Re: command-line reverse connection tunnel?

From: Roy Keene (sf@rkeene.org)
Date: 02/21/03

    Date: 20 Feb 2003 23:17:39 -0000
    From: Roy Keene <sf@rkeene.org>
    To: pen-test@securityfocus.com

    In-Reply-To: <001501c2a7cc$a914b9f0$5f81b242@ethics01>

    I wrote a suite of Tcl scripts to accomplish this goal a few years ago; it has been listed on SecurityFocus for a long time as reverseutils.

    http://www.securityfocus.com/tools/784

    I've recently added another set of commands to the utility set, the ability to do TCP over a CGI (for example if you have a webserver behind some kind of complicated firewall setup -- like I do), but it only works well enough for me to use it in emergencies and thus is not included in that (old) package.

    >Message-ID: <001501c2a7cc$a914b9f0$5f81b242@ethics01>
    >Reply-To: "Nick Jacobsen" <nick@ethicsdesign.com>
    >From: "Nick Jacobsen" <nick@ethicsdesign.com>
    >To: <pen-test@securityfocus.com>
    >Subject: command-line reverse connection tunnel?
    >Date: Thu, 19 Dec 2002 18:07:57 -0800
    >Organization: Ethics Design
    >
    >As to the subject, I don't know how else to describe what I need in simple
    >words :)
    >
    >I am hoping one of you might have an idea on how to implement the following,
    >keeping in mind that everything MUST be done using a command-line only. I
    >have a machine ("SERVER1") behind a firewall that lets in only port 80, on
    >which there is an HTTP server, but lets out all traffic. I need to connect
    >my machine ("CLIENT") to that server's Remote Desktop, which runs on port
    >3389. I have command line access to the remote machine by sending a reverse
    >command prompt. So, the question is, what tools are out there that would
    >let me create a tunnel as follows:
    >
    >SERVER1 ----> CLIENT1(port whatever) <---- CLIENT1(Listener port 3389)
    >CLIENT1(RDP client program) -----> CLIENT1(port 3389) <- Existing Pipe ->
    >SERVER1(port 3389)
    >
    >To explain, I need a program on SERVER1 that creates a connection to
    >CLIENT1. The connection that is created to CLIENT1 then needs to listen on
    >port 3389. When CLIENT1 receives a connection, it needs to pass it through
    >the existing pipe, and SERVER1 needs to connect to itself on port 3389.
    >
    >Sort of confusing, I know, and any other suggestions would be welcome, with
    >the stipulation that, again, SERVER1 can only accept outside connections
    >from port 80, but can make connection to any computer.
    >
    >Thanks,
    >Nick Jacobsen
    >Ethics Design
    >nick@ethicsdesign.com
    >

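    The topology Nick asks for, as an added example written for this page (it is not Roy Keene's reverseutils and not code posted anywhere in the thread): a minimal single-connection reverse tunnel in Python, run entirely on loopback. SERVER1's agent dials out to CLIENT1 (outbound is allowed through the firewall), CLIENT1 accepts that pipe and then listens on its own local "3389" for the RDP client, and when that client arrives CLIENT1 sends a one-byte go signal so SERVER1 connects to its own 3389 and both ends splice the sockets. The go byte, the use of ephemeral loopback ports, and the echo service standing in for Remote Desktop are all assumptions of this demo, not part of the original design.

```python
# Added example, not code from the thread: the reverse-connection tunnel
# Nick Jacobsen describes, with three roles run on loopback.
#   server_agent  - runs on SERVER1, dials OUT to CLIENT1 (outbound allowed)
#   client_side   - runs on CLIENT1, accepts that pipe, listens on its own
#                   "3389" for the local RDP client, then splices the two
#   echo_service  - constructed stand-in for Remote Desktop on SERVER1:3389
# The GO byte and the ephemeral ports are assumptions of this demo.
import socket
import threading

GO = b"\x01"  # assumed signal: "a local client arrived, connect to your 3389"


def start_listener(port=0):
    """Bind a loopback listener; port 0 lets the OS pick a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))
    s.listen(1)
    return s


def pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the far end sees EOF."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(a, b):
    """Splice two sockets both ways; return once both directions have hit EOF."""
    t1 = threading.Thread(target=pump, args=(a, b))
    t2 = threading.Thread(target=pump, args=(b, a))
    t1.start()
    t2.start()
    t1.join()
    t2.join()
    a.close()
    b.close()


def server_agent(client_host, client_port, local_host, local_port):
    """SERVER1 side: dial out to CLIENT1, wait for GO, then connect to the
    local service (Remote Desktop on 3389 in the question) and relay."""
    pipe = socket.create_connection((client_host, client_port))
    if pipe.recv(1) != GO:
        pipe.close()
        return
    target = socket.create_connection((local_host, local_port))
    relay(pipe, target)


def client_side(control_listener, app_listener):
    """CLIENT1 side: accept SERVER1's outbound pipe, then accept the local RDP
    client, send GO over the pipe, and splice the two connections."""
    pipe, _ = control_listener.accept()
    control_listener.close()
    app, _ = app_listener.accept()
    app_listener.close()
    pipe.sendall(GO)
    relay(pipe, app)


def echo_service(listener):
    """Constructed stand-in for the service on SERVER1:3389: echo until EOF."""
    conn, _ = listener.accept()
    listener.close()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)


def run_demo(payload=b"hello through the reverse tunnel"):
    """Wire all three roles on loopback, push payload into CLIENT1's local
    listener as the RDP client would, and return what SERVER1's service sent back."""
    svc = start_listener()  # SERVER1 "3389"
    ctl = start_listener()  # CLIENT1 "port whatever" that SERVER1 dials
    app = start_listener()  # CLIENT1 "3389" for the local RDP client
    svc_port, ctl_port, app_port = (s.getsockname()[1] for s in (svc, ctl, app))
    threads = [
        threading.Thread(target=echo_service, args=(svc,), daemon=True),
        threading.Thread(target=client_side, args=(ctl, app), daemon=True),
        threading.Thread(target=server_agent, daemon=True,
                         args=("127.0.0.1", ctl_port, "127.0.0.1", svc_port)),
    ]
    for t in threads:
        t.start()
    chunks = []
    with socket.create_connection(("127.0.0.1", app_port)) as rdp_client:
        rdp_client.sendall(payload)
        rdp_client.shutdown(socket.SHUT_WR)  # nothing more to send; wait for echo
        while True:
            data = rdp_client.recv(4096)
            if not data:
                break
            chunks.append(data)
    for t in threads:
        t.join(timeout=5)
    return b"".join(chunks)


if __name__ == "__main__":
    print(run_demo())
```

    In real use the `server_agent` role is what you would start from the reverse command prompt on SERVER1 (pointing it at CLIENT1's address and control port) and the `client_side` role is what you run on CLIENT1 before pointing the RDP client at 127.0.0.1:3389. Two caveats a practitioner will want: this carries exactly one session and does no multiplexing, so a second RDP connection needs a second pipe; and the pipe is plaintext and unauthenticated, so anyone who can reach CLIENT1's control port can play SERVER1, which is why a tool like this is normally wrapped in SSH or TLS rather than used bare.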