This course covers the basics of using Netcat, the network utility tool. It is often regarded as the "Swiss army knife" of penetration testing. Netcat can be used to interact with a device that has a TCP or UDP port open, and can also be used for port scanning as well as banner grabbing. It can be used to monitor and debug, as well as a backdoor into other networks.
In this video guide, we’ll be covering the basics of using Netcat, the network utility tool. Netcat is used by penetration testers to interact with a device or service that has a TCP or UDP port open. It can be used for port scanning, and in place of telnet clients. It can also be used for banner grabbing, which is where we try to find out what information the service gives away about itself. Banner grabbing lets us know what it is we’re attempting to interact with, such as a web server, an FTP client or a Simple Mail Transfer Protocol (SMTP) client.
In this demonstration, we’ll go through the basics of Netcat in 3 steps:
Step 1: Prodding and sanity checking with Netcat
The first thing we want to do with Netcat is to start prodding a website. We’re going to use a test IP address that we’ve already scanned with Nmap: 10.1.1.102. We also want to make sure that everything Nmap reported is correct, so we’re going to use Netcat to run a sanity check on what we’ve already discovered (to double check our results and make sure they’re correct). The first thing we’re going to do is look at port 25, the SMTP port. We already know it’s open from our Nmap scan. To launch Netcat, open the terminal and type netcat. We’re also going to turn on verbosity by adding -vvv; this will let us see everything the connection reports in the terminal. We need to point Netcat at the IP address and then specify the port we want it to use, so we also type 25, the SMTP port. After a brief period, Netcat will produce its findings. It responds that the service is on bee-box, an Ubuntu server, and that it is SMTP. As SMTP is a protocol, it has its own set of commands. The first thing we’re going to do is introduce ourselves to the mail service as bee-box, with the HELO command.
Step 2: Enumeration with SMTP
We’re now going to attempt to enumerate, which is when we try to find information such as usernames and passwords. As we know it’s an Ubuntu server, we can check for root as a default user. We’ll try using the VRFY (verify) command. From this, we can see that root exists on the SMTP service on bee-box. We’ll also try a user which might not exist, in this case VRFY lol. It shows that this user doesn’t exist. We now know that we can establish a connection to the web app’s mail service via SMTP.
Step 3: Banner grabbing
We’ll now exit the SMTP server and use Netcat to banner grab. We’ll try this on the HTTP port, port 80. We’ll type netcat, turn on verbosity, and point it at port 80. It shows that port 80 is open and, like SMTP, HTTP is a protocol that has its own language. In this case, we’re going to use the GET request, an HTTP verb. A GET request happens every time you open a web page, even in a normal browser: your browser uses GET to retrieve the page from the server. We’ll run this command to try to get the top-level page of this site, using HTTP version 1.0. Once we press Enter twice, Netcat sends the request, receives the response, and then disconnects. In this case, it shows that the page does exist at the top level. We’ve got a 200 OK in the response, we can see that it is using Apache 2.2.28 (a type of web server), and one of the Apache modules has FastCGI enabled. We can also see that it has PHP enabled, showing that there’s an extremely buggy web app sitting on it! We’ve managed to find out a lot of information using Netcat. Not only have we double checked that all of the ports Nmap said were open are open, we’ve also found out the types of server the website is sitting on and their versions, and managed to enumerate the web application.
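The two exchanges above (the SMTP VRFY replies in Step 2 and the HTTP/1.0 GET banner grab in Step 3) are what Netcat shows on the terminal; as an added example, not part of the original guide, the script below automates the same GET request with raw sockets, parses the status line and Server header out of the response, and interprets an SMTP VRFY reply code. The HTTP response it talks to is a constructed stand-in served by a local stub listener, modelled on what the walkthrough describes rather than captured from bee-box.

```python
import socket
import threading

# Constructed sample response, modelled on the bee-box banner described in the guide.
SAMPLE_HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.28 (Ubuntu) mod_fastcgi/2.4.6 PHP/5.2.4\r\n"
    b"X-Powered-By: PHP/5.2.4\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html>hello</html>\r\n"
)

def parse_http_banner(raw):
    """Pull the status code, Server and X-Powered-By headers out of a raw HTTP response."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)          # e.g. ["HTTP/1.1", "200", "OK"]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": int(parts[1]),
            "server": headers.get("server", ""),
            "powered_by": headers.get("x-powered-by", "")}

def classify_vrfy(reply):
    """Map an SMTP VRFY reply line to what it tells us about the mailbox."""
    code = reply[:3]
    return {"250": "exists", "550": "unknown", "252": "cannot verify"}.get(code, "other")

def serve_once(response):
    """Stub listener (hypothetical, constructed): answers one connection on a localhost port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def handler():
        conn, _ = srv.accept()
        conn.recv(4096)                       # read the client's request, then answer it
        conn.sendall(response)
        conn.close()
        srv.close()
    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]

def grab_http_banner(host, port, timeout=3.0):
    """Same request Netcat sends in Step 3: GET / HTTP/1.0 followed by a blank line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_http_banner(b"".join(chunks))

def demo():
    return grab_http_banner("127.0.0.1", serve_once(SAMPLE_HTTP_RESPONSE))
```

Running `demo()` returns the parsed banner from the stub; point `grab_http_banner` at a host and port you are authorised to test to reproduce the Step 3 result.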
In this video, we’ve covered what Netcat is, how to launch it, how to prod and sanity check with it, how to enumerate with it and how to banner grab.