Using netcat to connect to remote machines

October 16, 2009

I’m finally sitting down and learning how exploits work. The reasons are varied but really, I need to know more about them to be able to keep my machines sane.

The most potent thing that I would expect a lot of people to not understand is the power of netcat. Anyone in the field of network security should know it but the nc command is slightly crazy after you figure out how powerful it is.

Do this on a linux machine you own (hopefully one that’s on a personal network…):

# nc -vv -l -p 20000 -e /bin/sh localhost

This will start netcat listening on port 20000 and will hand any incoming connection directly to the stdin and stdout of /bin/sh. This means, in short, you can now connect to a shell running on that port.

Then, from another linux machine (or the same one if yer limited by that sort of thing) try connecting to that port:

$ nc localhost 20000

Now type ‘ls’ and you should see the directory listing of the folder on the first machine where you started nc listening from.

One thing to note, hitting ctrl-c will end the original, listening nc’s /bin/sh process. I’m not sure how or if you can “disconnect” without killing the listening socket…

If you leave this running on a machine on a weird port (or port 31337, as some default payloads do) it’s easy enough for intruders to guess at what’s running on the machine. One could just connect to each open port on a machine with nc and run ‘whoami’ after the connection is open. In some cases, a box running this may kick back ‘root’, which means the obvious…

Netcat combined with ssh will let you tunnel this work…



Written by James Hagerman

© 2026