Scanning with Netcat
Our learning objectives are to understand how to use Netcat to scan for open ports and services, as well as demonstrate how to write simple scripts to scan for open ports with Netcat.
So, Netcat isn't just a port scanner. In fact, out of masscan, Nmap and Netcat, it's probably the one you would want to use the least
out of the three for scanning ports, but I still want to show it to you. As I mentioned before, there was a Hack The Box challenge I did where Nmap didn't find the open port, but Netcat did. So I want to give you that option as well. Netcat is described as the TCP/IP Swiss Army knife.
It's so versatile. When you take the PWK course, very early on they'll show you that you can chat between computers; it's used for banner grabbing; you can transfer files with it, which is very useful and which we can use later in the file transfer section of this course;
and of course it's used for getting shells: bind shells, reverse shells, connecting to that remote system.
Another thing of note is that Netcat is not encrypted. When you connect to another system or you send traffic, your connection is not secure. It's not that big of a deal in terms of the OSCP,
but in the real world you'd use something like Ncat, where you would use encryption to communicate with another system.
So as a port scanner, this is the syntax for Netcat. I've gone through the different flags here and what they mean. You can change the timeout, so from one second to two or 10 seconds. Just know, the more seconds you put there, the longer it will take to scan.
I mean, you're scanning a single host; it really doesn't take too long. As you can see here in the picture, I scanned this host from port 1 to 1024. It did find three open ports; it says https and http, and domain for DNS.
It's not doing any kind of checking for that. It's just assuming, because those are
the ports for HTTPS, HTTP and DNS. So it's not doing any checking like that. That's why you have to do banner grabbing and things like that to further enumerate those services.
I say it can be slow to scan. It can be; it just depends on the system that you're scanning.
So how can we scan more than one host? Netcat doesn't have that functionality built in, so we have to create a bash script one-liner. It's very useful to know how to use bash to create these one-liners, these one-line scripts. In fact, you'll use things like reverse shell one-liners
to get reverse shells from remote systems to your system.
So knowing how to script and to iterate through a list
is a very, very useful skill.
So you'll see here that we're running this Nmap command. This is my local network, 192.168.1.1/24. Yours may be different: it might start with 172, or it might start with 10. It really just depends on your local network and how it's configured.
But ultimately what all this is doing is it's piped to awk. Awk is a whole other lesson in and of itself.
But basically what this script is trying to do is find the list of IPs that are up on the network, and it's writing it to this IP list.
You'll see here the output from doing that one-liner. The "while read l, do Netcat" part is just basically doing that
command-line command with Netcat.
l is going to be that IP list text document, just iterating through that list on port 80. Of course you can change that
to whatever port you want.
You can also do this with Python. As you can see here, there's the shebang at the top, which is calling /usr/bin/python3. So it's a Python 3 script,
and you'll also see the pound sign
in this document, because the pound sign is a comment. So I'm trying to explain basically what every line in this Python script does. It's basically doing the same thing that we did with the one-liner, and it took me a whole lot longer to figure out how to do it.
But I wanted to show you that you can accomplish the same task
with different scripts.
And here it is in gedit. I told you I like gedit better than Mousepad.
But you can see gedit colorizes everything so it looks nice and pretty.
And you'll notice the output. Maybe you did, maybe you didn't; I know I go through the slides kind of quickly. But you'll notice that the output from each of those tools was different. Hosts may go up or down. So how do we see the difference between these two outputs? Well, there's a command for that. It's called the diff command.
As you can see here, I have diff -y. That's just a side-by-side comparison. I like that to show, you know, that the green is what was added in the Python script. So the first one is the bash script one-liner. The second was the Python script, and you can see that when the Python script ran it found some different hosts.
And like I said, hosts go up or down.
So that may be the reason why there are some differences between the two scripts when I ran them.
So let's do a demo.
All right. So let's use some of the commands we've learned before. I know I've run this Nmap scan before, so I'm just gonna do history.
I'm gonna grep, or search, for
the command, and as you can see here, line 871, 917, I used this command. So if I want to pull that line, I can just do exclamation 917 (!917). That will pull that command. I'm running this. It should give me a list of all the
IP addresses that are up on my network.
That didn't take too long. So let's cat that, or see what's in that file, the IP list.
So these are all the IP addresses that are up on my network. So now what I want to do is that one-liner. So again, I know I've run this before: history, grep
"while". I know that was in that command. So let's do !920.
I'm gonna run this and you'll see the output. It shows all the hosts that are up, and this is just Netcat trying to reach port
Now let's try that Python script as well. Now, if you write this Python script and you try to run it right off the bat, if you try to just run the script, you can do dot
forward slash netcat.scan (./netcat.scan), and you'll notice that it says permission denied. So what you want to do is chmod, "ch-mod" or "chmod", whatever you wanna call it. I do 777. This is unsafe if you're a developer or don't want certain people to have access to your file. For the purposes of this demonstration, 777 is fine.
We're gonna make it globally readable, writable and executable for netcat.scan. And I'll show you that with ls -la netcat.scan: you can see it's read, write, execute; read, write, execute; read, write, execute. Globally readable, writable, executable. So now we should be able to run this,
and again, it's doing the same thing as that bash script one-liner. It's just iterating through that list of hosts
and checking port 80.
Now, if you actually wanted to enumerate port 80,
you'd do something like Netcat with -v for verbose and -n for no DNS.
Let's do something. Let's take a look here.
And how about 192.168.1.161, port 80.
Because this is HTTP I'm gonna have to do something else, and we'll get into this more when we talk about the web app attacks, but we do a GET request, HTTP/1.0.
And you'll see here this is the banner grab for HTTP. You can see the server is nginx, and we can see some header information here. Don't worry too much about this. I just wanted to show you that Netcat can also enumerate ports. If you want to enumerate something like,
let's say, SSH:
184, my super cool, elite port.
You'll see here it did a banner grab of SSH on that open port.
So it's not going to do that when you iterate through that list to scan for open ports, but also know the versatility of Netcat and its ability to do banner grabs in addition to port scanning.
So here's our hands-on quiz. Try each scanner out. Try Nmap, try masscan, try Netcat, and see what you like and what you don't like.
And as well, try to do those scripts on your own, the bash scripting and the Python script, just to get some hands-on experience with doing bash scripts and writing Python scripts. Because the more you do that, I think the more comfortable you'll be when it comes time for your OSCP.
So in summary, we now understand how to use Netcat to scan for open ports and services. And also we demonstrated how to write simple scripts to scan for open ports with Netcat.
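
Added example, not part of the recording and not the instructor's script: a shell sketch of the workflow described above (Nmap ping sweep piped to awk to build the IP list, then a `while read` loop running Netcat against one port on each host). The function names and the sample lines are assumptions constructed for illustration; the slide's exact commands are not in the transcript.

```bash
#!/bin/sh
# Added sketch of the lesson's workflow; all function names are hypothetical.

# Step 1: ping sweep, keeping the address column of hosts reported up.
# Expects nmap grepable output such as:  Host: 192.168.1.1 ()  Status: Up
extract_up_hosts() {
    awk '/Status: Up/ { print $2 }'
}

sweep() {            # usage: sweep 192.168.1.1/24 > iplist.txt
    nmap -sn -oG - "$1" | extract_up_hosts
}

# Step 2: try one TCP port on every host in the list.
#   -n no DNS, -v verbose, -z connect without sending data, -w 1 one-second timeout
# nc reports on stderr, hence 2>&1; </dev/null keeps nc from reading the host list.
scan_list() {        # usage: scan_list iplist.txt 80
    while read -r host; do
        nc -nvz -w 1 "$host" "$2" 2>&1 </dev/null
    done < "$1"
}

# Step 3: keep only successful connections. Matches the wording of OpenBSD nc
# ("... succeeded!") and traditional nc ("... open"). The service name in the
# output is a lookup of the port number, not a probe of the service.
open_only() {
    grep -E 'succeeded!$|\) open$' || true
}

# Constructed sample data so both filters can be checked offline.
SAMPLE_SWEEP='# Nmap scan initiated (constructed sample)
Host: 192.168.1.1 () Status: Up
Host: 192.168.1.161 () Status: Up
# Nmap done: 256 IP addresses (2 hosts up)'

SAMPLE_NC='nc: connect to 192.168.1.1 port 80 (tcp) failed: Connection refused
Connection to 192.168.1.161 80 port [tcp/http] succeeded!
(UNKNOWN) [192.168.1.161] 80 (http) open
(UNKNOWN) [192.168.1.1] 80 (http) : Connection refused'

printf '%s\n' "$SAMPLE_SWEEP" | extract_up_hosts   # the two sample addresses
printf '%s\n' "$SAMPLE_NC" | open_only             # the two lines reporting an open port
```

Against a lab network the three steps chain as `sweep 192.168.1.1/24 > iplist.txt` followed by `scan_list iplist.txt 80 | open_only`.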