Send Data Over a Network Using netcat
Often you cannot directly copy files between machines. One way to pass data is to use netcat, which has versions for both Windows and Linux. Here are the steps to set up a connection and transfer data over a network using netcat.
Set up netcat to listen (on the machine receiving the data)
- Command: nc -v -l -p 10000 > command.txt
- Notes: -p is the port you are opening to receive the data. You can name the output file anything you want (it is usually wise to name it something descriptive).
Run a command on the sending machine
- Command: command | nc receiving_machine_ip_address 10000
- When the transfer is complete, kill the command with Ctrl-C
Posted by: Heavymeddler
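The listener/sender exchange from the post above, as an added example that is not part of the original post: a Python stand-in for the two netcat commands that runs both ends on one machine and hashes the data on each side, which is the check a forensic examiner wants before trusting the evidence file. The loopback host, the OS-chosen port and the command whose output is shipped are assumptions for the demonstration.

```python
"""Added example (not part of the original post): a pure-Python stand-in for the
netcat listener/sender pair, so the exchange can be exercised on one machine.
Both ends hash what they sent or received so the examiner can show that the
evidence file matches the command output byte for byte."""
import hashlib
import os
import socket
import subprocess
import sys
import tempfile
import threading


def run_listener(listen_sock, out_path, result):
    """Receiving side, the equivalent of `nc -v -l -p PORT > out_path`."""
    conn, peer = listen_sock.accept()
    digest, total = hashlib.sha256(), 0
    with conn, open(out_path, "wb") as evidence:
        while True:
            chunk = conn.recv(65536)
            if not chunk:            # sender shut down its side: transfer complete
                break
            evidence.write(chunk)
            digest.update(chunk)
            total += len(chunk)
    result.update(peer=peer, bytes=total, sha256=digest.hexdigest())


def send_command_output(cmd, host, port):
    """Sending side, the equivalent of `cmd | nc host port`."""
    digest, total = hashlib.sha256(), 0
    with socket.create_connection((host, port)) as sock, \
            subprocess.Popen(cmd, stdout=subprocess.PIPE) as proc:
        for chunk in iter(lambda: proc.stdout.read(65536), b""):
            sock.sendall(chunk)
            digest.update(chunk)
            total += len(chunk)
        sock.shutdown(socket.SHUT_WR)   # signals end of data, like Ctrl-C on the real nc
    return total, digest.hexdigest()


def transfer(cmd, out_path, host="127.0.0.1"):
    """Run both ends on one host and report whether the hashes agree."""
    listen_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listen_sock.bind((host, 0))          # port 0: let the OS pick (the post used 10000)
    listen_sock.listen(1)
    port = listen_sock.getsockname()[1]
    result = {}
    thread = threading.Thread(target=run_listener, args=(listen_sock, out_path, result))
    thread.start()
    sent, sent_hash = send_command_output(cmd, host, port)
    thread.join()
    listen_sock.close()
    with open(out_path, "rb") as f:
        file_hash = hashlib.sha256(f.read()).hexdigest()
    return {"bytes_sent": sent, "bytes_received": result["bytes"],
            "sha256_sent": sent_hash, "sha256_received": result["sha256"],
            "match": sent_hash == result["sha256"] == file_hash}


def demo():
    """Ship the output of a constructed command into a temporary evidence file."""
    # Constructed command: stands in for `date`, `netstat -an`, etc., and is
    # portable because it only needs the Python interpreter running this script.
    cmd = [sys.executable, "-c", "print('constructed volatile data')"]
    fd, path = tempfile.mkstemp(suffix=".txt")
    os.close(fd)
    try:
        return transfer(cmd, path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Record the two hashes alongside the evidence file: a mismatch means the transfer was truncated or altered in transit, and with the real nc the same check is done by hashing the output file on the receiver and the command output on the sender.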
Analyzing Volatile Data
What to check for when analyzing volatile data through a netcat connection:
- The System Date and Time
- Current Network Connections
- Open TCP or UDP Ports
- Which Executables Are Opening TCP or UDP Ports
- Cached NetBIOS Name Table
- Users Currently Logged On
- The Internal Routing Table
- Running Processes
- Running Services
- Scheduled Jobs
- Open Files
- Process Memory Dumps
The System Date and Time
Record this so that the machine's clock can be compared with log timestamps and a trusted NTP server.
Windows Commands:
- date
- time
Linux/Unix Command:
- date
Current Network Connections
Check this to see whether an attacker is currently connected, or whether the machine is running a brute-force attack against other hosts on the internet. Note that port assignments can be checked at www.portsdb.org.
Windows/Linux/Unix Command:
- netstat -an (the -a flag shows all connections and listening ports; -n prints addresses and ports numerically instead of resolving names)
Open TCP or UDP Ports
Check for rogue ports that were not opened by the system. A suspiciously open port can be the sign of a back door created by an attacker. Note that port assignments can be checked at www.portsdb.org.
Windows Command:
- netstat -an
Linux/Unix Command:
- netstat -anp (the -p flag shows the process ID and name of the process that opened the port)
Executables Opening TCP or UDP Ports
Using a tool called FPort distributed from www.foundstone.com, scan which executables are using ports. Compare the list to the list of questionable ports you gathered while running netcat. Research which processes are system processes and which are suspicious.
Windows Command:
- FPort
Linux/Unix Command:
- lsof (adding the -n option lengthens the output)
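Added example (not from the original post) of the comparison described in the last two sections: parse the collected netstat output, keep only the listening sockets, and report every (protocol, port) pair that is absent from a baseline of ports the system is expected to have open, together with the PID/program that netstat -anp attaches. The parser handles both the Linux netstat -anp layout and the Windows netstat -an layout, which goes beyond the single command the post shows; the baseline sets and the sample output lines are constructed for the demonstration.

```python
"""Added example (not from the original post): flag listening ports that are
not in a known-good baseline, using netstat output collected over the netcat
channel.  All sample lines and baselines below are constructed."""
import re

LISTEN_STATES = {"LISTEN", "LISTENING"}


def parse_netstat(text):
    """Return one dict per listening socket: proto, port, local address and,
    where the Linux -p column is present, the PID and program name."""
    listeners = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        proto = tokens[0].lower()
        if not proto.startswith(("tcp", "udp")):
            continue                       # banner or header line
        family = "tcp" if proto.startswith("tcp") else "udp"
        # First token containing ':' is the local address (Linux prints
        # Recv-Q/Send-Q counters before it, Windows does not).
        local = next((t for t in tokens[1:] if ":" in t), None)
        if local is None:
            continue
        if family == "tcp":
            listening = any(t in LISTEN_STATES for t in tokens)
        else:
            listening = "ESTABLISHED" not in tokens   # unconnected UDP socket
        if not listening:
            continue
        addr, _, port = local.rpartition(":")       # rpartition keeps IPv6 intact
        if not port.isdigit():
            continue
        pid, program = None, None
        for i, t in enumerate(tokens):
            if re.match(r"\d+/", t):                  # Linux "PID/Program name"
                pid_s, _, program = " ".join(tokens[i:]).partition("/")
                pid = int(pid_s)
                break
        listeners.append({"proto": family, "port": int(port), "addr": addr,
                          "pid": pid, "program": program})
    return listeners


def find_unexpected_listeners(text, baseline):
    """baseline: set of (proto, port) pairs known to belong on this host."""
    return [l for l in parse_netstat(text) if (l["proto"], l["port"]) not in baseline]


# Constructed sample of `netstat -anp` output from a Linux host (not real data).
SAMPLE_LINUX = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      877/master
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      4242/.x
tcp        0      0 10.0.0.5:22             10.0.0.99:51422         ESTABLISHED 2301/sshd: alice
tcp6       0      0 :::22                   :::*                    LISTEN      612/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           455/dhclient
"""
BASELINE_LINUX = {("tcp", 22), ("tcp", 25), ("udp", 68)}

# Constructed sample of `netstat -an` output from a Windows host (not real data).
SAMPLE_WINDOWS = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.50:50231     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""
BASELINE_WINDOWS = {("tcp", 135), ("tcp", 445)}


if __name__ == "__main__":
    for name, sample, baseline in (("linux", SAMPLE_LINUX, BASELINE_LINUX),
                                   ("windows", SAMPLE_WINDOWS, BASELINE_WINDOWS)):
        for hit in find_unexpected_listeners(sample, baseline):
            print(name, hit)
```

The baseline is the interesting input: build it from a known-clean reference build or from the earlier netstat run, and treat every hit as a port to chase with FPort or lsof rather than as proof of compromise on its own.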
Cached NetBIOS Name Tables (Windows only)
Checking the NetBIOS Name Table cache will show the NetBIOS name or IP address of recently connected machines.
Windows Command:
- nbtstat -c (the -c switch instructs nbtstat to dump the cache)
Users Currently Logged On (Windows only)
Using the PSLoggedOn tool in the PSTools suite distributed at www.sysinternals.com you can see who is currently logged into your system. This would catch anybody that is connected remotely.
Windows Command:
- psloggedon
The Internal Routing Table
Checking the Routing Table will identify instances where an attacker is routing his connection to avoid a firewall or gain access from a machine with greater access.
Windows/Linux/Unix Command:
- netstat -rn
Running Processes
Using the pslist tool to check which processes are running can reveal processes started by an attacker. The elapsed time will help indicate which processes were launched by the system and which were launched by an attacker.
Windows Command:
- pslist
Linux/Unix Command:
- ps -aux
Running Services (Windows only)
Using the PSService tool you can examine the services running on the target machine. Finding a rogue service can be valuable since attackers can run executables from them.
Windows Command:
- psservice
Scheduled Jobs
Attackers can schedule jobs that run while they are not connected to the machine.
Windows Command:
- at
Linux/Unix Command:
- crontab -l (cron is the scheduler daemon itself; crontab -l lists the scheduled jobs of the current user. System-wide jobs live in /etc/crontab and the /etc/cron.* directories.)
Open Files
The PsFile tool checks for any files opened remotely on the machine. This will help determine more information about the attack.
Windows Command:
- psfile
Linux/Unix Command:
- lsof
Process Memory Dumps (Windows only)
Running process memory dumps and using tools to inspect the data will help gain additional information about the attacker and their intent. This is extensive and requires a large knowledge base to know what to look for.
Windows Command/Tool:
- userdump.exe (provided by Microsoft)
Full System Memory Dumps (Windows only)
Using the dd tool you can dump the entire memory of the target computer. It is wise to map a drive to a remote machine so that you do not overwrite valuable data.
Windows Command/Tools:
- dd
Loaded Kernel Modules (Linux/Unix only)
This command lists the loaded kernel modules so that you can inspect them for items that are not system related.
Linux/Unix Command:
- lsmod
Mounted File Systems (Linux/Unix only)
These commands list the mounted file systems so that unexpected mounts can be spotted.
Linux/Unix Command:
- mount
- df
Posted by: Heavymeddler