Netcat: Security’s Swiss Army Knife

Every once in a while we stumble onto tools that are simple and mundane yet actually very useful. One such tool is Netcat: released in 1995, it is still one of the favourite tools in security (ranking #8 in the SecTools list for 2015).

At its most basic, Netcat establishes a connection between two computers and allows data to be written across the TCP and UDP transport-layer protocols over IP. This behaviour opens up lots of possibilities! In this blog post, we will see what we can do with Netcat.

For our demonstration, let’s set up a VirtualBox VM running Ubuntu Server 14.04. Like any tool, Netcat has many benefits if used properly but grave effects if used poorly. Be sure to use it with caution and don’t use it for malicious acts. Get consent first on machines that you’ll be targeting if they’re not yours.

A. Chat

Before we delve into how we can make chat servers with Netcat, let’s first see what makes up a chat scenario:

We first need a listener, which simply waits for anybody who wants to speak with it, and then we need the one who makes the connection. The connection will succeed as long as there is someone waiting on the other side.

So how do we make one with Netcat? Easy!

  1. On our Virtual Box, let’s set up the listening part with the following command:
    nc -l -p 7174

    Dissecting this command, we have the -l and -p flags. -l instructs our machine to listen and -p specifies the port it will listen on. Take note that when the client disconnects, the server also stops listening. On Windows machines, the -L flag can be used instead of -l to keep listening even after a client disconnects.

    We now have our VM waiting for connections.

  2. Then on our host machine, let us connect to the listening VM via:
    nc 192.168.1.101 7174

    where 192.168.1.101 is our VM’s IP, which we found by running ifconfig, and 7174 is the port it is listening on.

  3. Once connected, let’s try to send messages.

    Yay! As we see, communication is two-way. Both the VM and our host machine can send messages to one another.

Note that if we try to open a second connection from our host machine to the listening VM, the second connection does not go through.

B. File Transfer

Here, we are going to execute a basic file transfer. This could be useful in cases where our server doesn’t have any FTP utilities or other transfer mechanisms.

  1. Say we have a file secret.txt on our VM with some contents.
  2. And we want this transferred to our host machine. We can set up the passage for file transfer by issuing the following command to our VM:
    nc -l -p 7174 < secret.txt
  3. To download this on our host machine, we issue the following command and wait for the download to finish.
    nc 192.168.1.101 7174 > secret.txt

    Once download finishes, the connection automatically closes.

    We can also make Netcat more verbose by adding the -v flag:

    nc -v -l -p 7174 < secret.txt


  4. Check that the file has indeed been successfully transferred.
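The transfer above, reproduced in Python as an added example that is not from the post: the sender streams a file to the first client and then closes, the receiver reads until EOF, and both copies are compared by SHA-256, which is the check a practitioner would want instead of eyeballing the file. The port and the file contents are constructed for the demo.

```python
import hashlib
import os
import socket
import tempfile
import threading

def serve_file(srv, path):
    """Behave like `nc -l -p PORT < file`: accept one client, stream the file, close."""
    conn, _ = srv.accept()
    with conn, open(path, "rb") as f:
        conn.sendfile(f)        # send the whole file; leaving the block closes the socket
    srv.close()                 # like netcat-openbsd, stop listening after one client

def fetch_file(host, port, dest):
    """Behave like `nc HOST PORT > file`: read until the sender closes the connection."""
    with socket.create_connection((host, port), timeout=5) as s, open(dest, "wb") as out:
        while True:
            chunk = s.recv(65536)
            if not chunk:       # EOF means the sender closed: transfer complete
                break
            out.write(chunk)

def sha256_of(path):
    """Hash a file so both sides can be compared instead of reading them by eye."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def transfer_and_verify():
    """Run sender and receiver on loopback; return (hashes match, bytes received)."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "secret.txt")
    dst = os.path.join(tmp, "secret_copy.txt")
    with open(src, "wb") as f:
        f.write(b"this is a constructed secret\n" * 1000)   # constructed sample content
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port instead of 7174
    srv.listen(1)
    port = srv.getsockname()[1]
    sender = threading.Thread(target=serve_file, args=(srv, src), daemon=True)
    sender.start()
    fetch_file("127.0.0.1", port, dst)
    sender.join(5)
    return sha256_of(src) == sha256_of(dst), os.path.getsize(dst)
```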

C. Banner Grabbing

Sometimes we want to know which service (and which version of it) is running on a specific port. Netcat doesn’t alter the data stream, so we can be sure we are not going to get unpredictable results.

  1. On our VM, we installed a web server at port 80. Let us keep the identity of the web server a secret for now. Let’s have Netcat tell us what it is.
    We just know that we have some service listening at port 80.
  2. On our host machine, let’s try connecting to our VM’s port 80 via Netcat. From here, we can see that it is Nginx (version 1.4.6) that’s running on our VM’s port 80.
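The banner grab above written out in Python as an added example (not the post’s own code): it sends the same HEAD request you would type into nc, reads the reply up to the end of the headers, and pulls out the Server header. The reply it is tested against is a constructed sample shaped like the Nginx 1.4.6 response, served by a loopback stand-in rather than the VM.

```python
import socket
import threading

# Constructed sample reply, in the shape an Nginx 1.4.6 on Ubuntu would send to HEAD /.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.4.6 (Ubuntu)\r\n"
                   b"Content-Length: 0\r\n\r\n")

def parse_banner(raw):
    """Return (status line, Server header or None) from raw HTTP response bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    server = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":    # header names are case-insensitive
            server = value.strip()
    return lines[0], server

def grab_http_banner(host, port, timeout=3.0):
    """Do what typing `HEAD / HTTP/1.0` into `nc HOST 80` does, then read the reply."""
    request = b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        raw = b""
        while b"\r\n\r\n" not in raw and len(raw) < 65536:   # stop at end of headers
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_banner(raw)

def _fake_server(srv, response):
    """Stand-in for the VM's web server: answer one client with the constructed reply."""
    conn, _ = srv.accept()
    with conn:
        conn.recv(4096)         # consume the request; the answer is always the same
        conn.sendall(response)
    srv.close()

def demo():
    """Grab the banner from a loopback fake server; returns (status line, Server value)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # OS-chosen port stands in for the VM's port 80
    srv.listen(1)
    port = srv.getsockname()[1]
    threading.Thread(target=_fake_server, args=(srv, SAMPLE_RESPONSE), daemon=True).start()
    return grab_http_banner("127.0.0.1", port)
```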

D. Take Hold of a Remote Shell

In this section, we are going to see how we can obtain a remote shell on a target computer system. This is useful in case you want access to a remote computer.

Before we proceed, let’s first get to know the versions of Netcat. When you run the netcat command alone, you may notice that there is another version of Netcat, netcat-traditional.

By default what we have is netcat-openbsd, which is a “safer” version as it does not include flags like -e that execute programs on the remote machine.

For purposes of demonstration, we will be installing netcat-traditional:

sudo apt-get install netcat-traditional

Then we switch nc from netcat-openbsd to netcat-traditional:

sudo update-alternatives --config nc


We now have netcat-traditional as our nc. We can check by running netcat -h.

Note that we have two additional flags, -c and -e, which are tagged as [dangerous!!].

Now we can prepare our listener! 🙂

  1. Set the listener on our VM
    sudo nc -lp 7174 -e /bin/bash

    With this command, we instruct Netcat to listen on port 7174 and then call /bin/bash on the connection to give our host machine access to a remote shell.

  2. Then we connect to our VM from our host machine
    nc 192.168.1.101 7174

    We connect to our VM the same way as before.

  3. Not much feedback is given regarding the status of our connection, but when we try a cd command we get results back.
  4. Let’s try to make a directory and a file on our VM via Netcat.
  5. Verify on our VM that our folder was indeed created.
  6. This capability of Netcat is very powerful, as you already have almost full control of the VM’s command line. It is as if you are issuing commands on the actual VM itself. You can even add users with admin privileges, edit file permissions, create accounts, etc.
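As a defender’s counterpart to this section, here is an added example (not from the post) that looks for netcat listeners on a host and flags any that hand the connection to a program with -e or -c. The ss and ps output below is constructed to mirror the VM above; on a real box you would feed it the output of `ss -ltnp` and `ps -eo pid,args`.

```python
import re

# Constructed sample output of `ss -ltnp` and `ps -eo pid,args` (not real captures).
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      1      0.0.0.0:7174       0.0.0.0:*         users:(("nc",pid=4242,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1001,fd=6))
LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*         users:(("redis-server",pid=1337,fd=4))
"""
PS_SAMPLE = """\
  PID COMMAND
 4242 nc -lp 7174 -e /bin/bash
 1001 nginx: master process /usr/sbin/nginx
 1337 /usr/bin/redis-server 127.0.0.1:6379
"""

NETCAT_NAMES = {"nc", "netcat", "nc.traditional", "ncat"}
SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def parse_ps(ps_text):
    """Map pid -> full command line from `ps -eo pid,args` output."""
    cmdlines = {}
    for line in ps_text.splitlines()[1:]:          # skip the header row
        pid, _, args = line.strip().partition(" ")
        cmdlines[int(pid)] = args
    return cmdlines

def find_netcat_listeners(ss_text, ps_text):
    """Return [(port, pid, command line, spawns a program?)] for every listening netcat."""
    cmdlines = parse_ps(ps_text)
    findings = []
    for line in ss_text.splitlines():
        m = SS_LINE.match(line)
        if not m or m.group(3) not in NETCAT_NAMES:
            continue
        port, pid = int(m.group(2)), int(m.group(4))
        args = cmdlines.get(pid, "")
        # -e / -c (netcat-traditional) hand the connection to a program: a bind shell.
        spawns = bool(re.search(r"(^|\s)-(e|c)(\s|$)", args))
        findings.append((port, pid, args, spawns))
    return findings
```

A netcat listener without -e or -c still shows up in the result, since even a plain listener is worth a look on a server that should not be running one.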

E. Port Scanning

Knowing the IP address of a computer is not enough if you wish to know which services run on it. Ports define the gateways through which these processes communicate with other processes and the world. Think of IP addresses as buildings and ports as the specific doors in the building.

For this purpose, Netcat can be used to determine which ports are open and what services are running on them.

Say we have a target machine with IP address 192.168.0.84 running Redis on port 6379.

From an attacker’s perspective, we still don’t know which ports are open. With Netcat, we can scan a range of ports in the hope that we hit an open one.

nc -zv -w 1 192.168.1.101 1-6390

For this command, we can see 2 new flags: -z and -w:

  • -z: Puts Netcat in Zero-I/O mode, in which it only checks whether the connection succeeds and sends no data, which makes scans relatively faster.
  • -w 1: Tells Netcat to wait at most 1 second for each connection attempt (i.e. the server may take that long to respond before Netcat gives up on that port).

Our last parameter gives the range of ports Netcat will scan. Now let’s run this and look at the results.

Aha, port 6379 is open! We can also do a randomised scan within the port range by adding the -r flag to our command above. This makes our scan less prone to detection than scanning consecutive port numbers (though some Intrusion Detection Systems can still detect port scans even if they are random!).

The command above assumes that we know the IP of our target machine, but what if we don’t? With Netcat, we can still port-scan a range of addresses (with a small shell loop):

for i in {82..84}; do nc -zv -w 1 192.168.0.$i 6378-6381; done


For our example, we scanned the IP addresses 192.168.0.82, 192.168.0.83 and 192.168.0.84 and saw which of them are listening and which ports are open on each.
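The same scan written in Python as an added example (not the post’s own code): each attempt connects with a timeout and sends nothing, mirroring -z and -w 1, and a sweep over a list of hosts stands in for the shell loop. The demo scans three constructed loopback ports, one of them deliberately closed, so you can see it tell open from closed without touching another machine.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

def port_open(host, port, timeout=1.0):
    """Like `nc -z -w 1 HOST PORT`: connect, send nothing, report whether it succeeded."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable: all count as "not open"
        return False

def scan_ports(host, ports, timeout=1.0, workers=64):
    """Return the sorted open ports on one host (like `nc -zv -w 1 HOST LO-HI`)."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, port_open(host, p, timeout)), ports))
    return sorted(p for p, ok in results if ok)

def scan_hosts(hosts, ports, timeout=1.0):
    """Sweep several hosts, like the `for i in {82..84}` loop; returns {host: [ports]}."""
    return {h: scan_ports(h, ports, timeout) for h in hosts}

def demo():
    """Bind three loopback listeners, close the middle one, then scan all three ports.

    Returns (scanner agreed with the known state, number of open ports found).
    """
    socks = []
    for _ in range(3):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("127.0.0.1", 0))             # OS-chosen ports: constructed targets
        s.listen(1)
        socks.append(s)
    ports = [s.getsockname()[1] for s in socks]
    socks[1].close()                         # this port now refuses connections
    expected = sorted([ports[0], ports[2]])
    found = scan_hosts(["127.0.0.1"], ports)["127.0.0.1"]
    for s in socks:
        s.close()
    return found == expected, len(found)
```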


With these 5 use cases, we saw how powerful and flexible Netcat is as a tool! But as with any tool, be sure to use it responsibly and diligently! 🙂

Thanks for reading!


Reference/s: Netcat Starter by K.C. Yerrid
