
I am doing some pen testing on my WordPress server. I wanted to see what would happen if an attacker were to get hold of my username and password for WordPress.

So I used the standard exploit in msfconsole, wp_admin_shell_upload, and set the password and username.

What I do not understand is why my UFW does not block the established connection. (My rules are set to block everything apart from ports 21, 80 and 22.)

But I can see a connection established on port 48846. Why is this not blocked, and why am I able to send commands to the remote machine via meterpreter and receive data?

Screenshots (images not reproduced here): one of the client (the WordPress server) and one of the attacker machine.

Linux

2 Answers


The connection of the reverse shell originates at the attacked system, i.e. it is an outgoing connection. Your ufw rules only restrict incoming connections but allow arbitrary outgoing connections, and thus allow the reverse shell.

Steffen Ullrich
  • But it still must block the commands from meterpreter, since those are incoming either way. – Linux Aug 04 '20 at 20:59
  • Or do you mean that once you have established an outgoing connection to the attacker, communication can happen both ways? – Linux Aug 04 '20 at 21:04
  • 1
    The connection is established. The content within that connection is not blocked because that's not the type of firewall you have. Every connection has data travelling both ways. – schroeder Aug 04 '20 at 21:08
  • @Linux: It is perfectly normal in a connection that data are exchanged in both directions. What these data mean (i.e. command or response) does not depend on how the connection was established, i.e. it might be that the target of the connection ("server") sends the command and the origin of the connection (client) executes the command and sends the response. – Steffen Ullrich Aug 04 '20 at 21:13
  • @SteffenUllrich I see, are there any ways I can prevent this scenario from happening whilst being able to run a server? Would it be wise to lock down all outgoing as well apart from ssh & http port? – Linux Aug 04 '20 at 21:17
  • @Linux: Sure you could block all outgoing traffic. But this might impact the functionality of your server, i.e. no way to get automatic updates, no way to send mail etc. Anyway, your original question asked for an explanation why it is this way and this question is answered. Asking for improvements to your setup is a new question which also needs more details about the use case. – Steffen Ullrich Aug 04 '20 at 21:21
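The following is an added example, not part of the question or of either answer: a toy stateful packet filter that mimics ufw's stock policy, replaying the traffic described above so the verdicts can be seen packet by packet. Everything concrete in it is an assumption made for illustration: the victim address 10.0.0.5, the attacker address 10.0.0.99, the attacker listening on 4444 (Metasploit's default LPORT; the question only shows the victim-side port 48846), and the `allow_out` port set used for the "deny outgoing" variant discussed in the comments.

```python
"""Toy stateful packet filter modelled on ufw's default policy.

Added example, not code from the original question or answers. Hosts,
ports and the egress allow-list are assumptions: victim 10.0.0.5 (the
WordPress box), attacker 10.0.0.99 listening on 4444 (Metasploit's
default LPORT), inbound ports 21, 22 and 80 opened as in the question.
"""
from dataclasses import dataclass, field

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True = first packet of a new TCP connection (conntrack state NEW)


@dataclass
class StatefulFirewall:
    host: str                       # the address this firewall protects
    allow_in: set                   # inbound ports opened with `ufw allow <port>`
    default_out_allow: bool = True  # `ufw default allow outgoing` (the stock setting)
    allow_out: set = field(default_factory=set)  # `ufw allow out <port>` when egress is denied
    conntrack: set = field(default_factory=set)  # established flows, keyed from the host's side

    def _key(self, pkt):
        """Normalise a packet to (local_port, remote_ip, remote_port) so that
        both directions of one flow map to the same conntrack entry."""
        if pkt.dst == self.host:
            return (pkt.dport, pkt.src, pkt.sport), "in"
        if pkt.src == self.host:
            return (pkt.sport, pkt.dst, pkt.dport), "out"
        raise ValueError("packet is neither to nor from this host")

    def filter(self, pkt):
        key, direction = self._key(pkt)
        # Rule 1: anything belonging to an established flow is accepted in both
        # directions. This is the `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`
        # rule near the top of ufw's input and output chains, and it is why the
        # meterpreter commands arriving *inbound* never reach the port allow-list.
        if key in self.conntrack:
            return ACCEPT
        # Rule 2: a non-SYN packet with no conntrack entry is INVALID and dropped.
        if not pkt.syn:
            return DROP
        # Rule 3: a new inbound connection must hit an opened port (default deny incoming).
        if direction == "in":
            if pkt.dport in self.allow_in:
                self.conntrack.add(key)
                return ACCEPT
            return DROP
        # Rule 4: a new outbound connection follows the egress policy.
        if self.default_out_allow or pkt.dport in self.allow_out:
            self.conntrack.add(key)
            return ACCEPT
        return DROP


def reverse_shell_scenario(default_out_allow=True):
    """Replay the traffic from the question; return the verdict for each packet."""
    victim, attacker = "10.0.0.5", "10.0.0.99"   # assumed addresses
    fw = StatefulFirewall(host=victim, allow_in={21, 22, 80},
                          default_out_allow=default_out_allow,
                          allow_out={53, 80, 443})  # assumed egress allow-list
    trace = [
        # 1. attacker's HTTP request delivering wp_admin_shell_upload: inbound NEW to 80
        Packet(attacker, 51000, victim, 80, syn=True),
        # 2. the uploaded payload connects *back* to the attacker: outbound NEW from 48846
        Packet(victim, 48846, attacker, 4444, syn=True),
        # 3. a meterpreter command arrives on that flow: inbound, but ESTABLISHED
        Packet(attacker, 4444, victim, 48846, syn=False),
        # 4. the command output goes back out on the same flow
        Packet(victim, 48846, attacker, 4444, syn=False),
        # 5. an unsolicited inbound SYN to 48846: NEW, port not opened, so dropped
        Packet(attacker, 5555, victim, 48846, syn=True),
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    print("stock ufw policy      :", reverse_shell_scenario(True))
    print("default deny outgoing :", reverse_shell_scenario(False))
```

With the stock policy only packet 5 is dropped: the connect-back (packet 2) is an outbound NEW connection and is allowed, and once it exists in the connection table the inbound command (packet 3) is ESTABLISHED traffic, not a new incoming connection. With `default_out_allow=False` the connect-back to 4444 is dropped and nothing on that flow is ever established. The real-ufw equivalent of that second policy is `ufw default deny outgoing` followed by explicit `ufw allow out <port>/<proto>` rules for what the server needs (DNS, updates, mail). The caveat a practitioner should keep in mind: an egress allow-list only stops payloads that call back on a port you did not allow; a Metasploit `reverse_https` payload pointed at the attacker's port 443 would pass a policy that permits outbound HTTPS, so egress filtering raises the bar rather than closing the door.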

I think that "ufw deny to eth0 from any" might do the trick but I haven't tested. It might completely isolate the box from the network or it might block any incoming connections from going back out. I'd guess that it depends what the box is being used for.

guest