Netcat

We have referred to and used Netcat throughout this book. One of Netcat's greatest strengths is not its omnipotent feature set, but rather its ability to be scripted both on Windows and UNIX platforms. For this reason alone, Netcat deserves further discussion.

As mentioned in earlier chapters, Netcat acts as a raw HTTP negotiator, requesting information from a Web server without the overhead of a traditional browser. In fact, in many cases Netcat can completely replace a browser for Web hacking. In other words, Netcat can do just about anything a browser can (e.g., pull back information from a Web server, attempt source disclosure techniques, and inject characters into SQL statements, using both GET and POST requests). And because it is a command-line tool, it can be easily automated.

To start, let's use Netcat to pull back the default Web page on a server:

C:\> nc 192.168.0.5 81
GET / HTTP/1.0<cr><lf>
<cr><lf>
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://192.168.0.5/Default.htm
Date: Sat, 27 Apr 2002 18:00:28 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Sat, 06 Apr 2002 06:48:32 GMT
ETag: "a0f7751137ddc11:8fa"
Content-Length: 5
 
Hello

In the session shown, the GET line and the empty line after it are the text typed at the keyboard once the initial Netcat command has connected (the book set it in boldface). Note that the <cr><lf> entry isn't actually those characters. Rather, it represents the act of hitting the Enter key at the end of the line, which must be done twice (once to end the request line and once to send the empty line that terminates the headers) before the request is sent to the Web server. In addition, for brevity's sake, the only line in the default.asp page on the target server is the word "Hello." Hence we see what the Web server returned: the HTTP/1.1 header detail and then the word "Hello."

To automate Netcat in this scenario you need to know some scripting, either batch (Windows), Perl (Windows or UNIX), or shell (UNIX). But not to worry, we will show you how. Let's take the preceding example, retrieving the default Web page through Netcat, and create a separate text file listing a series of Web servers to hit. We call the file targets.txt and put in the following Web servers:

www.example.com
www.example2.com
www.example3.com
www.example4.com
www.example5.com

Next we create an http.txt file with our GET nudge string:

GET / HTTP/1.0<cr><lf>
<cr><lf>

Now we can redirect http.txt to a Netcat command and perform a GET request on all the example Web servers in rapid succession with a simple Windows "for" loop:

for /f %I in (targets.txt) do (type http.txt | nc %I 80)

We use the /f parameter to read targets.txt line by line, and the do clause specifies the action to take for each line: send the contents of our GET nudge string (http.txt) to our Netcat command. The "for" loop repeats until all the entries in targets.txt have been processed. With that command line, we will receive every default Web page on port 80 of the target servers. We could include that line in a Windows batch file (.bat) and accomplish much more, such as processing the output and searching for keywords such as "scripts," "action," or "applet." (Inside a batch file the loop variable is written %%I rather than %I.)
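The same loop written for a UNIX shell, as an added example that is not from the book: it creates the two input files the chapter describes, runs the GET nudge string against every listed host with Netcat, and then does the keyword post-processing the text suggests. The function names and the NC_CMD variable (which lets a test substitute a stub for the real Netcat) are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not from the book): a UNIX shell version of the chapter's
# Windows "for" loop, plus the keyword post-processing the text suggests.
# Assumptions: file names targets.txt/http.txt as in the chapter; NC_CMD
# (default "nc") lets a test substitute a stub for the real Netcat.

# Write the two input files with real CR/LF endings (the <cr><lf> in the
# chapter's listing stands for the Enter key, not literal text).
make_inputs() {
    printf 'www.example.com\nwww.example2.com\n' > targets.txt
    printf 'GET / HTTP/1.0\r\n\r\n' > http.txt
}

# Open one Netcat connection per host listed in $1, feed it the request
# in $2, and prefix every response line with the host it came from.
fetch_all() {
    targets=$1; request=$2; port=${3:-80}
    while IFS= read -r host || [ -n "$host" ]; do
        [ -z "$host" ] && continue
        ${NC_CMD:-nc} "$host" "$port" < "$request" | sed "s|^|$host: |"
    done < "$targets"
}

# Read the prefixed output and list the hosts whose pages mention any of
# the keywords the chapter names (scripts, action, applet), once each.
flag_keywords() {
    grep -i -E 'scripts|action|applet' | cut -d: -f1 | sort -u
}

# Real run (needs network access):
#   make_inputs; fetch_all targets.txt http.txt | flag_keywords
```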

This simple example is but a taste of the world of scripting and Netcat. Remember that nearly everything we have shown you in this book can be scripted in some way with Netcat and a scripting language.

Web Hacking: Attacks and Defense
ISBN: 0201761769
Year: 2005
Pages: 156