The connect scan is performed when Nmap is executed with user privileges or when IPv6 addresses are scanned.

TCP null scan. The -sN option instructs Nmap to send packets that have none of the SYN, RST, and ACK flags set. When the TCP port is closed, a RST packet is sent in return. When the TCP port is open or filtered, there is no response.

TCP/IP Hijacking is when an authorized user gains access to a genuine network connection of another user. It is done in order to bypass the password authentication which is normally the start of a session. In theory, a TCP/IP connection is established as shown below. To hijack this connection, there are two possibilities.
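The flag behaviour described above for the null scan (probe without SYN/RST/ACK, RST from a closed port, silence from an open or filtered one) can be turned into a small defender-side classifier. This is an added example, not code from the page; the packet records are constructed in a tcpdump-like shape (src, dst, sport, dport, flag letters), and FIN/Xmas-style probes, which also lack SYN/RST/ACK, fall into the same "null" bucket.

```python
# Added example (not from the page): classify TCP probe packets by flag set and
# summarise what an observed null scan did, from the defender's side.
from collections import Counter

# Constructed sample log: (src, dst, sport, dport, flags) with tcpdump flag letters.
SAMPLE_PACKETS = [
    ("10.0.0.5",  "10.0.0.20", 40001, 22,    ""),    # flagless probe
    ("10.0.0.20", "10.0.0.5",  22,    40001, "RA"),  # closed port -> RST/ACK back
    ("10.0.0.5",  "10.0.0.20", 40002, 80,    ""),    # open/filtered -> no reply
    ("10.0.0.5",  "10.0.0.20", 40003, 443,   ""),
    ("10.0.0.9",  "10.0.0.20", 51322, 80,    "S"),   # ordinary handshake start
    ("10.0.0.9",  "10.0.0.20", 51322, 80,    "A"),
]

def classify_probe(flags):
    """Classify a TCP flag string (letters S, A, R, F, P, U)."""
    flagset = set(flags.upper())
    if not flagset & {"S", "R", "A"}:
        return "null"    # none of SYN/RST/ACK: -sN style (FIN/Xmas variants land here too)
    if flagset == {"S"}:
        return "syn"     # plain connection attempt
    if "R" in flagset:
        return "reset"   # the RST a closed port returns
    return "other"

def null_scan_sources(packets, threshold=2):
    """Sources that sent at least `threshold` flagless probes."""
    counts = Counter(src for src, _d, _sp, _dp, flags in packets
                     if classify_probe(flags) == "null")
    return {src: n for src, n in counts.items() if n >= threshold}

def probed_port_status(packets, scanner, target):
    """What the scan revealed: 'closed' where the target answered RST, else 'open|filtered'."""
    probed = {dp for s, d, _sp, dp, f in packets
              if s == scanner and d == target and classify_probe(f) == "null"}
    reset_from = {sp for s, d, sp, _dp, f in packets
                  if s == target and d == scanner and classify_probe(f) == "reset"}
    return {port: ("closed" if port in reset_from else "open|filtered")
            for port in sorted(probed)}
```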
In our previous tutorial we discussed SSH pivoting; today we are going to discuss RDP pivoting.
From Offensive Security
Pivoting is a technique to get inside an unreachable network with the help of a pivot (center point). In simple words, it is an attack through which an attacker can exploit a system that belongs to a different network. For this attack, the attacker needs to exploit the main server, which lets the attacker join its local network; the attacker will then be able to target the client system.
Lab Setup requirement:
Attacker machine: Kali Linux
Pivot Machine (server): Windows operating system with two network interfaces
Target Machine (client): Windows 7 (RDP service allowed)
Use exploit MS17-010 or multi handler to hack the pivot machine and bypass its UAC to achieve admin privileges.
Hence, if you count, the attacker currently holds 2 sessions: the 1st for the meterpreter shell and the 2nd for the UAC bypass of the server.
Check the network interface through the following command:
From the given image you can observe two network interfaces in the victim's system: the 1st for IP 192.168.0.27, through which the attacker is connected, and the 2nd for IP 192.168.100.100, through which the clients (targets) are connected.
Since the attacker belongs to the 192.168.0.1 interface and the client belongs to the 192.168.100.0 interface, it is not possible to directly attack the client network unless the attacker acquires the same network connection. In order to reach the 192.168.100.0 network the attacker needs to run the post-exploitation module "autoroute".
This module manages session routing via an existing Meterpreter session. It enables other modules to ‘pivot’ through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to them. The default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.
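To make the routing behaviour described above concrete from the defender's side, here is an added example (not the module's or the tutorial's own code) that models what "autoadd" and the default route do: it derives the subnets a compromised dual-homed server would expose from its interface list (the lab's 192.168.0.27 and 192.168.100.100 are used; the session id is assumed) and resolves which route a destination would take by longest-prefix match.

```python
# Added example (not the tutorial's own code): model the autoroute table for a
# dual-homed pivot and assess which networks its compromise would expose.
import ipaddress

LAB_INTERFACES = {            # assumed session id -> interface addresses seen on the pivot
    1: ["192.168.0.27/24", "192.168.100.100/24"],
}

def subnets_from_interfaces(interfaces):
    """Equivalent of 'autoadd': one route per interface network (host bits stripped)."""
    routes = []
    for session, addrs in interfaces.items():
        for a in addrs:
            routes.append((ipaddress.ip_interface(a).network, session))
    return routes

def add_default_route(routes, session):
    """The module's 'default' option: everything unmatched goes through the session."""
    return routes + [(ipaddress.ip_network("0.0.0.0/0"), session)]

def route_for(routes, dst):
    """Longest-prefix match; returns ('network/prefix', session) or None if nothing routes dst."""
    ip = ipaddress.ip_address(dst)
    candidates = [(net, s) for net, s in routes if ip in net]
    if not candidates:
        return None
    net, session = max(candidates, key=lambda r: r[0].prefixlen)
    return (str(net), session)

def exposed_networks(interfaces, attacker_net):
    """Networks a compromise of the pivot newly exposes, i.e. all but the attacker's own."""
    own = ipaddress.ip_network(attacker_net)
    return sorted(str(net) for net, _s in subnets_from_interfaces(interfaces) if net != own)

if __name__ == "__main__":
    routes = subnets_from_interfaces(LAB_INTERFACES)
    print(route_for(routes, "192.168.100.50"))                 # via session 1
    print(route_for(routes, "10.9.9.9"))                       # None: no route yet
    print(route_for(add_default_route(routes, 1), "10.9.9.9")) # now the default route
    print(exposed_networks(LAB_INTERFACES, "192.168.0.0/24"))
```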
Reverse TCP vs Bind TCP shell
First of all, let's clarify what a reverse TCP shell is, what a bind shell is, and how they work. In both of these situations, there is an attacker machine and a victim server. In a reverse shell, we open a connection from the victim server to the attacker's machine. We set up a listener on the attacker's machine. It waits for an incoming connection from the victim. When it receives the TCP connection, it serves as a shell to access the victim server.
A bind shell works in a different way. The payload binds a shell to a specific port on the victim server, so the attacker can use his machine to connect to the victim server.
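The two patterns just described leave different traces on the victim: a bind shell shows up as a listening socket owned by a process that should not be serving that port, and a reverse shell as an outbound established connection from such a process to an unexpected peer port. The following is an added defender-side check, not the tutorial's code; the socket lines are constructed in the style of `ss -tnp` output, and the process names and expected ports are assumptions to tune for a real host.

```python
# Added example (not the tutorial's own code): a defender-side check over a
# socket table that separates the two shell types described above.
import re

SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*          users:(("apache2",pid=812,fd=4))
LISTEN 0      128    0.0.0.0:4444        0.0.0.0:*          users:(("php",pid=2310,fd=3))
ESTAB  0      0      10.0.0.20:80        10.0.0.9:51322     users:(("apache2",pid=815,fd=9))
ESTAB  0      0      10.0.0.20:49731     203.0.113.7:4444   users:(("php",pid=2311,fd=3))
ESTAB  0      0      10.0.0.20:38210     10.0.0.3:3306      users:(("apache2",pid=815,fd=11))
"""

WEB_WORKERS = {"apache2", "php", "php-fpm", "nginx", "java"}   # assumed process names
EXPECTED_LISTEN = {80, 443}          # ports these workers are allowed to serve
EXPECTED_PEERS = {3306, 5432, 6379}  # backend ports they legitimately connect to

LINE_RE = re.compile(
    r'^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+users:\(\("([^"]+)",pid=(\d+)')

def parse_ss(text):
    """Parse ss -tnp style lines into dicts; the header and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        state, laddr, lport, paddr, pport, proc, pid = m.groups()
        rows.append({"state": state, "laddr": laddr, "paddr": paddr, "proc": proc,
                     "pid": int(pid),
                     "lport": int(lport) if lport != "*" else None,
                     "pport": int(pport) if pport != "*" else None})
    return rows

def suspicious_sockets(rows):
    """Return (kind, proc, pid, detail) for sockets matching either shell pattern."""
    findings = []
    for r in rows:
        if r["proc"] not in WEB_WORKERS:
            continue
        if r["state"] == "LISTEN" and r["lport"] not in EXPECTED_LISTEN:
            findings.append(("bind-shell?", r["proc"], r["pid"], f'listening on {r["lport"]}'))
        elif (r["state"] == "ESTAB" and r["lport"] not in EXPECTED_LISTEN
              and r["pport"] not in EXPECTED_PEERS):
            findings.append(("reverse-shell?", r["proc"], r["pid"],
                             f'outbound to {r["paddr"]}:{r["pport"]}'))
    return findings

if __name__ == "__main__":
    for finding in suspicious_sockets(parse_ss(SAMPLE_SS_OUTPUT)):
        print(*finding)
```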
Generating the exploit using Msfvenom
First, we use msfvenom to create our shell. This tool is packaged with the Metasploit Framework and can be used to generate exploits for multiple platforms such as Android, Windows, PHP servers, etc.
Following is the syntax for generating an exploit with msfvenom.
Here we have supplied many arguments to the msfvenom tool. Let's see what they do. At the moment we don't use any encoding; later we can use it.
Here -p stands for payload. It tells which payload we want to use. Here we used meterpreter as the payload. You can get the list of available payloads with the command msfvenom --list payloads. In the above example, we used a PHP payload since we are going to build a web shell.
-o is the output option. We have specified shell.php, so our output file will be saved as shell.php.
In the following list we can see some payload types we use often.
Web servers
Most web servers run PHP as their server-side language. We can build a PHP web shell with msfvenom by using 'php/meterpreter_reverse_tcp' as the payload. Since we are uploading it to a PHP server, the extension of the shell should be '.php'.
What about a JSP server? We can build a web shell as a JSP file and try to upload it. So we want to use 'java/jsp_shell_reverse_tcp' as our payload, and the output file type should be '.jsp'.
Linux platforms
If we want to attack a Linux server we can use 'linux/x86/meterpreter/reverse_tcp' as our payload. Also, we can use '.elf' as the output file type.
Windows machines
For Windows, we can use meterpreter as the payload. So we should select 'windows/meterpreter/reverse_tcp'. As you know, the extension should be '.exe'.
Android devices
We know that Android is the world's most popular mobile operating system. Metasploit has various payloads for Android. Commonly we use 'android/meterpreter_reverse_tcp' to attack Android devices. The output file type should be '.apk'.
LHOST is the IP of the attacker machine. It should be our public IP, because a reverse shell connects from the victim machine to our machine.
LPORT is any open port on our machine.
You can see we have generated our shell as a PHP file. Now we can use any method like RFI, FUV, etc. to upload it to a server. I'll use the Web for Pentester vulnerable machine. Before we execute our shell we want to set up a listener to catch our connection.
Now we start the Metasploit Framework. There are several ways to use Metasploit, like msfcli, the msfweb interface, Armitage, msfconsole, etc. Most of the time we use msfconsole for this.
Yes, a beautiful interface. This is an interactive shell and we can use it easily. First, we want to set a handler for our connection. The handler is responsible for handling reverse connections. Here we have used multi/handler. You can select it with the use exploit command.
Now we have to set some extra options. Any time in msfconsole you can find which options you want to set by entering the command show options.
In the above pic, we can see we need to set LHOST and LPORT. Let's set them. Both of them are the same as what we used in generating our shell.
OK, now it is time to attack. We use the command run to start the process.
It is waiting for an incoming connection. Now we can execute our shell on a web server.
Yes, it worked. We got our meterpreter shell. Now we can do many things. I'll post another tutorial on meterpreter. Till then you can see what to do with the command help. :-)