SecurityDocs: Comment on NetCat Tutorial

Simple File Transfer

Here, using the –l switch, we are able to specify that netcat should go into ‘listen mode’ i.e. to listen on the specified port. Using –p 1111 we are able to specify that we are using port 1111. To summarize, netcat will sit and listen for TCP connections on port 1111 and print any data it receives out to the screen.

In another window we start netcat as:

netcat 127.0.0.1 1111

This will connect to host 127.0.0.1 (Locally) on port 1111.

We are now able to have a full two way data transmission, in Window 1:

netcat -l -p 1111
This message was typed in WINDOW1

This message was typed in WINDOW2

This message was typed in WINDOW1

This message was typed in WINDOW2

Now I'm going to end communication with ^C (Ctrl-C)

Lets say we wanted to simply transmit a plaintext file.

In one window, we will start netcat as:

netcat -l -p 1111 > outputfile

This will run netcat with the same parameters specified above, except it will redirect all text received into ‘outputfile’.

echo > infile << EOF

> This is a test file.

> I am going to attempt to transmit this.

> Using Netcat.

> EOF

cat outputfile

This is a test file.

I am going to attempt to transmit this.

Using Netcat.
And here we can confirm that it has. The –q 10 in the command line will quit after EOF (Otherwise netcat will hang waiting for more input for cat and we will have to terminate it manually). The parameter ‘10’ causes it to quit after 10 seconds anyway.

Tar

On one side: tar zcfp - /path/to/directory | nc -w 3 127.0.0.1 1234

The tar statement before the pipe tar’s and compresses (using gzip) every file within that directory, before printing its output to stdout (The screen). It is then caught by the pipe, and piped to nc which in this example, connects to 127.0.0.1 on port 1234 and sends it the data which would normally hit the screen. The –w 3 switch causes nc to allow for a 3 second timeout (In the event of a temporary disconnection or similar).

On the other side: nc -l -p 1234 | tar xvfpz –

This will listen on port 1234 for a connection, and will pass any data received to tar. Using the option ‘v’ we can print out filenames to screen:

UDP

Simple Socket Reply

As an example:

while true; do echo "Leave me alone" | netcat -l -p 1234 –w10; done

Consider this line. Firstly lets examine

echo “Leave me alone” | netcat –l –p 1234 –w 10
What we are doing here, is listening in on port 1234 with a wait time of 10 seconds. If/when we receive a connection, pipe the results of echo “Leave me alone” to netcat. The –w 10 is necessary, as otherwise any connection made in will remain open forever. We can also optionally add a –v in to the netcat command line which will give us verbose information, i.e. who is connecting.

Every time a connection times out (either with the –w 10 command line switch, or because a connection has been made and then closed), netcat will exit. As this is not what we)

Program Execution

nc –e

We have already discussed the basics of redirection with netcat. Netcat has a –e switch which we can use to execute a program on connection. There are a couple of viable and legitimate uses for this, i.e. running as nc –e –v … called by the inetd wrapper, which we can use to view traffic and information on users connecting to wrapped daemons, however the most common use which we will explore here is using it to redirect to and from /bin/bash or similar shell, for both good and bad.

One method could be this:

nc -v -e '/bin/bash' -l -p 1234 -t

listening on [any] 1234 ...

connect to [127.0.0.1] from localhost [127.0.0.1] 51210
In one window, and a simple ‘telnet localhost 1234’ in another window:
telnet 127.0.0.1 1234

Trying 127.0.0.1...

Connected to 127.0.0.1.

Escape character is '^]'.

echo Test

Test

^]

telnet>

Scanning

The scanning features of netcat can be used against yours or your friend’s networks to get useful information about which hosts have certain ports open. You can also send a precompiled data file to each. For example:

echo EXIT | nc -w 1 127.0.0.1 20-250 500-600 5990-7000

Will scan 127.0.0.1 on ports 20-250, 500-600 and 5990-7000. Every port that it finds is open, it will pipe the output of echo “EXIT” being the word “EXIT” to that port.

The results are as follows:

And now with UDP scanning: nc -v -w 1 127.0.0.1 –u 20-250 500-600 5990-7000 we receive:

adam@adamp:~$ nc -u -v -w 1 127.0.0.1 20-250 500-600 5990-7000

localhost [127.0.0.1] 250 (?) open

adam@adamp:~$

-v was to put netcat into verbose mode, and –u was telling netcat to fall into UDP mode.

Spoofing

“Your TCP spoofing possibilities are mostly limited to destinations you can source-route to while locally bound to your phony address. Many sites block source-routed packets these days for precisely this reason. If your kernel does oddball things when sending source-routed packets, try moving the pointer around with -G. You may also have to fiddle with the routing on your own machine before you start receiving packets back. Warning: some machines still send out traffic using the source address of the outbound interface, regardless of your binding, especially in the case of localhost. Check first. If you can open a connection but then get no data back from it, the target host is probably killing the IP options on its end [this is an option inside TCP wrappers and several other packages], which happens after the 3-way handshake is completed. If you send some data and observe the "send-q" side of "netstat" for that connection increasing but never getting sent, that's another symptom.

Spoofing is a useful technique, as is source routing.

Source routing is almost obsolete now, and the majority of routers filter out source routed packets. Source routing in a nutshell is basically setting the route that the packet will take at the source, and storing that information along with the packet. Normally, each router makes its own mind up as to where a packet will get routed, and follows its predefined routing tables. If we have access to all routers between our device and the target device (which can be one machine if you’re talking about your local LAN server), then we are able to modify the routing entries on those devices, bind a phoney address to our machine and source route packets to the intended destination.

Spoofing is where we modify the source address of a packet so that the recipient believes it came from a different address. There are two problems with this;

1. 
   A number of clever ISP routers will drop packets with incorrect source addresses.
   
2. 
   If the destination host does get to receive your spoofed packet, it will send data back to the spoofed address (instead of ours). This does have a number of uses however in the example of ICMP ping flooding a host and spoofing the source address to Microsoft.com (as a theoretical example).
   

Simple Response Service

echo -e "GET http://www.google.com HTTP/1.0nn" | nc –w 5 www.google.com 80

We make a connection to google.com on port 80 (Web server port), and put in an HTTP request for http://www.google.com.

At this point, we are presented with the HTML spurted out by the web server. We can pipe this to “| less” or similar or even our favourite HTML interpreter.

Take a look at this example, and you will see what we have done here. In one instance we have created an HTML file ‘webfrontend’ and we now pipe that HTML to any incoming connection to netcat on port 1111. We then make a connection on the larger window, using lynx http://127.0.0.1:1111 and we have made ourselves a tiny http server, possibly could be used as a holding page server or something similar.

Advanced Proxying

Now we'll set up a server netcat to listen on port 1111. We'll also set up a client netcat to talk to the real web server on port 81. By getting them to pass all data they receive to each other, together they form a proxy; something that sits in the middle of a network connection. Here are the commands we use:

mknod backpipe p

nc -l -p 1111 0backpipe

Because bash pipes only carry data in one direction, we need to provide a way to carry the responses as well. We can create a pipe on the local filesystem to carry the data in the backwards direction with the mknod command; this only needs to be run once.

Requests coming into the proxy from the client arrive at the first nc, listening on port 1111. They get handed off to the "tee" command, which logs them to the inflow file, then continue on to the second nc command which hands them off to the real web server. When a response comes back from the server, it arrives back at the second nc command, gets logged in the second tee command to the outflow file, and then gets pushed into the backpipe pipe on the local filesystem. Since the first netcat is listening to that pipe, these responses get handed to that first netcat, which then dutifully gives them back to the original client. While the above example is for watching tcp streams going to and from a web server, the above technique is useful for watching any tcp connection. In fact, since nc also works with udp packets - something telnet can't do - it should be possible to even set up udp proxies this way.

NetCat Command Cheat Sheet

The following are the most useful uses of netcat:
For windows nc –d can be used to detach from the console.

nc –l –p [port]	will create a simple listening tcp port. Add –u to put into UDP mode.
nc –e [program]	To redirect stdin/stdout from program.
nc –w [timeout]	To set a timeout before netcat automatically quits. (Used within a loop usually)
program | nc	To pipe output of program to netcat
nc | program	To pipe output of netcat to program
nc –h	Help sheet
nc –v	To put into verbose mode, or use –v –v to put into ultra-verbose mode!
nc –g or nc –G	Source routing flags
nc –t	Use telnet negotiation (If connecting to a telnetd or acting as a telnetd for telnet clients).
nc –o [file]	Hex dump traffic to file
nc –z	No I/O (Used for scanning ports)

Yüklə 50,4 Kb.

Dostları ilə paylaş: