
Friday, September 30, 2016

NETCAT / 0 - Introduction


NETCAT INTRODUCTION

- Netcat is a networking utility for reading from and writing directly to TCP/UDP ports. Also known as the Swiss Army Knife for hackers, it runs on both Windows and Linux systems. Netcat can act either as a client (connecting to a remote port) or as a server (listening on a local port), which makes it a powerful and versatile tool that lets hackers and ethical penetration testers perform many different tasks.

https://en.wikipedia.org/wiki/Netcat

http://nc110.sourceforge.net/

https://sourceforge.net/projects/nc110/


- There are two versions of Netcat:

nc: described above.

ncat: an improved version of nc that adds two security features: encryption and authentication. In this way the penetration tester can avoid being detected by an IDS (Intrusion Detection System) and also avoid exposure to unwanted observers.
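As an added example that is not part of the original post, the following pure-Python sketch reproduces the two roles described above on 127.0.0.1: make_listener and nc_listen play the server side (what nc -l -p PORT does), and nc_connect plays the client side (nc HOST PORT). The function names and the exchanged lines are constructed for the demo; the point is that each end simply reads and writes raw lines on a TCP socket, which is all the chat exercise relies on.

```python
"""Added example: a minimal netcat-style listener and client in pure Python.

It models what 'nc' does on each side of the chat exercise: the listener
binds a TCP port and reads/writes raw lines, the client connects and does
the same.  Everything runs on 127.0.0.1 so it is safe to run offline.
"""
import socket
import threading


def make_listener(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Bind and listen like 'nc -l -p PORT'.  Port 0 lets the OS pick a free one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def nc_listen(srv: socket.socket, received: list) -> None:
    """Listener side: accept one peer, then answer every line it sends until EOF."""
    conn, _peer = srv.accept()
    with srv, conn, conn.makefile("rwb") as stream:
        for raw in stream:                      # one iteration per received line
            line = raw.rstrip(b"\r\n")
            received.append(line.decode())
            stream.write(b"listener got: " + line + b"\n")
            stream.flush()                      # push the reply out immediately


def nc_connect(host: str, port: int, lines) -> list:
    """Client side ('nc HOST PORT'): send each line, collect the reply to each."""
    replies = []
    with socket.create_connection((host, port)) as s, s.makefile("rwb") as stream:
        for line in lines:
            stream.write(line.encode() + b"\n")
            stream.flush()
            replies.append(stream.readline().rstrip(b"\n").decode())
    return replies   # closing the socket sends EOF, which ends the listener loop


def chat_demo(lines=("hello", "how are you")):
    """Run both ends on localhost; return (client replies, lines the listener saw)."""
    srv = make_listener()
    port = srv.getsockname()[1]
    received = []
    t = threading.Thread(target=nc_listen, args=(srv, received), daemon=True)
    t.start()
    replies = nc_connect("127.0.0.1", port, lines)
    t.join(timeout=5)
    return replies, received


if __name__ == "__main__":
    print(chat_demo())
```

Running chat_demo() exercises both directions over one loopback connection. A real nc session differs only in that stdin and stdout take the place of the Python lists, and in that the listener socket stays visible in netstat for as long as it is bound, which is the first thing a defender notices about an unexpected netcat listener.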

- Throughout this section we will see how to use Netcat by performing different exercises:

    1 - Chat between two hosts

    2 - Reverse shell

    3 - Bind shell

    4 - Connection to a TCP/UDP port and analysis with Wireshark

    5 - Transfer of files

    6 - Ncat: encryption and authentication



- On Linux, Netcat is usually preinstalled and configured by default, for instance in the Kali Linux distro. For installing Netcat on Windows systems, several websites on the Internet offer free downloads.


- Help and available options for both versions of Netcat in a Windows system:

- Help and available options for both versions of Netcat in a Linux system:


- Layout topology used for these exercises:


Tuesday, June 14, 2016

METASPLOIT - Port Forwarding


METASPLOIT - PORT FORWARDING 

- Layout for this exercise:





- In this attack Kali wants to access a web server on the Linux victim machine, using the XP system as a pivot.

- First of all, a meterpreter session is achieved by exploiting the XP machine:




- We learn that XP has got two interfaces. The second interface is connected to the inner network 10.0.0.0/24:






- The active meterpreter session is number 1:




- Using session 1 to add a route to 10.0.0.0/24:




- Printing the route:




- Scanning 10.0.0.0/24 from the active meterpreter session 1:




- Once 10.0.0.2 is discovered, a TCP port scan is performed from port 1 to 500:


- Now, port forwarding is enabled so that the victim (IP 10.0.0.2, port 80) can be reached from local port 9999. In this way the attacker receives on localhost:9999 the web service from 10.0.0.2:80:




- In effect, a local listening port has been created on 9999. The forwarding connection relays the web service from 10.0.0.2:80 to localhost:9999, even though attacker and victim are not directly connected because they are in different networks. The meterpreter session performs the connection in the background:




- The attack is successful when connecting the attacker's browser to localhost:9999:
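The relay that portfwd sets up (portfwd add -l 9999 -p 80 -r 10.0.0.2 in Metasploit's syntax) can be reproduced in user space. The following is an added example, not code from the original post or from Metasploit: a single-connection TCP forwarder on 127.0.0.1, with a constructed stand-in for the 10.0.0.2:80 web service. Beyond the mechanism itself, it records the address the target service sees as its peer. That address is the forwarder's own outbound socket, never the original client, which is exactly why the victim's netstat lists the pivot host, and why a defender hunting for the real origin must correlate connection logs on the pivot rather than on the final target. All function names are constructed.

```python
"""Added example: a userland TCP port forwarder, the mechanism behind
meterpreter's portfwd.  A local listener accepts a connection and relays it
to a target service.  The target only ever sees the forwarder's outbound
socket as its peer, which is why the victim's netstat shows the pivot.
All addresses are 127.0.0.1 and all names are constructed for the demo.
"""
import socket
import threading


def listen(host="127.0.0.1", port=0):
    """Bind a listening TCP socket; port 0 lets the OS choose a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv


def pipe(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def forward_once(srv, target, record):
    """Accept one client, connect onward to target, relay both directions."""
    client, _ = srv.accept()
    upstream = socket.create_connection(target)
    record.append(upstream.getsockname())      # the address the target will see
    t = threading.Thread(target=pipe, args=(client, upstream), daemon=True)
    t.start()
    pipe(upstream, client)
    t.join()
    for s in (client, upstream, srv):
        s.close()


def fake_web_server(srv, seen):
    """Stand-in for the 10.0.0.2:80 web service: log the peer, answer once."""
    conn, peer = srv.accept()
    with srv, conn:
        seen.append(peer)                       # what netstat on the victim shows
        conn.recv(4096)                         # consume the request line(s)
        body = b"hello from the inner web server"
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n%s"
                     % (len(body), body))


def demo():
    """Browse through the forwarder; return what each side observed."""
    target_srv = listen()
    fwd_srv = listen()
    target_addr = target_srv.getsockname()
    local_port = fwd_srv.getsockname()[1]       # plays the role of port 9999
    seen, outbound = [], []
    threading.Thread(target=fake_web_server, args=(target_srv, seen),
                     daemon=True).start()
    threading.Thread(target=forward_once, args=(fwd_srv, target_addr, outbound),
                     daemon=True).start()
    with socket.create_connection(("127.0.0.1", local_port)) as c:
        c.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
        chunks = []
        while True:                             # read until the relay half-closes
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    return {"response": b"".join(chunks),
            "target_saw": seen[0],
            "forwarder_outbound": outbound[0]}


if __name__ == "__main__":
    print(demo())
```

The returned dictionary makes the observation concrete: target_saw and forwarder_outbound are the same (address, port) pair, so the service never learns the browser's real source address. On the pivot, by contrast, both the inbound connection on the forwarded port and the outbound connection to the target are visible at once, which is the correlation point for incident responders.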







METASPLOIT - Double Pivoting


DOUBLE PIVOTING

- Layout for this exercise:




- First, the XP system must be exploited, because it is the closest to the attacker, being located in the same network 192.168.0.0/24. It will be used as the first pivot for further attacks against other inside networks.

- Scanning available ports and services at pivot 1 (XP):




- Let's try to attack XP on port 445, using the ms08_067_netapi exploit:




- Setting XP's IP as the RHOST:




- Launching the exploit, a successful meterpreter session is achieved:


- Now, post exploitation shows that XP is connected to an inner network 20.0.0.0/24:




- Scanning for machines inside 20.0.0.0/24, a new host 20.0.0.2 is discovered. This is pivot 2, to be used in the attack against the final victim:




- Backgrounding the session 1:




- So far, there is only one active meterpreter session 1:




- A route to the inner network 20.0.0.0/24 is added using session 1:




- Printing the route:




- Going back to the msfconsole prompt:




- The next step is to exploit the intermediate machine, whose IP is 20.0.0.2. For that purpose, let's discover its open and available ports:




- Let's try to attack port 80 using a vulnerability in the BadBlue application, a web server that usually runs on that port:




- Setting the remote host to the newly discovered system:




- In this case, the meterpreter payload is set to bind_tcp, because otherwise (with reverse_tcp) the final victim would not know how to route back to the attacker:




- Launching the exploit, a second meterpreter session is opened. We learn that pivot 2 is a Windows 7 system:




- Also, it is interesting to notice that W7 has two interfaces: one with IP 20.0.0.2 and the other connected to the innermost network 10.0.0.0/24, with IP 10.0.0.1:


- Let's discover other machines inside the network 10.0.0.0/24. As a result, we learn that the final victim has the IP 10.0.0.2:




- Backgrounding the meterpreter session 2:




- Going back to the original msfconsole prompt:




- Now, there are 2 active meterpreter sessions:



- A second route is needed to access the innermost network 10.0.0.0/24, using meterpreter session 2:


- Now, the last step is to attack the final victim, with IP 20.0.0.2. To achieve this goal we need to know which ports are open and available to be attacked, by running this auxiliary script:




- Let's try to attack port 21, usually devoted to FTP service, for instance using the exploit vsftpd_234_backdoor:




- Launching the exploit, the attack is successful: a third session, a shell, is opened on the innermost victim:




- So finally there are 3 open and active sessions for the whole process:




- It is interesting to see how netstat shows the connections from each computer's point of view. From the attacker's point of view:


- From the Linux innermost computer's point of view:




- From the XP's point of view:




- From W7's point of view: