Tuesday, September 9, 2014

NetCat a walktrough

Netcat commonly known as the Hackers Swiss knife is a versatile tool. It uses TCP and UDP protocols to check on the services running on your ports.

Why we say it as versatile. It is because it has various features which makes it more and more powerful. It includes from port scanning, transferring files, and port listening, to being a powerful BACKDOOR.

This was developed and given to the IT community for free by a cool guy called as “HOBBIT” .

It is so useful for network administrators that it is also shipped with some of the Linux Distros. But with the power there is also the evil part which can mis-utilize these features for malicious activity.

Let us analyse a little of it and see what it can do with its various bunch of commands.
I will be using BACKTRACK machine which comes with netcat already installed. Also you can get it both for windows and Linux for free in the internet.(Google it !!)
You can fire up netcat from any directory in backtrack as it is located in the /bin directory.

The first command for any new tool that you are researching on should be the help file :)

Here it goes:

netcat –h or nc –h     

Fig 1: Showing use of help feature

Connecting to a Remote System

This can be compared with telnet utility. It operates by initiating a TCP connection to the remote host.

netcat [options] host port                                    

Fig 2: Connecting to remote system
With this command at the background Netcat initiates a TCP connection to the host under test on the specified port number. Please keep in mind the whole connection however stays unencrypted.
Post connecting it becomes easy to create and send request packets across to the webserver.

Port scanning is one of the functionality that Netcat offers on the go.We can port scan using the following command.

netcat -z -v mydomain.com 1-500                               

Fig 3: Port scanning a remote system
Note the switch ‘-z’ which is used to tell netcat that there is no need to initiate a connection rather the intent is only scanning the port.

It actually prevents sending any kind of data to a TCP connection and very limited probe data to a UDP connection therefore making the scanning more fast to only check which port is open. 

The details of the other switches are as under:

-v’  is used for a more verbose output.

-n’ switch is used to tell netcat to resolve the IP address using DNS

Some other simple commands are as under:

If you want to use the UDP packet instead of TCp. You can do so with the use of switch ‘u’.

netcat -u host port                                          

For range of ports follow the command below

netcat host startport-endport                                


Once we know the details about the ports , the next step will be to do more fingerprinting on the services running. Netcat comes in handy for fingerprinting very effectively.

Connect to the port you want to fingerprint. For eg port 80 or 21 with the following command:

nc –v –n 80                                   

Once you are able to connect to the Webserver you can get the details of the web server with a couple of commands.

For eg: You can craft an HTTP request like

GET / HTTP/1.0 Or HEAD / HTTP/1.0                             

Mind the gaps in the request header.

Fig 4: Fingerprinting with HTTP Command
Don’t panic. You have to press enter more than one time to get the results :)

Bingo here is an Apache server running on an UBUNTU platform.

Similarly for FTP we can run

nc –v –n 21                                    

Fig 5: Fingerprinting FTP server
This can be very useful for a penetration tester to proceed further for his test. Fingerprinting is a major part in the RECONNAIANCE part of nay Pentest.

For example if we know about the details of the version of the server they are running, we can create a malformed packet to the server and run exploits to overtake it. If this FTP server is vulnerable we can upload Netcat to the server and create a backdoor.

Apart from all these features there are many other features of netcat. For example listening on a port for connections and packets. With this functionality we can create a Client Server architecture between the victim and attacker. Netcat can also be used as webserver to HTML files and render it in a web browser.

For listening on a specific port the switch '-l' is used.

netcat -l 8286                                                

This command will feature the port 8286 to listen for any TCP connections.

In the next article of Netcat we wiill see on how it can be used as BACKDOOR :)

No comments:

Post a Comment