net stop winvnc winvnc remove in Software

Maker QR Code in Software net stop winvnc winvnc remove

To remove any remaining Registry keys, use the NTRK REGEXE utility, as shown previously:

We ve discussed a few command shell based remote control programs in the context of direct remote control connections However, consider the situation in which an intervening entity such as a firewall blocks direct access to a target system Resourceful attackers can find their way around these obstacles using port redirection We also discuss port redirection in 14, but we ll cover some NT-specific tools and techniques here Once attackers have compromised a key target system, such as a firewall, they can use port redirection to forward all packets to a specified destination The impact of this type of compromise is important to appreciate, as it enables attackers to access any and all systems behind the firewall (or other target) Redirection works by listening on certain ports and forwarding the raw packets to a specified secondary target Next we ll discuss some ways to set up port redirection manually using netcat, rinetd, and fpipe

Figure 5-9

Popularity: Simplicity: Impact: Risk Rating: 5 7 10 7

If netcat is available or can be uploaded to the target system behind a firewall, it is possible to gain a remote command prompt over any desired port We call this shell shovel-

5:

ing because it essentially flips a functional command shell back to the attacker s machine Assume the next example is run at a remote command prompt on the target machine:

If the attackercom machine is listening with netcat on TCP 80 and 25, and TCP 80 is allowed inbound and 25 outbound to/from the victim through the firewall, then this command shovels a remote command shell from the victim to it Figure 5-10 shows the attacker s system in this example: the top window shows the input window listening on port 80 sending the ipconfig command, and the bottom window shows the output received from the remote victim machine on port 25

Popularity: Simplicity: Impact: Risk Rating: 5 9 10 8

It can be a bit bewildering to set up port redirection using three netcat sessions configured manually, as shown earlier To save some brain damage, there are numerous utilities available on the Internet that were built specifically to perform port redirection A great example is rinetd, the Internet redirection server, from Thomas Boutell at http://wwwboutellcom/rinetd/indexhtml It redirects TCP connections from one IP address and port to another It thus acts very much like datapipe (see 14), and it comes in a Win32 (including 2000) version as well as Linux Rinetd is extraordinarily simple to use simply create a forwarding rule configuration file of the format

and then fire up rinetd c <config_filename> Like netcat, this tool can make Swiss cheese out of misconfigured firewalls

Fpipe is a TCP source port forwarder/redirector from Foundstone, Inc, of which the authors are principals It can create a TCP stream with an optional source port of the user s choice This is useful during penetration testing for getting past firewalls that permit certain types of traffic through to internal networks Fpipe basically works by indirection Start fpipe with a listening server port, a remote destination port (the port you are trying to reach inside the firewall), and the (optional) local source port number you want When fpipe starts, it will wait for a client to connect on its listening port When a listening connection is made, a new connection to the destination machine and port with the specified local source port will be made

Figure 5-10

Using netcat on both the attacker (shown here) and target systems, a shell can be shoveled to the attacker s system Here, commands entered into the top window are executed on the remote system, and results are displayed in the bottom window

creating a complete circuit When the full connection has been established, fpipe forwards all the data received on its inbound connection to the remote destination port beyond the firewall and returns the reply traffic back to the initiating system This makes setting up multiple netcat sessions look positively painful Fpipe performs the same task transparently Next we demonstrate the use of fpipe to set up redirection on a compromised system that is running a telnet server behind a firewall that blocks port 23 (telnet) but allows port 53 (DNS) Normally, we could not connect to the telnet port directly on TCP 23, but by setting up an fpipe redirector on the host pointing connections to TCP 53 toward the telnet port, we can accomplish the equivalent Figure 5-11 shows the fpipe redirector running on the compromised host Simply connecting to port 53 on this host will shovel a telnet prompt to the attacker The coolest feature of fpipe is its ability to specify a source port for traffic For penetration testing purposes, this is often necessary to circumvent a firewall or router that

5: