Introduction to Netcat
Netcat: Reading from and writing to a network connection through protocols like Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) are always considered a great step for both a security administrator or an attacker. Both of these categories of individuals utilize whatever data they get for a completely different purpose than the other.
Netcat provides an efficient means of investigating a network from the back-end side –servers– and further establish any new connection inside networks using the aforementioned protocols. It has the capability to be run on its own or through scripts or other programs.
Netcat versions releases and supported operating systems
Year 1996 witnessed the release of the final version of Netcat. It was stably released in 2007 by Hobbit. This version is 1.10 and all of the versions run on Unix operating systems. Not to forget that Netcat operates under the umbrella of two licenses. While the GNU version follows the GNU General Public License (GPL), the OpenBSD version adheres to BSD license.
In fact, the Portable Operating System Interface (POSIX) can hold both the GNU and OpenBSD versions. Especially IPv6 and Transfer Layer Security (TLS) are supported by the one of OpenBSD.
Moreover, Windows/Cygwin and FreeBSD are capable to hold a reimplementation of Netcat specified for such platforms. If you have a MacBook or another apple device having a MAC OS X operating system, then MacPorts is the solution. A Netcat variant can be installed through such package management system. Even a particular version targets users of Microsoft Windows.
Sun Solaris 11 is another operating system implemented by Netcat developers. In the meanwhile, OpenBSD Netcat is the bersion on which such version is based.
Embedded system devices are not overlooked by Netcat on the other hand. Not only does there exist a version for iPhone users, but also a version named Netcat 4 wince is aimed at the operating system of Windows Embedded Compact (Windows CE).
What is Socart? Basically, Netcat has another variant which is entirely complex; it is called Socart. A lot more options are offered by Socat for any desired task than of other Netcat versions. Socat was implemented on OpenSSL, which thereafter adopted a composite Diffie-Heliman parameter after hardcoding it. Originally, back in 2016 its security advisory was proposed by Santiago Zanella-Beguelin and Microsoft Vulnerability Research.
A vulnerability of backdoor software was introduced as a result of a great doubt of sabotage happening. Where does this coming from? Fundamentally, maybe a prime number was switched with or replaced by a composite.
Another version released for Netcat is called Cryptcat. It is specialized mainly for encryption since several transported encryption features are included in this Cryptcat version.
Network Mapper (Nmap) security scanner contained within itself another implementation Netcat and granted it Ncat as a new name, where it represented another cross-platform the same as Nmap. This was back in 2005, and several features were added to it such as
- It is allowed to redirect connections of TCP/UDP
- Connection Brokering is also supported
- Both from the server and the client sides is supported SOCKS4
- Processes of Ncat has the ability to be chained
- Proxy chaining is also aided by Ncat; this feature is often reoffered to as HTTP CONNECT proxying.
- Even Secure Socket Layers (SSL) has the privilege to get listened to or connected to by Ncat
- Filtration of Internet Protocol (IP) address/connection is also supported.
What does Netcat offer?
What makes Netcat a good security tool? In fact, there are a plenty of features offered and provided by Netcat to its users
- Establish or read any connection going through any ports as long as they are TCP or UDP.
- Connections can be established through other programs.
- Any port could be scanned in a randomized manner for being open to be exploited.
- All local source ports are up to be exploited or utilized for any purposes.
- A user has the ability to define a network tunneling mode and specify all the used/listening ports, source, and the remote host.
- Check Domain Name System (DNS) forward lookup and reverse as well. Warnings are shown thereafter.
- Even the source address which is configured inside a local network can be utilized
- Tel-net options responder could be chosen as an option
- There is another built-in feature which allows for loose-source routing
- Standard inputs are recognized through command line arguments.
- There is another feature which specifies the frequency of lines sent per seconds. It is called Slow-send mode
- Transmitted and received data are displayed in a hexadecimal format via a feature called Hex dump
- TSL is reinforced by BBD’s Netcat.
Code Snippets of Debian 8.6 (2017)
- If we need to get connected into example.org for instance, here is a screenshot of the command used. And we need to use TCP port 8080 for this sake.
- Listening is also allowed to TCP port 8080. It is illustrated by the following image.
- TCP port 8080 can also be redirected into another host port. The following command line screenshot displays direction from a local machine into port 80 on a host machine.
- If /bin/bash is intended to get accessed freely through TCP port 8081, we can type a command similar to the following one.
- It is usually desired to restrict the access on a local network and further restrict the number of connected users at the same time. The following code snippet shows how a shell can be bound to TCP port 8081. Also, local network hosts are limited to get access to them, while the maximum number of those who can connect is three at a time.
- The following code snippet shows another aforementioned feature of SOCKS4 server. It shows how to get connected to smtphost:25 through such server. This is performed on port 1080 as shown below.
- A local host port 8888 could also contain a proxy. Following command establishes a proxy server of HTTP on this port.
- A file could be sent from a client, which is referred to as host2 to a server, which is recognized as host1. Following command presents a guide to get a file transmitted from host2 to host1 through port 9899 using TCP.
- Ncat could play a role as a one file transfer which is able to transmit a file from host1 to host2, the opposite direction to the last point’s direction.
How to transfer encrypted files?
A file which is aimed to get transferred to a remote machine through a tunnel of secure channel (ssh) could be simply secured, contained, and then protected (scp), requiring a new other connection to get established. Or there is actually another method, a smart one to be honest. A current connection is reused in this manner.
- For a SSH to get in, we can add the following
- The following command could be used the remote device
- The following command is on the other hand for utilization on the local one.
How to grab banner via Netcat?
- The following screenshot shows how to display the processes performed behind port 80 and 21.
- We may need to get a malicious URL for the sake of exploiting the vulnerability of File Traversal in unpatched IIS servers.
- We use Netcat to scan for the vulnerabilities
- When the vulnerability is shown, we get Netcat uploaded onto the IIS server
- We use Netcat as a backdoor for this purpose, which is out of the scope of this article. It will be explained in another article on infsecaddicts.com
Try Certified Ethical Hacker for FREE!!!– https://infosecaddicts.com/course/certified-ethical-hacker-v10/