In the previous post we captured the traffic from our Netcat reverse shell.
root@securitynik:~# tcpdump -nnvvi eth0 port 80 -w netcat.pcap
If we look at the capture, it looks like regular web traffic on port 80:
root@securitynik:~/security-nik# tshark -n -r netcat.pcap | more
1 0.000000 10.0.0.100 -> 10.0.0.101 TCP 62 1054 > 80 [SYN] Seq=1798455989 Win=64240 Len=0 MSS=1460 SACK_PERM=1
2 0.000046 10.0.0.101 -> 10.0.0.100 TCP 62 80 > 1054 [SYN, ACK] Seq=2472702830 Ack=1798455990 Win=29200 Len=0 MSS=1460 SACK_PERM=1
3 0.000353 10.0.0.100 -> 10.0.0.101 TCP 60 1054 > 80 [ACK] Seq=1798455990 Ack=2472702831 Win=64240 Len=0
4 0.054371 10.0.0.100 -> 10.0.0.101 HTTP 144 Continuation or non-HTTP traffic
5 0.054401 10.0.0.101 -> 10.0.0.100 TCP 54 80 > 1054 [ACK] Seq=2472702831 Ack=1798456080 Win=29200
................
Nothing in the summary above looks suspicious. However, if we look inside the packets, there are more interesting things to be seen. Let's see what we get when we follow the TCP stream:
tshark -n -r netcat.pcap -z "follow,tcp,ascii,10.0.0.100:1054,10.0.0.101:80"
===================================================================
Follow: tcp,ascii
Filter: ((ip.src eq 10.0.0.100 and tcp.srcport eq 1054) and (ip.dst eq 10.0.0.101 and tcp.dstport eq 80)) or ((ip.src eq 10.0.0.101 and tcp.srcport eq 80) and (ip.dst eq 10.0.0.100 and tcp.dstport eq 1054))
Node 0: 10.0.0.100:1054
Node 1: 10.0.0.101:80
90
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\nc>
4
dir
201
dir
Volume in drive C has no label.
Volume Serial Number is 8C53-5EB0
Directory of C:\nc
08/10/2014 07:07 PM <DIR> .
08/10/2014 07:07 PM <DIR> ..
636
12/28/2004 12:23 PM 12,166 doexec.c
07/09/1996 05:01 PM 7,283 generic.h
11/06/1996 11:40 PM 22,784 getopt.c
11/03/1994 08:07 PM 4,765 getopt.h
02/06/1998 04:50 PM 61,780 hobbit.txt
12/27/2004 06:37 PM 18,009 license.txt
09/17/2011 12:46 AM 300 Makefile
09/17/2011 12:52 AM 38,616 nc.exe
09/17/2011 12:52 AM 45,272 nc64.exe
09/17/2011 12:44 AM 69,850 netcat.c
09/17/2011 12:45 AM 6,885 readme.txt
11 File(s) 287,710 bytes
2 Dir(s) 11,115,757,568 bytes free
C:\nc>
4
cmd
5
cmd
90
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\nc>
From the above we can see that the shell was pushed out to the remote host over port 80, and the user on the remote host was able to run "dir".
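As an added example (not code from the original post), here is the check a defender could automate once the two directions of a port-80 stream have been reassembled into bytes, for instance from the follow output above: decide whether the stream is real HTTP and flag the Windows shell artefacts seen in this capture. The function name is my own, and the sample streams are constructed from the data shown in this post.

```python
import re

# An HTTP/1.x request line at the very start of the initiator's data, e.g. "GET / HTTP/1.1".
HTTP_REQUEST_RE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")
# An HTTP/1.x status line at the very start of the responder's data, e.g. "HTTP/1.1 200 OK".
HTTP_STATUS_RE = re.compile(rb"^HTTP/1\.[01] \d{3}")
# Windows command-shell artefacts like the ones in the followed stream above.
SHELL_MARKER_RES = (
    re.compile(rb"Microsoft Windows [^\r\n]*\[Version [\d.]+\]"),  # cmd.exe banner
    re.compile(rb"Volume Serial Number is"),                        # "dir" output
    re.compile(rb"[A-Za-z]:\\[^\r\n>]*>"),                          # prompt such as C:\nc>
)


def classify_port80_stream(initiator_data: bytes, responder_data: bytes) -> dict:
    """Classify one reassembled TCP stream to port 80 (hypothetical helper, not tshark's).

    initiator_data is what the host that opened the connection sent, responder_data
    is what came back. Real HTTP starts with a request line in one direction and a
    status line in the other; a reverse shell on port 80 does neither, and its
    payload carries shell banners, prompts and command output instead.
    """
    is_http = bool(HTTP_REQUEST_RE.match(initiator_data)) and bool(
        HTTP_STATUS_RE.match(responder_data))
    both = initiator_data + b"\n" + responder_data
    markers = sorted({m.group(0).decode("ascii", "replace")
                      for rx in SHELL_MARKER_RES for m in rx.finditer(both)})
    return {"is_http": is_http, "shell_markers": markers,
            "suspicious": (not is_http) or bool(markers)}


# Constructed sample: the Netcat reverse shell from the capture (10.0.0.100:1054 -> 10.0.0.101:80).
SHELL_INITIATOR = (b"Microsoft Windows XP [Version 5.1.2600]\r\n"
                   b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\n"
                   b"C:\\nc>dir\r\n Volume in drive C has no label.\r\n"
                   b" Volume Serial Number is 8C53-5EB0\r\n\r\nC:\\nc>")
SHELL_RESPONDER = b"dir\n"
# Constructed sample: an ordinary HTTP exchange on the same port for comparison.
HTTP_INITIATOR = b"GET / HTTP/1.1\r\nHost: 10.0.0.101\r\n\r\n"
HTTP_RESPONDER = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"

if __name__ == "__main__":
    for name, a, b in (("reverse shell", SHELL_INITIATOR, SHELL_RESPONDER),
                       ("plain http", HTTP_INITIATOR, HTTP_RESPONDER)):
        print(name, classify_port80_stream(a, b))
```

An empty stream in either direction is also reported as suspicious, since it cannot be well-formed HTTP.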
Reference:
https://www.wireshark.org/docs/wsug_html_chunked/AppToolstshark.html
goooood <3