by Ed Skoudis
Many pen testers know how to create a reverse backdoor shell with Netcat. But, what do you do if you have a Netcat that doesn't support the —e or —c options to run a shell? And, what if your target doesn't support /dev/tcp? In this article, I'll show you a nifty little work-around using some command-line kung fu with shell redirects.
Netcat is fantastic little tool included on most Linuxes and available for Windows as well. You can use Netcat (or its cousin, Ncat from the Nmap project) to create a reverse shell as follows:
First, on your own pen test machine, you create a Netcat listener waiting for the inbound shell from the target machine:
skodo@pentestbox# nc —nvlp 443
Here, I'm telling Netcat (nc) to not resolve names (-n), to be
[Editor's note: Volume Shadow copies on Windows completely rock. They give administrative tools (and penetration testers) access to all kinds of wonderful things on Windows, including recently deleted files, files with a lock on them, and much more. They are almost like a nifty side channel into the guts of the Windows file system, making it ripe for exploration, research, and pwnage with a heavy does of plundering mixed in for good measure. Mark Baggett has been one of the main gents (along with Tim Tomes) leading the charge in researching how pen testers can use Volume Shadow copies. In this post, Mark shows how you can use Python to interact with Volume Shadow copies, so you can explore them in-depth. After describing how to list, create, and access such copies from Python, he provides a nifty Python script called vssown.py that does all the work for you. I'm hoping that the info Mark provides here inspires readers to start more aggressive analysis of Volume Shadow
[Editor's note: In this article, Tim Medin walks us through a few steps of a recent pen test he did, wherein he exploits phpMyAdmin. The best part of this write up is that he shows the mindset of a pen tester as he methodically attacks the target system step by step. In the process, he provides some good insight into exploiting PHP flaws via a MySQL instance running on a Windows target as well. Nice! --Ed.]
A wee time ago on a pen test not far, far away, I was looking for that first toehold; the first shell that split the test wide open; my entry into the target; the toe in the door; the camel's nose in the tent; the first part of the whatever that gets into there wherever that it shouldn't be in the first place. I kicked off an nmap sweep using the http-enum script, in hopes of finding an interesting web server with an even more interesting set of directories. Here is my command:
$ nmap -sT -T3 -PS80,443,8000,8443,8800 -p 80,443,8000,8443,8080 ...
by Ed Skoudis
Over the weekend, I was thinking about the wonderful psexec capabilities of tools like Metasploit, the Nmap Scripting engine smb-psexec script, and the psexec tool itself from Microsoft Sysinternals. It's my go-to exploit on Windows targets, once I have gained SMB access and admin credentials (username and password, or username and hash for pass-the-hash attacks). It works on a fully patched Windows environment, giving you code execution with local system privileges of a program or Metasploit payload of your choice. That's especially helpful in a penetration test once you gain access to an internal network that is relatively well patched. We talk a lot about how to leverage this capability creatively and effectively in my SANS 560 course on Network
[Editor's Note: Mark Baggett has a really clever and useful set of penetration testing tips in this blog entry on post-exploitation techniques to plunder suspended guest virtual machines for credentials. It's a nifty idea, eminently useful in an ethical hacking project, and Mark highlights exactly the tools, steps, and commands needed. Nice stuff, Mark! --Ed.]
Privilege Escalation through Suspended VMs
by Mark Baggett
You, my penetration testing friend, have just successfully exploited a target organization administrator's workstation in your latest ethical hacking project. However, it appears that target system personnel are doing all the right things. The domain administrator does not use his administrative accounts on the compromised workstation and they have patched their computers against all known privilege-escalation attacks. The result is that your shell is running under the context of the current non-administrative