Advanced Ethical Hacking - Netcat Manual Testing Tutorial


In this lesson, we're going to go over the use of Netcat. Netcat is a command-line utility that is used to read from or write to the network. It gets its name from the command-line utility cat, which can be used to read from files or write to files. Cat is short for concatenate, and it was used to combine files.

But if you don't have multiple files it acts similarly, so what I'm doing here is concatenating this particular file to the screen, since I haven't provided a filename to send it out to. Netcat works similarly: I am going to read from the network, or I could write to the network as well. The first thing I want to do is write to the network. So I'm going to use Netcat, and I'm just going to do a very simple demonstration here of what Netcat can do.

So I'm going to connect to on port 80. So I'm going to connect to the web server at the hostname . So now I'm just going to open up a TCP connection. You see I don't get anything back here to indicate one way or the other, but I could check it by issuing an HTTP request. So if I issue that HTTP request, you see that I get a response, and this is the HTML that I'm getting back, as well as all of the JavaScript, which is actually what we're looking at here right now.

So what I just got back was the HTML and JavaScript that would be sent to your browser. Now, Netcat has several other uses. I could also issue a UDP request: in addition to the default TCP, I could also connect on UDP, and you can see I can also do IPv4 or IPv6.

Now, one of the other interesting things that I can do with Netcat is set it up to be a listener. So I've got a listener here, and I'm going to say listen on localhost, which is the loopback address, and listen on port 5000. So now I've got a listener set up here, and I can open up a new terminal window.

And now I'm going to use Netcat again. So I can do Netcat on port 5000. And I'm connected, even though it doesn't say I'm connected. So you can see what I type in the window on my client side is being reflected on what's effectively the server side here. Anything I type in the client window shows up in the server window. So you could set up a dummy server using Netcat and just the listener functionality of Netcat.

So you could have a dummy server where somebody could connect, for example, and try to initiate the automatic connection to get mail, where you could collect usernames and passwords, just as an example.

So there are a lot of different things that I can do with Netcat, and it gives me the ability to do manual manipulation of the server and of the protocols that you're talking to the server with. Now, in a subsequent lesson, we'll talk about doing that manual manipulation and the different things you could do to check protocols, and that would be using Netcat. But this is just the basics of using Netcat to connect and to listen.

Protocol Checking

In this lesson, we're going to be talking about protocol checking. So what do I mean by protocol checking? Well, protocol checking is where I'm going to connect directly or manually to a specific server, and I'm going to issue protocol commands to that server. That allows me to check different aspects of the protocol, like different extensions it may support, as well as the version and potentially the software type of the server in question. For doing this, there are of course a few utilities I could use.

But what I'm going to use is our old friend Netcat. So I'm going to use Netcat, and I'm going to connect to the host . I'm going to connect on port 80, which of course is the web port, and I'm going to issue an HTTP request here. So I've got my HTTP request, and it says bad request. So there's something wrong about the way this is done. And you can see what it's given me is a server name and a version.

So I get GFE/2.0. That's the server name and the version, or the software name and the version. So let's get a little bit deeper here. There was something wrong with what I sent, and error messages are very helpful, so sometimes it's useful to send something bogus like that: a bare HEAD / is often going to give you a bad request.

And the reason for that is because we are at HTTP version 1.1, and the server may have assumed either 1.1, in which case that request is missing the 1.1, or it may have assumed 1.0. Either way, I didn't specify the version number, though there could be different things wrong with what I sent there. So, in this case, I'm going to specify version 1.1 of the protocol. So I'm going to say HEAD, meaning give me the headers, for slash, which means give me your index page.

Whatever the default index page for the top of your web directory is, and I'm going to communicate with you using HTTP version 1.1. With 1.1, we opened the door to having multiple virtual hosts on the same IP address. So with 1.1 we can have a lot of different web servers living at the same IP address, which means I now have to specify which host I want to talk to: if I'm going to be using HTTP 1.1, I've got to use this Host line in my headers. And now I have to send a blank line saying I'm done with the headers I'm sending, process the request. Now what I've got here is a response that says HTTP/1.1, so that's the version that I was communicating with. It says 200 OK, and 200 is just the status code.

OK means yes, it worked, and I've got some additional information here. I've got a couple of cookies here, so the domain is . And I've got an HttpOnly cookie as well. And there is a P3P header and a Server header here. The server is GWS, and that's the Google Web Server, not surprisingly: since I connected to the Google web server, I would be using the Google Web Server software.

So we found some interesting things about this particular server that we are connecting to. Interestingly, I got two different server banners depending on what I did. The first one was when I got an error: I got the server GFE/2.0. When I didn't get an error, and the request was processed correctly, I got the Google Web Server. So that's some interesting information that you may be able to use down the road.
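To make the two exercises from this lesson and the previous one reproducible offline, here is an added Python example (not code from the course) that runs a dummy listener on the loopback address, as the Netcat listener did, and a client that builds the HTTP/1.1 HEAD request by hand with its Host header and terminating blank line, then pulls the Server banner out of the reply. The listener's banner string, its ephemeral port and its rule of answering 400 when the version or Host header is missing are all constructed for the demo.

```python
"""Loopback re-creation of the Netcat listener and the hand-built HTTP/1.1
HEAD request.  Added example, not the course's own code: the dummy server's
banner and its 400-on-bad-request rule are constructed for the demo."""
import socket
import threading


def build_head_request(host, path="/"):
    """HTTP/1.1 needs the Host header (one IP, many virtual hosts) and a
    blank line to end the headers; omit either and many servers answer 400."""
    return (f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n").encode()


def parse_response(raw):
    """Split a raw HTTP reply into (version, status code, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    version, status, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return version, int(status), headers


def dummy_server(listener, banner):
    """What the 'nc -l' window did: accept one client, show what it sent,
    then answer.  A request line without HTTP/1.1 or without a Host header
    gets 400 Bad Request, mirroring the lesson's first attempt."""
    conn, _ = listener.accept()
    with conn:
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        print("listener saw:", data.decode("latin-1", "replace").strip())
        request_line = data.split(b"\r\n", 1)[0]
        ok = request_line.endswith(b" HTTP/1.1") and b"\r\nhost:" in data.lower()
        status = "200 OK" if ok else "400 Bad Request"
        conn.sendall(f"HTTP/1.1 {status}\r\nServer: {banner}\r\n"
                     f"Content-Length: 0\r\n\r\n".encode())


def banner_grab(request, banner="demo-httpd/0.1"):
    """Start the listener on an ephemeral loopback port, send `request` to it
    the way nc would, read until the server closes, return (status, headers)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=dummy_server, args=(listener, banner), daemon=True)
    worker.start()
    raw = b""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        client.sendall(request)
        while chunk := client.recv(4096):
            raw += chunk
    worker.join(5)
    listener.close()
    _, status, headers = parse_response(raw)
    return status, headers


if __name__ == "__main__":
    print(banner_grab(b"HEAD /\r\n\r\n"))                    # bare request -> 400
    print(banner_grab(build_head_request("example.test")))   # proper 1.1 -> 200
```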

Of course, web servers and HTTP aren't the only things I can use Netcat for. I can also use it to connect to mail servers, among several other hosts, but let me demonstrate mail servers here.

And you get an idea of the things you can do. If you know the protocols, you can connect to any server that you want using Netcat. So I want to look up the mail server for , and it tells me that I've got several mail servers here. Let's just take the one with the lowest priority. So I'm going to take this one here and connect with Netcat again, and in this case I'm going to connect to port 25, which is the SMTP port.

So this tells me that it's running ESMTP, or Extended SMTP. That's SMTP with a bunch of extensions that allow us to do some different things. So I'm going to issue an extended hello, or EHLO, and I'm just going to give it a bogus domain name here. So now here's what we've got for a response: at your service. And it says 64.223.94.46 is what I happen to be connected to. So I can do SIZE, 8BITMIME, STARTTLS, which will allow me to do an encrypted session with this particular server, and I could also do ENHANCEDSTATUSCODES.

So I could just start interacting with this server now, and this gives me a syntax error. What I've got here looks kind of like a hostname to me, so this might be an internal hostname, CK9SI, etc. That looks like a hostname to me, given where it actually is. And the same sort of thing here, because I've got the same thing twice. That may provide me with some information down the road. But, of course, what it's telling me is this is the external name. So that's the external name of this particular set of SMTP servers here at Google.

So again, I could use Netcat to connect to a wide range of services. I could connect to, let's see, on port 110. And that doesn't actually give me anything, or the service isn't on that particular port number. So there are a lot of different things that I could do with Netcat: I could connect to any service that I want and start interacting with it. I could issue bogus commands and just see how it replies, or I could probe it with valid protocol commands and see what responses I get about its capabilities, what information it may be willing to give up about itself, and, maybe, the network that it's on.

So, that's just protocol checking with Netcat.

SSL Client

In this lesson we're going to be talking about using SSL. SSL is the Secure Socket Library, which allows encrypted communication primarily between web servers and clients or browsers. But SSL has also been implemented with several other protocols as well. Now we could connect to a web server on the secure socket port, and we could issue a request, and we wouldn't actually get much of anything back here.

The reason is that it's expecting an encrypted handshake to begin the process of negotiating the encryption protocols. So I can't use Netcat in order to communicate with encrypted services.

So what can I use instead?

Well, OpenSSL is a package that provides SSL and encryption to web servers and various other communications protocols. So I can use OpenSSL and the functionality that's in OpenSSL to do the negotiation of the encryption for me. OpenSSL actually has a lot of functionality built into it. What we're going to use here is s_client, so I'm going to do s_client, and I actually get an error there.

So let's take a look at the different things that s_client can do. These are the things that I need to know about s_client. So instead of just s_client and having it prompt me, what it's looking for here is for me to do the -connect option.

Now I can also do things like specifying the certificate that I would use to negotiate the encryption, and I can specify a number of other things as well. For example, I could specify that I want to use SSL version 2, SSL version 3, or TLS version 1. So what I'm going to do here is s_client -connect, and it uses the form host:port.

So I'm going to connect to the host on port 443, which of course is the SSL/TLS port. So it's done a handshake here, and it says I've got a TLS version 1 connection up. The cipher I'm using is RC4-SHA. The public key is 1024-bit. So you can see information here about the certificate that is in use by Google. It's actually issued by Thawte Consulting, and you can see that it is issued to Google in Mountain View and the name is

So we can check the specifics of the certificate using this. Now, I can just do what I would typically do when I'm connecting manually to a server: I can just start typing the protocol commands, and it is going to do the encryption for me and send it on to the server. The server is going to send me an encrypted communication back, OpenSSL is going to decrypt it for me and show me the plain text, and that is actually what I have got here. I've got the HTML and the JavaScript from the web page that I requested.

And it's been decrypted, and you can see that it's in plain text. So that's how you would use OpenSSL to communicate with services or servers that are using encryption in order to communicate with their clients.

And since we wouldn't be able to type the encryption by hand or figure all of that out, we would actually use OpenSSL to do that. OpenSSL handles all of the encryption for us, and then we're just typing commands, but that gives us the ability to communicate with servers that are using encryption.


A lot of people believe that encryption is a great solution to a lot of security problems.

In fact, some people will tell you that encryption is kind of synonymous with security. So, when somebody asks you, do you have security on your website, what they're asking is do you do encryption, because a lot of people just assume that that's really how you fix everything. Now, that's not necessarily true. So, there is a tool called SSLScan, and SSLScan will scan for all of the different encryption ciphers and schemes that are being used on a particular website.

The reason for that is that there are versions of SSL and there are encryption ciphers that are vulnerable to attacks.

DES, for example, is vulnerable to attack, and older versions of SSL like SSL version 2 are open to attack. So what we want to do is use SSLScan to very quickly determine which ciphers are supported on a given server.

Now again, just like with many other tools, you could probably do this by hand if you wanted to; there are other ways of doing this. SSLScan happens to be a really useful tool that's good at doing that scanning. So what I want to do is run a scan against Google, and I'm going to say port 443, which is the SSL port for their web server.

So it looks like we've got a number of accepted and a number of rejected. All of the ones that are accepted are the ones that they support. So we would have to go and figure out which ones were accepted here, except that we could use the option --no-failed. If you want to see everything that it tests, you can certainly do that, but in order to make this a little bit shorter, I'm going to say --no-failed.

So now we're only going to print the ones that are accepted. That should make the list quite a bit shorter. Then we can determine whether any ciphers use outdated or old encryption mechanisms, or short bit-lengths in their key space; anything under 128 bits, for example, would probably not be particularly good to use as an encryption cipher with the encryption mechanisms that we're using here.

So now we've got a copy of the certificate that it spits out. The two preferred ciphers here are using RC4 with the Secure Hash Algorithm as opposed to MD5. MD5 has started to develop some problems, and so SHA is the preferred hashing mechanism at this point. So it looks like Google is pretty good here.

We're using all SSL version 3 or TLS version 1. There's no SSL version 1 or SSL version 2, and there's no DES in here anywhere. There is AES, which is a really good mechanism, and AES256 is even better. So you can see that we've got some pretty good encryption ciphers here on this particular server.
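The by-eye triage of the cipher list described above can be automated. The following is an added Python example, not course material: it parses text laid out like classic sslscan output, keeps only the Accepted and Preferred lines (what --no-failed shows), and flags SSLv2, single DES, MD5 and keys under 128 bits, the lesson's own criteria. It also flags two things the lesson predates and treats as acceptable, RC4 (deprecated by RFC 7465) and SSLv3 (deprecated by RFC 7568); both are labelled in the output. The sample output is constructed to mimic the layout, not captured from any real host.

```python
"""Triage sslscan output: keep supported ciphers, flag the weak ones.
Added example, not course material; SAMPLE_SSLSCAN is constructed text
in the classic sslscan layout, not a capture from any real server."""
import re

# "Accepted  TLSv1  256 bits  AES256-SHA"; the Preferred section omits the status word.
CIPHER_LINE = re.compile(
    r"^\s*(?:(Accepted|Rejected)\s+)?(SSLv2|SSLv3|TLSv1(?:\.\d)?)\s+(\d+)\s+bits\s+(\S+)")


def weaknesses(protocol, bits, name):
    """Reasons a supported cipher should be considered weak.  The first four
    are the lesson's criteria; RC4 and SSLv3 are later deprecations."""
    reasons = []
    if protocol == "SSLv2":
        reasons.append("SSLv2")
    if protocol == "SSLv3":
        reasons.append("SSLv3 (RFC 7568)")
    if bits < 128:
        reasons.append(f"{bits}-bit key")
    if "DES" in name and "CBC3" not in name and "3DES" not in name:
        reasons.append("single DES")
    if name.endswith("-MD5"):
        reasons.append("MD5 MAC")
    if "RC4" in name:
        reasons.append("RC4 (RFC 7465)")
    return reasons


def triage(sslscan_output):
    """One dict per supported cipher line; Rejected lines are dropped, just
    as --no-failed drops them from the tool's own output."""
    results = []
    for line in sslscan_output.splitlines():
        m = CIPHER_LINE.match(line)
        if not m:
            continue
        status, proto, bits, name = m.groups()
        if status == "Rejected":
            continue
        bits = int(bits)
        results.append({"status": status or "Preferred", "protocol": proto,
                        "bits": bits, "name": name,
                        "reasons": weaknesses(proto, bits, name)})
    return results


def strong_ciphers(sslscan_output):
    """Names of supported ciphers that trip none of the checks."""
    return [r["name"] for r in triage(sslscan_output) if not r["reasons"]]


SAMPLE_SSLSCAN = """\
Testing SSL server example.test on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  56 bits   DES-CBC-MD5
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Rejected  SSLv3  40 bits   EXP-RC4-MD5
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  56 bits   DES-CBC-SHA
    Accepted  TLSv1  128 bits  RC4-MD5

  Preferred Server Cipher(s):
    SSLv3  128 bits  RC4-SHA
    TLSv1  128 bits  RC4-SHA
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_SSLSCAN):
        flag = ", ".join(r["reasons"]) or "ok"
        print(f'{r["status"]:9} {r["protocol"]:6} {r["bits"]:4} {r["name"]:14} {flag}')
```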

Now I'm going to do this against a local system, just to see what's installed here. And it looks like we've got reasonably good outcomes here as well.

So, this was just an out-of-the-box install with a certificate and a , so it looks like out of the box it comes with some reasonably good ciphers. But you can use SSLScan against any service that uses SSL. So, for example, sometimes uses SSL in order to secure and encrypt the transport. Web traffic, of course, uses SSL.

So for any service that uses SSL, you could point SSLScan at it and see what encryption ciphers and mechanisms are being used there.


So at this point, I actually want to take a look at a tool called Nikto. Nikto has been around for quite a while; it's a very early web application testing utility, and I've got it installed here. We're just going to run Nikto, and I didn't specify a host, mostly because I wanted it to generate this help here, and you can see all of the parameters and configuration settings that we can use.

And what I want to do is run Nikto here. We're going to say host is 172.3 30.42.55 and port is going to be 80, and we're not going to use SSL, although I could use SSL here.

And let me see, we're going to do evasion, so we're going to use techniques that may evade IDS detection, and we're going to do a mutate so we can guess additional file names. And we're just going to use all of the plugins here; I could specify which plugins, but I'm just going to use all of the ones that Nikto has available to us. And now I'm just going to run that.

Once Nikto is running, it's going to be generating a lot of requests to the web server, and we will eventually get some output here, based on what it finds at this particular web server on this port. It's going to test all of the connections that it can find, based on the pages that it has found. So it's going to run, it's going to generate a report with all of the vulnerabilities that it may have found, and it's going to look through the pages for all of those vulnerabilities.

So again you can see there are a lot of different configuration parameters. I could specify a format to save the report file into. I could enable the display of outputs. I could check the database as well as other files for syntax errors. I've got the ability to take a look at the plugins: if I didn't want to run all of them, I could just list the plugins that are there. And I could also disable the cache, which would prevent URIs from being cached there. I've got the ability to make sure I prepend the root to all requests.

So rather than just requesting directory, for example, I could ensure that the request is /directory. I could do some scan tuning. Nikto runs on a set of plugins and a number of configuration settings, and you could update the database with all of the plugins that are available.

So, right here we've got the output from the tests that we ran, and it looks like we've got an Ubuntu server running Apache 2.2.22. It did find cgi-bin with directory indexing turned on, and we found the HTTP methods. We did find that PHP was installed, and a test script which runs phpinfo, which is generally not such a good thing, and there are a number of other possibilities here as well, including some directories Nikto thinks may be worth taking a look at and seeing whether we can do something interesting with them. It also found WordPress and just let us know that it did find WordPress.

So Nikto is not a proxy like some other test tools that you may run into. It's also not graphical, so there's no pretty GUI to go with Nikto; it's just a command-line utility. And you've got a lot of configuration settings that you can tweak in order to get different output and run some different tests against the web server that you want to take a look at. Again, this is the starting point for giving you some data that you may be able to use in terms of the testing that you're going to be doing manually, and seeing what starting points Nikto is providing to you. Again we've got things like PHP, and we've got Apache 2.2.22; that may be a starting point for us to be looking for vulnerabilities or exploits against those particular packages.


There's a protocol available called the Simple Network Management Protocol, or SNMP. SNMP gives you some ability to check configuration settings on a particular system. So SNMP is really useful for not only checking configuration settings but, in some cases, you may be able to set parameters as well. One of the things about SNMP is that it's been around for a long time, and so it's got some weaknesses in the version that is often run.

So the version that's often run, and if we get to specify the version number here, I want to run version 1. The thing about version 1 is that there were community strings, and the community string is really kind of like a pre-shared key or a password. And the community strings that were typically used were fairly well known.

So the read-only community string would be public, and the read-write community string would be private. So there are two community strings.

One is for read-only and the other is for read-write. So public and private are the two well-known community strings. If you run across an SNMP server, you could certainly try this out and see if you get some data back. So I'm going to do an SNMP walk of this particular system here. An SNMP walk is actually going to check with SNMP and see all of the variables that it has configured. The variables are defined in these things called management information bases, or MIBs.

The MIBs define the data that's available as well as the format and how you would access it. So what we've got here is a system that's a Linux system. The name is a bill. This is the kernel version number here, and we've got time ticks, which indicates it's been up for the day.

And we've got some other strings that are available here. Down here we've got the boot image, so we actually know where the boot image is as well as its name. And here's the root device that it's being booted from, so this is actually the disk ID that we are booting from. So you can see we can get a fair amount of detail from SNMP.

If the administrator hasn't configured it properly and closed off specific settings, or not provided details like the ones that you'll find available here, and also if they have left it wide open for anybody to get access to, then SNMP is a really good data collection tool. An SNMP walk is a really good utility that you can use to gather all of this data very quickly and easily.

As you see, I just ran an SNMP walk: I specified the version, the community string, and then just the server IP or system IP, and SNMP walk did the rest for me, collecting all of this great data that I may be able to use in terms of trying to figure out whether I may be able to find some vulnerability.

Certainly here's the Linux kernel version 3.2.0, and I could do some poking and see whether some vulnerabilities are related to that particular version or not, and whether there are some exploits available. So SNMP is a great protocol for attackers who are looking for information, and an SNMP walk is a really good tool in order to be able to make use of SNMP and pull the information off a system that's got an SNMP server on it.
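The reason the community string is such a weak secret is that SNMPv1 and v2c send it in cleartext in every datagram, so a sensor watching UDP 161 can see when the well-known public or private strings are in use. The following added Python example (not course material) parses the BER structure of an SNMP datagram, extracts the version, community string, PDU type and requested OIDs, and raises a finding for a default community. The sample packet is constructed by hand, a v1 GetRequest for sysDescr.0 with community public, not captured from any system.

```python
"""Parse an SNMP datagram and flag the well-known default community
strings.  SNMPv1/v2c carry the community in cleartext, which is why a
sensor on UDP 161 can spot "public"/"private" in use.  Added example, not
course material; the sample packet is constructed by hand (a v1 GetRequest
for sysDescr.0 with community "public"), not captured from any system."""

DEFAULT_COMMUNITIES = {"public", "private"}
VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
# An SNMP walk, as in the lesson, is a stream of GetNext (v1) or GetBulk (v2c) PDUs.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}


def read_tlv(buf, pos):
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    return tag, value, pos + length


def decode_oid(raw):
    """BER OID bytes -> dotted string, e.g. 1.3.6.1.2.1.1.1.0 (sysDescr.0)."""
    parts, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of a base-128 arc
            parts.append(n)
            n = 0
    return ".".join(map(str, parts))


def parse_snmp(datagram):
    """Return version, community, PDU type and requested OIDs of one datagram."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = read_tlv(msg, 0)
    version = int.from_bytes(ver, "big", signed=True)
    if version == 3:                        # v3 has a USM header, no community
        return {"version": "SNMPv3", "community": None, "pdu": None, "oids": []}
    tag, community, pos = read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("expected community OCTET STRING")
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    p = 0
    for _ in range(3):                      # request-id, error-status, error-index
        _, _, p = read_tlv(pdu, p)
    _, varbinds, _ = read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = read_tlv(varbinds, q)
        _, oid, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid))
    return {"version": VERSION_NAMES.get(version, f"v{version}"),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "oids": oids}


def default_community_alert(datagram):
    """One-line finding when a v1/v2c packet uses a default community, else None."""
    info = parse_snmp(datagram)
    if info["community"] in DEFAULT_COMMUNITIES:
        return (f'{info["version"]} {info["pdu"]} with default community '
                f'"{info["community"]}" for {", ".join(info["oids"])}')
    return None


# Constructed sample: SNMPv1 GetRequest, community "public", sysDescr.0.
SAMPLE_GETREQUEST = bytes.fromhex(
    "3026 020100 04067075626c6963 a019 020101 020100 020100"
    "300e 300c 06082b06010201010100 0500")

if __name__ == "__main__":
    print(parse_snmp(SAMPLE_GETREQUEST))
    print(default_community_alert(SAMPLE_GETREQUEST))
```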
