In the previous post we analyzed the netcat reverse shell session using tshark. Let's try something different. This time we will use tcpflow.
root@securitynik:~/security-nik# tcpflow -e -r netcat.pcap -v
Once we execute the above command, a set of files will be created in our current directory.
root@securitynik:~/security-nik# tcpflow -e -r netcat.pcap -v
tcpflow[4334]: tcpflow version 0.21 by Jeremy Elson <jelson@circlemud.org>
tcpflow[4334]: looking for handler for datalink type 1 for interface netcat.pcap
tcpflow[4334]: found max FDs to be 16 using OPEN_MAX
tcpflow[4334]: 010.000.000.100.01054-010.000.000.101.00080: new flow
tcpflow[4334]: 010.000.000.101.00080-010.000.000.100.01054: new flow
tcpflow[4334]: 010.000.000.100.01054-010.000.000.101.00080: opening new output file
tcpflow[4334]: 010.000.000.101.00080-010.000.000.100.01054: opening new output file
From the above, we see two files were created. If we cat each of these files we can see the contents of the packets. Let's try that.
root@securitynik:~/security-nik# cat 010.000.000.100.01054-010.000.000.101.00080
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\nc>dir
Volume in drive C has no label.
Volume Serial Number is 8C53-5EB0
Directory of C:\nc
08/10/2014 07:07 PM <DIR> .
08/10/2014 07:07 PM <DIR> ..
12/28/2004 12:23 PM 12,166 doexec.c
07/09/1996 05:01 PM 7,283 generic.h
11/06/1996 11:40 PM 22,784 getopt.c
11/03/1994 08:07 PM 4,765 getopt.h
02/06/1998 04:50 PM 61,780 hobbit.txt
12/27/2004 06:37 PM 18,009 license.txt
09/17/2011 12:46 AM 300 Makefile
09/17/2011 12:52 AM 38,616 nc.exe
09/17/2011 12:52 AM 45,272 nc64.exe
09/17/2011 12:44 AM 69,850 netcat.c
09/17/2011 12:45 AM 6,885 readme.txt
11 File(s) 287,710 bytes
2 Dir(s) 11,115,757,568 bytes free
C:\nc>cmd
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
The above looks quite interesting. It even took less work than tshark :-)
Let's see what the second file has.
root@securitynik:~/security-nik# cat 010.000.000.101.00080-010.000.000.100.01054
dir
cmd
Looks like the second file shows the commands which were executed.
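To make explicit what tcpflow is doing here, the following is an added Python example (not from the original post or from the tcpflow project) that stitches constructed TCP segments into per-direction streams named the way tcpflow names its output files, handles the out-of-order and retransmitted segments a real capture contains, and then flags a direction carrying a cmd.exe banner and prompt, the reverse-shell pattern seen above. The IPs and ports mirror the capture; the segment payloads are constructed.

```python
import re
from collections import defaultdict

def tcpflow_name(src, sport, dst, dport):
    # tcpflow's file naming: each IP octet zero-padded to 3 digits, port to 5 digits.
    pad = lambda ip, port: ".".join(f"{int(o):03d}" for o in ip.split(".")) + f".{port:05d}"
    return f"{pad(src, sport)}-{pad(dst, dport)}"

def reassemble(segments):
    # Group TCP payloads by direction and stitch them in sequence order. Segments are
    # (src, sport, dst, dport, seq, payload); out-of-order and retransmitted data is handled.
    flows = defaultdict(list)
    for src, sport, dst, dport, seq, data in segments:
        if data:
            flows[tcpflow_name(src, sport, dst, dport)].append((seq, data))
    out = {}
    for name, segs in flows.items():
        segs.sort()
        buf, nxt = bytearray(), segs[0][0]
        for seq, data in segs:
            if seq + len(data) <= nxt:
                continue                            # pure retransmission, nothing new
            if seq < nxt:
                data, seq = data[nxt - seq:], nxt   # partial overlap: keep only the new tail
            buf += data
            nxt = seq + len(data)
        out[name] = bytes(buf)
    return out

BANNER = re.compile(rb"Microsoft Windows .*\[Version [\d.]+\]")
PROMPT = re.compile(rb"^[A-Z]:\\.*>", re.M)

def find_shell_flows(flows):
    # A cmd.exe banner plus a drive-letter prompt inside one direction of a flow is the
    # reverse-shell pattern from the capture: the victim pushes its shell out to the listener.
    return [n for n, d in flows.items() if BANNER.search(d) and PROMPT.search(d)]

# Constructed sample segments modelled on the post's capture (not real packet data):
# 10.0.0.100:1054 is the Windows box, 10.0.0.101:80 the netcat listener.
SAMPLE = [
    ("10.0.0.101", 80, "10.0.0.100", 1054, 1, b"dir\n"),
    ("10.0.0.100", 1054, "10.0.0.101", 80, 41, b"C:\\nc>"),                                   # out of order
    ("10.0.0.100", 1054, "10.0.0.101", 80, 1, b"Microsoft Windows XP [Version 5.1.2600]\n"),
    ("10.0.0.100", 1054, "10.0.0.101", 80, 1, b"Microsoft Windows XP [Version 5.1.2600]\n"),  # retransmit
    ("10.0.0.101", 80, "10.0.0.100", 1054, 5, b"cmd\n"),
]

if __name__ == "__main__":
    flows = reassemble(SAMPLE)
    print(find_shell_flows(flows), flows)
```

Because the shell output travels from the client side of the connection to port 80, matching on the banner in the client-to-server direction is what separates this traffic from ordinary HTTP on the same port.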
Within the three previous posts, we set up and detected a NetCat reverse shell.
Reference:
http://linux.die.net/man/1/tcpflow