Tuesday, 29 July 2008

Port Scanning with Netcat

In this short series on commands we are looking at the uses that netcat can provide. Today we start this with a less expected use; Port scanning. Yes, Netcat is not just for connections and sending files between machines. It is also quick and dirty port scanner.

Netcat will provide the functionality of both a TCP and UDP port scanner. It misses out on many of the refinements of NMAP, but when in a bind, it will do. It will do the standard 3-way TCP handshake as well as collecting UDP responses. Best yet, if you know what you are doing you can setup Netcat to fire off packets on one system and collect the responses on another. This sounds like another tool...

The options are for both linear sequential scans or there is also an option to randomise the scanning with ports choosen out of sequence. The later option is used as it is still less likely to be detected than you would expect.

BEST YET
Netcat allows the scan to come from ANY source port. For firewalls that allow (ANY - ANY) from TCP/UDP 53 (DNS) or TCP 80/443 (WWW) this makes testing through a firewall simple.

The command format is as follows:
nc -v -p 53 -w4 -z [Target IP address] [Starting port for the scan] - [End port for the Scan]

The options:

  • -v This tells netcat to provide verbose output. In this mode it will print the details of each connection that is successfully created (ie the 3-way handshake completes).
  • -w4 "w" is the wait time. In this case 4 seconds.
  • -z This tells Netcat to send only minimal data for a TCP handshake and nothing else. This is known as Zero I/O mode.
  • -p Is the Source port that is used. In this case we are scanning from port 53 as if we where a DNS server...
  • -r This is the option to randomise the scan.
The command above used TCP. Having a scan of UDP ports is just as simple, all we need do is add the "-u" option to select a UDP scan. A UDP based scan from UDP 53 to scan ports 1 to 1023 of address 192.168.1.100 would use the following format:
nc -v -p 53 -w4 -z 192.168.1.100 1 - 1023

On top of this, all the standard netcat options and ports are also available. We can port the output to a file (using > or >>), pipe the output to another programme (using the pipe: "").

Piping and execution
If a port is detected there are two options that are readily available. Piping was mention above where we send data all to another programme. Netx is selected execution. Using the "-e" option of netcat it is execute a programme on a successful connect.

This is handy if you are testing a particular port vulnerability. More on this will have to wait for another post. An example of this would be when a connection is made to a TCP port in the following command we run a DNS test script:
nc -v -p 53 -w4 -z -e /usr/bin/dns-test.sh 192.168.1.100 53

Each time in the previous example netcat connects to TCP 53 it will test the system using a script "/usr/bin/dns-test.sh". This can be any programme you choose.

Wait you say, this is testing a single hosts and is not too useful...

This is where the wonders of scripting come into play. Say we want to scan hosts 192.168.10.1 to 192.168.10.254 for web ports (TCP 80), we can use a simple script such as the following.

(for f in $(seq 1 254); do nc -v -w3 -z "192.168.10.$f" 80; done)

This simple script runs through each of the hosts. With a little thought you can start to make some quite elaborate scans with just a simple tool.

Pen Testing and Audit.
This comes in handy when engaged in a penetration test. In the exent that you find a shell, it may not be feasible to upload large amounts of data, but netcat is small (and also exists natively on many UNIX/LINUX systems). Next, there is a port of Netcat for Windows. This means that it can be loaded into a Windows network over a shell exploit.

Once on the internal host, you can extend what you have done by scanning the internal network - INSIDE the firewall.

Netcat - the testers best friend.

Sending to and from separate hosts
More on this another time... The idea here is to have netcat setup as a listener on the host that is collecting the data and for it to be running on a host that is spoofing * the source address.

We will also cover the "-w" option at a future date.

* After the series on Netcat I shall get to IP spoofing (then again I could just mention the "-s" address local source address option and the fact that netcat has the "-g" source-routing hop point options, No I do not think I will mention these yet :)

The "-wN" usage options defines the buffered send-mode taht selects one line every N seconds. Another option that can be considered is to hexdump (to stderr or to a specified file) of trasmitted and received data.

No comments: