Front Cover ... 1
Netcat Power Tools ... 4
Technical Editor ... 6
Contributing Authors ... 7
Contents ... 10

Chapter 1: Introduction to Netcat ... 16
  Introduction ... 17
  Installation ... 18
  Windows Installation ... 18
  Linux Installation ... 20
  Installing Netcat as a Package ... 21
  Installing Netcat from Source ... 22
  Confirming Your Installation ... 25
  Netcat’s Command Options ... 26
  Modes of Operation ... 26
  Common Command Options ... 27
  Redirector Tools ... 33
  Basic Operations ... 34
  Simple Chat Interface ... 34
  Port Scanning ... 35
  Transferring Files ... 36
  Banner Grabbing ... 38
  Redirecting Ports and Traffic ... 39
  Other Uses ... 40
  Summary ... 41
  Solutions Fast Track ... 42
  Introduction ... 42
  Installation ... 42
  Options ... 42
  Basic Operations ... 42
  Frequently Asked Questions ... 43

Chapter 2: Netcat Penetration Testing Features ... 46
  Introduction ... 47
  Port Scanning and Service Identification ... 47
  Using Netcat as a Port Scanner ... 47
  Banner Grabbing ... 49
  Scripting Netcat to Identify Multiple Web Server Banners ... 50
  Service Identification ... 51
  Egress Firewall Testing ... 51
  System B - The System on the Outside of the Firewall ... 52
  System A - The System on the Inside of the Firewall ... 54
  Avoiding Detection on a Windows System ... 55
  Evading the Windows XP/Windows 2003 Server Firewall ... 55
  Example ... 56
  Making Firewall Exceptions using Netsh Commands ... 56
  Determining the State of the Firewall ... 57
  Evading Antivirus Detection ... 59
  Recompiling Netcat ... 59
  Creating a Netcat Backdoor on a Windows XP or Windows 2003 Server ... 61
  Backdoor Connection Methods ... 62
  Initiating a Direct Connection to the Backdoor ... 62
  Benefit of this Method ... 63
  Drawbacks to this Method ... 63
  Initiating a Connection from the Backdoor ... 64
  Benefits of this Connection Method ... 65
  Drawback to this Method ... 65
  Backdoor Execution Methods ... 65
  Executing the Backdoor using a Registry Entry ... 65
  Benefits of this Method ... 67
  Drawback to this Method ... 67
  Executing the Backdoor using a Windows Service ... 67
  Benefits of this Method ... 69
  Drawback to this Method ... 69
  Executing the Backdoor using Windows Task Scheduler ... 69
  Benefit to this Method ... 71
  Backdoor Execution Summary ... 71
  Summary ... 72
  Solutions Fast Track ... 72
  Port Scanning and Service Identification ... 72
  Egress Firewall Testing ... 72
  Avoid Detection on a Windows System ... 72
  Creating a Netcat Backdoor on a Windows XP or Windows 2003 Server ... 73
  Frequently Asked Questions ... 74

Chapter 3: Enumeration and Scanning with Netcat and Nmap ... 76
  Introduction ... 77
  Objectives ... 77
  Before You Start ... 77
  Why Do This? ... 78
  Approach ... 79
  Scanning ... 79
  Enumeration ... 80
  Notes and Documentation ... 81
  Active versus Passive ... 82
  Moving On ... 82
  Core Technology ... 82
  How Scanning Works ... 82
  Port Scanning ... 83
  Going behind the Scenes with Enumeration ... 86
  Service Identification ... 86
  RPC Enumeration ... 87
  Fingerprinting ... 87
  Being Loud, Quiet, and All That Lies Between ... 88
  Timing ... 88
  Bandwidth Issues ... 89
  Unusual Packet Formation ... 89
  Open Source Tools ... 89
  Scanning ... 90
  Nmap ... 90
  Nmap: Ping Sweep ... 90
  Nmap: ICMP Options ... 91
  Nmap: Output Options ... 92
  Nmap: Stealth Scanning ... 92
  Nmap: OS Fingerprinting ... 93
  Nmap: Scripting ... 94
  Nmap: Speed Options ... 95
  Netenum: Ping Sweep ... 98
  Unicornscan: Port Scan and Fuzzing ... 98
  Scanrand: Port Scan ... 99
  Enumeration ... 100
  Nmap: Banner Grabbing ... 100
  Netcat ... 102
  P0f: Passive OS Fingerprinting ... 103
  Xprobe2: OS Fingerprinting ... 103
  Httprint ... 104
  Ike-scan: VPN Assessment ... 106
  Amap: Application Version Detection ... 107
  Windows Enumeration: Smbgetserverinfo/smbdumpusers/smbclient ... 107

Chapter 4: Banner Grabbing with Netcat ... 112
  Introduction ... 113
  Benefits of Banner Grabbing ... 113
  Benefits for the Server Owner ... 114
  Finding Unauthorized Servers ... 114
  Benefits for a Network Attacker ... 116
  Why Not Nmap? ... 118
  Basic Banner Grabbing ... 119
  Web Servers (HTTP) ... 119
  Acquiring Just the Header ... 121
  Dealing With Obfuscated Banners ... 122
  Apache ServerTokens ... 124
  Reading the Subtle Clues in an Obfuscated Header ... 125
  HTTP 1.0 vs. HTTP 1.1 ... 125
  Secure HTTP Servers (HTTPS) ... 127
  File Transfer Protocol (FTP) Servers ... 131
  Immense FTP Payloads ... 133
  E-mail Servers ... 135
  Post Office Protocol (POP) Servers ... 135
  Simple Mail Transport Protocol (SMTP) Servers ... 136
  So, Back to the Banner Grabbing ... 137
  Fingerprinting SMTP Server Responses ... 139
  How to Modify Your E-mail Banners ... 140
  Sendmail Banners ... 141
  Microsoft Exchange SMTP Banners ... 143
  Microsoft Exchange POP and IMAP Banners ... 144
  Secure Shell (SSH) Servers ... 145
  Hiding the SSH Banner ... 147
  Banner Grabbing with a Packet Sniffer ... 147
  Summary ... 152
  Solutions Fast Track ... 154
  Benefits of Banner Grabbing ... 154
  Basic Banner Grabbing ... 155
  Banner Grabbing with a Packet Sniffer ... 155
  Frequently Asked Questions ... 156

Chapter 5: The Dark Side of Netcat ... 158
  Introduction ... 159
  Sniffing Traffic within a System ... 160
  Sniffing Traffic by Relocating a Service ... 161
  Sniffing Traffic without Relocating a Service ... 166
  Rogue Tunnel Attacks ... 171
  Connecting Through a Pivot System ... 175
  Transferring Files ... 180
  Using Secure Shell ... 180
  Using Redirection ... 181
  Man-in-the-middle Attacks ... 182
  Backdoors and Shell Shoveling ... 183
  Backdoors ... 183
  Shell Shoveling ... 185
  Shoveling with No Direct Connection to Target ... 185
  Shoveling with Direct Connection to Target ... 188
  Netcat on Windows ... 189
  Summary ... 191

Chapter 6: Transferring Files Using Netcat ... 194
  Introduction ... 195
  When to Use Netcat to Transfer Files ... 195
  Sometimes Less Really is Less ... 196
  Security Concerns ... 196
  Software Installation on Windows Clients ... 197
  Where Netcat Shines ... 197
  Speed of Deployment ... 198
  Stealth ... 198
  Small Footprint ... 199
  Simple Operation ... 199
  Performing Basic File Transfers ... 200
  Transferring Files with the Original Netcat ... 200
  Closing Netcat When the Transfer is Completed ... 201
  Other Options and Considerations ... 202
  Timing Transfers, Throughput, etc… ... 203
  Tunneling a Transfer Through an Intermediary ... 204
  Using Netcat Variants ... 205
  Cryptcat ... 205
  GNU Netcat ... 207
  SBD ... 208
  Socat ... 209
  Socat Basics ... 209
  Transferring Files with Socat ... 210
  Encryption ... 211
  Mixing and Matching ... 212
  Ensuring File Confidentiality ... 213
  Using OpenSSH ... 213
  Installing and Configuring Secure Shell ... 214
  Configuring OpenSSH Port Forwarding ... 216
  Using SSL ... 217
  Configuring Stunnel ... 217
  Using IPsec ... 220
  Configuring IPsec on Windows ... 221
  Configuring IPsec on Linux ... 227
  Ensuring File Integrity ... 232
  Hashing Tools ... 232
  Using Netcat for Testing ... 234
  Testing Bandwidth ... 234
  Testing Connectivity ... 235
  Summary ... 236
  Solutions Fast Track ... 236
  When to Use Netcat to Transfer Files ... 236
  Performing Basic File Transfers ... 236
  Using Netcat Variants ... 236
  Ensuring File Confidentiality ... 237
  Ensuring File Integrity ... 237
  Using Netcat for Testing ... 237
  Frequently Asked Questions ... 238

Chapter 7: Troubleshooting with Netcat ... 240
  Introduction ... 241
  Scanning a System ... 242
  Testing Network Latency ... 245
  Using Netcat as a Listener on Our Target System ... 246
  Using a Pre-existing Service on Our Target System ... 249
  Using a UDP Service ... 249
  Using a TCP Service ... 250
  Application Connectivity ... 251
  Troubleshooting HTTP ... 252
  Troubleshooting FTP ... 258
  Troubleshooting Active FTP Transfers Using Netcat ... 260
  Troubleshooting Passive FTP Transfers Using Netcat ... 263
  Summary ... 266

Index ... 268