Let Me out Of Your .NET Work: Server Build

Wednesday, September 19, 2012

Rob Fuller


In a previous post I told you about letmeoutofyour.net, but how does it work?

Things we need to accomplish on the server:

  1. Listen on all ports
  2. Answer for all hostnames and subdomains
  3. Answer for all HTTP verbs, file and folder requests

ONE: Listen on all ports

(I used Linux, so this guide is for Linux; adapting it to other OSs is up to the reader.)

First you have to get rid of all other services. That’s harder than you would first assume, because you still have to admin the box somehow. You could toss SSH on a really high port, or have some kind of backend management, or just remove things from running on a multi-IP’d box. It would be impossible to describe every way this is done in one post, so I’ll leave it to you to research.

Once you have everything gone, install and start Apache or your favorite web server for Linux. Then run this very simple command that I stole from a commenter on the “Forcing Payloads Through Restrictive Firewalls” post:

iptables -t nat -I PREROUTING -p tcp -m state --state NEW -d 192.168.1.1 -j DNAT --to 192.168.1.1:80

Where ‘192.168.1.1’ is the IP address of your box. That one DNAT rule redirects every new inbound TCP connection to that address, whatever port it was sent to, over to port 80, so the web server effectively listens on every single port. That simple. Don’t make the mistake I did and forget to set up alternative management before you set that rule, because if you don’t you’ll be forced to find one.

TWO: Answer for all hostnames and subdomains

This is pretty easy: DNS has the concept of a wildcard hostname. However you manage your DNS, you simply put an asterisk (*) where you would normally put WWW, and you’re good.

You will also want to add a second record: an ‘@’ is used to reference the domain itself, without a host or subdomain. So the first record makes it answer for things like http://blah.letmeoutofyour.net and the second for http://letmeoutofyour.net/ – Pretty simple, ya?
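Why both records are needed comes down to how a DNS server matches a wildcard: a ‘*’ owner only answers for names below it, never for the apex, and only when no more specific name sits in between. As an added example, not code from the post, here is a small Python model of that matching, following the RFC 4592 rules (exact match first, then the wildcard at the “closest encloser”). The zone name is the one from the post; the records, the www entry and the 192.0.2.x addresses are constructed for the demo.

```python
# Added example, not code from the original post: a small model of how a DNS
# server decides whether a wildcard record answers a query (RFC 4592 rules),
# showing why the zone needs both a '*' record and an '@' (apex) record.
# Records and 192.0.2.x addresses below are constructed for the demo.
from typing import Dict, Optional, Set

ZONE = "letmeoutofyour.net"


def canon(name: str) -> str:
    """Lower-case and strip the trailing dot so names compare consistently."""
    return name.rstrip(".").lower()


def expand(owner: str, zone: str) -> str:
    """Turn a zone-file owner ('@', '*', 'www') into a fully qualified name."""
    return zone if owner == "@" else f"{owner}.{zone}"


def build_zone(zone: str, owners: Dict[str, str]) -> Dict[str, str]:
    """Map zone-file owners to fully qualified, canonical names."""
    zone = canon(zone)
    return {canon(expand(owner, zone)): addr for owner, addr in owners.items()}


def in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def existing_names(records: Dict[str, str], zone: str) -> Set[str]:
    """Every owner name plus its ancestors inside the zone: empty non-terminals
    'exist' for wildcard purposes even though they hold no records."""
    names = set()
    for owner in records:
        parts = owner.split(".")
        for i in range(len(parts)):
            name = ".".join(parts[i:])
            if in_zone(name, zone):
                names.add(name)
    return names


def resolve(qname: str, records: Dict[str, str], zone: str = ZONE) -> Optional[str]:
    """Address the zone would answer for qname, or None for NXDOMAIN.

    1. An exact owner match always wins.
    2. Otherwise find the closest encloser: the longest existing ancestor of
       qname inside the zone. The only wildcard that may answer is
       '*.<closest encloser>'; a wildcard higher up never applies.
    """
    zone = canon(zone)
    q = canon(qname)
    if not in_zone(q, zone):
        return None  # some other zone's name
    if q in records:
        return records[q]
    existing = existing_names(records, zone)
    parts = q.split(".")
    for i in range(1, len(parts)):
        ancestor = ".".join(parts[i:])
        if not in_zone(ancestor, zone):
            break  # walked above the apex: nothing left to match
        if ancestor in existing:
            return records.get("*." + ancestor)
    return None


# Constructed zones. WILDCARD_ONLY has just the '*' record; WITH_APEX adds
# the '@' record the post says you also need; WITH_WWW adds a specific host,
# which the apex wildcard no longer covers names below (closest-encloser rule).
WILDCARD_ONLY = build_zone(ZONE, {"*": "192.0.2.10"})
WITH_APEX = build_zone(ZONE, {"*": "192.0.2.10", "@": "192.0.2.10"})
WITH_WWW = build_zone(ZONE, {"*": "192.0.2.10", "@": "192.0.2.10", "www": "192.0.2.20"})

if __name__ == "__main__":
    zones = (("wildcard only", WILDCARD_ONLY), ("with apex", WITH_APEX), ("with www", WITH_WWW))
    queries = ("blah.letmeoutofyour.net", "a.b.letmeoutofyour.net",
               "letmeoutofyour.net", "x.www.letmeoutofyour.net")
    for label, zone in zones:
        for q in queries:
            print(f"{label:14} {q:26} -> {resolve(q, zone)}")
```

Run it and the wildcard-only zone answers for blah.letmeoutofyour.net and even a.b.letmeoutofyour.net but returns nothing for the bare domain; adding the ‘@’ record fixes that. The www variant shows the other edge: once www.letmeoutofyour.net exists, x.www.letmeoutofyour.net is no longer covered by the apex wildcard.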

THREE: Answer for all HTTP verbs, file and folder requests

This is pretty simple as well. Apache’s mod_rewrite to the rescue. Here are the rules:

RewriteEngine on
# Every request, whatever the verb, path or query string, is served index.html.
# The condition skips index.html itself so the rule cannot loop on its own output.
# (mod_rewrite only changes the path; whether a verb such as PUT then gets a
# 200 or a 405 depends on the handler that finally serves index.html.)
RewriteCond %{REQUEST_URI} !^/index\.html$
RewriteRule .* index.html [QSA,L]
# Anything that does not map to a real file also lands on index.html. The
# original tested %{DOCUMENT_ROOT} here, which is a directory and never a
# file, so the condition was always true; %{REQUEST_FILENAME} is what was meant.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.html [QSA,L]

You can either apply this in an .htaccess file or directly in the site configs, up to you.

And that’s it. It all seems really simple, but took me a good amount of time putting it all together. Next up, binaries and call backs that use this to wriggle their way out of networks.
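From the other side of the firewall, this kind of egress testing has a clear shape: one internal host opens connections to a single external address on many different ports within a short time, and the ports the firewall lets through are exactly the holes worth closing. As an added example, not part of the post, here is a Python pass over constructed outbound firewall log lines that groups events by source/destination pair, looks for many distinct destination ports inside a sliding window, and reports which of those ports were allowed. The log format, hostnames and addresses are made up for the demo.

```python
# Added example, not part of the original post: what egress-filter probing
# looks like from the defender's side. One internal host tries many different
# ports against a single external address within a short window; this groups
# outbound firewall events by (source, destination) and reports such sweeps
# together with the ports the firewall actually let through.
# The log format, hosts and addresses below are constructed for the demo.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed outbound firewall log: timestamp source destination dport action
LOG = """\
2012-09-19T09:00:00 10.0.0.5 192.0.2.10 80 ALLOW
2012-09-19T09:58:30 10.0.0.7 198.51.100.20 443 ALLOW
2012-09-19T10:00:01 10.0.0.5 192.0.2.10 21 DENY
2012-09-19T10:00:02 10.0.0.5 192.0.2.10 22 DENY
2012-09-19T10:00:03 10.0.0.5 192.0.2.10 23 DENY
2012-09-19T10:00:04 10.0.0.5 192.0.2.10 25 DENY
2012-09-19T10:00:05 10.0.0.5 192.0.2.10 53 ALLOW
2012-09-19T10:00:06 10.0.0.5 192.0.2.10 80 ALLOW
2012-09-19T10:00:07 10.0.0.5 192.0.2.10 110 DENY
2012-09-19T10:00:08 10.0.0.5 192.0.2.10 143 DENY
2012-09-19T10:00:09 10.0.0.5 192.0.2.10 443 ALLOW
2012-09-19T10:00:10 10.0.0.5 192.0.2.10 3389 DENY
2012-09-19T10:00:11 10.0.0.5 192.0.2.10 8080 ALLOW
2012-09-19T10:00:12 10.0.0.5 192.0.2.10 8443 DENY
2012-09-19T10:00:40 10.0.0.7 198.51.100.20 443 ALLOW
2012-09-19T10:01:15 10.0.0.7 198.51.100.20 80 ALLOW
"""


def parse_log(text: str) -> List[Dict]:
    """Split the constructed log into event dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "dport": int(dport), "action": action})
    return events


def find_port_sweeps(events: List[Dict], min_ports: int = 10,
                     window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Report (src, dst) pairs that touched >= min_ports distinct ports within
    `window`. For each pair the widest such window is returned, with the set of
    ports tried and the subset the firewall allowed."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    findings = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        left = 0
        for right in range(len(evs)):
            # slide the left edge so evs[left:right+1] spans at most `window`
            while evs[right]["ts"] - evs[left]["ts"] > window:
                left += 1
            span = evs[left:right + 1]
            ports = {e["dport"] for e in span}
            if len(ports) >= min_ports and (best is None or len(ports) > len(best["ports"])):
                best = {
                    "src": src, "dst": dst, "ports": ports,
                    "allowed": {e["dport"] for e in span if e["action"] == "ALLOW"},
                    "first": span[0]["ts"], "last": span[-1]["ts"],
                }
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_port_sweeps(parse_log(LOG)):
        print(f"{f['src']} -> {f['dst']}: {len(f['ports'])} ports between "
              f"{f['first'].time()} and {f['last'].time()}; "
              f"allowed out: {sorted(f['allowed'])}")
```

On the constructed log this flags 10.0.0.5 probing 192.0.2.10 on 12 ports in about ten seconds, with 53, 80, 443 and 8080 getting through; the lone port-80 hit an hour earlier falls outside the window and the normal 10.0.0.7 traffic never reaches the threshold. The same thresholds are what you would tune against real proxy or firewall exports, and the “allowed” set is the list to take to whoever owns the egress policy.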

P.S.

This setup throws web scanners through a loop, and if you wanted to be REALLY nasty you could have a bit of php make the index page be an endless 302 or have w00w00t linked to a random page / folder which is generated each time it’s requested.

Cross-posted from Room362
