Hey all,

I've seen a few posts on methods of securing a netcat shell, but i noticed they all fail due to the universal pwd "*" working (due to the .bat approach).

So instead i knocked up a couple of lines of c code.

Here's the code:

// ncAuthenticate.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"

int main(int argc, char* argv[])
{



char myPwd[20];

cout << "Welcome to NetCat shell"; // best to leave this out for stealth reasons
cin >> myPwd;

if(strcmp(myPwd,"31i+3/<iddi3P@$$\/\/0rd")==0)
{
system("@CMD");
}

if(strcmp(myPwd,"31i+3/<iddi3P@$$\/\/0rd")!=0)
{
system("@PAUSE");
}


return 0;
}



Then to use this, simply copy nc.exe and ncauth.exe to \windows\system32 and setup a service using svrany or equiv as:

services.exe CREATESVRANY "SHORTLAMENAME" "LONGLAMENAME" "c:\windows\svrany.exe" "c:\WINDOWS\SYSTEM32\nc.exe"

and:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SHORTLAMENAME\Parameters" /v "AppParameters" /t REG_SZ /d "-l -L -p 7337 -d -e ncauth.exe"

finally, net start SHORTLAMENAME

To connect to the shell type nc -v -n ipaddresss 7337.

This post is to demonstrate the use of netcat to provide secure shells - e.g. to connect to your home pc from work, it's not intended for illegal use and I accept no responsibility for such acts.

Enjoy...

ThX man i will test this )

have you forgotten to attach the file or you just want us to compile using the modified code?

just make yourself a hello world wizzard app in vc++ and paste the code in. i prefer not to post compiled files, as the AV firms will just make your life hell otherwise.

can you post stdafx.h?

you dont need stdafx to compile it's just some lame microsoft thing.

you probaly need to include io.h though.

erm, edit2.. I'm not very fammiliar with "cin" but wouldent input of more than 20 charachers cause a buffer overflow?

just in case here is a C version that i know is safe:
Edit: Version 2

problem with 2nd code: if no pass is entered, it foesn't work if u connect again

than you may add infinite loop
and check password's in it

it's only my opinion
i may be wrong

greetz

ps. generally you could make sth like this on your own
or modify one of posted here

clip: did u even try it? I AM talking about when -L is used (as opposed to -l)

If u enter a right pass - works fine and gives u shell
Connect again and enter wrong pass - doesn't give u anything
Connect again - enter NO pass and press CTRL-C to force a close (to simulate a port scan) and try connecting again, and u cant

hmm you need both -l and -L. With these options i have tried to get it to stop connecting via the method you described and it kept working.

the buffer overflow risk is clearly there in the rough code i posted, search msdn for safer method of input, or just stick a try catch around it to avoid the crash.

thanks for the coding!

into the clip version you must include string.h!

The problem of reconnecting can be easily solved. Netcat goes into an infinite loop by default I believe when it is listening. All you have to do is recv() for data. If data recieved is greater than 0 launch u're password checker. This is basically the technique that I use for my bind shell program, it should give u an idea on how its done.


One more thing its always a bad idea to use a plaintext password. Use an encryption method to encrypt the password inside netcat. That way some smart ass with a hex editor won't be able to get the password.

Exploit Research & Discussion ?!?!

wrong forum ?

vnet - very true about encryption, but remember i am using this for my home pc for remote axxs from work, so only i would have the source.

but for the kiddies, use a decent hash algorithm.

Becareful about buffer overflow on your code, you must to check the size of password during the authenticating. However, if the size of required password is defined, caution to the brute force attack ...

Would anyone mind incorporating both those last ideas (size of pass and bypassing the infinite loop) into a code ... id do it but i sux at programming :\

There is no need to reinvent the wheel. Cryptcat has always been out there, i see no reason in trying to add "authentication" to Netcat.

actually thats not only for netcat, afaik you could use that for anything and include it in multiple applications.

And that argument about reinventing the wheel is just a bit short-sighted if you ask me.

I think this fixes the loop problem. NC only goes back to listening if the child process returns <> 0. Might be wrong though. This code is safe from buffer overflow. fgets limits the amount of bytes read from the stdin stream to 127bytes one less than the size if the myPwd[] buffer.

to be honest i didnt think about this much originally. i just saw ppl using batch files with netcat that would also accept * as a password! So i thought id draw up some rough code to illustrate how it could be done more securely.

tstngry actually that batch is really not very hard to crack
running nc with
nc -L -p 8666 -vv -e yourbat.bat