Network Analysis – Web Shell
The port scan targets TCP ports.
To see the port scan activity, go to Statistics > Conversations > TCP.
Sorting the Port B column in ascending order shows one source opening conversations to one destination port after another.
The highest port scanned is 1024.
The scan packets can be isolated with a display filter on the TCP flags: the probes are TCP segments with the SYN flag set and the ACK flag clear, i.e. the first packet of a handshake. Excluding ACK keeps the SYN/ACK replies from the open ports out of the list, so what remains is one packet per port the scanner touched.
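The same triage done outside Wireshark, as an added example that is not part of the original write-up: the function initial_syns applies the predicate behind the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0, and syn_scan_sources aggregates the result per source the way Statistics > Conversations > TCP does, additionally noting which probed ports answered with a SYN/ACK. The packet list is constructed in the block; the addresses, the set of open ports and the 50-port threshold are assumptions made for the sample.

```python
"""
Added example (not code from the original write-up): picking a TCP SYN scan out
of a list of packet summaries. initial_syns() is the Wireshark filter
tcp.flags.syn == 1 && tcp.flags.ack == 0 expressed in Python; syn_scan_sources()
groups those packets per (source, destination) pair like the Conversations view.
"""
from collections import defaultdict

# Assumed addresses and open ports for the constructed sample capture.
SCANNER, TARGET, CLIENT = "10.251.96.4", "10.251.96.5", "10.251.96.7"
OPEN_PORTS = {22, 80, 443}


def build_sample_packets():
    """Constructed capture: one host SYN-scans ports 1-1024 of the target,
    the open ports answer SYN/ACK, and a normal client opens one session."""
    pkts = []
    for port in range(1, 1025):
        pkts.append(dict(src=SCANNER, sport=40000 + port, dst=TARGET,
                         dport=port, syn=True, ack=False))
        if port in OPEN_PORTS:  # only open ports reply SYN/ACK
            pkts.append(dict(src=TARGET, sport=port, dst=SCANNER,
                             dport=40000 + port, syn=True, ack=True))
    # A legitimate client completing a handshake to the web server.
    pkts.append(dict(src=CLIENT, sport=51000, dst=TARGET, dport=80, syn=True, ack=False))
    pkts.append(dict(src=TARGET, sport=80, dst=CLIENT, dport=51000, syn=True, ack=True))
    return pkts


def initial_syns(pkts):
    """Equivalent of  tcp.flags.syn == 1 && tcp.flags.ack == 0  (SYN/ACKs excluded)."""
    return [p for p in pkts if p["syn"] and not p["ack"]]


def syn_scan_sources(pkts, threshold=50):
    """Group initial SYNs by (source, destination). A source that touches at
    least `threshold` distinct ports on one host is reported as a scanner,
    together with the highest port probed and the ports that replied SYN/ACK."""
    probed = defaultdict(set)
    for p in initial_syns(pkts):
        probed[(p["src"], p["dst"])].add(p["dport"])
    # (replying host, replying port, peer) for every SYN/ACK in the capture
    synacks = {(p["src"], p["sport"], p["dst"]) for p in pkts if p["syn"] and p["ack"]}
    result = {}
    for (src, dst), ports in probed.items():
        if len(ports) < threshold:
            continue
        result[src] = {
            "target": dst,
            "probed": len(ports),
            "highest_port": max(ports),
            "open_ports": sorted(pt for pt in ports if (dst, pt, src) in synacks),
        }
    return result


if __name__ == "__main__":
    for src, info in syn_scan_sources(build_sample_packets()).items():
        print(f"{src} scanned {info['probed']} ports on {info['target']}, "
              f"highest {info['highest_port']}, open {info['open_ports']}")
```

The threshold is what separates a scanner from a busy client: the legitimate client in the sample touches one port and is not reported. On a real capture the same grouping can be produced with tshark by exporting tcp.srcport, tcp.dstport and the flag fields and feeding them to these functions.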
Two more tools were used to perform reconnaissance against open ports. What were they?
The application or tool, and often its version, can be identified from the User-Agent header of its HTTP requests.
With a display filter on HTTP requests, and the User-Agent header added as a column, we can see which client sent each request.
The first tool is GoBuster, which is brute-forcing directory names on the web server.
Scrolling further down we reach requests with URL-encoded URIs; the User-Agent on those identifies the second tool as SQLmap.
The HTTP POST method is used to send data to a server, so a file upload will show up as a POST request. Filtering on HTTP requests with the POST method isolates them.
Scrolling down, we see a POST request to upload.php.
The Referer header in that request tells us which page the upload was submitted from.
Let's follow the TCP stream for the same packet by going to Follow > TCP Stream.
In the stream, the multipart Content-Disposition header is form-data with dbfunctions.php as the filename, so the uploaded file is a PHP script rather than data.
In the same TCP stream we can also see the body of the uploaded file: an if statement that reads a cmd parameter, which is the web shell.
Commands are sent to the uploaded file as GET requests carrying a cmd query parameter. Filtering on GET requests to dbfunctions.php separates them out.
Three commands were executed: id, a Python one-liner, and whoami.
Opening the request that carries the Python command and URL-decoding the cmd parameter gives us the script. Formatted for readability, it does the following:
It creates a socket object s and connects to the specified IP address (10.251.96.4) and port (4422).
It then uses subprocess.call to execute the /bin/sh shell with the -i flag, which opens an interactive shell session, effectively allowing the remote party to control the server.
This is in line with the characteristics of a reverse shell: the compromised host initiates an outbound connection to the attacker, so the traffic passes through firewalls that only block inbound connections.
We saw that the reverse shell connects to port 4422.