Re: Server initiated remote shell

From: auto241065@hushmail.com
Date: 09/22/01


Message-Id: <200109220142.f8M1g4k22199@mailserver1.hushmail.com>
From: auto241065@hushmail.com
To: pen-test@securityfocus.com
Subject: Re: Server initiated remote shell
Date: Fri, 21 Sep 2001 18:42:04 -0700


What do you mean when you say you can execute a program on an internal host but there is no way in? I'm not clear if you are talking about so-called "firewall-piercing", or whether you want to lure someone behind the firewall to visit a malicious web site that will provide you with a shell on their box?

In the first case corkscrew (http://www.agroman.net/corkscrew/), which tunnels SSH through HTTP proxies, is one of many tools. For the second way, look at the many Microsoft IE and Outlook bugs for Windows clients and you should be able to figure something out. Actually, many times all you need is a little bit of JavaScript. If it's a Unix client, it's a little harder. I generally find there really is "another way in". If not, Netscape and gdb should give you some ideas, depending on the platform, but you may have to bust out a wee bit of asm. Also try Java, see if you can symlink something important to a temp file, stuff like that.

Also, you can use forms to post to URLs using ports other than 80, and craft them in such a way as to send arbitrary data to those ports.

----- Original Message -----
>Hi,
>
>Let's suppose that I can execute a program on an inside
>host on a network protected by a firewall. There is no
>way in. But there is a way out to www browsing on port
>80.
>
>So the client could connect to any Internet address on
>port 80. What program should it execute to provide me
>with a shell? Of course I'm on the Internet with a
>listener. What listener?
>
>The firewall is a real stateful firewall so no TCP
>ACK or ICMP encapsulations.
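The thread turns on one fact: a stateful firewall that permits outbound port 80 checks TCP state, not whether the bytes on the connection are HTTP, so SSH-over-proxy tools like corkscrew and form posts to odd ports pass straight through. As an added illustration (not code from the list post, and not corkscrew's or any vendor's code), the Python below models the check an application-layer proxy or egress inspector would apply instead: it classifies the opening bytes of a port-80 connection and only honours CONNECT for a fixed set of destination ports. The sample payloads, hostnames and ports are constructed placeholders.

```python
import re

# Constructed samples (not from the list post): the first bytes an egress
# inspector would see on outbound TCP connections that a stateful firewall
# has already accepted because the destination port is 80.
SAMPLES = {
    "browser_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh_banner": b"SSH-2.0-OpenSSH_2.9p2\r\n",                      # raw SSH on port 80
    "connect_ssh": b"CONNECT ssh.example.org:22 HTTP/1.0\r\n\r\n",  # corkscrew-style CONNECT
    "connect_tls": b"CONNECT www.example.com:443 HTTP/1.0\r\n\r\n", # ordinary HTTPS via proxy
    "raw_bytes": b"\x00\x01\x02 not an HTTP request line",
}

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")


def classify(data, allowed_connect_ports=(443,)):
    """Classify the opening bytes of a port-80 connection.

    Returns (verdict, reason). Anything that does not start with an HTTP
    request line is blocked, and CONNECT is honoured only for the ports in
    allowed_connect_ports. That second rule is what stops an HTTP proxy from
    being used as a generic TCP relay to, for example, port 22.
    """
    m = REQUEST_LINE.match(data)
    if m is None:
        return ("block", "no HTTP request line at start of stream")
    method = m.group(1).decode("ascii")
    target = m.group(2).decode("ascii", "replace")
    if method not in HTTP_METHODS:
        return ("block", f"unknown method {method}")
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            return ("block", "CONNECT target must be host:port")
        if int(port) not in allowed_connect_ports:
            return ("block", f"CONNECT to port {port} is not permitted")
        return ("allow", f"CONNECT to {host}:{port}")
    return ("allow", f"{method} {target}")


def audit(samples, **policy):
    """Run classify over a dict of name -> bytes and return name -> verdict."""
    return {name: classify(data, **policy)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = classify(data)
        print(f"{name:12} {verdict:5} {reason}")
```

Run as a script it prints one verdict per sample; the two CONNECT samples show that the policy, not the protocol check alone, decides whether a tunnel to port 22 is allowed. A real proxy would additionally need to keep inspecting after the first bytes (the request line proves nothing about what follows on a long-lived connection), which is a second check this fragment leaves out.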



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
