Minggu, 24 April 2011

Netcat

As you will see throughout this book, a plethora of network security and hacker tools are at your disposal. In most cases, each tool is used to focus on a specific goal. For example, some tools gather information about a network and its hosts. Others are used directly to exploit a vulnerability. The most beneficial and well-used tools, however, are usually those that are multifunctional and appropriate for use in several different scenarios. Netcat and Cryptcat are such tools.


NETCAT

Simply stated, Netcat makes and accepts TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) connections. That's it! Netcat writes and reads data over those connections until they are closed. It provides a basic TCP/UDP networking subsystem that allows users to interact manually or via script with network applications and services on the application layer. It lets us see raw TCP and UDP data before it gets wrapped in the next highest layer such as FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol), or HTTP (Hypertext Transfer Protocol).

Note : Technically, Netcat doesn't make UDP connections because UDP is a connectionless protocol. Throughout this chapter, when we refer to making a UDP connection using Netcat, we're referring to using Netcat in UDP mode to start sending data to a UDP service that might be on the receiving end.


Netcat doesn't do anything fancy. It doesn't have a nice graphical user interface (GUI), and it doesn't output its results in a pretty report. It's rough, raw, and ugly, but because it functions at such a basic level, it lends itself to being useful for a whole slew of situations. Because Netcat alone doesn't necessarily obtain any meaningful results without being used in tandem with other tools and techniques, an inexperienced user might overlook Netcat as being nothing more than a glorified telnet client. Others might not be able to see the possibilities through the command-line arguments detailed in the lengthy README file. By the end of this chapter, however, you'll appreciate how Netcat can be one of the most valuable tools in your arsenal.

Implementation

Most modern Linux-based and BSD systems now include Netcat as part of the operating system's default utility set. Even Cygwin now includes Netcat as an install option. This is a testimony to Netcat's usefulness. If your system already has Netcat installed, or you can easily find the RPM or package from which to install it, then skip to the command-line section to learn how to start using it. Take note that most of these pre-installed versions do not support the –e option to execute commands over the socket, although you can pipe commands into it without that option. So, if Netcat isn't present or you want access to that additional piece of functionality, then you need to download and install the tool from source code.

Download
Netcat can be obtained from many sources, and even though many Unix distributions come with Netcat binaries already installed, it's not a bad idea to obtain the Netcat source code and compile it yourself. By default, the Netcat source doesn't compile in a few options that you might want. By downloading the source and building it yourself, you can control exactly which Netcat capabilities you'll have at your disposal. Netcat can be downloaded from many sites; one of the more reliable ones is http://www.vulnwatch.org/netcat/.

Note The GNU Netcat project is a rewrite of the original tool. It shares the command-line options but only compiles on Unix-like systems such as Linux, the BSD family, Solaris, and MacOS X. It doesn't compile natively for Windows. This version can be downloaded from http://netcat.sourceforge.net/.


Install
We won't cover the details of downloading, unpacking, and building most of the tools discussed in this book. But because Netcat is the first tool introduced, and because it has some compile-time options that might be of interest to you, it's important that we go into the nitty-gritty details.

Once you've downloaded the nc110.tgz file, create a directory and extract the files:

[root@originix tmp]# ls nc110.tgz
[root@originix tmp]# mkdir nc
[root@originix tmp]# cd nc
[root@originix nc]# tar zxf ../nc110.tgz
[root@originix nc]#


Note Unlike most "tarballs" (archives created with the Unix tar utility), most Netcat archives don't include a convenient subdirectory. It might seem trivial now, but if all your tarballs and subdirectories have been downloaded into one directory, and you discover that Netcat has placed all its files in the root download directory, it can be a bit of a pain to clean it all up.


Now you're ready to compile. Following are two compile-time options of importance:

  • GAPING_SECURITY_HOLE As its name suggests, this option can make Netcat dangerous in the wrong hands, but it also makes Netcat extremely powerful. With this option enabled, an instance of Netcat can spawn off an external program. The input/output (I/O) of that program will flow through the Netcat datapipe. This allows Netcat to behave like a rogue inetd utility, allowing you to execute remote commands (like starting up a shell) just by making a TCP or UDP connection to the listening port. This option is not enabled by default because there is so much potential for abuse or misconfiguration. Used correctly, however, this option is a critical feature.
  • TELNET Normally, if you use Netcat to connect to a telnet server (using nc servername 23), you won't get very far. Telnet servers and clients negotiate several options before a login prompt is displayed. By enabling this option, Netcat can respond to these telnet options (by saying no to each one) and allow you to reach a login prompt. Without this feature, you'd have to script out a solution of your own to respond to the telnet options if you were looking to do something useful with Netcat and telnet.


The significance of these options probably isn't apparent to you yet, but you'll see why we bring these up when you take a look at some examples used later in the chapter.

To enable either of these options, you'll need to add a DFLAGS line to the beginning of the makefile:

# makefile for netcat, based off same ol' "generic makefile".
# Usually do "make systype" -- if your systype isn't defined, try "generic"
# or something else that most closely matches, see where it goes wrong, fix
# it, and MAIL THE DIFFS back to Hobbit.


### PREDEFINES

# DEFAULTS, possibly overridden by recursive call:
# pick gcc if you'd rather, and/or do -g instead of -O if debugging
# debugging
# DFLAGS = -DTEST --DDEBUG

DFLAGS = -DGAPING_SECURITY_HOLE --DTELNET
CFLAGS = -O

You can include one or both of these options on the DFLAGS line.

If you want to play along with the following examples, you'll need to make this modification. However, before you make changes, make sure that you either own the system you're working on or have completely restricted other users' access to the executable you're about to build. Even though it's easy enough for another user to download a copy of Netcat and build it with these options, you'd probably hate to see your system get hacked because someone used your "specially-built" Netcat as a backdoor into the system.

Now you're ready to compile. Simply type make systemtype at the prompt, where systemtype (strangely enough) is the flavor of Unix that you're running (that is, linux, freebsd, solaris, and so on—see the makefile for other operating system definitions). When finished, you'll have a happy little "nc" binary file sitting in the directory.

For Windows users, your Netcat download file (nc11nt.zip) also comes with source, but because most people don't have compilers on their Windows systems, a binary has already been compiled with those two options built in by default. So simply unzip the file and you've got your "nc.exe" ready to go.

Command Line
The basic command line for Netcat is nc [options] host ports, where host is the hostname or IP address to scan and ports is either a single port, a port range (specified "m-n"), or individual ports separated by spaces.

Now you're almost ready to see some of the amazing things you can do with Netcat. First, however, take an in-depth look at each of the command-line options to get a basic understanding of the possibilities:

  • -d Available on Windows only, this option puts Netcat in stealth mode, allowing it to detach and run separately from the controlling MS-DOS command prompt. It lets Netcat run in listen mode without your having to keep a command window open. It also helps a hacker better conceal an instance of a listening Netcat from system administrators.

  • -e <command> If Netcat was compiled with the GAPING_SECURITY_HOLE option, a listening Netcat will execute command any time someone makes a connection on the port to which it is listening, while a client Netcat will pipe the I/O to an instance of Netcat listening elsewhere. Using this option is extremely dangerous unless you know exactly what you're doing. It's a quick and easy way of setting up a backdoor shell on a system (examples to follow).

  • -g <route-list> Using this option can be tricky. Netcat supports loose source routing (explained later in the section "Frame a Friend: IP Spoofing"). You can specify up to eight –g options on the command line to force your Netcat traffic to pass through certain IP addresses, which is useful if you're spoofing the source IP address of your traffic (in an attempt to bypass firewall filters or host allow lists) and you want to receive a response from the host. By source routing through a machine over which you have control, you can force the packets to return to your host address instead of heading for the real destination. Note that this usually won't work, as most routers ignore source routing options and most port filters and firewalls log your attempts.

  • -G <hop pointer> This option lets you alter which IP address in your –g route list is currently the next hop. Because IP addresses are 4 bytes in size, this argument will always appear in multiples of four, where 4 refers to the first IP address in the route list, 8 refers to the second address, and so on. This is useful if you are looking to forge portions of the source routing list to make it look as if it were coming from elsewhere. By putting dummy IP addresses in your first two –g list slots and indicating a hop pointer of 12, the packet will be routed straight to the third IP address in your route list. The actual packet contents, however, will still contain the dummy IP addresses, making it appear as though the packet came from one location when in fact it's from somewhere else. This can help to mask where you're coming from when spoofing and source routing, but you won't necessarily be able to receive the response because it will attempt to reverse route through your forged IP addresses.
  • -i <seconds> The delay interval, which is the amount of time Netcat waits between data sends. For example, when piping a file to Netcat, Netcat will wait seconds seconds before transmitting the next line of the input. When you're using Netcat to operate on multiple ports on a host, Netcat waits seconds seconds before contacting the next port in line. This can allow users to make a data transmission or an attack on a service look less scripted, and it can keep your port scans under the radar of some intrusion-detection systems and system administrators.

  • -l This option toggles Netcat's "listen" mode. This option must be used in conjunction with the –p option to tell Netcat to bind to whatever TCP port you specify and wait for incoming connections. Add the –u option to use UDP ports instead.
  • -L This option, available only on the Windows version, is a stronger "listen" option than -l. It tells Netcat to restart its listen mode with the same command-line options after a connection is closed. This allows Netcat to accept future connections without user intervention, even after your initial connection is complete. Like –l, it requires the –p option.

  • -n Tells Netcat not to do any hostname lookups at all. If you use this option on the command line, be sure not to specify any hostnames as arguments.

  • -o <hexfile> Performs a hex dump on the data and stores it in hexfile. The command nc –o hexfile records data going in both directions and begins each line with < or > to indicate incoming and outgoing data respectively. To obtain a hex dump of only incoming data, you would use nc –o <hexfile. To obtain a hex dump of only outgoing data, you would use nc –o >hexfile.

  • -p <port> Lets you specify the local port number Netcat should use. This argument is required when using the –l or –L option to use listen mode. If it's not specified for outgoing connections, Netcat will use whatever port is given to it by the system, just as most other TCP or UDP clients do. Keep in mind that on a Unix box, only root users can specify a port number less than 1024.

  • -r Choose random local and remote port numbers. This is useful if you're using Netcat to obtain information on a large range of ports on the system and you want to mix up the order of both the source and destination ports to make it look less like a port scan. When this option is used in conjunction with the –i option and a large enough interval, a port scan has a slightly better chance of going unnoticed. In practice, Netcat serves as a poor port scanner compared to dedicated scanners, so you're unlikely to use or need this option.

  • -s Specifies the source IP address Netcat should use when making its connections. This option allows hackers to do some pretty sneaky tricks. First, it allows them to hide their IP addresses or forge someone else's, but to get any information routed to their spoofed address, they'd need to use the –g source routing option. Second, when in listen mode, many times you can "pre-bind" in front of an already listening service. All TCP and UDP services bind to a port, but not all of them will bind to a specific IP address. Many services listen on all available interfaces by default. Syslog, for example, listens on UDP port 514 for syslog traffic. However, if you run Netcat to listen on port 514 and use –s to specify a source IP address as well, any traffic going to that specified IP will go to the listening Netcat first! Why? If the socket specifies both a port and an IP address, it gets precedence over sockets that haven't bound to a specific IP address. We'll get into more detail on this later (see the "Hijacking a Service" section) and show you how to tell which services on a system can be prebound.
  • -t If compiled with the TELNET option, Netcat will be able to handle telnet option negotiation with a telnet server, responding with meaningless information, but allowing you to get to that login prompt you were probably looking for when using Netcat to connect to TCP port 23. This is another option that is rarely necessary and, unless you know of a situation where this is necessary, you needn't bother with it during compile time.

  • -u Tells Netcat to use UDP instead of TCP. Works for both client mode and listen mode. UDP mode isn't reliable for port scanning, but it works well enough for simple packet communication when TCP won't work. Some tricks for making UDP scans more reliable are found later in this chapter.

  • -v Controls how much Netcat tells you about what it's doing. Without –v, Netcat only reports the data it receives. A single –v will let you know what address it's connecting or binding to and if any problems occur. A second –v will let you know how much data was sent and received at the end of the connection.

  • -w <seconds> Controls how long Netcat waits before giving up on a connection. It also tells Netcat how long to wait after an EOF (end-of-file) is received on standard input before closing the connection and exiting. This is important if you're sending a command through Netcat to a remote server and are expecting a large amount of data in return (for example, sending an HTTP command to a web server to download a large file).

  • -z If you care only about finding out which ports are open, you should probably be using nmap (see Chapter 4). This option tells Netcat to send only enough data to discover which ports in your specified range actually have something listening on them. In other words, it just tries to connect, then immediately disconnects if successful. It won't keep the connection open.



Now you have an idea of the things Netcat can do. Before we dive into some practical examples of using Netcat, we'll cover one of Netcat's descendants.

Ref : E-book Anti-Hacker Tool Kit, Third Edition

0 komentar:

Posting Komentar