Reciprocal hacking: Windows/Linux
Today we're going to have some fun with netcat.
We're going to use it to hack a Linux machine from Windows and a Windows machine from Linux.
a) Hacking Linux from Windows
I'm going to create a bash script, which we can consider a proof of concept, that opens up a backdoor on port 1234 by launching a bash shell.
Of course, we need to assign execute permissions to our script.
The script opens port 1234 and waits for a connection.
Moving to the Windows machine: Linux commands normally won't run there, because Windows doesn't know what they are.
We're going to launch netcat in order to connect to our Linux machine (the syntax is nc IP_address 1234, where IP_address is the IP address of our Linux virtual machine and 1234 is the port we want to connect to).
After a while, we have a connection to our Linux machine. So, we have a shell on Windows, and you can notice I am the root user (by the way, that's why logging in as root should always be disabled on physical Linux machines).
You'll notice that we don't have a prompt, because that's not an interactive shell.
However, we can get an interactive shell by using a one-liner Python trick (notice the # sign in the resulting prompt, pointing out I'm logged in as root).
So now I can run Linux commands, I can list directories and, since my identity is root, I have pwned the machine, so I can do whatever I want with it.
Most importantly, I can view the /etc/shadow file and dump all the password hashes, which can be later cracked with Cain.
b) Hacking Windows from Linux
We're now going to create a batch file in Windows, similar to the bash script we created previously, which this time will open up a command prompt on port 1234.
If we run this batch file, our Windows machine will listen for a connection.
At this point, moving to our Kali Linux machine, we launch netcat again and this time we get a Windows command prompt inside our Linux shell.
So I can run Windows commands, such as ipconfig.
In the end, I totally pwned my Windows virtual machine, thanks to this simple trick.
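Both halves of this trick leave the same footprint on the victim: a netcat process listening on a port and handing the socket to a shell. The following Python is an added defender-side example (not code from this post) that spots that footprint in `ss -ltnp` and `ps -eo pid,args` output; the sample listings are constructed, shown for the Linux side from part (a), and the same idea applies to the Windows batch file with netstat/tasklist.

```python
# Defender-side check for netcat bind-shell listeners; added example, not code from the post.
# SAMPLE_SS and SAMPLE_PS are constructed `ss -ltnp` / `ps -eo pid,args` output, not captured.
import os
import re

NETCAT_BINARIES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}
EXEC_FLAGS = ("-e", "-c", "--exec", "--sh-exec")  # "run this program on connect" options

def listening_netcat_sockets(ss_output: str) -> list[tuple[int, str]]:
    """Return (pid, reason) for LISTEN sockets owned by a netcat variant."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue                                    # header or non-listening row
        port = fields[3].rsplit(":", 1)[-1]             # "Local Address:Port" column
        for name, pid in re.findall(r'\("([^"]+)",pid=(\d+)', fields[5]):
            if name in NETCAT_BINARIES:
                findings.append((int(pid), f"{name} listening on port {port}"))
    return findings

def netcat_exec_processes(ps_output: str) -> list[tuple[int, str]]:
    """Return (pid, reason) for netcat command lines that hand the socket to a program."""
    findings = []
    for line in ps_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue                                    # header or malformed row
        pid, argv = int(parts[0]), parts[1].split()
        if os.path.basename(argv[0]) not in NETCAT_BINARIES:
            continue
        for i, arg in enumerate(argv[1:], start=1):
            flag, _, inline = arg.partition("=")       # also catches --exec=/bin/sh
            if flag in EXEC_FLAGS:
                target = inline or (argv[i + 1] if i + 1 < len(argv) else "?")
                findings.append((pid, f"{argv[0]} runs {target} on connect via {flag}"))
    return findings

SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      1      0.0.0.0:1234      0.0.0.0:*         users:(("nc",pid=4242,fd=3))
"""
SAMPLE_PS = """\
  PID COMMAND
  812 /usr/sbin/sshd -D
 4242 nc -l -p 1234 -e /bin/bash
 4300 nc -w 3 127.0.0.1 80
"""
```

A PID that shows up in both lists (here 4242) is the strongest signal; the plain connectivity check on PID 4300 is correctly left alone.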