Len=0
  4   0.054371   10.0.0.100 -> 10.0.0.101   HTTP 144 Continuation or non-HTTP traffic
  5   0.054401   10.0.0.101 -> 10.0.0.100   TCP 54 80 > 1054 [ACK] Seq=2472702831 Ack=1798456080 Win=29200 
................ 

Nothing in the packet list above looks suspicious. The only hint is frame 4, which tshark labels "Continuation or non-HTTP traffic": the payload going to port 80 does not parse as an HTTP request. To see what is actually inside the packets, let's follow the TCP stream:

tshark -n -r netcat.pcap -z "follow,tcp,ascii,10.0.0.100:1054,10.0.0.101:80"
===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.100 and tcp.srcport eq 1054) and (ip.dst eq 10.0.0.101 and tcp.dstport eq 80)) or ((ip.src eq 10.0.0.101 and tcp.srcport eq 80) and (ip.dst eq 10.0.0.100 and tcp.dstport eq 1054))
Node 0: 10.0.0.100:1054
Node 1: 10.0.0.101:80
90
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\nc>

4
dir

201

dir
 Volume in drive C has no label.
 Volume Serial Number is 8C53-5EB0

 Directory of C:\nc


08/10/2014  07:07 PM    <DIR>          .

08/10/2014  07:07 PM    <DIR>          ..
12/28/2004  12:2
636
3 PM            12,166 doexec.c
07/09/1996  05:01 PM             7,283 generic.h
11/06/1996  11:40 PM            22,784 getopt.c
11/03/1994  08:07 PM             4,765 getopt.h
02/06/1998  04:50 PM            61,780 hobbit.txt
12/27/2004  06:37 PM            18,009 license.txt
09/17/2011  12:46 AM               300 Makefile
09/17/2011  12:52 AM            38,616 nc.exe
09/17/2011  12:52 AM            45,272 nc64.exe
09/17/2011  12:44 AM            69,850 netcat.c
09/17/2011  12:45 AM             6,885 readme.txt
              11 File(s)        287,710 bytes
               2 Dir(s)  11,115,757,568 bytes free

C:\nc>

4
cmd

5

cmd

90

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\nc>



From the above we can see that a Windows command shell was sent out over port 80, and the user on the remote host was able to run "dir" (and then "cmd") in it. The numbers printed on their own lines (90, 4, 201, ...) are tshark's byte counts for each chunk of the stream, which is why one of the listing lines is split around "636".
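The manual "follow the stream" step above is easy to automate once you know what the output looks like. The following is an added example, not code from the original post: it parses the text that `tshark -z "follow,tcp,ascii,..."` prints, skips the header and the per-chunk byte counts, and applies two defender-side checks: does the first payload on a web port look like an HTTP request at all (the "Continuation or non-HTTP traffic" hint), and does the stream contain Windows shell artifacts such as the version banner, a `C:\...>` prompt, or a `dir` listing. The two embedded samples are constructed: one is an abridged copy of the stream shown in this post, the other a benign HTTP exchange for comparison. The function and pattern names are my own.

```python
import re

# Constructed sample: abridged copy of the follow output shown in this post.
SAMPLE_FOLLOW = r"""
===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.100 and tcp.srcport eq 1054) and (ip.dst eq 10.0.0.101 and tcp.dstport eq 80)) or ((ip.src eq 10.0.0.101 and tcp.srcport eq 80) and (ip.dst eq 10.0.0.100 and tcp.dstport eq 1054))
Node 0: 10.0.0.100:1054
Node 1: 10.0.0.101:80
90
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\nc>

4
dir

201

dir
 Volume in drive C has no label.
 Volume Serial Number is 8C53-5EB0

 Directory of C:\nc

C:\nc>
===================================================================
"""

# Constructed sample: a benign HTTP exchange in the same tshark output format.
SAMPLE_HTTP = r"""
===================================================================
Follow: tcp,ascii
Node 0: 10.0.0.100:1055
Node 1: 10.0.0.101:80
36
GET / HTTP/1.1
Host: 10.0.0.101

77
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 13

Hello, world!
===================================================================
"""

HTTP_REQUEST = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/\d\.\d")

# Indicators of an interactive Windows command shell travelling over the stream.
SHELL_PATTERNS = {
    "windows_banner": re.compile(r"Microsoft Windows .*\[Version [\d.]+\]"),
    "windows_prompt": re.compile(r"^[A-Za-z]:\\[^\n>]*>", re.MULTILINE),
    "dir_listing": re.compile(r"^ Volume Serial Number is [0-9A-F]{4}-[0-9A-F]{4}", re.MULTILINE),
}

WEB_PORTS = {80, 8080}


def parse_follow(text):
    """Split tshark 'follow,tcp,ascii' output into its endpoints and payload chunks.

    tshark prints each chunk's byte count on a line of its own before the chunk.
    A count can land in the middle of a payload line (the post's '12:2' / '636' /
    '3 PM' split), so chunks are returned as text and matched line by line rather
    than reassembled into an exact byte stream. Lines before the first byte count
    (e.g. a packet summary when -q is not given) are ignored.
    """
    nodes = {}
    chunks = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("=") or stripped.startswith(("Follow:", "Filter:")):
            continue
        if stripped.startswith("Node ") and current is None:
            idx, endpoint = stripped[5:].split(":", 1)
            nodes[int(idx)] = endpoint.strip()
            continue
        if stripped.isdigit():          # byte count announcing the next chunk
            current = []
            chunks.append(current)
            continue
        if current is None or (not stripped and not current):
            continue                    # header area, or blank line before a chunk
        current.append(line)
    return nodes, ["\n".join(c).rstrip("\n") for c in chunks]


def analyse_stream(text):
    """Return the names of the checks that fired for one followed stream."""
    nodes, chunks = parse_follow(text)
    findings = []
    server_port = int(nodes[1].rsplit(":", 1)[1]) if 1 in nodes else None
    # On a web port the first payload should be an HTTP request line; here the
    # first thing sent is the victim's shell banner, which is what tshark showed
    # as "Continuation or non-HTTP traffic" in the packet list.
    if chunks and server_port in WEB_PORTS and not HTTP_REQUEST.match(chunks[0]):
        findings.append("non_http_on_web_port")
    joined = "\n".join(chunks)
    for name, pattern in SHELL_PATTERNS.items():
        if pattern.search(joined):
            findings.append(name)
    return findings


if __name__ == "__main__":
    for label, sample in (("netcat stream", SAMPLE_FOLLOW), ("benign http", SAMPLE_HTTP)):
        print(label, "->", analyse_stream(sample) or "clean")
```

To run it against a real capture, save the output of the post's command (adding `-q` so tshark prints only the follow block) and pass the file contents to `analyse_stream`. The checks deliberately key on the direction-agnostic text of the stream, because the blog's rendering, like the samples here, has lost the tab indentation tshark uses to mark data from Node 1.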

Reference:
https://www.wireshark.org/docs/wsug_html_chunked/AppToolstshark.html
