Other Networking Tools (Netcat, Netstat, ARP)

Netcat
• A utility for writing and reading data to and from TCP or UDP connections
• Used for network debugging and investigation
• Two primary operation modes: Server and Client
• Features/uses:
  - port listening
  - port scanning
  - file transfer
  - as a backdoor (nefarious intentions)
• Syntax: nc [options]

CPSC 526 Tutorial: Winter 2015.

Common Netcat Command Line Options
-l : listening mode for inbound connections, e.g. nc -l will put Netcat into server or listening mode
-c : close at the end of file (EOF) from standard input (stdin)
-d : enables Netcat to be detached from the console and run in background mode
-e filename : specify filename to execute after connecting
-n : no name resolution
-p port : local port number (port numbers can be individual or ranges: lo-hi [inclusive])
-s addr : local source address
-v : verbose output
-u : UDP mode

Operation Modes
• As server: "listens for inbound traffic"
• As client: "connects to somewhere (server)"
• Server mode connection: nc -l -p portnumber. E.g.: nc -l -p 10905
• Client mode connection: nc hostname portnumber. E.g.: nc localhost 10905
• We set up a client-server connection as follows:
  - Open a terminal and set up the server with: nc -l -p 10905
  - Open another terminal and set up the client with: nc localhost 10905
  - Let the client and the server now exchange data.

Port Scanning
• A port: analogous to a doorway through which information goes in and out of a computer (application-level communication)
• Port scanning can show us the port states (whether a port is open or closed)
• Port scanning is done in the client mode
• Basic syntax: nc -v hostname port
• You can specify a range of port numbers. E.g., to check all ports that are open and can receive traffic: nc [options] [IP address] 1-65535. Applicable options: -n, -v, -u, etc.; -u for UDP.
File Transfer
• The client can pick up a resource (e.g., a file) from the server
• First, initiate the file transfer process from the "server". Server setup: nc -l -p portnumber < {filename}
• Next, set up the client to pick up the file: nc [hostname/ip address] 1234 > {filename}
• Close the connection
• Simple demo: To see how the file transfer process works, we use Netcat to transfer a file from a "server" to a "client":
  - Open two terminals, one as server and the other as client.
  - On the client terminal, create an empty directory called test (mkdir test). As client, cd to the test folder.
  - At the server end, enter the command nc -l -p 1234 < {filename}. Now in listening mode, the server is ready for the file to be picked up by the client.
  - At the client side, enter the command nc localhost 1234 > {filename}.
  - CTRL-C to close the connection.
  - Run ls on the client to see that the file has now been transferred to the previously empty folder (test).
• The security issue: files (sensitive information) can be transferred (stolen) from the network via permitted ports (e.g. port 80 - HTTP), effectively bypassing defense mechanisms such as network boundary firewalls.

Use as a Backdoor
• We will use Netcat as a backdoor to access and execute a program remotely
• This is made possible by the -e option
• "Remote" in our demo context means that we will be able to access a folder and execute programs, from another folder, by virtue of our client-server connection
• At the server end (Terminal 1), install a backdoor as follows: nc -l -p 12345 -e /bin/sh
• At the client end (Terminal 2), remotely connect to the server as follows, to execute programs via the backdoor: nc 127.0.0.1 12345
• With the connection established between the client and the server, we can now remotely execute command line programs on the server, from the client.
• Simple demo: To see how the backdoor works: set up Netcat on the server (terminal 1) as a backdoor: nc -l -p 12345 -e /bin/sh.
  On the client terminal (terminal 2 / "remote system"), cd to the test directory. Then, set up the client as follows: nc 127.0.0.1 12345. With the client-server connection now in place, run the ls program. What do we see on the client? Execute other command line programs.
• Close the connection: CTRL-C

Class Activity - Netcat
• Set up a server connection (listening mode) on a terminal. Using localhost as the hostname, set up a client connection on another terminal. Let the "client" and the "server" communicate on port 9999 by exchanging text.
• Set up another client-server connection, replacing hostname with the IP address (?) of localhost. See if this also works.
• Scan the http and https ports on www.google.com. What is the port state, with each connection?
• File transfer: based on the earlier file transfer demo, use Netcat to transfer a file from an existing directory on your system to the Desktop.
• Backdoor: based on our backdoor demo, access an existing directory on your system from the Desktop and run command line programs.

Netstat
• Shows incoming and outgoing connections happening across the network
• Useful for network troubleshooting
• Useful for performance management
• Shows the amount of traffic on the network
• Syntax: netstat [options]

Common Netstat Command Line Options
-a : displays all active connections (including the ports, TCP or UDP, on which the system is listening)
-n : do not resolve names
-t : show only TCP connections
-c : continuously output connection information
-u : show only UDP connections
-l : listening mode
-p : show processes alongside the sockets they are using
-s : show statistics by protocol
-r : show the contents of the IP routing table
-i : show network interfaces and their statistics
Some Common Uses
• Listing only TCP connections (netstat -a -t)
• Listing only UDP connections (netstat -a -u)
• Listing all (TCP and UDP) network connections (netstat -a)
• Listing only listening connections (netstat -t -n -l)
• Displaying kernel routing information (netstat -r -n)
• Printing information about network interfaces (netstat -i). To get more detailed output, use the -e switch (netstat -i -e: similar to ifconfig).
• Getting process id/name and user id (sudo netstat -n -l -p -t)
• Printing out network statistics, e.g., total number of packets received and transmitted by protocol type (netstat -s)
• Continuously displaying TCP connections (netstat -c -t)

Class Activity - Netstat
• Run your browser and go to www.google.com. Then, using the appropriate options, display all TCP connections, where the source and destination IP addresses and ports are visible. [Hint: no name resolution.]
• Display continuous TCP output, where the source and destination IP addresses and ports are visible.
• Display continuous UDP output, where the source and destination IP addresses and ports are visible. On a different terminal, simultaneously do a traceroute of www.google.com to see actual UDP packets.
• Display continuous UDP and TCP output together, where the source and destination IP addresses and ports are visible. [Generate TCP and UDP traffic as appropriate.]

ARP
• Another useful command line-based network management tool.
• Explore its options here: http://www.computerhope.com/unix/arp.htm
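The Netcat and Netstat slides meet on the defensive side: both the file-transfer server (nc -l -p 1234) and the backdoor (nc -l -p 12345 -e /bin/sh) appear as listening sockets in the output of netstat -n -l -p -t. The script below is an added example, not part of the original tutorial; the EXPECTED allowlist, the function names and the sample netstat output are constructed assumptions.

```shell
#!/bin/sh
# Added example: triage `netstat -n -l -p -t` output for unexpected listeners.
# EXPECTED is a hypothetical allowlist; replace it with the services your host should run.
EXPECTED="sshd cupsd apache2"

# Reads netstat output on stdin; prints "port pid program scope reason" per finding.
flag_listeners() {
    awk -v expected="$EXPECTED" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)              # text after the last colon
        host = substr($4, 1, length($4) - length(port) - 1)
        pid = "-"; prog = "unknown"                  # "-" means the owner is hidden (not run as root)
        if ($7 != "-" && $7 != "") {
            split($7, p, "/"); pid = p[1]; prog = p[2]; sub(/:$/, "", prog)
        }
        scope = (host ~ /^127\./ || host == "::1") ? "loopback" : "network"
        # A process name can be changed, so unknown names are flagged as well as nc itself.
        if (prog ~ /^(nc|ncat|netcat)(\.|$)/) reason = "netcat-listener"
        else if (prog == "unknown")           reason = "owner-hidden"
        else if (!(prog in ok))               reason = "not-in-allowlist"
        else next
        print port, pid, prog, scope, reason
    }'
}

# Constructed sample of `sudo netstat -n -l -p -t` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      811/sshd
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN      4242/nc
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      702/cupsd
tcp        0      0 127.0.0.1:1234          0.0.0.0:*               LISTEN      4310/nc
tcp6       0      0 :::80                   :::*                    LISTEN      950/apache2
tcp6       0      0 :::8443                 :::*                    LISTEN      -
EOF
}

sample_netstat | flag_listeners
# On a live host: sudo netstat -n -l -p -t | flag_listeners
```

A "network" scope means the socket is bound to a non-loopback address and is reachable from other hosts, which is what separates the backdoor demo on 0.0.0.0:12345 from a listener bound only to 127.0.0.1.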
