Monday, September 1, 2014

Analysing a Netcat reverse shell using tcpflow

In the previous post we analyzed the netcat reverse shell session using tshark. Let's try something different. This time we will use tcpflow.

root@securitynik:~/security-nik# tcpflow -e -r netcat.pcap -v 

Once we execute the above command, a set of files will be created in our current directory.

root@securitynik:~/security-nik# tcpflow -e -r netcat.pcap -v 
tcpflow[4334]: tcpflow version 0.21 by Jeremy Elson <jelson@circlemud.org>
tcpflow[4334]: looking for handler for datalink type 1 for interface netcat.pcap
tcpflow[4334]: found max FDs to be 16 using OPEN_MAX
tcpflow[4334]: 010.000.000.100.01054-010.000.000.101.00080: new flow
tcpflow[4334]: 010.000.000.101.00080-010.000.000.100.01054: new flow
tcpflow[4334]: 010.000.000.100.01054-010.000.000.101.00080: opening new output file
tcpflow[4334]: 010.000.000.101.00080-010.000.000.100.01054: opening new output file

From the above, we see two files were created, one for each direction of the TCP connection. If we cat each of these files we can see the payload that was carried in that direction. Let's try that.

root@securitynik:~/security-nik# cat 010.000.000.100.01054-010.000.000.101.00080
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\nc>dir
 Volume in drive C has no label.
 Volume Serial Number is 8C53-5EB0

 Directory of C:\nc

08/10/2014  07:07 PM    <DIR>          .
08/10/2014  07:07 PM    <DIR>          ..
12/28/2004  12:23 PM            12,166 doexec.c
07/09/1996  05:01 PM             7,283 generic.h
11/06/1996  11:40 PM            22,784 getopt.c
11/03/1994  08:07 PM             4,765 getopt.h
02/06/1998  04:50 PM            61,780 hobbit.txt
12/27/2004  06:37 PM            18,009 license.txt
09/17/2011  12:46 AM               300 Makefile
09/17/2011  12:52 AM            38,616 nc.exe
09/17/2011  12:52 AM            45,272 nc64.exe
09/17/2011  12:44 AM            69,850 netcat.c
09/17/2011  12:45 AM             6,885 readme.txt
              11 File(s)        287,710 bytes
               2 Dir(s)  11,115,757,568 bytes free

C:\nc>cmd
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.


The above looks quite interesting. It even took less work than tshark :-)

Let's see what the second file has.

root@securitynik:~/security-nik# cat 010.000.000.101.00080-010.000.000.100.01054 
dir
cmd

Looks like the second file, the flow from 10.0.0.101:80 back to 10.0.0.100:1054, shows the commands that were sent to the shell and executed.
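To make clear what tcpflow did for us, here is an added illustration that is not part of the original post: a minimal Python reassembler that splits a pcap into per-direction flows, orders each by TCP sequence number, names the flows the way tcpflow names its files, and flags the reverse-shell pattern seen above (the Windows cmd banner coming from the host on the ephemeral port rather than from the listener). The pcap is constructed inline to mirror the post's two flows; the "ephemeral port is the higher port" rule is a simplifying heuristic, not tcpflow's.

```python
import socket
import struct
from collections import defaultdict

def flow_name(src, sport, dst, dport):
    """tcpflow's file-name convention: zero-padded octets and five-digit ports."""
    pad = lambda ip: ".".join(f"{int(o):03d}" for o in ip.split("."))
    return f"{pad(src)}.{sport:05d}-{pad(dst)}.{dport:05d}"

def tcp_packet(src, sport, dst, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero for brevity."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def pcap_bytes(frames):
    """Wrap frames in a pcap file (link type 1 = Ethernet, as in the post's tcpflow output)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def reassemble(pcap):
    """Return {flow_name: bytes}: each direction's payload, ordered by TCP sequence number."""
    segs, off = defaultdict(list), 24
    while off < len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        sport, dport, seq = struct.unpack_from("!HHI", tcp)
        segs[flow_name(src, sport, dst, dport)].append((seq, tcp[(tcp[12] >> 4) * 4:]))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in segs.items()}

def reverse_shell_hint(flows):
    """Heuristic: flag flows where the ephemeral-port side sends a cmd banner (a real service sends its banner from the listener)."""
    hits = []
    for name, data in flows.items():
        sport, dport = (int(half.rsplit(".", 1)[1]) for half in name.split("-"))
        if b"Microsoft Windows" in data and sport > dport:
            hits.append(name)
    return hits

# Constructed sample mirroring the post (victim 10.0.0.100:1054 -> listener 10.0.0.101:80),
# fed in out of order to exercise the sequence-number reordering.
BANNER = b"Microsoft Windows XP [Version 5.1.2600]\r\n(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\nc>"
OUTPUT = [BANNER, b"dir\n Volume in drive C has no label.\r\n", b"C:\\nc>"]
SEQS = [1, 1 + len(OUTPUT[0]), 1 + len(OUTPUT[0]) + len(OUTPUT[1])]
shell = [tcp_packet("10.0.0.100", 1054, "10.0.0.101", 80, s, p) for s, p in zip(SEQS, OUTPUT)]
command = tcp_packet("10.0.0.101", 80, "10.0.0.100", 1054, 1, b"dir\n")
FLOWS = reassemble(pcap_bytes([shell[0], command, shell[2], shell[1]]))
```

The two keys of FLOWS are exactly the file names tcpflow produced above, and the listener-to-victim flow holds only the typed commands while the victim-to-listener flow holds the shell output.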

Within the previous three posts, we set up and detected a Netcat reverse shell.

Reference:
http://linux.die.net/man/1/tcpflow
