WINDOWS 7 - REVERSE SHELL TCP ALLPORTS
- Layout for this process:
- So far we have considered blocking only some specific ports. However, in this case the OUTBOUND rule blocks a set or range of ports, for instance from 3000 to 6000:
- Now, the reverse_tcp_allports payload is converted into an executable file. This module tries to connect back to the attacker on all possible TCP ports, from 1 to 65535. In this way, the payload will systematically try port by port until it finds one that is open or allowed by the firewall.
- Later, we'll see why LPORT is still 4444, although it is inside the range of ports blocked by the firewall.
- Checking that it is an executable file:
- Because all connections on ports 3000 to 6000 are going to be blocked by the firewall, the first allowed connection will be on port 6001. However, because the attacker does not know that in advance, he redirects incoming connections to a well-known port like 4444. Iptables can be used to achieve that.
- First, all Iptables rules are cleared:
- Then, connections on the range 3000:6000 plus 6001 are redirected to local port 4444 (which is why LPORT = 4444):
- The attacker sets up a handler exploit, waiting for the connection from the victim:
- Also, a web server is running on the attacker side:
- The client or victim connects, downloads and runs the executable reverse_tcp_allports.exe:
- A meterpreter session is successfully achieved on the attacker side:
- It is interesting to compare netstat output from both sides. From the attacker perspective the connection is on local port 4444:
- On the other hand, from the victim's point of view, the connection comes from remote port 6001, as expected, because the ports from 3000 to 6000 are blocked by the firewall, and in that range only port 6001 was redirected towards port 4444 by Iptables:
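From the defender's side, the port-by-port behaviour described above is noisy: the victim's firewall log fills with dropped SYNs from one host to one remote address on consecutive destination ports, followed by the single ALLOW on the port that got through. The following added example (not part of the original walkthrough) parses constructed lines in the Windows Firewall pfirewall.log layout and flags such a run; the window and minimum run length are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Windows Firewall (pfirewall.log) W3C layout; not real traffic.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2014-05-10 10:00:01 DROP TCP 192.168.1.10 192.168.1.5 49201 3000 52 S
2014-05-10 10:00:01 DROP TCP 192.168.1.10 192.168.1.5 49202 3001 52 S
2014-05-10 10:00:01 DROP TCP 192.168.1.10 192.168.1.5 49203 3002 52 S
2014-05-10 10:00:02 DROP TCP 192.168.1.10 192.168.1.5 49204 3003 52 S
2014-05-10 10:00:02 DROP TCP 192.168.1.10 192.168.1.5 49205 3004 52 S
2014-05-10 10:00:02 ALLOW TCP 192.168.1.10 10.0.0.2 49206 443 52 S
2014-05-10 10:00:03 ALLOW TCP 192.168.1.10 192.168.1.5 49207 6001 52 S
"""

def parse_log(text):
    """Return (timestamp, action, src_ip, dst_ip, dst_port) tuples for TCP lines."""
    events = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#") or len(f) < 8 or f[3] != "TCP":
            continue
        ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, f[2], f[4], f[5], int(f[7])))
    return events

def find_port_sweeps(events, min_ports=5, window_s=30):
    """Flag (src, dst) pairs whose DROPped attempts walk a run of consecutive
    destination ports inside one window, and record the first ALLOWed
    connection after the run (the port the firewall let through)."""
    by_pair = defaultdict(list)
    for ev in sorted(events):
        by_pair[(ev[2], ev[3])].append(ev)
    findings = {}
    for pair, evs in by_pair.items():
        drops = [e for e in evs if e[1] == "DROP"]
        # Simplification: the whole drop series must fit in one window.
        if not drops or (drops[-1][0] - drops[0][0]).total_seconds() > window_s:
            continue
        ports = sorted({e[4] for e in drops})
        run = best = 1
        for a, b in zip(ports, ports[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best < min_ports:
            continue
        after = [e for e in evs if e[1] == "ALLOW" and e[0] >= drops[-1][0]]
        findings[pair] = {"low": ports[0], "high": ports[-1], "attempts": len(drops),
                          "callback_port": after[0][4] if after else None}
    return findings
```

In the page's scenario the reported callback port would be 6001, which is exactly the remote port the victim's netstat shows; that port, not the attacker's LPORT, is what the victim-side log can reveal.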