Why do we call it versatile? Because its many features make it more and more powerful: they range from port
scanning, transferring files, and port listening, right up to being a powerful BACKDOOR.
It was developed and given to the IT community for free by
a cool guy known as “HOBBIT”.
It is so useful to network administrators that it even
ships with some of the Linux distros. But with that power there is also an
evil side: the same features can be misused for malicious activity.
Let us analyse it a little and see what it can do with
its various commands.
I will be using a BACKTRACK machine, which comes with netcat
already installed. You can also get it for both Windows and Linux for free on the
internet. (Google it!!)
You can fire up netcat from any directory in BackTrack, as it
is located in the /bin directory.
The first command to run for any new tool you are researching
should be its help output :)
Here it goes:
Fig 1: Showing use of help feature
Connecting to a Remote System
This can be compared with the telnet utility: it works by initiating
a TCP connection to the remote host.
netcat [options] host port
Fig 2: Connecting to remote system
Behind the scenes, this command makes Netcat initiate a TCP connection to the host under test on the specified
port number. Keep in mind that the whole connection stays unencrypted.
Once connected, it is easy to craft and send request packets across to the web server.
PORT SCANNING:
Port scanning is one of the functions Netcat offers out of the box. We can port scan using the following command.
netcat -z -v mydomain.com 1-500
Fig 3: Port scanning a remote system
Note the switch ‘-z’, which tells netcat that there is no need to talk to the service; the intent is only to scan the port.
It prevents sending any data over a TCP
connection (and sends only very limited probe data over a UDP connection), which makes the scan faster since it
only checks which ports are open.
The other switches are as follows:
‘-v’ gives more verbose output.
The ‘-n’ switch tells netcat to resolve the IP address
using DNS.
If you want to use UDP instead of TCP, you can do so with the ‘-u’ switch.
netcat -u host port
For a range of ports, use the command below:
netcat host startport-endport
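The scan above prints one chatty line per port, which is awkward when you want a plain list of what is open on a host you administer. The following is an added example (not from the original post): it runs the same -z -v scan, filters the output down to open port numbers with awk, and compares them against the ports you expect to be exposed. It assumes netcat is on PATH as nc and that it reports open ports in one of the two formats handled by open_ports (traditional "Hobbit" netcat or OpenBSD nc); the sample output at the bottom is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes nc on PATH.

# Read raw `nc -z -v` output on stdin and print one open port number per line.
# Both netcat flavours write these lines to stderr, hence the 2>&1 in scan_host.
open_ports() {
    awk '
        / open$/      { print $3 }   # traditional: host [ip] 80 (http) open
        /succeeded!$/ { print $4 }   # OpenBSD:    Connection to host 80 port [tcp/http] succeeded!
    '
}

# Scan TCP ports lo-hi on host. -z: send no data, just check the port;
# -v: report every port tried.
scan_host() {
    host=$1; lo=$2; hi=$3
    nc -z -v "$host" "$lo-$hi" 2>&1 | open_ports
}

# Print the ports read from stdin that are NOT in the space-separated
# allow-list $1, i.e. services listening that you did not expect.
unexpected_ports() {
    allow=" $1 "
    while read -r port; do
        case "$allow" in
            *" $port "*) ;;            # expected, stay quiet
            *) echo "$port" ;;         # not on the list, report it
        esac
    done
}

# Constructed sample output (not captured from a real host) so the parsing
# can be exercised offline; 192.0.2.10 is a documentation address.
SAMPLE_SCAN='(UNKNOWN) [192.0.2.10] 80 (http) open
(UNKNOWN) [192.0.2.10] 22 (ssh) open
(UNKNOWN) [192.0.2.10] 25 (smtp) : Connection refused
Connection to 192.0.2.10 443 port [tcp/https] succeeded!'

# Live usage would be:  scan_host 192.0.2.10 1 500 | unexpected_ports "22 443"
# Offline run on the sample: prints 80, the one open port not on the list.
printf '%s\n' "$SAMPLE_SCAN" | open_ports | unexpected_ports "22 443"
```

Running the live form against your own hosts on a schedule and diffing the output is a cheap way to notice a new listener appearing, which is exactly what the backdoor use of netcat mentioned later would create.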
FINGERPRINTING
Once we know which ports are open, the next step
is to fingerprint the services running on them. Netcat comes in
very handy for fingerprinting.
Connect to the port you want to fingerprint, e.g. port 80
or 21, with the following command:
nc -v -n 192.168.99.103 80
Once you are connected to the web server, you can get its
details with a couple of commands.
For example, you can craft an HTTP request like
GET / HTTP/1.0
or
HEAD / HTTP/1.0
Mind the gaps (the spaces) in the request header.
Fig 4: Fingerprinting with HTTP Command
Don’t panic: you have to press Enter more than once to get the results :)
Bingo, here is an Apache server running on an UBUNTU
platform.
Similarly, for FTP we can run
nc -v -n 192.168.99.103 21
Fig 5: Fingerprinting FTP server
This is very useful for a penetration tester to proceed
further with the test. Fingerprinting is a major part of the RECONNAISSANCE phase
of any pentest.
For example, if we know the version of
the server they are running, we can send the server a malformed packet and
run exploits to take it over. If this FTP server is vulnerable, we can upload
Netcat to the server and create a backdoor.
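The interactive session above works, but the request can just as well be piped into netcat, which also shows precisely which bytes the server needs before it answers. The following is an added example (not from the original post): it sends the HEAD request with the terminating blank line already in place, pulls the Server: header out of the reply, and checks whether that banner gives away a version number, which is the piece of information the reconnaissance step described above feeds on. It assumes nc is on PATH, that the host and port you pass are systems you are allowed to test, and that nc supports -w (a connect/read timeout present in both traditional and OpenBSD netcat); the sample responses are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes nc on PATH.

# Bytes of a minimal HTTP/1.0 HEAD request. HTTP lines end in CRLF, and the
# empty line (the second \r\n) ends the header block; that blank line is why
# the interactive session needs Enter pressed more than once.
http_head_request() {
    printf 'HEAD / HTTP/1.0\r\n\r\n'
}

# Send the request to host $1, port $2 and print the response.
# -v: verbose, -n: numeric-only (no DNS lookups), -w 5: give up after 5 idle seconds
# so the command returns even if the server keeps the connection open.
http_banner() {
    http_head_request | nc -v -n -w 5 "$1" "$2" 2>&1
}

# FTP servers announce themselves as soon as you connect; QUIT ends the session.
ftp_banner() {
    printf 'QUIT\r\n' | nc -v -n -w 5 "$1" "$2" 2>&1
}

# Extract the value of the Server: header from an HTTP response on stdin.
server_header() {
    tr -d '\r' | awk 'tolower($1) == "server:" { sub(/^[^ ]* /, ""); print; exit }'
}

# Exit 0 if the banner on stdin carries a version number (something a
# recon step can match against known bugs), 1 if it does not.
leaks_version() {
    grep -Eq '[0-9]+\.[0-9]+'
}

# Constructed sample responses (not captured from a real server). The first
# is what a default Apache install says; the second is what it says after
# `ServerTokens Prod` in its configuration.
SAMPLE_HTTP=$(printf 'HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\nServer: Apache/2.4.0 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n')
SAMPLE_HTTP_HARDENED=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n')

# Live usage would be:  http_banner 192.168.99.103 80 | server_header
#                       ftp_banner  192.168.99.103 21
# Offline run on the samples:
for sample in "$SAMPLE_HTTP" "$SAMPLE_HTTP_HARDENED"; do
    banner=$(printf '%s\n' "$sample" | server_header)
    if printf '%s\n' "$banner" | leaks_version; then
        echo "$banner: version exposed"
    else
        echo "$banner: version hidden"
    fi
done
```

Pointing http_banner at your own web servers and feeding the result through leaks_version tells you what an outsider learns from the very first packet; hiding the version (ServerTokens Prod on Apache) does not fix any bug, but it removes the shortcut from banner to exploit that the paragraph above describes.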
Apart from all these, netcat has many other features, for example listening on a port for connections and packets. With this we can create a client-server setup between the victim and the attacker. Netcat can also be used as a web server to serve HTML files and render them in a web browser.
netcat -l 8286
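The one-liner above opens the listener, but to make a browser render a page the listener has to send back a well-formed HTTP response. The following is an added example (not from the original post): it builds the response for an HTML file, including the Content-Length the browser needs to know where the body ends, and hands it to a netcat listener. It assumes nc is on PATH; LISTEN_CMD is an assumption you adjust to your build, since traditional netcat wants `nc -l -p PORT` while OpenBSD nc wants `nc -l PORT` (and may need -N to close the socket once the file has been sent).

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes nc on PATH.
# Assumed listener command for traditional netcat; OpenBSD nc uses "nc -l".
LISTEN_CMD="nc -l -p"

# Build a complete HTTP/1.0 response for the file named in $1: status line,
# headers, the blank line that ends the headers, then the file as the body.
# Content-Length is computed from the file so the browser knows when the
# body is complete instead of waiting for the connection to drop.
http_response() {
    file=$1
    size=$(wc -c < "$file" | tr -d ' ')
    printf 'HTTP/1.0 200 OK\r\n'
    printf 'Content-Type: text/html\r\n'
    printf 'Content-Length: %s\r\n' "$size"
    printf 'Connection: close\r\n\r\n'
    cat "$file"
}

# Serve the file $2 to the first client that connects on port $1, then exit.
# netcat's stdin becomes the reply; whatever the client sent (its request)
# comes out on netcat's stdout and is passed to stderr here so you can see it.
serve_once() {
    http_response "$2" | $LISTEN_CMD "$1" >&2
}

# Usage:  serve_once 8286 index.html   then browse to http://<host>:8286/
#
# Any listener, including this one, appears in the host's socket table, and
# that is also where an unexpected "backdoor" listener is spotted:
#   ss -ltnp          (Linux)
#   netstat -an | grep LISTEN
```

Because netcat only relays bytes, everything that makes this a web server is in http_response; the same pattern with a different header block turns the listener into a file-transfer or banner-spoofing endpoint, which is why a stray listening nc process on a server deserves the same attention as an unknown open port.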
In the next article on Netcat we will see how it can be used as a BACKDOOR :)