Categories
Uncategorised

Remote Shells | one way connection

Breach the formidable NAT and proxies

The goal of this new technique is to illustrate the simplicity of exploit execution for command and control capabilities.

Though there are several techniques. But all are prevented by robust configurations and patched systems.

Ingredients

  • Client Malware
  • Internet facing webpage

Scenario

Here we are assuming that the victim has internet access; though filtered

, NATed, behind firewall(s) and load balancing proxies. The thing under assumption is that victim can access https://attacker.com/commands.txt (at application layer; say a browser) and of course the victim system should be able to execute the malware.

The thing I’m trying to evade is having dedicated TCP connections, typical of a bind / reverse shell. Let’s say there can be no proper outgoing communication channel as per strict policies.


The attack

As stated earlier, initial malware has to be executed and deployed successfully. It could be a macro enabled document or executable. My research does not contain malware evasion or AV bypass, though the type of payload required is not suspicious and should be easy to deploy.

Now the malware contains dropper code. The malware has to do two things.

  • Set a trigger / cron job that executes after certain time and
  • Execute code at https://attacker.com/commands.txt in memory without saving it as a stagger or static file on secondary storage.

That’s it!

Now all we have to do is update the text file with updated comments. I prefer .ps1 extension for the commands file since my malware is mostly PowerShell based. But you could choose whatever fits the scenario as this is a concept.

Just note that the victim is behind NAT from attackers perspective; is still vulnerable; because the victim can open attacker.com and read any file hosted as it is on internet. This research provides red-teamers with added weapon in their arsenel. I’ll soon be publishing a technical PoC for this with GPL 3.0.

If you want to learn more, or if you are interested in helping with the project, head over to the GitHub.

8 replies on “Remote Shells | one way connection”

Your way of describing all in this paragraph is truly nice,
every one be able to without difficulty be aware of it,
Thanks a lot.

I’ve been browsing online more than 2 hours today, yet I never found any interesting article like yours.
It is pretty worth enough for me. Personally, if all website owners and bloggers
made good content as you did, the internet will be a lot more useful
than ever before. This is a topic which is near to my heart…
Take care! Where are your contact details though? Wow, this piece of writing is good, my sister
is analyzing such things, thus I am going to convey her.

Excellent blog you have got here.. It’s difficult to find high quality writing like yours nowadays.
I honestly appreciate people like you! Take care!!

Greate post. Keep posting such kind of information on your page.
Im really impressed by it.
Hello there, You have done a great job. I’ll definitely digg it and for my
part recommend to my friends. I’m confident they will be benefited from this site.

Good day! Would you mind if I share your blog with my zynga group?
There’s a lot of folks that I think would really enjoy your content.
Please let me know. Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *