Living off the land is a term, historically used, where one would forage for or utilise items or objects which exist in natural environment, which could harnessed for ones own survival or livelihood.
"I firmly believe that nature brings solace in all troubles." –Anne Frank
The above concept can also act as a guide when describing the term, "Living Off The Land Binaries". Within the context of penetration testing this term describes a technique that sees a penetration tester utilising the "native" tools or utilities, offered by a system being tested or being testing from, as a means of either conducting a penetration test or for moving laterally within an environment.
In some cases a penetration tester may find themselves in a position where their go-to tools and or repositories may not necessarily be available. This can occur based on a multitude of reasons including a locked down operating system from which to conduct the testing from or perhaps the tester may find themselves compromising a system that may not provide the benefit of external access. In these cases the penetration tester may find themselves having to conduct lateral movement techniques using an out-of-the-box way of thinking, using what they have at their disposal.
A very common and helpful tool which can be utilised upon engagement during the network reconnaissance phase is a tool named NMAP. NMAP is a network port and service scanner that allows a penetration tester the ability to scan a network for open ports and corresponding services. This allows the penetration tester the ability to discover potential attack vectors based on these results.
What happens though when this utility may not be available for reasons beyond the scope of this blog post ?
This is where out-of-the-box thinking can assist. In our example we will make use of commonly used utilities and tools to create a quick and dirty port scanner that can be used to obtain similar but rudimentary results.
Tools and Utilities
Quite often, by chaining utilities together and wrapping into a simple script, we can look to "Living Off The Land Binaries" to help facilitate a desired result. In our example we will be utilising the telnet utility, a python script to create a port list and where both of these will be neatly wrapped into bash script for execution.
Creating the port list
Utilising a simple python script we will create a list of ports between the range of 1 and 65535. This list will be used within our bash script as an input to the telnet utility.
python3 -c "for i in range(1, 65535): print(i)" > ports.txt
Telnet Utility
Telnet (short for "telecommunications network") is a client/server application protocol that provides access to virtual terminals of remote systems on local area networks or the Internet. By default the telnet protocol utilises tcp port 23 and is nowadays classified as a non secure protocol, however we can capitalise on its functionality as it is also designed to establish tcp connections on arbitrary tcp ports.
Example Usage:
telnet <host> <port>
Bash Script
Our bash script takes a single argument, i.e the host that is being scanned. Within the logic of the script we simply iterate over the ports within the port list using a for loop, with the result being stored in a result variable. The result variable is then checked for a successful connection string, (indicating an open port) which is contained within the output. If a match is made our script will print a success message to the screen.
#!/bin/bash
printf " _____ _____ _ ___ ___ ___ ______ \n"
printf "|_ _| ___| | | \/ | / _ \ | ___ \ \n"
printf " | | | |__ | | | . . |/ /_\ \| |_/ / \n"
printf " | | | __|| | | |\/| || _ || __/ \n"
printf " | | | |___| |____| | | || | | || | \n"
printf " \_/ \____/\_____/\_| |_/\_| |_/\_| \n\n"
printf "[exploitsecurity.io]\n\n"
HOST=$1
if [ -z $1 ]; then
printf "[!] Required host missing\n"
printf "[*] Usage: $0 <host>\n"
exit
fi
printf "PORT\t\tSTATE\n"
for i in $(cat ports.txt);
do
result=$(echo "^]" | telnet $HOST $i 2>/dev/null | grep -i connected)
if [[ $result == *"Connected to"* ]]; then
printf "$i/tcp\topen\n"
fi
done;
Example Output
./nmap.sh localhost
Conclusion:
As has been described in this article the concept of "Living Off The Land Binaries" can assist in providing alternatives to otherwise non-existent tools or utilities. We have shown a simple example of how chaining together well-known or commonly used tools or utilities may help to provide a quick fix when pressed out in the field. The Security Team at Exploit Security hopes that this article has been informative. Stay Curious !
Comentarios