Eric,

There is much fun to be had with reverse pipes and ssh tunnels in a similar vein. This is also why I prefer vtun over ssh for tunneling.

And that RPC shell exploit is pretty nasty with regards to bypassing firewalls and real-time access. I think that there will be greater emphasis put on real-time stack level IDS in the near future as these sorts of attacks grow more frequent.

chris

On Wed, 6 Aug 2003, Robinson, Eric R. wrote:

> Date: Wed, 6 Aug 2003 17:03:07 -0700
> From: "Robinson, Eric R." <[EMAIL PROTECTED]>
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: [RLUG] Just Call Me Script Daddy
>
> We are having some fun with reverse command shells here at NDOT. I found
> some sample exploit code on the Internet and compiled it with Visual C++.
>
> I started a netcat session on my Linux machine, then ran my new executable
> on the Windows box. Bingo! It connected to the Linux machine and rendered up
> a Windows command shell. The executable hid itself from the Windows process
> list, so it was not visible in Task Manager or even to third-party tools
> such as pslist from SysInternals.
>
> I am using this fun little experiment to demonstrate to folks here at NDOT
> how a simple executable could be used to bypass our firewall and give a
> remote intruder real-time access to the NDOT network.
>
> I have been studying security for a few years, but this is only the second
> or third time I have compiled exploit code. (I also compiled the recent
> Windows RPC shell exploit, which supposedly works against all flavors of
> Windows, although it only worked against about 10% of the machines I
> tested.)
>
> I guess this officially makes me a script kiddy, although I am 42, so
> perhaps script "daddy" would be more accurate. :-)
>
> Of course, this sort of thing will be old hat to many of you. Does anyone
> else in the list do this kind of experimentation? It would be fun to compare
> notes.
>
> --
> Eric Robinson
>

--
Christopher Neitzert
http://www.neitzert.com/~chris
775.853.5314 - [EMAIL PROTECTED] - pgp key on request
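A defender-side cross-view check in the spirit of the hidden reverse shell Eric describes (a socket-owning process that Task Manager and pslist cannot see), added here as an example and not code from either poster. The process listing, netstat output, PIDs and addresses are all constructed.

```python
"""Cross-view check for a hidden reverse-shell process.
Compares the process list (what Task Manager or pslist shows) with the PIDs
owning TCP connections (what `netstat -ano` shows): an established connection
whose PID has no process-list entry points at a hidden process; one owned by
cmd.exe is a reverse-shell candidate. Sample inputs are constructed."""
import re

# Constructed `tasklist`-style view: image name, PID.
PROCESS_LIST = """\
System                 4
explorer.exe         812
cmd.exe             1404
"""
# Constructed `netstat -ano`-style view. PID 1340 owns a socket but is missing
# from PROCESS_LIST, as a process hidden from the task list would be.
NETSTAT = """\
  TCP    10.1.2.3:1047    203.0.113.5:4444   ESTABLISHED   1340
  TCP    10.1.2.3:1052    10.1.2.20:445      ESTABLISHED   4
  TCP    10.1.2.3:1061    203.0.113.9:53     ESTABLISHED   1404
  TCP    0.0.0.0:135      0.0.0.0:0          LISTENING     812
"""
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+\s+(\S+)\s+(\w+)\s+(\d+)\s*$")
SHELLS = {"cmd.exe"}

def parse_processes(text):
    """Map PID -> image name from a two-column process listing."""
    return {int(pid): name for name, pid in
            (line.split() for line in text.splitlines() if line.strip())}

def parse_netstat(text):
    """Yield (remote, state, pid) for each TCP line of netstat -ano output."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def find_suspicious(process_text, netstat_text):
    """Return (reason, pid, remote) for connections a defender should review."""
    procs = parse_processes(process_text)
    findings = []
    for remote, state, pid in parse_netstat(netstat_text):
        if state != "ESTABLISHED":
            continue  # only live connections matter for a reverse shell
        owner = procs.get(pid)
        if owner is None:
            findings.append(("hidden-process", pid, remote))
        elif owner.lower() in SHELLS:
            findings.append(("shell-owned-connection", pid, remote))
    return findings
```

On a live host the two views would come from `tasklist` and `netstat -ano` captured at the same moment; a PID that owns a socket but is absent from every process enumeration tool is worth a second look regardless of which tool hid it.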
