does netcat's SSL feature prevent the victim from tracking the hacker in any way?
#1
I'm not ready to start learning hacking so the answer will be of zero use to me short-term, but I am curious because I saw a tutorial somewhere on netcat and I saw the SSL was a feature included in netcat, as well as reverse shells.

In a program like netcat, wouldn't an encryption feature like TLS/SSL be extremely useful in covering one's tracks while using a reverse shell? Or does it just not affect the anonymity and privacy of reverse shells specifically due to only being usable for other features of netcat such as the chat room feature to encrypt chat rooms?
#2
Alright. I don't fully understand your second paragraph. It might be Friday night, and I might be a bit tipsy, but I just don't get what you're asking.

But anyways. SSL is useful for many reasons. It encrypts the traffic between your two endpoints, whatever they may be. This means that people monitoring the connection or network won't see the traffic by default. This *may* help reduce your likelihood of detection. However that really depends on their security and what they're looking for. An SSL connection communicating over weird ports might be enough to trigger an alert.

Also keep in mind that if you are running netcat on a remote system, then a certificate is on the remote machine. So someone doing forensics can likely get it and decrypt your traffic. So it's not like, the be-all of security. It's just one tool in your tool kit. If you have reason for wanting to encrypt your traffic, do it.
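MuddyBucket's point, that TLS hides what is said but not who is talking to whom, as an added example that is not part of the thread. Ncat (the netcat variant that has --ssl) generates a temporary self-signed certificate when no --ssl-cert/--ssl-key is given, so a default `ncat --ssl -l` listener presents a self-signed certificate to whatever watches the victim's network. Whether a recorded session can later be decrypted with a key recovered from the host depends on the cipher suite (a forward-secret key exchange defeats that), but the metadata used below is available to a defender either way. The log format is constructed in the spirit of Zeek's conn.log joined with ssl.log, the four records are made up, and the port set, session threshold and indicator count are assumptions.

```python
"""Added example: flag a TLS session that looks like an encrypted reverse
shell using only connection metadata, never the (encrypted) payload."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed records in the spirit of Zeek's conn.log joined with ssl.log.
# These are made-up lines, not captured data. Row 2 is what an internal host
# calling back to a default `ncat --ssl -l 4444` listener would look like.
SAMPLE_LOG = (
    "ts\tsrc\tsport\tdst\tdport\tservice\tduration\tvalidation_status\n"
    "1587170000.1\t10.0.0.25\t49211\t203.0.113.50\t443\tssl\t3.2\tok\n"
    "1587170010.5\t10.0.0.25\t49300\t198.51.100.7\t4444\tssl\t5400.0\tself signed certificate\n"
    "1587170020.0\t10.0.0.26\t49400\t10.0.0.5\t22\tssh\t120.0\t-\n"
    "1587170030.0\t10.0.0.27\t49500\t203.0.113.9\t8443\tssl\t12.0\tok\n"
)

# Assumed tuning values; a real deployment derives these from a traffic baseline.
WELL_KNOWN_TLS_PORTS = {443, 465, 563, 636, 853, 993, 995, 8443}
LONG_SESSION_SECONDS = 3600.0
MIN_INDICATORS = 2  # one weak signal alone would page on too much ordinary traffic
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass
class Conn:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    service: str
    duration: float
    validation_status: str


def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list[Conn]:
    """Parse the tab-separated records above (first line is the header)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    conns = []
    for ln in lines[1:]:
        row = dict(zip(header, ln.split("\t")))
        conns.append(Conn(
            ts=float(row["ts"]), src=row["src"], sport=int(row["sport"]),
            dst=row["dst"], dport=int(row["dport"]), service=row["service"],
            duration=float(row["duration"]),
            validation_status=row["validation_status"],
        ))
    return conns


def reverse_shell_indicators(c: Conn) -> list[str]:
    """Metadata-only signals for one TLS connection; empty list for non-TLS."""
    reasons: list[str] = []
    if c.service != "ssl":
        return reasons
    if c.dport not in WELL_KNOWN_TLS_PORTS:
        reasons.append(f"tls on unusual port {c.dport}")
    if "self signed" in c.validation_status:
        reasons.append("self-signed server certificate")
    outbound = is_internal(c.src) and not is_internal(c.dst)
    if outbound and c.duration >= LONG_SESSION_SECONDS:
        reasons.append(f"long-lived outbound session ({c.duration:.0f}s)")
    return reasons


def find_suspicious(text: str) -> dict[str, list[str]]:
    """Map 'src:sport->dst:dport' to its indicators for every flow that trips
    at least MIN_INDICATORS signals. The endpoints are the key: encryption
    never hid them."""
    alerts: dict[str, list[str]] = {}
    for c in parse_log(text):
        reasons = reverse_shell_indicators(c)
        if len(reasons) >= MIN_INDICATORS:
            alerts[f"{c.src}:{c.sport}->{c.dst}:{c.dport}"] = reasons
    return alerts


if __name__ == "__main__":
    for flow, reasons in find_suspicious(SAMPLE_LOG).items():
        print(flow, "|", "; ".join(reasons))
```

Running it flags only the 4444 flow, with all three indicators, while the ordinary 443 and 8443 sessions pass. The rules never look inside the TLS stream; that is the whole point of the thread's answer, and also why recon of the target's monitoring matters more than the encryption itself.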
#3
(04-18-2020, 04:21 AM)MuddyBucket Wrote: Alright. I don't fully understand your second paragraph. It might be Friday night, and I might be a bit tipsy, but I just don't get what you're asking.

But anyways. SSL is useful for many reasons. It encrypts the traffic between your two endpoints, whatever they may be. This means that people monitoring the connection or network won't see the traffic by default. This *may* help reduce your likelihood of detection. However that really depends on their security and what they're looking for. An SSL connection communicating over weird ports might be enough to trigger an alert.

Also keep in mind that if you are running netcat on a remote system, then a certificate is on the remote machine. So someone doing forensics can likely get it and decrypt your traffic. So it's not like, the be-all of security. It's just one tool in your tool kit. If you have reason for wanting to encrypt your traffic, do it.

Let me rephrase it:

Could encryption tunnels in netcat be used to help with anonymity or privacy while generating a reverse shell?

If someone manages to obtain a reverse shell on my computer using netcat, and I want to track them but they use netcat's built-in SSL encryption, does it make it harder to find out what they are doing or their identity?

See what I mean?
#4
(04-18-2020, 06:26 PM)QMark Wrote: Let me rephrase it:

Could encryption tunnels in netcat be used to help with anonymity or privacy while generating a reverse shell?

Privacy? Yes, you'll have a private tunnel. Encrypted.
Anonymity? Nope, encryption only protects the information; doesn't hide or protect you.
#5
(04-18-2020, 09:27 PM)Insider Wrote:
(04-18-2020, 06:26 PM)QMark Wrote: Let me rephrase it:

Could encryption tunnels in netcat be used to help with anonymity or privacy while generating a reverse shell?

Privacy? Yes, you'll have a private tunnel. Encrypted.
Anonymity? Nope, encryption only protects the information; doesn't hide or protect you.

Ok. Let’s say the hacker uses Tor, MAC spoofing, etc on top of it. Couldn’t that complement the anonymity tools by preventing security professionals from performing forensics in order to figure out who performed the initial attack?
#6
(04-18-2020, 11:10 PM)QMark Wrote:
(04-18-2020, 09:27 PM)Insider Wrote:
(04-18-2020, 06:26 PM)QMark Wrote: Let me rephrase it:

Could encryption tunnels in netcat be used to help with anonymity or privacy while generating a reverse shell?

Privacy? Yes, you'll have a private tunnel. Encrypted.
Anonymity? Nope, encryption only protects the information; doesn't hide or protect you.

Ok. Let’s say the hacker uses Tor, MAC spoofing, etc on top of it. Couldn’t that complement the anonymity tools by preventing security professionals from performing forensics in order to figure out who performed the initial attack?

I don't see how changing your MAC address is going to help you. MAC isn't transmitted outside layer 2. However yeah, it would be useful if you're using a compromised network or public wifi.

And Tor? Yeah sure. But you need a way for the target to connect back to your tunnel. To forward the ports through tor, it would probably be a good idea to create a hidden service on your computer. Set up netcat to listen on that hidden service.

But then your target would need Tor as well to connect to the hidden service. Unless they're using some tor2web proxy, which I'm pretty sure only works for HTTP traffic. (And also most tor2web proxies are kind of shady since they are in the position to tamper, "MITM".)

Another option for you would be to find a VPN provider that allows port forwarding.
#7
(04-18-2020, 11:10 PM)QMark Wrote: Ok. Let’s say the hacker uses Tor, MAC spoofing, etc on top of it. Couldn’t that complement the anonymity tools by preventing security professionals from performing forensics in order to figure out who performed the initial attack?

Source of the attack is going to be the same regardless of whether the traffic is encrypted. Encryption by itself isn't going to hide that source. Tor might obfuscate that. But a sufficiently motivated and resourceful actor may be able to backtrace that. Tor by itself isn't 100% secure.

Your reference to MAC spoofing is exactly why I recommend hackers have knowledge of networking. If you understood networking and what role MAC addresses play in a network, you wouldn't have mentioned this. This is how people who do illegal things, and don't know how things work or how to secure themselves, get caught.

If you have a tool on someone else's computer, such as netcat, and it's discovered, you're fucked. Doesn't matter if you're using SSL or not. They probably have the certificate and can decrypt the traffic. SSL only helps if they're doing any forensics/network analysis on the network traffic before they've found your host. If they've recorded that data though, and then find your host, they can go back and decrypt it.
#8
(04-18-2020, 11:53 PM)Insider Wrote:
(04-18-2020, 11:10 PM)QMark Wrote:
(04-18-2020, 09:27 PM)Insider Wrote:
(04-18-2020, 06:26 PM)QMark Wrote: Let me rephrase it:

Could encryption tunnels in netcat be used to help with anonymity or privacy while generating a reverse shell?

Privacy? Yes, you'll have a private tunnel. Encrypted.
Anonymity? Nope, encryption only protects the information; doesn't hide or protect you.

Ok. Let’s say the hacker uses Tor, MAC spoofing, etc on top of it. Couldn’t that complement the anonymity tools by preventing security professionals from performing forensics in order to figure out who performed the initial attack?

I don't see how changing your MAC address is going to help you. MAC isn't transmitted outside layer 2. However yeah, it would be useful if you're using a compromised network or public wifi.

And Tor? Yeah sure. But you need a way for the target to connect back to your tunnel. To forward the ports through tor, it would probably be a good idea to create a hidden service on your computer. Set up netcat to listen on that hidden service.

But then your target would need Tor as well to connect to the hidden service. Unless they're using some tor2web proxy, which I'm pretty sure only works for HTTP traffic. (And also most tor2web proxies are kind of shady since they are in the position to tamper, "MITM".)

Another option for you would be to find a VPN provider that allows port forwarding.

Ok, so if I were to use netcat over a VPN then the encryption of the reverse shell might add something useful.

(04-19-2020, 12:57 AM)MuddyBucket Wrote:
(04-18-2020, 11:10 PM)QMark Wrote: Ok. Let’s say the hacker uses Tor, MAC spoofing, etc on top of it. Couldn’t that complement the anonymity tools by preventing security professionals from performing forensics in order to figure out who performed the initial attack?

Source of the attack is going to be the same regardless of whether the traffic is encrypted. Encryption by itself isn't going to hide that source. Tor might obfuscate that. But a sufficiently motivated and resourceful actor may be able to backtrace that. Tor by itself isn't 100% secure.

Your reference to MAC spoofing is exactly why I recommend hackers have knowledge of networking. If you understood networking and what role MAC addresses play in a network, you wouldn't have mentioned this. This is how people who do illegal things, and don't know how things work or how to secure themselves, get caught.

If you have a tool on someone else's computer, such as netcat, and it's discovered, you're fucked. Doesn't matter if you're using SSL or not. They probably have the certificate and can decrypt the traffic. SSL only helps if they're doing any forensics/network analysis on the network traffic before they've found your host. If they've recorded that data though, and then find your host, they can go back and decrypt it.

So then how do hackers cover up reverse shells? Just via a VPN? Also, are you saying that because MAC addresses are the physical address, and because only your router knows your MAC address and not servers over the Internet, MAC spoofing doesn't matter when it comes to reverse shells over the Internet?

What about over a wifi network?
#9
(04-19-2020, 09:30 PM)QMark Wrote: So then how do hackers cover up reverse shells? Just via VPN?

Your question is too vague. Cover up from what? Keeping them from being able to trace you down? An antivirus? A guy doing random checks for suspicious activity? A NIDS? A NIPS? A HIDS? A HIPS? Encrypting your traffic *might* help with a NIDS or NIPS. But it might not. Recon is key. Encrypting your traffic won't do much for an antivirus/HIDS/HIPS. To beat an antivirus/HIDS/HIPS you might use something to disguise your code. But how that's done will depend entirely on how you've gotten a reverse shell and what kind of security appliance they have running. That's usually the point of recon. And sometimes you just don't successfully cover up and your reverse proxy is found.


(04-19-2020, 09:30 PM)QMark Wrote: Also, are you saying that because MAC addresses are the physical address and because only your router knows your MAC address and not servers over the Internet, that MAC spoofing doesn't matter when it comes to reverse shells over the Internet?

What about over a wifi network?

Bingo. Only the last hop knows your MAC address. That includes wifi networks.

If you're using a public network, the only reason you'd want to spoof your MAC address for hiding your identity is so that *if* you were caught and arrested, there's no direct evidence that it was your machine. And that still only works if you changed your MAC address between the time you did something illegal and when they caught you. 'Cause if they have your laptop, and they have you doing something illegal through a network, that's as much evidence against you as if you hadn't been spoofing. But if they've found out what network you used to connect to the net, you're doing things wayyy too dangerously.

I mean, there are other reasons for spoofing a MAC address, such as networks with MAC filtering, or bypassing download limits or time limits on public networks.
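Insider's and MuddyBucket's point about MAC addresses, as an added example that is not part of the thread: it builds an Ethernet/IPv4 frame with Python's struct module and pushes it through a simulated two-router path, recording what each receiver sees. The sender's MAC (spoofed or not) survives only as far as the first router; every later hop sees the previous router's egress MAC, while the source IP rides along unchanged. The addresses are hypothetical (documentation IP ranges, locally administered MACs) and route_hop is a simplification of real forwarding (no ARP, no fragmentation, no NAT).

```python
"""Added example: which addresses each hop sees as a frame crosses routers.
Only the first hop ever sees the sender's MAC; the IP header is forwarded."""
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # minimal 20-byte IPv4 header
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 ones'-complement sum over the header bytes."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                ttl: int, payload: bytes) -> bytes:
    """Ethernet II frame carrying an IPv4/TCP packet (header only, no options)."""
    total_len = IPV4_HDR.size + len(payload)
    # version/IHL, TOS, total length, ID, flags/frag (DF), TTL, proto TCP, csum, src, dst
    fields = [0x45, 0, total_len, 0x1234, 0x4000, ttl, 6, 0,
              ip_bytes(src_ip), ip_bytes(dst_ip)]
    fields[7] = ipv4_checksum(IPV4_HDR.pack(*fields))
    return (ETH_HDR.pack(mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_IPV4)
            + IPV4_HDR.pack(*fields) + payload)


def parse_frame(frame: bytes) -> dict:
    """What a receiver on the wire sees; verifies the IPv4 header checksum."""
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4: 0x{etype:04x}")
    f = IPV4_HDR.unpack_from(frame, ETH_HDR.size)
    ihl = (f[0] & 0x0F) * 4
    if ipv4_checksum(frame[ETH_HDR.size:ETH_HDR.size + ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src_mac": mac_str(src), "dst_mac": mac_str(dst),
            "src_ip": ip_str(f[8]), "dst_ip": ip_str(f[9]),
            "ttl": f[5], "payload": frame[ETH_HDR.size + ihl:]}


def route_hop(frame: bytes, router_mac: str, next_hop_mac: str) -> bytes:
    """A router's forwarding step, simplified (no ARP, no fragmentation, no NAT):
    strip the Ethernet header, decrement TTL, re-encapsulate with the router's
    own egress MAC as source. The incoming source MAC is discarded right here."""
    p = parse_frame(frame)
    if p["ttl"] <= 1:
        raise ValueError("TTL expired")
    return build_frame(router_mac, next_hop_mac, p["src_ip"], p["dst_ip"],
                       p["ttl"] - 1, p["payload"])


def trace_path(frame: bytes, path: list[tuple[str, str]]) -> list[dict]:
    """Views of the frame at the sender's LAN and after each (router egress MAC,
    next-hop MAC) forwarding step in `path`."""
    views = [parse_frame(frame)]
    for router_mac, next_hop_mac in path:
        frame = route_hop(frame, router_mac, next_hop_mac)
        views.append(parse_frame(frame))
    return views


# Hypothetical addresses: documentation IP ranges, locally administered MACs.
ATTACKER_MAC = "02:00:00:00:00:01"   # spoofed or not, it only reaches router A
ATTACKER_IP = "203.0.113.10"
VICTIM_MAC = "02:00:00:00:00:ff"
VICTIM_IP = "198.51.100.7"
ROUTER_A_LAN_MAC = "02:00:00:00:00:a1"
PATH = [("02:00:00:00:00:a2", "02:00:00:00:00:b1"),   # router A egress -> router B
        ("02:00:00:00:00:b2", VICTIM_MAC)]            # router B egress -> victim


def demo() -> list[dict]:
    frame = build_frame(ATTACKER_MAC, ROUTER_A_LAN_MAC, ATTACKER_IP, VICTIM_IP,
                        64, b"TLS ClientHello...")  # constructed payload stand-in
    return trace_path(frame, PATH)


if __name__ == "__main__":
    for hop, v in enumerate(demo()):
        print(f"hop {hop}: src_mac={v['src_mac']} src_ip={v['src_ip']} ttl={v['ttl']}")
```

Hop 0 (the attacker's own LAN) is the only view containing ATTACKER_MAC; the victim's view at hop 2 shows router B's egress MAC, the attacker's source IP, and a TTL two lower. That is the reason the thread gives for MAC spoofing mattering only on the local network you attach to, and for the IP (or the VPN/Tor exit in front of it) being what the far end actually records.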
#10
I think your question is already answered, but I'll give my input anyway. SSL doesn't make you more anonymous. Think of it this way: you pass a message to your friend in class, but use a secret code only the two of you know. In the note it has your signature in it. He knows it came from you, but anyone else who passed the note between you two can't read the contents. But people who pass it do know where it came from and where it's going.

Insider Wrote: I don't see how changing your MAC address is going to help you. MAC isn't transmitted outside layer 2. However yeah, it would be useful if you're using a compromised network or public wifi.

Edited: what I said was incorrect. My bad :)