Other Networking Tools (Netcat, Netstat, ARP)

Netcat

• A utility for reading and writing data to and from TCP or UDP connections
• Used for network debugging and investigation
• Two primary operation modes: server and client
• Features/uses:
  - port listening
  - port scanning
  - file transfer
  - as a backdoor (nefarious intentions)
• Syntax: nc [options]

CPSC 526 Tutorial: Winter 2015.

Common Netcat Command Line Options

-l : listening mode for inbound connections; e.g. nc -l puts Netcat into server (listening) mode
- : close on end of file (EOF) from standard input (stdin)
-d : detaches Netcat from the console and runs it in background mode
-e filename : specify a program to execute after a connection is made
-n : no name resolution (numeric addresses only)
-p port : local port number (port numbers can be individual or a range lo-hi, inclusive)
-s addr : local source address
-v : verbose output
-u : UDP mode

Operation Modes

• As server: "listens for inbound traffic"
• As client: "connects to somewhere (a server)"
• Server mode connection: nc -l -p portnumber, e.g. nc -l -p 10905
• Client mode connection: nc hostname portnumber, e.g. nc localhost 10905
• We set up a client-server connection as follows:
  - Open a terminal and set up the server with: nc -l -p 10905
  - Open another terminal and set up the client with: nc localhost 10905
  - Let the client and the server now exchange data (whatever is typed on one side appears on the other).

Port Scanning

• A port is analogous to a doorway through which information goes in and out of a computer (application-level communication)
• Port scanning can show us the port states (whether a port is open or closed)
• Port scanning is done in client mode
• Basic syntax: nc -v hostname port
• You can specify a range of port numbers. E.g., to check all ports that are open and can receive traffic: nc [options] [IP address] 1-65535
• Applicable options: -n, -v, -u, etc. (-u for UDP)
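The three port states a connect scan can report, worked through in Python rather than with the nc binary. This is an added example, not code from the tutorial: it does on loopback what "nc -v hostname port" does (complete a TCP handshake and report the result), plus a small helper for the lo-hi range syntax. The open port is a real listening socket on an ephemeral 127.0.0.1 port created by the demo itself; the closed port is one the demo bound to learn a free number and then released.

```python
import errno
import socket


def tcp_port_state(host, port, timeout=0.5):
    """Connect scan of a single TCP port, as `nc -v host port` does it.

    Returns "open" (handshake completed), "closed" (RST / connection refused)
    or "filtered" (no answer within the timeout, e.g. a firewall dropped it).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            err = s.connect_ex((host, port))
        except OSError:          # a timeout surfacing as an exception
            return "filtered"
    if err == 0:
        return "open"
    if err == errno.ECONNREFUSED:
        return "closed"
    return "filtered"


def parse_port_range(spec):
    """Expand 'lo-hi' (inclusive, like nc's range syntax) or a single port."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)


def scan_ports(host, ports, timeout=0.5):
    """Return {port: state} for every port in the iterable."""
    return {p: tcp_port_state(host, p, timeout) for p in ports}


def demo():
    """Constructed fixture: one real listener on an ephemeral loopback port
    and one port known to be closed (bound to learn a free number, then
    released). Returns (scan result, open port, closed port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    try:
        return scan_ports("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        listener.close()


if __name__ == "__main__":
    result, o, c = demo()
    print(f"port {o}: {result[o]}, port {c}: {result[c]}")
```

The "filtered" branch is the one the slide does not mention: a host behind a firewall that silently drops packets produces neither a handshake nor a refusal, so the scanner only learns that it waited. A connect scan like this also completes the handshake, which is why it is visible to the target (and to netstat on the target) as a real connection.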

File Transfer

• The client can pick up a resource (e.g. a file) from the server
• First, initiate the file transfer from the "server". Server setup: nc -l -p portnumber < filename
• Next, set up the client to pick up the file: nc [hostname/IP] 1234 > filename
• Close the connection
• Simple demo: To see how the file transfer process works, we use Netcat to transfer a file from a "server" to a "client":
  - Open two terminals, one as the server and the other as the client.
  - On the client terminal, create an empty folder called test and cd into it.
  - At the server end, enter the command nc -l -p 1234 < filename. Now in listening mode, the server is set for the file to be picked up by the client.
  - At the client side, enter the command nc localhost 1234 > filename.
  - Press CTRL-C to close the connection.
  - Run ls on the client to see that the file has now been transferred into the previously empty folder (test).
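What the two redirections do on the wire, as an added Python example (not the tutorial's code, which uses the nc binary). The server half stands in for "nc -l -p PORT < filename" and the client half for "nc host PORT > filename"; the typed-text exchange from the Operation Modes slide is the same stream with keyboard input instead of a file. It assumes loopback and an ephemeral port, and it adds one thing plain nc does not always do: the server shuts its sending side down after the last byte, which is the EOF the client needs to know the transfer is complete (the reason the demo above ends with CTRL-C). The payload is constructed inline.

```python
import hashlib
import socket
import threading


def serve_file(data, host="127.0.0.1", port=0):
    """Server half of `nc -l -p PORT < filename`: listen on an ephemeral port,
    accept one client, push the bytes, then shut down the sending side so the
    client sees EOF. Returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]

    def run():
        conn, _peer = srv.accept()         # first connection wins: no authentication at all
        with conn:
            conn.sendall(data)
            conn.shutdown(socket.SHUT_WR)  # explicit EOF toward the client
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return bound_port, t


def fetch(host, port, timeout=5.0):
    """Client half of `nc host PORT > filename`: connect, read until EOF."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as c:
        while True:
            chunk = c.recv(65536)
            if not chunk:                  # peer closed its sending side
                break
            chunks.append(chunk)
    return b"".join(chunks)


def transfer(data):
    """One server/client round trip on loopback; returns (intact?, received bytes)."""
    port, t = serve_file(data)
    received = fetch("127.0.0.1", port)
    t.join(5)
    intact = hashlib.sha256(received).digest() == hashlib.sha256(data).digest()
    return intact, received


# Constructed sample payload (not a file from the tutorial): 1 MiB of
# repeating bytes, large enough to need several recv() calls.
SAMPLE_FILE = bytes(range(256)) * 4096

if __name__ == "__main__":
    ok, got = transfer(SAMPLE_FILE)
    print("transfer intact:", ok, "bytes:", len(got))
```

The hash comparison is the check a practitioner adds because a TCP stream has no framing: a transfer cut short by CTRL-C before EOF leaves a truncated file that looks complete. The accept() comment is the security point of the next slide in miniature: the listener hands the bytes to whoever connects first, in the clear, with no identity check on either side.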

• The security issue: files (sensitive information) can be transferred (stolen) out of the network via permitted ports (e.g. port 80, HTTP), effectively bypassing defense mechanisms such as network boundary firewalls.

Use as a Backdoor

• We will use Netcat as a backdoor to access and execute a program remotely
• This is made possible by the -e option
• "Remote" in our demo context means that we will be able to access a folder and execute programs from another folder, by virtue of our client-server connection
• At the server end (Terminal 1), set up a backdoor as follows: nc -l -p 12345 -e /bin/sh
• At the client end (Terminal 2), remotely connect to the server as follows, to execute programs via the backdoor: nc 127.0.0.1 12345
• With a connection established between the client and the server, we can now remotely execute command line programs on the server, from the client.
• Simple demo: To see how the backdoor works:
  - Set up Netcat on the server (Terminal 1) as a backdoor: nc -l -p 12345 -e /bin/sh
  - On the client terminal (Terminal 2, the "remote system"), cd to the test directory.
  - Then set up the client as follows: nc 127.0.0.1 12345
  - With the client-server connection now in place, run the ls program. What do we see on the client? Execute other command line programs.

• Close the connection: CTRL-C

Class Activity - Netcat

• Set up a server connection (listening mode) on a terminal. Using localhost as the hostname, set up a client connection on another terminal. Let the "client" and the "server" communicate on port 9999 by exchanging text.
• Set up another client-server connection, replacing the hostname with the IP address (?) of localhost. See if this also works.
• Scan the http and https ports on www.google.com. What is the port state for each connection?
• File transfer: based on the earlier file transfer demo, use Netcat to transfer a file from an existing directory on your system to the Desktop.
• Backdoor: based on our backdoor demo, access an existing directory on your system from the Desktop and run command line programs.

Netstat

• Shows incoming and outgoing connections across the network
• Useful for network troubleshooting
• Useful for performance management
• Shows the amount of traffic on the network
• Syntax: netstat [options]

Common Netstat Command Line Options

-a : displays all active connections (including the TCP or UDP ports on which the system is listening)
-n : do not resolve names
-t : show only TCP connections
-c : continuously output connection information
-u : show only UDP connections
-l : show only listening sockets
-p : show processes alongside the sockets they are using
-s : show statistics by protocol
-r : show the contents of the IP routing table
-i : show network interfaces and their statistics

Some Common Uses

• Listing only TCP connections: netstat -a -t
• Listing only UDP connections: netstat -a -u
• Listing all (TCP and UDP) network connections: netstat -a
• Listing only listening connections: netstat -t -n -l
• Displaying kernel routing information: netstat -r -n
• Printing information about network interfaces: netstat -i. To get detailed output, use the -e switch (netstat -i -e; similar to .)
• Getting process id/name and user id: netstat -n -l -p -t
• Printing out network statistics, e.g. the total number of packets received and transmitted by protocol: netstat -s
• Continuously displaying TCP connections: netstat -c -t
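The defender's side of the earlier File Transfer and Backdoor slides: a Netcat listener started with "nc -l -p 12345 -e /bin/sh" is a socket in LISTEN state owned by the nc process, which is exactly what "netstat -n -l -p -t" displays. This added example (not part of the tutorial) parses netstat-style output and flags the listeners an administrator would want to ask about. The sample output is constructed for the example, not captured from a real host, and the set of expected service ports is an assumption about the host being checked.

```python
# Constructed sample of `netstat -tulnp` output on a Linux host (not real data).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      640/cupsd
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN      4021/nc
tcp6       0      0 :::80                   :::*                    LISTEN      1102/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           590/dhclient
"""

# Program names under which the common Netcat builds show up in `netstat -p`.
NETCAT_NAMES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}

# Assumption: the services this host is sanctioned to expose on all interfaces.
EXPECTED_PORTS = {22, 80, 443}


def parse_netstat(text):
    """Turn the socket lines of netstat output into dicts.

    TCP lines carry a State column; UDP lines do not, so the PID/Program
    field is always taken from the last column.
    """
    sockets = []
    for line in text.splitlines():
        cols = line.split()
        if not cols or cols[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue                      # header / blank lines
        proto, local = cols[0], cols[3]
        state = cols[5] if proto.startswith("tcp") else ""
        addr, port = local.rsplit(":", 1)   # handles ':::80' as well as '0.0.0.0:22'
        pid, _, prog = cols[-1].partition("/")   # '-' when netstat lacks permission
        sockets.append({"proto": proto, "addr": addr, "port": int(port),
                        "state": state, "pid": pid, "prog": prog})
    return sockets


def suspicious_listeners(sockets, expected_ports=EXPECTED_PORTS):
    """Return {(proto, port): [reasons]} for sockets worth investigating."""
    findings = {}
    for s in sockets:
        reasons = []
        if s["prog"] in NETCAT_NAMES:
            reasons.append("socket owned by a netcat binary")
        wildcard = s["addr"] in ("0.0.0.0", "::", "*")
        if s["state"] == "LISTEN" and wildcard and s["port"] not in expected_ports:
            reasons.append("wildcard TCP listener on a port outside the expected set")
        if reasons:
            findings[(s["proto"], s["port"])] = reasons
    return findings


if __name__ == "__main__":
    for key, why in suspicious_listeners(parse_netstat(SAMPLE_NETSTAT)).items():
        print(key, "->", "; ".join(why))
```

Two caveats a practitioner would add: the program-name rule is trivially defeated by renaming or copying the binary, so the port allowlist rule is the one that holds up, and netstat only shows the PID/Program column for sockets the invoking user may inspect, so the check has to run as root to be complete.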

Class Activity - Netstat

• Run your browser and go to www.google.com. Then, using the appropriate options, display all TCP connections such that the source and destination IP addresses and ports are visible. [Hint: no name resolution.]
• Display continuous TCP output, where the source and destination IP addresses and ports are visible.
• Display continuous UDP output, where the source and destination IP addresses and ports are visible. On a different terminal, simultaneously do a of www.google.com to see actual UDP packets.
• Display continuous UDP and TCP output together, where the source and destination IP addresses and ports are visible. [Generate TCP and UDP traffic as appropriate.]

ARP

• Another useful command line-based network management tool.
• Explore its options here: http://www.computerhope.com/unix/arp.htm
