Examples
RDP connection over QSRN
ADB access over QSRN
Usage:
- SSH from Workstation B to Workstation A through any firewall/NAT
- Log in to Workstation A from Workstation B through any firewall/NAT
- Transfer files from Workstation B to Workstation A
- Port forward. Access 192.168.6.7:22 on Workstation A’s private LAN from Workstation B:
- In a new terminal on Workstation B execute:
- Execute any command (nc -e style) on Workstation A
Another example: Spawn a new docker environment deep inside a private network
Access the docker environment deep inside the private network from anywhere in the world:
Listen in on a remote computer’s microphone for 10 seconds
Access the entirety of Workstation A’s private LAN (SOCKS4/4a/5 proxy)
Mount a remote folder using sshfs and qs-netcat
Pro Tips
- Hide your arguments (argv)
Pass the arguments by environment variable (QS_ARGS) and use a bash trick to hide the qs-netcat binary in the process list:
- SSH login to remote workstation
or
- Retain access after reboot
The easiest way to retain access to a remote system is by using the automated deploy script. Alternatively the following can be used to achieve the same: combine what you have learned so far and make your backdoor restart after reboot (and as a hidden service obfuscated as rsyslogd). Use any of the start-up scripts, such as /etc/rc.local:
Not all environment variables are set during system bootup. Set some variables to make the backdoor more enjoyable: TERM=xterm-256color, SHELL=/bin/bash and HOME=/root. The startup script (/etc/rc.local) uses /bin/sh, which does not support our exec -a trick. Thus we use /bin/sh to start /bin/bash, which in turn does the exec -a trick and starts qs-netcat. Puh. The qs-netcat process is then disguised as rsyslogd in the process list. Read how to enable rc.local if /etc/rc.local does not exist.
Alternatively install qs-netcat as a systemd service.
Alternatively, if you do not have root privileges, just append the following line to the user’s ~/.profile file. This will start qs-netcat (if it is not already running) the next time the user logs in. There are many other ways to restart a reverse shell after system reboot: