NETCAT
The Swiss Army Knife of TCP/IP
Many uses including backdoors, port scanning, port listening, simple file sharing, and simple chat
Integrates well with Covert Tunneling
Embeds easily into programs and scripts
NETCAT ON TARGET
****Netcat****
root@bt:~# nc -lp 8000
hello
hi
this is a basic netcat conversation
ok
goodbye
see you later
NETCAT ON ATTACKER
****Netcat Chat****
rich@netbookremix:~$ nc 192.168.1.121 8000
hello
hi
this is a basic netcat conversation
ok
goodbye
see you later
^C
****Netcat Shell****
whoami
root
ifconfig
eth0
collisions:0 txqueuelen:1000
lo
collisions:0 txqueuelen:0
HTTPTUNNEL
****Netcat over Httptunnel (Target)****
root@bt:~# hts -F localhost:8000 80
root@bt:~# nc -lp 8000
SSH
****Normal SSH****
rich@netbookremix:~$ ssh root@192.168.1.121
root@192.168.1.121's password:
CRYPTCAT
****Cryptcat****
root@bt:~# cryptcat -lp 9000
hello
hi
this conversation is a basic cryptcat conversation
that means its encrypted right?
yes sir
goodbye
see you later
FIREWALL RULES
Prevent unwanted traffic
Close and stop unnecessary ports and services
Prevent ACK tunneling by examining the way a connection is initialized
Set connection timeouts
Enable content filtering
Use Intrusion Detection Systems
Use Proxies with Authentication
Don't allow HTTP-CONNECT queries
Use Anti-virus and anti-malware programs
Inspect log files regularly, monitor traffic, and build statistics of both [10]
WIRESHARK
PCAPDUMP.RB
Programmed in Ruby
Uses Ruby pcap, and pcaplet libraries
Command line tool to ease in viewing pcap files
To be used on already captured pcap files
User can see plain text information being sent over the network faster
Tool I created to learn more about pcap files and to help understand network protocols
rich@netbookremix:~/presentation$ ruby pcapdump.rb -r alltestshub.pcap
PCAPDUMP.RB
DATA--->
---------------------------------------------------------------
hello
DATA--->
---------------------------------------------------------------
hi
DATA--->
---------------------------------------------------------------
DATA--->
ok
---------------------------------------------------------------
DATA--->
---------------------------------------------------------------
goodbye
DATA--->
PCAPDUMP.RB
DATA---> ifconfig
--------------------------------------------------------------23:02:49.117790 192.168.1.121:8000 > 192.168.1.115:34829 .AP...
DATA---> eth0
Link encap:Ethernet HWaddr 00:0c:76:32:56:61
inet addr:192.168.1.121 Bcast:192.168.1.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500
Metric:1
RX packets:27 errors:0 dropped:0 overruns:0 frame:0
TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2452 (2.4 KB) TX bytes:1855 (1.8 KB)
Interrupt:23 Base address:0xcc00
DATA---> hello
--------------------------------------------------------------23:04:38.660736 192.168.1.121:80 > 192.168.1.115:56256
.AP...
CATCHING SSH
DATA---> ^wx?0JJf{~diffie-hellman-group-exchange-sha256,diffiehellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1sshrsa,ssh-dssaes128-cbc,3des-cbc,blowfish-cbc,cast128cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128ctr,aes192-ctr,aes256-ctraes128-cbc,3des-cbc,blowfish-cbc,cast128cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128ctr,aes192-ctr,aes256-ctrihmac-md5,hmac-sha1,umac-64@openssh.com,hmacripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96ihmac-md5,hmacsha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha196,hmac-md5-96none,zlib@openssh.com,zlibnone,zlib@openssh.com,zlib--------------------------------------------------------------
DATA--->
IiL7+ec~x^+
'+"d{
w3SX]vj6&Fb?J`[
G&Q
sUceL
Be rA('\ --------------------------------------------------------------
DATA--->
DATA--->
3f_8=M--------------------------------------------------------------
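As an added example (this is not the pcapdump.rb tool from the slides and does not use the Ruby pcap or pcaplet libraries), the following pure-Ruby script shows what a viewer of this kind does under the hood: it walks a libpcap file with String#unpack, dissects Ethernet/IPv4/TCP, prints each payload in a DATA---> style, and, to make the SSH case above visible, marks payloads whose bytes are mostly non-printable as likely encrypted. The capture it reads is constructed inline (addresses borrowed from the slides, packets otherwise made up) so it runs offline; the 0.9 printable-ratio threshold is an assumed heuristic, not something the slides state.

```ruby
# Minimal pcap reader in pure Ruby. Added example, not the pcapdump.rb code
# from the presentation; it parses Ethernet/IPv4/TCP only.
PCAP_MAGIC_LE  = 0xa1b2c3d4   # libpcap magic, little-endian, microsecond timestamps
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP      = 6
TCP_FLAG_NAMES = { 0x20 => 'U', 0x10 => 'A', 0x08 => 'P', 0x04 => 'R', 0x02 => 'S', 0x01 => 'F' }.freeze

# One TCP segment that carried data.
Segment = Struct.new(:ts, :src, :sport, :dst, :dport, :flags, :payload)

# Walk the pcap: 24-byte global header, then 16-byte record headers + frames.
def parse_pcap(bytes)
  magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = bytes[0, 24].unpack('VvvVVVV')
  raise 'not a little-endian pcap file' unless magic == PCAP_MAGIC_LE
  raise 'only Ethernet (linktype 1) supported' unless linktype == 1
  segments = []
  off = 24
  while off + 16 <= bytes.bytesize
    ts_sec, ts_usec, incl_len, _orig_len = bytes[off, 16].unpack('VVVV')
    off += 16
    seg = parse_frame(bytes[off, incl_len])
    off += incl_len
    next unless seg
    seg.ts = Time.at(ts_sec, ts_usec).utc.strftime('%H:%M:%S.%6N')
    segments << seg
  end
  segments
end

# Ethernet -> IPv4 -> TCP; returns nil for non-TCP frames or empty payloads.
def parse_frame(frame)
  return nil if frame.bytesize < 14 || frame[12, 2].unpack1('n') != ETHERTYPE_IPV4
  ip = frame[14..-1]
  ihl = (ip.getbyte(0) & 0x0f) * 4
  total_len = ip[2, 2].unpack1('n')
  return nil unless ip.getbyte(9) == PROTO_TCP
  src = ip[12, 4].unpack('C4').join('.')
  dst = ip[16, 4].unpack('C4').join('.')
  tcp = ip[ihl, total_len - ihl]
  sport, dport = tcp[0, 4].unpack('nn')
  data_off = (tcp.getbyte(12) >> 4) * 4
  flags = tcp.getbyte(13)
  payload = tcp[data_off..-1] || ''
  return nil if payload.empty?
  Segment.new(nil, src, sport, dst, dport, flags, payload)
end

# Dotted flag string in UAPRSF order; PSH|ACK renders as ".AP..." as on the slides.
def flag_string(flags)
  [0x20, 0x10, 0x08, 0x04, 0x02, 0x01].map { |b| (flags & b).zero? ? '.' : TCP_FLAG_NAMES[b] }.join
end

# Heuristic: a netcat chat is nearly all printable ASCII, an SSH session after
# key exchange is not. Threshold of 90% printable is an assumption.
def classify(payload)
  printable = payload.each_byte.count { |b| (b >= 0x20 && b < 0x7f) || [9, 10, 13].include?(b) }
  printable.to_f / payload.bytesize >= 0.9 ? :text : :binary
end

def dump(segments, io = $stdout)
  segments.each do |s|
    io.puts "#{s.ts} #{s.src}:#{s.sport} > #{s.dst}:#{s.dport} #{flag_string(s.flags)}"
    if classify(s.payload) == :text
      io.puts "DATA---> #{s.payload.chomp}"
    else
      io.puts "DATA---> [#{s.payload.bytesize} bytes, mostly non-printable: likely encrypted]"
    end
    io.puts '-' * 62
  end
end

# --- constructed sample capture (checksums left at zero; the parser ignores them) ---
def build_tcp_frame(src, sport, dst, dport, flags, payload)
  tcp = [sport, dport, 1, 1, 0x50, flags, 65_535, 0, 0].pack('nnNNCCnnn') + payload.b
  ip  = [0x45, 0, 20 + tcp.bytesize, 0, 0, 64, PROTO_TCP, 0].pack('CCnnnCCn') +
        src.split('.').map(&:to_i).pack('C4') + dst.split('.').map(&:to_i).pack('C4')
  Array.new(12, 0).pack('C*') + [ETHERTYPE_IPV4].pack('n') + ip + tcp
end

def build_pcap(frames)
  header = [PCAP_MAGIC_LE, 2, 4, 0, 0, 65_535, 1].pack('VvvVVVV')
  header + frames.each_with_index.map { |f, i|
    [1_600_000_000 + i, 117_790, f.bytesize, f.bytesize].pack('VVVV') + f
  }.join
end

FAKE_CIPHERTEXT = (1..64).map { |i| (i * 37) % 256 }.pack('C*')  # stands in for SSH data
SAMPLE_PCAP = build_pcap([
  build_tcp_frame('192.168.1.115', 34_829, '192.168.1.121', 8000, 0x18, "hello\n"),
  build_tcp_frame('192.168.1.121', 8000, '192.168.1.115', 34_829, 0x18, "hi\n"),
  build_tcp_frame('192.168.1.121', 8000, '192.168.1.115', 34_829, 0x10, ''),  # bare ACK, skipped
  build_tcp_frame('192.168.1.115', 56_256, '192.168.1.121', 22, 0x18, FAKE_CIPHERTEXT)
])

dump(parse_pcap(SAMPLE_PCAP)) if __FILE__ == $PROGRAM_NAME
```

Run it as a script to see the three data-carrying segments: the two netcat chat lines print in the clear, the fake SSH payload is reported as non-printable. Swapping `SAMPLE_PCAP` for `File.binread('capture.pcap')` works on a real Wireshark/tcpdump capture, and the same printable-ratio check is a cheap way to spot where a tunnel switches from plaintext to encrypted traffic.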
CONCLUSION
Some things to think about
These tests were performed on a local network
They can be expanded to simulate an attack on a large network
Pcap files can get very large, very quickly
Don't run Wireshark for extended periods of time
All of the tests were captured in about 15 minutes using one pcap file
Using pcapdump to save the output to a text file (in this case) creates a fairly large file