Splunk scripted input for opening a backconnect shell on a remote forwarder
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
bin
default
etc
LICENSE
README.md

README.md

TA-Shell

Splunk scripted input for opening a backconnect shell on a remote forwarder

This app uses a variant of a python shellwritten by DaveK from TrustedSec in 2012, leveraged as a scripted input to have it execute the python code that will spawn a shell as the user splunk is running as.

This is useful when you need to make configuration changes to a host you have Deployment server access to, but not SSH/Remote management.

All configuration is handled in ./etc/shell.conf

Please modify the config prior to intall, by default this is configured to use the following:

[global]
lhost: 127.0.0.1
lport: 9997

To create the listener on the box you wish to connect back to run:

 nc -vv -l -p 9997

Upon a successful connection you will see

$ nc -vv -l -p 9997
listening on [any] 9997 ...
connect to [server] from ip24-252-37-155.om.om.cox.net [24.252.37.155] 64190
[*] Connection Established!

Ctrl+c to break connection